ADDSAuditTasks

Get-ADDSActiveAccountAudit

Active Directory Audit with Keyvault retrieval option.

Audit's Active Directory taking "days" as the input for how far back to check for a last sign in.
Output can be kept locally, or sent remotely via email or sftp.
Function App is the same as SendEmail except that it uses a password retrieved using the related Function App.
The related function app would need to be created.
Expects SecureString and Key as inputs to function app parameter set.

Syntax 

Get-ADDSActiveAccountAudit [-LocalDisk] [-AttachmentFolderPath <String>] [-ADDSAccountIsNotEnabled] [-DaysInactive <Int32>] [<CommonParameters>]

Get-ADDSActiveAccountAudit [-SendMailMessage] [-SMTPServer <String>] [-AttachmentFolderPath <String>] [-ADDSAccountIsNotEnabled] [-DaysInactive <Int32>] -UserName <String> [-Password <SecureString>] [-Port <Int32>] -To <String> [-From <String>] [<CommonParameters>]

Get-ADDSActiveAccountAudit [-WinSCP] [-AttachmentFolderPath <String>] [-ADDSAccountIsNotEnabled] [-DaysInactive <Int32>] -UserName <String> -Password <SecureString> -FTPHost <String> -SshHostKeyFingerprint <String> [-RemotePath <String>] [<CommonParameters>]

Get-ADDSActiveAccountAudit [-FunctionApp] <String> [-Function] <String> [-SMTPServer <String>] [-AttachmentFolderPath <String>] [-ADDSAccountIsNotEnabled] [-DaysInactive <Int32>] -UserName <String> [-Port <Int32>] -To <String> [-From <String>] -ApiToken <String> [<CommonParameters>]

Get-ADDSActiveAccountAudit [-Clean] [<CommonParameters>]

Parameters

Name Alias Description Required? Pipeline Input Default Value
-LocalDisk Only output data to local disk. true false False
-SendMailMessage Adds parameters for sending Audit Report as an Email. true false False
-WinSCP Adds parameters for sending Audit Report via SFTP. true true (ByPropertyName) False
-FunctionApp Azure Function App Name. true false
-Function Azure Function App's Function Name. Ex. "HttpTrigger1" true true (ByPropertyName)
-SMTPServer Defaults to Office 365 SMTP relay. Enter optional relay here. false true (ByPropertyName) smtp.office365.com
-AttachmentFolderPath Default path is C:\temp\ADDSActiveAccountAuditLogs.
This is the folder where attachments are going to be saved.		 false true (ByValue) C:\temp\ADDSActiveAccountAuditLogs
-ADDSAccountIsNotEnabled Defaults to not being set.
Choose to search for disabled Active Directory Users.		 false true (ByPropertyName) False
-DaysInactive Defaults to 90 days in the past.
Specifies how far back to look for accounts last logon.
If logon is within 90 days, it won't be included.		 false true (ByPropertyName) 90
-UserName Specify the account with an active mailbox and MFA disabled.
Ensure the account has delegated access for Send On Behalf for any
UPN set in the "$From" Parameter		 true true (ByPropertyName)
-Password Use: (Read-Host -AsSecureString) as in Examples.
May be omitted.		 false true (ByPropertyName)
-Port SMTP Port to Relay. Ports can be: "993", "995", "587", or "25" false true (ByPropertyName) 587
-To Recipient of the attachment outputs. true true (ByPropertyName)
-From Defaults to the same account as $UserName unless the parameter is set.
Ensure the Account has delegated access to send on behalf for the $From account.		 false true (ByPropertyName) $UserName
-ApiToken Private Function Key. true true (ByPropertyName)
-FTPHost SFTP Hostname. true true (ByPropertyName)
-SshHostKeyFingerprint Adds parameters for sending Audit Report via SFTP. true true (ByPropertyName)
-RemotePath Remove FTP path. Will be created in the user path under functionname folder if not specified. false true (ByPropertyName) ("./" + $($MyInvocation.MyCommand.Name -replace '\..*'))
-Clean Remove installed modules during run. Remove local files if not a LocalDisk run. true false False

Note

Can take password as input into secure string using (Read-Host -AsSecureString).

