Reporting on AD users
Managing the Active Directory is an important albeit time-consuming task. Discovering a user account that has not been used for a reasonable period or a user that has membership in a privileged account (for example, enterprise administrators) could represent security risks to the organization. Regular reporting can help to place a focus on accounts that could be usefully de-activated. That could mean the account being removed from a security group or removed altogether.
This recipe creates a report of users, computers, and privileged group membership and displays this report on the console.
Getting ready
This recipe, which you run on DC1
, reports on users with possible issues: a user hasn't logged on for a while, has made a lot of bad password attempts, or a user is in a privileged group inappropriately.
How to do it...
- Define the
Get-ReskitUser
function:Function Get-ReskitUser { # Get PDC Emulator DC $PrimaryDC = Get-ADDomainController -Discover -Service PrimaryDC # Get Users $ADUsers = Get-ADUser -Filter * -Properties * -Server $PrimaryDC # Iterate through them and create $Userinfo hash table: Foreach ($ADUser in $ADUsers) { # Create a userinfo HT $UserInfo = [Ordered] @{} $UserInfo.SamAccountname = $ADUser.SamAccountName $Userinfo.DisplayName = $ADUser.DisplayName $UserInfo.Office = $ADUser.Office $Userinfo.Enabled = $ADUser.Enabled $userinfo.LastLogonDate = $ADUser.LastLogonDate $UserInfo.ProfilePath = $ADUser.ProfilePath $Userinfo.ScriptPath = $ADUser.ScriptPath $UserInfo.BadPWDCount = $ADUser.badPwdCount New-Object -TypeName PSObject -Property $UserInfo } } # end of function
- Get the users in the
Reskit.Org
domain:$RKUsers = Get-ReskitUser # Build the report header: $RKReport = '' $RkReport += "*** Reskit.Org AD Report`n" $RKReport += "*** Generated [$(Get-Date)]`n" $RKReport += "*******************************`n`n"
- Report on the disabled users:
$RkReport += "*** Disabled Users`n" $RKReport += $RKUsers | Where-Object {$_.Enabled -NE $true} | Format-Table -Property SamAccountName, Displayname | Out-String
- Report on the users who have not recently logged on:
$OneWeekAgo = (Get-Date).AddDays(-7) $RKReport += "`n*** Users Not logged in since $OneWeekAgo`n" $RkReport += $RKUsers | Where-Object {$_.Enabled -and $_.LastLogonDate -le $OneWeekAgo} | Sort-Object -Property LastlogonDate | Format-Table -Property SamAccountName,lastlogondate | Out-String
- Users with high invalid password attempts:
$RKReport += "`n*** High Number of Bad Password Attempts`n" $RKReport += $RKUsers | Where-Object BadPwdCount -ge 5 | Format-Table -Property SamAccountName, BadPwdCount | Out-String
- Add another report header line for this part of the report and create an empty array of privileged users:
$RKReport += "`n*** Privileged User Report`n" $PUsers = @()
- Query the enterprise admins/domain admins/schema admins groups for members and add to the
$Pusers
array:# Get Enterprise Admins group members $Members = Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive | Sort-Object -Property Name $PUsers += foreach ($Member in $Members) { Get-ADUser -Identity $Member.SID -Properties * | Select-Object -Property Name, @{Name='Group';expression={'Enterprise Admins'}}, whenCreated,LastlogonDate } # Get Domain Admins group members $Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Sort-Object -Property Name $PUsers += Foreach ($Member in $Members) {Get-ADUser -Identity $member.SID -Properties * | Select-Object -Property Name, @{Name='Group';expression={'Domain Admins'}}, WhenCreated, Lastlogondate,SamAccountName } # Get Schema Admins members $Members = Get-ADGroupMember -Identity 'Schema Admins' -Recursive | Sort-Object Name $PUsers += Foreach ($Member in $Members) { Get-ADUser -Identity $member.SID -Properties * | Select-Object -Property Name, @{Name='Group';expression={'Schema Admins'}}, WhenCreated, Lastlogondate,SamAccountName }
- Add the special users to the report:
$RKReport += $PUsers | Out-String
- Display the report to the console:
$RKReport
How it works...
This report writing recipe begins with step 1 defining a function that returns some of the key properties of users in the Reskit.Org
domain. In step 2, you invoke the function to return an array of all the users defined in the domain. These two steps produce no output.
In step 2 through step 9, you build parts of the overall report and add it to the $RKReport
variable. These steps also produce no output.
In step 10, you display the report to the console, which looks like this:
There's more...
In this recipe, you create the report and display it to the console. There are some things you could do that might increase the value of this recipe:
- Save the recipe as a script, then set up a scheduled task to invoke it every day
- Create an SMB share on the DC and save each report to that folder or email it to a mail-enabled group
- Automatically disable any account that has not been in use for, say, 30 days, sending mail to the user's manager letting them know
- Create a list of users authorized to be in the high-privilege groups and ensure the group contains only those members
- Adjust the recipe to output HTML to improve the readability and usability of the report
This recipe calls Get-ADUser
several times in step 7, returning all properties. You might consider some optimization including restricting the properties to only those needed to generate the report.