Script Repository


Properties of computer accounts

May 13, 2016

The script creates a CSV report containing properties of all computers in all AD domains managed by Adaxes.

Note: The script uses the $Context variable, which is available only on the server side. This means it can be executed only by Business Rules, Custom Commands, and Scheduled Tasks. For example, to schedule the report, create a Scheduled Task configured for the Domain-DNS object type and add the script with the Run a program or PowerShell script action.

Parameters:

  • $propertiesToExport - specifies LDAP names of computer properties that will be included in the report and the display names under which they will appear as CSV columns;
  • $csvFilePath - specifies the path to the CSV file created by the script. The account under which Adaxes runs the script (by default the Adaxes service account) must have write access to this location.

PowerShell
$propertiesToExport = @(
    @("name", "Name"),
    @("lastLogonTimestamp", "Last Logon"),
    @("userAccountControl", "Account Options")
) # TODO: modify me

$csvFilePath = "\\SERVER\Share\ComputerReport.csv" # TODO: modify me

# Declare human readable descriptions for Account Options.
# Bit values are the ADS_USER_FLAG_ENUM flags of userAccountControl.
# Note: LOCKOUT (16) and PASSWORD_EXPIRED (8388608) are not maintained in the
# stored attribute; the reliable values are in msDS-User-Account-Control-Computed.
$accountOptions = @{
    1 = "Logon script is executed";
    2 = "Account is disabled";
    8 = "Home directory is required";
    16 = "Account is locked out";
    32 = "No password is required";
    64 = "User cannot change password";
    128 = "Store password using reversible encryption";
    256 = "Temporary duplicated account";
    512 = "Normal account";
    2048 = "Interdomain trust account";
    4096 = "Workstation trust account";
    8192 = "Server trust account";
    65536 = "Password never expires";
    131072 = "MNS logon account";
    262144 = "Smart card is required for interactive logon";
    524288 = "Account is trusted for delegation";
    1048576 = "Account is sensitive and cannot be delegated";
    2097152 = "Use Kerberos DES encryption types for this account";
    4194304 = "Do not require Kerberos preauthentication";
    8388608 = "Password has expired";
    16777216 = "Account is trusted to authenticate for delegation";
    67108864 = "Partial secrets account (read-only domain controller)"
}

# Get LDAP and display names for the properties
$propertyLdapNames = @()
$propertiesFriendlyNames = @()
foreach ($propertyInfo in $propertiesToExport)
{
    $propertyLdapNames += $propertyInfo[0]
    $propertiesFriendlyNames += $propertyInfo[1]
}

# Find computers
$searcher = $Context.BindToObject("Adaxes://rootDSE")
$searcher.SearchFilter = "(objectCategory=computer)"
$searcher.PageSize = 500
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.SetPropertiesToLoad($propertyLdapNames)
$searcher.VirtualRoot = $True

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    
    # Build report
    $report = @()
    foreach ($searchResult in $searchResults)
    {                        
        # Get property values for each computer
        $record = New-Object PSObject
        for ($i = 0; $i -lt $propertyLdapNames.Length; $i++)
        {
            $propertyName = $propertyLdapNames[$i]
            
            # Get property value
            $value = $searchResult.Properties[$propertyName].Value
            switch ($propertyName)
            {
                "lastLogonTimestamp"
                {
                    # lastLogonTimestamp is replicated, but only updated when the
                    # stored value is older than 9-14 days, so it is an approximation.
                    if (($value -eq 0) -or ($value -eq $NULL))
                    {
                        $value = "unspecified"
                    }
                    else
                    {
                        try
                        {
                            # FILETIME (100 ns intervals since 1601) to local DateTime;
                            # use FromFileTimeUtc to report in UTC instead
                            $value = [DateTime]::FromFiletime([Int64]::Parse($value))
                        }
                        catch
                        {
                            $Context.LogMessage("Cannot convert value '$value' to the date/time format", "Warning") # TODO: modify me
                            $value = "unspecified"
                        }
                    }
                }
                "userAccountControl"
                {
                    # Iterate the flags in ascending bit order so the column content
                    # is deterministic (hashtable enumeration order is not)
                    $userAccountControl = @()
                    foreach ($key in ($accountOptions.Keys | Sort-Object))
                    {
                        if ($value -band $key)
                        {
                            $userAccountControl += $accountOptions[$key]
                        }
                    }
                    $value = $userAccountControl -join ";"
                }
            }
            
            $record | Add-Member -MemberType NoteProperty -Name $propertiesFriendlyNames[$i] -Value $value
        }
        $report += $record
    }
    # Sorting assumes a column with the display name "Name" exists in $propertiesToExport
    $report | Sort-Object -Property Name | Export-csv -NoTypeInformation -Path $csvFilePath
}
finally
{
    # Release resources used by the search (the iterator is $null if ExecuteSearch failed)
    if ($searchResultIterator -ne $null)
    {
        $searchResultIterator.Dispose()
    }
}
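The report above records each computer's decoded Account Options and last logon, but it does not say which rows deserve attention. The following is an added example, not part of the Adaxes script and not Adaxes code: it reads rows in the format the script writes (the default columns "Name", "Last Logon" and "Account Options") and flags stale computers and security-sensitive flags. Get-ComputerReportFindings is a hypothetical helper written for this example; the 90-day staleness threshold, the list of options treated as risky, and the sample rows are assumptions constructed here. Because lastLogonTimestamp is only refreshed every 9-14 days, a threshold much lower than that would produce false positives.

```powershell
# Added example (not part of the Adaxes script): post-process the computer report.
# Column names match the default $propertiesToExport of the script above.
# Threshold and risky-option list are assumptions for this example.

function Get-ComputerReportFindings
{
    param(
        [Parameter(Mandatory = $true)][object[]]$Rows,
        [int]$StaleAfterDays = 90,
        [string[]]$RiskyOptions = @(
            "Account is trusted for delegation",                  # unconstrained delegation
            "Account is trusted to authenticate for delegation",  # protocol transition
            "Use Kerberos DES encryption types for this account",
            "Do not require Kerberos preauthentication",
            "Store password using reversible encryption"
        )
    )

    $now = Get-Date
    foreach ($row in $Rows)
    {
        $findings = @()

        # "Last Logon" is either the literal "unspecified" or a DateTime rendered by Export-Csv
        if ($row.'Last Logon' -eq "unspecified")
        {
            $findings += "never logged on"
        }
        else
        {
            $ageDays = [int]($now - [DateTime]::Parse($row.'Last Logon')).TotalDays
            if ($ageDays -gt $StaleAfterDays)
            {
                $findings += "stale (no logon for $ageDays days)"
            }
        }

        # "Account Options" is the ';'-joined list of descriptions from $accountOptions
        $options = @($row.'Account Options' -split ";")
        $isDomainController = $options -contains "Server trust account"
        foreach ($option in $options)
        {
            if ($RiskyOptions -notcontains $option) { continue }
            # Domain controllers are trusted for delegation by design; do not flag that
            if ($isDomainController -and $option -eq "Account is trusted for delegation") { continue }
            $findings += $option
        }

        if ($findings.Count -gt 0)
        {
            New-Object PSObject -Property @{
                Name     = $row.Name
                Findings = ($findings -join "; ")
            }
        }
    }
}

# Constructed sample rows standing in for: Import-Csv -Path $csvFilePath
$sampleCsv = @"
"Name","Last Logon","Account Options"
"DC01","$((Get-Date).AddDays(-1))","Server trust account;Account is trusted for delegation"
"WEB01","$((Get-Date).AddDays(-3))","Workstation trust account;Account is trusted for delegation"
"OLDPC","$((Get-Date).AddDays(-200))","Workstation trust account"
"LEGACY","unspecified","Workstation trust account;Use Kerberos DES encryption types for this account"
"WS01","$((Get-Date).AddDays(-2))","Workstation trust account"
"@

$rows = $sampleCsv | ConvertFrom-Csv
Get-ComputerReportFindings -Rows $rows -StaleAfterDays 90 |
    Sort-Object -Property Name |
    Format-Table -Property Name, Findings -AutoSize
```

With the sample rows, DC01 and WS01 produce no findings, WEB01 is reported for unconstrained delegation on a non-DC, OLDPC as stale, and LEGACY both as never logged on and for DES-only Kerberos. To run it against a real report, replace the constructed rows with `Import-Csv -Path $csvFilePath`; if you change the display names in $propertiesToExport, change the column names used here to match.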