Examples

EXAMPLE 1 
Get-ADDSActiveAccountAudit -LocalDisk -Verbose
EXAMPLE 2 
Get-ADDSActiveAccountAudit -SendMailMessage -SMTPServer $SMTPServer -UserName "helpdesk@domain.com" -Password (Read-Host -AsSecureString) -To "support@domain.com" -Verbose
EXAMPLE 3 
Get-ADDSActiveAccountAudit -FunctionApp $FunctionApp -Function $Function -SMTPServer $SMTPServer -UserName "helpdesk@domain.com" -To "support@domain.com" -Verbose
EXAMPLE 4 
Get-ADDSActiveAccountAudit -WinSCP -UserName "ftphostname.UserName" -Password (Read-Host -AsSecureString) -FTPHost "ftphost.domain.com" -SshHostKeyFingerprint "<SShHostKeyFingerprint>" -Verbose
EXAMPLE 5 
Get-ADDSActiveAccountAudit -Clean -Verbose

Top of page

Get-ADDSAssetInventoryAudit

Active Directory Server and Workstation Audit with Report export option (Can also be piped to CSV if Report isn't specified).

Audit's Active Directory taking "days" as the input for how far back to check for a device's last sign in.
Output can be piped to a csv manually, or automatically to C:\temp or a specified path in "DirPath" using
the -Report Switch.
Use the Tab key for the -HostType Parameter.

Syntax 

Get-ADDSAssetInventoryAudit [-HostType] <String> [[-DaystoConsiderAHostInactive] <Int32>] [[-Report]] [[-DirPath] <String>] [-Enabled <Boolean>] [<CommonParameters>]

Get-ADDSAssetInventoryAudit [-OSType] <String> [[-DaystoConsiderAHostInactive] <Int32>] [[-Report]] [[-DirPath] <String>] [-Enabled <Boolean>] [<CommonParameters>]

Parameters

Name Alias Description Required? Pipeline Input Default Value
-HostType Select from Windows Server or Windows 10 plus. true true (ByValue)
-OSType Search an OS String. Wildcards can be omitted as the function will automatically add the
wildcard characters before searching.		 true true (ByValue)
-DaystoConsiderAHostInactive false true (ByPropertyName) 90
-Report Add report output as csv to DirPath directory. false true (ByPropertyName) False
-DirPath The path to the -Report output directory. false false C:\temp\ADDSAssetInventoryAudit
-Enabled false true (ByPropertyName) True

Note

Outputs to C:\temp by default. For help type: help Get-ADDSAssetInventoryAudit -ShowWindow

Examples

EXAMPLE 1 
Get-ADDSInventoryAudit -HostType WindowsServers
EXAMPLE 2 
Get-ADDSInventoryAudit -HostType WindowsWorkstations -DirPath "C:\Temp\" -Report
EXAMPLE 3 
Get-ADDSInventoryAudit -HostType WindowsServers -DirPath "C:\Temp\" -Report
EXAMPLE 4 
Get-ADDSInventoryAudit -OSType "2008" -DirPath "C:\Temp\" -Report

Top of page

Get-ADDSDepartedUsersAccountAudit

Active Directory Audit with Keyvault retrieval option.

Audit's Active Directory taking a Prefix used as a Wildcard as input for checking user accounts.
Output can be kept locally, or sent remotely via email or sftp.
Function App is the same as SendEmail except that it uses a password retrieved using the related Function App.
The related function app would need to be created.
Expects SecureString and Key as inputs to function app parameter set.

Syntax 

Get-ADDSDepartedUsersAccountAudit [-LocalDisk] [-AttachmentFolderPath <String>] -WildCardIdentifier <String> [<CommonParameters>]

Get-ADDSDepartedUsersAccountAudit [-SendMailMessage] [-SMTPServer <String>] [-AttachmentFolderPath <String>] -UserName <String> [-Password <SecureString>] [-Port <Int32>] -To <String> [-From <String>] -WildCardIdentifier <String> [<CommonParameters>]

Get-ADDSDepartedUsersAccountAudit [-WinSCP] [-AttachmentFolderPath <String>] -UserName <String> -Password <SecureString> -FTPHost <String> -SshHostKeyFingerprint <String> [-RemotePath <String>] -WildCardIdentifier <String> [<CommonParameters>]

Get-ADDSDepartedUsersAccountAudit [-FunctionApp] <String> [-Function] <String> [-SMTPServer <String>] [-AttachmentFolderPath <String>] -UserName <String> [-Port <Int32>] -To <String> [-From <String>] -ApiToken <String> -WildCardIdentifier <String> [<CommonParameters>]

