The Multifunctioning DBA

Oct 21 2009   10:00AM GMT

AD Audit all together

Colin Smith Colin Smith Profile: Colin Smith

Here is the full script so you can copy and paste it. Remember that you will need to make some modifications to the script to fit your environment. Let me know if you have any questions at all.

Thanks




###########################################################################
## Script Name: 90-180.ps1
## Written by: Colin Smith
## Date: 9/15/09
###########################################################################
## ChangeLog
###########################################################################
###########################################################################
## This Script will enumerate all accounts in the your domain
## and disable all accounts that have not been logged in with in 
## over 90 days, unless the account is one of the Protected OU's.
## This script will also delete all accounts that are disabled
## and have not been loged in with in over 180 Days.
## This script will not search accounts that reside in defined 
## exception containers. This will also find the users H: Drive 
## folder and move it to \\someserver\_term to await deletion.
## This script will also remove all group memberships from accounts
## before deletion of the account. This will avoid Hashes in Groups
## this replaces the 90-180 Visual Basic Script.
###########################################################################
###########################################################################
## Requirments for this script are Powershell V1 installed as well as
## Quest Active Directory Management Snapin
###########################################################################



#######################################################
## This Function Gets a listing of all user account
## and last logon times and created dates for 
## all users on the your domain that are not in
## Excluded OU's
#######################################################
function get_users
{
	foreach($company in $companies)
		{
#Echo "Company is $company"
			Clear-Content "c:\90-180\$company.csv"
			Clear-Content "c:\90-180\$company.disabled.txt"
			echo "enabled, LogonName, firstname, lastname, dn, lastlogon, createddate" >> "c:\90-180\$company.csv"

			$dcs = Get-QADComputer -ComputerRole DomainController
	
			$users = Get-QADUser -SizeLimit 0 -searchroot "Some.root.com/$company/Users" | where{(($_.dn -notlike "*disabled*") -and ($_.dn -notlike "*Generic*") -and ($_.dn -notlike "*Vendors*") -and ($_.dn -notlike "*mail-in*") -and ($_.dn -notlike "*shared calendars*"))}

	
			foreach($user in $users)
				{
					$lastlogon = $null
					foreach($dc in $dcs)
					{
						$dclogon = Get-QADUser -Service $dc.Name -SamAccountName $user.samaccountname | select lastlogon
						$dclogon = $dclogon.lastlogon.value

						if ($dclogon -ne $null)
							{
								if($lastlogon -lt $dclogon)
									{
										$lastlogon = $dclogon
									}
							}
					}
					if ($lastlogon -eq $Null) 
						{ 
							$lastlogon = [datetime]::Now.AddDays(-500000)
						}

					$o = New-Object PSObject
					$o | Add-Member NoteProperty "User" $user.Name
					$o | Add-Member NoteProperty "LastLogin" $lastlogon
					$o | Add-Member NoteProperty "DisplayName" $user.DisplayName
					$o | Add-Member NoteProperty "Disabled" $user.accountisdisabled 
					$o | Add-Member NoteProperty "DistinguishedName" $user.DN
					$o | Add-Member NoteProperty "Created" $user.CreationDate
					$o | Add-Member NoteProperty "SamAccountName" $user.SamAccountName
					$o | Add-Member NoteProperty "LastName" $user.LastName
					$o | Add-Member NoteProperty "FirstName" $user.FirstName

		
					if($o.disabled -eq "False")
						{			$enabled = "DISABLED"}
					else
						{			$enabled = "ENABLED"}
					$Fname = $o.FirstName
					$lname = $o.LastName
					$lastlogon = $o.LastLogin
					$created = $o.Created
					$samname = $o.samaccountname
					$dn = $o.DistinguishedName
					$dn = $dn.replace(",", ":")
			
					echo "$enabled, $samname, $fname, $lname, $DN, $lastlogon, $created" >> "c:\90-180\$company.csv"
			
				}
	

		}
}


##########################################################
## Function Disable_Accounts
## Find all accounts that need to be disabled
## Disable the account
## Move the account to the appropriate disabled OU
## Log the account that has been disabled and moved
##########################################################
function Disable_Accounts
{
	foreach($company in $companies)
		{
			$listedusers = Import-Csv "c:\90-180\$company.csv"
			foreach($listeduser in $listedusers)
			{
				$fname = $listeduser.Firstname
				$lname = $listeduser.LastName
				$dn = $listeduser.dn
				$dn = $dn.replace(":", ",")
				$enabled = $listeduser.enabled
				$logon = $listeduser.lastlogon
				$logonname = $listeduser.logonname
				$created = $listeduser.createddate
			
##########################################################
## Check for accounts in Holding OU that are still 
## disabled and beyond the 30 holding limit and
## move them to the disabled OU
##########################################################
				if(($enabled -eq "DISABLED") -and ($created -lt $holdingdate) -and ($dn -like "*holding*"))
					{
						$logonname | Move-QADObject -NewParentContainer "pni.us.ad.gannett.com/$company/Users/Disabled" -WhatIf
						echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
					}
					
