Directory

I've modified the powershell script so that you can pass an additional parameter of either "UsersOnly" or "ComputersOnly" otherwise it returns values for both users and computers objects.

# ====================================================================
# Search in AD for lockedout account. To be used through NRPE / nsclient++
# Author: Mathieu Chateau - LOTP
# mail: mathieu.chateau@lotp.fr
# version 0.1
# ====================================================================

#
# Require Set-ExecutionPolicy RemoteSigned.. or sign this script with your PKI
#

# ============================================================
#
# Do not change anything behind that line!
#
param
(
[string]$action = "LockedOut",
[string]$accountType = "",
[string]$searchBase = "",
[string]$searchScope = "Subtree",
[int]$maxWarn = 5,
[int]$maxCrit = 10
)

# check that powershell ActiveDirectory module is present
if(Get-Module -Name "ActiveDirectory" -ListAvailable)
{
try
{
Import-Module -Name ActiveDirectory
}
catch
{
Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
exit 2
}
}
else
{
Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
exit 2
}

# check params if provided
if($action -notmatch "^(AccountDisabled|AccountExpired|AccountExpiring|AccountInactive|LockedOut|PasswordExpired|PasswordNeverExpires)$")
{
Write-Host "CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $action"
exit 2
}
if($accountType -notmatch "^(UsersOnly|ComputersOnly)$")
{
Write-Host "CRITICAL: accountType can only be UsersOnly,ComputersOnly. Provided $acctType"
}
if($searchScope -notmatch "^(Base|OneLevel|Subtree)$")
{
Write-Host "CRITICAL: searchScope parameter can only be Base,OneLevel,Subtree. Provided $searchScope"
exit 2
}
if(($searchBase -ne "") -and $searchBase -ne ((Get-ADDomain).DistinguishedName))
{
$search=Get-ADObject -Filter 'ObjectClass -eq "OrganizationalUnit" -and DistinguishedName -eq $searchBase'
if ($search.Count -ne 1)
{
Write-Host "CRITICAL: SearchBase not found or duplicate. Provided $searchBase"
exit 2
}
}
else
{
$searchBase=(Get-ADDomain).DistinguishedName
}

$command="Search-ADAccount -"+$action+" -"+$accountType+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope
$result=invoke-expression $command

if($result.Count -gt $maxCrit)
{
$state="CRITICAL"
$exitcode=2
}
elseif($result.Count -gt $maxWarn)
{
$state="WARNING"
$exitcode=1
}
else
{
$state="OK"
$exitcode=0
}

$output=$state+": "+$result.Count+" "+$action+"|"+$action+"="+$result.Count+";"+$maxWarn+";"+$maxCrit
Write-Host $output
exit $exitcode

Work great on a Windows 7 computer... however if you run this on Windows 2012 R2 you will need to modify the registry path the the script looks at from "SOFTWAREMcAfeeAVEngine" to "SOFTWAREWow6432NodeMcAfeeAVEngine".

I have this working great on Windows 2003 with Exchange 2007, however I seem to have an issue running it on Windows 2008 with Exchange 2007.

If I run the command from the "nsclien++ /test" it works fine and the result comes back in a few seconds.

If I run it from the command line on the Nagios server, again it works fine, just takes a lot longer to return the output.

When I then run it as a Nagios check it fails with "(Service Check Timed Out)".

I have the timeout set to 300 seconds.

Not sure why it is failing on 2008.

If you want ot monitor your NetApp then use this. It works great on our NetApp 3170