Automated Report of Domain Admins using PowerShell

This is a short and simple PowerShell script to output all direct and indirect members of the default Active Directory, Domain Admins group to a CSV. 

To setup the process, take the code below, adjust accordingly and save to a computer with access to the Active Directory PowerShell module.

In the format below, the script will output the Name, Date account was created, Date password was last set, whether the user can change the password, if the account is enabled and finally, the SID.

The above information is outputted to the folder $Path and the default file name is DomainAdmins_dd-MM-yyyy.csv

Items in bold should be correctly configured.

       

Import-Module ActiveDirectory

$Today = Get-Date -Format dd-MM-yyyy
$Path = "\\some\path"
$File = "DomainAdmins" + "_" + $Today + ".csv"

Get-ADGroupMember "Domain Admins" -Recursive | Get-ADUser -Properties PasswordLastSet,CannotChangePassword,Enabled,SID,Created | Select-Object Name,Created,PasswordLastSet,CannotChangePassword,Enabled,SID | export-csv -path "$Path\$File.csv" -NoTypeInformation

       
 

To automate this task, save it to a machine where the AD PowerShell module is available and build a scheduled task suited to your requirements.


General
- Name: Domain Admins Report
- When running the task, use the following user account: domain\service-account
- Run whether user is logged on or not


Triggers
Begin the task: On a schedule
Settings - Weekly
Start *SomeDate* 22:00:00
   - Recur every: 1 weeks on Friday
Stop task if it runs longer than 1 hour (or 30mins for a small environment)
Enabled

Actions
Action: Start a program

Settings
Program/script: powershell.exe
Add arguments (optional): -nologo -File "C:\Scripts\ReportDomainAdmins.ps1"


Right click your newly created task and select 'Run' to test.

Account Lockout Notifications using PowerShell

This is a short and simple PowerShell script to alert an administrative mailbox, group mailbox or even the account in question that its account has locked out.

To setup the process, take the code below, adjust accordingly and save to your PDC, the DC your lockouts will always hit.

In the format below the script will send an email to $MailTo, from $MailFrom with a subject of $MailSubject via mail server $SMTPServer on port $SMTPPort.
The content of the email is held within $MailBody.

Items in bold should be correctly configured.

       

Import-Module ActiveDirectory

$AccountLockOutEvent=Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1
$LockedAccount = $($AccountLockOutEvent.ReplacementStrings[0])
$AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated
$AccountLockOutEventMessage = $AccountLockOutEvent.Message

$ADUserDisplayName = (Get-ADUser $LockedAccount -Properties DisplayName).DisplayName

$MailFrom = "AccountLockout@company.co"
$MailTo = "SomeUser@company.co"
$SMTPServer = "mailserver.company.local"
$SMTPPort = "25"
$MailSubject = "User Account Locked Out: $LockedAccount / $ADUserDisplayName" 
$MailBody = "Account $LockedAccount was locked out on $AccountLockOutEventTime.`n`nEvent Details:`n`n$AccountLockOutEventMessage`n`nUser: $ADUserDisplayName"

$EmailMessage = New-Object System.Net.Mail.MailMessage($MailFrom , $MailTo)
$emailMessage.Subject = $Mailsubject
$emailMessage.Body = $Mailbody

$SmtpClient = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
$SmtpClient.Send($emailMessage)

       
 

The second and final step is to configure a scheduled task to run when a 4740 error (Account Locked Out) is logged to the security event log.

The parameters for my scheduled task are as follows:


General
- Name: Account Lockout Email
- Run whether user is logged on or not

Triggers
Begin the task: On an event
Settings - Basic
Log: Security 
Source: Microsoft Windows security audting.
Event ID: 4740
Enabled: True

Actions
Action: Start a program

Settings
Program/script: powershell.exe
Add arguments (optional): -nologo -File "C:\Scripts\EmailOnLockout.ps1"