gsween
Level 7
Message 1 of 18

AD Accts Set to "Password Never Expires"

Hello all,

I need to create a rule to find any AD accounts with the "Password Never Expires" checkbox enabled. I believe the event IDs are 642 and 4738? What is the best way to do this? This would be to gather that information and get a report on it.

Thanks

17 Replies
gsween
Level 7
Message 2 of 18

Re: AD Accts Set to "Password Never Expires"

Anyone have the best way to do this? I just need to be alerted whenever an AD account is flagged with the "Password Never Expires" checkbox checked. Trying to get a firm hold on accounts being created with this option enabled.

Thanks

mepplin
Level 9
Message 3 of 18

Re: AD Accts Set to "Password Never Expires"

I'm looking at how the Windows events are parsed and am not finding a simple way yet, but will keep looking and maybe something will jump out. I would like to suggest another approach. This approach would involve creating a dynamic watchlist which queries AD every x hours and creates a list of users who have this flag set. This list could then be used as a filter in the report. Depending on your use case there are a couple of different approaches which I'll present here at a high level.

Use Case 1: A report of users created with the flag set for Password Never Expires.

(Create a dynamic watchlist of type destination user which will query AD for the list required.)

  1. Open Watchlists and click add.
  2. Main tab - Enter name, select Dynamic, enable automatic updates and select an update frequency and time.
  3. Source tab - select LDAP, add the IP and the credentials.
  4. Query - Set the Lookup Attribute to sAMAccountName (default) and paste the following query
    1. help
  5. Values tab - select type of destination user then run now. It is destination user since the source user field in these events is the user that created the user and destination user is the name of the user created.

From here create a report or view which filters on the appropriate windows ID. You can do this from a filter list for Signature ID, select Windows and enter the signature ID such as 4738, and add a filter for the destination user being in the watchlist created above.

Use Case 2: Create a list of user IDs as above to use in correlation rules, reports or views.

  1. Create a watchlist exactly as above but on the values tab select Source User instead of destination user. When a user logs in the id is in the source user field.
  2. You can then create reports, views and correlations using the source user watchlist as a filter and this will provide real time monitoring of these users and their activity.

Hope this helps, and if I find out anything more I will let you know.

Mike

gsween
Level 7
Message 4 of 18

Re: AD Accts Set to "Password Never Expires"

Thanks Mike! I will try these. Been searching for weeks on how to set this up and get results. I will update any progress

Regards

G

gsween
Level 7
Message 5 of 18

Re: AD Accts Set to "Password Never Expires"

Hey Mike

You have the Query as "1. help". Looks like your query did not paste correctly in the conversation pane?

Thanks

mepplin
Level 9
Message 6 of 18

Re: AD Accts Set to "Password Never Expires"

The query should be:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
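An added example, not code from the thread or from the product, tying together the two halves of Mike's approach: the userAccountControl bit (65536) that the LDAP query tests with the bitwise-AND matching rule, and a check over the message text of a Windows 4738 event for the target account that had "Don't Expire Password" enabled. The 4738 sample bodies and account names are constructed.

```python
import re

# userAccountControl bits as AD stores them; 0x10000 (65536) is the one the
# thread's LDAP query tests via the bitwise-AND matching rule.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
DONT_EXPIRE_PASSWORD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

def never_expires_filter() -> str:
    """The thread's three clauses AND-ed into one valid LDAP filter."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_EXPIRE_PASSWORD}))")

def decode_uac(value: int) -> list:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def password_never_expires(value: int) -> bool:
    """The test the matching rule performs server-side: bitwise AND with 65536."""
    return bool(value & DONT_EXPIRE_PASSWORD)

# Event 4738 lists changed flags in its "User Account Control" field as lines
# like "'Don't Expire Password' - Enabled"; an unchanged field is shown as "-".
ENABLED_RE = re.compile(r"'Don't Expire Password'\s*-\s*Enabled")
TARGET_RE = re.compile(r"Target Account:.*?Account Name:\s*(\S+)", re.S)

def never_expires_set_by_4738(event_text: str):
    """Target account name if this 4738 event enabled the flag, else None."""
    if not ENABLED_RE.search(event_text):
        return None
    m = TARGET_RE.search(event_text)  # skip the Subject's Account Name
    return m.group(1) if m else None

# Constructed sample 4738 message bodies (not real log data).
SAMPLE_ENABLED = """A user account was changed.
Subject:
    Account Name:  jdoe
Target Account:
    Account Name:  svc_backup
Changed Attributes:
    User Account Control:
        'Don't Expire Password' - Enabled
"""
SAMPLE_UNRELATED = SAMPLE_ENABLED.replace("svc_backup", "svc_report").replace(
    "\n        'Don't Expire Password' - Enabled", "  -")
```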

gsween
Level 7
Message 7 of 18

Re: AD Accts Set to "Password Never Expires"

Hi Mike

I am using the LDAP source type "LDAP", IP of one of our DCs and account creds of a common LDAP account we use to query AD. When I test the query, I get this:

enrichmentFilter=

error

Failed to authenticate ldapqry: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

The creds are correct and this account is in the correct AD groups so it should have the right permissions. Any ideas?


Thanks

mepplin
Level 9
Message 8 of 18

Re: AD Accts Set to "Password Never Expires"

I've run into this error before, and it's an error returned by AD that indicates invalid credentials. The code after the data token in the error message, which is 52e, is 'Invalid Credentials'.

You can find out more at this link regarding that error.

http://www-01.ibm.com/support/docview.wss?uid=swg21290631

gsween
Level 7
Message 9 of 18

Re: AD Accts Set to "Password Never Expires"

Yes, I found that link and no help. The account I am using is valid and I tested with other accounts as well, all the same error.

Thanks

G

Re: AD Accts Set to "Password Never Expires"

Is it possible your AD admin has enabled secure AD or has AD running on a non-standard port? If so it will be on a different port. If that is the case, for the IP address enter it as IP:port, such as 1.2.3.4:3890