- Windows Server 2012 Automation with PowerShell Cookbook
- Ed Goad
- 2021-07-27 18:09:56
Searching for and reporting on AD users
Once your AD environment has existed for some time, finding and changing settings in your environment can become difficult. For example, let's say when the domain was first created, all the users had the same logon script named logon.bat. Over time, specific needs arose that caused the creation of logon2.bat, new_logon.bat, and testlogon.bat, with different users assigned to each script.
As an administrator, you want to consolidate all these logon scripts into one, but you need to know what this will impact. You need to know which logon scripts are being used, who is using which ones, and why the different scripts exist. Thanks to the capabilities of AD and PowerShell queries, these items can easily be found.
In this recipe we will perform several queries against Active Directory, each returning different information about user accounts.
How to do it...
Carry out the following steps to search for and report on AD users:
- To report on all users and their logon scripts execute the following code:
    Get-ADUser -Filter * -Properties SamAccountName, DisplayName, `
        ProfilePath, ScriptPath | `
        Select-Object SamAccountName, DisplayName, ProfilePath, ScriptPath
- To find all disabled user accounts execute the following code:
    Get-ADUser -Filter 'Enabled -eq $false'
- To find users who haven't logged in for 30 days execute the following code:
    $logonDate = (Get-Date).AddDays(-30)
    Get-ADUser -Filter 'LastLogonDate -lt $logonDate' | Select-Object DistinguishedName
- To find accounts with multiple logon failures execute the following code:
    $primaryDC = Get-ADDomainController -Discover -Service PrimaryDC
    Get-ADUser -Filter 'badpwdcount -ge 5' -Server $primaryDC.Name `
        -Properties BadPwdCount | Select-Object DistinguishedName, BadPwdCount
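The four steps above answer the consolidation question from the introduction one query at a time. The following script is an added example, not code from the cookbook; it combines the first three queries into a single report that shows which logon scripts are in use, how many users each one has, and how many of those users are disabled, stale, or have never logged on. It assumes the ActiveDirectory module (RSAT) is loaded and that the caller can read user objects; the function name, parameter names and the CSV path in the usage line are this example's own.

```powershell
# Added example: logon-script consolidation report built from the recipe's queries.
# Assumes the ActiveDirectory module is available; names below are hypothetical.
Import-Module ActiveDirectory

function Get-LogonScriptReport {
    [CmdletBinding()]
    param (
        # Users whose LastLogonDate is older than this many days are flagged as stale
        [int]$StaleDays = 30,
        # Optional path; when given, the per-user detail is written as CSV
        [string]$CsvPath
    )

    $staleCutoff = (Get-Date).AddDays(-$StaleDays)

    # Same query as step 1, plus Enabled and LastLogonDate so each user can be
    # classified without a second round trip to the domain controller.
    $users = Get-ADUser -Filter * -Properties SamAccountName, DisplayName, `
        ScriptPath, Enabled, LastLogonDate

    $detail = foreach ($u in $users) {
        # Users with no script assigned are grouped under a visible label
        $script = if ([string]::IsNullOrWhiteSpace($u.ScriptPath)) { '(none)' } else { $u.ScriptPath }

        # LastLogonDate is $null for accounts that have never logged on
        $status = 'Active'
        if (-not $u.Enabled) { $status = 'Disabled' }
        elseif ($null -eq $u.LastLogonDate) { $status = 'NeverLoggedOn' }
        elseif ($u.LastLogonDate -lt $staleCutoff) { $status = 'Stale' }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            DisplayName    = $u.DisplayName
            ScriptPath     = $script
            Status         = $status
            LastLogonDate  = $u.LastLogonDate
        }
    }

    if ($CsvPath) {
        $detail | Sort-Object ScriptPath, SamAccountName |
            Export-Csv -Path $CsvPath -NoTypeInformation
    }

    # Summary: one row per logon script with a count of users in each state.
    $detail | Group-Object ScriptPath | ForEach-Object {
        [pscustomobject]@{
            ScriptPath    = $_.Name
            TotalUsers    = $_.Count
            Active        = @($_.Group | Where-Object Status -eq 'Active').Count
            Stale         = @($_.Group | Where-Object Status -eq 'Stale').Count
            Disabled      = @($_.Group | Where-Object Status -eq 'Disabled').Count
            NeverLoggedOn = @($_.Group | Where-Object Status -eq 'NeverLoggedOn').Count
        }
    } | Sort-Object TotalUsers -Descending
}

# Usage: summary table on screen, per-user detail to a CSV (path is an assumption)
Get-LogonScriptReport -StaleDays 30 -CsvPath 'C:\Reports\logon-scripts.csv' | Format-Table -AutoSize
```

A script whose only users are disabled or stale can be retired without further investigation; a script with active users needs a look at what it does before it is merged. One caveat when reading the Stale column: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is updated lazily (by default only when the stored value is more than about 9 to 14 days old), so it is suitable for finding accounts unused for weeks, not for determining the exact last logon.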
How it works...
The first example uses Get-ADUser to query Active Directory for all User objects and return them to PowerShell. The accounts are then piped through Select-Object to return the username, profile location, and logon script to the screen.
The second example creates a simple filter for AD to show accounts that are not enabled. Get-ADUser is called with this filter and returns the appropriate accounts.
The third example creates a slightly more robust AD filter that identifies users who have not logged in for more than 30 days. We start by creating the $logonDate variable and assigning it the date 30 days ago. We then call Get-ADUser with a filter based on the LastLogonDate attribute, and lastly return the distinguished name of the users that match the filter. These may be users who have been on vacation or extended work trips and have not been able to log on to the domain, or user accounts that are no longer needed.
The fourth example provides a simple filter based on the number of bad password attempts for an account. We start by identifying the primary domain controller (PDC) in the environment. When a bad password attempt occurs, it is tracked on the domain controller initially queried, as well as on the PDC emulator. This allows us to query a single server instead of all the DCs. If a particular account has a high number of password failures, it can be a sign of a possible attack. As such, it is always helpful to have a script similar to this available so that the entire domain can be reviewed at a glance to determine whether one user is having a problem or whether it is a widespread issue.
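The following added example (not the cookbook's code) extends the fourth query into a reusable review function. By default it queries only the PDC emulator, for the reason explained above; with a switch it queries every domain controller so the non-replicated per-DC counts can be compared, which shows where the failures are arriving. It also returns LastBadPasswordAttempt and LockedOut, which are existing extended properties of Get-ADUser, and a per-run summary so one problem user can be told apart from a domain-wide pattern. The ActiveDirectory module is assumed to be available; the function and parameter names are this example's own.

```powershell
# Added example: bad-password review across the PDC emulator or all DCs.
# Assumes the ActiveDirectory module is available; function and parameter
# names are hypothetical, not cookbook or module names.
Import-Module ActiveDirectory

function Get-BadPasswordReport {
    [CmdletBinding()]
    param (
        # Accounts with BadPwdCount at or above this value are reported
        [int]$Threshold = 5,
        # When set, query every DC instead of only the PDC emulator
        [switch]$AllDomainControllers
    )

    # badPwdCount is not replicated, but every DC forwards a failure to the
    # PDC emulator, so the PDC alone gives a domain-wide view.
    $pdc = [string](Get-ADDomainController -Discover -Service PrimaryDC).HostName

    $dcs = if ($AllDomainControllers) {
        @(Get-ADDomainController -Filter * | ForEach-Object { [string]$_.HostName })
    } else {
        @($pdc)
    }

    $rows = foreach ($dc in $dcs) {
        Get-ADUser -Server $dc -Filter "badPwdCount -ge $Threshold" `
            -Properties BadPwdCount, LastBadPasswordAttempt, LockedOut, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                DomainController       = $dc
                IsPdcEmulator          = ($dc -eq $pdc)
                SamAccountName         = $_.SamAccountName
                BadPwdCount            = $_.BadPwdCount
                LastBadPasswordAttempt = $_.LastBadPasswordAttempt
                LockedOut              = $_.LockedOut
                LastLogonDate          = $_.LastLogonDate
            }
        }
    }

    # Summary line first: how many distinct accounts are over the threshold.
    $distinct = @($rows | Select-Object -ExpandProperty SamAccountName -Unique).Count
    Write-Verbose ("{0} account(s) at or above {1} bad password attempts" -f $distinct, $Threshold)

    $rows | Sort-Object BadPwdCount -Descending
}

# Usage: domain-wide view from the PDC emulator only
Get-BadPasswordReport -Threshold 5 -Verbose | Format-Table -AutoSize

# Usage: per-DC view, to see which DC is receiving the failed attempts
Get-BadPasswordReport -Threshold 5 -AllDomainControllers | Format-Table -AutoSize
```

Reading the output: a single account with a high count and a recent LastBadPasswordAttempt is usually one user, or a saved credential on one of that user's devices, submitting an old password. Many accounts crossing the threshold in the same short window is the widespread case the recipe mentions and is worth correlating with the logon failure events on the DCs that the per-DC view points at.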