Malicious individuals who obtain administrative access to your Active Directory domain can compromise the security of your network. Any change to a user account password made by anyone other than the account owner or an IT administrator could be a sign of an Active Directory account compromise. An attacker who has stolen administrative credentials and used them to change a user account password has complete control of the account and can use it to read, copy and delete data in Active Directory. As a result, your organization can suffer system downtime, business disruptions or leaks of sensitive data.

1. Open the PowerShell ISE → Create a new script with the following code and run it, specifying the computer list and the path for export:

# Runs on each listed computer and returns the members of its local Administrators group
Invoke-Command -ScriptBlock {
    # Drop blank lines and the trailing status line, then skip the four header lines of "net localgroup"
    $members = net localgroup administrators |
        Where-Object { $_ -and $_ -notmatch "command completed successfully" } |
        Select-Object -Skip 4
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Group        = "Administrators"
        # Join the member names into one string; an array property would be exported as "System.Object[]"
        Members      = $members -join ';'
    }
} -ComputerName fs1,sp01,ncnad -HideComputerName |
    Select-Object * -ExcludeProperty RunspaceID |
    Export-Csv c:\data\local_admins.csv -NoTypeInformation


2. Open the file produced by the script in MS Excel.
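Rather than reviewing the exported list by eye, it can be compared against a baseline of approved administrators. The following script is an added example, not part of the original article: it reads the CSV produced by step 1 and reports every local Administrators member that is not on the approved list. The CSV path and the baseline entries are placeholders, and the Members column is assumed to hold account names separated by ';'.

```powershell
# Added example (not from the original article). Reads the CSV produced by the
# collection script and reports local administrators that are not on an approved
# baseline. The path and the baseline entries below are placeholders to adjust;
# the Members column is assumed to hold names separated by ';'.
$csvPath  = 'C:\data\local_admins.csv'
$approved = @(
    'Administrator',
    'CORP\Domain Admins',
    'CORP\Workstation Admins'
)

$unexpected = Import-Csv -Path $csvPath | ForEach-Object {
    $computer = $_.ComputerName
    # Split the joined member list back into individual account names
    $members  = $_.Members -split ';' | Where-Object { $_.Trim() }
    foreach ($member in $members) {
        # -notcontains compares case-insensitively, matching how Windows treats account names
        if ($approved -notcontains $member.Trim()) {
            [PSCustomObject]@{
                ComputerName = $computer
                Unexpected   = $member.Trim()
            }
        }
    }
}

if ($unexpected) {
    # Each row is a host/account pair that needs review or removal
    $unexpected | Sort-Object ComputerName, Unexpected | Format-Table -AutoSize
} else {
    Write-Output 'All local Administrators group members match the approved baseline.'
}
```

Run it after each collection so that a newly added local administrator shows up as a host/account pair rather than being lost in a long list.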

Originally published: https://www.netwrix.com/how_to_detect_who_deleted_file.html
