The Multifunctioning DBA


October 22, 2009  10:00 AM

MCTS Exam



Posted by: Colin Smith
Certification, MS SQL Server, MSSQL, Study

So Like I said before I did take the MCTS Exam and I did pass. I can not go into any detail about the test as you have to agree to an NDA before you take it. The test was, in my opinion, not as hard as the study material. I think that MS did a great job with the study material for this test. I was not sure if I was really ready for the test but it turns out I was more than ready.
I finished the test very early. I had about 40 minutes left when I completed the question portion and still over 1 hour left when I completed the simulation portion of the Exam. To study I purchased the following kit and I am about to start on the second book to prepare for the second of the three tests required for the MCITP:DBA certification. Think I will start hitting that hard when I return from Hawaii.

http://www.amazon.com/gp/product/0735623775

Read the book and spend time doing the practices and questions in the book and definitely take the practice tests. You will do well if you do all that.

October 21, 2009  4:00 PM

Sprint HTC Hero



Posted by: Colin Smith
Android, Email, Exchange, Phone

One reason that I was so excited to get this phone was that it supports Exchange Active Sync out of the box. This is great for me since I would like to consolidate down to one phone and get rid of my employer provided device that I am not so fond of. Well I was very disappointed when it did not work. I brought the Hero in and sat down with a mail administrator and we set it all up. Come to find out that the built in sync does not support ssl passwords. Well what is the point then? No IT department is going to allow device syncing without securing the password that is flying in the air in packets that could be sniffed out by anyone. This is, after all, my domain log in password and that is a huge security hole.Thank fully I found Touchdown by NitroDesk. This is a great application. I downloaded the trial installed it and off I went. Very simple setup and it just works and with PUSH email I get my email on the device quickly, sometimes before Outlook gets it. Synced my Calander and Contacts as well. Love it and I say it is well worth the $20.00 that the license costs. I got mine for $10.00 due to some special pricing that they had going on at the time. Check it out if you are on Android. It is great.


October 21, 2009  10:00 AM

AD Audit all together



Posted by: Colin Smith
AD, AD Administration, AD Managment, Powershell, Scripting

Here is the full script so you can copy and paste it. Remember that you will need to make some modifications to the script to fit your environment. Let me know if you have any questions at all.

Thanks




###########################################################################
## Script Name: 90-180.ps1
## Written by: Colin Smith
## Date: 9/15/09
###########################################################################
## ChangeLog
###########################################################################
###########################################################################
## This Script will enumerate all accounts in the your domain
## and disable all accounts that have not been logged in with in 
## over 90 days, unless the account is one of the Protected OU's.
## This script will also delete all accounts that are disabled
## and have not been loged in with in over 180 Days.
## This script will not search accounts that reside in defined 
## exception containers. This will also find the users H: Drive 
## folder and move it to \\someserver\_term to await deletion.
## This script will also remove all group memberships from accounts
## before deletion of the account. This will avoid Hashes in Groups
## this replaces the 90-180 Visual Basic Script.
###########################################################################
###########################################################################
## Requirments for this script are Powershell V1 installed as well as
## Quest Active Directory Management Snapin
###########################################################################



#######################################################
## This Function Gets a listing of all user account
## and last logon times and created dates for 
## all users on the your domain that are not in
## Excluded OU's
#######################################################
function get_users
{
	foreach($company in $companies)
		{
#Echo "Company is $company"
			Clear-Content "c:\90-180\$company.csv"
			Clear-Content "c:\90-180\$company.disabled.txt"
			echo "enabled, LogonName, firstname, lastname, dn, lastlogon, createddate" >> "c:\90-180\$company.csv"

			$dcs = Get-QADComputer -ComputerRole DomainController
	
			$users = Get-QADUser -SizeLimit 0 -searchroot "Some.root.com/$company/Users" | where{(($_.dn -notlike "*disabled*") -and ($_.dn -notlike "*Generic*") -and ($_.dn -notlike "*Vendors*") -and ($_.dn -notlike "*mail-in*") -and ($_.dn -notlike "*shared calendars*"))}

	
			foreach($user in $users)
				{
					$lastlogon = $null
					foreach($dc in $dcs)
					{
						$dclogon = Get-QADUser -Service $dc.Name -SamAccountName $user.samaccountname | select lastlogon
						$dclogon = $dclogon.lastlogon.value

						if ($dclogon -ne $null)
							{
								if($lastlogon -lt $dclogon)
									{
										$lastlogon = $dclogon
									}
							}
					}
					if ($lastlogon -eq $Null) 
						{ 
							$lastlogon = [datetime]::Now.AddDays(-500000)
						}

