The problem is that, once in a while, managers forget to update the expiration dates of their consultants/external partners even after a couple of reminders. Since we have an automated process taking care of the off-boarding (thanks to PowerShell! ;-)), it gets fun when those guys can't connect to their accounts on Monday morning because they have lost all their access.
So I wrote a tiny script to report any expiring user accounts and send it to the IT department every Monday morning, just to give us a heads up.
Report Example
How does this work?
Summary
This script retrieves all the users under a specified Organizational Unit and looks for any account expiring within the specified time span (by default I set it to 10 days).
If some accounts are found, the script generates an HTML report and sends it via email.
You will also need to create a scheduled task to run the script at the specific frequency, in my case it runs every Monday at 6 am.
Step by Step
- Look for user accounts expiring in the next 10 days using the cmdlet Search-ADAccount (from the Active Directory Module),
- If some accounts are found, Continue, else Stop.
- Generate an HTML Report,
- Send the Report to IT Support team.
Workflow
Finding Expiring Accounts
I am using the very neat cmdlet Search-ADAccount. This cmdlet is included in the Active Directory Module and comes with some very cool parameters. Notice the -AccountExpiring parameter: that's what we need for our little script.
We can get more information by checking out the help
With the -AccountExpiring parameter we can use either the -DateTime or the -TimeSpan parameter to specify the time range.
Example using the DateTime parameter
# Search for accounts expiring before 2015/05/26
Search-ADAccount -AccountExpiring -DateTime "2015/05/26"
Example using the TimeSpan parameter
# Search for accounts expiring in the next 10 days
Search-ADAccount -AccountExpiring -TimeSpan "10.00:00:00"
OK, we have the expiring accounts; now we need to generate a report.
Creating the report
The above output can be easily converted to HTML using the cmdlet ConvertTo-HTML, but before we do this, I need to find a nice and simple CSS to make my report look nice :-) A quick Google search led me to this little piece of code below (found on http://www.textfixer.com/tutorials/css-tables.php)
I'm adding this piece of code into the variable $CSS using the here-string construction method.
Here-String construction lets you bypass the complexities involved in assigning a multi-line string value to a variable.
Almost there! The next step is to add a Title above our report and a Foot Note to display the source and generated date/time.
# Define the Title of the report
$PreContent = "<Title>Active Directory - Expiring Users (next $days days)</Title>"
# Add a small line at the end to show the source of the report
$NoteLine = "Generated from $($env:Computername.ToUpper()) on $(Get-Date -format 'yyyy/MM/dd HH:mm:ss')"
$PostContent = "<br><p><font size='2'><i>$NoteLine</i></font>"
We use ConvertTo-HTML cmdlet to get everything together into the $body variable which will be used when sending the email.
$body = $Accounts | ConvertTo-Html -head $Css -PostContent $PostContent -PreContent $PreContent
The report is ready to be sent!
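The four steps above put together, as an added example that is not the author's published script. The OU path, SMTP server and mail addresses are placeholders, the CSS is a minimal stand-in for the stylesheet mentioned above, and the DaysLeft and Manager columns are additions so IT can see who has to extend each account.

```powershell
# Added example, not the author's script. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$Days       = 10
$SearchBase = 'OU=Consultants,DC=example,DC=com'   # placeholder OU
$MailParams = @{                                    # placeholder mail settings
    SmtpServer = 'smtp.example.com'
    From       = 'ad-report@example.com'
    To         = 'it-support@example.com'
    Subject    = "Active Directory - Expiring Users (next $Days days)"
}

# Step 1: user accounts under the OU that expire within the next $Days days
$Expiring = Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $Days) `
                -UsersOnly -SearchBase $SearchBase

# Step 2: nothing is expiring, so stop here and send no email
if (-not $Expiring) { return }

# Step 3: build the report rows, soonest expiration first
$Accounts = foreach ($Account in ($Expiring | Sort-Object AccountExpirationDate)) {
    # Look up the manager (added column, not in the original report)
    $User    = Get-ADUser -Identity $Account.DistinguishedName -Properties Manager
    $Manager = if ($User.Manager) { (Get-ADUser -Identity $User.Manager).Name } else { 'n/a' }
    [pscustomobject]@{
        Name           = $Account.Name
        SamAccountName = $Account.SamAccountName
        Enabled        = $Account.Enabled
        ExpirationDate = $Account.AccountExpirationDate.ToString('yyyy/MM/dd HH:mm')
        DaysLeft       = [math]::Floor(($Account.AccountExpirationDate - (Get-Date)).TotalDays)
        Manager        = $Manager
    }
}

# Minimal stand-in stylesheet, stored with a here-string
$Css = @"
<style>
table { border-collapse: collapse; font-family: sans-serif; }
th, td { border: 1px solid #999; padding: 4px 8px; }
th { background-color: #ddd; }
</style>
"@
$PreContent  = "<h2>Active Directory - Expiring Users (next $Days days)</h2>"
$PostContent = "<p><i>Generated from $($env:COMPUTERNAME.ToUpper()) on $(Get-Date -Format 'yyyy/MM/dd HH:mm:ss')</i></p>"

# Step 4: convert to HTML and send the report to the IT Support team
$Body = $Accounts | ConvertTo-Html -Head $Css -PreContent $PreContent -PostContent $PostContent | Out-String
Send-MailMessage @MailParams -Body $Body -BodyAsHtml
```

Saved as a .ps1 file, this is what the Monday 6 am scheduled task would run, under an account that can read the target OU.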
Download
The script is available on Technet Gallery and GitHub.
Thanks for reading! If you have any questions, leave a comment or send me an email at fxcat@lazywinadmin.com.