Microsoft Windows

AD Audit Script Q and A

I got the following comment on Part 3 of the script.
RobDolfijn

Hi Colin,

This is just what I need so I’m looking forward to the whole script!
I’m getting stuc on Get_Users because it is not recognized as a cmdlet, please help me?

So I am not sure how you have it set up but I think I have an idea of what is going on. One of two things.

1. You have the function below the main part of the script that calls the function. The function has to be before the main part of the script so that Powershell knows about the function.

2. The other thing is that you do not have the function defined in the {} brackets.

My assumption here is that the first thing is the issue. The Powershell ‘Engine’ looks for the function definitions before the function is called. It seems strange but that is how it works in many languages. So just make sure that you put all the functions above the function call and you should be good. Hope that this helps. Please let me know if you have any issues.

AD Audit in Powershell Script Part 6

As i recall, in Part 5 we had gathered all the account information, parsed that, disabled accounts that needed to be disabled, gathered information on all the disabled accounts, and removed the accounts from the domain that needed to be as well as documented that we did so. Now that leaves me with needing to accomplish one more thing. My business would like to have certain people notified about the account changes that have taken place. This is where the Mail function comes into play. Below is the code that I execute to send email when needed.

function Mail
{
$file1 = "c:\90-180\file1.Disabled.txt"
$file2 = "c:\90-180\file2.Disabled.txt"
$file3 = "c:\90-180\file3.Disabled.txt"
$file4 = "c:\90-180\file1.Deleted.txt"
$file5 = "c:\90-180\file2.Deleted.txt"
$file6 = "c:\90-180\file3.Deleted.txt"

$smtpServer = "mailhost"
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$msg = New-Object Net.Mail.MailMessage

##########################################################
## Test for Attachment files. If the file is not
## available then do not create the attachment object
##########################################################
if(Test-Path $file1)
{$att1 = New-Object Net.Mail.Attachment($file1)}
if(Test-Path $file2)
{$att2 = New-Object Net.Mail.Attachment($file2)}
if(Test-Path $file3)
{$att3 = New-Object Net.Mail.Attachment($file3)}
if(Test-Path $file4)
{$att4 = New-Object Net.Mail.Attachment($file4)}
if(Test-Path $file5)
{$att5 = New-Object Net.Mail.Attachment($file5)}
if(Test-Path $file6)
{$att6 = New-Object Net.Mail.Attachment($file6)}

$msg.From = "90-180Audit@pni.com"
$msg.To.Add("somemail@host.com")
$msg.Subject = "Disabled and Deleted Domain Accounts"
$msg.Body = "Attached are files with names of disabled and deleted accounts."

##########################################################
## Test if the file is available again. If so then
## create the attachment.
##########################################################
if(Test-Path $file1)
{$msg.Attachments.Add($att1)}
if(Test-Path $file2)
{$msg.Attachments.Add($att2)}
if(Test-Path $file3)
{$msg.Attachments.Add($att3)}
if(Test-Path $file4)
{$msg.Attachments.Add($att4)}
if(Test-Path $file5)
{$msg.Attachments.Add($att5)}
if(Test-Path $file6)
{$msg.Attachments.Add($att6)}

$smtp.Send($msg)
$att1.Dispose()
$att2.Dispose()
$att3.Dispose()
$att4.Dispose()
$att5.Dispose()
$att6.Dispose()
}

first I define all 6 of the files that I may or may not want to attach to the email. Then I set up the SMTPserver and the mail objects. Now I test for each of the files that I may or may not want to attach. I only want to attach the file if the file exists. This way I do not get errors about files not being on the filesystem and I am not sending blank files to the people that need the information.
I then define who the message is from, who it is to, subject, and the body. Now that we have that I have to start attaching the files. After attaching the files that are needed I send the message and then close all the attachments just to make sure that no handles keep the files open. I want to be able to delete the files later.

Well that is it. Next post will have the script in its entirety so that you do not have to cut and paste so much. Hope all this helps you out. Let me know if you have any questions about any part of this script.

AD Audit in Powershell Script Part 5

Now that we have disabled and moved all the disabled accounts to the Disabled OU I am going to get all the user object information from just the disabled OU this time. I need this since objects have been moved around. This scan of AD does go much faster as I am only scanning the one OU. I have this is the Delete_Users function. I chose not to have the gathering disabled users as a function but you certainly could break that out if you like.
In this function I create a csv file for all the objects in the disabled OU and now I determine if they meet the criteria for delection. If they do then I have a few things that I want to do with them.
First I want to get a list of all the groups that the user is a member of so I can remove them from the groups before deleting the user object. This will prevent us from getting hashes of UID’s in groups. I hate that…
Then I remove the user object and make note that I did so, again so paperwork can be done for this action. Then I need to go check and see if they have a home directory. I go out and look and if they do I move it to another chunk of disk that managers have access to so they can look through the data in that folder for anything that they may need. Those folders are removed at regular intervals by another clean up script.

