Finding expired computers and disabled users in AD
The objects in your AD database—the users, computers, groups, OUs, policies, and so on, are constantly changing in almost all organizations. Users leave, computers die, OUs and policies are added/removed/renamed, and so on. Change is constant!
A side effect of this change is having orphaned objects: users who are no longer part of your organization, or computers that no longer actually exist physically. You can also find you have objects that may be valid but have not been used for a long time.
Those accounts represent a potential security risk. An unused user account, for example, due to a user leaving and their account not being removed, can represent a threat vector. Suppose Ruth in the accounting department (who has access to the firm's accounting data) has left. If her account is active, then someone guessing her password could attempt to use her credentials to access such information. The risk is magnified if Ruth could access that information from the internet.
Any expired computers (that is, ones that have not logged in for a long time) may no longer have a machine password synced with AD. This means the computer is probably not getting WSUS updates or GPO-based policies.
This recipe finds computers that have not been used and users that have not logged in for a month. The recipe then generates a nice report and saves that report to a file in a corporate file share for you and others to look at.
Getting ready
Run this recipe on DC1. Ideally, your domain should have enough users and computers created and configured.
How to do it...
- Build the report header:
$RKReport = ''
$RKReport += "*** Reskit.Org AD Daily AD report`n"
$RKReport += "*** Generated [$(Get-Date)]`n"
$RKReport += "***********************************`n`n"
- Report on the computer accounts that have not logged in the past month:
$RKReport += "*** Machines not logged on in past month`n"
$AMonthAgo = (Get-Date).AddMonths(-1)
# Splat the common parameters; the AD filter parser resolves $AMonthAgo itself,
# so the single-quoted filter string is intentional
$ADCHT2 = @{
  Properties = 'lastLogonDate'
  Filter     = 'lastLogonDate -lt $AMonthAgo'
}
$RKReport += Get-ADComputer @ADCHT2 |
  Sort-Object -Property lastLogonDate |
  Format-Table -Property Name, LastLogonDate |
  Out-String
- Get the users who have not logged on in the past month:
$RKReport += "*** Users not logged on in past month`n"
$RKReport += Get-ADUser @ADCHT2 |
  Sort-Object -Property lastLogonDate |
  Format-Table -Property Name, LastLogonDate |
  Out-String
- Find any user accounts that are disabled:
# Request lastLogonDate as well, otherwise the LastLogonDate column is empty
$ADCHT3 = @{ Properties = 'Enabled', 'lastLogonDate' }
$RKReport += "*** Disabled Users`n"
$RKReport += Get-ADUser @ADCHT3 -Filter {Enabled -ne $true} |
  Sort-Object -Property lastLogonDate |
  Format-Table -Property Name, LastLogonDate |
  Out-String
- Display the report:
$RKReport
How it works...
In step 1, you build a header for your report. In step 2, you add a list of computer accounts that have not signed on recently, and in step 3, you list the users who have not logged in for a while. In step 4, you add to the report details of disabled accounts. These first four steps produce no output.
In step 5, you display the report, which looks like this:
There's more...
In step 5, you can see some things to consider in the report. One user has not logged on for a very long time (and her system hasn't either). You can also see users who are disabled. The first two (Guest and krbtgt) are normal and are to be expected. The final entry shows a user who is disabled and has not logged on for a very long time. Both user accounts should be reviewed to see if they are still needed by the business.