Monitoring AD users
-
I like Netwrix Apps, they have a lot of free apps like:
https://www.netwrix.com/netwrix_password_expiration_notifier.html
-
We also use Netwrix.
-
IIRC scripts that send 14, 7, and 3 day notices by email
"change your password, idiot"
-
@MattSpeller
yeah, I guess that's something you need to do by hand. Will just build a small PowerShell script and use a scheduled task for it. -
Powershell to monitor last login I'll share my script tomorrow
-
@DustinB3403 said in Monitoring AD users:
Powershell to monitor last login I'll share my script tomorrow
Thanks, but as far as I remember, there's a problem with the last logon attribute. It doesn't sync between DC's by default. I need to check that, but I think I wrote a script some time ago that will query all your DCs directly, not only the one the executing user is logged on to.
-
I think PWM can do password expiration notifications. I haven't looked into it too deeply. we're planning on deploying it this summer.
-
Oh yeah.
#List acconts not logged into within the past X (90) days Import-module activedirectory $domain = “YOUR-DOMAIN” $DaysInactive = 60 $time = (Get-Date).Adddays(-($DaysInactive)) # Get all AD User with lastLogonTimestamp less than our time and set to enable Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp | # Output Name and lastLogonTimestamp into CSV select-object Name,@{Name=”Stamp”; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString(‘yyyy-MM-dd_hh:mm:ss’)}} | export-csv C:\OLD_User.csv –notypeinformation
-
@DustinB3403 Thanks Dustin.
-
@thwr said in Monitoring AD users:
@DustinB3403 Thanks Dustin.
Inactive users (based on Dustin's script):
function TW:Get-InactiveADUser { param ( [parameter(Mandatory=$true)] [string]$DaysInactive, [parameter(Mandatory=$true)] [string]$SearchBase ) $pointInTime = (Get-Date).Adddays(-($DaysInactive)) # Fetch users $result = Get-ADUser ` -Properties EmailAddress,LastLogonTimeStamp,DisplayName ` -SearchBase $SearchBase ` -Filter { PasswordNeverExpires -eq $False -and Enabled -eq $true -and (LastLogonTimestamp -lt $pointInTime -or LastLogonTimestamp -eq 0) } | Sort-Object -Property lastLogonTimestamp return $result }
Usage:
TW:Get-InactiveADUser -DaysInactive 30 -Searchbase "OU=aaa,OU=bbb,OU=ccc,DC=xxx,DC=yyy,DC=zzz"
-
Users who keep entering wrong passwords (will query every DC in your domain, may be slow with lots of users):
function TW:Get-ADUserBadPasswordCount { param ( [parameter(Mandatory=$true)] [string]$SearchBase ) # Fetch users $users = Get-ADUser ` -Properties BadPwdCount,EmailAddress,LastLogonTimeStamp,DisplayName ` -SearchBase $SearchBase ` -Filter { Enabled -eq $true } # Add "column" to output object Add-Member -InputObject $users -NotePropertyName TotalBadPwdCount -NotePropertyValue "0" -Force ForEach($user in $users) { $count = 0 # Query each DC ForEach($dc in Get-ADComputer -Filter "*" -SearchBase "ou=Domain Controllers,DC=xxx,DC=yyy,DC=zzz") { $localuser = Get-ADUser -Server $dc.DNSHostName -Filter "*" -Properties BadPwdCount -SearchBase $user.distinguishedName $count = $count + $localuser.BadPwdCount } $user.TotalBadPwdCount = ($count).ToString() } return $users }
Usage:
TW:Get-ADUserBadPasswordCount -SearchBase "OU=aaa,OU=bbb,OU=ccc,DC=xxx,DC=yyy,DC=zzz" | ft DisplayName, sAMAccountName, EmailAddress, TotalBadPWdCount -AutoSize
Output looks like this:
DisplayName sAMAccountName EmailAddress TotalBadPWdCount ----------- -------------- ------------ ---------------- Some User someuser1 [email protected] {17} Some Other User someuser2 [email protected] {0}
-
There are multiple examples of powershell scripts that will email users with near expiring passwords. I really need to get off my ass and set on up on the DC at a few of my clients with constant problem users...