Managing Active Directory is an important, albeit time-consuming, task. A user account that has not been used for a reasonable period, or a user that is a member of a privileged group (for example, Enterprise Admins), could represent a security risk to the organization. Regular reporting helps focus attention on accounts that could usefully be deactivated. That could mean removing the account from a security group or removing it altogether.
This recipe creates a report of users, computers, and privileged group membership and displays this report on the console.
This recipe, which you run on DC1, reports on users with possible issues: a user who hasn't logged on for a while, has made a lot of bad password attempts, or is in a privileged group inappropriately.
Get-ReskitUser function:

    Function Get-ReskitUser {
      # Get PDC Emulator DC
      $PrimaryDC = Get-ADDomainController -Discover -Service PrimaryDC
      # Get Users
      $ADUsers = Get-ADUser -Filter * -Properties * -Server $PrimaryDC
      # Iterate through them and create $Userinfo hash table:
      Foreach ($ADUser in $ADUsers) {
        # Create a userinfo HT
        $UserInfo = [Ordered] @{}
        $UserInfo.SamAccountname = $ADUser.SamAccountName
        $Userinfo.DisplayName    = $ADUser.DisplayName
        $UserInfo.Office         = $ADUser.Office
        $Userinfo.Enabled        = $ADUser.Enabled
        $userinfo.LastLogonDate  = $ADUser.LastLogonDate
        $UserInfo.ProfilePath    = $ADUser.ProfilePath
        $Userinfo.ScriptPath     = $ADUser.ScriptPath
        $UserInfo.BadPWDCount    = $ADUser.badPwdCount
        New-Object -TypeName PSObject -Property $UserInfo
      }
    } # end of function

Reskit.Org domain:

    $RKUsers = Get-ReskitUser
    # Build the report header:
    $RKReport = ''
    $RkReport += "*** Reskit.Org AD Report`n"
    $RKReport += "*** Generated [$(Get-Date)]`n"
    $RKReport += "*******************************`n`n"

    $RkReport += "*** Disabled Users`n"
    $RKReport += $RKUsers |
      Where-Object {$_.Enabled -NE $true} |
        Format-Table -Property SamAccountName, Displayname |
          Out-String

    $OneWeekAgo = (Get-Date).AddDays(-7)
    $RKReport += "`n*** Users Not logged in since $OneWeekAgo`n"
    $RkReport += $RKUsers |
      Where-Object {$_.Enabled -and $_.LastLogonDate -le $OneWeekAgo} |
        Sort-Object -Property LastlogonDate |
          Format-Table -Property SamAccountName,lastlogondate |
            Out-String

    $RKReport += "`n*** High Number of Bad Password Attempts`n"
    $RKReport += $RKUsers |
      Where-Object BadPwdCount -ge 5 |
        Format-Table -Property SamAccountName, BadPwdCount |
          Out-String

    $RKReport += "`n*** Privileged User Report`n"
    $PUsers = @()

$Pusers array:

    # Get Enterprise Admins group members
    $Members = Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive |
      Sort-Object -Property Name
    $PUsers += foreach ($Member in $Members) {
      Get-ADUser -Identity $Member.SID -Properties * |
        Select-Object -Property Name,
          @{Name='Group';expression={'Enterprise Admins'}},
          whenCreated,LastlogonDate
    }
    # Get Domain Admins group members
    $Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
      Sort-Object -Property Name
    $PUsers += Foreach ($Member in $Members) {
      Get-ADUser -Identity $member.SID -Properties * |
        Select-Object -Property Name,
          @{Name='Group';expression={'Domain Admins'}},
          WhenCreated, Lastlogondate,SamAccountName
    }
    # Get Schema Admins members
    $Members = Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
      Sort-Object Name
    $PUsers += Foreach ($Member in $Members) {
      Get-ADUser -Identity $member.SID -Properties * |
        Select-Object -Property Name,
          @{Name='Group';expression={'Schema Admins'}},
          WhenCreated, Lastlogondate,SamAccountName
    }

    $RKReport += $PUsers | Out-String

    $RKReport

This report writing recipe begins with step 1 defining a function that returns some of the key properties of users in the Reskit.Org domain. In step 2, you invoke the function to return an array of all the users defined in the domain. These two steps produce no output.
In step 2 through step 9, you build parts of the overall report and add it to the $RKReport variable. These steps also produce no output.
In step 10, you display the report to the console, which looks like this:
In this recipe, you create the report and display it to the console. There are some things you could do that might increase the value of this recipe:
This recipe calls Get-ADUser several times in step 7, returning all properties. You might consider some optimization including restricting the properties to only those needed to generate the report.
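One way to apply that optimization to the privileged-group queries, as an added example that is not the recipe's own code: a single loop replaces the three near-identical blocks and requests only the two non-default properties the report shows. The function name Get-PrivilegedUser, its parameters, and the Dormant column are assumptions introduced here; the seven-day window mirrors the recipe's $OneWeekAgo.

```powershell
# Added example, not part of the original recipe.
# Get-PrivilegedUser, -Group, -DormantDays and the Dormant column are hypothetical names.
# Requires the ActiveDirectory module, as the recipe does.
Function Get-PrivilegedUser {
  Param (
    [string[]] $Group = @('Enterprise Admins', 'Domain Admins', 'Schema Admins'),
    [int]      $DormantDays = 7     # same window as the recipe's $OneWeekAgo
  )
  # SamAccountName, Name and Enabled come back by default;
  # request only the extra properties the report displays
  $Props  = 'whenCreated', 'LastLogonDate'
  $Cutoff = (Get-Date).AddDays(-$DormantDays)

  Foreach ($GroupName in $Group) {
    # -Recursive expands nested groups. Keep user objects only, since
    # other member types (computers, for example) are not Get-ADUser targets
    $Members = Get-ADGroupMember -Identity $GroupName -Recursive |
      Where-Object objectClass -eq 'user' |
        Sort-Object -Property Name

    Foreach ($Member in $Members) {
      Get-ADUser -Identity $Member.SID -Properties $Props |
        Select-Object -Property Name,
          @{Name = 'Group';   Expression = { $GroupName }},
          WhenCreated, LastLogonDate, SamAccountName, Enabled,
          # A privileged account with no recent logon (or none at all)
          # is a candidate for removal from the group
          @{Name = 'Dormant'; Expression = { $_.LastLogonDate -le $Cutoff }}
    }
  }
}

# Drop-in replacement for the privileged-user section of the report
$RKReport += "`n*** Privileged User Report`n"
$RKReport += Get-PrivilegedUser |
  Format-Table -AutoSize |
    Out-String
```

Because every object now carries the same set of properties, the table produced by Out-String shows the same columns for all three groups.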