					$o = New-Object PSObject
					$o | Add-Member NoteProperty "User" $user.Name
					$o | Add-Member NoteProperty "LastLogin" $lastlogon
					$o | Add-Member NoteProperty "DisplayName" $user.DisplayName
					$o | Add-Member NoteProperty "Disabled" $user.accountisdisabled 
					$o | Add-Member NoteProperty "DistinguishedName" $user.DN
					$o | Add-Member NoteProperty "Created" $user.CreationDate
					$o | Add-Member NoteProperty "SamAccountName" $user.SamAccountName
					$o | Add-Member NoteProperty "LastName" $user.LastName
					$o | Add-Member NoteProperty "FirstName" $user.FirstName

		
					if($o.disabled -eq "False")
						{			$enabled = "DISABLED"}
					else
						{			$enabled = "ENABLED"}
					$Fname = $o.FirstName
					$lname = $o.LastName
					$lastlogon = $o.LastLogin
					$created = $o.Created
					$samname = $o.samaccountname
					$dn = $o.DistinguishedName
					$dn = $dn.replace(",", ":")
			
					echo "$enabled, $samname, $fname, $lname, $DN, $lastlogon, $created" >> "c:\90-180\$company.csv"
			
				}
	

		}
}


##########################################################
## Function Disable_Accounts
## Find all accounts that need to be disabled
## Disable the account
## Move the account to the appropriate disabled OU
## Log the account that has been disabled and moved
##########################################################
function Disable_Accounts
{
	foreach($company in $companies)
		{
			$listedusers = Import-Csv "c:\90-180\$company.csv"
			foreach($listeduser in $listedusers)
			{
				$fname = $listeduser.Firstname
				$lname = $listeduser.LastName
				$dn = $listeduser.dn
				$dn = $dn.replace(":", ",")
				$enabled = $listeduser.enabled
				$logon = $listeduser.lastlogon
				$logonname = $listeduser.logonname
				$created = $listeduser.createddate
			
##########################################################
## Check for accounts in Holding OU that are still 
## disabled and beyond the 30 holding limit and
## move them to the disabled OU
##########################################################
				if(($enabled -eq "DISABLED") -and ($created -lt $holdingdate) -and ($dn -like "*holding*"))
					{
						$logonname | Move-QADObject -NewParentContainer "pni.us.ad.gannett.com/$company/Users/Disabled" -WhatIf
						echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
					}
					
##########################################################
## Find any accounts that are disabled and not in the 
## Holding OU and move them to the disabled OU
## This cleans up any accounts that have been disabled
## by hand and not moved to the disabled OU.
##########################################################
				if(($enabled -eq "DISABLED")-and ($dn -notlike "*holding*"))
					{
						$logonname | Move-QADObject -NewParentContainer 'some.root.com/$company/Users/Disabled' -WhatIf
						echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
					}
			
##########################################################
## Check for accounts not in holding OU that are beyond 
## the 90 day limit for login and create date
## and disable them and move them to the disabled OU.
##########################################################			
				if(($enabled -eq "ENABLED") -and ($logon -lt $disabledate) -and ($created -lt $disabledate) -and ($dn -notlike "*Holding*"))
					{
						$logonname | Disable-QADUser -WhatIf
						$logonname | Move-QADObject -NewParentContainer "some.root.com/$company/Users/Disabled" -WhatIf
						echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
					}
							
				
			}
		}
}

##########################################################
## function Get_Disabled_Accounts
## Search only the disabled OU for all disabled accounts
## Get the Last Login time and the Created Date so we 
## can determine if the account should be removed from 
## the domain.
##########################################################
function Get_Disabled_Accounts
{

foreach($company in $companies)
{
Clear-Content "c:\90-180\$company.disabledou.csv"
echo "enabled, LogonName, firstname, lastname, dn, lastlogon, createddate" >> "c:\90-180\$company.disabledou.csv"

