Security in Obscurity

A script by Jeff Stein

Run-Auditterm.ps1

Audits the active directory termination process, July 2016

The script entitled "Run-Auditterm" performs the steps needed to review the Active Directory user termination process and prints a log of the checks performed. The script is designed for the Microsoft Windows operating system, leveraging PowerShell 4.0 and above. It complements the Run-Term.ps1 script I previously posted to automate the Active Directory user termination process.

DISCLAIMER

This script is offered 'as is' with no warranty. While it has been tested and verified to work in my environment, it is recommended that you test this script in a test environment before utilizing it in your own production environment.

Installation

To get started, download the files listed in the resource section and save Run-Auditterm.txt as a .ps1 file. Extract it to the desktop of the Windows machine the script will run from. The Active Directory module must be installed on that machine for the script to run properly. Once extracted, right-click the Run-Auditterm.ps1 file and select "Run with PowerShell". Alternatively, open PowerShell manually, navigate to the directory where the script is located, and execute it from there. With either option, it is recommended that the script is run with an account that has administrator privileges.

Overview

The script will review the current state of the Active Directory account of a terminated user and check common objects in the account which should have been removed. The script will generate a log of each check performed that can be used to validate the audit. You can see a sample of the code below:

Load Assemblies And Modules

Import-Module ActiveDirectory
# dsquery (part of the RSAT AD DS tools) returns nothing for an unknown account, so the prompt repeats until a match is found
do { $termname = Read-Host "Please enter the Active Directory username of the user you wish to audit" }
until (dsquery user -samid $termname)
""
if (dsquery user -samid $termname) { "Found user" }
""
$managername = Read-Host "Please enter the Active Directory username of the user's manager you are auditing or type NO to skip step"
""
if (dsquery user -samid $managername) { "Found manager" }
elseif ($managername -eq "NO") { "Step skipped" }
else { "Manager name not found" }
""
$termticket = Read-Host "Please enter the termination ticket for the account you wish to audit or type NO to run audit without the ticket number"
# display name of the account under audit
$ADusername = Get-ADUser -Identity $termname | Select-Object -ExpandProperty Name
Write-Host

After information on the terminated user has been gathered, the audit functions will run a series of checks against the AD account. The steps that will be taken are:

  1. Check if the account is disabled.
  2. Check if the account is set to expire.
  3. Check if there is an email address associated with the account.
  4. Check if there is a phone number associated with the account.
  5. Check if there is a manager associated with the account.
  6. Check if the account password has been reset.
  7. Check if the account description contains the termination ticket.

You can see the sample code to do this below:

Audit Functions

function Get-ADdisablestatus {
    $ADdisabled = Get-ADUser -Identity $termname | Select-Object -ExpandProperty Enabled
    if ($ADdisabled -eq $false) { Write-Host "1. Account Disabled: Properly terminated, Account is disabled" }
    else { Write-Host "1. Account Disabled: Flag, Account is still enabled" -ForegroundColor Red }
}
function Get-ADexpirestat {
    $ADexpiredate = Get-ADUser -Identity $termname -Properties AccountExpirationDate | Select-Object -ExpandProperty AccountExpirationDate
    if ($null -ne $ADexpiredate) { Write-Host "2. Expiration Date: Properly terminated, Account was set to expire on: " $ADexpiredate }
    else { Write-Host "2. Expiration Date: Flag, Account is not set to expire" -ForegroundColor Red }
}
function Get-ADpasschange {
    # whenChanged moves on any attribute write, so this compares the last object change with the last logon;
    # PasswordLastSet is the password-specific attribute if a stricter check is wanted
    $ADpassinfo = Get-ADUser $termname -Properties whenChanged | Select-Object -ExpandProperty whenChanged
    $Lastlogon  = Get-ADUser $termname -Properties LastLogonDate | Select-Object -ExpandProperty LastLogonDate
    if ($ADpassinfo -ge $Lastlogon) { Write-Host "3. Password Reset: Properly terminated, Account password was reset on: " $ADpassinfo }
    else { Write-Host "3. Password Reset: Flag, the account has not been reset since: " $ADpassinfo -ForegroundColor Red }
}
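As an added example that is not part of the original script, here are the seven checks listed above written as one function that takes a user object and returns structured results instead of printing them, so the same logic can be reviewed offline before it is pointed at a domain. Property names follow what Get-ADUser -Properties returns; the sample object, its dates and the ticket value are constructed placeholders.

```powershell
function Test-TerminatedAccount {
    param(
        [Parameter(Mandatory)] $User,   # Get-ADUser -Properties * output, or a constructed object
        [string] $TermTicket = 'NO'     # termination ticket, or NO to skip the description check
    )
    $checks = @(
        @{ Name = 'Account disabled'; Pass = ($User.Enabled -eq $false); Detail = "Enabled=$($User.Enabled)" }
        @{ Name = 'Expiration set';   Pass = ($null -ne $User.AccountExpirationDate); Detail = "Expires=$($User.AccountExpirationDate)" }
        @{ Name = 'Email removed';    Pass = [string]::IsNullOrEmpty($User.mail); Detail = "mail=$($User.mail)" }
        @{ Name = 'Phone removed';    Pass = [string]::IsNullOrEmpty($User.telephoneNumber); Detail = "telephoneNumber=$($User.telephoneNumber)" }
        @{ Name = 'Manager removed';  Pass = [string]::IsNullOrEmpty($User.Manager); Detail = "Manager=$($User.Manager)" }
        # PasswordLastSet is the password-specific attribute; whenChanged (used in the post) moves on any attribute write
        @{ Name = 'Password reset';   Pass = ($null -ne $User.PasswordLastSet -and $User.PasswordLastSet -ge $User.LastLogonDate)
                                      Detail = "PasswordLastSet=$($User.PasswordLastSet) LastLogonDate=$($User.LastLogonDate)" }
    )
    if ($TermTicket -ne 'NO') {
        $checks += @{ Name = 'Ticket in description'; Pass = ("$($User.Description)" -like "*$TermTicket*"); Detail = "Description=$($User.Description)" }
    }
    $i = 0
    foreach ($c in $checks) {
        $i++
        [pscustomobject]@{
            Step   = $i
            Check  = $c.Name
            Result = if ($c.Pass) { 'Properly terminated' } else { 'Flag' }
            Detail = $c.Detail
        }
    }
}

# Constructed sample standing in for Get-ADUser output; the phone number is left set so that check flags.
$sample = [pscustomobject]@{
    Enabled = $false; AccountExpirationDate = Get-Date '2016-07-15'
    mail = $null; telephoneNumber = '555-0100'; Manager = $null
    PasswordLastSet = Get-Date '2016-07-14'; LastLogonDate = Get-Date '2016-07-13'
    Description = 'Terminated per TICKET-PLACEHOLDER'
}
$results = Test-TerminatedAccount -User $sample -TermTicket 'TICKET-PLACEHOLDER'
$results | Format-Table -AutoSize
if ($results | Where-Object Result -eq 'Flag') { Write-Warning 'Audit found flagged items' }
# Against a live domain: Test-TerminatedAccount -User (Get-ADUser $termname -Properties *) -TermTicket $termticket
```

Because the function returns objects rather than console text, the results can be exported with Export-Csv or compared across accounts, which the Write-Host output in the post cannot be.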

Once the functions have been defined, the next step is to execute them. A sample of the code is below:

Execute Functions

# Menu text is not shown in the original excerpt; option 2 is included here so the loop can exit
$menu = @"

1. Run the Active Directory audit for $ADusername
2. Quit
Select an option
"@
Do {
    $opt = Read-Host $menu

    switch ($opt) {
        1 {
            ""
            Write-Host "Active Directory Audit Option"
            ""
            Write-Host "Verifying actions..."
            ""
            Get-ADdisablestatus
            ""
            Get-ADexpirestat
            ""
            Get-ADpasschange
            ""
            Get-ADmanager
            ""
            Get-ADemailcheck
            ""
            Get-ADphonecheck
            ""
            Get-ADdescription
            ""
            Write-Host "Audit complete"
            ""
            ""
        }
        2 { "Exiting" }
        default { "Unknown option, please choose 1 or 2" }
    }
} until ($opt -eq 2)
