
Searching for and reporting on AD users
Once your AD environment has existed for some time, finding and changing settings in your environment can become difficult. For example, let's say when the domain was first created, all the users had the same logon script named logon.bat. Over time, specific needs arose that caused the creation of logon2.bat, new_logon.bat, and testlogon.bat, with different users assigned to each script.
As an administrator, you want to consolidate all these logon scripts into one, but you need to know what this will impact. You need to know which logon scripts are being used, who is using which ones, and why the different scripts exist. Thanks to the capabilities of AD and PowerShell queries, these items can easily be found.
In this recipe we will perform multiple queries against Active Directory, each returning different information.
How to do it...
Carry out the following steps to search for and report on AD users:
- To report on all users and their logon scripts, execute the following code:

    Get-ADUser -Filter * -Properties SamAccountName, DisplayName, `
        ProfilePath, ScriptPath | `
        Select-Object SamAccountName, DisplayName, ProfilePath, ScriptPath

- To find all disabled user accounts, execute the following code:

    Get-ADUser -Filter 'Enabled -eq $false'

- To find users who haven't logged in for 30 days, execute the following code:

    $logonDate = (Get-Date).AddDays(-30)
    Get-ADUser -Filter 'LastLogonDate -lt $logonDate' | Select-Object DistinguishedName

- To find accounts with multiple logon failures, execute the following code:

    $primaryDC = Get-ADDomainController -Discover -Service PrimaryDC
    Get-ADUser -Filter 'badpwdcount -ge 5' -Server $primaryDC.Name `
        -Properties BadPwdCount | Select-Object DistinguishedName, BadPwdCount
How it works...
The first example uses Get-ADUser to query Active Directory for all User objects and return them to PowerShell. The accounts are then piped through Select-Object to return the username, profile location, and logon script to the screen.
The second example creates a simple filter for AD to show accounts that are not enabled. Get-ADUser is called with this filter and it returns the appropriate accounts.
The third example creates a slightly more robust AD filter that identifies users who have not logged in for more than 30 days. We start by creating the $logonDate variable and assigning it the date 30 days ago. We then call Get-ADUser with a filter based on the LastLogonDate attribute, and lastly return the DistinguishedName of the users that match the filter. These may be users who have been on vacation or extended work trips and have not been able to log on to the domain, or user accounts that are no longer needed.
The fourth example provides a simple filter based on the number of bad password attempts for an account. We start by identifying the primary domain controller (PDC) in the environment. When a bad password attempt occurs, it is tracked on the domain controller that processed the attempt, as well as on the PDC emulator. This allows us to query a single server instead of all the DCs. If a particular account has a high number of password failures, it can be a sign of a possible hacking attempt. As such, it is always helpful to have a script similar to this available so that the entire domain can be reviewed at a glance to determine if one user is having a problem, or if it is a widespread issue.
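The following is an added example, not code from the book, that combines the four queries above into a single audit function written for the logon-script consolidation scenario at the start of the recipe: it groups users by ScriptPath so you can see which scripts are still in use and by whom, then appends the disabled, stale and bad-password lists. It assumes the ActiveDirectory module is available in a domain-joined session; the function name, parameter names and thresholds are this example's own choices.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory (RSAT) module
# and a domain-joined session; Get-ADUserAuditReport and its parameters are
# hypothetical names chosen for this example.
Import-Module ActiveDirectory

function Get-ADUserAuditReport {
    param(
        [int]$StaleDays = 30,           # days without a logon before an account counts as stale
        [int]$BadPasswordThreshold = 5  # badPwdCount at or above this value is flagged
    )

    # One directory round trip for everything that does not need the PDC emulator.
    $users = Get-ADUser -Filter * -Properties SamAccountName, DisplayName, `
        ProfilePath, ScriptPath, LastLogonDate

    # 1) Which logon scripts exist, how many users each one has, and who they are.
    #    Users with no ScriptPath are grouped under "(none)".
    $scriptUsage = $users |
        Group-Object { if ($_.ScriptPath) { $_.ScriptPath } else { '(none)' } } |
        Sort-Object Count -Descending |
        Select-Object @{n='ScriptPath'; e={$_.Name}}, Count,
                      @{n='Users'; e={($_.Group.SamAccountName | Sort-Object) -join ';'}}

    # 2) Disabled accounts.
    $disabled = $users | Where-Object { -not $_.Enabled } |
        Select-Object SamAccountName, DistinguishedName

    # 3) Enabled accounts with no logon in $StaleDays days. LastLogonDate is derived
    #    from the replicated lastLogonTimestamp attribute, which can lag the real
    #    last logon by up to 14 days, so treat this as a candidate list to review.
    #    Accounts that have never logged on (null LastLogonDate) are included.
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $stale = $users |
        Where-Object { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName

    # 4) Accounts with repeated bad-password attempts, read from the PDC emulator
    #    because badPwdCount is not replicated between DCs; the PDC emulator is
    #    the one server that sees every failure.
    $pdc = Get-ADDomainController -Discover -Service PrimaryDC
    $badPassword = Get-ADUser -Filter "badPwdCount -ge $BadPasswordThreshold" `
        -Server $pdc.Name -Properties BadPwdCount |
        Select-Object SamAccountName, BadPwdCount, DistinguishedName

    [pscustomobject]@{
        ScriptUsage = $scriptUsage
        Disabled    = $disabled
        Stale       = $stale
        BadPassword = $badPassword
    }
}

# Usage: show script usage on screen and keep the stale-account list for review.
$report = Get-ADUserAuditReport -StaleDays 30 -BadPasswordThreshold 5
$report.ScriptUsage | Format-Table -AutoSize
$report.Stale | Export-Csv -Path .\stale-users.csv -NoTypeInformation
```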