Do Sysadmins Dream Of Electric Sheep?

A collection of random mutterings and mumblings about Windows and other technologies…

Archive for August, 2011

VBScript to check membership of privileged groups

Posted by Joe Thompson on August 4, 2011

This is a variation of a script I posted a few weeks ago which outputs the membership of multiple AD groups. In short, I was asked to put a script together which would gather the group memberships of various privileged groups within our organisation for audit purposes, for example Domain Admins, Exchange Admins, various support groups which have raised access etc.

As this kind of information is pretty useful for reviewing to check if and how group memberships have changed over time, I wanted to amend the original script to ensure that no older data was lost. In order to accurately pinpoint when a historical log had been created, it made sense to use the creation date of the most recent file to generate the timestamp for archiving the older data. In this way, we can simply check the older files in filename order to see how they’ve changed over time.

It’s a simple task to comment out all the echo statements to enable this script to run as a scheduled task. In future I will be aiming to automate checking of the most recent file against the previous one and generating some kind of alert when group memberships have changed; this will take some time though, so don’t expect it any time soon!

As with the script this has been adapted from, you’ll need to create a source file containing the FQDNs of each group you want to audit. If anyone needs any more details, drop me a message in the replies and I’ll try and answer it as soon as I can!

WARNING – be careful adding an “on error” statement with this one – if there’s no groups file it can create an infinitely large text file full of carriage returns. I’ve put a check in for the groups file deliberately to guard against this but it could cause issues on a production server if you omit this section for any reason…

' VBscript to output group membership of privileged AD groups
' Put list of groups' FQDNs in C:\temp\privileged_groups.txt
' Results will be output to C:\temp\privileged_group_membership.txt

' Set variables and define constants

Dim fso
Dim objReadFile
Dim objWriteFile
Dim strOutputFile
Dim strOldFile
Dim strGroupsFile
Dim strGroup
Dim strGroupFQDN
Dim strUsername
Dim WshShell

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

strGroupsFile = "C:\temp\privileged_groups.txt"
strOutputFile = "C:\temp\privileged_group_membership.txt"

Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("WScript.Shell")

' Check for groups file, quit if it doesn't exist.

If Not fso.FileExists(strGroupsFile) Then
	Wscript.Echo "No groups file available."
	Wscript.Quit
End If

' Check for previous results file, rename with datestamp to prevent overwriting audit information

If fso.FileExists(strOutputFile) Then
	Set strOldFile = fso.GetFile(strOutputFile)
	createdate = strOldFile.DateCreated

	strDay = Day(createdate)
	strMonth = Month(createdate)
	strYear = Year(createdate)

	If len(strDay) < 2 Then
		strDay = "0" & strDay
	End If

	If len(strMonth) < 2 Then
		strMonth = "0" & strMonth
	End If

	strNewFileName = "C:\temp\privileged_group_membership_" & strYear & strMonth & strDay & ".txt"
	fso.MoveFile strOutputFile, strNewFileName
End If

' Open privileged groups file and create output file

Set objReadFile = fso.OpenTextFile(strGroupsFile, ForReading)
Set objWriteFile = fso.OpenTextFile(strOutputFile, ForAppending, True)

objWriteFile.Write "Membership of privileged groups as of " & Time & " on " & Date & vbCrLf & vbCrLf & vbCrLf

' Query AD for the membership of each group listed in the privileged groups file and write it to the output file

Do until objReadFile.AtEndOfStream
	strGroupFQDN = objReadFile.ReadLine
	Set objGroup = GetObject("LDAP://" & strGroupFQDN)
	' GetEx raises an error if the group has no members
	arrMemberOf = objGroup.GetEx("member")
	objWriteFile.Write "Group: " & strGroupFQDN & vbCrLf & vbCrLf
	For Each strMember in arrMemberOf 
		Set strUsername = GetObject("LDAP://"  & strMember)
		If len(strUsername.sAMAccountName) < 8 Then
			objWriteFile.Write strUsername.sAMAccountName & vbTab & vbTab & strMember & vbCrLf
		Else
			objWriteFile.Write strUsername.sAMAccountName & vbTab & strMember & vbCrLf
		End If
	Next
	Set objGroup = Nothing
	objWriteFile.Write vbCrLf & vbCrLf
Loop

' Close open objects and quit script.

Wscript.Echo "Script complete."

objReadFile.Close
objWriteFile.Close

Wscript.Quit
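
The comparison the post describes as future work (checking the most recent file against the previous one), as an added example that is not part of the original post: it parses the "Group:" headers and tab-separated member lines the script above writes, and exits with code 1 when membership has changed so a scheduled task can alert on it. The script name compare_membership.vbs and its two file arguments are assumptions.

```vbscript
' Added example: compare two snapshots written by the audit script and
' report members added to or removed from each group.
' Usage (assumed name): cscript //nologo compare_membership.vbs <older> <newer>
Option Explicit

Const ForReading = 1
Dim fso, dictOld, dictNew, strKey, intChanges

If WScript.Arguments.Count <> 2 Then
	WScript.Echo "Usage: compare_membership.vbs <older file> <newer file>"
	WScript.Quit 2
End If

Set fso = CreateObject("Scripting.FileSystemObject")
Set dictOld = LoadSnapshot(WScript.Arguments(0))
Set dictNew = LoadSnapshot(WScript.Arguments(1))
intChanges = 0

For Each strKey In dictNew.Keys
	If Not dictOld.Exists(strKey) Then Report "ADDED", strKey, dictNew(strKey)
Next
For Each strKey In dictOld.Keys
	If Not dictNew.Exists(strKey) Then Report "REMOVED", strKey, dictOld(strKey)
Next

If intChanges = 0 Then
	WScript.Echo "No membership changes."
	WScript.Quit 0
End If
WScript.Quit 1	' non-zero exit code lets a scheduled task raise an alert

' Read one snapshot into a dictionary keyed on "group DN <tab> member DN",
' with the member's sAMAccountName as the value.
Function LoadSnapshot(strPath)
	Dim dict, objFile, strLine, strGroup, arrParts
	Set dict = CreateObject("Scripting.Dictionary")
	dict.CompareMode = vbTextCompare	' DNs are not case-sensitive
	strGroup = ""
	Set objFile = fso.OpenTextFile(strPath, ForReading)
	Do Until objFile.AtEndOfStream
		strLine = objFile.ReadLine
		If Left(strLine, 7) = "Group: " Then
			strGroup = Mid(strLine, 8)
		ElseIf strGroup <> "" And InStr(strLine, vbTab) > 0 Then
			' Member line: sAMAccountName, one or two tabs, member DN
			arrParts = Split(strLine, vbTab)
			dict(strGroup & vbTab & arrParts(UBound(arrParts))) = arrParts(0)
		End If
	Loop
	objFile.Close
	Set LoadSnapshot = dict
End Function

' Print one change and count it.
Sub Report(strAction, strEntry, strAccount)
	Dim arrKey
	arrKey = Split(strEntry, vbTab)
	WScript.Echo strAction & vbTab & strAccount & vbTab & arrKey(1) & vbTab & "group: " & arrKey(0)
	intChanges = intChanges + 1
End Sub
```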

Posted in Active Directory, VBScript

Web Debugging with Fiddler

Posted by Joe Thompson on August 2, 2011

A colleague introduced me to a great little tool the other day which we used for diagnosing a slow website fault. Fiddler is a freeware product which, in their own words, provides “a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet”.

This comes in especially useful when attempting to find out why a website is taking a long time to load, as I dealt with recently. Unfortunately, I’m unable to post screenshots due to the sensitive nature of the sites in question, but I am able to describe the symptoms and the steps taken.

First, some background. The website has been up and running for months. No changes have occurred except some Windows patching a couple of weeks ago (uh-oh!). Anecdotal evidence indicates that the fault appears to be a recent issue; however, as with all anecdotal evidence, this is far from definitive fact.

Investigations so far have failed to turn up any configuration faults, either in the website, on the server, or at infrastructure (AD / DNS) or network level. Other sites on the same server are accessible without issue. Individual files within this website are downloadable extremely quickly, so it appears to be a fault in the website operation itself, probably the coding somewhere.

So, we opted to use Fiddler to get a more forensic look at what’s happening when the website is launched:

  1. First I launched Fiddler, then I launched IE and attempted to connect to the faulty website.
  2. In the Web Sessions window, I could see a successful 200 HTTP code indicating the initial connection to the website, followed by an attempt to download a number of .css files.
  3. After a couple of minutes, the download of the .css files timed out, and finally the IE window finished loading.

Starting with the obvious, I checked for faulty links. I was able to see all the .css files in the source folder … or was I? Re-checking the host tags, for some reason launching this website was attempting to download style sheets from a slightly different URL. Attempts to ping or connect to this URL by any method resulted in failure.

Returning this info back to the web developers enabled them to identify a variable file which was redirecting the browser to a now-defunct site to download the .css files. After a quick update to this file, the browser was able to retrieve the files it was supposed to and without the ensuing time-out, the page now loads in a fraction of a second – as expected.

If I get some free time I’ll try and mock up a similar situation so you can see the screenshots from this investigation, but hopefully the above has given you a taste of what Fiddler does and what it can be used for. This was just my first foray into using the product and I’m sure it has many more tricks up its sleeve, but this was more than enough for me to want to pass it on to anyone who hasn’t heard about it yet…

 

 

Posted in Fiddler, IIS, Tools