PowerShell - Report Expiring User accounts

2015/05/18

In the video game industry it is common practice to hire consultants for Quality Assurance, the set of software engineering processes and methods used to ensure quality. Those people are most likely testers and usually spend most of their day testing games in development to find bugs.

The problem is that, once in a while, managers forget to update the expiration dates of their consultants/external partners, even after a couple of reminders. Since we have an automated process taking care of the off-boarding (thanks to PowerShell! ;-)), it gets fun when those guys can't connect to their accounts on Monday morning and have lost all their access.

So I wrote a tiny script to report any expiring user accounts and send it to the IT department every Monday morning, just to give us a heads up.

Report Example


How does this work?

Summary

This script retrieves all the users under a specified Organizational Unit and looks for any account expiring within the specified time span (by default I set it to 10 days).

If some accounts are found, the script generates an HTML report and sends it via email.

You will also need to create a scheduled task to run the script at the desired frequency; in my case it runs every Monday at 6 am.

Step by Step

  1. Look for user accounts expiring in the next 10 days using the cmdlet Search-ADAccount (from the Active Directory module).
  2. If some accounts are found, continue; else stop.
  3. Generate an HTML report.
  4. Send the report to the IT Support team.

Workflow

Finding Expiring Account

I am using the very neat cmdlet Search-ADAccount. This cmdlet is included in the Active Directory module and comes with some very cool parameters.

Notice the -AccountExpiring parameter, that’s what we need for our little script.

We can get more information by checking out the help.

With the -AccountExpiring parameter we can use either the -DateTime or the -TimeSpan parameter to specify the time range.

Example using the DateTime parameter

Search for accounts expiring before 2015/05/26:

Search-ADAccount -AccountExpiring -DateTime "2015/05/26"

Example using the TimeSpan parameter

Search-ADAccount -AccountExpiring -TimeSpan "10.00:00:00"


OK, we have the expiring accounts; now we need to generate a report.

Creating the report

The above output can be easily converted to HTML using the cmdlet ConvertTo-Html, but before we do this, I need to find a nice and simple CSS to make my report look nice :-)

A quick Google search led me to this little piece of code below (found on http://www.textfixer.com/tutorials/css-tables.php)

I’m adding this piece of code into the variable $CSS using the here-string construction method. Here-String construction lets you bypass the complexities involved in assigning a multi-line string value to a variable.


Almost there! The next step is to add a Title above our report and a Foot Note to display the source and generated date/time.

# Define the Title of the report
$PreContent = "<Title>Active Directory - Expiring Users (next $days days)</Title>"

# Add a small line at the end to show the source of the report
$NoteLine = "Generated from $($env:Computername.ToUpper()) on $(Get-Date -format 'yyyy/MM/dd HH:mm:ss')"
$PostContent = "<br><p><font size='2'><i>$NoteLine</i></font>"

We use the ConvertTo-Html cmdlet to put everything together into the $body variable, which will be used when sending the email.

$body = $Accounts |
    ConvertTo-Html -head $Css -PostContent $PostContent -PreContent $PreContent

The report is ready to be sent!
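The four steps above put together end to end, as an added example that is not the author's published script. The OU path, SMTP server, mail addresses and the small stylesheet are placeholder assumptions; -UsersOnly and the @() wrapper are additions that keep computer accounts out of the report and make the empty check reliable when only one account matches.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the author's published script.
# Every value in this block is a placeholder (assumption) to replace with your own.
$SearchBase = 'OU=Consultants,DC=example,DC=com'   # hypothetical OU
$Days       = 10
$SmtpServer = 'smtp.example.com'                   # hypothetical mail relay
$From       = 'ad-report@example.com'
$To         = 'it-support@example.com'

# 1. User accounts under the OU that expire within the next $Days days.
#    -UsersOnly leaves computer accounts out; @() keeps .Count valid for a single hit.
$Accounts = @(Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $Days) `
        -SearchBase $SearchBase -UsersOnly |
    Sort-Object AccountExpirationDate |
    Select-Object Name, SamAccountName, Enabled, AccountExpirationDate)

# 2. Nothing expiring: stop here, no mail is sent.
if ($Accounts.Count -eq 0) { return }

# 3. Build the HTML report. This minimal constructed stylesheet stands in for $Css.
$Css = @'
<style>
table { border-collapse: collapse; font-family: Arial, sans-serif; }
th, td { border: 1px solid #999; padding: 4px 8px; }
th { background-color: #ddd; }
</style>
'@
$PreContent  = "<Title>Active Directory - Expiring Users (next $Days days)</Title>"
$NoteLine    = "Generated from $($env:COMPUTERNAME.ToUpper()) on $(Get-Date -Format 'yyyy/MM/dd HH:mm:ss')"
$PostContent = "<br><p><font size='2'><i>$NoteLine</i></font></p>"

# ConvertTo-Html emits an array of lines; Out-String joins them into one string for -Body.
$Body = $Accounts |
    ConvertTo-Html -Head $Css -PreContent $PreContent -PostContent $PostContent |
    Out-String

# 4. Send the report to the IT support mailbox.
Send-MailMessage -From $From -To $To -SmtpServer $SmtpServer `
    -Subject "Expiring AD accounts (next $Days days): $($Accounts.Count)" `
    -Body $Body -BodyAsHtml
```

The account that runs the scheduled task only needs read access to the OU and permission to relay through the SMTP server.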

Download

The script is available on Technet Gallery and GitHub
