Check Active Directory Accounts

thanks for the very usefull script
I have to make a little change, result.Count was allways empty

$result=invoke-expression $command
$SCount = ( $result | Measure-Object -Line).Lines
and in the following if and elseif
if($SCount -gt $maxCrit)
elseif($SCount -gt $maxWarn)
write-hoste
$output=$state+": "+$SCount+" "+$action+"|"+$action+"="+$SCount+";"+$maxWarn+";"+$maxCrit

Hi I'm getting this error " CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $ "

Any help me on this

My syntax: ./check_nrpe -H XXXX -c check_ad_account -a AccountInactive "dc=xx,dc=xx,dc=xx,dc=xx" subtree 5 10

I've modified the powershell script so that you can pass an additional parameter of either "UsersOnly" or "ComputersOnly" otherwise it returns values for both users and computers objects.

# ====================================================================
# Search in AD for lockedout account. To be used through NRPE / nsclient++
# Author: Mathieu Chateau - LOTP
# mail: [email protected]
# version 0.1
# ====================================================================

#
# Require Set-ExecutionPolicy RemoteSigned.. or sign this script with your PKI
#

# ============================================================
#
# Do not change anything behind that line!
#
param
(
[string]$action = "LockedOut",
[string]$accountType = "",
[string]$searchBase = "",
[string]$searchScope = "Subtree",
[int]$maxWarn = 5,
[int]$maxCrit = 10
)

# check that powershell ActiveDirectory module is present
if(Get-Module -Name "ActiveDirectory" -ListAvailable)
{
try
{
Import-Module -Name ActiveDirectory
}
catch
{
Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
exit 2
}
}
else
{
Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
exit 2
}

# check params if provided
if($action -notmatch "^(AccountDisabled|AccountExpired|AccountExpiring|AccountInactive|LockedOut|PasswordExpired|PasswordNeverExpires)$")
{
Write-Host "CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $action"
exit 2
}
if($accountType -notmatch "^(UsersOnly|ComputersOnly)$")
{
Write-Host "CRITICAL: accountType can only be UsersOnly,ComputersOnly. Provided $acctType"
}
if($searchScope -notmatch "^(Base|OneLevel|Subtree)$")
{
Write-Host "CRITICAL: searchScope parameter can only be Base,OneLevel,Subtree. Provided $searchScope"
exit 2
}
if(($searchBase -ne "") -and $searchBase -ne ((Get-ADDomain).DistinguishedName))
{
$search=Get-ADObject -Filter 'ObjectClass -eq "OrganizationalUnit" -and DistinguishedName -eq $searchBase'
if ($search.Count -ne 1)
{
Write-Host "CRITICAL: SearchBase not found or duplicate. Provided $searchBase"
exit 2
}
}
else
{
$searchBase=(Get-ADDomain).DistinguishedName
}

$command="Search-ADAccount -"+$action+" -"+$accountType+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope
$result=invoke-expression $command

if($result.Count -gt $maxCrit)
{
$state="CRITICAL"
$exitcode=2
}
elseif($result.Count -gt $maxWarn)
{
$state="WARNING"
$exitcode=1
}
else
{
$state="OK"
$exitcode=0
}

$output=$state+": "+$result.Count+" "+$action+"|"+$action+"="+$result.Count+";"+$maxWarn+";"+$maxCrit
Write-Host $output
exit $exitcode

I tried this script with PasswordExpired and I found no result. When I ran:

Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'}

I do get 1 result. It seems Search-ADAccount and Get-ADUser are giving different results.

I tried to change the script:

if($action -eq "PasswordExpired")
{
$command="Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'}"
$result=invoke-expression $command
}
else
{
$command="Search-ADAccount -"+$action+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope
$result=invoke-expression $command
}

I did not get any result with this change. How can I get the correct response for PasswordExpired accounts?

Works as described!

This useful script gives good control on the state of your AD accounts. I wanted to show a Warning at 1 and Critical at 2 or more errors, ran into a problem with the script.

Solution:

returning 0 or one element in an array results in a different return variable not supporting the .Count property

change the invoke-expression line to
$result=@(invoke-expression -Command "$command" -OutBuffer 1000)

to correctly process the return value of the script in the NSClient++ call of the powershell script and pass it on we need to use exit $lastexitcode otherwise we are passing on the success of powershell not the return value of the script itself.

So the NSClient++ ini file needs to contain lines like this:

check_ps_lotp_check_ad_account_disabled=cmd /c echo scriptslotp_check_ad_accounts.ps1 AccountDisabled "cn=AAA,dc=BBB,dc=com" Subtree 0 1; exit $lastexitcode | powershell.exe -noprofile -executionpolicy bypass -command -

cn= evaluation is not evaluated by the script, some changes are needed there too or just hardcode the SearchBase variable

That's it!