##########################################################
## Find any accounts that are disabled and not in the 
## Holding OU and move them to the disabled OU
## This cleans up any accounts that have been disabled
## by hand and not moved to the disabled OU.
##########################################################
				if(($enabled -eq "DISABLED")-and ($dn -notlike "*holding*"))
					{
						$logonname | Move-QADObject -NewParentContainer 'some.root.com/$company/Users/Disabled' -WhatIf
						echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
					}
			
##########################################################
## Check for accounts not in holding OU that are beyond 
## the 90 day limit for login and create date
## and disable them and move them to the disabled OU.
##########################################################			
				if(($enabled -eq "ENABLED") -and ($logon -lt $disabledate) -and ($created -lt $disabledate) -and ($dn -notlike "*Holding*"))
					{
						$logonname | Disable-QADUser -WhatIf
						$logonname | Move-QADObject -NewParentContainer "some.root.com/$company/Users/Disabled" -WhatIf
						echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
					}
							
				
			}
		}
}

##########################################################
## function Get_Disabled_Accounts
## Search only the disabled OU for all disabled accounts
## Get the Last Login time and the Created Date so we 
## can determine if the account should be removed from 
## the domain.
##########################################################
function Get_Disabled_Accounts
{

foreach($company in $companies)
{
Clear-Content "c:\90-180\$company.disabledou.csv"
echo "enabled, LogonName, firstname, lastname, dn, lastlogon, createddate" >> "c:\90-180\$company.disabledou.csv"

			$dcs = Get-QADComputer -ComputerRole DomainController
	
			$users = Get-QADUser -SizeLimit 0 -searchroot "some.root.com/$company/Users/Disabled"

			foreach($user in $users)
				{
					$lastlogon = $null
					foreach($dc in $dcs)
					{
						$dclogon = Get-QADUser -Service $dc.Name -SamAccountName $user.samaccountname | select lastlogon
						$dclogon = $dclogon.lastlogon.value

						if ($dclogon -ne $null)
							{
								if($lastlogon -lt $dclogon)
									{
										$lastlogon = $dclogon
									}
							}
					}
					if ($lastlogon -eq $Null) 
						{ 
							$lastlogon = [datetime]::Now.AddDays(-500000)
						}

					$o = New-Object PSObject
					$o | Add-Member NoteProperty "User" $user.Name
					$o | Add-Member NoteProperty "LastLogin" $lastlogon
					$o | Add-Member NoteProperty "DisplayName" $user.DisplayName
					$o | Add-Member NoteProperty "Disabled" $user.accountisdisabled 
					$o | Add-Member NoteProperty "DistinguishedName" $user.DN
					$o | Add-Member NoteProperty "Created" $user.CreationDate
					$o | Add-Member NoteProperty "SamAccountName" $user.SamAccountName
					$o | Add-Member NoteProperty "LastName" $user.LastName
					$o | Add-Member NoteProperty "FirstName" $user.FirstName
					$o | Add-Member NoteProperty "Groups" $user.MemberOf

		
					if($o.disabled -eq "False")
						{			$enabled = "DISABLED"}
					else
						{			$enabled = "ENABLED"}
					$Fname = $o.FirstName
					$lname = $o.LastName
					$lastlogon = $o.LastLogin
					$created = $o.Created
					$samname = $o.samaccountname
					$dn = $o.DistinguishedName
					$dn = $dn.replace(",", ":")
					$groups = $o.groups
			
					echo "$enabled, $samname, $fname, $lname, $DN, $lastlogon, $created" >> "c:\90-180\$company.disabledou.csv"
					if($groups -ne $null)
						{
							if(($lastlogon -lt $deletedate) -and ($created -lt $deletedate))
								{
									echo $groups >> "c:\90-180\$samname.groups.txt"
								}
						}
			
				}
	

		}
}
##########################################################
## Function Delete_Accounts
## Find all acounts that are in the disabled OU's and
## determine what accounts have not been loged in with
## in over 180 days and also were created over 180 days
## ago. Once the accounts have been identified capture 
## Users login name so that we can remove all groups 
## from that user as well as move the users H: Drive 
## folder to the K drive to await deletion.
##########################################################
function Delete_Accounts
{
	foreach($company in $companies)
		{
		Echo "Delete accounts for $company"
			$listedusers = Import-Csv "c:\90-180\$company.disabledou.csv"
			Clear-Content "c:\90-18\$company.deleted.txt"
			foreach($listeduser in $listedusers)
			{
				$fname = $listeduser.Firstname
				$lname = $listeduser.LastName
				$dn = $listeduser.dn
				$dn = $dn.replace(":", ",")
				$enabled = $listeduser.enabled
				$logon = $listeduser.lastlogon
				$logonname = $listeduser.logonname
				$created = $listeduser.createddate
			
