Monitoring AD users



  • What are you using to monitor account expirations, account locks (badPwdCount, expiration, ...) and unused accounts (lastLogonTime)? I'm looking for something that can also monitor computer accounts (like unused machine accounts). Big plus would be a reporting feature, like a PDF or CSV export.

    I could write something myself, like a little PowerShell script or a small Windows service, but I would prefer to use something that already exists. Free / open source a plus.
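The kinds of lists the question asks for (account expirations, lockouts, unused users and unused computer accounts, with a CSV export) can all be pulled with the RSAT ActiveDirectory module's Search-ADAccount cmdlet. The script below is an added example written for this thread, not code from any poster or from Netwrix; the search base, the 90/30-day thresholds and the C:\ADReports output folder are assumed defaults, and each list lands in its own dated CSV so a scheduled task can run it unattended.

```powershell
# Added example (not from this thread): one scheduled report that covers what the
# question asks for (account expirations, lockouts, unused users and computers)
# and writes each list to its own CSV. Needs the RSAT ActiveDirectory module.
# SearchBase, thresholds and output folder are assumed defaults; override as needed.
[CmdletBinding()]
param(
    [string]$SearchBase,                  # OU to report on; whole domain when empty
    [int]$InactiveDays = 90,              # "unused" threshold for users and computers
    [int]$ExpiringWithinDays = 30,        # report accounts that expire within this window
    [string]$ReportRoot = 'C:\ADReports'  # assumed output folder
)

Import-Module ActiveDirectory

if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }
New-Item -ItemType Directory -Path $ReportRoot -Force | Out-Null
$stamp = Get-Date -Format 'yyyy-MM-dd'

# LastLogonDate is derived from lastLogonTimestamp, which replicates between DCs but
# is only refreshed when the stored value is more than about 14 days old, so treat
# it as approximate when deciding whether an account is really unused.
$columns = 'Name', 'SamAccountName', 'ObjectClass', 'Enabled', 'LastLogonDate',
           'AccountExpirationDate', 'LockedOut', 'PasswordExpired', 'DistinguishedName'

$inactive = [TimeSpan]::FromDays($InactiveDays)
$expiring = [TimeSpan]::FromDays($ExpiringWithinDays)

$reports = [ordered]@{
    # Still-enabled accounts nobody has used for $InactiveDays days
    'inactive-users'     = { Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $inactive -SearchBase $SearchBase | Where-Object Enabled }
    # A domain-joined computer logs on (and rotates its machine password) regularly,
    # so a long-silent but still enabled computer object is usually decommissioned hardware
    'inactive-computers' = { Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $inactive -SearchBase $SearchBase | Where-Object Enabled }
    'locked-out'         = { Search-ADAccount -LockedOut -SearchBase $SearchBase }
    'account-expiring'   = { Search-ADAccount -AccountExpiring -TimeSpan $expiring -SearchBase $SearchBase }
    'account-expired'    = { Search-ADAccount -AccountExpired -SearchBase $SearchBase }
    'password-expired'   = { Search-ADAccount -PasswordExpired -UsersOnly -SearchBase $SearchBase }
}

foreach ($name in $reports.Keys) {
    # Run the query for this report and keep a fixed set of columns so the CSVs line up
    $rows = @(& $reports[$name] | Select-Object $columns)
    $path = Join-Path $ReportRoot "$stamp-$name.csv"
    $rows | Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
    Write-Host ('{0,-20} {1,6} rows -> {2}' -f $name, $rows.Count, $path)
}
```

Run it from a scheduled task under an account that can read the OU (no write rights are needed), for example `.\Get-ADAccountReports.ps1 -SearchBase 'OU=Staff,DC=example,DC=invalid' -InactiveDays 60` (the file name and OU are placeholders). Disabled accounts are filtered out of the two "inactive" lists on purpose: the interesting rows are the accounts that are still usable but nobody is using.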



  • @thwr

    I like Netwrix Apps, they have a lot of free apps like:

    https://www.netwrix.com/netwrix_password_expiration_notifier.html



  • We also use Netwrix.



  • IIRC scripts that send 14, 7, and 3 day notices by email

    "change your password, idiot"



  • @MattSpeller
    Yeah, I guess that's something you need to do by hand. Will just build a small PowerShell script and use a scheduled task for it.
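For the 14-, 7- and 3-day notices mentioned above, here is an added example of such a scheduled-task script; it is not thwr's script or anyone else's from this thread. It reads the constructed attribute msDS-UserPasswordExpiryTimeComputed (so fine-grained password policies are already accounted for) and mails only the users whose password expires on exactly one of the notice days, so each person gets one mail per threshold. The SMTP server and sender address are assumed placeholders, and -DryRun lets you see who would be mailed before sending anything.

```powershell
# Added example (not from this thread): warn users whose password expires in 14, 7 or 3 days.
# msDS-UserPasswordExpiryTimeComputed already reflects fine-grained password policies.
# SMTP settings and the sender address below are assumed placeholders.
[CmdletBinding()]
param(
    [int[]]$NoticeDays = @(14, 7, 3),              # days-before-expiry on which to mail
    [string]$SearchBase,                            # optional OU; whole domain when empty
    [string]$SmtpServer = 'smtp.example.invalid',   # assumed placeholder
    [string]$From = 'helpdesk@example.invalid',     # assumed placeholder
    [switch]$DryRun                                 # print instead of sending
)

Import-Module ActiveDirectory

$adParams = @{
    Filter     = { Enabled -eq $true -and PasswordNeverExpires -eq $false }
    Properties = 'DisplayName', 'EmailAddress', 'msDS-UserPasswordExpiryTimeComputed'
}
if ($SearchBase) { $adParams.SearchBase = $SearchBase }

$today = (Get-Date).Date
$notices = foreach ($user in Get-ADUser @adParams) {
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    # 0 / missing, or the Int64 maximum, both mean the password never expires
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = ($expires.Date - $today).Days
    # Exactly-on-threshold matching: one mail per threshold, none in between
    if ($daysLeft -in $NoticeDays) {
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Name           = $user.DisplayName
            Email          = $user.EmailAddress
            Expires        = $expires
            DaysLeft       = $daysLeft
        }
    }
}

foreach ($n in $notices) {
    if (-not $n.Email) {
        Write-Warning "$($n.SamAccountName): no mail address in AD, skipping"
        continue
    }
    $body = "Hello $($n.Name),`n`nYour password expires on $($n.Expires.ToString('yyyy-MM-dd')) " +
            "($($n.DaysLeft) days from now). Please change it before then."
    if ($DryRun) {
        Write-Host "Would mail $($n.Email): $($n.DaysLeft) days left"
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $n.Email `
            -Subject "Your password expires in $($n.DaysLeft) days" -Body $body
    }
}

# Summary for the scheduled task's transcript
$notices | Format-Table SamAccountName, DaysLeft, Expires -AutoSize
```

Because the match is on the exact day count, the task must run once per day; running it with -DryRun on the first day shows the list it would have mailed without sending anything.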



  • PowerShell to monitor last login. I'll share my script tomorrow.



  • @DustinB3403 said in Monitoring AD users:

    PowerShell to monitor last login. I'll share my script tomorrow.

    Thanks, but as far as I remember, there's a problem with the last logon attribute. It doesn't sync between DCs by default. I need to check that, but I think I wrote a script some time ago that will query all your DCs directly, not only the one the executing user is logged on to.
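The attribute behaviour referred to above is real: lastLogon is updated only on the DC that handled the logon and is never replicated, while lastLogonTimestamp does replicate but is only refreshed when the stored value is more than about 14 days old. The function below is an added example of the "query every DC" approach, not thwr's own script; it takes the newest lastLogon seen on any DC for each user or computer in an OU and flags the ones that are silent everywhere. The OU in the usage line is an assumed placeholder.

```powershell
# Added example (not thwr's script): true last logon across all DCs.
# lastLogon lives only on the DC that handled the logon and is never replicated,
# so the real "last seen" is the newest value across every DC. lastLogonTimestamp
# does replicate, but is only refreshed when more than ~14 days old, so it lags.
function Get-TrueLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,                 # OU to report on
        [ValidateSet('user', 'computer')]
        [string]$ObjectClass = 'user',       # machine accounts are handled the same way
        [int]$InactiveDays = 90              # flag objects silent for this long on every DC
    )

    Import-Module ActiveDirectory

    # Ask every DC, not just the one this session happens to be bound to
    $dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Computers are a subclass of user, so objectCategory=person is needed to get users only
    $ldap = if ($ObjectClass -eq 'user') { '(&(objectCategory=person)(objectClass=user))' }
            else                          { '(objectClass=computer)' }

    $newest = @{}   # DN -> largest lastLogon (FILETIME) seen on any DC
    $meta   = @{}   # DN -> the object, for the replicated attributes
    foreach ($dc in $dcs) {
        try {
            $objects = Get-ADObject -Server $dc -SearchBase $SearchBase -LDAPFilter $ldap `
                -Properties lastLogon, lastLogonTimestamp, sAMAccountName
        } catch {
            Write-Warning "Could not query $dc ($_); results may be incomplete"
            continue
        }
        foreach ($o in $objects) {
            $seen = [long]($o.lastLogon)     # $null becomes 0: never logged on via this DC
            $dn   = $o.DistinguishedName
            if (-not $newest.ContainsKey($dn) -or $seen -gt $newest[$dn]) { $newest[$dn] = $seen }
            $meta[$dn] = $o
        }
    }

    foreach ($dn in $newest.Keys) {
        $o = $meta[$dn]
        $last       = if ($newest[$dn] -gt 0) { [DateTime]::FromFileTime($newest[$dn]) } else { $null }
        $replicated = if ($o.lastLogonTimestamp) { [DateTime]::FromFileTime($o.lastLogonTimestamp) } else { $null }
        [pscustomobject]@{
            SamAccountName     = $o.sAMAccountName
            LastLogonAnyDC     = $last           # newest non-replicated value across DCs
            LastLogonTimestamp = $replicated     # the replicated, possibly stale value
            Inactive           = (-not $last) -or ($last -lt $cutoff)
            DistinguishedName  = $dn
        }
    }
}

# Usage (assumed OU): stale computer accounts, oldest logon first, exported to CSV
# Get-TrueLastLogon -SearchBase 'OU=Workstations,DC=example,DC=invalid' -ObjectClass computer |
#     Where-Object Inactive | Sort-Object LastLogonAnyDC | Export-Csv C:\stale-computers.csv -NoTypeInformation
```

Comparing the LastLogonAnyDC and LastLogonTimestamp columns side by side shows how far the replicated value can trail the real one; for an "unused account" report it is the first column that should decide.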



  • I think PWM can do password expiration notifications. I haven't looked into it too deeply. We're planning on deploying it this summer.



  • Oh yeah.

    # List accounts that have not logged on within the past $DaysInactive days
    Import-Module ActiveDirectory

    $domain = "YOUR-DOMAIN"   # not used below; kept from the original

    $DaysInactive = 60

    $time = (Get-Date).AddDays(-($DaysInactive))

    # Get all enabled AD users whose lastLogonTimestamp is older than $time.
    # lastLogonTimestamp replicates between DCs but is only refreshed when the
    # stored value is more than about 14 days old, so treat it as approximate.
    Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties LastLogonTimeStamp |
        # Output Name and lastLogonTimestamp into CSV (straight quotes only: curly quotes break PowerShell;
        # HH gives a 24-hour clock, hh would be 12-hour without AM/PM)
        Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} |
        Export-Csv C:\OLD_User.csv -NoTypeInformation


  • @DustinB3403 Thanks Dustin.



  • @thwr said in Monitoring AD users:

    @DustinB3403 Thanks Dustin.

    Inactive users (based on Dustin's script):

    function TW:Get-InactiveADUser 
    {
        param 
        (
            [parameter(Mandatory=$true)]
            [int]$DaysInactive,

            [parameter(Mandatory=$true)]
            [string]$SearchBase
        )

        $pointInTime = (Get-Date).AddDays(-($DaysInactive))

        # Fetch enabled users with an expiring password whose replicated lastLogonTimestamp
        # is older than $pointInTime, or who have never logged on at all. An account that
        # has never logged on has no lastLogonTimestamp value, which "-eq 0" does not match,
        # so the filter also tests for the attribute being absent.
        $result = Get-ADUser `
            -Properties EmailAddress,LastLogonTimeStamp,DisplayName `
            -SearchBase  $SearchBase `
            -Filter { PasswordNeverExpires -eq $False -and Enabled -eq $true -and (LastLogonTimestamp -lt $pointInTime -or LastLogonTimestamp -eq 0 -or LastLogonTimestamp -notlike "*") } | 
            Sort-Object -Property lastLogonTimestamp 
        return $result
    }
    

    Usage:

    TW:Get-InactiveADUser -DaysInactive 30 -Searchbase "OU=aaa,OU=bbb,OU=ccc,DC=xxx,DC=yyy,DC=zzz"
    


  • Users who keep entering wrong passwords (will query every DC in your domain, may be slow with lots of users):

    function TW:Get-ADUserBadPasswordCount 
    {
        param 
        (      
            [parameter(Mandatory=$true)]
            [string]$SearchBase
        )

        # Fetch users 
        $users = Get-ADUser `
            -Properties BadPwdCount,EmailAddress,LastLogonTimeStamp,DisplayName `
            -SearchBase  $SearchBase `
            -Filter { Enabled -eq $true } 

        # badPwdCount is not replicated: each DC keeps its own counter for the
        # failed attempts it handled, so the true total is the sum across all DCs.
        $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

        ForEach($user in $users)
        {
            $count = 0

            # Query each DC for this one account
            ForEach($dc in $dcs) 
            {
                $localuser = Get-ADUser -Identity $user.DistinguishedName -Server $dc -Properties BadPwdCount
                $count = $count + [int]$localuser.BadPwdCount
            } 

            # Add "column" to the output object (ADUser objects accept new properties)
            $user.TotalBadPwdCount = ($count).ToString()
        }

        return $users
    }
    

    Usage:

    TW:Get-ADUserBadPasswordCount -SearchBase "OU=aaa,OU=bbb,OU=ccc,DC=xxx,DC=yyy,DC=zzz" | ft DisplayName, sAMAccountName, EmailAddress, TotalBadPWdCount -AutoSize
    

    Output looks like this:

    DisplayName      sAMAccountName   EmailAddress          TotalBadPWdCount
    -----------      --------------   ------------          ----------------
    Some User        someuser1        [email protected]     {17}
    Some Other User  someuser2        [email protected]     {0}
    

  • There are multiple examples of PowerShell scripts that will email users with near-expiring passwords. I really need to get off my ass and set one up on the DC at a few of my clients with constant problem users...

