Dashing widgets for Active Directory
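#requires -version 3.0
# Version 3.0 is the real minimum: the results are posted with
# Invoke-WebRequest, which does not exist in PowerShell 2.0.
#
# This script assumes all users have the same policy and does
# not take fine-grained password policies into account.
# The -Next parameter indicates how many days to check, in other words
# user accounts with passwords expiring in the next X days. The script
# defaults to the user's domain, but you can specify another search base
# by using a distinguished name like ou=employees,dc=jdhlab,dc=local
Param(
    [Parameter(Position=0)]
    [ValidateScript({$_ -ge 1})]
    [int]$Next=14,
    [string]$SearchBase=([ADSI]"LDAP://$env:userdnsdomain").distinguishedname
)

# Fail here, with a clear error, when the AD cmdlets are unavailable instead
# of carrying on with an empty policy object and meaningless dates.
Import-Module ActiveDirectory -ErrorAction Stop

# Get the current default domain password policy.
$policy=Get-ADDefaultDomainPasswordPolicy

# Maximum password age in days.
# NOTE(review): a MaxPasswordAge of zero would put the whole window below in
# the future, so nothing would be reported as expiring; confirm how the
# domain is configured.
$days=$Policy.MaxPasswordAge.TotalDays

# A password set at $Start reaches the maximum age now; one set at $End
# reaches it $Next days from now.
$Start=(Get-Date).AddDays(-$days)
$End=(Get-Date).AddDays(-($days-$next))

Write-Host "Finding users under $SearchBase with passwords set between $($Start.Date) and $($End.Date)" -ForegroundColor Green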
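# Posts one list of account entries to a single dashboard widget.
#
# Parameters:
#   $Widget - widget id appended to the dashboard's /widgets/ URL.
#   $Users  - entries in the string form that the script's Select-Object
#             output takes when bound to [string[]]:
#             @{'label'='<name>'; 'value'='<text>'}
# Output: whatever Invoke-WebRequest returns for the POST.
function Send-Widget($Widget,[string[]]$Users)
{
    # NOTE(security): placeholder only. Supply the real token at deploy time
    # from a protected source instead of committing it to this file.
    $authToken = 'YOUR_AUTH_TOKEN'

    $entryPattern = "^@\{'label'='(.*)'; 'value'='(.*)'\}`$"
    $items = @()
    foreach ($User in $Users)
    {
        if ($User -match $entryPattern)
        {
            # Account names come from the directory. JSON-encode them so a
            # quote, backslash, '=', ';' or '@' in a name can neither break
            # the payload nor change its structure.
            $label = ConvertTo-Json -InputObject ([string]$Matches[1])
            $value = ConvertTo-Json -InputObject ([string]$Matches[2])
            $items += '{"label":' + $label + ', "value":' + $value + '}'
        }
        else
        {
            # Entry is not in the expected shape: keep the original
            # character-substitution conversion for backward compatibility.
            $items += ((($User -replace "=", ":") -replace ";", ",") -replace "@", "") -replace "'", '"'
        }
    }

    $tail = '", "status": "normal", "items": [' + ($items -join ",") + '], "service": "Active Directory" }'
    $body = '{"auth_token": "' + $authToken + $tail

    # Echo the payload for troubleshooting, but keep the token out of the
    # console, transcripts and scheduled-task logs.
    Write-Host ('{"auth_token": "<redacted>' + $tail)

    # NOTE(security): over http:// the token and the account names travel in
    # clear text. Serve the dashboard over TLS and use https:// here.
    $url = "http://YOUR_DASHBOARD_SERVER/widgets/" + $Widget
    Invoke-WebRequest $url -ContentType "application/json" -Method Post -Body $body
}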
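# Posts the locked, expired and expiring entries, in that order, to the
# combined "active_directory_users" widget.
#
# Parameters:
#   $Expiring, $Expired, $Locked - entries in the string form that the
#       script's Select-Object output takes when bound to [string[]]:
#       @{'label'='<name>'; 'value'='<text>'}
# Status sent with the payload: "critical" when any account is locked,
# otherwise "warning" when any password has expired, otherwise "normal".
# Output: whatever Invoke-WebRequest returns for the POST.
function Send-Widget-Set([string[]]$Expiring,[string[]]$Expired,[string[]]$Locked)
{
    # Turns one entry into a JSON object. Visible only inside this function.
    function ConvertTo-ItemJson([string]$Entry)
    {
        if ($Entry -match "^@\{'label'='(.*)'; 'value'='(.*)'\}`$")
        {
            # Account names come from the directory. JSON-encode them so a
            # quote, backslash, '=', ';' or '@' in a name can neither break
            # the payload nor change its structure.
            $label = ConvertTo-Json -InputObject ([string]$Matches[1])
            $value = ConvertTo-Json -InputObject ([string]$Matches[2])
            return '{"label":' + $label + ', "value":' + $value + '}'
        }
        # Entry is not in the expected shape: keep the original
        # character-substitution conversion for backward compatibility.
        return ((($Entry -replace "=", ":") -replace ";", ",") -replace "@", "") -replace "'", '"'
    }

    # NOTE(security): placeholder only. Supply the real token at deploy time
    # from a protected source instead of committing it to this file.
    $authToken = 'YOUR_AUTH_TOKEN'
    $Widget = "active_directory_users"

    $items = @()
    foreach ($l in $Locked)   { $items += ConvertTo-ItemJson $l }
    foreach ($e in $Expired)  { $items += ConvertTo-ItemJson $e }
    foreach ($e in $Expiring) { $items += ConvertTo-ItemJson $e }

    # The later check wins, so locked accounts outrank expired passwords.
    $status = "normal"
    If($Expired.length -gt 0)
    {
        $status = "warning"
    }
    If($Locked.length -gt 0)
    {
        $status = "critical"
    }

    $tail = '", "status": "' + $status + '", "items": [' + ($items -join ",") + '], "service": "Active Directory" }'
    $body = '{"auth_token": "' + $authToken + $tail

    # Echo the payload for troubleshooting, but keep the token out of the
    # console, transcripts and scheduled-task logs.
    Write-Host ('{"auth_token": "<redacted>' + $tail)

    # NOTE(security): over http:// the token and the account names travel in
    # clear text. Serve the dashboard over TLS and use https:// here.
    $url = "http://YOUR_DASHBOARD_SERVER/widgets/" + $Widget
    Invoke-WebRequest $url -ContentType "application/json" -Method Post -Body $body
}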
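# Query the three account lists and push each one to the dashboard. Any
# terminating error, from the directory queries or from the POSTs, ends up
# in the Catch block below.
Try
{
    # Enabled accounts whose password can expire and was last set inside the
    # $Start..$End window, oldest password first. Only the attributes read
    # below are requested: pulling every attribute of every user is slow and
    # loads directory data the script never uses.
    #
    # The quoted property names and quoted values are deliberate: the
    # Send-Widget functions rely on the string form of these objects,
    # @{'label'='<name>'; 'value'='<text>'}.
    $expiring = Get-ADUser -searchBase $SearchBase -filter {
        Enabled -eq $True -AND PasswordNeverExpires -eq $False -AND PasswordLastSet -ge $Start.Date -AND PasswordLastSet -le $End.Date
    } -properties PasswordLastSet | sort-object -property PasswordLastSet |
        Select @{Name="'label'"; Expression = {"'" + $_.Name.substring(0,[Math]::Min(18,$_.Name.Length)) + "'"}},
            @{Name="'value'"; Expression = {
                # Time left before the password reaches the maximum age,
                # shown in days, then hours, then minutes as it runs out.
                $age = (Get-Date) - $_.PasswordLastSet
                $daysLeft = ($days) - $age.Days
                if ($daysLeft -gt 1)
                {
                    "'" + [string]$daysLeft + " days'"
                }
                else
                {
                    $hoursLeft = ($days * 24) - $age.TotalHours
                    if ($hoursLeft -gt 1)
                    {
                        "'" + [string][Math]::Floor($hoursLeft) + " hours'"
                    }
                    else
                    {
                        "'" + [string][Math]::Floor(($days * 24 * 60) - $age.TotalMinutes) + " min'"
                    }
                }
            }}
    Send-Widget -Widget "expiring_users" -Users $expiring

    # Enabled accounts whose password has already expired.
    $expired = Get-ADUser -searchBase $SearchBase -Filter { Enabled -eq $True } -properties PasswordExpired,PasswordLastSet |
        where {$_.PasswordExpired} | sort-object -property PasswordLastSet |
        Select @{Name="'label'"; Expression = {"'" + $_.Name.substring(0,[Math]::Min(18,$_.Name.Length)) + "'"}},
            @{Name="'value'";Expression={"'Expired'"}}
    Send-Widget -Widget 'expired_users' -Users $expired

    # Locked-out accounts.
    # NOTE(review): this query is not limited to $SearchBase, unlike the two
    # above; confirm whether a domain-wide lockout list is intended.
    $locked = Search-ADAccount -LockedOut |
        Select @{Name="'label'"; Expression = {"'" + $_.Name.substring(0,[Math]::Min(18,$_.Name.Length)) + "'"}},
            @{Name="'value'";Expression={"'Locked'"}}
    Send-Widget -Widget 'locked_users' -Users $locked

    # Combined widget: all three lists plus an overall status.
    Send-Widget-Set -Expiring $expiring -Expired $expired -Locked $locked
}
Catch
{
    # There was a problem, so display a warning and the exception message.
    # A failed POST to the dashboard is reported here as well, so read the
    # exception text rather than the first line alone.
    Write-Warning "Failed to query user accounts in $searchbase."
    Write-Warning $_.Exception.Message
}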
#end of script |