User Lockout Report

Overview

This PowerShell script generates an HTML diagnostics report on user lockouts and password status in Active Directory. The script imports the Active Directory module and retrieves all user accounts that are not disabled. It fetches password-related properties and calculates the password age and expiration details for each user. The results are filtered, sorted, and converted into an HTML report with CSS styling for better readability. The final HTML report is saved to a file and opened in the default web browser.

 1# Import the Active Directory module
 2Import-Module ActiveDirectory
 3
 4# Get all users who are not disabled
 5$users = Get-ADUser -Filter * -Property pwdLastSet, Enabled, LockedOut, PasswordExpired
 6
 7# Get the result of `net accounts`
 8$netAccounts = net accounts
 9$maxPwdAgeLine = $netAccounts | Select-String -Pattern "Maximum password age"
10$maxPwdAgeValue = ($maxPwdAgeLine -split "\s+")[4] # Extract the value from the line
11
12# Handle the "Unlimited" case
13if ($maxPwdAgeValue -eq "Unlimited") {
14    $maxPwdAge = [int]::MaxValue
15} else {
16    $maxPwdAge = [int]$maxPwdAgeValue
17}
18
19# Create a custom object to store the results
20$results = @()
21
22foreach ($user in $users) {
23    # Convert pwdLastSet to a readable date if it is greater than 0
24    if ($user.pwdLastSet -gt 0) {
25        $pwdLastSetDate = [datetime]::FromFileTimeUtc($user.pwdLastSet)
26        $daysSincePwdLastSet = [math]::Round(((Get-Date) - $pwdLastSetDate).TotalDays)
27        $daysUntilPwdExpiration = $maxPwdAge - $daysSincePwdLastSet
28    } else {
29        $pwdLastSetDate = $null
30        $daysSincePwdLastSet = $null
31        $daysUntilPwdExpiration = $null
32    }
33    $results += [PSCustomObject]@{
34        UserName                  = $user.SamAccountName
35        pwdLastSet                = $pwdLastSetDate
36        DaysSincePwdLastSet       = $daysSincePwdLastSet
37        DaysUntilPwdExpiration    = $daysUntilPwdExpiration
38        Enabled                   = $user.Enabled
39        LockedOut                 = $user.LockedOut
40        PasswordExpired           = $user.PasswordExpired
41    }
42}
43
44# Filter out users with pwdLastSet set to null
45$filteredResults = $results | Where-Object { $_.pwdLastSet -ne $null }
46
47# Sort the results by pwdLastSet in descending order
48$sortedResults = $filteredResults | Sort-Object -Property pwdLastSet -Descending
49
50# Convert the results to HTML
51$html = $sortedResults | ConvertTo-Html -Property UserName, pwdLastSet, DaysSincePwdLastSet, DaysUntilPwdExpiration, Enabled, LockedOut, PasswordExpired -Title "User Password Status" -PreContent "<h1>User Password Status</h1>"
52
53# Add CSS for table styling
54$style = @"
55    <style>
56        table {
57            width: 100%;
58            border-collapse: collapse;
59        }
60        table, th, td {
61            border: 1px solid black;
62        }
63        th, td {
64            padding: 1px;
65            text-align: left;
66        }
67        th {
68            background-color: #f2f2f2;
69        }
70        tr:nth-child(even) {
71            background-color: #f9f9f9;
72        }
73    </style>
74"@
75
76$htmlContent = "$style$html"
77
78# Save the HTML file
79$htmlPath = "pwdLastSet.html"
80$htmlContent | Out-File -FilePath $htmlPath
81
82# Open the HTML file in the default browser
83Start-Process "powershell.exe" -ArgumentList "Start-Process $htmlPath"