			$dcs = Get-QADComputer -ComputerRole DomainController
	
			$users = Get-QADUser -SizeLimit 0 -searchroot "some.root.com/$company/Users/Disabled"

			foreach($user in $users)
				{
					$lastlogon = $null
					foreach($dc in $dcs)
					{
						$dclogon = Get-QADUser -Service $dc.Name -SamAccountName $user.samaccountname | select lastlogon
						$dclogon = $dclogon.lastlogon.value

						if ($dclogon -ne $null)
							{
								if($lastlogon -lt $dclogon)
									{
										$lastlogon = $dclogon
									}
							}
					}
					if ($lastlogon -eq $Null) 
						{ 
							$lastlogon = [datetime]::Now.AddDays(-500000)
						}

					$o = New-Object PSObject
					$o | Add-Member NoteProperty "User" $user.Name
					$o | Add-Member NoteProperty "LastLogin" $lastlogon
					$o | Add-Member NoteProperty "DisplayName" $user.DisplayName
					$o | Add-Member NoteProperty "Disabled" $user.accountisdisabled 
					$o | Add-Member NoteProperty "DistinguishedName" $user.DN
					$o | Add-Member NoteProperty "Created" $user.CreationDate
					$o | Add-Member NoteProperty "SamAccountName" $user.SamAccountName
					$o | Add-Member NoteProperty "LastName" $user.LastName
					$o | Add-Member NoteProperty "FirstName" $user.FirstName
					$o | Add-Member NoteProperty "Groups" $user.MemberOf

		
					if($o.disabled -eq "False")
						{			$enabled = "DISABLED"}
					else
						{			$enabled = "ENABLED"}
					$Fname = $o.FirstName
					$lname = $o.LastName
					$lastlogon = $o.LastLogin
					$created = $o.Created
					$samname = $o.samaccountname
					$dn = $o.DistinguishedName
					$dn = $dn.replace(",", ":")
					$groups = $o.groups
			
					echo "$enabled, $samname, $fname, $lname, $DN, $lastlogon, $created" >> "c:\90-180\$company.disabledou.csv"
					if($groups -ne $null)
						{
							if(($lastlogon -lt $deletedate) -and ($created -lt $deletedate))
								{
									echo $groups >> "c:\90-180\$samname.groups.txt"
								}
						}
			
				}
	

		}
}
##########################################################
## Function Delete_Accounts
## Find all acounts that are in the disabled OU's and
## determine what accounts have not been loged in with
## in over 180 days and also were created over 180 days
## ago. Once the accounts have been identified capture 
## Users login name so that we can remove all groups 
## from that user as well as move the users H: Drive 
## folder to the K drive to await deletion.
##########################################################
function Delete_Accounts
{
	foreach($company in $companies)
		{
		Echo "Delete accounts for $company"
			$listedusers = Import-Csv "c:\90-180\$company.disabledou.csv"
			Clear-Content "c:\90-18\$company.deleted.txt"
			foreach($listeduser in $listedusers)
			{
				$fname = $listeduser.Firstname
				$lname = $listeduser.LastName
				$dn = $listeduser.dn
				$dn = $dn.replace(":", ",")
				$enabled = $listeduser.enabled
				$logon = $listeduser.lastlogon
				$logonname = $listeduser.logonname
				$created = $listeduser.createddate
			
			
##########################################################
## Check for accounts that have not been used and were
## created more than 180 days ago. If found then remove
## all groups, remove from domain, log removal from 
## domain and move H: Drive to holding area.
##########################################################
				if(($created -lt $deletedate) -and ($logon -lt $deletedate))
					{
##########################################################
## Gather all groups that the user is a member of
## and loop thru all groups to remove the user.
##########################################################									
						if(Test-Path "c:\90-180\$logonname.groups.txt")
						{
							$groups = Get-Content "c:\90-180\$logonname.groups.txt"
							foreach($group in $groups)
							{	
								Remove-QADGroupMember -Identity $group -Member $logonname -whatif	
							}
							#rm "c:\90-180\$logonname.groups.txt"
						}
						
