using SA-ldapsearch to search for related accounts


I want to set up an alert if an account is disabled in active directory, a related account exists, and is left enabled. The relationship between the accounts is defined, for example, related accounts have the same sAMAccountName but with a number appended to the end to make them unique.

For example:

I have an account in active directory that was disabled: sAMAccountName=Sara. I want to verify the account is still disabled, and if so, automatically check active directory to see if Sara1 or Sara(whatever) exists, and if it is still enabled.

I need to verify because this search will not be running in real-time, so it is possible an account was disabled and re-enabled, and I do not want this to generate results.

I have SA-ldapsearch installed, and I can get various parts of this to work, but not all in the same search.

• I can perform the basic search to return results of all accounts that were disabled.

• I can use ldapfilter to check attributes and verify the account is still disabled.

• I have used ldapsearch separately to return attributes of existing accounts, and can use the wildcard to find all the accounts I want.

How do I put this all together? How do I take the results of the first half of my search, and feed them into an ldapsearch command adding a wildcard? When I try this I run into the problem that ldapsearch must be the first command of a search.

I have thought about splitting this into two searches and using a lookup file to store the results, but that seems like an awfully complex way to do this. And I am not even sure it would work.

What other options do I have?

Splunk Employee
Splunk Employee

Your best bet for this is to create a lookup with the associated accounts in it. Create a table with the account name and the associated account. You should have a CSV file that looks like this:


Whatever is appropriate to your environment. You can do this with an ldapsearch:

|ldapsearch domain=XXX search="(&(objectClass=user)(!(objectclass=computer)))" attrs="sAMAccountName" | rename sAMAccountName as assoc_user | eval isAssoc=if(match(assoc_user,"\d+$"),1,0) | where isAssoc=1 | rex field=assoc_user "^(?<src_user>.*?)\d+$" | eval src_nt_domain=XXX | table src_nt_domain,src_user,assoc_user | outputlookup associated_users.csv

Now, with that lookup, you can do what you want:

sourcetype=WinEventLog:Security (EventCode=629 OR EventCode=4725) | lookup associated_users src_nt_domain,src_user OUTPUT assoc_user | ldapfilter domain=$src_nt_domain$ search="(sAMAccountName=$assoc_user$)" attrs="userAccountControl" | where userAccountControl!="*DISABLE*" | stats values(assoc_user) by src_nt_domain,src_user

What you will get is a table with the domain and username of the newly-disabled user and the list of associated accounts that have not been disabled yet.

(Note: search commands have not been verified independently, since I don't have your environment)