Lithnet Access Manager
PricingRequest a trial or quoteDownloads
v3.0
v3.0
  • Home
  • How does Lithnet Access Manager help prevent lateral movement?
  • Access Manager Editions
  • Licensing
  • What's new in Access Manager v3
  • Change log
  • Installation
    • Getting started
    • System Requirements
    • Downloads
    • Upgrading from Access Manager v1
    • Upgrading from Access Manager v2
      • Considerations for migrating from Access Manager v2
    • Installing the Access Manager Server
      • Creating a service account for the Access Manager Service
      • SQL installation options
      • Installing the Access Manager Service
      • High availability options
        • Load balancing Access Manager
    • Installing the Access Manager Agent
      • Enabling agent support on the AMS server
      • Installing the Access Manager Agent on Windows
      • Installing the Access Manager Agent on Linux
      • Installing the Access Manager Agent on macOS
  • Configuration
    • Setting up Authentication
      • Setting up authentication with ADFS
      • Setting up authentication with Microsoft Entra ID
      • Setting up authentication with Okta
      • Setting up smart card authentication
      • Setting up integrated windows authentication
    • Deploying Features
      • Setting up RapidLAPS
      • LAPS
        • Setting up Microsoft LAPS for Active Directory
        • Setting up Microsoft LAPS for Entra
        • Setting up Lithnet LAPS
      • Just-in-time Authentication (JIT)
        • Setting up JIT for computers
        • Setting up JIT for roles
      • Setting up BitLocker access
        • Setting up access to BitLocker keys stored in Active Directory
        • Setting up BitLocker recovery key backup and access using the Access Manager Agent
    • Importing authorization rules
      • Import Microsoft LAPS permissions from Active Directory
      • Importing BitLocker permissions from Active Directory
      • Importing local administrator group membership from domain-joined Windows devices
      • Import mappings from a CSV file
      • Performing an offline discovery of local admins
  • Help and support
    • Frequently asked Questions
    • Troubleshooting
    • Quick start guides
      • Getting started with Windows LAPS and Lithnet Access Manager
      • Getting started with Windows LAPS for Active Directory
      • Getting started with Windows LAPS for Microsoft Entra
      • Getting started with RapidLAPS
    • Product lifecycle
    • Choosing between the Lithnet and Microsoft agent for LAPS
    • Support Articles
      • KB000001: The Access Manager Agent cannot connect and logs a token-validation-failed error
      • KB000002: Users retain their admin rights after their JIT period expires
      • KB000003: Configuring the Access Manager Agent to manage an account other than 'root' on Linux
      • KB000004: Creating a log file to troubleshoot installation issues with the Access Manager Service
      • KB000005: Access Manager stops working after applying the November 2022 Windows update
      • KB000006: Migrating the Access Manager Database
      • KB000007: Adding JIT groups via Group Policy doesn't work with NTLM Disabled
      • KB000008: AMS is unable to JIT into privileged groups such as Domain Admins
      • KB000009: Access Manager may return an out-of-date LAPS password, or no password at all
      • KB000010: The Access Manager agents fail to register on macOS 15 (Sequoia)
      • KB000011: Users report delays in obtaining just-in-time access via AD
      • KB000012: Troubleshooting Windows authentication in the Access Manager Web App
      • KB000013: Access Manager cannot be installed on Windows Server 2016 with TLS 1.0 disabled
    • Advanced help topics
      • Creating an Entra app registration or Access Manager
      • Setting up agent policies
      • Managing word lists
      • Password history retention
      • Ports and traffic flows
      • Internet access requirements
      • Access evaluation in Access Manager Service (AMS)
      • Recovering from a lost encryption certificate
      • Script-based authorization
      • Customized auditing with PowerShell notification channels
      • Variables available in audit notification channels
      • Setting up audit templates
      • Backup and Restore
      • Event ID reference
      • Group policy configuration
    • PowerShell reference
      • Add-AmsDeviceRegistrationKeyGroup
      • Add-AmsGroupMember
      • Add-AmsIdpClaimMapping
      • Clear-AmsIdpClaimMapping
      • Export-AmsServerDiagnostics
      • Get-AmsActiveDirectoryJitOptions
      • Get-AmsActiveDirectoryJitGroupCreationRule
      • Get-AmsComputerAuthorizationRule
      • Get-AmsDevice
      • Get-AmsDeviceRegistrationKey
      • Get-AmsFveRecoveryKey
      • Get-AmsGroup
      • Get-AmsGroupMembers
      • Get-AmsHostConfig
      • Get-AmsIdpClaimMapping
      • Get-AmsJitSchedulerJob
      • Get-AmsLocalAdminPassword
      • Get-AmsLocalAdminPasswordHistory
      • Get-AmsRoleAuthorizationRule
      • Get-AmsServiceConfig
      • New-AmsActiveDirectoryJitGroupCreationRule
      • New-AmsComputerAuthorizationRule
      • New-AmsDeviceRegistrationKey
      • New-AmsGroup
      • New-AmsRoleAuthorizationRule
      • Remove-AmsActiveDirectoryJitGroupCreationRule
      • Remove-AmsComputerAuthorizationRule
      • Remove-AmsDevice
      • Remove-AmsDeviceRegistrationKey
      • Remove-AmsDeviceRegistrationKeyGroup
      • Remove-AmsGroup
      • Remove-AmsGroupMember
      • Remove-AmsJitSchedulerJob
      • Remove-AmsRoleAuthorizationRule
      • Set-AmsActiveDirectoryJitGroupCreationRule
      • Set-AmsActiveDirectoryJitOptions
      • Set-AmsComputerAuthorizationRule
      • Set-AmsDevice
      • Set-AmsDeviceRegistrationKey
      • Set-AmsGroup
      • Set-AmsHostConfig
      • Set-AmsRoleAuthorizationRule
      • Set-AmsServiceConfig
    • Application help pages
      • Host configuration page
      • App Configuration
        • AMS License configuration page
        • Authentication configuration page
        • Email configuration page
        • Rate limit configuration page
        • IP Address detection configuration page
        • User interface configuration page
        • Auditing page
        • Security page
        • Database configuration page
      • Access Manager Agent
        • Access Manager Agent - Agent registration page
        • Agent Policies
          • Access Manager Agent - Windows polices page
          • Access Manager Agent - macOS polices page
          • Access Manager Agent - Linux polices page
          • Access Manager Agent - Legacy AMSv2 policies page
        • Access Manager Agent - Password settings page
        • Access Manager Agent - Devices page
        • Access Manager Agent - Groups page
      • Directory Configuration
        • Active Directory configuration page
          • Microsoft LAPS configuration page
          • Lithnet LAPS configuration page (Active Directory)
          • Just-in-time access configuration page
          • BitLocker configuration page
        • Microsoft Entra configuration page
      • Authorization Rules
        • Computer authorization rules page
        • Role authorization rules page
      • Effective access page
    • Getting Support
Powered by GitBook
On this page
  • Example script
  • Script Parameters
  • $eventData
  • Logging information
  • Performance
  • Available variables
  • Legacy (v1) PowerShell scripts