##########################################################
## Remove the User Object and log the removal
##########################################################
						Remove-QADObject $logonname -whatif
						echo "$fname $lname $logonname" >> "c:\90-180\$company.deleted.txt"

##########################################################
## Check to see if the user has an H: Drive
## If the folder exists then move it to the K: Drive
## to hold until the time limit to delete the folder
##########################################################
						if(Test-Path "\\someserver\yourhomedrives\$logonname")
						{
							move-item -literalPath "\\someserver\yourhomedrives\$logonname" -destination "\\someserver\_term\$logonname" -whatIf
							Echo "Moved \\someserver\yourhomedrives\$logonname to \\pni-pcfs01\data\common\_term\$logonname" >> "c:\90-180\homedirs.txt"
						}
						else
						{
							Echo "NO H Drive found for $logonname" >> "c:\90-180\homedirs.txt"
						}
					}

				}
			}
}
##########################################################
## Email all Log files about disabled and deleted 
## accounts to someaccount@domain.com
##########################################################
function Mail
{
$file1 = "c:\90-180\file1.Disabled.txt"
$file2 = "c:\90-180\file2.Disabled.txt"
$file3 = "c:\90-180\file3.Disabled.txt"
$file4 = "c:\90-180\file1.Deleted.txt"
$file5 = "c:\90-180\file2.Deleted.txt"
$file6 = "c:\90-180\file3.Deleted.txt"

$smtpServer = "somemailhost"
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$msg = New-Object Net.Mail.MailMessage

##########################################################
## Test for Attachment files. If the file is not 
## available then do not create the attachment object
##########################################################
if(Test-Path $file1)
{$att1 = New-Object Net.Mail.Attachment($file1)}
if(Test-Path $file2)
{$att2 = New-Object Net.Mail.Attachment($file2)}
if(Test-Path $file3)
{$att3 = New-Object Net.Mail.Attachment($file3)}
if(Test-Path $file4)
{$att4 = New-Object Net.Mail.Attachment($file4)}
if(Test-Path $file5)
{$att5 = New-Object Net.Mail.Attachment($file5)}
if(Test-Path $file6)
{$att6 = New-Object Net.Mail.Attachment($file6)}


$msg.From = "90-180Audit@pni.com"
$msg.To.Add("somemail@domain.com")
$msg.Subject = "Disabled and Deleted Domain Accounts"
$msg.Body = "Attached are files with names of disabled and deleted accounts."

##########################################################
## Test if the file is available again. If so then
## create the attachment.
##########################################################
if(Test-Path $file1)
{$msg.Attachments.Add($att1)}
if(Test-Path $file2)
{$msg.Attachments.Add($att2)}
if(Test-Path $file3)
{$msg.Attachments.Add($att3)}
if(Test-Path $file4)
{$msg.Attachments.Add($att4)}
if(Test-Path $file5)
{$msg.Attachments.Add($att5)}
if(Test-Path $file6)
{$msg.Attachments.Add($att6)}

$smtp.Send($msg)
$att1.Dispose()
$att2.Dispose()
$att3.Dispose()
$att4.Dispose()
$att5.Dispose()
$att6.Dispose()
}

##########################################################
## Main
## Set up variables and call functions of script.
##########################################################
$ErrorActionPreference = "SilentlyContinue"
$starttime = [datetime]::Now
echo "Start 90-180 Script run at $starttime" >> "c:\90-180\90-180.log"
$holdingdays = -30
$disabledays = -90
$deletedays = -180
$disabledate = [datetime]::Now.AddDays($disabledays)
$deletedate = [datetime]::Now.AddDays($deletedays)
$holdingdate = [datetime]::Now.AddDays($holdingdays)
$companies = "PNI", "AMG", "GPP"
clear-content "c:\90-180\homedirs.txt"
#echo "calling Get_Users"
Get_Users
#echo "calling Disable_Acconts"
Disable_Accounts
#Echo "Calling Get Disabled Accounts"
Get_Disabled_Accounts
#Echo "Calling Delete_Accounts"
Delete_Accounts
#Echo "Calling Mail"
Mail
$endtime = [datetime]::Now
echo "End 90-180 Script run at $endtime" >> "c:\90-180\90-180.log"
echo "#################################`n" >> "c:\90-180\90-180.log"


October 20, 2009  6:48 PM

AD Audit Script Q and A



Posted by: Colin Smith
AD, AD Administration, AD Managment, Powershell, Q and A, Scripting

I got the following comment on Part 3 of the script.
RobDolfijn

Hi Colin,

This is just what I need so I’m looking forward to the whole script!
I’m getting stuc on Get_Users because it is not recognized as a cmdlet, please help me?

