Reporting on AD Users
Monitoring Active Directory (AD) is a necessary, albeit time-consuming, task. With larger numbers of users and computers to manage, you need all the help you can get, and PowerShell makes it easy to keep track of things.
If a user has not logged on for a reasonable period, the account could be a security risk. Likewise, a user with membership in a privileged group (for example, Enterprise Admins) could be used by an attacker. IT professionals know how easy it is to put someone in a high-privilege group rather than set up more fine-grained permissions using something like Just Enough Administration (see “Implementing JEA” in Chapter 8).
Regular reporting helps you focus on accounts that could usefully be deactivated, removed from a security group, or possibly removed altogether.
In this recipe, you obtain all the accounts in AD and examine them for potential security risks.
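The two checks described above (no recent logon, membership in a privileged group) can be sketched as follows. This is an added example, not the recipe's own code: the function name `Get-UserRiskReport`, the 90-day threshold, the list of privileged group names, and the sample users in `example.local` are all assumptions made for illustration.

```powershell
# Added example. Works on any objects that expose the Get-ADUser properties
# SamAccountName, Enabled, LastLogonDate and MemberOf.
function Get-UserRiskReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $User,
        [int] $StaleDays = 90,    # assumed threshold, set to your own policy
        [string[]] $PrivilegedGroup = @('Enterprise Admins', 'Domain Admins', 'Schema Admins'),
        [datetime] $Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays(-$StaleDays) }
    process {
        # MemberOf lists the DNs of direct groups only (no nesting, no primary
        # group); compare the CN of each DN with the privileged group names.
        $groups = foreach ($dn in @($User.MemberOf)) {
            if ($dn -match '^CN=([^,]+),') { $Matches[1] }
        }
        $priv = @($groups | Where-Object { $_ -in $PrivilegedGroup })
        # An empty LastLogonDate means no logon has been recorded.
        $never = $null -eq $User.LastLogonDate
        $stale = $never -or ($User.LastLogonDate -lt $cutoff)
        [pscustomobject]@{
            SamAccountName   = $User.SamAccountName
            Enabled          = $User.Enabled
            LastLogonDate    = $User.LastLogonDate
            NeverLoggedOn    = $never
            Stale            = $stale
            PrivilegedGroups = $priv -join ', '
            # Enabled accounts that are stale or privileged deserve a look.
            Review           = [bool]$User.Enabled -and ($stale -or $priv.Count -gt 0)
        }
    }
}

# Constructed sample users (not real accounts) in a made-up domain.
$base = 'CN=Users,DC=example,DC=local'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true
        LastLogonDate = [datetime]'2024-05-28'; MemberOf = @("CN=Enterprise Admins,$base") }
    [pscustomobject]@{ SamAccountName = 'bob'; Enabled = $true
        LastLogonDate = [datetime]'2023-11-02'; MemberOf = @("CN=Sales,$base") }
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true
        LastLogonDate = $null; MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'dave'; Enabled = $false
        LastLogonDate = [datetime]'2022-01-15'; MemberOf = @("CN=Domain Admins,$base") }
)
$sample | Get-UserRiskReport -Now ([datetime]'2024-06-01') |
    Where-Object Review | Format-Table -AutoSize
# Live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties LastLogonDate, MemberOf | Get-UserRiskReport
```

`LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which can trail the real last logon by several days, so keep the stale threshold comfortably larger than that lag. Membership gained through nested groups does not appear in `MemberOf`; `Get-ADGroupMember -Recursive` on each privileged group covers that case.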
Getting ready
After running the recipes in this chapter, you run this recipe on DC1...