Was this helpful?

  1. Help and support
  2. Advanced help topics

Customized auditing with PowerShell notification channels

PreviousScript-based authorizationNextVariables available in audit notification channels

Last updated 11 months ago

Was this helpful?

Access Manager's auditing framework allows you to extend the product's auditing capabilities through the use of PowerShell scripts. Using a PowerShell notification channel, you can send audit events to any system you can connect to with PowerShell.

Example script

The following script is a very simple example that extracts some audit information from the supplied eventData object, and writes to the PowerShell information stream.

function Write-AuditEvent{
    param(
    $eventData)

    Write-Information "We're in PowerShell for auditing!";

    # Learn more about PowerShell auditing scripts https://go.lithnet.io/fwlink/jgazdugh

    $user = $eventData.User.FullyQualifiedName
    $target = $eventData.Request.Target
    $result = $eventData.Response.Code
    $accessType = $eventData.Response.AccessType
    $isSuccess = $eventData.Response.IsSuccess
    
    if ($isSuccess)
    {
        Write-Information "User $user successfully requested $accessType access to $target";
    }
    else
    {
        Write-Information "User $user was denied $accessType access to $target with response code $result";
    }
}

Script Parameters

$eventData

The $eventData variable is an object that contains information about the access request. See the Available variables section below for the list of available variables you can use.

Logging information

You can use the Write-Information, Write-Warning, Write-Verbose cmdlets to write to the AMS log file. Note that if you use Write-Error, or if an exception is thrown and not handled, the auditing event will fail. If you tick the Deny the user's request if the delivery of this notification fails option, the user's request will be denied.

Performance

If you use the Deny the user's request if the delivery of this notification fails, the user's access request cannot be granted until your script completes. From the user's perspective, they will be waiting in the browser while the audit event takes place. If you have a slow script, or lots of scripts, this wait time may seem excessive.

If you do not use this option, the user is granted their access request, and the audit event is delivered asynchronously. Any failures will be logged in the AMS logs, but the user will not be denied access.

Scripts must complete within 10 seconds, or they are cancelled by the Access Manager engine.

Available variables

Legacy (v1) PowerShell scripts

Access Manager v1 used a slightly different PowerShell script format. These scripts are still supported by Access Manager v3, but only work for Computer access auditing. You should upgrade any scripts to v3 scripts to ensure full audit information for all types of access requests is available.

function Write-AuditLog{
    param(
    [hashtable]$tokens,
    [bool]$isSuccess
)
}

The page contains a full list of all valid variables that you can use throughout your scripts.

audit variables