PowerShell

Group account login tracking

Viewing 3 reply threads
  • Author
    Posts
    • #1559178
      Jonathan Wegner
      Participant
      • Topics: 1
      • Replies: 2
      Member Points: 124
      Rank: Level 2

      We use group logins but need a way to track what user is using the group account.  In addition to this, we need users to keep their personal accounts active despite using group accounts.  One thought was to have a login script that runs from the group account.  It would prompt the user for their personal account login information, authenticate to the domain, write the user information to file and then allow the user to login.  If the user is unable to login to their personal account it would kick them out with a message that they need to verify their personal login information.

      Is the above possible in powershell or is another scripting language better suited?  If it is possible, any assistance in how to do it would be much appreciated.  I’m a powershell novice, but I have a programming background.  I can think through the logic, just no idea how to implement it.

      Wags

      0
    • #1559196
      Leos Marek
      Moderator
      • Topics: 30
      • Replies: 282
      Post count: 299
      Member Points: 18,161
      Rank: Level 4

      What is a group account? I only know personal or shared accounts.

      0
      • #1559197
        Jonathan Wegner
        Participant
        • Topics: 1
        • Replies: 2
        Member Points: 124
        Rank: Level 2

        Group would be the same as a shared account.  It is not tied to one person but is tied to a specific system function that cannot be tied to one person.

        0
    • #1559198
      David Figueroa
      Participant
      • Topics: 5
      • Replies: 44
      Post count: 14
      Member Points: 3,272
      Rank: Level 3

      Powershell would definitely be a good choice for something like this.

Ideally, you’d want it as a login script for the shared accounts.  I would set it up as a WPF script that ran full screen in modal mode.  You could make it run synchronously (group policy/registry setting). Use the AccountManagement framework to prompt the user for their credentials and validate them against AD, and of course log them off if they fail more than x amount of times. Additionally, you could log the attempts to a text file, or an eventlog, etc.

      Richard Siddaway’s blog on this is a great starting point. https://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/

      If the group account is tied to the same set of users for each one, then you could even present them a list of users from that group to select from as a choice (but it’s not necessary obviously).

      David F.

      0
    • #1559200
      Leos Marek
      Moderator
      • Topics: 30
      • Replies: 282
      Post count: 299
      Member Points: 18,161
      Rank: Level 4

      Can you describe your use case?

Things like shared accounts should not be used for any administrative purposes. Why don't you simply add the needed permissions to a group of users? Then you would not have to do any tracking like this in the first place.

      0
      • #1559201
        Jonathan Wegner
        Participant
        • Topics: 1
        • Replies: 2
        Member Points: 124
        Rank: Level 2

        These are not administrator accounts.  This usage is common in the military where you have someone “standing watch” and need a shared account so all have access to the same information.
        I saw this particular type of usage in a previous position where we ran training exercises over the course of several days using computers to drive the training scenario.  It was not wise to force users to logout and have another user login right in the middle of a battle.

        0
        • #1559202
          Leos Marek
          Moderator
          • Topics: 30
          • Replies: 282
          Post count: 299
          Member Points: 18,161
          Rank: Level 4

That did not help me much to understand what you are trying to achieve. Having a shared account for a training session is understandable, but I don’t get the rest 🙂

          Anyway, you could create a simple script that will do a Start-Process powershell.exe -credential (get-credential) parameter and start your second script that will write the info to the file. If the start-process fails due to bad authentication, you can logoff the shared account.

          Make sure to enable this GPO option otherwise your users will not get the interactive Powershell window.

          0
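Putting David's AccountManagement suggestion and Leos's prompt-then-log idea together, here is an added example logon script for the shared account (my own sketch, not code from the thread or from 4sysops). The domain name, the CSV path and the attempt limit are placeholders you would replace.

```powershell
# Added example: runs as the logon script of the shared account, prompts for the
# user's personal domain credentials, validates them against AD, writes an audit
# row, and logs the shared session off after too many failures.
# Assumptions (placeholders): $Domain, $LogPath and $MaxAttempts below.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Add-Type -AssemblyName System.Windows.Forms

$Domain      = 'EXAMPLE.LOCAL'                            # placeholder domain
$LogPath     = 'C:\SharedAccountAudit\watch-logins.csv'   # placeholder path
$MaxAttempts = 3

# Validate a personal account against the domain without logging it on interactively.
function Test-PersonalCredential {
    param([pscredential]$Credential)
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        return $ctx.ValidateCredentials($Credential.UserName,
                                        $Credential.GetNetworkCredential().Password)
    }
    finally { $ctx.Dispose() }
}

# Append one audit row: who used the shared account, where, when, and the outcome.
# The password is never written, only the user name and result.
function Write-AuditRecord {
    param([string]$PersonalUser, [string]$Result)
    [pscustomobject]@{
        Timestamp     = (Get-Date).ToString('o')
        SharedAccount = $env:USERNAME
        Computer      = $env:COMPUTERNAME
        PersonalUser  = $PersonalUser
        Result        = $Result
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

$attempt = 0
$ok      = $false
do {
    $attempt++
    $cred = Get-Credential -Message "Shared account '$env:USERNAME': enter your personal domain credentials ($attempt of $MaxAttempts)"
    if ($null -eq $cred) { Write-AuditRecord -PersonalUser '(cancelled)' -Result 'Cancelled'; break }
    $ok = Test-PersonalCredential -Credential $cred
    $result = if ($ok) { 'Success' } else { 'Failure' }
    Write-AuditRecord -PersonalUser $cred.UserName -Result $result
} until ($ok -or $attempt -ge $MaxAttempts)

if (-not $ok) {
    # Cancelled or too many failures: tell the user, record it, end the shared session.
    [System.Windows.Forms.MessageBox]::Show('Your personal credentials could not be verified. Please check your personal login details.', 'Shared account login') | Out-Null
    Write-AuditRecord -PersonalUser '(none)' -Result 'LoggedOff'
    shutdown.exe /l
}
```

Each ValidateCredentials call is a real authentication against the domain, so failed attempts count toward the personal account's lockout threshold and appear as logon events on the domain controllers, which is useful for correlation. As David notes, this only enforces anything if it runs synchronously and full screen, and the CSV should be append-only for the shared account rather than readable or editable by it.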
© 4sysops 2006 - 2020