##########################################################
## Function Delete_Accounts
## Find all acounts that are in the disabled OU's and
## determine what accounts have not been loged in with
## in over 180 days and also were created over 180 days
## ago. Once the accounts have been identified capture
## Users login name so that we can remove all groups
## from that user as well as move the users Home Drive
## folder to anothe location to await deletion.
##########################################################
function Delete_Accounts
{
	foreach($company in $companies)
		{
		Echo "Delete accounts for $company"
			$listedusers = Import-Csv "c:\90-180\$company.disabledou.csv"
			Clear-Content "c:\90-18\$company.deleted.txt"
			foreach($listeduser in $listedusers)
			{
				$fname = $listeduser.Firstname
				$lname = $listeduser.LastName
				$dn = $listeduser.dn
				$dn = $dn.replace(":", ",")
				$enabled = $listeduser.enabled
				$logon = $listeduser.lastlogon
				$logonname = $listeduser.logonname
				$created = $listeduser.createddate

##########################################################
## Check for accounts that have not been used and were
## created more than 180 days ago. If found then remove
## all groups, remove from domain, log removal from
## domain and move H: Drive to holding area.
##########################################################
				if(($created -lt $deletedate) -and ($logon -lt $deletedate))
					{
##########################################################
## Gather all groups that the user is a member of
## and loop thru all groups to remove the user.
##########################################################
						if(Test-Path "c:\90-180\$logonname.groups.txt")
						{
							$groups = Get-Content "c:\90-180\$logonname.groups.txt"
							foreach($group in $groups)
							{
								Remove-QADGroupMember -Identity $group -Member $logonname -whatif
							}
							#rm "c:\90-180\$logonname.groups.txt"
						}

##########################################################
## Remove the User Object and log the removal
##########################################################
						Remove-QADObject $logonname -whatif
						echo "$fname $lname $logonname" >> "c:\90-180\$company.deleted.txt"

##########################################################
## Check to see if the user has an H: Drive
## If the folder exists then move it to the K: Drive
## to hold until the time limit to delete the folder
##########################################################
						if(Test-Path "\\servername\users$\$logonname")
						{
							move-item -literalPath "\\servername\users$\$logonname" -destination "\\servername\data\common\_term\$logonname" -whatIf
							Echo "Moved \\servername\users$\$logonname to \\servername\data\common\_term\$logonname" >> "c:\90-180\homedirs.txt"
						}
						else
						{
							Echo "NO H Drive found for $logonname" >> "c:\90-180\homedirs.txt"
						}
					}

				}
			}
}

Well that does it for taking action on the AD Objects. Now I just need to send out the notifications of the actions that the script took. That will be next time. Let me know if you have any questions about this function.

AD Audit in Powershell Script Part 4

Now that we have all of the users information into a csv file it is time to start sorting through all of that data and determining what objects need to be disabled and moved to the disabled OU that I have set up for all disabled accounts to go and await deletion. Lets do that with the Disable_Accounts function. This is a pretty basic function but I have a do a few different things here. First we have a Holding OU and that is available for our new account provisioning system. It creates accounts and places them in this OU in a disabled state. I am going to look in this OU to see if the account has been there for 30 days or more and if so I will move the user object. I am also going to go scan for any accounts that are disabled but not in the Disabled or Holding OU’s and then move them. This keeps things clean just in case a person disables an account and does not move it. Lastly I will disable and move all accounts that meet my criteria. I am also logging the accounts that I disable so that paperwork can also be done for these accounts.

##########################################################
## Function Disable_Accounts
## Find all accounts that need to be disabled
## Disable the account
## Move the account to the appropriate disabled OU
## Log the account that has been disabled and moved
##########################################################
function Disable_Accounts
{
	foreach($company in $companies)
		{
			$listedusers = Import-Csv "c:\90-180\$company.csv"
			foreach($listeduser in $listedusers)
			{
				$fname = $listeduser.Firstname
				$lname = $listeduser.LastName
				$dn = $listeduser.dn
				$dn = $dn.replace(":", ",")
				$enabled = $listeduser.enabled
				$logon = $listeduser.lastlogon
				$logonname = $listeduser.logonname
				$created = $listeduser.createddate

##########################################################
## Check for accounts in Holding OU that are still
## disabled and beyond the 30 holding limit and
## move them to the disabled OU
##########################################################
				if(($enabled -eq "DISABLED") -and ($created -lt $holdingdate) -and ($dn -like "*holding*"))
					{
						$logonname | Move-QADObject -NewParentContainer "pni.us.ad.gannett.com/$company/Users/Disabled" -WhatIf
						echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
					}

