To help detect and prevent malicious behavior, I usually implement scripts or other monitoring features in my customers' environments.

One of the snippets I frequently use detects newly created accounts. By implementing this, we can quickly detect if someone creates new accounts without the IT department's knowledge.

The following script checks for accounts created in the last 14 days.
You can change the scope by adjusting the $Days parameter. Note that it needs to be a negative value.
And remember to load the Active Directory module before you run the code.

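Import-Module ActiveDirectory

# Negative number of days to look back from now
$Days = -14
# Only request the two properties the report needs instead of -Properties *
$Newly = Get-ADUser -Filter * -Properties DisplayName,whenCreated |
  Where-Object { $_.whenCreated -ge (Get-Date).AddDays($Days) } |
  Select-Object DisplayName,whenCreated
foreach ($User in $Newly) {
  $NewName = $User.DisplayName
  $NewDate = $User.whenCreated.ToString("yyyy-MM-dd")
  Write-Host "NEW: $NewName ($NewDate)"
}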
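
The script lists every new account. To surface only the ones created without the IT department's knowledge, the list can be compared against the accounts IT knows it created. The following is an added example, not part of the original script; the function name Find-UnexpectedNewAccount, the sample accounts and the approved.txt file are hypothetical.

```powershell
# Added example: report new accounts that are NOT on an approved list.
function Find-UnexpectedNewAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,  # objects with SamAccountName and whenCreated
        [string[]] $Approved = @(),                   # accounts IT knows it created
        [int] $Days = -14                             # negative, as in the script above
    )
    if ($Days -ge 0) { throw '$Days must be a negative value.' }
    $Since = (Get-Date).AddDays($Days)
    # -notin compares case-insensitively by default
    $Accounts |
        Where-Object { $_.whenCreated -ge $Since -and $_.SamAccountName -notin $Approved } |
        Sort-Object whenCreated -Descending
}

# Constructed sample data so the function can be tried without a domain.
$Sample = @(
    [pscustomobject]@{ SamAccountName = 'anna.berg';   whenCreated = (Get-Date).AddDays(-3) }
    [pscustomobject]@{ SamAccountName = 'svc-backup2'; whenCreated = (Get-Date).AddDays(-1) }
    [pscustomobject]@{ SamAccountName = 'old.user';    whenCreated = (Get-Date).AddDays(-90) }
)
$Known = @('Anna.Berg')   # constructed; e.g. taken from onboarding tickets

Find-UnexpectedNewAccount -Accounts $Sample -Approved $Known | ForEach-Object {
    Write-Host ("UNEXPECTED: {0} ({1:yyyy-MM-dd})" -f $_.SamAccountName, $_.whenCreated)
}

# Against a real domain (requires the ActiveDirectory module; approved.txt is hypothetical):
# $Accounts = Get-ADUser -Filter * -Properties DisplayName,whenCreated
# Find-UnexpectedNewAccount -Accounts $Accounts -Approved (Get-Content .\approved.txt)
```

With the sample data only svc-backup2 is reported: anna.berg is on the approved list and old.user falls outside the 14-day window.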

If you found this helpful or have any feedback please post a message below.