Active Directory User Analysis Tool

<#
.SYNOPSIS
Active Directory User Analysis Tool

.DESCRIPTION
This script analyzes user accounts in Active Directory, providing detailed information
about user properties, group memberships, account statuses, and potential security issues.

.NOTES
File Name      : ADUserAnalyzer.ps1
Author         : [Your Name]
Prerequisite   : PowerShell V5.1 or later, Active Directory module, and appropriate AD permissions
Version        : 1.0
Date           : [Current Date]

.EXAMPLE
.\ADUserAnalyzer.ps1
#>

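# Import required modules
# Fail fast: without the ActiveDirectory module every analysis below would
# error one cmdlet at a time. Import-Module's default is a non-terminating
# error, so the script would otherwise carry on with an unusable menu.
Import-Module ActiveDirectory -ErrorAction Stop

# Global variables
# The report path is fixed once per run, so repeated report generations in the
# same session overwrite the same file. The report contains a full account
# inventory (names, e-mail addresses, privileged group membership); the Desktop
# is a convenient but not access-restricted location for it.
$global:reportPath = Join-Path -Path "$env:USERPROFILE\Desktop" -ChildPath ("AD_User_Analysis_Report_{0}.html" -f (Get-Date -Format 'yyyyMMdd_HHmmss'))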

<#
.SYNOPSIS
Displays the main menu of the tool.

.DESCRIPTION
Clears the console and prints the numbered list of analyses the main loop
dispatches on. Console output only; nothing is returned.
#>
function Show-Menu {
    $menuItems = @(
        'Analyze User Account Statuses',
        'Check Password Policies Compliance',
        'Analyze Group Memberships',
        'Identify Inactive User Accounts',
        'Check for Privileged Accounts',
        'Analyze User Account Properties',
        'Check for Expired Accounts',
        'Generate Comprehensive HTML Report',
        'Exit'
    )

    Clear-Host
    Write-Host "=== Active Directory User Analysis Tool ===" -ForegroundColor Cyan
    # Numbering starts at 1 to match the choices read by the main loop.
    for ($index = 0; $index -lt $menuItems.Count; $index++) {
        Write-Host ("{0}. {1}" -f ($index + 1), $menuItems[$index])
    }
}

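<#
.SYNOPSIS
Analyzes user account statuses.

.DESCRIPTION
Queries every user object in the domain and reports the per-account flags an
audit looks at first: Enabled, LockedOut, PasswordExpired and
PasswordNeverExpires, plus PasswordNotRequired (a blank password is permitted)
and DoesNotRequirePreAuth (Kerberos pre-authentication disabled). The last two
weaken the domain's credential protections and are normally expected to be
false. A table is written to the host; the objects are the function's output.

.OUTPUTS
Array of PSObjects containing user account status details. Nothing is returned
when the query fails (the error is printed) or the domain has no users.
#>
function Analyze-UserAccountStatuses {
    Write-Host "`nAnalyzing User Account Statuses..." -ForegroundColor Yellow
    $wanted = @(
        'Enabled', 'LockedOut', 'PasswordExpired', 'PasswordNeverExpires',
        'PasswordNotRequired', 'DoesNotRequirePreAuth'
    )
    try {
        # -ErrorAction Stop makes a failed query catchable instead of a
        # non-terminating error followed by an empty, misleading table.
        $users = Get-ADUser -Filter * -Properties $wanted -ErrorAction Stop
    } catch {
        Write-Host "Failed to query users: $($_.Exception.Message)" -ForegroundColor Red
        return @()
    }

    # Emit objects from the loop instead of "+=" on an array, which re-copies
    # the whole array on every iteration. @() keeps a single result an array.
    $statuses = @(foreach ($user in $users) {
        [PSCustomObject]@{
            Username              = $user.SamAccountName
            Enabled               = $user.Enabled
            LockedOut             = $user.LockedOut
            PasswordExpired       = $user.PasswordExpired
            PasswordNeverExpires  = $user.PasswordNeverExpires
            PasswordNotRequired   = $user.PasswordNotRequired
            DoesNotRequirePreAuth = $user.DoesNotRequirePreAuth
        }
    })

    # Out-Host keeps Format-Table's formatting objects off the success stream;
    # without it they are returned together with $statuses and show up as junk
    # rows in the HTML report.
    $statuses | Format-Table -AutoSize | Out-Host
    return $statuses
}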

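<#
.SYNOPSIS
Checks password policies compliance.

.DESCRIPTION
Compares each user's password age against the maximum password age of the
policy that actually applies to that user: a fine-grained password policy
(PSO) when one is assigned, otherwise the default domain policy. Accounts
whose password was never set (or must be changed at next logon) are reported
as "Never set" instead of being dropped, and a policy with no maximum age is
reported as not applicable rather than marking every user non-compliant.

.OUTPUTS
Array of PSObjects containing password policy compliance details.
CompliantMaxAge is $true/$false, or a string starting with "N/A" when the
check does not apply.
#>
function Check-PasswordPoliciesCompliance {
    Write-Host "`nChecking Password Policies Compliance..." -ForegroundColor Yellow
    try {
        $defaultPolicy = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
        $users = Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires -ErrorAction Stop
    } catch {
        Write-Host "Failed to query password policy or users: $($_.Exception.Message)" -ForegroundColor Red
        return @()
    }
    # One timestamp for the whole run so every age is measured the same way.
    $now = Get-Date

    $compliance = @(foreach ($user in $users) {
        # A PSO overrides the domain default. The cmdlet returns nothing when no
        # PSO applies, so fall back to the default policy. This is one extra
        # directory call per user; acceptable for an interactive audit.
        $policy = Get-ADUserResultantPasswordPolicy -Identity $user -ErrorAction SilentlyContinue
        if (-not $policy) { $policy = $defaultPolicy }
        $maxAgeDays = $policy.MaxPasswordAge.Days

        if ($null -eq $user.PasswordLastSet) {
            # pwdLastSet is 0: never set, or flagged "must change at next logon".
            $ageText = 'Never set'
            $compliant = 'N/A (never set)'
        } else {
            $ageDays = ($now - $user.PasswordLastSet).Days
            $ageText = "$ageDays days"
            if ($user.PasswordNeverExpires) {
                $compliant = "N/A"
            } elseif ($maxAgeDays -le 0) {
                # A MaxPasswordAge of zero means the policy never expires passwords.
                $compliant = 'N/A (no max age)'
            } else {
                $compliant = $ageDays -le $maxAgeDays
            }
        }

        [PSCustomObject]@{
            Username             = $user.SamAccountName
            PasswordLastSet      = $user.PasswordLastSet
            PasswordAge          = $ageText
            CompliantMaxAge      = $compliant
            PasswordNeverExpires = $user.PasswordNeverExpires
        }
    })

    # Out-Host keeps the formatting objects out of the function's output.
    $compliance | Format-Table -AutoSize | Out-Host
    return $compliance
}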

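<#
.SYNOPSIS
Analyzes group memberships.

.DESCRIPTION
Lists, per user, the groups named in the user's MemberOf attribute. MemberOf
holds direct memberships only: nested group membership is not expanded and the
primary group (usually Domain Users) is not included. Group DNs are resolved to
names once each and cached, and a DN that cannot be resolved (for example a
group in another domain of the forest) is reported as the raw DN instead of
being dropped.

.OUTPUTS
Array of PSObjects containing group membership details.
#>
function Analyze-GroupMemberships {
    Write-Host "`nAnalyzing Group Memberships..." -ForegroundColor Yellow
    try {
        $users = Get-ADUser -Filter * -Properties MemberOf -ErrorAction Stop
    } catch {
        Write-Host "Failed to query users: $($_.Exception.Message)" -ForegroundColor Red
        return @()
    }

    # Group DN -> name cache: the same groups recur across users, so resolve
    # each DN once rather than once per membership.
    $groupNames = @{}
    $memberships = @(foreach ($user in $users) {
        $groups = @(foreach ($dn in $user.MemberOf) {
            if (-not $groupNames.ContainsKey($dn)) {
                $group = Get-ADGroup -Identity $dn -ErrorAction SilentlyContinue
                $groupNames[$dn] = if ($group) { $group.Name } else { $dn }
            }
            $groupNames[$dn]
        })
        [PSCustomObject]@{
            Username   = $user.SamAccountName
            GroupCount = $groups.Count
            Groups     = $groups -join ", "
        }
    })

    # Out-Host keeps the formatting objects out of the function's output.
    $memberships | Format-Table -AutoSize | Out-Host
    return $memberships
}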

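<#
.SYNOPSIS
Identifies inactive user accounts.

.DESCRIPTION
Reports enabled accounts whose LastLogonDate is older than -InactiveDays, and
enabled accounts that have never logged on at all. LastLogonDate is derived
from lastLogonTimestamp, which is only replicated when it is more than roughly
9-14 days stale, so the reported date is accurate to within that window and
is not the exact last logon.

.PARAMETER InactiveDays
Number of days without a logon after which an account counts as inactive.
Defaults to 90.

.OUTPUTS
Array of PSObjects containing inactive user account details.
DaysSinceLastLogon is an integer, or the string "Never logged on" when the
account has no LastLogonDate.
#>
function Identify-InactiveUserAccounts {
    param([int]$InactiveDays = 90)

    Write-Host "`nIdentifying Inactive User Accounts..." -ForegroundColor Yellow
    $now = Get-Date
    $inactiveThreshold = $now.AddDays(-$InactiveDays)
    try {
        $users = Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate -ErrorAction Stop
    } catch {
        Write-Host "Failed to query users: $($_.Exception.Message)" -ForegroundColor Red
        return @()
    }

    $inactiveUsers = @(foreach ($user in $users) {
        if ($null -eq $user.LastLogonDate) {
            # Never logged on. Subtracting from a $null date failed in the
            # original, so these accounts were not reported even though they
            # are exactly the stale accounts an audit wants to see.
            [PSCustomObject]@{
                Username           = $user.SamAccountName
                LastLogonDate      = $null
                DaysSinceLastLogon = 'Never logged on'
            }
        } elseif ($user.LastLogonDate -lt $inactiveThreshold) {
            [PSCustomObject]@{
                Username           = $user.SamAccountName
                LastLogonDate      = $user.LastLogonDate
                DaysSinceLastLogon = ($now - $user.LastLogonDate).Days
            }
        }
    })

    # Out-Host keeps the formatting objects out of the function's output.
    $inactiveUsers | Format-Table -AutoSize | Out-Host
    return $inactiveUsers
}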

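<#
.SYNOPSIS
Checks for privileged accounts.

.DESCRIPTION
Expands each group in -PrivilegedGroups recursively (nested groups included)
and lists every user object found, one row per user/group pair, so a user in
several privileged groups appears once per group. Non-user members (computers,
managed service accounts) are left out. A group that cannot be enumerated is
reported and skipped rather than aborting the whole check.

.PARAMETER PrivilegedGroups
Group names to expand. Defaults to Domain Admins, Enterprise Admins, Schema
Admins and Administrators. Enterprise Admins and Schema Admins exist only in
the forest root domain. Other AdminSDHolder-protected groups (for example
Account Operators, Backup Operators, Server Operators) can be passed here for
a wider review.

.OUTPUTS
Array of PSObjects containing privileged account details.
#>
function Check-PrivilegedAccounts {
    param([string[]]$PrivilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"))

    Write-Host "`nChecking for Privileged Accounts..." -ForegroundColor Yellow
    $privilegedAccounts = @(foreach ($group in $PrivilegedGroups) {
        try {
            # Get-ADGroupMember is known to fail on very large groups (ADWS
            # member-enumeration limit); the catch reports that instead of
            # silently returning partial data.
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq "user" }
        } catch {
            Write-Host "Could not enumerate '$group': $($_.Exception.Message)" -ForegroundColor Red
            continue
        }
        foreach ($member in $members) {
            [PSCustomObject]@{
                Username        = $member.SamAccountName
                PrivilegedGroup = $group
            }
        }
    })

    # Out-Host keeps the formatting objects out of the function's output.
    $privilegedAccounts | Format-Table -AutoSize | Out-Host
    return $privilegedAccounts
}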

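<#
.SYNOPSIS
Analyzes user account properties.

.DESCRIPTION
Reports identity and organisational attributes for every user: name, e-mail,
department, title, manager (resolved to a display name) and the created /
last-modified timestamps. Only the attributes that are reported are requested
from the directory, and each distinct manager DN is resolved once.

.OUTPUTS
Array of PSObjects containing user account property details. Manager is "N/A"
when no manager is set, and the raw DN when the manager cannot be resolved.
#>
function Analyze-UserAccountProperties {
    Write-Host "`nAnalyzing User Account Properties..." -ForegroundColor Yellow
    # "-Properties *" pulled every attribute (including large binary ones) for
    # every user over the wire; ask only for what is reported.
    $wanted = @('Name', 'EmailAddress', 'Department', 'Title', 'Manager', 'Created', 'Modified')
    try {
        $users = Get-ADUser -Filter * -Properties $wanted -ErrorAction Stop
    } catch {
        Write-Host "Failed to query users: $($_.Exception.Message)" -ForegroundColor Red
        return @()
    }

    # Manager DN -> display name cache: one lookup per distinct manager rather
    # than one per user.
    $managerNames = @{}
    $properties = @(foreach ($user in $users) {
        $managerName = "N/A"
        if ($user.Manager) {
            $dn = $user.Manager
            if (-not $managerNames.ContainsKey($dn)) {
                $manager = Get-ADUser -Identity $dn -ErrorAction SilentlyContinue
                # Unresolvable manager (deleted, contact object, other domain):
                # keep the DN rather than a blank so the gap is visible.
                $managerNames[$dn] = if ($manager) { $manager.Name } else { $dn }
            }
            $managerName = $managerNames[$dn]
        }
        [PSCustomObject]@{
            Username     = $user.SamAccountName
            FullName     = $user.Name
            Email        = $user.EmailAddress
            Department   = $user.Department
            Title        = $user.Title
            Manager      = $managerName
            Created      = $user.Created
            LastModified = $user.Modified
        }
    })

    # Out-Host keeps the formatting objects out of the function's output.
    $properties | Format-Table -AutoSize | Out-Host
    return $properties
}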

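<#
.SYNOPSIS
Checks for expired accounts.

.DESCRIPTION
Lists enabled accounts whose AccountExpirationDate lies in the past. The
comparison timestamp is passed to the directory filter as a variable: the AD
filter parser accepts variables but does not evaluate expressions such as
(Get-Date), so the original filter was not doing what it looked like. A
client-side check repeats the comparison and excludes accounts with no
expiration date set.

.OUTPUTS
Array of PSObjects containing expired account details.
#>
function Check-ExpiredAccounts {
    Write-Host "`nChecking for Expired Accounts..." -ForegroundColor Yellow
    $now = Get-Date
    try {
        $users = Get-ADUser -Filter {Enabled -eq $true -and AccountExpirationDate -lt $now} -Properties AccountExpirationDate -ErrorAction Stop
    } catch {
        Write-Host "Failed to query users: $($_.Exception.Message)" -ForegroundColor Red
        return @()
    }

    $expiredAccounts = @(foreach ($user in $users) {
        # AccountExpirationDate is $null for accounts that never expire; the
        # explicit check guarantees such accounts are never listed as expired.
        if ($user.AccountExpirationDate -and $user.AccountExpirationDate -lt $now) {
            [PSCustomObject]@{
                Username       = $user.SamAccountName
                ExpirationDate = $user.AccountExpirationDate
                DaysExpired    = ($now - $user.AccountExpirationDate).Days
            }
        }
    })

    # Out-Host keeps the formatting objects out of the function's output.
    $expiredAccounts | Format-Table -AutoSize | Out-Host
    return $expiredAccounts
}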

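<#
.SYNOPSIS
Generates a comprehensive HTML report of all analyses.

.DESCRIPTION
Renders one section per analysis, in menu order, from the results stored in
$AllResults. A section whose analysis has not been run in this session shows
a "not collected" note instead of an empty table. The file is written as UTF-8
to match the charset declared in the document head (Out-File's default in
Windows PowerShell is UTF-16, which contradicted the declaration).

.PARAMETER AllResults
Hashtable containing all analysis results, keyed by the names the main loop
uses (AccountStatuses, PasswordCompliance, GroupMemberships, InactiveAccounts,
PrivilegedAccounts, AccountProperties, ExpiredAccounts).

.OUTPUTS
Saves an HTML report to the path in $global:reportPath (on the desktop). The
report contains an account inventory and privileged group membership; share it
accordingly.
#>
function Generate-HTMLReport {
    param([hashtable]$AllResults)

    Write-Host "`nGenerating Comprehensive HTML Report..." -ForegroundColor Yellow
    if ($null -eq $AllResults) { $AllResults = @{} }

    # Section order and headings; keys match what the main loop stores.
    $sections = @(
        @{ Key = 'AccountStatuses';    Title = 'User Account Statuses' },
        @{ Key = 'PasswordCompliance'; Title = 'Password Policies Compliance' },
        @{ Key = 'GroupMemberships';   Title = 'Group Memberships' },
        @{ Key = 'InactiveAccounts';   Title = 'Inactive User Accounts' },
        @{ Key = 'PrivilegedAccounts'; Title = 'Privileged Accounts' },
        @{ Key = 'AccountProperties';  Title = 'User Account Properties' },
        @{ Key = 'ExpiredAccounts';    Title = 'Expired Accounts' }
    )

    $sectionHtml = foreach ($section in $sections) {
        $results = $AllResults[$section.Key]
        if ($null -eq $results) {
            $body = '<p><em>Not collected - run this analysis from the menu first.</em></p>'
        } else {
            # NOTE(review): relies on ConvertTo-Html HTML-encoding cell values,
            # since attribute text (Title, Department, group names) comes from
            # the directory; confirm for the PowerShell version in use.
            $body = ($results | ConvertTo-Html -Fragment) -join "`n"
        }
        "    <h2>$($section.Title)</h2>`n    $body`n"
    }

    $reportContent = @"
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>AD User Analysis Report</title>
    <style>
        body { font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 1200px; margin: 0 auto; padding: 20px; }
        h1, h2, h3 { color: #0078D4; }
        table { border-collapse: collapse; width: 100%; margin-bottom: 20px; }
        th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
        th { background-color: #f2f2f2; }
    </style>
</head>
<body>
    <h1>Active Directory User Analysis Report</h1>
    <p>Generated on: $(Get-Date)</p>

$($sectionHtml -join "`n")
</body>
</html>
"@

    try {
        # UTF8 matches the <meta charset> above; -ErrorAction Stop so a
        # write failure (e.g. missing Desktop folder) is reported here.
        $reportContent | Out-File -FilePath $global:reportPath -Encoding UTF8 -ErrorAction Stop
        Write-Host "Report generated and saved to: $global:reportPath" -ForegroundColor Green
    } catch {
        Write-Host "Failed to write report to ${global:reportPath}: $($_.Exception.Message)" -ForegroundColor Red
    }
}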

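# Main program loop
# Results accumulate across menu choices so the report (choice 8) can include
# every analysis run so far in this session.
$allResults = @{}

do {
    Show-Menu
    # Trim so a stray space around the digit is not treated as an invalid
    # choice; the string wrapper keeps .Trim() safe if Read-Host returns $null.
    $choice = "$(Read-Host "`nEnter your choice (1-9)")".Trim()

    # No "break" in the exit arm: inside a switch, break only leaves the switch
    # (switch counts as a loop), so the do/while condition below is what ends
    # the program.
    switch ($choice) {
        "1" { $allResults.AccountStatuses = Analyze-UserAccountStatuses }
        "2" { $allResults.PasswordCompliance = Check-PasswordPoliciesCompliance }
        "3" { $allResults.GroupMemberships = Analyze-GroupMemberships }
        "4" { $allResults.InactiveAccounts = Identify-InactiveUserAccounts }
        "5" { $allResults.PrivilegedAccounts = Check-PrivilegedAccounts }
        "6" { $allResults.AccountProperties = Analyze-UserAccountProperties }
        "7" { $allResults.ExpiredAccounts = Check-ExpiredAccounts }
        "8" { Generate-HTMLReport -AllResults $allResults }
        "9" { Write-Host "Exiting program..." -ForegroundColor Yellow }
        default { Write-Host "Invalid choice. Please try again." -ForegroundColor Red }
    }

    if ($choice -ne "9") {
        # Discard the typed text; otherwise Read-Host's return value is echoed.
        $null = Read-Host "`nPress Enter to continue..."
    }
} while ($choice -ne "9")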

This Active Directory User Analysis Tool includes:

  1. A menu-driven interface for easy navigation.
  2. Functions to analyze various aspects of user accounts:
    • User account statuses (enabled, locked out, password expired)
    • Password policies compliance
    • Group memberships
    • Inactive user accounts
    • Privileged accounts
    • User account properties
    • Expired accounts
  3. Comprehensive error handling for each analysis function.
  4. A function to generate an HTML report of all collected data.

Key features:

  • Detailed analysis of user account statuses and properties
  • Checking password policy compliance across all users
  • Identification of inactive and expired accounts
  • Analysis of group memberships, including privileged groups
  • Comprehensive overview of user account properties
  • HTML report generation for easy sharing and viewing of results

This tool is particularly useful for:

  • Active Directory administrators managing user accounts
  • IT security professionals auditing user account security
  • HR departments needing reports on user account statuses and properties
  • Compliance officers ensuring adherence to password policies

To use this script effectively:

  1. Run PowerShell as an administrator
  2. Ensure you have the necessary permissions to query AD user information
  3. Have the Active Directory PowerShell module installed

This script provides a comprehensive overview of user accounts in an Active Directory environment, making it easier to identify security issues, compliance problems, or outdated account information. It can significantly streamline the process of auditing and maintaining user accounts in large or complex AD environments.