So I am not sure how you have it set up but I think I have an idea of what is going on. One of two things.

1. You have the function below the main part of the script that calls the function. The function has to be before the main part of the script so that Powershell knows about the function.

2. The other thing is that you do not have the function defined in the {} brackets.

My assumption here is that the first thing is the issue. The Powershell ‘Engine’ looks for the function definitions before the function is called. It seems strange but that is how it works in many languages. So just make sure that you put all the functions above the function call and you should be good. Hope that this helps. Please let me know if you have any issues.


October 20, 2009  4:45 PM

AD Audit in Powershell Script Part 6



Posted by: Colin Smith
AD, AD Administration, AD Managment, Powershell, Scripting

As i recall, in Part 5 we had gathered all the account information, parsed that, disabled accounts that needed to be disabled, gathered information on all the disabled accounts, and removed the accounts from the domain that needed to be as well as documented that we did so. Now that leaves me with needing to accomplish one more thing. My business would like to have certain people notified about the account changes that have taken place. This is where the Mail function comes into play. Below is the code that I execute to send email when needed.



function Mail { $file1 = "c:\90-180\file1.Disabled.txt" $file2 = "c:\90-180\file2.Disabled.txt" $file3 = "c:\90-180\file3.Disabled.txt" $file4 = "c:\90-180\file1.Deleted.txt" $file5 = "c:\90-180\file2.Deleted.txt" $file6 = "c:\90-180\file3.Deleted.txt" $smtpServer = "mailhost" $smtp = New-Object Net.Mail.SmtpClient($smtpServer) $msg = New-Object Net.Mail.MailMessage ########################################################## ## Test for Attachment files. If the file is not ## available then do not create the attachment object ########################################################## if(Test-Path $file1) {$att1 = New-Object Net.Mail.Attachment($file1)} if(Test-Path $file2) {$att2 = New-Object Net.Mail.Attachment($file2)} if(Test-Path $file3) {$att3 = New-Object Net.Mail.Attachment($file3)} if(Test-Path $file4) {$att4 = New-Object Net.Mail.Attachment($file4)} if(Test-Path $file5) {$att5 = New-Object Net.Mail.Attachment($file5)} if(Test-Path $file6) {$att6 = New-Object Net.Mail.Attachment($file6)} $msg.From = "90-180Audit@pni.com" $msg.To.Add("somemail@host.com") $msg.Subject = "Disabled and Deleted Domain Accounts" $msg.Body = "Attached are files with names of disabled and deleted accounts." ########################################################## ## Test if the file is available again. If so then ## create the attachment. ########################################################## if(Test-Path $file1) {$msg.Attachments.Add($att1)} if(Test-Path $file2) {$msg.Attachments.Add($att2)} if(Test-Path $file3) {$msg.Attachments.Add($att3)} if(Test-Path $file4) {$msg.Attachments.Add($att4)} if(Test-Path $file5) {$msg.Attachments.Add($att5)} if(Test-Path $file6) {$msg.Attachments.Add($att6)} $smtp.Send($msg) $att1.Dispose() $att2.Dispose() $att3.Dispose() $att4.Dispose() $att5.Dispose() $att6.Dispose() }

first I define all 6 of the files that I may or may not want to attach to the email. Then I set up the SMTPserver and the mail objects. Now I test for each of the files that I may or may not want to attach. I only want to attach the file if the file exists. This way I do not get errors about files not being on the filesystem and I am not sending blank files to the people that need the information.
I then define who the message is from, who it is to, subject, and the body. Now that we have that I have to start attaching the files. After attaching the files that are needed I send the message and then close all the attachments just to make sure that no handles keep the files open. I want to be able to delete the files later.

