Powershell has gotten a lot of attention lately as a pentesters tool of choice, since it has access to pretty much every low-level system function in the Microsoft ecosystem, and the AV industry isnt dealing well with that yet (aside from ignoring powershell completely that is).
But what about day-to-day system administration? Really, the possibilities for admins are just as limitless as for pentesters - thats what Powershell was invented for after all !
A simple call like ">get-aduser -filter * -properties * can get you everything you want on domain user accounts. However, most sysadmins will look at this and give me the TLDR response - its just too much information to process effectively.
But how about filtering that- lets find all users who arent required to reset their passwords?
Or who dont have passwords at all?
How about have never reset their passwords (ie - haven">get-aduser -filter * -properties * | select samaccountname,passwordlastset
Operationally - lets add to the list - say folks whove had their accounts locked. This might be a reset password on Friday, cant remember on Monday symptom, but might also be someone brute forcing that account on the corporate website or VPN">get-aduser -filter * -properties * | select samaccountname,passwordlastset,lockedout
You can use the above to also find out whos left the organization. If youre like lots of IT groups, maybe HR isnt so timely in letting you know about departures! Lets dig to see who hasnt logged in in 4 weeks. 8 weeks? 12 weeks? Best call HR with this list in-hand to see if these folks are on longer term leave, or if they">get-aduser -filter * -properties * | select samaccountname,lastlogondate
At this point it becomes obvious that you want to sort these lists.">get-aduser -filter * -properties * | select samaccountname,passwordlastset | out-gridview
I find the CSV output, which can then be imported to excel - to be the most useful.">get-aduser -filter * -properties * | select samaccountname, name, enabled, scriptpath, passwordlastset, passwordexpired, passwordneverexpires, passwordnotrequired, lockedout, lastlogondate, cannotchangepassword, accountexiprationdate | export-csv c:\pathspec\account-problems-yy-mm-dd.csv
This imports directly into Excel (or any other spreadsheet), where you can slice and dice to your hearts content.
In closing, let me acknowledge Jason Fossen and SANS SEC 505 for re-kindling my enthusiasm for Powershell ! If you want to dig deeper into Powershell with a security slant, Ill be posting on this topic for a while, stay tuned. But if you want 6 days solid of concentrated powershell+windows goodness, take a look at SEC 505!
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.