##########################################################
## Find any accounts that are disabled and not in the
## Holding OU and move them to the disabled OU
## This cleans up any accounts that have been disabled
## by hand and not moved to the disabled OU.
##########################################################
				if(($enabled -eq "DISABLED")-and ($dn -notlike "*holding*"))
					{
						$logonname | Move-QADObject -NewParentContainer 'pni.us.ad.gannett.com/$company/Users/Disabled' -WhatIf
						echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
					}

##########################################################
## Check for accounts not in holding OU that are beyond
## the 90 day limit for login and create date
## and disable them and move them to the disabled OU.
##########################################################
				if(($enabled -eq "ENABLED") -and ($logon -lt $disabledate) -and ($created -lt $disabledate) -and ($dn -notlike "*Holding*"))
					{
						$logonname | Disable-QADUser -WhatIf
						$logonname | Move-QADObject -NewParentContainer "pni.us.ad.gannett.com/$company/Users/Disabled" -WhatIf
						echo "$fname $lname $logonname" >> "c:\90-180\$company.disabled.txt"
					}

			}
		}
}

Nothing to complex here. Let me know if you have any questions about this function.

AD Audit in Powershell Script Part 3

Now that we have the main part of the script setup it is time to look at the first function that we call. This is the Get_users function. Now this function gets a listing of all the DC’s and does a get-qaduser on all of them looking at the lastlogon property to determine what DC has the latest information on that user object. It will then use that DC to write that users information out the the file for me.

function get_users
{
	foreach($company in $companies)
		{
#Echo "Company is $company"
			Clear-Content "c:\90-180\$company.csv"
			Clear-Content "c:\90-180\$company.disabled.txt"
			echo "enabled, LogonName, firstname, lastname, dn, lastlogon, createddate" >> "c:\90-180\$company.csv"

			$dcs = Get-QADComputer -ComputerRole DomainController

			$users = Get-QADUser -SizeLimit 0 -searchroot "somecomapny.com/$company/Users" | where{(($_.dn -notlike "*disabled*") -and ($_.dn -notlike "*Generic*") -and ($_.dn -notlike "*Vendors*") -and ($_.dn -notlike "*mail-in*") -and ($_.dn -notlike "*shared calendars*"))}

			foreach($user in $users)
				{
					$lastlogon = $null
					foreach($dc in $dcs)
					{
						$dclogon = Get-QADUser -Service $dc.Name -SamAccountName $user.samaccountname | select lastlogon
						$dclogon = $dclogon.lastlogon.value

						if ($dclogon -ne $null)
							{
								if($lastlogon -lt $dclogon)
									{
										$lastlogon = $dclogon
									}
							}
					}
					if ($lastlogon -eq $Null)
						{
							$lastlogon = [datetime]::Now.AddDays(-500000)
						}

					$o = New-Object PSObject
					$o | Add-Member NoteProperty "User" $user.Name
					$o | Add-Member NoteProperty "LastLogin" $lastlogon
					$o | Add-Member NoteProperty "DisplayName" $user.DisplayName
					$o | Add-Member NoteProperty "Disabled" $user.accountisdisabled
					$o | Add-Member NoteProperty "DistinguishedName" $user.DN
					$o | Add-Member NoteProperty "Created" $user.CreationDate
					$o | Add-Member NoteProperty "SamAccountName" $user.SamAccountName
					$o | Add-Member NoteProperty "LastName" $user.LastName
					$o | Add-Member NoteProperty "FirstName" $user.FirstName

					if($o.disabled -eq "False")
						{			$enabled = "DISABLED"}
					else
						{			$enabled = "ENABLED"}
					$Fname = $o.FirstName
					$lname = $o.LastName
					$lastlogon = $o.LastLogin
					$created = $o.Created
					$samname = $o.samaccountname
					$dn = $o.DistinguishedName
					$dn = $dn.replace(",", ":")

					echo "$enabled, $samname, $fname, $lname, $DN, $lastlogon, $created" >> "c:\90-180\$company.csv"

				}

		}
}

So lets break this down a bit and if you need more explanation just let me know.
Like I said in Part 2 I have multiple companies that are designated by OU’s in the forest. That is why you see the foreach loop. I am breaking it down by company. You do not have to do this if you do not need to.
Now I loop thru and get user info from all DC’s and determine what info to use. You will also notice that I have a
if ($lastlogon -eq $null){$lastlogon = [datetime]::now.adddays(-50000)}
That is so that when I compare to the lastlogon time if the user has never logged on I still get a date but it is a date that will always be less than my 90 or 180 day criteria.
Then I create a new-psobject and define all the fields that I want each object to have. Then I write that out to a csv file. You will notice that I am doing a replace on the DN field. That is because I want to use a csv file and if that field has items separated by commas it will mess things up when I import-csv that file later.

