I'm looking for a solution to capture when User Account Control occurs on client computers. I want to develop a PowerShell script and deploy it in an environment with Active Directory 2008 and Windows 10 clients. Currently end users have full local administration rights. I need a report to check how often they really need elevated permissions.
Regards, Lynx
To see when UAC prompts are displayed, you can enable UAC auditing on devices with a registry key or a Group Policy setting, as covered here:
UAC auditing is done by changing Windows policy (Local or Group). The policy of interest is found at: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
Audit Privilege Use will give you information about elevated usage through the UAC consent.exe dialog box in the System event log. The event IDs created by this: 4648 and 4624.
Audit Process Tracking will give you information about processes and their creation/termination. The event ID created by this: 4688. Also look at event ID 4696 to see when a new token (user-logon handle) was assigned to a process. Using all these events, you can get a clear picture of the timeline for every process that requested elevated rights with the UAC dialog.
Once that's done, you can audit those events in a PowerShell script by looking for the Windows events with the appropriate IDs, like this:
```powershell
# Same query as posted, using -FilterHashtable so the log is filtered by the
# event log service instead of pulling every record into the pipeline first.
$UACEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4648, 4624 }
```
Then you simply bake that into whatever process you like.
Event Info

Id    Event
----  -------------------------------------------------
4624  A new account was logged in
4648  A logon was attempted using explicit credentials
4696  A primary token was assigned to process
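As an added example (not part of the answer above and not the original poster's code), here is a PowerShell report that does the counting the question asks for. It reads the 4688 process-creation events that "Audit Process Creation" (under Audit Process Tracking) writes to the Security log and uses the event's TokenElevationType field to separate launches that actually ran elevated through UAC (a Full token, value %%1937) from launches that ran with the filtered, non-elevated token that an administrator gets by default under UAC (a Limited token, value %%1938). The event ID, field names and elevation codes are Windows' own; the computer name, the seven-day look-back window and the report layout are assumptions.

```powershell
# Added example: per-user report of elevated vs. non-elevated process launches,
# built from Security event 4688. Assumes "Audit Process Creation" is enabled
# on the target and the caller can read its Security log (local admin, or
# remote event log access over RPC when -ComputerName is not the local host).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local machine by default
    [datetime]$Since = (Get-Date).AddDays(-7)     # assumption: last 7 days
)

# TokenElevationType values exactly as they appear in event 4688's EventData
$ElevationTypes = @{
    '%%1936' = 'Default'   # no split token: built-in Administrator, services, UAC off
    '%%1937' = 'Full'      # elevated through UAC (consent/credential prompt, "Run as administrator")
    '%%1938' = 'Limited'   # filtered admin token, i.e. the process is NOT elevated
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $Since
} -ErrorAction SilentlyContinue   # Get-WinEvent throws when nothing matches

# Flatten each event's EventData <Data Name="..."> elements into one object
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Process   = $data.NewProcessName
        Parent    = $data.ParentProcessName   # empty on builds that do not log it
        Elevation = $ElevationTypes[$data.TokenElevationType]
    }
}

# 1) How often each user actually ran elevated, ignoring Default-token processes
#    (SYSTEM, services) that never went through a UAC prompt
$records |
    Where-Object { $_.Elevation -in 'Full', 'Limited' } |
    Group-Object User |
    ForEach-Object {
        $full = @($_.Group | Where-Object Elevation -eq 'Full').Count
        [pscustomobject]@{
            User         = $_.Name
            ElevatedRuns = $full
            TotalRuns    = $_.Count
            ElevatedPct  = [math]::Round(100 * $full / $_.Count, 1)
        }
    } |
    Sort-Object ElevatedRuns -Descending |
    Format-Table -AutoSize

# 2) Which executables were launched elevated, to decide which apps really need admin
$records |
    Where-Object Elevation -eq 'Full' |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

Two caveats when reading the output. Child processes of an elevated parent (for example everything started from an elevated cmd.exe) inherit the Full token and are counted too, so use the Parent field when you want only the process that triggered the prompt. Also note that 4624 and 4648 are written to the Security log, not the System log, so a -LogName System query for those IDs returns nothing; the 4688 approach above sidesteps that and, unlike logon events, tells you directly whether the process ran elevated.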