PowerShell - Report Expiring User accounts
In the video game industry it is common practice to hire consultants to take care of Quality Assurance, meaning the software engineering processes and methods used to ensure quality. Those people are most likely testers and usually spend most of their day testing games in development to find bugs.
The problem is that, once in a while, managers forget to update the expiration dates of their consultants/external partners, even after a couple of reminders. Since we have an automated process taking care of the off-boarding (thanks to PowerShell! ;-)), it becomes fun when those people can't connect to their accounts on Monday morning and have lost all their access.
So I wrote a tiny script to report any expiring user accounts and send it to the IT department every Monday morning, just to give us a heads up.
Report Example
How does this work?
Summary
This script retrieves all the users under a specified Organizational Unit and looks for any account expiring within the specified time span (by default I set it to 10 days).
If some accounts are found, the script generates an HTML report and sends it via email.
You will also need to create a scheduled task to run the script at the desired frequency; in my case it runs every Monday at 6 am.
Step by Step
- Look for user accounts expiring in the next 10 days using the cmdlet Search-ADAccount (from the Active Directory Module)
- If some accounts are found, continue; else stop
- Generate an HTML report
- Send the report to the IT Support team
Workflow
Finding Expiring Account
I am using the very neat cmdlet Search-ADAccount. This cmdlet is included in the Active Directory Module and comes with some very cool parameters.
Notice the -AccountExpiring parameter; that's what we need for our little script.
We can get more information by checking out the help.
With the -AccountExpiring parameter we can use either the -DateTime or the -TimeSpan parameter to specify the time range.
# Search for accounts expiring before 2015/05/26
Search-ADAccount -AccountExpiring -DateTime "2015/05/26"
# Search for accounts expiring within the next 10 days (format is days.hours:minutes:seconds)
Search-ADAccount -AccountExpiring -TimeSpan "10.00:00:00"
Ok we got the expiring accounts, now we need to generate a report.
Creating the report
The above output can be easily converted to HTML using the cmdlet ConvertTo-HTML, but before we do this, I need to find a nice and simple CSS to make my report look nice :-)
A quick Google search led me to this little piece of code below (found on http://www.textfixer.com/tutorials/css-tables.php)
I'm adding this piece of code into the variable $CSS using the here-string construction method.
Here-String construction lets you bypass the complexities involved in assigning a multi-line string value to a variable.
Almost there! The next step is to add a title above our report and a footnote to display the source and the generated date/time.
# Define the Title of the report
$PreContent = "<Title>Active Directory - Expiring Users (next $days days)</Title>"
# Add a small line at the end to show the source of the report
$NoteLine = "Generated from $($env:Computername.ToUpper()) on $(Get-Date -format 'yyyy/MM/dd HH:mm:ss')"
$PostContent = "<br><p><font size='2'><i>$NoteLine</i></font>"
We use the ConvertTo-HTML cmdlet to get everything together into the $body variable, which will be used when sending the email.
$body = $Accounts |
    ConvertTo-Html -head $Css -PostContent $PostContent -PreContent $PreContent
The report is ready to be sent!
Download
The script is available on Technet Gallery and GitHub