This PowerShell script retrieves the replication metadata of the "userAccountControl" attribute for every disabled user in Active Directory. Disabling an account is a write to that attribute, so the metadata tells you when, and from which domain controller, the attribute was last changed. In most cases that is the moment the account was disabled, and the information is available even when the Security event log has long since rolled over.
Below is a breakdown of the script with explanations for each section:
- Script Header:
- The script starts with a comment-based help header that includes a description of its purpose, author, creation date, and some notes.
- Output Path for Disabled Users:
- It defines the output file path for the list of disabled users in the $OutputPath variable, which is set to "C:\temp\DisabledUsers.txt".
- Retrieve Disabled Users:
- It retrieves the disabled users from Active Directory with the Get-ADUser cmdlet, using a filter on the "Enabled" property equal to $false, and keeps only the "SamAccountName" property in the $disabledUsers variable.
- Export Disabled Users to a Text File:
- The list of disabled users is then written to the text file at the path in $OutputPath. Write only the SamAccountName strings (Select-Object -ExpandProperty SamAccountName): if objects with a SamAccountName property are piped to Out-File as-is, the file also receives a table header ("SamAccountName" and a dashed line) and padded columns, and those lines are later fed to Get-ADUser -Identity, which fails on them.
- Display Export Message:
- It displays a message indicating that the export of disabled users has been completed.
- Additional Definitions:
- It defines the fully qualified domain name (FQDN) of the primary domain controller (PDC emulator) to query, reads the input users back from "DisabledUsers.txt", and sets a new output path for the change information. The replication metadata is replicated together with the object, so any writable domain controller returns the same originating change time; the PDC emulator is simply a convenient fixed target.
- Initialize an Array for Change Information:
- An empty array $allChanges is initialized to store change information for all disabled users.
- Loop through Disabled Users:
- It iterates through the list of disabled users read from "DisabledUsers.txt".
- For each user, it retrieves the account again with additional properties, including the user's description.
- It then loops over the metadata entries returned for the "userAccountControl" attribute.
- Get Replication Attribute Metadata:
- It uses the Get-ADReplicationAttributeMetadata cmdlet (ActiveDirectory module, Windows Server 2012 or later) to retrieve the replication metadata for the "userAccountControl" attribute.
- For a non-linked attribute such as userAccountControl this is a single entry holding the last originating change only: LastOriginatingChangeTime, the originating directory server, the originating USN and the version counter. Earlier changes are not retained, so the CSV gets one row per user, not a history.
- Caveat: any other flag stored in userAccountControl (for example "password never expires" or "smart card required") that was changed after the account was disabled also moves LastOriginatingChangeTime forward. Where auditing of user account management is enabled, cross-check the timestamp against Security event 4725 ("A user account was disabled") on the domain controllers.
- Filter Metadata Entries with Changes:
- It keeps the metadata entries whose "Version" is greater than 0. Version counts originating writes and is at least 1 for any attribute that has ever been set, so this only drops attributes that were never written; it is not a filter on recent changes.
- Create Custom Objects:
- For each entry, a custom object is created holding the user's SamAccountName, description, the changed attribute's object (the distinguished name), and the last originating change time.
- Append Change Information:
- The change information for each user is added to the $allChanges array.
- Do not pipe the object to Export-Csv inside the loop on the same line as the array append: Export-Csv returns nothing, so "$allChanges += $changeInfo | Export-Csv ..." adds nothing to $allChanges and the export after the loop writes nothing. Collect the objects in the loop and export once afterwards.
- Export All Changes to a CSV File:
- Finally, all changes collected in the $allChanges array are exported to the CSV file specified in the $OutputPath variable. With a single export after the loop the -Append switch is not needed, and leaving it out avoids piling new rows onto a CSV left over from a previous run.
Please review the script and make the adjustments needed for your environment and for any specific requirements you have for tracking changes to the "userAccountControl" attribute of disabled users in your Active Directory.
<#
.SYNOPSIS
Script to retrieve and analyze changes in the userAccountControl attribute for disabled users in Active Directory.
.DESCRIPTION
This script retrieves a list of disabled users from Active Directory and tracks changes to the "userAccountControl" attribute for each user.
It exports the change information to a CSV file.
Author: Navinya Ambre
Creation Date: 12/10/2023
.NOTES
- Make sure you have the necessary permissions to access Active Directory.
- Ensure that the required Active Directory modules are loaded.
- Verify that the specified file paths exist.
#>
# Define the output file path for disabled users
$OutputPath = "C:\temp\DisabledUsers.txt"

# Get all disabled users from Active Directory. -ExpandProperty writes one bare
# SamAccountName per line, without the table header Out-File would otherwise add
$disabledUsers = Get-ADUser -Filter {Enabled -eq $false} | Select-Object -ExpandProperty SamAccountName

# Export the list of disabled users to a text file
$disabledUsers | Out-File -FilePath $OutputPath -Encoding UTF8

# Display a message indicating the export is complete
Write-Host "Disabled users have been exported to $OutputPath."

# Define variables for Primary DC and output file
$PDC_FQDN = "PDC Name"
$inputusers = Get-Content -Path "C:\Temp\DisabledUsers.txt" | Where-Object { $_.Trim() -ne "" }
$OutputPath = "C:\Temp\AllDisabledUsersChanges1.csv"

# Initialize an empty array to store change information for all disabled users
$allChanges = @()

# Iterate through each disabled user
foreach ($inputuser in $inputusers) {
    $user = Get-ADUser -Identity $inputuser -Properties Description

    # Get replication attribute metadata for the userAccountControl attribute
    # (one entry for this non-linked attribute, describing its last originating change)
    $replicationMetadata = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $PDC_FQDN -Properties userAccountControl

    # Keep entries that have been written at least once (Version grows with every originating write)
    $changes = $replicationMetadata | Where-Object { $_.Version -gt 0 }

    # Create an object containing user information, change information and user description
    foreach ($change in $changes) {
        $changeInfo = [PSCustomObject]@{
            SamAccountName            = $user.SamAccountName
            Description               = $user.Description
            Object                    = $change.Object
            LastOriginatingChangeTime = $change.LastOriginatingChangeTime
        }
        # Collect the object only; piping it to Export-Csv here would return nothing
        # and leave $allChanges empty
        $allChanges += $changeInfo
    }
}

# Export all changes to a CSV file, once, after the loop
$allChanges | Export-Csv -Path $OutputPath -NoTypeInformation
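The timestamp the script above collects is the last originating write to userAccountControl, whatever flag that write touched. The following is an added example, not part of the original script, that decodes the current flag bits so you can see whether anything other than ACCOUNTDISABLE could have moved the timestamp, and, where account-management auditing is enabled, pulls the matching Security event 4725 from a domain controller as a second source. It assumes the ActiveDirectory module, a reachable domain controller, and the placeholder server name 'dc01.example.com'; the function names are this example's own.

```powershell
# Added example (not the original author's code). Assumes the ActiveDirectory module
# is loaded and that the caller can read the Security log on the queried DC.

# Flag bits of userAccountControl as documented for the attribute
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

function ConvertFrom-UserAccountControl {
    # Return the name of every flag set in the integer attribute value
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    }
}

function Get-AccountDisabledEvent {
    # Latest Security event 4725 ("A user account was disabled") for the account on one DC.
    # Requires "Audit User Account Management" to be enabled; returns $null otherwise or
    # if the log has rolled over. Properties[0] of 4725 is TargetUserName.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Server
    )
    Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4725 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1
}

function Get-DisableEvidence {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Server
    )
    $user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties userAccountControl, Description
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $Server -Properties userAccountControl

    $flags = @(ConvertFrom-UserAccountControl -Value $user.userAccountControl)
    # Any flag beyond NORMAL_ACCOUNT + ACCOUNTDISABLE may have been written after the
    # disable, in which case LastOriginatingChangeTime reflects that later write
    $otherFlags = @($flags | Where-Object { $_ -notin @('NORMAL_ACCOUNT', 'ACCOUNTDISABLE') })
    $evt = Get-AccountDisabledEvent -SamAccountName $user.SamAccountName -Server $Server

    [PSCustomObject]@{
        SamAccountName            = $user.SamAccountName
        Description               = $user.Description
        IsDisabled                = ($flags -contains 'ACCOUNTDISABLE')
        Flags                     = ($flags -join ',')
        OtherFlagsSet             = ($otherFlags -join ',')   # non-empty: timestamp may not be the disable
        LastOriginatingChangeTime = $meta.LastOriginatingChangeTime
        OriginatingDC             = $meta.LastOriginatingChangeDirectoryServerIdentity
        Version                   = $meta.Version
        Event4725Time             = if ($evt) { $evt.TimeCreated } else { $null }
    }
}

# Usage (server name is a placeholder):
# Get-ADUser -Filter { Enabled -eq $false } |
#     ForEach-Object { Get-DisableEvidence -SamAccountName $_.SamAccountName -Server 'dc01.example.com' } |
#     Export-Csv -Path C:\Temp\DisableEvidence.csv -NoTypeInformation
```

When OtherFlagsSet is empty, the metadata timestamp is the disable time; when it is not, compare it with Event4725Time (the 4725 event also names the account that performed the disable in its Subject fields). A 4725 query against a single DC only sees disables originated on that DC, so run it against each DC, or the log collector, rather than trusting one server.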
Please consider this an open forum for sharing your thoughts, modifications, and suggestions regarding the script. Your input and feedback are highly encouraged and valued.