The Multifunctioning DBA:

Active Directory

Sep 24 2009   7:30AM GMT

AD Audit in Powershell Script Part 2



Posted by: Colin Smith
Powershell, AD, AD Administration, Active Directory

Now that we have some idea of what this script is about and what we would like to accomplish with it, let's get into it.

I have the code in the box below and I will go over what I am doing. This is where the script starts, so I set up my variables and then call the other functions of the script.
First, I plan on doing my own error checking where I care whether an error occurs; I do not want to be notified or have the script stop if an error does occur, so I set the error action to SilentlyContinue. I get the time the script started so I can log it, for two reasons: so I know when the script last ran, and so I know how long it runs. I set up the variables I care about, such as $holdingdays, $disabledays, and $deletedays, and use those values to determine the holding, disable, and delete dates. In my company we have other companies on our domain, separated out into OUs that carry a company-name designation; that is what my $companies variable holds. Now I can start to call my functions.



##########################################################
## Main
## Set up variables and call functions of script.
## (PowerShell requires the functions called below to be
## defined above this block in the script file.)
##########################################################
# With errors suppressed, a failed query returns nothing instead of
# stopping the run; the log lines written here are the record of each run.
$ErrorActionPreference = "SilentlyContinue"
$starttime = [datetime]::Now
echo "Start 90-180 Script run at $starttime" >> "c:\90-180\90-180.log"

# Thresholds in days (negative so AddDays moves back in time)
$holdingdays = -30
$disabledays = -90
$deletedays = -180
$disabledate = [datetime]::Now.AddDays($disabledays)
$deletedate = [datetime]::Now.AddDays($deletedays)
$holdingdate = [datetime]::Now.AddDays($holdingdays)

# Company-name OU designations searched by Get_Users
$companies = "name1", "name2", "name3"

# Start each run with an empty list of home directories to move
clear-content "c:\90-180\homedirs.txt"

#echo "calling Get_Users"
Get_Users
#echo "calling Disable_Accounts"
Disable_Accounts
#Echo "Calling Get Disabled Accounts"
Get_Disabled_Accounts
#Echo "Calling Delete_Accounts"
Delete_Accounts
#Echo "Calling Mail"
Mail

$endtime = [datetime]::Now
echo "End 90-180 Script run at $endtime" >> "c:\90-180\90-180.log"
echo "#################################`n" >> "c:\90-180\90-180.log"

My next post will be about the Get_Users function. This is a fun one since it has to query all the DCs.

Sep 23 2009   4:35PM GMT

AD Audit in Powershell Script Part 1



Posted by: Colin Smith
Powershell, AD, AD Administration, Active Directory

As I said before, I have completed my re-write of my Active Directory audit in Powershell. Man, is it better: more functional and less code. I love it. This script goes out and searches my domain for user accounts that are old and stale. By old and stale I mean that they were created, and were last logged into, 90 days or more ago. If they meet those criteria then I go ahead and disable them, move the object to a disabled OU, and send out notifications about the account being disabled to the appropriate people so the action can be documented. That is only part one of the script.

Second, the script looks at all the accounts that reside in the disabled OU and determines whether the account was created, and last logged on, more than 180 days ago. If the account meets those criteria then I gather a list of all the groups that user is a member of, remove the user from the groups, delete the account, and finally go out and see if they have a home directory folder. If they do then I move that folder and all its contents to another file share so that managers and other top-level employees can access that data. (I have another script that deletes that data after 30 days of inactivity.)

So let's get into it a bit. Before we go over any code, though, I want to talk about AD and replication. If you have more than one DC then you have an issue getting accurate last logon timestamps. When a user logs in to the domain they can authenticate against any of the domain controllers, but AD does not replicate that property to all the other DCs you have. This matters for this script since I want to make sure I do not disable or delete an account based on information from a DC that may not have the latest information. This means that we must query all DCs, look for the newest logon timestamp, and use that.

Also, just a side note: this script does require having the Quest AD Management cmdlets installed and available. You can get them at http://www.quest.com/powershell/activero…

So next post we dive into the beginning part of the script.


Jul 23 2009   9:43PM GMT

More with Quest AD Powershell CMDLETS



Posted by: Colin Smith
Powershell, Active Directory, Microsoft Windows, Windows, Windows Administration, Domain Administration

I am continuing work on the script that I am converting from VBScript to Powershell, and I must say that it is going quite well with the help of the Quest cmdlets. In the script I want to go through a particular OU and delete any accounts that are currently disabled, were created a minimum of 180 days ago, and have not been used in a minimum of 180 days. I can do this with the following block of code.

$deletedays = -180
$deletedate = [datetime]::Now.AddDays($deletedays)

# Disabled accounts in the Disabled OU that were created, and last logged on,
# more than 180 days ago. Tee-Object writes each matching account to the log
# file before Remove-QADObject deletes it.
Get-QADUser -SearchRoot "pni.us.ad.gannett.com/PNI/Users/Disabled" |
    where { ($_.lastlogontimestamp.value -lt $deletedate) -and ($_.creationdate -lt $deletedate) -and ($_.AccountIsDisabled -eq $true) } |
    Tee-Object -FilePath "c:\removedaccounts.txt" |
    Remove-QADObject -Force

You will also notice that I am using the Tee-Object cmdlet. This is not a Quest cmdlet, but it is nice because I can log which accounts I am deleting with the Remove-QADObject cmdlet that Quest provides. Be careful when doing things like removing accounts in scripts, and be sure to test completely. A good way to test is to use the -WhatIf switch, which shows you what would happen if you did run it.
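The same selection wrapped so that the dry run the post recommends is the default behaviour, as an added example that is not the author's code. It keeps the three tests from the one-liner above, treats an account with no lastLogonTimestamp at all as stale (it was created long ago and has never logged on, which fits the post's criterion), and writes its own log line before each deletion. The SearchRoot default is a placeholder, and the function assumes the Quest snapin is loaded and that Get-QADUser accepts -SizeLimit (its default cap is 1000 objects).

```powershell
function Remove-StaleDisabledUsers {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Placeholder OU path; substitute your own disabled-accounts OU.
        [string]$SearchRoot = "example.com/Users/Disabled",
        [int]$DeleteDays = 180,
        [string]$LogPath = "c:\removedaccounts.txt"
    )

    $deletedate = [datetime]::Now.AddDays(-$DeleteDays)

    # Same three tests as the post's pipeline; -SizeLimit 0 lifts the 1000-object default
    # so a large OU is not silently truncated.
    $candidates = Get-QADUser -SearchRoot $SearchRoot -SizeLimit 0 | Where-Object {
        $ts = $_.lastlogontimestamp.value
        $_.AccountIsDisabled -and
        $_.creationdate -lt $deletedate -and
        ($null -eq $ts -or $ts -lt $deletedate)
    }

    foreach ($u in $candidates) {
        # Remove-StaleDisabledUsers -WhatIf lists every account here without deleting any.
        if ($PSCmdlet.ShouldProcess($u.DN, "Remove-QADObject")) {
            "{0:s} {1} lastLogonTimestamp={2}" -f [datetime]::Now, $u.DN, $u.lastlogontimestamp.value |
                Add-Content -Path $LogPath
            $u | Remove-QADObject -Force
        }
    }

    # Number of accounts selected, for the caller's report.
    @($candidates).Count
}

# Dry run first, then the real thing:
# Remove-StaleDisabledUsers -WhatIf
# Remove-StaleDisabledUsers -LogPath "c:\90-180\removedaccounts.txt"
```

Because the deletion sits behind ShouldProcess, -WhatIf stops the function before Remove-QADObject is ever called, so the log file is not touched during a dry run either.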


Jun 25 2009   6:12PM GMT

Powershell Query AD



Posted by: Colin Smith
Powershell, Active Directory

I have talked in the past about some cmdlets that Quest Software provides for Powershell. Well, today they came in useful for me. My boss came up and wanted to know the last time a certain service account had authenticated to the domain. We log all users logging in via our login script, but since this is a service account the login script does not fire, and therefore we do not get a log of the event. So using the cmdlets from Quest Software I did the following and got what we needed.

# Find the accounts whose logon name matches the service pattern, then print each one's last logon.
# Get-QADUser returns at most 1000 objects by default; pass -SizeLimit 0 in a larger domain.
$1600users = Get-QADUser | where { $_.logonname -like "*p1600-10*" }
foreach ($1600user in $1600users)
{
    $name = $1600user.Name
    # LastLogon comes from the DC that answered this query; it is not replicated,
    # so another DC may hold a newer value.
    $date = $1600user.LastLogon
    echo "$name logged in on $date"
}

That is it, and it let us know that we have two accounts related to the server services we were interested in, along with the last logon time for each.

Hope this is helpful.
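The replication point from the audit post (a user's last logon is recorded on whichever DC authenticated them, so a single DC can report a stale value) applies to the LastLogon query above as well. Here is the multi-DC lookup that post describes, as an added example that is not the author's code: it enumerates the domain controllers with .NET, asks each one with Get-QADUser's -Service parameter, and keeps the newest LastLogon. It assumes the Quest snapin is loaded and that -Service pins a query to one DC; the account name in the usage lines is a made-up placeholder.

```powershell
function Get-NewestLastLogon {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Enumerate the DCs of the current domain rather than hard-coding their names.
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $newest  = $null
    $source  = $null
    $queried = 0

    foreach ($dc in $domain.DomainControllers) {
        try {
            # -Service asks this specific DC; -ErrorAction Stop turns a failed query into an exception.
            $u = Get-QADUser -Identity $SamAccountName -Service $dc.Name -ErrorAction Stop
            $queried++
        } catch {
            # An unreachable DC must not silently make the account look stale: report it.
            Write-Warning ("Could not query {0}: {1}" -f $dc.Name, $_.Exception.Message)
            continue
        }
        # LastLogon is per-DC; keep the newest value seen and remember which DC reported it.
        if ($u -and $u.LastLogon -and (-not $newest -or $u.LastLogon -gt $newest)) {
            $newest = $u.LastLogon
            $source = $dc.Name
        }
    }

    New-Object PSObject -Property @{
        SamAccountName  = $SamAccountName
        NewestLastLogon = $newest        # $null means no DC has seen this account log on
        ReportedBy      = $source
        DCsQueried      = $queried
        DCsTotal        = $domain.DomainControllers.Count
    }
}

# Usage with the 90-day threshold from the audit posts ('svc-placeholder' is a made-up name):
# $disabledate = [datetime]::Now.AddDays(-90)
# $r = Get-NewestLastLogon -SamAccountName 'svc-placeholder'
# if ($r.DCsQueried -lt $r.DCsTotal) { Write-Warning 'Not every DC answered; do not act on this result.' }
# elseif ($null -eq $r.NewestLastLogon -or $r.NewestLastLogon -lt $disabledate) { 'stale' }
```

The DCsQueried and DCsTotal fields are what make the result safe to act on: if a DC did not answer, the newest value is only a lower bound, and a disable or delete decision should wait for the next run.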


Mar 30 2009   9:57PM GMT

Scripting



Posted by: Colin Smith
Scripting, Powershell, Unix, Windows, System Administration, Windows Administration, Linux, Database Administration, Active Directory

So I have people ask me all the time how I get so much done in a day. I have to be honest with you: I do not really do that much. This is because I write scripts to do anything and everything for me. If I have to do something more than once, I script it. If I think something might be useful, I script it. I hate doing the same work over and over. Take something as simple as creating a new user on a domain. This is a very simple task in AD, but it takes about 2 minutes per account. It is easy to find a script that will create mass accounts with some generic name. Why not take that same script and make it create one account at a time, or ten, or whatever you need? You can make it so you type in the name of the user interactively or read names in from a list that you have. Simple things like that. Creating this account takes 2 minutes in AD, but I can do it in under 10 seconds.

When you work in a fast-paced world like we do, especially in IT where everyone wants it now, now, now, every second counts. Saving just under 2 minutes does not seem like a lot, but that is just the beginning. If you save 5 minutes here, 10 there, and 2 there, it adds up very fast, so you can leave work an hour early, or you just make your boss think that you are that much better and more effective. It does not really matter if you are a Windows person or a Unix/Linux person. SCRIPT anything you can and save time.

I come from a Windows background, and in this area the Unix/Linux admins are years ahead of the Windows users. I had done some automation using VBScript when I was a Windows admin, but when I got into Unix for database administration, I quickly learned that scripting is the way. Now with Windows Powershell, Windows administrators can be much more effective in less time. Please learn a scripting language that is of use to you and that you understand. I prefer Powershell, but VBScript is a good way to go if you like it better.

Good luck scripting, and as always, if you have a question let me know by heading to http://sysadminsmith.com and clicking the ‘Submit a Question’ link on the right.


Feb 24 2009   6:18PM GMT

Powershell commands for Active Directory



Posted by: Colin Smith
Powershell, Active Directory, Windows, Windows Administration

I have been asked how to manage Active Directory with Powershell. The best way is with the Quest Software cmdlets for Active Directory. They are free and available at http://www.quest.com/powershell/activeroles-server.aspx. Once you download and install them you will still need to add the snapin to your Powershell profile. To do this, open Powershell and do the following.

This will open your Powershell profile in Notepad. The Powershell profile is really just a Powershell script, and you can have it do anything you want. I have mine add a few PSDrives that I use often and add the snapins that I need. Just add the following line to your profile script and you will be able to use all the AD cmdlets that Quest has been so kind to supply for free.

Add-PSSnapin Quest.ActiveRoles.ADManagement

You can do this with any set of snapins that you find. I have some for SQL Server as well that come in handy.
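A guarded form of that profile line, as an added example rather than the post's own text: Add-PSSnapin throws if the snapin is already loaded (for instance when the profile is dot-sourced a second time), and fails less helpfully when the Quest package is not installed at all, so the profile checks both cases first. It uses only the Get-PSSnapin and Add-PSSnapin cmdlets built into Powershell.

```powershell
# The profile can be opened for editing with:  notepad $profile
# (Notepad offers to create the file if it does not exist yet.)
$snapin = "Quest.ActiveRoles.ADManagement"

if (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue) {
    # Already loaded in this session; calling Add-PSSnapin again would throw.
}
elseif (Get-PSSnapin -Registered -Name $snapin -ErrorAction SilentlyContinue) {
    # Installed but not yet loaded: the normal case when a new console starts.
    Add-PSSnapin $snapin
}
else {
    # Installed snapins register themselves with Powershell; no registration means
    # the Quest package is missing, so say so instead of failing on the first Get-QADUser.
    Write-Warning "$snapin is not installed; the Get-QAD* cmdlets will not be available in this session."
}

# Quick check after the profile has run: list the cmdlets the snapin provides.
# Get-Command -PSSnapin $snapin
```

The same three-way check works for any snapin, including the SQL Server ones mentioned above; only the name changes.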

Let me know if you have any questions by going to http://sysadminsmith.com and clicking the submit a question link to the right.


Feb 19 2009   4:53PM GMT

AD Migration Script Q and A



Posted by: Colin Smith
Q and A, Powershell, Active Directory, Microsoft Windows, Windows Administration

I received a question from Sandeep as follows:

Hi Colin,

I saw your answer to one of the AD user creation questions on IT Knowledge Exchange. You had mentioned that a script can be written using Powershell to migrate a lot of users. I’m completely new to AD and I have a few queries; could you please help?

Queries:

1. I would like to migrate all the users from one Active Directory, Say “X” on MS NT to Active Directory, say “Y” on MS 2000/ MS 2003, is this possible to do without using any tool?

2. Please provide me some details on the scripts that need to be written to accomplish this.

3. What are the steps I need to follow to successfully migrate all the users?

4. If I have to use the ADMT 3 tool, is it reliable? Any other information that I’d need related to this?…

Thanks in advance for your help.

Regards,

Sandeep

This is my reply:

Sandeep,

First I will give you straight answers and then some detail to follow.

1. I would like to migrate all the users from one Active Directory, Say “X” on MS NT to Active Directory, say “Y” on MS 2000/ MS 2003, is this possible to do without using any tool? Migrating might be tough. Copying all users from X to Y, for sure. In this, though, all users will lose their password and SID and possibly other attributes.

2. Please provide me some details on the scripts that need to be written to accomplish this.
The script would use the Quest AD cmdlets to get all the users and all the attributes that you would like to copy over. We would then use that data to create the new users with all the attributes in the new domain.

3. What are the steps I need to follow to successfully migrate all the users?
If you just want to migrate users and not groups or any other objects then you can script this as I said above. If you want passwords and all attributes to migrate then ADMT is a good tool.

4. If I have to use the ADMT 3 tool, is it reliable? Any other information that I’d need related to this?…
ADMT is a good tool, however, I have not used it very much. Like I said above, if you need all the data then this is a better way to go.

You could write a Powershell script or even a batch script if all you want to do is get user information from the old domain and create new users in the new domain. If you want to keep all the users' passwords and other object information then the ADMT tool is probably going to be a better option, unless you want to write a lot of code and really dig into AD objects. If you do not care about any of that and you want to start from scratch then you can certainly write a script to get all the AD user accounts and all attributes that you want to carry over to the new AD (Y). If you decide that you would like to use scripts for this task then I am more than willing to help you with some basic scripts for this. Have you used Powershell much? Are you familiar with the syntax? If so then you should go download the Quest AD cmdlets as they will be useful to us in this task. Please let me know how you would like to proceed on this.

In summary, I would say that Powershell is an awesome tool, but in this case, depending on what Sandeep needs, I am not sure that it is the best tool for the task. Powershell is great and comes in handy when your boss says I need to add 30 accounts to AD, or I need to modify these 30 accounts, or something of that nature. For a domain migration I think that the Microsoft utilities may be best.

If you have any other questions please visit http://sysadminsmith.com and click the submit a question link on the right.