Active Directory Account Auditing 101

Windows Security

How many login accounts do you have? What accounts should be disabled or deleted? What accounts are disabled, expired, locked, etc.? What accounts do not have a password expiration “override”, meaning they are not forced to change them? How many accounts are in compliance with your policy? You have a policy right?

In most Microsoft Windows (Active Directory) environments accounts and passwords are everything. Most companies aren’t using biometrics, smart cards, etc. so an account and password become the “keys to the kingdom”. I am going to show you how to do a cursory audit, answer the questions above, and do it in 30 minutes or less. Best of all, this is free!

NOTE: This article is not written to be instructions for a comprehensive account audit nor is it written to audit individual password strength.

Policy
To begin you need a policy. Without policy, information security initiatives are likely doomed. In many organizations the policy that correlates most closely with this audit is Password Policy. Your policy (and/or supporting standards) should specify the rules for login account passwords. You may also have supporting policies such as a privilege user policy or account termination policy.

NOTE: If you do not have explicit consent (hopefully written) to conduct an audit of an organization’s information assets, get it BEFORE proceeding.

The Audit
I use free tools regularly for audits, penetration testing, etc. Why write a tool if someone has already made one for you?

Before beginning an audit, define what you plan on using it for. Do you have a SOX auditor breathing down your neck (most SOX auditors want a list of login accounts with password age). Do you want the audit as FYI material? Do you plan to use the audit to initiate subsequent policy non-compliance remediation efforts? Most of the audits I conduct are used as part of an ongoing information security lifecycle. Typically, I will audit accounts on a semi-annual basis.

Anyway, let’s begin.

The Tool:
We need a tool that will enumerate the accounts and provide us with the information we seek. My old and trusty tool of choice is UserDump.exe written by Joe Richards. The step-by-step:

1. Visit Joe’s site at http://www.joeware.net/freetools/tools/userdump/index.htm and download the tool.



NOTE: Your email address is OPTIONAL. When I am given the option, I opt not.

For the sake of this exercise, let’s download the file to C:\Tools\UserInfo\UserDump.

2. De-compress userdump.zip (“un-zip”).

3. Open command prompt and change the directory so that you are able to run userdump.exe from the command line.

4. Type the following (without quotes), replace %dcnameorIP% with the IP address or name of an Active Directory domain controller:

“userdump %dcnameorIP% > dcusers.txt

5. After userdump has completed, you should have a tab-delimited text file in the directory that you ran it in.

6. Open Excel. Click File-->Open and locate the newly created dcusers.txt file. You will need to change the “Files of type:” option to “Text Files” in order to see it in the Open dialog box.

7. After you select the file, the Text Import Wizard dialog box will appear. Make sure that “Delimited” is chosen and not “Fixed width”, and click Finish.

8. Viola! Your audit is complete. Now maybe this one calls for some remediation.

Conclusion
The audit conducted in this article should give you answers to the questions we posed at the start. In this audit there were 952 accounts, of which 712 were login accounts. There were numerous password age and no password expiration policy violations as well as accounts that were thought to have been disabled and/or expired that were not.

In a simple exercise lasting no more than 30 minutes, we were able to gather good information. Through remediation we should be able to significantly reduce the risk of unauthorized disclosure, modification and/or destruction to this company’s information assets.