I need to create a rule to find any AD accounts with the "Password Never Expires" checkbox enabled. I believe the event IDs are 642 and 4738? What is the best way to do this? This would be to gather that information and get a report on it.
Anyone have the best way to do this? I just need to be alerted whenever an AD account is flagged with the "Password Never Expires" checkbox checked. Trying to get a firm hold on accounts being created with this option enabled.
I'm looking at how the Windows events are parsed and am not finding a simple way yet, but will keep looking and maybe something will jump out. I would like to suggest another approach. This approach would involve creating a dynamic watchlist which queries AD every x hours and creates a list of users who have this flag set. This list could then be used as a filter in the report. Depending on your use case there are a couple of different approaches, which I'll present here at a high level.
Use Case 1: A report of users created with the flag set for Password Never Expires.
(Create a dynamic watchlist of type destination user which will query AD for the list required.)
From here create a report or view which filters on the appropriate Windows event ID. You can do this from a filter list for Signature ID, select Windows and enter the signature ID such as 4738, and add a filter for the destination user being in the watchlist created above.
Use Case 2: Create a list of user IDs as above to use in correlation rules, reports or views.
Hope this helps, and if I find out anything more I will let you know.
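The two approaches in the reply above (a periodic AD query that populates a watchlist, and a rule keyed on event 4738) in working form, as an added example that is not code from either poster or from the SIEM product. The watchlist side keys on bit 0x10000 (DONT_EXPIRE_PASSWD, decimal 65536) of the LDAP userAccountControl attribute; the alert side parses the text of a 4738 "A user account was changed" event, which on Windows 2008 and later carries Old UAC Value, New UAC Value and a human-readable User Account Control line (event 642 is the pre-2008 equivalent). The sample LDAP export and event bodies are constructed for this example; the 0x200 bit used to cross-check the hex UAC fields is the SAM-side encoding taken from Microsoft's documented event samples and is labelled as an assumption to confirm against your own events, since it differs from the LDAP attribute's encoding.

```python
"""Find AD accounts with 'Password Never Expires' two ways:
 1. from an LDAP/AD export (the watchlist approach), via userAccountControl
 2. from the text of Security event 4738 (the alert approach)
All sample data below is constructed for this example."""
import re

# LDAP userAccountControl flags: what AD returns and what an LDAP filter matches.
UF_ACCOUNTDISABLE     = 0x00002
UF_NORMAL_ACCOUNT     = 0x00200
UF_DONT_EXPIRE_PASSWD = 0x10000   # 65536: the "Password Never Expires" checkbox

# Filter for the watchlist query: LDAP_MATCHING_RULE_BIT_AND on that flag.
NEVER_EXPIRES_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
)

# ASSUMPTION: the Old/New UAC Value fields of event 4738 use the SAM encoding,
# in which 'Don't Expire Password' is 0x200 (Microsoft's sample 4738 shows
# 0x15 -> 0x215 for this change). Confirm against one of your own events; the
# text line Windows writes is the primary signal, the bit is a cross-check.
EVT_DONT_EXPIRE_PASSWORD = 0x200


def password_never_expires(uac: int) -> bool:
    return bool(uac & UF_DONT_EXPIRE_PASSWD)


def build_watchlist(entries, skip_disabled=True):
    """entries: dicts with sAMAccountName and userAccountControl as exported
    from AD. Returns the sorted account names to load into the watchlist."""
    names = []
    for e in entries:
        uac = int(e["userAccountControl"])
        if not password_never_expires(uac):
            continue
        if skip_disabled and uac & UF_ACCOUNTDISABLE:
            continue
        names.append(e["sAMAccountName"])
    return sorted(names)


def _field(text, name, after=None):
    """Value of a 'Name:<tabs>value' line, optionally only after a section header
    (the Subject: and Target Account: sections both have an 'Account Name:' line)."""
    if after is not None:
        idx = text.find(after)
        text = text[idx:] if idx >= 0 else ""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(\S.*?)\s*$", text, re.M)
    return m.group(1) if m else None


def parse_4738(message: str) -> dict:
    """Pull the fields a detection needs out of a 4738 message body."""
    old = _field(message, "Old UAC Value")
    new = _field(message, "New UAC Value")
    return {
        "subject": _field(message, "Account Name", after="Subject:"),
        "target": _field(message, "Account Name", after="Target Account:"),
        "old_uac": int(old, 16) if old else None,
        "new_uac": int(new, 16) if new else None,
        # the human-readable line Windows writes when the checkbox is turned on
        "text_enabled": "'Don't Expire Password' - Enabled" in message,
    }


def never_expires_was_set(ev: dict) -> bool:
    """True when this 4738 turned the flag on, not merely when it was already on."""
    if ev["text_enabled"]:
        return True
    old, new = ev["old_uac"], ev["new_uac"]
    if old is None or new is None:
        return False
    return not (old & EVT_DONT_EXPIRE_PASSWORD) and bool(new & EVT_DONT_EXPIRE_PASSWORD)


def alerts_from_events(messages):
    """(target account, who changed it) for every event that set the flag."""
    out = []
    for msg in messages:
        ev = parse_4738(msg)
        if never_expires_was_set(ev):
            out.append((ev["target"], ev["subject"]))
    return out


# --- constructed sample data -------------------------------------------------
SAMPLE_LDAP_EXPORT = [
    {"sAMAccountName": "jdoe",       "userAccountControl": 512},    # 0x200 normal
    {"sAMAccountName": "svc_backup", "userAccountControl": 66048},  # 0x10200 never expires
    {"sAMAccountName": "svc_legacy", "userAccountControl": 66050},  # 0x10202 + disabled
]

EVENT_FLAG_SET = """A user account was changed.
Subject:
\tSecurity ID:\t\tACME\\helpdesk1
\tAccount Name:\t\thelpdesk1
\tAccount Domain:\t\tACME
Target Account:
\tSecurity ID:\t\tACME\\svc_backup
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tACME
Changed Attributes:
\tOld UAC Value:\t\t0x15
\tNew UAC Value:\t\t0x215
\tUser Account Control:\t
\t\t'Don't Expire Password' - Enabled
"""

EVENT_OTHER_CHANGE = """A user account was changed.
Subject:
\tAccount Name:\t\thelpdesk1
Target Account:
\tAccount Name:\t\tjdoe
Changed Attributes:
\tDisplay Name:\t\tJane Doe
\tOld UAC Value:\t\t0x15
\tNew UAC Value:\t\t0x15
\tUser Account Control:\t-
"""

# same change, but the SIEM truncated the message before the text line
EVENT_HEX_ONLY = """A user account was changed.
Subject:
\tAccount Name:\t\tadmin
Target Account:
\tAccount Name:\t\tsvc_sql
Changed Attributes:
\tOld UAC Value:\t\t0x10
\tNew UAC Value:\t\t0x210
"""

if __name__ == "__main__":
    print("watchlist:", build_watchlist(SAMPLE_LDAP_EXPORT))
    print("alerts:", alerts_from_events([EVENT_FLAG_SET, EVENT_OTHER_CHANGE, EVENT_HEX_ONLY]))
```

The watchlist function skips disabled accounts by default because a disabled account with the flag set is a hygiene item, not something to alert on; pass skip_disabled=False to list everything the LDAP filter returns. Keying the rule on the change from an Old to a New value rather than on the flag simply being present means an unrelated 4738 for an account that already had the box ticked does not re-fire the alert.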
I am using the LDAP source type "LDAP", the IP of one of our DCs and the credentials of a common LDAP account we use to query AD. When I test the query, I get this:
Failed to authenticate ldapqry: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
The creds are correct and this account is in the correct AD groups so it should have the right permissions. Any ideas?
I've run into this error before, and it's an error returned by AD that indicates invalid credentials. The code after the data token in the error message, which is 52e, is 'Invalid Credentials'.
You can find out more at this link regarding that error.
Is it possible your AD admin has enabled secure AD or has AD running on a non-standard port? If so it will be on a different port. If that is the case, for the IP address enter it as IP:port, such as 220.127.116.11:3890.
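A small decoder for the bind failure quoted above, as an added example that is not code from either poster: it parses the diagnostic string AD returns with LDAP result code 49 (invalidCredentials), pulls out the "data" sub-code, and maps the sub-codes AD uses for bind failures (52e is the one in this thread; the others in the table are AD's documented sibling codes for a failed AcceptSecurityContext), plus the host:port splitting the reply recommends. The sub-code table and the default ports 389/636 are standard AD and LDAP values; the message below is the one from this thread.

```python
"""Decode an AD LDAP bind failure of the form
[LDAP: error code 49 - 80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 52e, v1db1 ]
The 'data' hex token is what distinguishes a bad password from a locked or expired account."""
import re

# AD sub-codes seen after "data" when the bind is rejected (result code 49).
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52e: "invalid credentials (wrong password, or bind DN/UPN does not match)",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<win>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(message: str):
    """Return the parsed pieces of an AD bind diagnostic, or None if the text
    is not in that format (e.g. a network timeout rather than an AD reply)."""
    m = ERR_RE.search(message)
    if not m:
        return None
    sub = int(m["data"], 16)
    return {
        "result_code": int(m["code"]),      # 49 = LDAP invalidCredentials
        "win32_error": m["win"].lower(),    # SSPI error from the DC, as hex text
        "dsid": m["dsid"],                  # DC-internal source location; useful to MS support only
        "comment": m["comment"],
        "data": sub,
        "meaning": AD_BIND_SUBCODES.get(sub, "unknown sub-code"),
    }


def split_host_port(target: str, ssl: bool = False):
    """'host:port' -> (host, port); a bare host gets 389, or 636 when ssl=True."""
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, (636 if ssl else 389)


if __name__ == "__main__":
    msg = ("Failed to authenticate ldapqry: [LDAP: error code 49 - 80090308: "
           "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]")
    print(parse_ad_bind_error(msg))
    print(split_host_port("220.127.116.11:3890"), split_host_port("10.0.0.5", ssl=True))
```

Because every bind rejection comes back as result code 49, the sub-code is the only thing that tells a genuinely wrong password (52e) apart from a lockout (775) or an expired password (532); when a SIEM's LDAP test fails, read that token before touching group membership, since bind failures are never a permissions problem.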