Auditing Active Directory Accounts¶

User accounts¶

List disabled user accounts¶

1	Search-ADaccount -AccountDisabled -UsersOnly \| Select Name, LastLogonDate \| Sort LastLogonDate

List inactive user accounts ( > 90 days )¶

1 2	$Timespan = 90 Search-ADaccount -AccountInactive -Timespan $Timespan -UsersOnly \| Select Name \| Sort Name

List inactive computer accounts ( > 90 days )¶

1 2	$Timespan = 90 Search-ADaccount -AccountInactive -Timespan $Timespan -ComputersOnly \| Select Name \| Sort Name

List accounts for which password does not expire¶

1	Get-ADUser -Filter {PasswordNeverExpires -eq $false} \| FT Name,ObjectClass -A

Computer Accounts¶

List disabled computer accounts¶

1	Search-ADaccount -AccountDisabled -ComputersOnly \| Select Name, LastLogonDate \| Sort LastLogonDate

Insecure Configuration¶

List accounts with a non standard Primary Group¶

1	Get-ADObject -LDAPfilter '(&(primarygroupId=*)(!(\|(primarygroupID=513)(primarygroupID=515)(primarygroupID=516)(primarygroupID=521)))(!(Name=Guest)))' -Properties primarygroupID

List accounts which are a member of a privilegied group¶

1	Get-ADObject -LDAPfilter '(admincount=1)' -Properties admincount \| Select Name \| Sort Name

List accounts without a password¶

1	Get-ADObject -LDAPfilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))' -Properties useraccountcontrol

List accounts with Reversible Encryption¶

1	Get-ADObject -LDAPfilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' -Properties useraccountcontrol \| Select Name \| Sort Name

List duplicate accounts¶

1	Get-ADObject -LDAPfilter '(cn=cnf:)'

List machines registered in the domain by non admin users¶

1	Get-ADComputer -LDAPfilter '(ms-DS-CreatorSID=*)' -Properties ms-DS-CreatorSID \| Select Name \| Sort Name

Check for the presence of the principals Everyone and/or Anonymous in the Pre-Windows 2000 group¶

1	Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' \| Select Name \| Sort Name

Password Operations¶

(All code snips feature the WhatIf parameter to prevent accidental execution)

Disable password expiration for all accounts¶

1	Get-ADUser -Filter {PasswordNeverExpires -eq $false} \| ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $true -WhatIf}

Enable password expiration for all users accounts in an Organizational Unit¶

1
2

$SearchBase = 'OU=Example,DC=LAB,DC=LOCAL'
Get-ADUser -Filter {PasswordNeverExpires -eq $true} -SearchBase $SearchBase | ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $false -WhatIf}

Enable password expiration for all users in a group¶

1 2	$GroupName = 'GROUPNAME' Get-ADGroupMember -Identity $GroupName \| ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $false -WhatIf }

Enable password expiration for all users in a group and in nested groups¶

1 2	$GroupName = 'GROUPNAME' Get-ADGroupMember -Identity $GroupName -Recursive \| ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $false -WhatIf }