Archive for May, 2014

Find Active Directory User and Group Information using PowerShell

Quite often during my Active Directory projects I need to generate information about my customer’s users and groups in the environment for documentation purposes. Since PowerShell easily allows us to find and customize this information, I have written a simple script to help grab and output this information.

Copy the text below and save as a .ps1 file.

# PowerShell script to gather information for AD Users.

Import-Module ActiveDirectory

Write-Host ""
Write-Host "Running script to gather information about Active Directory user accounts" -ForegroundColor Green

# Directory where files will be saved
$outdir = "C:\AD Users"

# create the new directory if it's not already there
if(!(test-path $outdir)){ mkdir $outdir | Out-Null }

# Remove Canonical Name from Distinguished Name (returns the parent container/OU of an object)
function Get-ADParent ([string] $dn) {
    # split on commas that are not escaped with a backslash (escaped commas are part of a CN)
    $parts = $dn -split '(?<![\\]),'
    $parts[1..$($parts.Count-1)] -join ','
}
# calculated property that adds an "OU" column holding the object's parent container
$parent = @{Name='OU'; Expression={ Get-ADParent $_.DistinguishedName } }

# Find info about the admin users
# Note: MemberOf lists direct membership only, so users who reach these groups through a nested
# group are not counted, and the wildcard also matches any other group whose name contains the
# text (for example "*Administrators*" also matches "Hyper-V Administrators").
$allusers = Get-ADUser -filter * -Properties *
$dadmins = $allusers | where {$_.MemberOf -like "*Domain Admins*"}
$eadmins = $allusers | where {$_.MemberOf -like "*Enterprise Admins*"}
$sadmins = $allusers | where {$_.MemberOf -like "*Schema Admins*"}
$admins = $allusers | where {$_.MemberOf -like "*Administrators*"}
$dadmins | select -Property Name,SamAccountName,PasswordNeverExpires | sort Name | Export-Csv $outdir\Groups-DomainAdmins.csv -NoTypeInformation
$eadmins | select -Property Name,SamAccountName,PasswordNeverExpires | sort Name | Export-Csv $outdir\Groups-EnterpriseAdmins.csv -NoTypeInformation
$sadmins | select -Property Name,SamAccountName,PasswordNeverExpires | sort Name | Export-Csv $outdir\Groups-SchemaAdmins.csv -NoTypeInformation
$admins | select -Property Name,SamAccountName,PasswordNeverExpires | sort Name | Export-Csv $outdir\Groups-Administrators.csv -NoTypeInformation

# Find info about groups
$groups = Get-ADGroup -Filter * -Properties *
$groups | select -Property Name,GroupCategory,GroupScope,$parent | sort OU,GroupCategory,Name | Export-Csv $outdir\Groups.csv -NoTypeInformation

# Set date 90 days ago as a value to compare against (find stale accounts)
$date = [DateTime]::Today.AddDays(-90)

# Find info about user accounts (both active and inactive)
$allusers | select -Property Name,SamAccountName,Enabled,LastLogonDate,$parent | sort OU,Enabled,Name | Export-Csv $outdir\AllUsers.csv -NoTypeInformation
$activeusers = $allusers | where {$_.LastLogonDate -gt $date -and $_.Enabled -eq $true}
$activeusers | select -Property Name,SamAccountName,Enabled,LastLogonDate,$parent | sort OU,Name | Export-Csv $outdir\ActiveUsers.csv -NoTypeInformation
$disabledusers = Search-ADAccount -AccountDisabled -UsersOnly
$disabledusers | select -Property Name,SamAccountName,LastLogonDate,$parent | sort OU,Name | Export-Csv $outdir\DisabledUsers.csv -NoTypeInformation
# LastLogon is not replicated between DCs (each DC holds its own value); LastLogonTimeStamp is
# replicated and gives a domain-wide answer (accurate to within about 14 days). Accounts that have
# never logged on have no value and are therefore not returned by this filter.
# -Properties LastLogonDate is needed so the LastLogonDate column below is populated.
$inactiveusers = Get-ADUser -Filter 'LastLogonTimeStamp -le $date' -Properties LastLogonDate
$inactiveusers | select -Property Name,SamAccountName,Enabled,LastLogonDate,$parent | sort Enabled,OU,Name | Export-Csv $outdir\InactiveUsers.csv -NoTypeInformation
$nopwexpiration = $allusers | where {$_.PasswordNeverExpires -eq $true}
$nopwexpiration | select -Property Name,SamAccountName,PasswordNeverExpires,Enabled,$parent | sort OU,Name | Export-Csv $outdir\NoPWExpirationUsers.csv -NoTypeInformation

# Generate text file of the numbers of users
"All Users: $(($allusers).count)" | Out-File $outdir\UserCount.txt
"Active Users: $(($activeusers).count)" | Out-File $outdir\UserCount.txt -Append
"Inactive Users: $(($inactiveusers).count)" | Out-File $outdir\UserCount.txt -Append
"Disabled Users: $(($disabledusers).count)" | Out-File $outdir\UserCount.txt -Append
"Domain Admins: $(($dadmins).count)" | Out-File $outdir\UserCount.txt -Append
"Enterprise Admins: $(($eadmins).count)" | Out-File $outdir\UserCount.txt -Append
"Schema Admins: $(($sadmins).count)" | Out-File $outdir\UserCount.txt -Append
"Administrators: $(($admins).count)" | Out-File $outdir\UserCount.txt -Append
"All Groups: $(($groups).count)" | Out-File $outdir\UserCount.txt -Append

Write-Host ""
Write-Host "Completed! Output from the script is located in $outdir" -ForegroundColor Green
Write-Host ""
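The admin checks above look only at direct group membership and match the group name with a wildcard, so an account that is a Domain Admin through a nested group is not counted. The following is an added example, not code from the original post: it resolves the effective (nested) membership of the same four groups on the domain controller and flags stale or never-expiring privileged accounts. It assumes the RSAT ActiveDirectory module, a domain-joined host, and the default English names of the built-in groups; the output path and the 90-day threshold are assumptions.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory module,
# a domain-joined host, and the default (English) names of the built-in privileged groups.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$staleAfter = [DateTime]::Today.AddDays(-90)

# Escape the characters that are special in an LDAP filter value (RFC 4515); backslash first.
function ConvertTo-LdapFilterValue ([string] $value) {
    $value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-EffectivePrivilegedMembers ([string[]] $GroupNames = $privilegedGroups) {
    foreach ($name in $GroupNames) {
        try { $group = Get-ADGroup -Identity $name -ErrorAction Stop }
        catch { Write-Warning "Group '$name' not found, skipping"; continue }
        $dn = ConvertTo-LdapFilterValue $group.DistinguishedName
        # The 1.2.840.113556.1.4.1941 matching rule (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC
        # walk nested groups, so members reached through sub-groups are returned as well.
        # (Membership held via primaryGroupID is not reflected in memberOf and is not included.)
        Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" -Properties LastLogonTimeStamp, PasswordNeverExpires |
            ForEach-Object {
                # LastLogonTimeStamp is replicated (unlike LastLogon) but may lag by up to ~14 days
                $lastLogon = if ($_.LastLogonTimeStamp) { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } else { $null }
                [PSCustomObject]@{
                    Group                = $group.Name
                    Name                 = $_.Name
                    SamAccountName       = $_.SamAccountName
                    Enabled              = $_.Enabled
                    LastLogon            = $lastLogon
                    PasswordNeverExpires = $_.PasswordNeverExpires
                    # Enabled privileged account with no logon in 90 days (or ever): review it, do not auto-remove
                    Stale                = [bool]($_.Enabled -and ($null -eq $lastLogon -or $lastLogon -lt $staleAfter))
                }
            }
    }
}

$report = Get-EffectivePrivilegedMembers
$report | Sort-Object Group, Name | Export-Csv (Join-Path $env:TEMP 'PrivilegedMembers.csv') -NoTypeInformation
# Quick view of what needs attention: stale accounts and accounts whose password never expires
$report | Where-Object { $_.Stale -or $_.PasswordNeverExpires } |
    Format-Table Group, SamAccountName, Enabled, Stale, PasswordNeverExpires, LastLogon -AutoSize
```

Because the nested expansion happens in the LDAP query, the result is the list a domain controller would actually honour when it evaluates those group SIDs, which is what an access review should be based on.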

Enjoy!