PowerShell Script to Monitor AD Group Member Password

Hi

Can anyone help me with a PowerShell script to monitor the password expiry date for the members of an AD group?

I tried the script below, which gives me the output, but it also gives me a "Get Output Failed" error.

Import-Module ActiveDirectory;

$MaxPwdAge   = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days;

$expiredDate = (Get-Date).addDays(-$MaxPwdAge);

$Groups=Get-ADGroupMember "<Name of Group>"  -Recursive | Get-ADUser  -Properties   Name, msDS-UserPasswordExpiryTimeComputed,PasswordLastSet  | select Name, samaccountname, PasswordLastSet, @{name = "DaysUntilExpired"; Expression = {$_.PasswordLastSet - $ExpiredDate | select -ExpandProperty Days}} | Sort-Object PasswordLastSet;

Write-Output $($Groups);

exit 0;

  • I just tested against the Administrator Group, on one of my DCs and it worked perfectly.

  • Okay, your script runs fine, but not as a SAM monitor.

    SAM monitors need to return their data in either a Statistic (required) or a Message: (optional).

    And then it can only return ten sets in a PowerShell monitor (one Statistic + one Message x 10 times), 11 will break it.

    So you need to rework your code to better return the results.

    Easiest would be to return only those whose passwords are due to expire in X days; the next option is to associate the usernames as unique identifiers.

    So that it ends with ten sets of results, I would put the DaytoExpired as the statistic, so the output looks something like:

    "Statistic.<username>: <DaysToExpired>"

    "Message.<username>: Has X days until passwd expiration"

    Start here - Creating a Windows PowerShell monitor - SolarWinds Worldwide, LLC. Help and Support

    If you need a hand, shout!
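One way to produce the per-user output described in the reply above, as an added example that is not code from the thread or from SolarWinds. The 14-day default, the identifier sanitising and the lockout flag in the message are assumptions; expiry is read from msDS-UserPasswordExpiryTimeComputed so that fine-grained password policies are honoured, and constructed sample records are used when no ActiveDirectory module is present.

```powershell
# Added example, not from the thread. Script Arguments: <group name>, <days threshold>
$group      = $args[0]
$withinDays = if ($args[1]) { [int]$args[1] } else { 14 }   # 14 is an assumed default

function Get-SamOutput {
    param($Users, [int]$WithinDays, [int]$MaxSets = 10, [datetime]$Now = (Get-Date))
    $Users |
        Where-Object { $_.ExpiresOn } |          # skip never-expiring or unset passwords
        Select-Object SamAccountName, LockedOut, @{
            Name       = 'Days'                  # negative once the password has expired
            Expression = { [int][math]::Floor(($_.ExpiresOn - $Now).TotalDays) } } |
        Where-Object { $_.Days -le $WithinDays } |
        Sort-Object Days |                       # most urgent first
        Select-Object -First $MaxSets |          # ten Statistic/Message pairs at most
        ForEach-Object {
            # Assumption: keep identifiers to letters, digits and underscores
            $id = $_.SamAccountName -replace '[^A-Za-z0-9]', '_'
            "Statistic.${id}: $($_.Days)"
            "Message.${id}: $($_.SamAccountName) has $($_.Days) days until password expiration; locked out: $($_.LockedOut)"
        }
}

if (Get-Module -ListAvailable ActiveDirectory) {
    Import-Module ActiveDirectory
    $users = Get-ADGroupMember $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |         # -Recursive can return computers
        Get-ADUser -Properties LockedOut, 'msDS-UserPasswordExpiryTimeComputed' |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'  # FILETIME; 0 or MaxValue = no date
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                LockedOut      = $_.LockedOut
                ExpiresOn      = if ($raw -gt 0 -and $raw -lt [long]::MaxValue) { [datetime]::FromFileTime($raw) }
            }
        }
} else {
    # Constructed sample records so the formatting can be tried without a domain
    $users = @(
        [pscustomobject]@{ SamAccountName = 'ABC456';    LockedOut = $true;  ExpiresOn = (Get-Date).AddDays(6.5) }
        [pscustomobject]@{ SamAccountName = 'XYZ123';    LockedOut = $false; ExpiresOn = (Get-Date).AddDays(44.5) }
        [pscustomobject]@{ SamAccountName = 'svc.never'; LockedOut = $false; ExpiresOn = $null }
    )
}

Get-SamOutput -Users $users -WithinDays $withinDays | ForEach-Object { Write-Host $_ }
exit 0
```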

  • @yaquaholic : Thank you for the reply.

    Can you please help me with the code? The objective of this is to create a dashboard to monitor the account status of the managers.

    Also, can you help me with adding an account lockout field to this code?

  • Sure can, but it'll be tomorrow before I get a chance (UK based and it's home time).

  • This script will output all of the specified group's users whose passwords are expiring within 10% and 25% of your domain's MaxPasswordAge.

    You should put the AD group name in the Script Arguments field, optionally followed by the number of critical/warning days to check.

    ### Load the AD cmdlets before any of them is called

    Import-Module ActiveDirectory

    ### Get Password Policy Max Age

    $passwordMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    ### First argument in component should be the AD team to check

    ### Optional: Second argument should be critical days to expiry - defaults to 10% of AD Domain Policy MaxPasswordAge

    ### Optional: Third argument should be warning days to expiry - defaults to 25% of AD Domain Policy MaxPasswordAge

    ### Example Arguments: Users, 30, 60

    $adGroupToCheck = $args[0]

    if ($args[1]) { $expiryCritical = $args[1] } else { $expiryCritical = $passwordMaxAge * .10 }

    if ($args[2]) { $expiryWarning = $args[2] } else { $expiryWarning = $passwordMaxAge * .25 }

    ### Get AD group members

    $adGroupMembers = Get-ADGroupMember $adGroupToCheck -Recursive

    ### Initialize count/list variables

    $countExpiryCritical = 0

    $listExpiryCritical = @()

    $countExpiryWarning = 0

    $listExpiryWarning = @()

    ### Iterate through all members of the given AD group and add them to applicable warning or critical count/list

    foreach ($member in $adGroupMembers) {

        $adUserDetails = Get-ADUser -Identity $member.samaccountname -Properties Name, PasswordLastSet

        $daysUntilExpiry = $passwordMaxAge - $((Get-Date) - $adUserDetails.PasswordLastSet).Days

        if ($daysUntilExpiry -lt $expiryCritical) {

            $countExpiryCritical++

            $listExpiryCritical += "$($adUserDetails.UserPrincipalName) expires in $daysUntilExpiry days!"

            }

        elseif ($daysUntilExpiry -lt $expiryWarning) {

            $countExpiryWarning++

            $listExpiryWarning += "$($adUserDetails.UserPrincipalName) expires in $daysUntilExpiry days!"

            }

        }

    ### Set Component Statistic threshold for Critical to Critical greater than 0

    Write-Host "Message.Critical: $($listExpiryCritical -join ' ')"

    Write-Host "Statistic.Critical: $countExpiryCritical"

    ### Set Component Statistic threshold for Warning to Warning greater than 0

    Write-Host "Message.Warning: $($listExpiryWarning -join ' ')"

    Write-Host "Statistic.Warning: $countExpiryWarning"

    Then, after testing and getting output, configure your thresholds as follows in the component:

    pastedImage_10.png

    Hope this helps!

    Jack Vaughan, Jr.

    Systems Monitoring Engineer

    ___________________________

    CONNECTRIA HOSTING

    jvaughan@connectria.com


  • jvaughan@connectria.com: Thank you for the code.

    Having an alerting property with threshold is very helpful. But I am also looking to have an output like below to show it on the Dashboard.

    Name    SAMAccountName    Password Last Set       Days Until Expiry    Account Lockout

    XYZ     XYZ123            8/25/2018 4:19:35 PM    44                   NO

    ABC     ABC456            7/2/2018 4:19:35 PM     6                    Yes

  • You beat me to it! Damn this multi-timezone-thing

    Nicely done sir

  • If I recall, the easiest way is to use the old legacy Report Writer, here is a good start to using it - Understanding Orion Report Writer

    Create the chart as a report, then from your chosen view (or a duplicate one), click Customize (top right if you have the correct rights) and add a resource called "Report from Orion Report Writer".

    Save the view and review it, find the "Report from Orion Report Writer" widget and click edit, then select the report you created.

    It sounds like a lot, but if you have read up, the Success Center - SolarWinds Worldwide, LLC. Help and Support and of course Thwack are good places to start, you should find your way.

    Hope it helps.