Thursday, September 12, 2013

How to generate complex AD account metrics


PowerShell Metrics Series: Active Directory Reporting
How to generate and report basic AD account metrics
How to generate complex AD account metrics part 1
How to generate complex AD account metrics part 2
How to store AD metrics in SharePoint 2010
How to present AD metrics in a SharePoint 2010 dashboard

Introduction

In the previous posting in this series, we explored how to generate and report simple Active Directory metrics, such as the total number of accounts by type and the total number of accounts with mailboxes. In this posting, we will explore how to generate more complex metrics, including:
  • Total number of enabled user accounts
  • Total number of disabled user accounts
  • Total number of user accounts that have been locked out
  • Total number of enabled user accounts that have never logged on
Review

Here's the script that has been created thus far (below).  I've added additional comments to help you understand what is going on:
#####################################
# Name:        AD Report Generator
# Author:      [your name]
# Date:        [date]
# Description:
#####################################
Import-Module ActiveDirectory

# Create the report container
# ---------------------------
# Save the date and time.  This date and time
# will be used also for generating the report
# filename.
$DateTime = Get-Date
# Use this date/time to generate the report file name
$DateTimeFileString = $DateTime.ToString("yyyyMMddHHmmss")
# Now generate the path/file string
$FilePathString = "\\[YourPath]\ADReport_" + $DateTimeFileString + ".txt"
# Create a new text file
New-Item $FilePathString -Type File

# Write the report date/time
# --------------------------
# Add the date/time to the top of the file
[string]$StringToWrite = $DateTime
Set-Content $FilePathString $StringToWrite
# and then add a couple of lines after
Add-Content $FilePathString ""
Add-Content $FilePathString ""

# Add a header to the report
# --------------------------
$StringToWrite = "AD Domain Accounts Report"
Add-Content $FilePathString $StringToWrite
$StringToWrite = "Generated on host " + $env:Computername + " by " + $env:UserName
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString "====================================================="
Add-Content $FilePathString ""
Add-Content $FilePathString ""
Add-Content $FilePathString ""

# Build the report
# ----------------
# This next line of code interrogates AD and builds the array
# that contains all accounts in AD and the desired properties.
# It effectively generates a list of accounts and their
# properties that you can parse and filter as needed.  This only
# needs to be performed once, for the entire report, as all of
# the rest of the attention will be focused on this array.
[array]$AllAccounts = Get-ADUser -Filter * -Properties Name, Givenname, Surname, DistinguishedName, Enabled, LastLogonDate, LastLogonTimeStamp, LockedOut, msExchHomeServerName, SAMAccountName, CreateTimeStamp, Created, PasswordLastSet, Description

# This line gets the total number of accounts and reports it.
# It effectively counts all of the rows in the array.
$StringToWrite = "Total number of AD domain accounts of all types: " + $AllAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

# This line gets the total number of accounts having Exchange
# mailboxes. The Where-Object performs all of the complex
# interaction necessary for filtering the array - you simply
# need to provide it with the filter parameters.  Note the use
# of "$_", which is a shorthand reference to the object being
# filtered.  Note too how Boolean expressions are written:
# comparison operators are written with a leading hyphen "-".
# See the References for additional discussion on this notation.
# An attribute that is not set on the account comes back as $null,
# so the test is simply "is the attribute non-null".
[array]$AllMailboxUsers = $AllAccounts | Where-Object {$null -ne $_.msExchHomeServerName}
$StringToWrite = "Total number of users who have email accounts: " + $AllMailboxUsers.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

# This line gets the total number of administrative accounts
# using the same approach as previous.  As discussed earlier,
# it assumes that admin accounts are distinguished by having
# the word "Admin" in their Description field.  Other fields
# may also be used - if so, use them instead.
[array]$AllAdminAccounts = $AllAccounts | Where-Object {$_.Description -Like '*Admin*'}
$StringToWrite = "Total number of Administrative accounts: " + $AllAdminAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

# Get total number of service accounts.  Same approach as
# previous. Assumes that service accounts are distinguished
# by having the word "Service" in their Description field.
[array]$AllServiceAccounts = $AllAccounts | Where-Object {$_.Description -Like '*Service*'}
$StringToWrite = "Total number of Service accounts: " + $AllServiceAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

# Get total number of accounts used for testing.  Same approach
# as previous. Assumes that testing accounts are distinguished by
# having the word "Testing" in their Description field.
[array]$AllTestingAccounts = $AllAccounts | Where-Object {$_.Description -Like '*Testing*'}
$StringToWrite = "Total number of Testing accounts: " + $AllTestingAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

# Get total number of end user accounts.  Same approach as
# previous, but this time the array is filtered for NOT having
# certain keywords in their Description field.
[array]$AllUserAccounts = $AllAccounts | Where-Object {($_.Description -NotLike '*Admin*') -and ($_.Description -NotLike '*Service*') -and ($_.Description -NotLike '*Testing*')}
$StringToWrite = "Total number of User accounts: " + $AllUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

Add Additional Active Directory Metrics

Below is what we will add.  The first metric to extract is the total number of enabled user accounts, and then we'll get the total number of disabled user accounts.  We already have an array that is composed of user accounts only, namely, $AllUserAccounts.  All that needs to be done is to filter this array further based upon the value of the account Enabled property, which is a Boolean.  Here again note that a single line of code is all that is needed to extract the desired metric:
# This line gets the total number of user accounts that
# are enabled.
[array]$AllEnabledUserAccounts = $AllUserAccounts | Where-Object {$_.Enabled -eq $True}
$StringToWrite = "Total number of Enabled User accounts: " + $AllEnabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

# This line gets the total number of user accounts that
# are disabled.
[array]$AllDisabledUserAccounts = $AllUserAccounts | Where-Object {$_.Enabled -eq $False}
$StringToWrite = "Total number of Disabled User accounts: " + $AllDisabledUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

The next couple of metrics to explore are the total number of locked out user accounts and the number of user accounts that have never logged in:
# This line gets the total number of enabled user
# accounts that have been locked out.
[array]$AllEnabledLockedUserAccounts = $AllEnabledUserAccounts | Where-Object {$_.LockedOut -eq $True}
$StringToWrite = "Total number of Enabled User accounts that are locked out: " + $AllEnabledLockedUserAccounts.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""

# This line gets the total number of enabled users
# that have never logged in.  $null is placed on the left
# of the comparison so that the test always yields a single
# Boolean rather than a filtered collection.
[array]$AllEnabledUserAccountsNeverlogon = $AllEnabledUserAccounts | Where-Object {$null -eq $_.LastLogonDate}
$StringToWrite = "Total number of Enabled User accounts that have never logged on: " + $AllEnabledUserAccountsNeverlogon.Count
Add-Content $FilePathString $StringToWrite
Add-Content $FilePathString ""
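The four filters above (enabled, disabled, locked out, never logged on) can be wrapped in one reusable function and exercised offline against constructed account objects before being pointed at the real $AllUserAccounts array. This is an added example, not code from the original post; the $StaleAfterDays threshold, the function name and the sample accounts are assumptions, and the stale check uses the Created property that the script already retrieves.

```powershell
# Added example: compute the account-state metrics from any collection of
# account objects (real Get-ADUser output or constructed test objects).
function Get-AccountStateMetrics {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        # Assumption: an enabled account that has never logged on and was
        # created more than this many days ago is worth reviewing as stale.
        [int] $StaleAfterDays = 30
    )
    # @(...) guarantees an array so .Count is valid even for 0 or 1 results.
    $enabled  = @($Accounts | Where-Object { $_.Enabled -eq $true })
    $disabled = @($Accounts | Where-Object { $_.Enabled -eq $false })
    $locked   = @($enabled  | Where-Object { $_.LockedOut -eq $true })
    # $null on the left: "$x -eq $null" on a collection-valued $x would return
    # the matching elements, not a Boolean, and silently mis-filter.
    $never    = @($enabled  | Where-Object { $null -eq $_.LastLogonDate })
    $cutoff   = (Get-Date).AddDays(-$StaleAfterDays)
    $stale    = @($never    | Where-Object { $_.Created -lt $cutoff })

    [PSCustomObject]@{
        Enabled                   = $enabled.Count
        Disabled                  = $disabled.Count
        EnabledLockedOut          = $locked.Count
        EnabledNeverLoggedOn      = $never.Count
        EnabledNeverLoggedOnStale = $stale.Count
        StaleNeverLoggedOnNames   = @($stale | ForEach-Object { $_.SamAccountName })
    }
}

# Constructed sample accounts standing in for $AllUserAccounts.
$now = Get-Date
$sample = @(
    [PSCustomObject]@{ SamAccountName='alice'; Enabled=$true;  LockedOut=$false; LastLogonDate=$now.AddDays(-2);  Created=$now.AddYears(-3) }
    [PSCustomObject]@{ SamAccountName='bob';   Enabled=$true;  LockedOut=$true;  LastLogonDate=$now.AddDays(-40); Created=$now.AddYears(-1) }
    [PSCustomObject]@{ SamAccountName='carol'; Enabled=$true;  LockedOut=$false; LastLogonDate=$null;             Created=$now.AddDays(-90) }
    [PSCustomObject]@{ SamAccountName='dave';  Enabled=$true;  LockedOut=$false; LastLogonDate=$null;             Created=$now.AddDays(-3) }
    [PSCustomObject]@{ SamAccountName='erin';  Enabled=$false; LockedOut=$false; LastLogonDate=$null;             Created=$now.AddYears(-2) }
)

# Expected for the sample: Enabled 4, Disabled 1, EnabledLockedOut 1,
# EnabledNeverLoggedOn 2, EnabledNeverLoggedOnStale 1 (carol).
Get-AccountStateMetrics -Accounts $sample | Format-List

# Against the real report array:
# Get-AccountStateMetrics -Accounts $AllUserAccounts | Format-List
```

Keep in mind that LastLogonDate is derived from the lastLogonTimestamp attribute, which AD replicates only periodically (roughly every 9 to 14 days by default), so a recently created account can legitimately show a $null value for a while; the $StaleAfterDays cutoff keeps such accounts out of the stale list.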

Summary

In this posting, we have explored how to generate more complex metrics.  These more complex metrics build upon the metrics already extracted previously. In the next posting, we'll complete our exploration of how to generate metrics by learning how to generate the various LastLogonDate categories typically of interest, such as 180, 90, 45, 30 and 14 day logons, to name a few.  Extracting LastLogonDate values brings real value to management and your customers, as it provides the raw data on actual system usage that management can use to more effectively perform trend analyses and justify and plan infrastructure budgets.

References
