Tuesday, January 20, 2015

Getting Your User Accounts Activity Under Control


Hi folks,

This is my first blog entry in 2015. I just wanted to share my recent adventure.

All of you who manage a messaging environment have test accounts that get created, then abandoned, and sit in your AD forever. Or you may want to avoid a situation where all of them are in use and create extra load on your messaging system, especially if there are too many of them.

This is where our good old friend PowerShell comes into play. In this scenario I used the Get-ADUser cmdlet, which is available in the Active Directory module that comes with Windows 2008 R2 and later.

The best way to identify user activity is to extract information about logons and password changes. I prefer to use both, because in some cases the account password (even for test accounts, can you imagine this!) is set to never expire. So in addition to the password-set and password-change attributes I used the LastLogon attribute.

It is also worth mentioning the scenario where you are in a forest with multiple domains (which is not best practice according to Microsoft). You may connect to multiple servers, or, as in my case, simply use the global catalog to extract the information you need. To use the global catalog, type the server host name followed by :3268, the port on which the GC listens for LDAP requests.

Please note the attribute msDS-UserPasswordExpiryTimeComputed, which is used to calculate the password expiration date.

And last but not least, don't forget to import the AD module for PowerShell so the script can run successfully.

My final code looks like this:


Import-Module ActiveDirectory
# Look up each account listed in Users.txt against the global catalog (port 3268).
# ExpiryDate is left blank when the attribute is missing or holds Int64.MaxValue (password never expires), since FromFileTime rejects that value.
Import-Csv D:\scripts\Users.txt | foreach {Get-ADUser -Identity $_.samAccountName -Properties * -Server GC01:3268} |
Select-Object "Displayname",SamAccountName,whenCreated,LastLogonDate,PasswordLastSet,PasswordExpired,PasswordNeverExpires,@{Name="ExpiryDate";Expression={$t = $_."msDS-UserPasswordExpiryTimeComputed"; if ($t -and $t -lt [int64]::MaxValue) {[datetime]::FromFileTime($t)}}} |
Export-Csv D:\scripts\UserActivity.csv -NoTypeInformation

And it produced a nice spreadsheet as below:



Please note the user accounts with a blank value for LastLogon, which indicates that the user has never logged in to the AD domain. In addition, some of the dates may be a long way in the past. Both may indicate that the account is not in use and is therefore a good candidate for deletion. But please make sure you contact the account or service owners before doing so.
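As an added example (not the post's own script), here is the same global catalog query extended to compute days since the last logon and password change, handle the sentinel value that never-expire accounts carry in msDS-UserPasswordExpiryTimeComputed, and tag each account for follow-up. The GC host, input file, output path and the 90-day threshold are assumptions.

```powershell
# Added example, not the post's own script: extend the same GC query to compute
# inactivity and flag accounts for review. Assumes the post's Users.txt, GC01 and
# output path; the 90-day threshold is an arbitrary choice for this example.
Import-Module ActiveDirectory
$InactiveDays = 90
$NeverExpires = [int64]::MaxValue    # value AD returns when the password never expires
$Props = 'DisplayName','whenCreated','LastLogonDate','PasswordLastSet','Enabled',
         'PasswordNeverExpires','msDS-UserPasswordExpiryTimeComputed'

function ConvertFrom-ExpiryTime {
    # The attribute is a FILETIME; null, 0 or Int64.MaxValue all mean "no expiry date"
    param([Nullable[int64]]$FileTime)
    if (-not $FileTime -or $FileTime -eq $NeverExpires) { return $null }
    return [datetime]::FromFileTime($FileTime)
}

$Now = Get-Date
$Report = Import-Csv D:\scripts\Users.txt | ForEach-Object {
    $u = Get-ADUser -Identity $_.samAccountName -Properties $Props -Server GC01:3268

    # LastLogonDate comes from the replicated lastLogonTimestamp, which can lag the real
    # last logon by up to 14 days, so treat DaysSinceLogon as a lower bound
    $daysIdle = if ($u.LastLogonDate)   { [int]($Now - $u.LastLogonDate).TotalDays }   else { $null }
    $pwdAge   = if ($u.PasswordLastSet) { [int]($Now - $u.PasswordLastSet).TotalDays } else { $null }

    $status = if (-not $u.Enabled)                 { 'Disabled' }
              elseif ($null -eq $daysIdle)         { 'NeverLoggedOn' }
              elseif ($daysIdle -gt $InactiveDays) { 'Stale' }
              else                                 { 'Active' }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        DisplayName          = $u.DisplayName
        Created              = $u.whenCreated
        LastLogonDate        = $u.LastLogonDate
        DaysSinceLogon       = $daysIdle
        PasswordLastSet      = $u.PasswordLastSet
        PasswordAgeDays      = $pwdAge
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordExpiry       = ConvertFrom-ExpiryTime $u.'msDS-UserPasswordExpiryTimeComputed'
        Status               = $status
    }
}

$Report | Sort-Object DaysSinceLogon -Descending | Export-Csv D:\scripts\UserActivity.csv -NoTypeInformation
# Shortlist to discuss with the account or service owners before anything is deleted
$Report | Where-Object { $_.Status -in 'NeverLoggedOn','Stale' } |
    Format-Table SamAccountName, Status, DaysSinceLogon, PasswordAgeDays
```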

And, finally, my special thanks to the author of this great article which gave me a good hint on the way to go.

Enjoy.