Windows Security PowerPack

Frequently Asked Questions

What is PowerGUI?

PowerGUI is an extensible graphical administrative console for managing systems based on Windows PowerShell.

What is PowerShell?

Windows PowerShell is a command-line shell and scripting language designed especially for system administration.

What is a PowerPack?

A PowerPack is an add-on for the PowerGUI Platform.

This PowerGUI PowerPack is a free set of utilities I designed and Quest Software coded to fill 3 long-standing gaps in Windows and AD security administration and auditing, without which life is complicated for both the administrator and auditor.

Here are the 3 gaps and how the Windows Security PowerPack fills them:

Problem: No way to find dormant user accounts

Finding user accounts that haven't logged on in X days is important, but there's no good way to do it in AD.

The "days since last logon" query option in Active Directory Users and Computers doesn't work right, doesn't display the last logon date/time and omits users who have never logged on at all.

Figuring out the last logon date and time is complicated. First, the lastLogon field isn't displayed. Second, that field is updated when you log on, but only on the domain controller that authenticates you; the field is never replicated to other DCs. If your domain is in Windows 2000 Mixed or Native mode, that means you have to query each domain controller for each user account. If your domain is in Windows 2003 or higher modes, AD adds a new field called lastLogonTimeStamp, which is replicated by default every 7 days.

Solution: Dormant User Accounts Report

This report in the PowerPack checks your domain and, if necessary, queries each DC for each user's lastLogon. If your domain is in Win2003 mode or higher, it automatically uses the new lastLogonTimeStamp and runs much faster. You get to specify how many days make an account dormant.

For each dormant user it displays everything you need to know about the user, including whether the account is disabled, when it was created and how long ago it last logged on, if at all. It also checks that the replication interval for lastLogonTimeStamp isn't shorter than the threshold you specify for "dormant" accounts and warns you if it is. You can export the report to a variety of formats including Excel.


Problem: No way to analyze user level password settings

Auditors and admins alike need a spreadsheet of user accounts with fields like password expiration status and overrides like PasswordNeverExpires. You've got to have this information to make sure accounts are in compliance with controls. The problem is that a number of these settings are buried as bits in the userAccountControl (UAC) integer on user accounts, which simple LDAP queries can't properly display as separate columns.

Solution: Password Settings Audit

This report scans all your user accounts and lists their disabled status, PasswordLastSet, PasswordAge, PasswordExpired, PasswordNeverExpires, PasswordStatus and more.  You can export the report to a variety of formats including Excel.
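To show what decoding those userAccountControl bits and the pwdLastSet timestamp into report columns involves, here is an added PowerShell example; it is not the PowerPack's own code. The function name `Get-PasswordSettings`, the 90-day maximum password age and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example, not the PowerPack's code. All sample records are constructed.
# userAccountControl bit values as documented by Microsoft:
$UAC_ACCOUNTDISABLE       = 0x00002
$UAC_PASSWD_NOTREQD       = 0x00020
$UAC_DONT_EXPIRE_PASSWORD = 0x10000

function Get-PasswordSettings {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] $User,     # needs sAMAccountName, userAccountControl, pwdLastSet
        [int] $MaxPasswordAgeDays = 90,   # assumed policy; use your domain's real maximum
        [datetime] $Now = (Get-Date)
    )
    $uac          = [int]$User.userAccountControl
    $neverExpires = [bool]($uac -band $UAC_DONT_EXPIRE_PASSWORD)

    # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC).
    # 0 means "must change at next logon", so there is no age to report.
    $lastSet = $null
    $ageDays = $null
    if ([int64]$User.pwdLastSet -gt 0) {
        $lastSet = [datetime]::FromFileTimeUtc([int64]$User.pwdLastSet)
        $ageDays = [int][math]::Floor(($Now.ToUniversalTime() - $lastSet).TotalDays)
    }

    # The never-expires override wins; otherwise an unset or too-old password is expired.
    if ($neverExpires)          { $expired = $false }
    elseif ($null -eq $lastSet) { $expired = $true }
    else                        { $expired = $ageDays -gt $MaxPasswordAgeDays }

    [pscustomobject]@{
        User                 = $User.sAMAccountName
        Disabled             = [bool]($uac -band $UAC_ACCOUNTDISABLE)
        PasswordNotRequired  = [bool]($uac -band $UAC_PASSWD_NOTREQD)
        PasswordNeverExpires = $neverExpires
        PasswordLastSet      = $lastSet
        PasswordAgeDays      = $ageDays
        PasswordExpired      = $expired
    }
}

# Constructed sample data standing in for LDAP query results.
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$ft  = { param($days) $now.AddDays(-$days).ToFileTimeUtc() }
$users = @(
    [pscustomobject]@{ sAMAccountName = 'alice';   userAccountControl = 512;   pwdLastSet = (& $ft 30)  }
    [pscustomobject]@{ sAMAccountName = 'bob';     userAccountControl = 514;   pwdLastSet = (& $ft 200) }
    [pscustomobject]@{ sAMAccountName = 'svc-app'; userAccountControl = 66048; pwdLastSet = (& $ft 900) }
    [pscustomobject]@{ sAMAccountName = 'newhire'; userAccountControl = 544;   pwdLastSet = 0           }
)
$users | ForEach-Object { Get-PasswordSettings -User $_ -Now $now } | Format-Table -AutoSize
```

In the sample, `svc-app` is the row an auditor would flag: a 900-day-old password that never shows as expired because the override bit is set.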


Problem: No way to find which computers a user is currently logged onto

In Windows there's no central component which keeps track of where a user is logged on. At any given time a user may be logged on to multiple workstations, have Terminal Services sessions active and have network connections to various servers. Before you ask, no, domain controllers don't have this information: once they authenticate you to a given computer, they forget about you.

This is a problem when you need to get a user logged out of all systems, whether to solve an operational issue or in the case of a terminated or compromised user account. Remember, disabling or deleting an account only prevents future logons; those actions have no effect on current logon sessions.

Solution: Logon Sessions

The Logon Session node of my PowerPack queries multiple computers simultaneously for a specified user name. You can filter by a host of logon session variables like LogonType and SessionAge, and the PowerPack quickly shows you every computer where matching logon sessions are found. You can export the report to a variety of formats including Excel.


 
