Active Directory Archives - Michael Rogers

Auditing: Notify Manager Of Contractor Account Expiry

May 1, 2019 Michael Rogers Auditing, Powershell

Notify manager of contractor Active Directory user account expiry via email and notify the service desk of any incomplete user accounts.

I personally think that notifying employees/managers of accounts that are due to expire creates a better customer experience than that employee/contractor coming in one day and not being able to log in.

With this in mind I have created the below script that works in two parts by looking for the string Contractor in the EmployeeType attribute.

Part 1 is gathering all the direct reports for a manager and if the conditions are met they will receive one email with any employees whose accounts are due to expire in the next 30 days.

Part 2 Gathers all users who have the EmployeeType set but are missing details such as account expiry or manager.

The script below provides basic output to the console and if you uncomment the send mail section it will then send the email. I have only included very basic email output but you can wrap your own HTML email template around these to make them look much more professional.

Auditing: Format Active Directory Email Addresses

August 19, 2018 Michael Rogers Auditing, Powershell

Perhaps this is just my own OCD but I think email addresses should all be formatted in the same way in active directory but inevitably some will put john@company.com and others will put John@company.com and all variations in between.

The below can be run to fix the formatting as you like it and will change all email addresses to your desired format.

$users = Get-ADUser -filter * -Properties name,samaccountname,mail  | Select-Object name,samaccountname,mail
foreach ($user in $users) {

    $Name = $user.name
    $UserID = $user.samaccountname
    $Email = $user.mail
    $NewEmail = (Get-Culture).TextInfo.ToTitleCase("$email")
try {
set-aduser $UserID -EmailAddress $NewEmail 
}
catch {write-host "The email field for $Name is blank" -ForegroundColor Red}
}
$users.Count

GUI: LAPS Password Recovery Tool

June 19, 2018 Michael Rogers GUI, Powershell

The below LAPS Password Recovery Tool For Deleted Objects and those still in AD is created to allow you also recover the Microsoft LAPS administrator password of objects that have been deleted but that are still within the tombstone period of your Active Directory Forest.

This is the only advantage over Microsofts own GUI but is useful if you were to delete lots of machines from Active Directory and subsequently need to get in to it without restoring the object.

It will need to be run as an account that has permissions to ready the ms-Mcs-AdmPwd property and requires the Active Directory PowerShell module to be available (RSAT)

Function: Internet Radio Control – Frontier Silicon

June 1, 2018 Michael Rogers Auditing, Powershell

The below uses the PowerShell invoke web request cmdlet to control a Roberts Internet Radio using the Frontier Silicon API. I have tied this in with my home automation to turn the radio on and off as feedback what is playing.

Auditing: Report and Disable Inactive AD User Accounts

March 13, 2018 Michael Rogers Auditing, Powershell

The below can be run as a scheduled task to detect and disable accounts that have not been used for a specified amount of days or for accounts which have never been used.

Report outputs to a CSV and is displayed as follows:

Auditing: Reset Passwords That Expire Today

March 9, 2018 Michael Rogers Auditing, Powershell

The below can be run as a scheduled task to detect Active Directory User accounts that have passwords that expire today. Any objects where the password is due to expire today will automatically have the “Change password at next logon” ticked meaning that they wont suddenly lose connection to things such as mapped drives at the original expiry time.

Credit to Andrew Lyonette for turning my “Why dont you solve it like this” in to the script below.
https://www.linkedin.com/in/andylyonette/

Auditing: Report and Disable Inactive AD Computer Accounts

March 9, 2018 Michael Rogers Auditing, Powershell

The below can be run as a scheduled task to detect and disable accounts that have not been used for a specified amount of days or for accounts which have never been used.

Report outputs to a CSV and is displayed as follows: