Wednesday, October 29, 2014

PowerShell Scripts for Admins and Auditors

Here a a few PowerShell script that I use to look al logs and user accounts.


To finding the latest logon time

•Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName username).LastLogon } | Measure-Latest

The following example demonstrates how to find inactive user accounts:

•Search-ADAccount -AccountInactive | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass –A

•The following example demonstrates how to find user accounts that have been inactive for 90 days:

•Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass –A

Retrieving Local Security Log Information

On a local computer, the PowerShell Get-EventLog cmdlet


•get-eventlog -list |<br>where \{$_.logdisplayname -eq `<br>"security"\}

Find all users who have “Password Never Expires

Search-ADAccount -PasswordNeverExpires | FT Name,ObjectClass –A

To Determine Who Has Never Logged On

get-aduser -f {-not ( lastlogontimestamp -like "*") -and (enabled -eq $true)}

Find the Location of a Locked-Out User (jferron)


$DomainControllers = Get-ADDomainController -Filter *

Foreach($DC in $DomainControllers)


Get-ADUser -Identity jferron -Server $DC.Hostname `

-Properties AccountLockoutTime,LastBadPasswordAttempt,BadPwdCount,LockedOut