Well that is it. Next post will have the script in its entirety so that you do not have to cut and paste so much. Hope all this helps you out. Let me know if you have any questions about any part of this script.


October 20, 2009  3:43 PM

Apologies



Posted by: Colin Smith
Apologies, Bloggin

I am sorry that it has been so long between posts and I know I left you hanging with the AD Audit Script. I have been very busy this month and one of the things I was doing was preparing for my MCTS Exam and I did pass. I am one step closer to getting my MCITP:DBA Certification. One test down and two to go. So I will get going again. As I recall I owe you one more function of the AD Audit script and then I will tie the whole thing together for you. I noticed that I have one person that has a question so I will also address that as well as any other questions that you may have about that script.

Thanks for your patience and again I do apologize for not posting in such a long time.

PS. This is a busy month for me. Not only did I have to get ready for the exam, but October 12th was my 12th anniversary with the wife and we are also traveling to Hawaii at the end of the month for a 10 day vacation. Also things at work are starting to get very busy with the transition of roles, now I am doing a lot more work for both sides and wow very busy.


October 20, 2009  2:00 PM

Android Phone



Posted by: Colin Smith
Android, Phone

While I was away and so busy in the early parts of the month I picked up a new Cell Phone and I love it. I got the new Sprint HTC Hero.

http://now.sprint.com/android/index.php?pid=3&id9=SEM_Google_P_Sprint_HTC

I love android and all that it can do. Apps are being developed and most that I have downloaded have been great. Here is a link to the app store viewable online and not just on your andriod device.

http://www.cyrket.com/

A couple downsides to this phone, at least to me:

Battery Life – When used heavily for GPS, WIFI, and Bluetooth the phone does not last long enough.

Data Cable – This cable does not have a standard USB Mini plug but some HTC plug. I hate when companies just do not use standard cables.

No Upgrade to 1.6 yet – Sprint and HTC really need to pick this up and work out the bugs that they have. 1.6 introduces some nice features one of which is IPSec VPN without rooting the phone. I need this!!

Other than that I love this phone and think that it is very snappy, multitasks well, and I love the HTC and Sprint customizations.( Even though that is exactly why the 1.6 upgrade is not available for this device)

Overall I would recommend this device to anyone. Sprint has great plans for this phone and I do not think you can beat the priceing of the data plans.

Check it out and let me know what you thing.


September 27, 2009  9:00 AM

AD Audit in Powershell Script Part 5



Posted by: Colin Smith
AD, AD Administration, AD Managment, Powershell, Scripting

Now that we have disabled and moved all the disabled accounts to the Disabled OU I am going to get all the user object information from just the disabled OU this time. I need this since objects have been moved around. This scan of AD does go much faster as I am only scanning the one OU. I have this is the Delete_Users function. I chose not to have the gathering disabled users as a function but you certainly could break that out if you like.
In this function I create a csv file for all the objects in the disabled OU and now I determine if they meet the criteria for delection. If they do then I have a few things that I want to do with them.
First I want to get a list of all the groups that the user is a member of so I can remove them from the groups before deleting the user object. This will prevent us from getting hashes of UID’s in groups. I hate that…
Then I remove the user object and make note that I did so, again so paperwork can be done for this action. Then I need to go check and see if they have a home directory. I go out and look and if they do I move it to another chunk of disk that managers have access to so they can look through the data in that folder for anything that they may need. Those folders are removed at regular intervals by another clean up script.



