Skip to content

Auditing Active Directory Accounts

User accounts

List disabled user accounts

1
Search-ADaccount -AccountDisabled -UsersOnly | Select Name, LastLogonDate | Sort LastLogonDate

List inactive user accounts ( > 90 days )

1
2
$Timespan = 90
Search-ADaccount -AccountInactive -Timespan $Timespan -UsersOnly | Select Name | Sort Name

List inactive computer accounts ( > 90 days )

1
2
$Timespan = 90
Search-ADaccount -AccountInactive -Timespan $Timespan -ComputersOnly | Select Name | Sort Name

List accounts for which password does not expire

1
Get-ADUser -Filter {PasswordNeverExpires -eq $false} | FT Name,ObjectClass -A

Computer Accounts

List disabled computer accounts

1
Search-ADaccount -AccountDisabled -ComputersOnly | Select Name, LastLogonDate | Sort LastLogonDate

Insecure Configuration

List accounts with a non standard Primary Group

1
Get-ADObject -LDAPfilter '(&(primarygroupId=*)(!(|(primarygroupID=513)(primarygroupID=515)(primarygroupID=516)(primarygroupID=521)))(!(Name=Guest)))' -Properties primarygroupID

List accounts which are a member of a privilegied group

1
Get-ADObject -LDAPfilter '(admincount=1)' -Properties admincount | Select Name | Sort Name

List accounts without a password

1
Get-ADObject -LDAPfilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))' -Properties useraccountcontrol

List accounts with Reversible Encryption

1
Get-ADObject -LDAPfilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' -Properties useraccountcontrol | Select Name | Sort Name

List duplicate accounts

1
Get-ADObject -LDAPfilter '(cn=*cnf:*)'

List machines registered in the domain by non admin users

1
Get-ADComputer -LDAPfilter '(ms-DS-CreatorSID=*)' -Properties ms-DS-CreatorSID | Select Name | Sort Name

Check for the presence of the principals Everyone and/or Anonymous in the Pre-Windows 2000 group

1
Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' | Select Name | Sort Name

Password Operations

(All code snips feature the WhatIf parameter to prevent accidental execution)

Disable password expiration for all accounts

1
Get-ADUser -Filter {PasswordNeverExpires -eq $false} | ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $true -WhatIf}

Enable password expiration for all users accounts in an Organizational Unit

1
2
$SearchBase = 'OU=Example,DC=LAB,DC=LOCAL'
Get-ADUser -Filter {PasswordNeverExpires -eq $true} -SearchBase $SearchBase | ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $false -WhatIf}

Enable password expiration for all users in a group

1
2
$GroupName = 'GROUPNAME'
Get-ADGroupMember -Identity $GroupName | ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $false -WhatIf }

Enable password expiration for all users in a group and in nested groups

1
2
$GroupName = 'GROUPNAME'
Get-ADGroupMember -Identity $GroupName -Recursive | ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $false -WhatIf }