Well that is it for now. Until next time….

Powershell Remove files

I have a server that attempts to backup up the SQL Server databases and it always fails because not enough space is available. This usually is not a big deal as I would run a SQL Clean up task before the backups run to remove the old files. In this case though I am using a third party utility to run the backups and it does not have that functionality. So, since I am no sqljockey yet, I have chosen Powershell as my tool. Here is what I have done.

$days = [datetime]::now.adddays(-7)
E:
cd \
cd Directory
ls | where {$_.name -like "*.bak"} | rm -force
cd tranlogs
ls | where {$_.name -like "*trn"} | rm -force
cd ../../Directory
ls | where {$_.name -like "*.bak"} | rm -force
cd tranlogs
ls | where {$_.name -like "*bak"} | rm -force
ls | where {$_.name -like "*txt"} | where{$_.creationtime -lt $days} | rm -force
c:

You can see that I simple cd to the directory that I have my backupfiles in and do an rm or Remove-object. I am also keeping 7 days worth of the txt log files that the backups create. Just in case I need them. Hope that helps. Enjoy

AD Audit in Powershell Script Part 2

Now that we have some idea about what this script is about and what we would like to accomplish with the script lets get into it.

I have the code in the box below and I will just go over what I am doing . This is where the script will start so I am setting up my variables and then I will start to call the other functions of the script.
First I place on doing my own error checking where I care if an error occurs and I do not want to be notified or have the script stop if an error does occur so I Silently Continue. I get the time that the script started so I can log that for a few reasons. One is so that I know when the script ran last and two so I can know how long the script runs. I set up the variables that I care about such as $holdingdays, $disabledays, and $deletedays. Now I take those values to determine the dates for holdin, disable, and delete. In my company we have other companies that are on our domain and we have them separated out with OU’s that have a company name designation. that is what my $companies variable holds. Now I can start to call my functions.

##########################################################
## Main
## Set up variables and call functions of script.
##########################################################
$ErrorActionPreference = "SilentlyContinue"
$starttime = [datetime]::Now
echo "Start 90-180 Script run at $starttime" >> "c:\90-180\90-180.log"
$holdingdays = -30
$disabledays = -90
$deletedays = -180
$disabledate = [datetime]::Now.AddDays($disabledays)
$deletedate = [datetime]::Now.AddDays($deletedays)
$holdingdate = [datetime]::Now.AddDays($holdingdays)
$companies = "name1", "name2", "name3"
clear-content "c:\90-180\homedirs.txt"
#echo "calling Get_Users"
Get_Users
#echo "calling Disable_Acconts"
Disable_Accounts
#Echo "Calling Get Disabled Accounts"
Get_Disabled_Accounts
#Echo "Calling Delete_Accounts"
Delete_Accounts
#Echo "Calling Mail"
Mail
$endtime = [datetime]::Now
echo "End 90-180 Script run at $endtime" >> "c:\90-180\90-180.log"
echo "#################################`n" >> "c:\90-180\90-180.log"

My next post will be about the get_users function. This is a fun one since it has to query all the DC’s.

AD Audit in Powershell Script Part 1

As I said before I have completed my re-write of my Active Directory Audit into Powershell. Man is it better. more functional and less code. I love it. This script goes out and searches my domain for user accounts that are old and stale. By old and stale I mean that they were both created, and have not been logged into in 90 days or more. If they meet that criteria then I go ahead and disable them, move the object to a disabled OU, and send out notifications about the account being disabled to the appropriate people so the action can be documented. That is only part one of the script.

Second is the script will now look at all the accounts that reside in the disabled OU and determine if the account has been created and that the last logon date was more than 180 days ago. If the account meets that criteria then I gather a list of all the groups that user is a member of, remove the user from the groups, delete the account, and finally I go out and see if they have a home directory folder. If they do then I move that folder and all contents to another file share so that managers and other top level employees can access that data. (I have another script that deletes that data after 30 days of inavtivity.)

So lets get into it a bit. Before we go over any code though I want to talk about AD and Replication. If you have more than one DC then you have an issue with getting accurate last logon timestamps. When a user logs in to the domain they can authenticate using any of the domain controllers but AD does not replicate that property to all the other DC’s you have. This is an issue with this script since I want to make sure I do not disable or delete an account based on information from a DC that may not have the latest information. This means that we must query all DC’s and look for the newest logon timestamp and use that.

Also just a side note, this script does require having the Quest AD Management cmdlets installed and available. You can get them at http://www.quest.com/powershell/activero…

So next post we dive into the begining part of the script.