########################################################## ## Function Delete_Accounts ## Find all acounts that are in the disabled OU's and ## determine what accounts have not been loged in with ## in over 180 days and also were created over 180 days ## ago. Once the accounts have been identified capture ## Users login name so that we can remove all groups ## from that user as well as move the users Home Drive ## folder to anothe location to await deletion. ########################################################## function Delete_Accounts { foreach($company in $companies) { Echo "Delete accounts for $company" $listedusers = Import-Csv "c:\90-180\$company.disabledou.csv" Clear-Content "c:\90-18\$company.deleted.txt" foreach($listeduser in $listedusers) { $fname = $listeduser.Firstname $lname = $listeduser.LastName $dn = $listeduser.dn $dn = $dn.replace(":", ",") $enabled = $listeduser.enabled $logon = $listeduser.lastlogon $logonname = $listeduser.logonname $created = $listeduser.createddate ########################################################## ## Check for accounts that have not been used and were ## created more than 180 days ago. If found then remove ## all groups, remove from domain, log removal from ## domain and move H: Drive to holding area. ########################################################## if(($created -lt $deletedate) -and ($logon -lt $deletedate)) { ########################################################## ## Gather all groups that the user is a member of ## and loop thru all groups to remove the user. ########################################################## if(Test-Path "c:\90-180\$logonname.groups.txt") { $groups = Get-Content "c:\90-180\$logonname.groups.txt" foreach($group in $groups) { Remove-QADGroupMember -Identity $group -Member $logonname -whatif } #rm "c:\90-180\$logonname.groups.txt" } ########################################################## ## Remove the User Object and log the removal ########################################################## Remove-QADObject $logonname -whatif echo "$fname $lname $logonname" >> "c:\90-180\$company.deleted.txt" ########################################################## ## Check to see if the user has an H: Drive ## If the folder exists then move it to the K: Drive ## to hold until the time limit to delete the folder ########################################################## if(Test-Path "\\servername\users$\$logonname") { move-item -literalPath "\\servername\users$\$logonname" -destination "\\servername\data\common\_term\$logonname" -whatIf Echo "Moved \\servername\users$\$logonname to \\servername\data\common\_term\$logonname" >> "c:\90-180\homedirs.txt" } else { Echo "NO H Drive found for $logonname" >> "c:\90-180\homedirs.txt" } } } } }

Well that does it for taking action on the AD Objects. Now I just need to send out the notifications of the actions that the script took. That will be next time. Let me know if you have any questions about this function.


September 25, 2009  4:57 PM

AD Audit in Powershell Script Part 4



Posted by: Colin Smith
AD, AD Administration, AD Managment, Powershell, Scripting

Now that we have all of the users information into a csv file it is time to start sorting through all of that data and determining what objects need to be disabled and moved to the disabled OU that I have set up for all disabled accounts to go and await deletion. Lets do that with the Disable_Accounts function. This is a pretty basic function but I have a do a few different things here. First we have a Holding OU and that is available for our new account provisioning system. It creates accounts and places them in this OU in a disabled state. I am going to look in this OU to see if the account has been there for 30 days or more and if so I will move the user object. I am also going to go scan for any accounts that are disabled but not in the Disabled or Holding OU’s and then move them. This keeps things clean just in case a person disables an account and does not move it. Lastly I will disable and move all accounts that meet my criteria. I am also logging the accounts that I disable so that paperwork can also be done for these accounts.



########################################################## ## Function Disable_Accounts ## Find all accounts that need to be disabled ## Disable the account ## Move the account to the appropriate disabled OU ## Log the account that has been disabled and moved ########################################################## function Disable_Accounts { foreach($company in $companies) { $listedusers = Import-Csv "c:\90-180\$company.csv" foreach($listeduser in $listedusers) { $fname = $listeduser.Firstname $lname = $listeduser.LastName $dn = $listeduser.dn $dn = $dn.replace(":", ",") $enabled = $listeduser.enabled $logon = $listeduser.lastlogon $logonname = $listeduser.logonname $created = $listeduser.createddate ########################################################## ## Check for accounts in Holding OU that are still ## disabled and beyond the 30 holding limit and ## move them to the disabled OU ########################################################## if(($enabled -eq "DISABLED") -and ($created -lt $holdingdate) -and ($dn -like "*holding*")) { $logonname | Move-QADObject -NewParentContainer "pni.us.ad.gannett.com/$company/Users/Disabled" -WhatIf echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt" } ########################################################## ## Find any accounts that are disabled and not in the ## Holding OU and move them to the disabled OU ## This cleans up any accounts that have been disabled ## by hand and not moved to the disabled OU. ########################################################## if(($enabled -eq "DISABLED")-and ($dn -notlike "*holding*")) { $logonname | Move-QADObject -NewParentContainer 'pni.us.ad.gannett.com/$company/Users/Disabled' -WhatIf echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt" } ########################################################## ## Check for accounts not in holding OU that are beyond ## the 90 day limit for login and create date ## and disable them and move them to the disabled OU. ########################################################## if(($enabled -eq "ENABLED") -and ($logon -lt $disabledate) -and ($created -lt $disabledate) -and ($dn -notlike "*Holding*")) { $logonname | Disable-QADUser -WhatIf $logonname | Move-QADObject -NewParentContainer "pni.us.ad.gannett.com/$company/Users/Disabled" -WhatIf echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt" } } } }

Nothing to complex here. Let me know if you have any questions about this function.


