Group account logon capture

I have a need to capture who logs on to a group account by having the user authenticate with their own AD account. Unfortunately, I’m a complete novice at PS and not much better at AD.

Here are the basic requirements:

  1. User logs in as the group account user, immediately prompted for personal account login.
  2. Not allowed to proceed to desktop unless personal account login is successful, logs out group account if failure.
  3. If group account screen locks, unlocking requires re-authentication. This prevents one user from logging in, locking screen and walking away and another user unlocking the group account and operating as first user.
  4. Lock screen or logout of group account logs out user from their own account, active use on the group account maintains user login to AD.

I appreciate any assistance that can be given. Part of me thinks that not all of the above is obtainable, and I'm not entirely sure PS is the appropriate place to do this.

Wags

Hello Wags,

What exactly do you mean by “group account logon”?

Kris.

You say you are a novice, so it is vital that you get up to speed on PowerShell holistically in order to limit / avoid bad habits, misconceptions, errors, etc. that you are going to encounter. See the pointers below.

This has little to do with PowerShell and more to do with trying to do an indirect Auth effort. PowerShell cannot address this as this is a Windows security boundary controlled by the OS.

A user can only log on to a system with one identity at a time. If you are using the ‘Group Account’ metafile as context for a shared account / shared password, then this by itself seems, from a risk management perspective, not to be prudent.

What you are literally talking about is trying to use PowerShell to replicate/supplant what MSGINA (that whole logon process) does. PowerShell will not do this.

To do this, you need to write your own custom MSGINA.dll implementation …

MSGina.dll Features
https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/msgina-dll-features

… and I know many seasoned programmers who’d never go down this path. It’s not easy, requires C++ programming skills, and is prone to error.

Yet, from your write-up, it seems like you have a scenario where someone has done something like this for you. Either way, if so, PowerShell still cannot control this. All you are left with is enabling advanced auditing via GPO on all target systems, and using PowerShell to mine logon events from the Security logs using the built-in Event log cmdlets.

Get-Command -Name '*event*' | Format-Table -AutoSize

# Results

CommandType Name                  Version      Source                          
----------- ----                  -------      ------                          
...
Cmdlet      Get-Event             3.1.0.0      Microsoft.PowerShell.Utility    
Cmdlet      Get-EventLog          3.1.0.0      Microsoft.PowerShell.Management 
Cmdlet      Get-EventSubscriber   3.1.0.0      Microsoft.PowerShell.Utility    
Cmdlet      Get-WinEvent          3.0.0.0      Microsoft.PowerShell.Diagnostics
Cmdlet      Limit-EventLog        3.1.0.0      Microsoft.PowerShell.Management 
...  
Cmdlet      New-Event             3.1.0.0      Microsoft.PowerShell.Utility
Cmdlet      New-EventLog          3.1.0.0      Microsoft.PowerShell.Management 
...
Cmdlet      New-WinEvent          3.0.0.0      Microsoft.PowerShell.Diagnostics
…

# Always look to the help files first.

# Get parameters, examples, full and Online help for a cmdlet or function

# Get a list of all functions
Get-Command -CommandType Function | 
Out-GridView -PassThru -Title 'Available functions'

# Get a list of all commandlets
Get-Command -CommandType Cmdlet | 
Out-GridView -PassThru -Title 'Available cmdlets'

# Get a list of all functions for the specified name
Get-Command -Name '*ADGroup*' -CommandType Function | 
Out-GridView -PassThru -Title 'Available named functions'

# Get a list of all commandlets for the specified name
Get-Command -Name '*ADGroup*' -CommandType Cmdlet | 
Out-GridView -PassThru -Title 'Available named cmdlet'

# get function / cmdlet details
(Get-Command -Name Get-ADUser).Parameters
Get-help -Name Get-ADUser -Examples
Get-help -Name Get-ADUser -Full
Get-help -Name Get-ADUser -Online


# Get parameter that accepts pipeline input
Get-Help Get-ADUser -Parameter * | 
Where-Object {$_.pipelineInput -match 'true'} | 
Select * 


# List of all parameters that a given cmdlet supports along with a short description:
Get-Help dir -para * | 
Format-Table Name, { $_.Description[0].Text } -wrap

Get-Help about_*
Get-Help about_Functions

# All Help topics locations
Get-Help about* | Select Name, Synopsis

Get-Help about* | 
  Select-Object -Property Name, Synopsis |
  Out-GridView -Title 'Select Topic' -OutputMode Multiple |
  ForEach-Object {
    Get-Help -Name $_.Name -ShowWindow
  }

explorer "$pshome\$($Host.CurrentCulture.Name)"

There are pre-built scripts on the MS powershellgallery.com that you can leverage as is or tweak as needed.

Security Log Logon/Logoff Event Reporter

This script reads the security log, then displays a chronological record of local and remote logon and logoff activities, including failed attempts if enabled in Group/Local Policy. It allows the input of a date range and a remote hostname if desired.

https://gallery.technet.microsoft.com/scriptcenter/Log-Parser-to-Identify-8aac36bd

Yet, again, you are new, so get ramped up, as you should never run any code, from anyone, no matter where you get it from, unless you fully understand explicitly what it is doing. If not, you can pose serious risks operationally and security-wise in your environment. Always, always use unknown code in an isolated test lab first.

Learning Resource Pointers

https://social.technet.microsoft.com/wiki/contents/articles/183.windows-powershell-survival-guide.aspx
https://www.reddit.com/r/PowerShell/comments/99dc5d/powershell_for_a_noob
https://www.reddit.com/r/PowerShell/comments/ax83qg/how_to_learn_powershell
https://www.reddit.com/r/PowerShell/comments/95y82g/whats_the_best_youtube_powershell_tutorial_series
https://www.reddit.com/r/PowerShell/comments/ar6cvt/powershell_in_depth_second_edition/egmlpom/?context=3
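
The log-mining approach described in the reply above, as an added example that is not part of the original thread: it turns Security-log session events for one shared account into a timeline of logon, lock, unlock and logoff. The account name `shared-kiosk`, the helper function names and the sample events are assumptions constructed for illustration; the events record only the shared account's name, so the timeline shows when and from where it was used, not which person used it.

```powershell
# Added example. 'shared-kiosk' and the sample events are constructed. Event IDs are the
# standard ones: 4624 logon, 4634 logoff, 4647 user-initiated logoff, 4800 lock, 4801 unlock.
$EventNames = @{
    4624 = 'Logon'; 4634 = 'Logoff'; 4647 = 'UserInitiatedLogoff'
    4800 = 'WorkstationLocked'; 4801 = 'WorkstationUnlocked'
}
function ConvertFrom-SessionEventXml {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [Parameter(Mandatory)][string]$AccountName
    )
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $AccountName) { return }   # skip other accounts
        [pscustomobject]@{
            TimeCreated = [datetime]$evt.System.TimeCreated.SystemTime
            Action      = $EventNames[[int]$evt.System.EventID]
            Account     = $data['TargetUserName']
            LogonId     = $data['TargetLogonId']   # ties lock/unlock/logoff to one session
            LogonType   = $data['LogonType']       # 2 = interactive, 7 = unlock, 10 = RDP
            SourceIp    = $data['IpAddress']
        }
    }
}

# Builds a minimal event document in the shape returned by ToXml() (constructed sample).
function New-SampleEventXml([int]$Id, [string]$Time, [hashtable]$Data) {
    $fields = ($Data.GetEnumerator() |
        ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>" +
    "<EventID>$Id</EventID><TimeCreated SystemTime='$Time'/></System>" +
    "<EventData>$fields</EventData></Event>"
}

$kiosk  = @{ TargetUserName = 'shared-kiosk'; TargetLogonId = '0x3e7a1' }
$sample = @(
    New-SampleEventXml 4624 '2024-01-15T08:02:11Z' ($kiosk + @{ LogonType = 2; IpAddress = '127.0.0.1' })
    New-SampleEventXml 4800 '2024-01-15T08:40:00Z' $kiosk
    New-SampleEventXml 4801 '2024-01-15T09:05:30Z' $kiosk
    New-SampleEventXml 4624 '2024-01-15T09:10:00Z' @{ TargetUserName = 'jdoe'; TargetLogonId = '0x51c22' }
    New-SampleEventXml 4647 '2024-01-15T12:00:00Z' $kiosk
)
$sample | ConvertFrom-SessionEventXml -AccountName 'shared-kiosk' | Format-Table -AutoSize
# Live use (elevated, with logon/logoff auditing enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624,4634,4647,4800,4801 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-SessionEventXml -AccountName 'shared-kiosk'
```

Events 4800 and 4801 are only written when the "Audit Other Logon/Logoff Events" subcategory is enabled, and an unlock additionally records a 4624 with logon type 7.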