Restrict scope to specific OU (recursively)

Question

Restrict scope to specific OU (recursively)

bezzoh opened this issue 2 years ago · 6 comments

Is there a way I can modify the audit powershell script to set the scope to a specific OU (or at least 'from' an OU, looking down recursively) rather than the entire AD subtree?

Its good that I can obviously filter by active/inactive accounts, but we retain years (therefore thousands) of inactive users and it therefore takes quite a while to audit.

Thanks in advance

Answer 1 · 2022-12-20T00:36:18.000Z

@bezzoh

Just add a Search root value and specify your OU

$Searcher.SearchRoot = "OU=XXX,DC=XXX"

The full script would look like this

Import-Module LithnetPasswordProtection

$file = "get-pwned-users.csv";

"accountName,UPN,pwdLastSet,lastLogin,accountDisabled" | out-file $file

$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.PageSize = 200
$Searcher.SearchScope = "subtree"
$Searcher.SearchRoot = "OU=XXX,DC=XXX"

$Searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$Attributes = @("PwdLastSet","lastLogonTimeStamp", "userAccountControl", "userPrincipalName", "name")
ForEach($Attribute In $Attributes)
{
    $Searcher.PropertiesToLoad.Add($Attribute) > $Null
}

$Results = $null
$Total = 0
$NumChanged = 0

$Searcher.FindAll() | % {
    $user = $_.Properties["UserPrincipalName"][0]

    if ($user -eq $null)
    {
        write-warning "User $($_.Properties["Name"][0]) has a null UPN";
        return;
    }

    $result = Test-IsADUserPasswordCompromised -UPN $user -server localhost 
    
    $pwdLastSet = $null
    $lastLogin = $null
    $disabled = $false;

    if ($_.Properties["PwdLastSet"][0] -gt 0)
    {
        $pwdLastSet = [DateTime]::FromFileTimeUtc($_.Properties["pwdLastSet"][0]).ToLocalTime()
    }

    if ($_.Properties["lastLogonTimeStamp"][0] -gt 0)
    {
        $lastLogin = [DateTime]::FromFileTimeUtc($_.Properties["lastLogonTimeStamp"][0]).ToLocalTime()
    }

    if (($_.Properties["userAccountControl"][0] -band 2) -eq 2)
    {
        $disabled = $true;
    }

    if ($result -ne $true)
    {  
        return;
    }

    $message = "$($_.Properties["Name"][0]),$user,$pwdLastSet,$lastLogin,$disabled"
    Write-Output $message
    $message | out-file $file -Append
}

Answer 2 · 2022-12-20T10:04:48.000Z

Awesome. Thanks again for the assist!

Answer 3 · 2022-12-21T08:33:01.000Z

Actually, I've given this a try.. Don't think I'm doing anything wrong, but I'm getting the following if trying to implement this;

Exception calling "FindAll" with "0" argument(s): "Unspecified error
"
At C:\support\Scripts\Get-Pwned-Staff.ps1:23 char:1

$Searcher.FindAll() | % {

  + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
  + FullyQualifiedErrorId : COMException

Answer 4 · 2022-12-21T09:14:22.000Z

Are you using the full DN of the OU?

Answer 5 · 2022-12-21T09:17:41.000Z

Oh you might need to prefix the DN with "LDAP://"

Answer 6 · 2022-12-21T09:27:20.000Z

Thats done it, needed the prefix. Thanks once again for the quick support. Really helpful!