This PowerShell script offers a menu of Active Directory user reports. It is read-only (it only calls Get-ADDomain and Get-ADUser), so run it with an account that merely has read access to the domain; no privileged account is needed.
- Report Locked Accounts
- Report Expired Accounts
- Report Expired Passwords
- Report Enabled accounts that have no recent activity (default 120 days)
- Report All Accounts
By default, every report includes the fields that govern an account’s ability to log in:
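# Script to run AD User security reports.
#
# Able to report:
#   Locked Out Accounts
#   Expired Accounts
#   Expired Passwords
#   Enabled Accounts with no activity.
#   ALL Accounts
#
# The script is read-only: it only calls Get-ADDomain / Get-ADUser, so it
# needs nothing more than an account with read access to the domain. Do not
# run it under a privileged (e.g. Domain Admin) account just to produce a
# report.
#
# Written by Forrest McFaddin

Import-Module ActiveDirectory

# Clear any previous domain variables
$Domain = $null
$Domain_Status = $null

# Prompt for Domain or set it to user's domain.
[string]$Domain = Read-Host "Enter Domain to check or press enter to continue with current user's domain"
if (-not $Domain) {
    $Domain = $env:UserDomain
}

# Check for domain. Get-ADDomain throws when the name is wrong or the caller
# has no access; in either case stop here rather than run reports against a
# domain we cannot reach.
try {
    $Domain_Status = Get-ADDomain $Domain
    Write-Host -ForegroundColor Green "Connected to domain" $Domain
}
catch {
    Write-Output ""
    return "Could not connect to domain. Please confirm domain name or run this script with an account that has access."
}

# Prompt for Report Type. Read it as text and validate before casting: a bare
# [int] cast of non-numeric input is a terminating conversion error, and an
# out-of-range number would silently produce no report at all.
$report_choice = Read-Host "Choose report to run: [1] Expired Accounts, [2] Expired Passwords, [3] Locked Out Accounts, [4] Enabled Accounts with no password expiration or activity, [5] ALL"
if ($report_choice -notmatch '^\s*[1-5]\s*$') {
    return "Invalid choice '$report_choice'. Enter a number from 1 to 5."
}
[int]$report_type = $report_choice.Trim()

# Specify timeframe for "recent activity" (Days)
$activity_window = 120

# Properties every report pulls from AD.
# NOTE(review): badPwdCount and AccountLockoutTime come from whichever DC
# answers for -Server; badPwdCount in particular is per-DC and not replicated,
# so treat that column as indicative only unless the query is pointed at the
# PDC emulator -- confirm against your domain's lockout policy before acting.
$base_properties = @('AccountExpirationDate', 'AccountLockoutTime', 'badpwdCount',
                     'LastLogonDate', 'PasswordLastSet', 'PasswordExpired', 'Enabled')

# Column set shared by reports 1, 2, 4 and 5 (report 3 swaps in LockedOut).
$default_columns = 'name', 'Enabled', 'AccountExpirationDate', 'AccountLockoutTime',
                   'LastLogonDate', 'badpwdCount', 'PasswordExpired', 'PasswordLastSet'

# Fetch all user objects from a domain with the report properties.
#   -Server          domain (or DC) name passed straight to Get-ADUser
#   -ExtraProperties additional AD attributes to request beyond $base_properties
# Returns the raw ADUser objects; callers select columns and filter client-side
# so each report's condition stays readable. -Filter * is deliberate.
function Get-ReportUsers {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string[]]$ExtraProperties = @()
    )
    Get-ADUser -Filter * -Server $Server -Properties ($base_properties + $ExtraProperties)
}

switch ($report_type) {
    1 {
        # Expired Accounts: enabled accounts whose expiry date has already
        # passed. Only compare when an expiry date is set; $null goes on the
        # left of -ne so PowerShell does not apply collection semantics.
        # (The original piped through `more` before Format-Table, which turns
        # the objects into strings before formatting; the other reports did
        # not, so this one now matches them.)
        $AD = Get-ReportUsers -Server $Domain | Select-Object $default_columns
        $AD | Where-Object {
            ($null -ne $_.AccountExpirationDate) -and
            ($_.AccountExpirationDate -lt (Get-Date)) -and
            ($_.Enabled -eq $true)
        } | Format-Table
    }
    2 {
        # Expired Passwords: enabled accounts with no account expiry whose
        # password has expired.
        $AD = Get-ReportUsers -Server $Domain | Select-Object $default_columns
        $AD | Where-Object {
            ($_.PasswordExpired -eq $true) -and
            ($_.Enabled -eq $true) -and
            ($null -eq $_.AccountExpirationDate)
        } | Format-Table
    }
    3 {
        # Locked Out Accounts: enabled accounts with an active lockout and a
        # password that has not expired. LockedOut is only populated when it
        # is requested explicitly, hence the extra property.
        $AD = Get-ReportUsers -Server $Domain -ExtraProperties 'LockedOut' |
            Select-Object name, Enabled, LockedOut, AccountLockoutTime, LastLogonDate, badpwdCount, PasswordExpired, PasswordLastSet
        $AD | Where-Object {
            ($_.LockedOut -eq $true) -and
            ($_.Enabled -eq $true) -and
            ($_.PasswordExpired -eq $false)
        } | Format-Table
    }
    4 {
        # Stale accounts: enabled, password not expired, no logon inside the
        # activity window. Accounts that have never logged on (LastLogonDate
        # is $null) are listed explicitly instead of relying on how $null
        # compares to a date -- an enabled account nobody has ever used is
        # exactly what this report exists to surface. Exchange health
        # mailboxes are excluded as noise.
        # NOTE(review): LastLogonDate is derived from lastLogonTimestamp,
        # which AD replicates lazily (by default it can lag the real last
        # logon by up to roughly 14 days); allow for that slack before
        # disabling anything on the strength of this report.
        $cutoff = (Get-Date).AddDays(-$activity_window)
        $AD = Get-ReportUsers -Server $Domain | Select-Object $default_columns
        $AD | Where-Object {
            ($_.name -notlike '*healthmailbox*') -and
            ($_.PasswordExpired -ne $true) -and
            ($_.Enabled -eq $true) -and
            (($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff))
        } | Format-Table
    }
    5 {
        # All accounts except Exchange health mailboxes.
        $AD = Get-ReportUsers -Server $Domain | Select-Object $default_columns
        $AD | Where-Object { $_.name -notlike '*healthmailbox*' } | Format-Table
    }
}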