Home Directory Plugins Operating Systems Windows NRPE Check Active Directory Accounts

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Check Active Directory Accounts

Current Version
0.2
Last Release Date
2013-04-29
Compatible With
  • Nagios 3.x
License
GPL
Hits
47292
Files:
FileDescription
lotp_check_ad_accounts.ps1lotp_check_ad_accounts.ps1
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Check for Active Directory Accounts using powershell through NRPE / nsclient++:

-Account Disabled
-Account Expired
-Account Expiring
-Account Inactive
-Locked Out
-Password Expired
-Password Never Expires

Provide performance data to have graphes
Check for Active Directory Accounts using powershell through NRPE / nsclient++:

-Account Disabled
-Account Expired
-Account Expiring
-Account Inactive
-Locked Out
-Password Expired
-Password Never Expires

Provide performance data to have graphes

###############################################
Tested Setup:

Monitoring Box:
-Centos 6.4 x64
-Nagios 3.4.4
-check_nrpe 2.13
-Centreon 2.4.2

Active Directory:
-Windows Server 2008 R2 / Windows Server 2012
-nsclient++ 0.4.1 x64
-AD in 2008 native mode (no impact)
-tested on both Core & GUI Servers

###############################################

Scripts arguments
The script accept five arguments:
-action (LockedOut by default)
-searchBase (whole domain by default)
-seachScope (subtree by default)
-maxWarn (Warning if above)
-maxCrit (Critical if above)

action can be:
AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires
LockedOut if omitted

searchBase can be:
dc=mydomain,dc=com or ou=my users,dc=mydomain,dc=com
whole domain if omitted

seachScope can be:
Base,OneLevel,Subtree
Subtree if omitted

maxWarn and maxCrit but me integer


###############################################
Local execution example:

PS C:Program FilesNSClient++scripts> . .lotp_check_ad_accounts.ps1 AccountInactive "dc=mydomain,dc=com" subtree 5 10
CRITICAL: 216 AccountInactive|216;5;10
PS C:Program FilesNSClient++scripts>


NRPE execution:
[root~]# /usr/lib64/nagios/plugins/check_nrpe -H prd-dom-dc01 -n -c check_ad_account -a AccountInactive "dc=pmside,dc=net" subtree 5 10
CRITICAL: 216 AccountInactive|'AccountInactive'=216;5;10
[root~]#

###############################################
Installation:
On DC Servers:
-copy script in folder C:Program FilesNSClient++scripts
-enable powershell script execution without signed : Set-ExecutionPolicy RemoteSigned
-Add to nsclient.ini:
[/settings/external scripts/wrapped scripts]
check_ad_account=lotp_check_ad_accounts.ps1 $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$

###############################################
Configuration:

For example, on Centreon:
-Add a new command:
$USER1$/check_nrpe -H $HOSTADDRESS$ -n -c check_ad_account -a $ARG1$ "$ARG2$" $ARG3$ $ARG4$ $ARG5$

Then add monitoring filling the ARGS.
For graph, enable performance data on the monitoring test









Reviews (5)
Hi I'm getting this error " CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $ "

Any help me on this

My syntax: ./check_nrpe -H XXXX -c check_ad_account -a AccountInactive "dc=xx,dc=xx,dc=xx,dc=xx" subtree 5 10
I've modified the powershell script so that you can pass an additional parameter of either "UsersOnly" or "ComputersOnly" otherwise it returns values for both users and computers objects.

# ====================================================================
# Search in AD for lockedout account. To be used through NRPE / nsclient++
# Author: Mathieu Chateau - LOTP
# mail: mathieu.chateau@lotp.fr
# version 0.1
# ====================================================================

#
# Require Set-ExecutionPolicy RemoteSigned.. or sign this script with your PKI
#

# ============================================================
#
# Do not change anything behind that line!
#
param
(
[string]$action = "LockedOut",
[string]$accountType = "",
[string]$searchBase = "",
[string]$searchScope = "Subtree",
[int]$maxWarn = 5,
[int]$maxCrit = 10
)

# check that powershell ActiveDirectory module is present
if(Get-Module -Name "ActiveDirectory" -ListAvailable)
{
try
{
Import-Module -Name ActiveDirectory
}
catch
{
Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
exit 2
}
}
else
{
Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
exit 2
}

# check params if provided
if($action -notmatch "^(AccountDisabled|AccountExpired|AccountExpiring|AccountInactive|LockedOut|PasswordExpired|PasswordNeverExpires)$")
{
Write-Host "CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $action"
exit 2
}
if($accountType -notmatch "^(UsersOnly|ComputersOnly)$")
{
Write-Host "CRITICAL: accountType can only be UsersOnly,ComputersOnly. Provided $acctType"
}
if($searchScope -notmatch "^(Base|OneLevel|Subtree)$")
{
Write-Host "CRITICAL: searchScope parameter can only be Base,OneLevel,Subtree. Provided $searchScope"
exit 2
}
if(($searchBase -ne "") -and $searchBase -ne ((Get-ADDomain).DistinguishedName))
{
$search=Get-ADObject -Filter 'ObjectClass -eq "OrganizationalUnit" -and DistinguishedName -eq $searchBase'
if ($search.Count -ne 1)
{
Write-Host "CRITICAL: SearchBase not found or duplicate. Provided $searchBase"
exit 2
}
}
else
{
$searchBase=(Get-ADDomain).DistinguishedName
}

$command="Search-ADAccount -"+$action+" -"+$accountType+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope
$result=invoke-expression $command

if($result.Count -gt $maxCrit)
{
$state="CRITICAL"
$exitcode=2
}
elseif($result.Count -gt $maxWarn)
{
$state="WARNING"
$exitcode=1
}
else
{
$state="OK"
$exitcode=0
}

$output=$state+": "+$result.Count+" "+$action+"|"+$action+"="+$result.Count+";"+$maxWarn+";"+$maxCrit
Write-Host $output
exit $exitcode
I tried this script with PasswordExpired and I found no result. When I ran:

Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'}

I do get 1 result. It seems Search-ADAccount and Get-ADUser are giving different results.

I tried to change the script:

if($action -eq "PasswordExpired")
{
$command="Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'}"
$result=invoke-expression $command
}
else
{
$command="Search-ADAccount -"+$action+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope
$result=invoke-expression $command
}

I did not get any result with this change. How can I get the correct response for PasswordExpired accounts?
byjlovegrove, January 5, 2015
Works as described!
This useful script gives good control on the state of your AD accounts. I wanted to show a Warning at 1 and Critical at 2 or more errors, ran into a problem with the script.

Solution:

returning 0 or one element in an array results in a different return variable not supporting the .Count property

change the invoke-expression line to
$result=@(invoke-expression -Command "$command" -OutBuffer 1000)

to correctly process the return value of the script in the NSClient++ call of the powershell script and pass it on we need to use exit $lastexitcode otherwise we are passing on the success of powershell not the return value of the script itself.

So the NSClient++ ini file needs to contain lines like this:

check_ps_lotp_check_ad_account_disabled=cmd /c echo scripts\lotp_check_ad_accounts.ps1 AccountDisabled "cn=AAA,dc=BBB,dc=com" Subtree 0 1; exit $lastexitcode | powershell.exe -noprofile -executionpolicy bypass -command -

cn= evaluation is not evaluated by the script, some changes are needed there too or just hardcode the SearchBase variable

That's it!