SID-500


PowerShell: My top 10 commands for documenting and monitoring Active Directory

In this post I want to introduce my top 10 commands for documenting and monitoring Active Directory Domain Services.

List all Domain-Controllers

Get-ADDomainController -Filter * | Format-List Name,Ipv4Address,IPv6Address,OperatingSystem


List all Global Catalog Servers

Get-ADDomainController -Discover -Service "GlobalCatalog"


List all Operation Master Roles (FSMO)

Forest-wide Roles

Get-ADForest | Format-Table SchemaMaster,DomainNamingMaster


Domain-wide Roles

Get-ADDomain | Format-List pdc*,infra*,rid*


I have to admit: netdom query fsmo is much simpler 😉

netdom query fsmo


Link (German): Active Directory FSMO Rollen (Betriebsmaster)

Monitoring Active Directory Logins

Successful Logins

I am looking for logins of the user “Petra”. Note that the Security event logs of all domain controllers need to be checked, because a logon is only recorded on the domain controller that authenticated it. If you don't speak German, don't let the German screenshot confuse you. Pay attention to the logon type (“Anmeldetyp”). The value is 2, which means a user has logged on to the domain.

Get-EventLog -LogName Security -InstanceId 4624 | Where-Object Message -match "petra" | Format-Table TimeGenerated,Message -AutoSize -Wrap


Unsuccessful Logins

Get-EventLog -LogName Security -InstanceId 4771 | Where-Object Message -match "petra" | Format-Table TimeGenerated,Message -AutoSize -Wrap


Note the error code 0x18. The user has provided a bad password.
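Both commands above only read the local event log and match the user name anywhere in the message text. The following function is an added example (not part of the original post) that queries 4624 and 4771 on every domain controller with Get-WinEvent and reads the typed event fields instead; it assumes the ActiveDirectory module and permission to read the Security log on each DC.

```powershell
# Added example: collect successful (4624) and failed Kerberos pre-auth (4771)
# logon events for one user from every domain controller.
function Get-UserLogonEvents {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        # Filtering server-side is far cheaper than piping every event into Where-Object
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4624, 4771
            StartTime = $since
        }
        foreach ($e in $events) {
            # Read the structured EventData fields instead of regex-matching the message text
            $xml = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $SamAccountName) { continue }
            # 4624 carries LogonType (2 = interactive), 4771 carries the Kerberos status (0x18 = bad password)
            if ($e.Id -eq 4624) {
                $detail = "LogonType $($data['LogonType']) from $($data['IpAddress'])"
            } else {
                $detail = "Status $($data['Status']) from $($data['IpAddress'])"
            }
            [PSCustomObject]@{
                Time    = $e.TimeCreated
                DC      = $dc
                EventId = $e.Id
                User    = $data['TargetUserName']
                Detail  = $detail
            }
        }
    }
}

Get-UserLogonEvents -SamAccountName 'petra' -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```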


More information about Active Directory logins in my German blog post: Active Directory Anmeldungen überwachen

Find orphaned Computer Accounts

To find all computer accounts (servers are excluded by the filter) that have not logged on to the domain for a year, run:

Get-ADComputer -Filter * -Properties OperatingSystem,LastLogonDate | Where-Object { ($_.OperatingSystem -notlike "*Server*") -and ($_.LastLogonDate -le ((Get-Date).AddDays(-365))) } | Sort-Object LastLogonDate | Format-Table Name,LastLogonDate


Link (German): Active Directory: Verwaiste (inaktive) Computerkonten finden

Find orphaned User Accounts

To find all user accounts that have not logged on to the domain for a year, run:

Get-ADUser -Filter * -Properties LastLogonDate | Where-Object { $null -ne $_.LastLogonDate -and $_.LastLogonDate -le ((Get-Date).AddDays(-365)) } | Format-List Name,LastLogonDate
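The two stale-account searches above (computers and users) share the same logic, so here is one added example (not part of the original post) that produces a single report of both. It assumes the ActiveDirectory module; keep in mind that LastLogonDate is derived from lastLogonTimestamp, which replicates with a delay of up to 14 days, so the threshold should stay well above that.

```powershell
# Added example: enabled workstation and user accounts that have not logged on
# since the cutoff. Accounts that never logged on have no LastLogonDate and are
# reported only if they were created before the cutoff.
function Get-StaleADAccounts {
    param([int]$Days = 365)
    $cutoff = (Get-Date).AddDays(-$Days)
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, LastLogonDate, WhenCreated |
        Where-Object { $_.OperatingSystem -notlike '*Server*' } |
        ForEach-Object {
            [PSCustomObject]@{ Type = 'Computer'; Name = $_.Name; LastLogonDate = $_.LastLogonDate; WhenCreated = $_.WhenCreated }
        }
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, WhenCreated |
        ForEach-Object {
            [PSCustomObject]@{ Type = 'User'; Name = $_.SamAccountName; LastLogonDate = $_.LastLogonDate; WhenCreated = $_.WhenCreated }
        }
    # @() guards against a single result not being an array
    (@($computers) + @($users)) | Where-Object {
        if ($null -eq $_.LastLogonDate) { $_.WhenCreated -le $cutoff } else { $_.LastLogonDate -le $cutoff }
    } | Sort-Object Type, LastLogonDate
}

$stale = Get-StaleADAccounts -Days 365
$stale | Export-Csv -Path C:\StaleAccounts.csv -NoTypeInformation
$stale | Format-Table -AutoSize
```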

Link (German): Active Directory: Inaktive Benutzer mit Get-ADUser suchen

Find orphaned Group Policies

To find all Group Policies that are not linked to an organizational unit, run:

Get-GPO -All | ForEach-Object {
    if ($_ | Get-GPOReport -ReportType XML | Select-String -NotMatch "<LinksTo>") {
        Write-Host $_.DisplayName, $_.CreationTime, $_.ModificationTime
    }
}
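The text match above also misses GPOs that are linked but whose links are all disabled, which are just as unused. This added example (not part of the original post) parses the report as XML, checks the Enabled flag of each link and returns objects instead of writing to the console; it assumes the GroupPolicy module.

```powershell
# Added example: GPOs with no link, or with links that are all disabled.
function Get-UnlinkedGPO {
    Get-GPO -All | ForEach-Object {
        [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
        # A GPO without links has no LinksTo element; drop the $null that results
        $links = @($report.GPO.LinksTo | Where-Object { $null -ne $_ })
        $activeLinks = @($links | Where-Object { $_.Enabled -eq 'true' })
        if ($activeLinks.Count -eq 0) {
            $state = if ($links.Count -eq 0) { 'Unlinked' } else { 'All links disabled' }
            [PSCustomObject]@{
                DisplayName      = $_.DisplayName
                Id               = $_.Id
                State            = $state
                Owner            = $_.Owner
                CreationTime     = $_.CreationTime
                ModificationTime = $_.ModificationTime
            }
        }
    }
}

Get-UnlinkedGPO | Sort-Object ModificationTime | Format-Table -AutoSize
```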

Link (German): Active Directory: Suche nach inaktiven, nicht verknüpften Gruppenrichtlinien

Find all Active Directory Contacts

Get-ADObject -Filter 'objectClass -eq "contact"' -Properties CN | Format-List CN


Link: PowerShell: Finding Active Directory Contacts

List Hardware information of domain joined Computers

Get a list of all computers using Set-Content or a variable.

(Get-ADComputer -Filter *).Name | Set-Content C:\Computers.txt

Then run Get-WMIObject and save the output in a user-friendly format.

Get-WMIObject -ComputerName (Get-Content C:\Computers.txt) -Class Win32_Computersystem -ErrorAction SilentlyContinue | ConvertTo-Html Name,TotalPhysicalMemory -Title (Get-Date) -Body "RAM Liste aller Computer" | Set-Content C:\Ram.htm
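With -ErrorAction SilentlyContinue, computers that are offline or block WMI simply vanish from the report. This added example (not part of the original post) does the same inventory with Get-CimInstance, the WinRM-based successor of Get-WmiObject, and records unreachable hosts instead of dropping them; it assumes WinRM is enabled on the clients and the ActiveDirectory module is available.

```powershell
# Added example: RAM inventory of all enabled domain computers with a per-host status.
function Get-ComputerRamInventory {
    param([string[]]$ComputerName = (Get-ADComputer -Filter 'Enabled -eq $true').Name)
    foreach ($name in $ComputerName) {
        try {
            $cs = Get-CimInstance -ComputerName $name -ClassName Win32_ComputerSystem -ErrorAction Stop
            [PSCustomObject]@{ Name = $name; TotalRamGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1); Status = 'OK' }
        } catch {
            # Keep the host in the report so the gap is visible
            [PSCustomObject]@{ Name = $name; TotalRamGB = $null; Status = "Unreachable: $($_.Exception.Message)" }
        }
    }
}

$inventory = Get-ComputerRamInventory
$inventory | ConvertTo-Html -Title "RAM inventory $(Get-Date)" -Body "<h1>RAM of all computers</h1>" | Set-Content C:\Ram.htm
$inventory | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```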


Link (German): WMI: Hardwarekonfiguration aller Domänen-Computer abrufen und speichern

Searching for Active Sync users

Fair enough, this one is related to Exchange. But Exchange relies on Active Directory, so let's search for Exchange ActiveSync users.

Get-CASMailbox -Filter {hasactivesyncdevicepartnership -eq $true -and -not displayname -like "CAS_*"} | Get-Mailbox | Format-List name


Link (German): Exchange Active Sync Benutzer anzeigen

Further Information

If you want to install a Domain Controller with PowerShell, then take a look at my post PowerShell: How to install a Domain Controller with Server Core.


2 Comments

  1. […] For documenting purposes see also my article PowerShell: My top 10 commands for documenting and monitoring Active Directory […]


  2. […] Well, let´s run a command from my blog post PowerShell: My top 10 commands for documenting and monitoring Active Directory. […]



Who is the blogger?

My name is Patrick Grünauer (pewa2303). I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!

Patrick Gruenauer