AD PowerShell – Monitor disabled accounts

I’ve been working on various automated monitors via PowerShell. This one I came up with after reading the Best Practices for Securing Active Directory document from Microsoft. There are a bunch of takeaways from this document and I’m sure I’ll post more stuff that spawned from it. This is just one minor piece.

The purpose of this script is to monitor built-in accounts that are disabled and that you want to stay disabled. The script emails you if any of them become enabled. You can also add any other accounts that you have disabled for whatever reason, such as the built-in domain admin.

A few notes:

  • As always, read through it and fill in your own values where I have generalized them.
  • I realize now that Write-Host is not the best method – feel free to change it if it bothers you. Please see this article regarding Write-Host.

_______________________________________________________________________

cls
Import-Module ActiveDirectory
#$ErrorActionPreference = "silentlycontinue"

###########
#Variables#
###########

#Users to monitor
$users = ("krbtgt", "guest")
$counter = 0
$msg = $null

######
#Code#
######

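# Look up each monitored account and record whether it is enabled
$users | foreach {
    Get-ADUser $_ | foreach {
        If ($_.enabled -eq $true)
            {
            # Account is expected to be disabled but is enabled: report and count it
            Write-Host "*** $($_.samaccountname) has been enabled! ***"
            $msg += "*** $($_.samaccountname) has been enabled! ***`n"
            $counter++
            }

        elseif ($_.enabled -eq $false)
            {
            # Expected state: still disabled
            Write-Host "$($_.samaccountname) - is disabled"
            $msg += "$($_.samaccountname) - is disabled`n"
            }
    }
}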

# Nothing enabled: exit quietly. Otherwise email the full status list.
If ($counter -eq 0)
    {Exit}
elseif ($counter -gt 0)
    {
    #send email
    $subject = "** A Monitored Builtin User has been enabled! **"
    $body = "A monitored Builtin User has been enabled. Please check the contents of this email message for more details`n`n`n"
    $body = $body + $msg
    Send-MailMessage -from "AD-User-Monitor@company.com" -to "servergroup@company.com" -subject $subject -body $body -smtpserver "smtp.company.com"
    }

_______________________________________________________________________
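A variant of the script above, added here as an example (not the author's code): it resolves the built-in accounts by their well-known RIDs (501 for Guest, 502 for krbtgt) so a renamed account is still found, reports a failed lookup as an alert instead of skipping it, and emits objects rather than Write-Host text. The function name Get-MonitoredAccountState and its parameters are assumptions; the mail addresses are the placeholders from the script above.

```powershell
Import-Module ActiveDirectory

function Get-MonitoredAccountState {
    [CmdletBinding()]
    param(
        # Well-known RIDs: 501 = Guest, 502 = krbtgt (add 500 for the built-in Administrator)
        [int[]]$Rid = @(501, 502),
        # Any other accounts you keep disabled, by sAMAccountName (hypothetical parameter)
        [string[]]$SamAccountName = @()
    )

    # Build full SIDs from the domain SID so the lookup does not depend on account names
    $domainSid  = (Get-ADDomain).DomainSID.Value
    $identities = @($Rid | ForEach-Object { "$domainSid-$_" }) + $SamAccountName

    foreach ($id in $identities) {
        try {
            $u = Get-ADUser -Identity $id -Properties whenChanged -ErrorAction Stop
            [pscustomobject]@{
                Identity       = $id
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                WhenChanged    = $u.whenChanged   # last change to the object, useful when investigating
                Status         = if ($u.Enabled) { 'ENABLED' } else { 'Disabled' }
            }
        }
        catch {
            # An account that cannot be read is reported, never silently skipped
            [pscustomobject]@{
                Identity = $id; SamAccountName = $null; Enabled = $null; WhenChanged = $null
                Status   = "LOOKUP FAILED: $($_.Exception.Message)"
            }
        }
    }
}

$results = @(Get-MonitoredAccountState)
$alerts  = @($results | Where-Object { $_.Status -ne 'Disabled' })
$results   # objects on the pipeline: usable in a console, a log file or a scheduled task

if ($alerts.Count -gt 0) {
    $body = "A monitored account is enabled or could not be checked.`n`n" +
            ($results | Format-List | Out-String)
    Send-MailMessage -From "AD-User-Monitor@company.com" -To "servergroup@company.com" `
        -Subject "** A Monitored Builtin User has been enabled! **" `
        -Body $body -SmtpServer "smtp.company.com"
}
```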

akers8806
