Build precise queries to find exactly what you need
Press ESC to close
Your review has been submitted and is pending approval.
Check for Active Directory Accounts using powershell through NRPE / nsclient++: -Account Disabled -Account Expired -Account Expiring -Account Inactive -Locked Out -Password Expired -Password Never Expires Provide performance data to have graphes
Current Version
0.2
Last Release Date
2013-04-29
Owner
Mathieu Chateau
Website
http://www.lotp.fr
License
GPL
Compatible With
Check for Active Directory Accounts using powershell through NRPE / nsclient++:
-Account Disabled -Account Expired -Account Expiring -Account Inactive -Locked Out -Password Expired -Password Never Expires
Provide performance data to have graphes
############################################### Tested Setup:
Monitoring Box: -Centos 6.4 x64 -Nagios 3.4.4 -check_nrpe 2.13 -Centreon 2.4.2
Active Directory: -Windows Server 2008 R2 / Windows Server 2012 -nsclient++ 0.4.1 x64 -AD in 2008 native mode (no impact) -tested on both Core & GUI Servers
###############################################
Scripts arguments The script accept five arguments: -action (LockedOut by default) -searchBase (whole domain by default) -seachScope (subtree by default) -maxWarn (Warning if above) -maxCrit (Critical if above)
action can be: AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires LockedOut if omitted
searchBase can be: dc=mydomain,dc=com or ou=my users,dc=mydomain,dc=com whole domain if omitted
seachScope can be: Base,OneLevel,Subtree Subtree if omitted
maxWarn and maxCrit but me integer
############################################### Local execution example:
PS C:Program FilesNSClient++scripts> . .lotp_check_ad_accounts.ps1 AccountInactive "dc=mydomain,dc=com" subtree 5 10 CRITICAL: 216 AccountInactive|216;5;10 PS C:Program FilesNSClient++scripts>
NRPE execution: [root~]# /usr/lib64/nagios/plugins/check_nrpe -H prd-dom-dc01 -n -c check_ad_account -a AccountInactive "dc=pmside,dc=net" subtree 5 10 CRITICAL: 216 AccountInactive|'AccountInactive'=216;5;10 [root~]#
############################################### Installation: On DC Servers: -copy script in folder C:Program FilesNSClient++scripts -enable powershell script execution without signed : Set-ExecutionPolicy RemoteSigned -Add to nsclient.ini: [/settings/external scripts/wrapped scripts] check_ad_account=lotp_check_ad_accounts.ps1 $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$
############################################### Configuration:
For example, on Centreon: -Add a new command: $USER1$/check_nrpe -H $HOSTADDRESS$ -n -c check_ad_account -a $ARG1$ "$ARG2$" $ARG3$ $ARG4$ $ARG5$
Then add monitoring filling the ARGS. For graph, enable performance data on the monitoring test
thanks for the very usefull script I have to make a little change, result.Count was allways empty $result=invoke-expression $command $SCount = ( $result | Measure-Object -Line).Lines and in the following if and elseif if($SCount -gt $maxCrit) elseif($SCount -gt $maxWarn) write-hoste $output=$state+": "+$SCount+" "+$action+"|"+$action+"="+$SCount+";"+$maxWarn+";"+$maxCrit
Hi I'm getting this error " CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $ " Any help me on this My syntax: ./check_nrpe -H XXXX -c check_ad_account -a AccountInactive "dc=xx,dc=xx,dc=xx,dc=xx" subtree 5 10
I've modified the powershell script so that you can pass an additional parameter of either "UsersOnly" or "ComputersOnly" otherwise it returns values for both users and computers objects. # ==================================================================== # Search in AD for lockedout account. To be used through NRPE / nsclient++ # Author: Mathieu Chateau - LOTP # mail: [email protected] # version 0.1 # ==================================================================== # # Require Set-ExecutionPolicy RemoteSigned.. or sign this script with your PKI # # ============================================================ # # Do not change anything behind that line! # param ( [string]$action = "LockedOut", [string]$accountType = "", [string]$searchBase = "", [string]$searchScope = "Subtree", [int]$maxWarn = 5, [int]$maxCrit = 10 ) # check that powershell ActiveDirectory module is present if(Get-Module -Name "ActiveDirectory" -ListAvailable) { try { Import-Module -Name ActiveDirectory } catch { Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module" exit 2 } } else { Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module" exit 2 } # check params if provided if($action -notmatch "^(AccountDisabled|AccountExpired|AccountExpiring|AccountInactive|LockedOut|PasswordExpired|PasswordNeverExpires)$") { Write-Host "CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $action" exit 2 } if($accountType -notmatch "^(UsersOnly|ComputersOnly)$") { Write-Host "CRITICAL: accountType can only be UsersOnly,ComputersOnly. Provided $acctType" } if($searchScope -notmatch "^(Base|OneLevel|Subtree)$") { Write-Host "CRITICAL: searchScope parameter can only be Base,OneLevel,Subtree. Provided $searchScope" exit 2 } if(($searchBase -ne "") -and $searchBase -ne ((Get-ADDomain).DistinguishedName)) { $search=Get-ADObject -Filter 'ObjectClass -eq "OrganizationalUnit" -and DistinguishedName -eq $searchBase' if ($search.Count -ne 1) { Write-Host "CRITICAL: SearchBase not found or duplicate. Provided $searchBase" exit 2 } } else { $searchBase=(Get-ADDomain).DistinguishedName } $command="Search-ADAccount -"+$action+" -"+$accountType+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope $result=invoke-expression $command if($result.Count -gt $maxCrit) { $state="CRITICAL" $exitcode=2 } elseif($result.Count -gt $maxWarn) { $state="WARNING" $exitcode=1 } else { $state="OK" $exitcode=0 } $output=$state+": "+$result.Count+" "+$action+"|"+$action+"="+$result.Count+";"+$maxWarn+";"+$maxCrit Write-Host $output exit $exitcode
I tried this script with PasswordExpired and I found no result. When I ran: Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'} I do get 1 result. It seems Search-ADAccount and Get-ADUser are giving different results. I tried to change the script: if($action -eq "PasswordExpired") { $command="Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'}" $result=invoke-expression $command } else { $command="Search-ADAccount -"+$action+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope $result=invoke-expression $command } I did not get any result with this change. How can I get the correct response for PasswordExpired accounts?
Works as described!
This useful script gives good control on the state of your AD accounts. I wanted to show a Warning at 1 and Critical at 2 or more errors, ran into a problem with the script. Solution: returning 0 or one element in an array results in a different return variable not supporting the .Count property change the invoke-expression line to $result=@(invoke-expression -Command "$command" -OutBuffer 1000) to correctly process the return value of the script in the NSClient++ call of the powershell script and pass it on we need to use exit $lastexitcode otherwise we are passing on the success of powershell not the return value of the script itself. So the NSClient++ ini file needs to contain lines like this: check_ps_lotp_check_ad_account_disabled=cmd /c echo scriptslotp_check_ad_accounts.ps1 AccountDisabled "cn=AAA,dc=BBB,dc=com" Subtree 0 1; exit $lastexitcode | powershell.exe -noprofile -executionpolicy bypass -command - cn= evaluation is not evaluated by the script, some changes are needed there too or just hardcode the SearchBase variable That's it!
You must be logged in to submit a review.
To:
From:
We’ve completely redesigned the world’s largest repository of Nagios plugins and monitoring tools. Join thousands of users sharing monitoring solutions for servers, applications, and everything in between.
Due to our redesign, all existing accounts require a password reset to access your account again.
Ready to explore 6,100+ projects and contribute to the community?
Reset Password Create Account
Happy Monitoring!