September 24, 2009  8:30 PM

AD Audit in Powershell Script Part 3



Posted by: Colin Smith
AD, AD Administration, Powershell, Scripting

Now that we have the main part of the script setup it is time to look at the first function that we call. This is the Get_users function. Now this function gets a listing of all the DC’s and does a get-qaduser on all of them looking at the lastlogon property to determine what DC has the latest information on that user object. It will then use that DC to write that users information out the the file for me.



function get_users { foreach($company in $companies) { #Echo "Company is $company" Clear-Content "c:\90-180\$company.csv" Clear-Content "c:\90-180\$company.disabled.txt" echo "enabled, LogonName, firstname, lastname, dn, lastlogon, createddate" >> "c:\90-180\$company.csv" $dcs = Get-QADComputer -ComputerRole DomainController $users = Get-QADUser -SizeLimit 0 -searchroot "somecomapny.com/$company/Users" | where{(($_.dn -notlike "*disabled*") -and ($_.dn -notlike "*Generic*") -and ($_.dn -notlike "*Vendors*") -and ($_.dn -notlike "*mail-in*") -and ($_.dn -notlike "*shared calendars*"))} foreach($user in $users) { $lastlogon = $null foreach($dc in $dcs) { $dclogon = Get-QADUser -Service $dc.Name -SamAccountName $user.samaccountname | select lastlogon $dclogon = $dclogon.lastlogon.value if ($dclogon -ne $null) { if($lastlogon -lt $dclogon) { $lastlogon = $dclogon } } } if ($lastlogon -eq $Null) { $lastlogon = [datetime]::Now.AddDays(-500000) } $o = New-Object PSObject $o | Add-Member NoteProperty "User" $user.Name $o | Add-Member NoteProperty "LastLogin" $lastlogon $o | Add-Member NoteProperty "DisplayName" $user.DisplayName $o | Add-Member NoteProperty "Disabled" $user.accountisdisabled $o | Add-Member NoteProperty "DistinguishedName" $user.DN $o | Add-Member NoteProperty "Created" $user.CreationDate $o | Add-Member NoteProperty "SamAccountName" $user.SamAccountName $o | Add-Member NoteProperty "LastName" $user.LastName $o | Add-Member NoteProperty "FirstName" $user.FirstName if($o.disabled -eq "False") { $enabled = "DISABLED"} else { $enabled = "ENABLED"} $Fname = $o.FirstName $lname = $o.LastName $lastlogon = $o.LastLogin $created = $o.Created $samname = $o.samaccountname $dn = $o.DistinguishedName $dn = $dn.replace(",", ":") echo "$enabled, $samname, $fname, $lname, $DN, $lastlogon, $created" >> "c:\90-180\$company.csv" } } }

So lets break this down a bit and if you need more explanation just let me know.
Like I said in Part 2 I have multiple companies that are designated by OU’s in the forest. That is why you see the foreach loop. I am breaking it down by company. You do not have to do this if you do not need to.
Now I loop thru and get user info from all DC’s and determine what info to use. You will also notice that I have a
if ($lastlogon -eq $null){$lastlogon = [datetime]::now.adddays(-50000)}
That is so that when I compare to the lastlogon time if the user has never logged on I still get a date but it is a date that will always be less than my 90 or 180 day criteria.
Then I create a new-psobject and define all the fields that I want each object to have. Then I write that out to a csv file. You will notice that I am doing a replace on the DN field. That is because I want to use a csv file and if that field has items separated by commas it will mess things up when I import-csv that file later.

Well that is it for now. Until next time….


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: