Quick-and-dirty PowerShell audit script that queries Active Directory for user-account management settings that are (loosely) non-compliant with FISMA
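# Super duper dumb PS script to query ActiveDirectory for misconfigured User accounts.
# Created by Trevor Bryant (@apporima)
# Get-StaleADUserAccounts.ps1 version 1.0.0
#
# Purpose: enumerate AD user accounts whose management settings are weak
# (account never expires, no manager, password not required, password never
# expires, inactive for more than 90 days) and write every finding to one
# timestamped CSV per run.
#
# Parameters:
#   -OutputDirectory  Folder that receives the CSV report. Defaults to the
#                     location the original script hard-coded. The report is
#                     an inventory of weakly configured accounts, so the
#                     directory should be readable by the audit team only;
#                     a shared C:\temp path is not a good long-term home.
param(
    [string]$OutputDirectory = 'C:\temp\AD_Audit'
)

# Fail early and explicitly if the AD cmdlets are missing instead of relying
# on module autoloading (PowerShell 3+ only) and failing at the first
# Get-ADUser call with a "not recognized" error.
Import-Module ActiveDirectory -ErrorAction Stop

# Set variables
# Time-first stamp (HHmmss_MMddyyyy) kept unchanged so existing consumers of
# the report file names keep working.
$timestamp = (Get-Date -f HHmmss_MMddyyyy)
$ADDomainInfo = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$ADDomainInfoMode = $ADDomainInfo.DomainMode   # currently unused; kept for parity with the original
$ADDomainInfoName = $ADDomainInfo.Name
# Join-Path rather than string concatenation so a trailing backslash in
# -OutputDirectory does not yield a doubled separator.
$Export = Join-Path -Path $OutputDirectory -ChildPath ("Stale_AD_User_Account_Audit_{0}_{1}.csv" -f $ADDomainInfoName, $timestamp)
# Attributes retrieved for every account. Enabled is fetched here but the
# original audit records do not export it (see the export section).
$Properties = @(
    "SamAccountName", "DisplayName", "Description", "Manager", "ObjectClass",
    "Enabled", "LastLogonDate", "AccountExpirationDate", "PasswordNeverExpires",
    "PasswordExpired", "PasswordNotRequired", "PasswordLastSet", "SmartcardLogonRequired"
)
$AuditExport = @()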
# Set functions
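function Get-AccountNeverExpires {
    <#
    .SYNOPSIS
    Returns user accounts whose accountExpires attribute means "never".
    .DESCRIPTION
    Active Directory encodes "never expires" as either 0 or
    9223372036854775807 (0x7FFFFFFFFFFFFFFF). The original filter matched only
    the latter, so accounts created with accountExpires = 0 were missed even
    though both show up as a null AccountExpirationDate.
    Well-known service / break-glass accounts are excluded by exact
    (case-insensitive) SamAccountName match, as in the original.
    .OUTPUTS
    Objects limited to the attributes listed in $Properties.
    #>
    # Exclusion list kept on the LEFT of -notcontains, which is the operator's
    # intended shape; the original put a scalar on the left, which only works
    # because PowerShell promotes it to a one-element collection.
    $excluded = @('domainacct1$', '$domainacct2', 'domainacct3$')
    Get-ADUser -Filter { accountExpires -eq 0 -or accountExpires -eq "9223372036854775807" } -Properties $Properties |
        Where-Object { $excluded -notcontains $_.SamAccountName } |
        Select-Object $Properties
}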
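function Get-ManagerNotSet {
    <#
    .SYNOPSIS
    Returns user accounts that have no Manager attribute.
    .DESCRIPTION
    All users are retrieved (server-side filter "*") and the Manager check is
    done client-side. Accounts whose distinguished name contains
    "CA Resources" are excluded, as in the original (site-specific rule).
    .OUTPUTS
    Objects limited to the attributes listed in $Properties.
    #>
    # $null goes on the left: "$_.Manager -eq $null" would filter the elements
    # of a collection instead of testing for null if Manager were ever multi-valued.
    Get-ADUser -Filter * -Properties $Properties |
        Where-Object { ($null -eq $_.Manager) -and ($_.DistinguishedName -notlike "*CA Resources*") } |
        Select-Object $Properties
}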
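function Get-PasswordNotRequired {
    <#
    .SYNOPSIS
    Returns user accounts flagged PasswordNotRequired (userAccountControl
    PASSWD_NOTREQD).
    .DESCRIPTION
    The flag allows an account to carry a blank password regardless of the
    domain password policy, so every hit is a finding unless the account is
    one of the well-known exclusions (exact, case-insensitive SamAccountName
    match, as in the original).
    .OUTPUTS
    Objects limited to the attributes listed in $Properties.
    #>
    # Collection on the left of -notcontains (the operator's intended shape).
    $excluded = @('domainacct1$', '$domainacct2', 'domainacct3$')
    Get-ADUser -Filter { PasswordNotRequired -eq $True } -Properties $Properties |
        Where-Object { $excluded -notcontains $_.SamAccountName } |
        Select-Object $Properties
}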
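function Get-PasswordNeverExpires {
    <#
    .SYNOPSIS
    Returns user accounts whose password is set to never expire.
    .DESCRIPTION
    Server-side filter on PasswordNeverExpires; the well-known exclusions are
    applied client-side by exact (case-insensitive) SamAccountName match, as
    in the original.
    .OUTPUTS
    Objects limited to the attributes listed in $Properties.
    #>
    # Collection on the left of -notcontains (the operator's intended shape).
    $excluded = @('domainacct1$', '$domainacct2', 'domainacct3$')
    Get-ADUser -Filter { PasswordNeverExpires -eq $True } -Properties $Properties |
        Where-Object { $excluded -notcontains $_.SamAccountName } |
        Select-Object $Properties
}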
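function Get-LogonAge90 {
    <#
    .SYNOPSIS
    Returns user accounts that have been inactive for more than -Days days.
    .DESCRIPTION
    Search-ADAccount -AccountInactive supplies the candidate list; each hit is
    then re-read with Get-ADUser so the full $Properties set is available.
    Accounts whose distinguished name contains "Mailbox", the well-known
    exclusions and krbtgt are dropped (exact, case-insensitive
    SamAccountName match, as in the original).
    NOTE(review): -AccountInactive also returns accounts that have never
    logged on, and nothing here filters on Enabled — confirm both are wanted.
    .PARAMETER Days
    Inactivity threshold in days. Defaults to 90, which preserves the original
    hard-coded behaviour and the function name.
    .OUTPUTS
    Objects limited to the attributes listed in $Properties.
    #>
    param(
        [int]$Days = 90
    )
    # Collection on the left of -notcontains (the operator's intended shape).
    $excluded = @('domainacct1$', '$domainacct2', 'domainacct3$', 'krbtgt')
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly |
        Where-Object { ($_.DistinguishedName -notlike "*Mailbox*") -and ($excluded -notcontains $_.SamAccountName) } |
        ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties $Properties } |
        Select-Object $Properties
}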
<#
function Get-DescriptionFieldNotCompliant() {
    $Description = @(<custom requirements>)
    Get-Aduser -Filter {Description -NotLike $Description} -Properties $Properties | Select-Object $Properties
}
#>
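#######################
### Maximum Effort! ###
#######################

# Turns one AD user object into a flat audit record tagged with its finding
# category. Replaces the copy-pasted Add-Member blocks of the original.
#
# Select-Object is used instead of a hashtable so the CSV column order is
# deterministic and identical to the original (Category first).
#
# The null guard matters: "$null | ForEach-Object { ... }" runs the script
# block once with $_ = $null, so in the original a category with zero
# findings produced one blank row with only Category populated.
#
# Arguments: -Category  label written to the Category column
#            -User      AD user object (pipeline); null is skipped
# Outputs:   one PSObject per non-null input
function ConvertTo-AuditRecord {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Category,

        [Parameter(ValueFromPipeline = $true)]
        $User
    )
    process {
        if ($null -eq $User) { return }
        # NOTE(review): Enabled is in $Properties but was never exported by the
        # original; column set kept identical here.
        $User | Select-Object `
            @{ Name = 'Category'; Expression = { $Category } },
            SamAccountName, DisplayName, Description, Manager, ObjectClass,
            LastLogonDate, AccountExpirationDate, PasswordNeverExpires,
            PasswordExpired, PasswordNotRequired, PasswordLastSet,
            SmartcardLogonRequired
    }
}

# Save function results in variables because we don't care about memory usage.
$AccountNeverExpires = Get-AccountNeverExpires
$ManagerNotSet = Get-ManagerNotSet
$PasswordNotRequired = Get-PasswordNotRequired
$PasswordNeverExpires = Get-PasswordNeverExpires
$LogonAge90 = Get-LogonAge90
#$DescriptionFieldNotCompliant = Get-DescriptionFieldNotCompliant

# Build one record per finding. Results are appended once per category
# instead of once per row, so the array is re-allocated five times rather
# than once per account.
$AuditExport = @()
Write-Host "Collecting information: Account Never Expires."
$AuditExport += @($AccountNeverExpires | ConvertTo-AuditRecord -Category "AccountNeverExpires")
Write-Host "Collecting information: Manager Not Set."
$AuditExport += @($ManagerNotSet | ConvertTo-AuditRecord -Category "ManagerNotSet")
Write-Host "Collecting information: Password Not Required."
$AuditExport += @($PasswordNotRequired | ConvertTo-AuditRecord -Category "PasswordNotRequired")
Write-Host "Collecting information: Password Never Expires."
$AuditExport += @($PasswordNeverExpires | ConvertTo-AuditRecord -Category "PasswordNeverExpires")
Write-Host "Collecting information: Logon Age > 90."
$AuditExport += @($LogonAge90 | ConvertTo-AuditRecord -Category "LogonAge90")
# Write-Host "Collecting information: Description Field Not Compliant."
# $AuditExport += @($DescriptionFieldNotCompliant | ConvertTo-AuditRecord -Category "DescriptionFieldNotCompliant")

# Export. Export-Csv does not create a missing directory, and Windows
# PowerShell defaults to ASCII, which mangles non-ASCII display names and
# descriptions; both are handled explicitly.
if ($AuditExport.Count -eq 0) {
    Write-Host "No findings; nothing exported."
} else {
    $exportDir = Split-Path -Path $Export -Parent
    if (-not (Test-Path -LiteralPath $exportDir)) {
        New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
    }
    $AuditExport | Export-Csv -NoTypeInformation -Path $Export -Encoding UTF8
    Write-Host "Saved: $Export"
}
Clear-Variable -Name AuditExport,Audit,TimeStamp,Properties,AccountNeverExpires,ManagerNotSet,PasswordNotRequired,PasswordNeverExpires,LogonAge90,DescriptionFieldNotCompliant,Export -ErrorAction SilentlyContinue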