			
##########################################################
## Check for accounts that have not been used and were
## created more than 180 days ago. If found then remove
## all groups, remove from domain, log removal from 
## domain and move H: Drive to holding area.
##########################################################
				if(($created -lt $deletedate) -and ($logon -lt $deletedate))
					{
##########################################################
## Gather all groups that the user is a member of
## and loop thru all groups to remove the user.
##########################################################									
						if(Test-Path "c:\90-180\$logonname.groups.txt")
						{
							$groups = Get-Content "c:\90-180\$logonname.groups.txt"
							foreach($group in $groups)
							{	
								Remove-QADGroupMember -Identity $group -Member $logonname -whatif	
							}
							#rm "c:\90-180\$logonname.groups.txt"
						}
						
##########################################################
## Remove the User Object and log the removal
##########################################################
						Remove-QADObject $logonname -whatif
						echo "$fname $lname $logonname" >> "c:\90-180\$company.deleted.txt"

##########################################################
## Check to see if the user has an H: Drive
## If the folder exists then move it to the K: Drive
## to hold until the time limit to delete the folder
##########################################################
						if(Test-Path "\\someserver\yourhomedrives\$logonname")
						{
							move-item -literalPath "\\someserver\yourhomedrives\$logonname" -destination "\\someserver\_term\$logonname" -whatIf
							Echo "Moved \\someserver\yourhomedrives\$logonname to \\pni-pcfs01\data\common\_term\$logonname" >> "c:\90-180\homedirs.txt"
						}
						else
						{
							Echo "NO H Drive found for $logonname" >> "c:\90-180\homedirs.txt"
						}
					}

				}
			}
}
##########################################################
## Email all Log files about disabled and deleted 
## accounts to someaccount@domain.com
##########################################################
function Mail
{
$file1 = "c:\90-180\file1.Disabled.txt"
$file2 = "c:\90-180\file2.Disabled.txt"
$file3 = "c:\90-180\file3.Disabled.txt"
$file4 = "c:\90-180\file1.Deleted.txt"
$file5 = "c:\90-180\file2.Deleted.txt"
$file6 = "c:\90-180\file3.Deleted.txt"

$smtpServer = "somemailhost"
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$msg = New-Object Net.Mail.MailMessage

##########################################################
## Test for Attachment files. If the file is not 
## available then do not create the attachment object
##########################################################
if(Test-Path $file1)
{$att1 = New-Object Net.Mail.Attachment($file1)}
if(Test-Path $file2)
{$att2 = New-Object Net.Mail.Attachment($file2)}
if(Test-Path $file3)
{$att3 = New-Object Net.Mail.Attachment($file3)}
if(Test-Path $file4)
{$att4 = New-Object Net.Mail.Attachment($file4)}
if(Test-Path $file5)
{$att5 = New-Object Net.Mail.Attachment($file5)}
if(Test-Path $file6)
{$att6 = New-Object Net.Mail.Attachment($file6)}


$msg.From = "90-180Audit@pni.com"
$msg.To.Add("somemail@domain.com")
$msg.Subject = "Disabled and Deleted Domain Accounts"
$msg.Body = "Attached are files with names of disabled and deleted accounts."

##########################################################
## Test if the file is available again. If so then
## create the attachment.
##########################################################
if(Test-Path $file1)
{$msg.Attachments.Add($att1)}
if(Test-Path $file2)
{$msg.Attachments.Add($att2)}
if(Test-Path $file3)
{$msg.Attachments.Add($att3)}
if(Test-Path $file4)
{$msg.Attachments.Add($att4)}
if(Test-Path $file5)
{$msg.Attachments.Add($att5)}
if(Test-Path $file6)
{$msg.Attachments.Add($att6)}

$smtp.Send($msg)
$att1.Dispose()
$att2.Dispose()
$att3.Dispose()
$att4.Dispose()
$att5.Dispose()
$att6.Dispose()
}

##########################################################
## Main
## Set up variables and call functions of script.
##########################################################
$ErrorActionPreference = "SilentlyContinue"
$starttime = [datetime]::Now
echo "Start 90-180 Script run at $starttime" >> "c:\90-180\90-180.log"
$holdingdays = -30
$disabledays = -90
$deletedays = -180
$disabledate = [datetime]::Now.AddDays($disabledays)
$deletedate = [datetime]::Now.AddDays($deletedays)
$holdingdate = [datetime]::Now.AddDays($holdingdays)
$companies = "PNI", "AMG", "GPP"
clear-content "c:\90-180\homedirs.txt"
#echo "calling Get_Users"
Get_Users
#echo "calling Disable_Acconts"
Disable_Accounts
#Echo "Calling Get Disabled Accounts"
Get_Disabled_Accounts
#Echo "Calling Delete_Accounts"
Delete_Accounts
#Echo "Calling Mail"
Mail
$endtime = [datetime]::Now
echo "End 90-180 Script run at $endtime" >> "c:\90-180\90-180.log"
echo "#################################`n" >> "c:\90-180\90-180.log"

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: