I wanted a process to identify the members of our Domain Admins group and see whether each account was being used. This was to see if any admin accounts were being orphaned. I also provide this list when auditors ask for all the Domain Admins group members, but in reality this script can be used to audit any AD group.
Start of script
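# Members that are not user objects (nested groups, computers) are skipped, because Get-ADUser rejects them.
Get-ADGroupMember -Identity 'Domain Admins' | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName -Properties pwdLastSet, lastLogonTimestamp, LastLogonDate |
        Select-Object Name,
            @{Name="Password Last Set"; Expression={[DateTime]::FromFileTime($_.pwdLastSet)}},
            LastLogonDate,
            @{Name="Last Logon Time Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}
}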
If you want to export this to CSV, add this to the end of the script, after the closing brace:
| Export-Csv 'C:\temp\Domain_Admin_Members_and_Last_Logon.csv' -NoClobber -NoTypeInformation
You can also use the Send-MailMessage command to email the CSV as an attachment. The command can be found here: http://mytechnicalsolution.blogspot.com/search/label/send-MailMessage
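To turn the date listing into an orphaned-account check, the following added example (not part of the original script) classifies each member as Active, Stale or NeverLoggedOn. The function name Get-AccountStaleness, the 90-day threshold and the sample account names are assumptions made for illustration.

```powershell
# Added example: classify accounts by how recently they logged on.
# Get-AccountStaleness and the 90-day default are illustrative assumptions.
function Get-AccountStaleness {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $StaleDays = 90
    )
    begin { $cutoff = (Get-Date).AddDays(-$StaleDays) }
    process {
        # An account that has never logged on has a null/0 lastLogonTimestamp.
        # FromFileTime(0) would print a misleading year-1601 date, so report
        # "never" explicitly instead of converting it.
        $stamp = [int64]($User.lastLogonTimestamp)
        $lastLogon = $null
        if ($stamp -gt 0) { $lastLogon = [DateTime]::FromFileTime($stamp) }

        if ($null -eq $lastLogon)       { $status = 'NeverLoggedOn' }
        elseif ($lastLogon -lt $cutoff) { $status = 'Stale' }
        else                            { $status = 'Active' }

        [pscustomobject]@{
            Name      = $User.Name
            Enabled   = $User.Enabled
            LastLogon = $lastLogon
            Status    = $status
        }
    }
}

# Constructed sample input so the function runs without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'adm-alice'; Enabled = $true;  lastLogonTimestamp = (Get-Date).AddDays(-3).ToFileTime() }
    [pscustomobject]@{ Name = 'adm-bob';   Enabled = $true;  lastLogonTimestamp = (Get-Date).AddDays(-400).ToFileTime() }
    [pscustomobject]@{ Name = 'adm-svc';   Enabled = $false; lastLogonTimestamp = $null }
)
# Shows adm-bob (Stale) and adm-svc (NeverLoggedOn); adm-alice is filtered out.
$sample | Get-AccountStaleness | Where-Object Status -ne 'Active'

# Against a live domain (requires the ActiveDirectory module). -Recursive
# expands nested groups so indirect members are audited too.
# Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties lastLogonTimestamp | Get-AccountStaleness
```

lastLogonTimestamp is replicated between domain controllers but by default can lag the real last logon by up to about 14 days, so keep the threshold well above that.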