The Multifunctioning DBA

Sep 23 2009   4:35PM GMT

AD Audit in Powershell Script Part 1



Posted by: Colin Smith
Tags:
Active Directory
AD
AD Administration
Powershell

As I said before, I have completed my rewrite of my Active Directory audit in PowerShell. Man, is it better: more functional and less code. I love it. This script goes out and searches my domain for user accounts that are old and stale. By old and stale I mean that they were created, and were last logged into, 90 days or more ago. If they meet those criteria, I go ahead and disable them, move the object to a disabled OU, and send out notifications about the account being disabled to the appropriate people so the action can be documented. That is only part one of the script.

Second, the script now looks at all the accounts that reside in the disabled OU and determines whether the account was created, and last logged on, more than 180 days ago. If the account meets those criteria, I gather a list of all the groups that user is a member of, remove the user from the groups, delete the account, and finally go out and see if they have a home directory folder. If they do, I move that folder and all its contents to another file share so that managers and other top-level employees can access that data. (I have another script that deletes that data after 30 days of inactivity.)

So let's get into it a bit. Before we go over any code, though, I want to talk about AD and replication. If you have more than one DC, you have a problem getting accurate last logon timestamps. When a user logs in to the domain they can authenticate against any of the domain controllers, but AD does not replicate that property to all the other DCs you have. This is an issue for this script, since I want to make sure I do not disable or delete an account based on information from a DC that may not have the latest information. This means that we must query all DCs, look for the newest logon timestamp, and use that.
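Here is an added example (not Colin's script) of the "ask every DC and keep the newest timestamp" step. The attribute involved is lastLogon, which is never replicated; the code uses .NET DirectoryServices instead of the Quest cmdlets so it runs with no extra modules, and it assumes a domain-joined host that can reach all DCs. The account name in the usage line is hypothetical.

```powershell
# Added example, not the post's script. Finds the newest lastLogon for one user by
# asking every DC, because lastLogon is not replicated between domain controllers.
# Assumes a domain-joined host that can reach all DCs.
function Get-NewestLastLogon {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $newest  = [DateTime]::MinValue   # stays MinValue if the user never logged on anywhere
    $created = $null
    $fromDc  = $null
    foreach ($dc in $domain.DomainControllers) {
        try {
            $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)")
            $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
            $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
            [void]$searcher.PropertiesToLoad.AddRange(@('lastLogon', 'whenCreated'))
            $result = $searcher.FindOne()
            if ($null -eq $result) { continue }
            if ($null -eq $created -and $result.Properties['whencreated'].Count -gt 0) {
                $created = [DateTime]$result.Properties['whencreated'][0]
            }
            # lastLogon is a FILETIME (Int64); 0 or absent means "never logged on via this DC"
            $ticks = if ($result.Properties['lastlogon'].Count -gt 0) { [int64]$result.Properties['lastlogon'][0] } else { 0 }
            if ($ticks -gt 0) {
                $stamp = [DateTime]::FromFileTime($ticks)
                if ($stamp -gt $newest) { $newest = $stamp; $fromDc = $dc.Name }
            }
        }
        catch {
            # An unreachable DC might hold the newest timestamp, so refuse to decide
            # rather than risk disabling an account that is actually in use.
            Write-Warning "Could not query $($dc.Name): $_"
            return $null
        }
    }
    [pscustomobject]@{ SamAccountName = $SamAccountName; Created = $created; NewestLastLogon = $newest; FromDC = $fromDc }
}

# The post's rule for part one: created AND last logged on more than $Days ago.
function Test-StaleAccount {
    param([Parameter(Mandatory = $true)]$Account, [int]$Days = 90)
    if ($null -eq $Account -or $null -eq $Account.Created) { return $false }  # missing data: not stale
    $cutoff = (Get-Date).AddDays(-$Days)
    return ($Account.Created -lt $cutoff) -and ($Account.NewestLastLogon -lt $cutoff)
}

# Usage with a hypothetical account name:
# $acct = Get-NewestLastLogon -SamAccountName 'jdoe'
# if (Test-StaleAccount -Account $acct -Days 90) { 'jdoe is a candidate for disabling' }
```

A never-logged-on account keeps NewestLastLogon at [DateTime]::MinValue, so it counts as stale only once its creation date is also past the cutoff, matching the post's "both created and not logged into" rule.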

Also, just a side note: this script requires the Quest AD Management cmdlets to be installed and available. You can get them at http://www.quest.com/powershell/activeroles-server.aspx

So next post we dive into the beginning part of the script.
