    Monitoring AD users

    IT Discussion
    13 Posts 7 Posters 2.6k Views
    • thwr

      What are you using to monitor account expirations, account locks (badPwdCount, expiration, ...) and unused accounts (lastLogonTime)? I'm looking for something that can also monitor computer accounts (like unused machine accounts). A big plus would be a reporting feature, like a PDF or CSV export.

      I could write something myself, like a little PowerShell script or a small windows service, but I would prefer to use something that already exists. Free / open source a plus.

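      The built-in `Search-ADAccount` cmdlet already answers most of the items in this question (lockouts, expired and soon-expiring accounts, inactive users and computers). The following is an added example, not code posted in this thread; it assumes the RSAT ActiveDirectory module, and the function name, the `-ReportDir` switch and the OU path in the usage line are placeholders chosen for this illustration.

```powershell
Import-Module ActiveDirectory

function Get-ADAccountHealthReport {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$InactiveDays = 90,
        [int]$ExpiringWithinDays = 30,
        # Optional folder for a dated CSV (the reporting feature asked for above)
        [string]$ReportDir
    )

    # One Search-ADAccount call per category; the Status column tags each row so a
    # single CSV can hold the whole report.
    $checks = @(
        @{ Status = 'LockedOut';        Args = @{ LockedOut = $true } }
        @{ Status = 'AccountExpired';   Args = @{ AccountExpired = $true } }
        @{ Status = 'AccountExpiring';  Args = @{ AccountExpiring = $true; TimeSpan = (New-TimeSpan -Days $ExpiringWithinDays) } }
        @{ Status = 'PasswordExpired';  Args = @{ PasswordExpired = $true } }
        # -AccountInactive is based on lastLogonTimestamp, which is only refreshed every
        # 9-14 days, so the inactivity cutoff is accurate to about two weeks.
        @{ Status = 'InactiveUser';     Args = @{ AccountInactive = $true; UsersOnly = $true;     TimeSpan = (New-TimeSpan -Days $InactiveDays) } }
        @{ Status = 'InactiveComputer'; Args = @{ AccountInactive = $true; ComputersOnly = $true; TimeSpan = (New-TimeSpan -Days $InactiveDays) } }
    )

    $rows = foreach ($check in $checks) {
        $splat = $check.Args
        Search-ADAccount -SearchBase $SearchBase @splat | ForEach-Object {
            [pscustomobject]@{
                Status                = $check.Status
                SamAccountName        = $_.SamAccountName
                ObjectClass           = $_.ObjectClass
                Enabled               = $_.Enabled
                LockedOut             = $_.LockedOut
                LastLogonDate         = $_.LastLogonDate
                AccountExpirationDate = $_.AccountExpirationDate
                DistinguishedName     = $_.DistinguishedName
            }
        }
    }

    if ($ReportDir) {
        $file = Join-Path $ReportDir ('ad-account-health-{0:yyyy-MM-dd}.csv' -f (Get-Date))
        $rows | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    }

    # Summary per category on the console, full rows on the pipeline
    $rows | Group-Object Status | Select-Object Name, Count | Out-Host
    return $rows
}

# Usage (OU path and report folder are placeholders):
# Get-ADAccountHealthReport -SearchBase 'OU=Accounts,DC=example,DC=com' -ReportDir C:\Reports
```

      Run it daily from a scheduled task under an account that can read the OU; the CSV is dated so a folder of them doubles as a history. Disabled accounts still show up in the lockout and expiry categories (the `Enabled` column tells them apart), and the inactivity figures carry the lastLogonTimestamp replication lag noted in the comment.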
      • iroal @thwr

        I like Netwrix Apps; they have a lot of free apps, like:

        https://www.netwrix.com/netwrix_password_expiration_notifier.html

        • bbigford

          We also use Netwrix.

          • MattSpeller

            IIRC scripts that send 14, 7, and 3 day notices by email

            "change your password, idiot"

            • thwr @MattSpeller

              @MattSpeller Yeah, I guess that's something you need to do by hand. I'll just build a small PowerShell script and use a scheduled task for it.

              • DustinB3403

                PowerShell to monitor last login. I'll share my script tomorrow.

                • thwr @DustinB3403

                  @DustinB3403 said in Monitoring AD users:

                  Powershell to monitor last login I'll share my script tomorrow

                  Thanks, but as far as I remember, there's a problem with the last logon attribute. It doesn't sync between DCs by default. I need to check that, but I think I wrote a script some time ago that will query all your DCs directly, not only the one the executing user is logged on to.

                  • coliver

                    I think PWM can do password expiration notifications. I haven't looked into it too deeply. We're planning on deploying it this summer.

                    • DustinB3403

                      Oh yeah.

                      # List accounts not logged into within the past X days (60 here)
                      Import-Module ActiveDirectory

                      $DaysInactive = 60

                      $time = (Get-Date).AddDays(-$DaysInactive)

                      # Get all enabled AD users whose lastLogonTimestamp is older than our cutoff
                      Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties LastLogonTimeStamp |

                      # Output Name and lastLogonTimestamp into CSV (HH = 24-hour clock)
                      Select-Object Name, @{Name = "Stamp"; Expression = { [DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss') }} |
                      Export-Csv C:\OLD_User.csv -NoTypeInformation
                      
                      • thwr @DustinB3403

                        @DustinB3403 Thanks Dustin.

                        • thwr


                          Inactive users (based on Dustin's script):

                          function TW:Get-InactiveADUser 
                          {
                              param 
                              (
                                  [parameter(Mandatory=$true)]
                                  [int]$DaysInactive,
                                  
                                  [parameter(Mandatory=$true)]
                                  [string]$SearchBase
                              )

                              Import-Module ActiveDirectory
                          
                              $pointInTime = (Get-Date).AddDays(-$DaysInactive)
                          
                              # Fetch users. lastLogonTimestamp replicates, but is only refreshed every
                              # 9-14 days, so the cutoff is accurate to about two weeks. Accounts that
                              # never logged on have no lastLogonTimestamp at all, hence -notlike "*".
                              $result = Get-ADUser `
                                  -Properties EmailAddress,LastLogonTimeStamp,DisplayName `
                                  -SearchBase  $SearchBase `
                                  -Filter { PasswordNeverExpires -eq $False -and Enabled -eq $true -and (LastLogonTimestamp -lt $pointInTime -or LastLogonTimestamp -notlike "*") } | 
                                  Sort-Object -Property lastLogonTimestamp 
                              return $result
                          }
                          

                          Usage:

                          TW:Get-InactiveADUser -DaysInactive 30 -Searchbase "OU=aaa,OU=bbb,OU=ccc,DC=xxx,DC=yyy,DC=zzz"
                          
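                          The caveat raised earlier in this thread (lastLogon is per-DC and never replicates) is the reason Dustin's script and the function above rely on lastLogonTimestamp, which does replicate but lags by 9-14 days. The function below is an added example, not code from this thread: it asks every DC for lastLogon, keeps the newest value per account, falls back to lastLogonTimestamp, and handles computer accounts and CSV export as the original question asked. It assumes the RSAT ActiveDirectory module and read access to every DC; the function name and the OU paths in the usage lines are placeholders.

```powershell
Import-Module ActiveDirectory

function Get-ADTrueLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,

        [int]$DaysInactive = 90,

        # Report computer accounts instead of user accounts
        [switch]$Computers,

        # Optional CSV export for reporting
        [string]$CsvPath
    )

    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    $dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # lastLogon is written only on the DC that authenticated the logon and never
    # replicates, so each DC holds its own value. lastLogonTimestamp does replicate
    # but is only refreshed every 9-14 days. Collect both and keep the newest.
    $latest = @{}
    foreach ($dc in $dcs) {
        $query = @{
            Server     = $dc
            SearchBase = $SearchBase
            Filter     = 'Enabled -eq $true'
            Properties = 'lastLogon', 'lastLogonTimestamp'
        }
        try {
            $accounts = if ($Computers) { Get-ADComputer @query } else { Get-ADUser @query }
        } catch {
            # A DC that cannot be reached must be reported, not silently skipped,
            # otherwise the logons it recorded are missing from the result.
            Write-Warning "Could not query $dc : $_"
            continue
        }
        foreach ($acct in $accounts) {
            $ll  = if ($acct.lastLogon)          { [long]$acct.lastLogon }          else { 0L }
            $lts = if ($acct.lastLogonTimestamp) { [long]$acct.lastLogonTimestamp } else { 0L }
            $dn  = $acct.DistinguishedName
            if (-not $latest.ContainsKey($dn)) {
                $latest[$dn] = [pscustomobject]@{
                    Name               = $acct.Name
                    SamAccountName     = $acct.SamAccountName
                    DistinguishedName  = $dn
                    LastLogon          = 0L
                    LastLogonTimestamp = $lts
                    LastLogonDC        = ''
                }
            }
            if ($ll -gt $latest[$dn].LastLogon) {
                $latest[$dn].LastLogon   = $ll
                $latest[$dn].LastLogonDC = $dc
            }
        }
    }

    $report = foreach ($entry in $latest.Values) {
        $best = [Math]::Max($entry.LastLogon, $entry.LastLogonTimestamp)
        $when = if ($best -gt 0) { [DateTime]::FromFileTime($best) } else { $null }
        if ($null -eq $when -or $when -lt $cutoff) {
            [pscustomobject]@{
                Name              = $entry.Name
                SamAccountName    = $entry.SamAccountName
                LastLogon         = $when
                NeverLoggedOn     = ($null -eq $when)
                SeenOnDC          = $entry.LastLogonDC
                DistinguishedName = $entry.DistinguishedName
            }
        }
    }

    $report = @($report | Sort-Object LastLogon)
    if ($CsvPath) {
        $report | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    }
    return $report
}

# Usage (OU paths are placeholders):
# Get-ADTrueLastLogon -SearchBase 'OU=Users,DC=example,DC=com' -DaysInactive 90 -CsvPath C:\Reports\inactive-users.csv
# Get-ADTrueLastLogon -SearchBase 'OU=Workstations,DC=example,DC=com' -Computers
```

                          The cost is one LDAP query per DC rather than one in total, so on a large domain this is a nightly job, not an interactive one. Accounts flagged `NeverLoggedOn` have neither attribute on any DC; a warning for an unreachable DC means the result for that run may be incomplete and should not be acted on (e.g. by disabling accounts) until every DC answered.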
                          • thwr

                            Users who keep entering wrong passwords (will query every DC in your domain, may be slow with lots of users):

                            function TW:Get-ADUserBadPasswordCount 
                            {
                                param 
                                (      
                                    [parameter(Mandatory=$true)]
                                    [string]$SearchBase
                                )

                                Import-Module ActiveDirectory
                            
                                # Fetch users 
                                $users = Get-ADUser `
                                    -Properties BadPwdCount,EmailAddress,LastLogonTimeStamp,DisplayName `
                                    -SearchBase  $SearchBase `
                                    -Filter { Enabled -eq $true } 

                                # badPwdCount is not replicated, so every DC has to be asked. Resolve the
                                # DC list once instead of hard-coding the Domain Controllers OU.
                                $dcs = Get-ADDomainController -Filter *
                            
                                ForEach($user in $users)
                                {
                                    $count = 0
                            
                                    # Query each DC for this user's local badPwdCount
                                    ForEach($dc in $dcs) 
                                    {
                                        try
                                        {
                                            $localuser = Get-ADUser -Identity $user.DistinguishedName -Server $dc.HostName -Properties BadPwdCount
                                            $count += [int]$localuser.BadPwdCount
                                        }
                                        catch
                                        {
                                            Write-Warning "Could not query $($dc.HostName) for $($user.SamAccountName): $_"
                                        }
                                    } 
                                    
                                    # Add "column" to each output object (on the user, not on the array)
                                    Add-Member -InputObject $user -NotePropertyName TotalBadPwdCount -NotePropertyValue $count -Force
                                }
                                
                                return $users
                            }
                            

                            Usage:

                            TW:Get-ADUserBadPasswordCount -SearchBase "OU=aaa,OU=bbb,OU=ccc,DC=xxx,DC=yyy,DC=zzz" | Format-Table DisplayName, sAMAccountName, EmailAddress, TotalBadPwdCount -AutoSize
                            

                            Output looks like this:

                            DisplayName       sAMAccountName   EmailAddress          TotalBadPwdCount
                            -----------       --------------   ------------          ----------------
                            Some User         someuser1        [email protected]     17
                            Some Other User   someuser2        [email protected]     0
                            
                            • JaredBusch

                              There are multiple examples of PowerShell scripts that will email users with near-expiring passwords. I really need to get off my ass and set one up on the DC at a few of my clients with constant problem users...

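                              The 14/7/3-day notice script that MattSpeller and JaredBusch refer to, as an added example rather than any script from this thread. It reads the DC-computed `msDS-UserPasswordExpiryTimeComputed` attribute, so fine-grained password policies are honoured without reimplementing the maximum-age arithmetic. It assumes the RSAT ActiveDirectory module, an SMTP relay that accepts mail from the host running the task, and populated `mail` attributes; the function name, `-SmtpServer`/`-From` values and the OU path in the usage line are placeholders.

```powershell
Import-Module ActiveDirectory

function Send-PasswordExpiryNotice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [Parameter(Mandatory = $true)][string]$SmtpServer,
        [Parameter(Mandatory = $true)][string]$From,
        # Days-before-expiry on which a notice goes out
        [int[]]$NoticeDays = @(14, 7, 3)
    )

    $today = (Get-Date).Date
    $users = Get-ADUser -SearchBase $SearchBase `
        -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
        -Properties mail, DisplayName, 'msDS-UserPasswordExpiryTimeComputed'

    foreach ($u in $users) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # 0 means "must change at next logon" (nothing to warn about yet);
        # Int64.MaxValue means no expiry applies, e.g. no policy covers the account.
        if (-not $raw -or $raw -eq [long]::MaxValue) { continue }

        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = ($expires.Date - $today).Days
        if ($NoticeDays -notcontains $daysLeft) { continue }

        if (-not $u.mail) {
            Write-Warning "$($u.SamAccountName) expires in $daysLeft day(s) but has no mail attribute"
            continue
        }

        $subject = "Your password expires in $daysLeft day(s)"
        $body = @"
Hello $($u.DisplayName),

Your Windows password expires on $($expires.ToString('yyyy-MM-dd HH:mm')).
Please change it before then (Ctrl+Alt+Del, then "Change a password").
"@
        # -WhatIf on the function call lists who would be mailed without sending anything
        if ($PSCmdlet.ShouldProcess($u.mail, "send $daysLeft-day password notice")) {
            Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail -Subject $subject -Body $body
        }

        # Emit a record per notice so the scheduled task can log what it did
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $u.mail
            Expires        = $expires
            DaysLeft       = $daysLeft
        }
    }
}

# Usage (values are placeholders); run once a day from a scheduled task:
# Send-PasswordExpiryNotice -SearchBase 'OU=Staff,DC=example,DC=com' -SmtpServer 'smtp.example.com' -From 'it@example.com' -WhatIf
# Send-PasswordExpiryNotice -SearchBase 'OU=Staff,DC=example,DC=com' -SmtpServer 'smtp.example.com' -From 'it@example.com' | Export-Csv C:\Reports\pw-notices.csv -NoTypeInformation -Append
```

                              Because the match is on the exact day count, the task must run once per day; running it twice sends duplicate mail, and skipping a day silently skips that day's notices, so monitor the task itself as well as the users. Users whose password is already expired get no mail from this (their `DaysLeft` is negative); those show up in an expired-password report rather than a reminder.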