Select Page

Powershell Part 1 – Auditing, Power through with the shell.

Powershell Part 1 – Auditing, Power through with the shell.

At some point in their lives most IT employees will feel the stress that comes with auditing. Auditing tends to strike fear into the hearts of most people, but with some basic powershell knowledge you can cover all your needs. With a couple simple commands you can pull quick Active Directory reports to satisfy your needs with minimal effort and hair pulling.  This is the first in a series of blogs that will help you get familiar enough with powershell to gain confidence using what truly is a robust and powerful tool at your fingertips, and best part it’s free!

KeepCalmAndLearnPowerShell_1024x768_2

 

Firstly, get to know the ins-and-outs of the command Get-ADUser.  This command is your go to command and pretty much the only one you’ll need to know for pulling reports from Active Directory.  Let me give you an example:

Your boss comes in and says “We need to pull a report of all users who have never changed their password”.  Now you can say OK, stay right there and I’ll get that all set.  Open up powershell and type in

Get-ADUser –filter * -Properties PasswordLastSet | Where { $_.passwordLastSet –eq $null }

So looking at this we are searching at all Active Directory objects PasswordLastSet date and throwing in a conditional to see those who never changed their password.  Nice, simple and fast.  OK this is good let’s move on.

Now you need to find those who haven’t updated their passwords in the last 90 days because this is a more practical query.  So we type in powershell

$90Days = (Get-Date) .adddays(-90)

Get-ADUser -filter {(passwordlastset -le $90days)}

So we get a nice output, but quickly discover we just got a report containing the thousands of terminated employees with disabled accounts. All we need to do is add a quick conditional in there to make sure we are only pulling active/enabled accounts.

Get-ADUser -filter {(passwordlastset -le ($90Days)) -AND (enabled -eq $True)}

 Now the real question:  We got the information we need but how do we make it readable and sortable.  Powershell command output can easily be exported by adding a couple simple options.

Get-ADUser -filter {(passwordlastset -le ($90Days)) -AND (enabled -eq $True)} | Export -csv C:\TestFile.csv

That’s it!  Now the results are exported to a CSV file for easy access and sorting.

With these couple quick examples it is easy to see that powershell is not difficult to use.  Granted these are simplified examples, but I wanted to develop a foundation on how easily things can be done and build off that.

Get-ADUser can be an incredible tool for auditing your Active Directory environment.  Let’s quickly go over some of the options and properties of get-aduser.

-Filter:  This option allows us to, as it says, filter the results so we can get a cleaner look at only the information we need.  If you are searching all of Active Directory you will use -Filter *

-SearchBase:  This allows us to specify a Domain if we have a multi-domain setup or seach only within a certain OU.  Usage is simply -Searchbase <string>  or an example -searchbase “DC=test,DC=com”

-Properties:  This really is the main option we want to use for auditing and pulling information.  With this option we can specify properties we want to retrieve that are not included in the default set.  The default set consists  of DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname and UserPrincipalName.  Some of those most  commonly used are LastLogonDate, Created, PasswordlastSet, MemberOf, AccountExpirationDate, Modified.  This is a short listing but get-aduser can pretty much pull any property that is an attribute in your Active Directory environment.

With this overview we should have a good grasp on the get-aduser command and be ready to take on all those audit demands that come our way.  Now that we’ve gotten a small taste of powershell and what it can we can start digging deeper and see where else we can use this tool.

Get-ADUser -Filter * -SearchBase “OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM”                      Get all users under the container ‘OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM’.
Get-ADUser -Filter ‘Name -like “*SvcAccount”‘ | FT Name,SamAccountName -A                                             Get all users that have a name that ends with ‘SvcAccount’.
Get-ADUser GlenJohn -Properties *                                                                                                                                Get all properties of the user with samAccountName ‘GlenJohn’.
Get-ADUser -Filter {Name -eq “GlenJohn”} -SearchBase “DC=AppNC” -Properties mail -Server lds.Fabrikam.com:50000                                                                                                                                                    Get the user with name ‘GlenJohn’ on the AD LDS instance.
Get-ADUser -Filter * -SearchBase “DC=Test,DC=COM” -Properties LastLogonDate, Created, MemberOf, PasswordLastSet, AccountExpiration | Export-csv c:\test.csv                                                 Get all users in AD including the default properties and LastLogonDate, Created, MemberOf, PasswordLastSet and AccountExpiration and export to CSV

 

 

 

About The Author

Dan Kelly

Graduating from college in 2002 with a bachelors in Computer Science, I quickly became aware that my degree didn’t really prepare me for a real-world career. Not having the time and/or patience to take more college courses I set upon trying to teach myself the real world tools I would need to be successful. I quickly realized that I learn extremely well when I can take something I read/hear and then take it to the real world and do it. Nowadays, you can’t be successful if you don’t have a working knowledge of many process, applications, platforms etc and build your IT Toolbox to be able to fix pretty much anything. Most of the time you can find information you need in books and classes, but those don’t give you the real-world solutions and information that you need right now pertaining to your problem. I have gathered a lot of tips, secrets and knowledge of a multitude of IT related areas, but I can always gain more and wanted a place to share the things I’ve learned along the way. ITDiversified gives that platform for knowledge sharing and hopefully it can become a sort of cross-training ground for many IT professionals who need a nice central repository of knowledge on demand.

1 Comment

  1. Hi I found your command didn’t work for me until I did the following. (I assume it could be formatting issue with your blog post)

    $90Days = (Get-Date).adddays(-90) – remove the space between get-date and adddays

    Get-ADUser -filter {(passwordlastset -le $90Days) -and (enabled -eq $True)} -remove the brackets around $90days

    hope it helps.

    Reply

Leave a reply

Your email address will not be published.