Most of the organizations will conduct an audit of their active directory infrastructure once in three or six months as part of a regular clean up and maintenance process. Some of the common activities involved in AD audit process are given below.
- Find all disabled objects like users, computers and service accounts
- Find all accounts which are inactive for the last 90 days
- Find all accounts with a password that will never expire
- Find all users, computers and service accounts that are expired
- Find all users, computers and service accounts that will expire in next 7 days
- Find all accounts that have been locked out
Now let's see how you can use PowerShell to obtain the above information.
Find all disabled objects like users, computers and service accounts:
Search-ADAccount -AccountDisabled | Format-Table Name, ObjectClass -AutoSize
Find all accounts which are inactive for the last 90 days:
Find all disabled objects like users, computers and service accounts:
Search-ADAccount -AccountDisabled | Format-Table Name, ObjectClass -AutoSize
Find all accounts which are inactive for the last 90 days:
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | Format-Table Name, ObjectClass -AutoSize
Find all accounts with a password that will never expire:
Search-ADAccount -PasswordNeverExpires | FT Name, ObjectClass -A
Find all users, computers and service accounts that are expired:
Find all users, computers and service accounts that are expired:
Search-ADAccount -AccountExpired | FT Name, ObjectClass -A
Find all users, computers and service accounts that will expire in next 7 days:
Search-ADAccount -AccountExpiring -TimeSpan 7.00:00:00 | FT Name, ObjectClass -A
Find all accounts that have been locked out:
Search-ADAccount -LockedOut | FT Name, ObjectClass -A
As per company IT policies, rules and regulations they can decide what actions need to be taken against the audited items.
Reference: docs.microsoft.com
No comments:
Post a Comment