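<#
.SYNOPSIS
    Audits the termination process.
.DESCRIPTION
    Performs the necessary steps to identify the proper termination of Active
    Directory user accounts and prints a log of the checks performed. Every
    check is read-only: the account is queried once and each finding is written
    to the console and to the transcript. A check whose attribute could not be
    read is reported as a flag, never as a pass.
.NOTES
    Version            : 1.5
    Changes            : Rewritten for powershell v4; lookup errors are reported
                         instead of suppressed
    systems procedures : Active Directory
    Rights Required    : Access to : Active Directory
    Sched Task Req'd   : No
    Author             : Jeff Stein
    Year Written       : 2016
    Disclaimer         :
    Resources used     : http://www.ehloworld.com/152
.EXAMPLE
    .\Run-Auditterm.ps1
.INPUTS
    None. You cannot pipe objects to this script.
#>
#Requires -Version 4.0
param(
    # Transcript file name, created in the current directory. The transcript
    # records the audited account's attributes (manager, e-mail, phone,
    # description), so treat the file as an audit record.
    [string] $strFilenameTranscript = 'AD_termination_audit {0:yyyy-MM-dd hh-mmtt}.log' -f (Get-Date),
    # Menu selection. It is read interactively below; the parameter only seeds
    # the loop variable.
    [string] $opt = 'None'
)

# Errors must surface. With errors silently suppressed a failed Get-ADUser call
# leaves the attribute variables empty, and every "-eq $null" check below would
# then report "Properly terminated" for an account that was never read.
$ErrorActionPreference = 'Stop'

# Credential used for every Active Directory query. Cancelling the prompt
# falls back to the caller's own identity.
$cred = Get-Credential
Start-Transcript -Path ".\$strFilenameTranscript" | Out-Null
$Error.Clear()
Clear-Host
Push-Location

Write-Host @'

**************************************
 Active Directory Termination Audit
**************************************

'@

#----------------------------------------------------------
# LOAD ASSEMBLIES AND MODULES
#----------------------------------------------------------
Import-Module ActiveDirectory   # provides Get-ADUser

#----------------------------------------------------------
# HELPERS
#----------------------------------------------------------

# Attributes the checks read. They are fetched in one query so every check
# works from the same snapshot of the account.
$auditProperties = @(
    'Enabled', 'AccountExpirationDate', 'PasswordLastSet', 'LastLogonDate',
    'Manager', 'EmailAddress', 'OfficePhone', 'Description'
)

#######################################
# Looks up one account by sAMAccountName.
# Arguments: -SamAccountName  value typed at the prompt
#            -Properties      extra attributes to load (optional)
# Outputs:   the ADUser object, or $null when the name is blank, the account
#            does not exist or the query fails (the reason is written as a
#            warning so it ends up in the transcript).
#######################################
function Find-AuditAccount {
    param(
        [string] $SamAccountName,
        [string[]] $Properties
    )
    if ([string]::IsNullOrWhiteSpace($SamAccountName)) { return $null }
    $query = @{ Identity = $SamAccountName; ErrorAction = 'Stop' }
    if ($Properties) { $query['Properties'] = $Properties }
    if ($cred) { $query['Credential'] = $cred }
    try {
        return Get-ADUser @query
    } catch {
        Write-Warning ("Lookup of '{0}' failed: {1}" -f $SamAccountName, $_.Exception.Message)
        return $null
    }
}

#######################################
# Prints one numbered audit result. Flags are red so they stand out when the
# transcript is reviewed.
# Arguments: -Number  check number shown in the log
#            -Label   short name of the check
#            -Passed  $true for "Properly terminated", $false for "Flag"
#            -Detail  text appended after the verdict
#######################################
function Write-CheckResult {
    param(
        [int] $Number,
        [string] $Label,
        [bool] $Passed,
        [string] $Detail
    )
    $verdict = if ($Passed) { 'Properly terminated' } else { 'Flag' }
    $line = '{0}. {1}: {2}, {3}' -f $Number, $Label, $verdict, $Detail
    if ($Passed) {
        Write-Host $line
    } else {
        Write-Host $line -ForegroundColor Red
    }
}

#----------------------------------------------------------
# INPUT
#----------------------------------------------------------
# Re-prompt until the account can actually be read; the returned object is
# what every check below inspects.
do {
    $termname = Read-Host 'Please enter the Active Directory username of the user you wish to audit'
    $auditUser = Find-AuditAccount -SamAccountName $termname -Properties $auditProperties
} until ($auditUser)
''
'Found user'
''
$managername = Read-Host "Please enter the Active Directory username of the user's manager you are auditing or type NO to skip step"
''
if ($managername -eq 'NO') {
    'Step skipped'   # Continue on
} elseif (Find-AuditAccount -SamAccountName $managername) {
    'Found manager'
} else {
    'Manager name not found'
}
''
$termticket = Read-Host 'Please enter the termination ticket for the account you wish to audit or type NO to run audit without the ticket number'
''

Write-Host @"

***************************************************
 Audit Options
***************************************************

User actively being audited: $termname ($($auditUser.Name))

"@

[string] $menu = @'

Please select an option from the list below.

1) Audit Active Directory account
99) Exit

Select an option.. [1-99]?
'@

#----------------------------------------------------------
# ACTIVE DIRECTORY CHECKS
# Each function reads $auditUser and prints one numbered result.
#----------------------------------------------------------

function Get-ADdisablestatus {
    # 1. Verify the AD account is disabled. A missing Enabled value does not
    # equal $false, so an unreadable attribute is reported as a flag.
    if ($auditUser.Enabled -eq $false) {
        Write-CheckResult 1 'Account Disabled' $true 'Account is disabled'
    } else {
        Write-CheckResult 1 'Account Disabled' $false 'Account is still enabled'
    }
}   # end Get-ADdisablestatus

function Get-ADexpirestat {
    # 2. Verify an expiration date is set. A date in the future still leaves the
    # account usable until then, so it is reported as a flag rather than a pass.
    $expire = $auditUser.AccountExpirationDate
    if ($null -eq $expire) {
        Write-CheckResult 2 'Expiration Date' $false 'Account is not set to expire'
    } elseif ($expire -gt (Get-Date)) {
        Write-CheckResult 2 'Expiration Date' $false "Account expiration date is still in the future: $expire"
    } else {
        Write-CheckResult 2 'Expiration Date' $true "Account was set to expire on: $expire"
    }
}   # end Get-ADexpirestat

function Get-ADpasschange {
    # 3. Verify the password was reset after the account's last logon.
    # PasswordLastSet is used rather than whenChanged: whenChanged moves on any
    # attribute edit (disabling the account, clearing the manager), so it would
    # report a reset that never happened.
    $pwdSet = $auditUser.PasswordLastSet
    $lastLogon = $auditUser.LastLogonDate
    if ($null -eq $pwdSet) {
        Write-CheckResult 3 'Password Reset' $false 'no password-set date is recorded for the account'
    } elseif ($null -eq $lastLogon) {
        Write-CheckResult 3 'Password Reset' $false "no last logon date is recorded; password was last set on: $pwdSet, verify the reset manually"
    } elseif ($pwdSet -ge $lastLogon) {
        Write-CheckResult 3 'Password Reset' $true "Account password was reset on: $pwdSet"
    } else {
        Write-CheckResult 3 'Password Reset' $false "the account has not been reset since: $pwdSet (last logon: $lastLogon)"
    }
}   # end Get-ADpasschange

function Get-ADmanager {
    # 4. Verify the manager attribute has been cleared.
    $manager = $auditUser.Manager
    if ([string]::IsNullOrEmpty($manager)) {
        Write-CheckResult 4 'Manager' $true 'Manager has been removed from the account'
    } else {
        Write-CheckResult 4 'Manager' $false "the account still contains the following manager: $manager"
    }
}   # end Get-ADmanager

function Get-ADemailcheck {
    # 5. Verify the e-mail address has been cleared.
    $email = $auditUser.EmailAddress
    if ([string]::IsNullOrEmpty($email)) {
        Write-CheckResult 5 'Email Field' $true 'Email address has been removed from the account'
    } else {
        Write-CheckResult 5 'Email Field' $false "the account still contains the email address: $email"
    }
}   # end Get-ADemailcheck

function Get-ADphonecheck {
    # 6. Verify the office phone number has been cleared.
    $phone = $auditUser.OfficePhone
    if ([string]::IsNullOrEmpty($phone)) {
        Write-CheckResult 6 'Phone Number field' $true 'Phone Number has been removed from the account'
    } else {
        Write-CheckResult 6 'Phone Number field' $false 'the account still contains a phone number'
    }
}   # end Get-ADphonecheck

function Get-ADdescription {
    # 7. Verify the description records the termination ticket. The ticket is
    # matched as a literal: -match takes a regular expression, so the typed
    # value is escaped to keep '.' or '*' in it from matching any description,
    # and an empty value (which -match would treat as "matches everything") is
    # handled like NO.
    $description = [string] $auditUser.Description
    $noTicket = ([string]::IsNullOrWhiteSpace($termticket)) -or ($termticket -eq 'NO')
    if ($noTicket) {
        Write-CheckResult 7 'Description field' $false "no termination ticket was supplied, review the description manually: $description"
    } elseif ($description -match [regex]::Escape($termticket)) {
        Write-CheckResult 7 'Description field' $true "the termination ticket is in the description field. The full description is: $description"
    } elseif ($description -match 'IT') {
        # Kept from the original heuristic: a reference to "IT" suggests some
        # ticket is recorded, but it may not be the one for this termination.
        Write-CheckResult 7 'Description field' $false "a termination ticket is listed in the description field but may not be the termination ticket. Review the full description listed to verify the termination ticket is included: $description"
    } else {
        Write-CheckResult 7 'Description field' $false "the field does not contain a termination ticket. The full description is: $description"
    }
}   # end Get-ADdescription

#----------------------------------------------------------
# MENU
#----------------------------------------------------------
try {
    # The menu repeats only while nothing was selected; options 1 and 99 both
    # leave the loop so "Exiting..." is printed exactly once.
    do {
        $opt = Read-Host $menu
        switch ($opt) {
            '1' {
                # Active Directory auditing steps
                ''
                Write-Host 'Active Directory Audit Option'
                ''
                Write-Host 'Verifying actions...'
                ''
                Get-ADdisablestatus
                ''
                Get-ADexpirestat
                ''
                Get-ADpasschange
                ''
                Get-ADmanager
                ''
                Get-ADemailcheck
                ''
                Get-ADphonecheck
                ''
                Get-ADdescription
                ''
                Write-Host 'Audit complete'
                ''
            }
            '99' {
                # Exit: nothing to undo, the loop condition ends the menu.
            }
            default { Write-Host "You haven't selected any of the available options. " }
        }
    } while ($opt -ne '1' -and $opt -ne '99')
} finally {
    # Runs on normal exit and on an unhandled error so the transcript is
    # always closed and the working directory restored.
    ''
    Write-Host 'Exiting...'
    ''
    Pop-Location
    Stop-Transcript
}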