Imagine an HR system that is supposed to remove users from the directory as they are fired or leave the company. Nobody has audited that system in a while, so nobody knows whether it is actually working. How can we check Active Directory (and Exchange) to see whether those users still exist? It matters: every departed user who still has an enabled account is a working login that nobody is watching. The script below was written as a quick way to show what you can do in PowerShell. It is a quick one-off (hence the post name) and is not intended to be an end-all solution.
The Script
Here is the code for the script:
```powershell
# Get domains in environment
$objForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Domains = $objForest.Domains | ForEach-Object { $_.Name }
$Users = Import-Csv c:\scripts\oldusers.csv        # CSV columns: first,last
$stillactive = @()                                # array of "First Last" strings that are still present

# Act on each domain
foreach ($Domain in $Domains) {
    Write-Host "Checking $Domain" -ForegroundColor Red
    foreach ($line in $Users) {
        $first = $line.first
        $last = $line.last
        $mailbox = $first + "." + $last
        # Variables inside the -Filter script block are expanded by Get-ADUser itself
        $name1 = Get-ADUser -Filter {(givenname -eq $first) -and (surname -eq $last)} -Server $Domain -Properties givenname
        if ($name1 -ne $null) {
            # Get-Mailbox raises a non-terminating error when nothing matches; silence it and test the result
            $mailboxexists = Get-Mailbox $mailbox -ErrorAction SilentlyContinue
            Write-Host "The search found that " -NoNewline
            Write-Host "$first $last" -ForegroundColor Red -NoNewline
            Write-Host " is still in your directory."
            if ($mailboxexists -ne $null) { Write-Host "The same user has a mailbox in Exchange as well."; Write-Host " " }
            $stillactive += "$first $last"          # keep it an array; casting to [string] here collapses the list
        }
    }
}

# Send email out to the IT Department
$email = Read-Host "Do you want to send an email report [y or n]"
if ($email -eq "y") {
    $body = "Here is a list of the users who are in Active Directory and who should not be:`r`n"
    foreach ($line in $stillactive) {
        $body += "$line`r`n"
    }
    $Subject = "Old Users Still in AD"
    $server = (Get-TransportService | Select-Object -First 1).Name   # first Exchange transport server
    $to = "it@lab101.com"
    $from = "noreply@lab101.com"
    Send-MailMessage -To $to -From $from -Subject $Subject -Body $body -SmtpServer $server
}
```
Explanation
"Get domains in environment": builds the list of domains in the forest to scan, loads the CSV of departed users, and initialises the result list.
"Act on each domain": for every domain and every CSV row, searches AD by first and last name, checks for a matching Exchange mailbox, and reports on screen (Write-Host) as it runs.
"Send email out to the IT Department": optionally emails the list of accounts that are still present to the IT department (or whoever).
Sample run of the script:
Short. Simple. Sweet.
There are plenty of branches for this script to make it more complex/flexible:
- Data is currently pulled from one CSV file; it could be pulled from multiple files.
- More attributes could be queried. I used first and last name for a quick test, which will flag namesakes as false positives; sAMAccountName or employeeID would be a safer key.
- Events could be logged to the event viewer.
- More completely formatted (HTML) emails could be sent out.
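The branches above pulled together into one script, as an added example that is not part of the original post: it matches on sAMAccountName instead of first and last name (so namesakes do not produce false positives), records each finding in the Application event log, and sends an HTML report. It assumes an Exchange Management Shell with the ActiveDirectory module available, a CSV with samaccountname, first and last columns, and the hypothetical event source, path and addresses shown in the comments.

```powershell
# Added example, not the original post's script. Assumes an Exchange Management
# Shell with the ActiveDirectory module, and the hypothetical values below.
Import-Module ActiveDirectory

$CsvPath    = 'C:\scripts\oldusers.csv'   # assumed path; columns: samaccountname,first,last
$EventSrc   = 'OldUserAudit'              # hypothetical event source name
$ReportTo   = 'it@lab101.com'
$ReportFrom = 'noreply@lab101.com'

# Register the event source once (needs local admin); skip if it already exists.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSrc)) {
    New-EventLog -LogName Application -Source $EventSrc
}

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domains = $forest.Domains | ForEach-Object { $_.Name }
$users   = Import-Csv $CsvPath

$findings = foreach ($domain in $domains) {
    foreach ($row in $users) {
        $sam = $row.samaccountname
        # Exact match on sAMAccountName; the script-block filter expands $sam safely,
        # so a stray quote in the CSV cannot rewrite the query.
        $adUser = Get-ADUser -Filter { sAMAccountName -eq $sam } -Server $domain `
                             -Properties Enabled, LastLogonDate
        if (-not $adUser) { continue }

        # Get-Mailbox raises a non-terminating error when nothing matches; suppress it.
        $mailbox = Get-Mailbox -Identity $adUser.UserPrincipalName -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Domain         = $domain
            SamAccountName = $adUser.SamAccountName
            Name           = "$($row.first) $($row.last)"
            Enabled        = $adUser.Enabled
            LastLogonDate  = $adUser.LastLogonDate
            HasMailbox     = [bool]$mailbox
        }
    }
}

foreach ($f in $findings) {
    # An enabled leftover is the real risk: a usable login for someone who has left.
    $type = if ($f.Enabled) { 'Warning' } else { 'Information' }
    Write-EventLog -LogName Application -Source $EventSrc -EventId 1001 -EntryType $type `
        -Message ("Departed user still present: {0}\{1} enabled={2} mailbox={3}" -f `
                  $f.Domain, $f.SamAccountName, $f.Enabled, $f.HasMailbox)
}

if ($findings) {
    # Enabled accounts first, then render the objects as an HTML table.
    $html = $findings | Sort-Object Enabled -Descending |
            ConvertTo-Html -Title 'Old Users Still in AD' `
                           -PreContent '<h2>Departed users still present in Active Directory</h2>' |
            Out-String
    $smtp = (Get-TransportService | Select-Object -First 1).Name
    Send-MailMessage -To $ReportTo -From $ReportFrom -Subject 'Old Users Still in AD' `
        -Body $html -BodyAsHtml -SmtpServer $smtp
}
```

Writing the findings to the event log, with enabled accounts as warnings, means a SIEM or log forwarder can pick them up without anyone having to read the email.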
Script 2
Along the same lines as auditing for accounts that should have been removed, you can audit for old UPNs after a company rename, a domain rename, or a cleanup ahead of Office 365 UPN changes. The line below is a simple one-liner:
```powershell
Get-ADUser -Properties UserPrincipalName -Filter {UserPrincipalName -like '*lab09*'} | Format-Table GivenName, UserPrincipalName
```
This one-liner finds every user account whose UPN contains a given string, 'lab09' in the example; replace that with whatever domain suffix you need to search for. Note that Get-ADUser queries the current domain only, so in a multi-domain forest run it once per domain with -Server, as the script above does.
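Going one step further, as an added example that is not from the original post: once the stale UPNs are found, rewrite the suffix. The old and new suffix values below are assumptions. The script checks that the new suffix is registered on the forest and that each new UPN is not already taken (UPNs must be unique forest-wide), and runs with -WhatIf so nothing changes until you remove it.

```powershell
# Added example, not from the original post. The suffix values are assumptions.
Import-Module ActiveDirectory

$OldSuffix = 'lab09.local'   # assumed old UPN suffix being retired
$NewSuffix = 'lab101.com'    # assumed new suffix; must exist on the forest

# The new suffix has to be registered (AD Domains and Trusts) or be a domain name;
# Set-ADUser would still accept an unregistered one, but logons and O365 sync would break.
$forest = Get-ADForest
if ($NewSuffix -notin ($forest.UPNSuffixes + $forest.Domains)) {
    throw "UPN suffix '$NewSuffix' is not registered in the forest; add it first."
}

# Same query as the one-liner, restricted to the exact old suffix.
$stale = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -Properties UserPrincipalName

foreach ($u in $stale) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$NewSuffix"

    # UPNs must be unique across the forest; skip anything that would collide.
    $clash = Get-ADUser -Filter { UserPrincipalName -eq $newUpn }
    if ($clash) {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already used by $($clash.SamAccountName)"
        continue
    }

    # Preview only; remove -WhatIf to apply the change.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Run it with -WhatIf first and read the preview; the collision check matters because a duplicate UPN silently breaks sign-in for both accounts involved.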
Thanks for looking at these scripts. Please comment if you have any questions.