User Lockout Report

Overview

This PowerShell script generates an HTML diagnostics report for user lockouts in Active Directory. The script imports the Active Directory module and retrieves all user accounts that are not disabled. It fetches password-related properties and calculates the password age and expiration details for each user. The results are filtered, sorted, and converted into an HTML report with CSS styling for better readability. The final HTML report is saved to a file and opened in the default web browser.

 1# Import the Active Directory module
 2Import-Module ActiveDirectory
 3
 4# Get all users who are not disabled
 5$users = Get-ADUser -Filter * -Property pwdLastSet, Enabled, LockedOut, PasswordExpired, WhenCreated, LastLogonDate
 6
 7# Get the result of `net accounts`
 8$netAccounts = net accounts
 9$maxPwdAgeLine = $netAccounts | Select-String -Pattern "Maximum password age"
10$maxPwdAgeValue = ($maxPwdAgeLine -split "\s+")[4] # Extract the value from the line
11
12# Handle the "Unlimited" case
13if ($maxPwdAgeValue -eq "Unlimited") {
14    $maxPwdAge = [int]::MaxValue
15} else {
16    $maxPwdAge = [int]$maxPwdAgeValue
17}
18
19# Create a custom object to store the results
20$results = @()
21
22foreach ($user in $users) {
23    # Convert pwdLastSet to a readable date if it is greater than 0
24    if ($user.pwdLastSet -gt 0) {
25        $pwdLastSetDate = [datetime]::FromFileTimeUtc($user.pwdLastSet)
26        $daysSincePwdLastSet = [math]::Round(((Get-Date) - $pwdLastSetDate).TotalDays)
27        $daysUntilPwdExpiration = $maxPwdAge - $daysSincePwdLastSet
28    } else {
29        $pwdLastSetDate = $null
30        $daysSincePwdLastSet = $null
31        $daysUntilPwdExpiration = $null
32    }
33    $results += [PSCustomObject]@{
34        UserName                  = $user.SamAccountName
35        pwdLastSet                = $pwdLastSetDate
36        DaysSincePwdLastSet       = $daysSincePwdLastSet
37        DaysUntilPwdExpiration    = $daysUntilPwdExpiration
38        Enabled                   = $user.Enabled
39        LockedOut                 = $user.LockedOut
40        PasswordExpired           = $user.PasswordExpired
41        WhenCreated               = $user.WhenCreated
42        LastSignIn                = $user.LastLogonDate
43    }
44}
45
46# Filter out users with pwdLastSet set to null
47$filteredResults = $results | Where-Object { $_.pwdLastSet -ne $null }
48
49# Sort the results by pwdLastSet in descending order
50$sortedResults = $filteredResults | Sort-Object -Property pwdLastSet -Descending
51
52# Convert the results to HTML
53$html = $sortedResults | ConvertTo-Html -Property UserName, pwdLastSet, DaysSincePwdLastSet, DaysUntilPwdExpiration, Enabled, LockedOut, PasswordExpired, WhenCreated, LastSignIn -Title "User Password Status" -PreContent "<h1>User Password Status</h1>"
54
55# Add CSS for table styling
56$style = @"
57    <style>
58        table {
59            width: 100%;
60            border-collapse: collapse;
61        }
62        table, th, td {
63            border: 1px solid black;
64        }
65        th, td {
66            padding: 1px;
67            text-align: left;
68        }
69        th {
70            background-color: #f2f2f2;
71        }
72        tr:nth-child(even) {
73            background-color: #f9f9f9;
74        }
75    </style>
76"@
77
78$htmlContent = "$style$html"
79
80# Save the HTML file
81$htmlPath = "pwdLastSet.html"
82$htmlContent | Out-File -FilePath $htmlPath
83
84# Open the HTML file in the default browser
85Start-Process "powershell.exe" -ArgumentList "Start-Process $htmlPath"