PowerShell: generating an AD account status report
Most enterprises create service accounts in AD, for example a dedicated account for the backup system and another for the monitoring system. If these service accounts are not monitored properly they fall into disrepair: nobody remembers who owns them, their passwords are never rotated, and they keep group memberships that nobody reviews. In the end they become a security liability. My approach to this problem is:
1) Put all service accounts in a dedicated OU, for example Service Accounts.
2) Always write a detailed, clear description on the account, for example "This account is for the backup system, created by Jackie Chen", so the owner and purpose can be found without asking around.
3) Schedule the following PowerShell script to run periodically. It generates a .csv report containing the account name, description, creation date, the date the password was last set, and group membership.
4) Import the .csv report into Excel and use Excel's filter feature for the analysis (for example: passwords not set for more than a year, accounts with no description, membership in privileged groups).
```powershell
cls

# Search the dedicated OU for user accounts. (objectCategory=person)(objectClass=user)
# is the standard filter for user objects; it excludes computers and contacts.
$searcher = New-Object DirectoryServices.DirectorySearcher("")
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.SearchRoot = New-Object DirectoryServices.DirectoryEntry("LDAP://OU=Service Accounts,DC=Test,DC=Com")
$searcher.CacheResults = $true
$searcher.SearchScope = "Subtree"
$searcher.PageSize = 1000      # paged search, otherwise results stop at the server limit (1000 by default)
$userlist = $searcher.FindAll()

# Quote a field so a comma or quote inside a description or group DN does not break the CSV.
function Format-CsvField([string]$s) { '"' + $s.Replace('"', '""') + '"' }

# pwdLastSet and lastLogonTimestamp are Windows FILETIME integers; 0 means "never".
function ConvertFrom-FileTime($value) {
    if ($null -eq $value -or [int64]$value -eq 0) { return "never" }
    [datetime]::FromFileTime([int64]$value).ToString("yyyy-MM-dd HH:mm:ss")
}

$date = Get-Date -Format "yyyy-MM-dd HH:mm"
$report = "service_accounts.csv"
"SERVICE_ACCOUNTS_LIST Updated on $date" | Out-File $report -Encoding UTF8
"Name,Descriptions,Account_Created_Date,Password_Lastset_Date,Last_Logon_Date,Member_of" | Out-File $report -Append -Encoding UTF8

foreach ($user in $userlist) {
    $p = $user.Properties     # property names in a SearchResult are lower-case

    $name = [string]$p.cn[0]

    # Description is optional in AD; "N/A" marks accounts nobody documented.
    $notes = if ($p.Contains("description")) { [string]$p.description[0] } else { "N/A" }

    $whencreated = ([datetime]$p.whencreated[0]).ToString("yyyy-MM-dd HH:mm:ss")

    $pwdlastset = if ($p.Contains("pwdlastset")) { ConvertFrom-FileTime $p.pwdlastset[0] } else { "never" }

    # lastLogonTimestamp is replicated to every DC but only refreshed when the stored
    # value is more than 9-14 days old, so read it as "last logon, give or take two weeks".
    $lastlogon = if ($p.Contains("lastlogontimestamp")) { ConvertFrom-FileTime $p.lastlogontimestamp[0] } else { "never" }

    # memberOf is multi-valued; calling ToString() on the collection would only yield
    # "System.Object[]", so join every group DN with ";" instead.
    $memberof = if ($p.Contains("memberof")) { @($p.memberof | ForEach-Object { [string]$_ }) -join ";" } else { "N/A" }

    $fields = @($name, $notes, $whencreated, $pwdlastset, $lastlogon, $memberof) | ForEach-Object { Format-CsvField $_ }
    ($fields -join ",") | Out-File $report -Append -Encoding UTF8
}

$userlist.Dispose()
```
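Step 4 leaves the analysis to Excel filters. As an added example that is not part of the original post, the following PowerShell applies the same checks directly to the report rows and lists only the accounts that need attention: no description, password never set or older than a year, no logon in 90 days, or membership in a privileged group. The thresholds, the privileged-group list and the sample rows are assumptions made up for this example; the function expects the report's column names (including a Last_Logon_Date column) with dates written as yyyy-MM-dd HH:mm:ss.

```powershell
# Added example, not from the original post: flag stale or risky service accounts
# from the report rows instead of filtering by hand in Excel.
# Thresholds and the privileged-group list are assumptions; adjust to local policy.
$PasswordMaxAgeDays = 365
$LogonStaleDays     = 90
$PrivilegedGroups   = @("Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators")

# Parse the date format the report script writes; "never" (or empty) comes back as $null.
function ConvertFrom-ReportDate([string]$s) {
    if ([string]::IsNullOrEmpty($s) -or $s -eq "never") { return $null }
    [datetime]::ParseExact($s, "yyyy-MM-dd HH:mm:ss", [cultureinfo]::InvariantCulture)
}

function Get-ServiceAccountFindings {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rows,   # objects carrying the report's column names
        [datetime] $Now = (Get-Date)
    )
    foreach ($r in $Rows) {
        $findings = @()

        if ($r.Descriptions -eq "N/A") { $findings += "no description (owner unknown)" }

        $pwd = ConvertFrom-ReportDate $r.Password_Lastset_Date
        if ($null -eq $pwd) { $findings += "password never set" }
        elseif (($Now - $pwd).TotalDays -gt $PasswordMaxAgeDays) { $findings += "password older than $PasswordMaxAgeDays days" }

        $logon = ConvertFrom-ReportDate $r.Last_Logon_Date
        if ($null -eq $logon) { $findings += "no recorded logon" }
        elseif (($Now - $logon).TotalDays -gt $LogonStaleDays) { $findings += "no logon in $LogonStaleDays days (lastLogonTimestamp, +/- 14 days)" }

        # Member_of holds group DNs separated by ";": take the CN of each and compare.
        foreach ($dn in ($r.Member_of -split ";")) {
            if (($dn -match "^CN=([^,]+)") -and ($PrivilegedGroups -contains $Matches[1])) {
                $findings += "member of privileged group '$($Matches[1])'"
            }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Name = $r.Name; Findings = ($findings -join "; ") }
        }
    }
}

# Constructed sample rows in the report's column layout (not real accounts).
$sample = @(
    [pscustomobject]@{ Name = "svc_backup";  Descriptions = "Backup system, created by Jackie Chen"; Account_Created_Date = "2019-03-02 10:00:00"; Password_Lastset_Date = "2019-03-02 10:05:00"; Last_Logon_Date = "2024-05-20 02:00:00"; Member_of = "CN=Backup Operators,CN=Builtin,DC=Test,DC=Com" }
    [pscustomobject]@{ Name = "svc_monitor"; Descriptions = "N/A";                                   Account_Created_Date = "2021-07-14 09:00:00"; Password_Lastset_Date = "2024-01-10 09:00:00"; Last_Logon_Date = "2023-11-01 08:00:00"; Member_of = "CN=Monitoring,OU=Groups,DC=Test,DC=Com" }
    [pscustomobject]@{ Name = "svc_etl";     Descriptions = "Nightly ETL, created by Jackie Chen";   Account_Created_Date = "2024-02-01 12:00:00"; Password_Lastset_Date = "2024-02-01 12:00:00"; Last_Logon_Date = "2024-05-31 01:00:00"; Member_of = "N/A" }
)
Get-ServiceAccountFindings -Rows $sample -Now ([datetime]"2024-06-01") | Format-Table -AutoSize

# Against the real report: skip the "Updated on" title line, then parse the CSV.
# Get-ServiceAccountFindings -Rows (Get-Content service_accounts.csv | Select-Object -Skip 1 | ConvertFrom-Csv)
```

With the sample rows, svc_backup is reported for its old password and for Backup Operators membership, svc_monitor for the missing description and the stale logon, and svc_etl is not reported at all. Because lastLogonTimestamp lags the real last logon by up to two weeks, a logon-based finding is a prompt to ask the owner, not proof that the account is unused.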