Check Active Directory Accounts

thanks for the very usefull script I have to make a little change, result.Count was allways empty $result=invoke-expression $command $SCount = ( $result | Measure-Object -Line).Lines and in the following if and elseif if($SCount -gt $maxCrit) elseif($SCount -gt $maxWarn) write-hoste $output=$state+": "+$SCount+" "+$action+"|"+$action+"="+$SCount+";"+$maxWarn+";"+$maxCrit

Hi I'm getting this error " CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $ " Any help me on this My syntax: ./check_nrpe -H XXXX -c check_ad_account -a AccountInactive "dc=xx,dc=xx,dc=xx,dc=xx" subtree 5 10

I've modified the powershell script so that you can pass an additional parameter of either "UsersOnly" or "ComputersOnly" otherwise it returns values for both users and computers objects. # ==================================================================== # Search in AD for lockedout account. To be used through NRPE / nsclient++ # Author: Mathieu Chateau - LOTP # mail: mathieu.chateau@lotp.fr # version 0.1 # ==================================================================== # # Require Set-ExecutionPolicy RemoteSigned.. or sign this script with your PKI # # ============================================================ # # Do not change anything behind that line! # param ( [string]$action = "LockedOut", [string]$accountType = "", [string]$searchBase = "", [string]$searchScope = "Subtree", [int]$maxWarn = 5, [int]$maxCrit = 10 ) # check that powershell ActiveDirectory module is present if(Get-Module -Name "ActiveDirectory" -ListAvailable) { try { Import-Module -Name ActiveDirectory } catch { Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module" exit 2 } } else { Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module" exit 2 } # check params if provided if($action -notmatch "^(AccountDisabled|AccountExpired|AccountExpiring|AccountInactive|LockedOut|PasswordExpired|PasswordNeverExpires)$") { Write-Host "CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $action" exit 2 } if($accountType -notmatch "^(UsersOnly|ComputersOnly)$") { Write-Host "CRITICAL: accountType can only be UsersOnly,ComputersOnly. Provided $acctType" } if($searchScope -notmatch "^(Base|OneLevel|Subtree)$") { Write-Host "CRITICAL: searchScope parameter can only be Base,OneLevel,Subtree. Provided $searchScope" exit 2 } if(($searchBase -ne "") -and $searchBase -ne ((Get-ADDomain).DistinguishedName)) { $search=Get-ADObject -Filter 'ObjectClass -eq "OrganizationalUnit" -and DistinguishedName -eq $searchBase' if ($search.Count -ne 1) { Write-Host "CRITICAL: SearchBase not found or duplicate. Provided $searchBase" exit 2 } } else { $searchBase=(Get-ADDomain).DistinguishedName } $command="Search-ADAccount -"+$action+" -"+$accountType+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope $result=invoke-expression $command if($result.Count -gt $maxCrit) { $state="CRITICAL" $exitcode=2 } elseif($result.Count -gt $maxWarn) { $state="WARNING" $exitcode=1 } else { $state="OK" $exitcode=0 } $output=$state+": "+$result.Count+" "+$action+"|"+$action+"="+$result.Count+";"+$maxWarn+";"+$maxCrit Write-Host $output exit $exitcode

I tried this script with PasswordExpired and I found no result. When I ran: Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'} I do get 1 result. It seems Search-ADAccount and Get-ADUser are giving different results. I tried to change the script: if($action -eq "PasswordExpired") { $command="Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'}" $result=invoke-expression $command } else { $command="Search-ADAccount -"+$action+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope $result=invoke-expression $command } I did not get any result with this change. How can I get the correct response for PasswordExpired accounts?

Works as described!

This useful script gives good control on the state of your AD accounts. I wanted to show a Warning at 1 and Critical at 2 or more errors, ran into a problem with the script. Solution: returning 0 or one element in an array results in a different return variable not supporting the .Count property change the invoke-expression line to $result=@(invoke-expression -Command "$command" -OutBuffer 1000) to correctly process the return value of the script in the NSClient++ call of the powershell script and pass it on we need to use exit $lastexitcode otherwise we are passing on the success of powershell not the return value of the script itself. So the NSClient++ ini file needs to contain lines like this: check_ps_lotp_check_ad_account_disabled=cmd /c echo scriptslotp_check_ad_accounts.ps1 AccountDisabled "cn=AAA,dc=BBB,dc=com" Subtree 0 1; exit $lastexitcode | powershell.exe -noprofile -executionpolicy bypass -command - cn= evaluation is not evaluated by the script, some changes are needed there too or just hardcode the SearchBase variable That's it!