Get-ADDSDepartedUsersAccountAudit [-Clean] [<CommonParameters>]

Parameters

Name Alias Description Required? Pipeline Input Default Value
-LocalDisk Only output data to local disk. true false False
-SendMailMessage Adds parameters for sending Audit Report as an Email. true false False
-WinSCP Adds parameters for sending Audit Report via SFTP. true true (ByPropertyName) False
-FunctionApp Azure Function App Name. true false
-Function Azure Function App's Function Name. Ex. "HttpTrigger1" true true (ByPropertyName)
-SMTPServer Defaults to Office 365 SMTP relay. Enter optional relay here. false true (ByPropertyName) smtp.office365.com
-AttachmentFolderPath Default path is C:\temp\ADDSDepartedUsersAuditLogs.
This is the folder where attachments are going to be saved.		 false true (ByValue) C:\temp\ADDSDepartedUsersAuditLogs
-UserName Specify the account with an active mailbox and MFA disabled.
Ensure the account has delegated access for Send On Behalf for any
UPN set in the "$From" Parameter		 true true (ByPropertyName)
-Password Use: (Read-Host -AsSecureString) as in Examples.
May be omitted.		 false true (ByPropertyName)
-Port SMTP Port to Relay. Ports can be: "993", "995", "587", or "25" false true (ByPropertyName) 587
-To Recipient of the attachment outputs. true true (ByPropertyName)
-From Defaults to the same account as $UserName unless the parameter is set.
Ensure the Account has delegated access to send on behalf for the $From account.		 false true (ByPropertyName) $UserName
-ApiToken Private Function Key. true true (ByPropertyName)
-FTPHost true true (ByPropertyName)
-SshHostKeyFingerprint true true (ByPropertyName)
-RemotePath false true (ByPropertyName) ("./" + $($MyInvocation.MyCommand.Name -replace '\..*'))
-Clean Remove installed modules during run. Remove local files if not a LocalDisk run. true false False
-WildCardIdentifier Name wildcard appended to user account. true true (ByPropertyName)

Note

Can take password as input into secure string using (Read-Host -AsSecureString).

Examples

EXAMPLE 1 
Get-ADDSDepartedUsersAccountAudit -LocalDisk -WildCardIdentifier "<StringToSearchFor>" -Verbose
EXAMPLE 2 
Get-ADDSDepartedUsersAccountAudit -SendMailMessage -SMTPServer $SMTPServer -UserName "helpdesk@domain.com" -Password (Read-Host -AsSecureString) -To "support@domain.com" -WildCardIdentifier "<StringToSearchFor>" -Verbose
EXAMPLE 3 
Get-ADDSDepartedUsersAccountAudit -FunctionApp $FunctionApp -Function $Function -SMTPServer $SMTPServer -UserName "helpdesk@domain.com" -To "support@domain.com" -WildCardIdentifier "<StringToSearchFor>" -Verbose
EXAMPLE 4 
Get-ADDSDepartedUsersAccountAudit -WinSCP -UserName "ftphostname.UserName" -Password (Read-Host -AsSecureString) -FTPHost "ftphost.domain.com" -SshHostKeyFingerprint "<SShHostKeyFingerprint>" -WildCardIdentifier "<StringToSearchFor>" -Verbose
EXAMPLE 5 
Get-ADDSDepartedUsersAccountAudit -Clean -Verbose

Top of page

Get-ADDSPrivilegedAccountAudit

Active Directory Audit with Keyvault retrieval option.

Audit's Active Directory for priviledged users and groups, and extended rights.
Output can be kept locally, or sent remotely via email or sftp.
Function App is the same as SendEmail except that it uses a password retrieved using the related Function App.
The related function app would need to be created.
Expects SecureString and Key as inputs to function app parameter set.

Syntax 

Get-ADDSPrivilegedAccountAudit [-LocalDisk] [-AttachmentFolderPath <String>] [<CommonParameters>]

Get-ADDSPrivilegedAccountAudit [-SendMailMessage] [-SMTPServer <String>] [-AttachmentFolderPath <String>] -UserName <String> [-Password <SecureString>] [-Port <Int32>] -To <String> [-From <String>] [<CommonParameters>]

Get-ADDSPrivilegedAccountAudit [-WinSCP] [-AttachmentFolderPath <String>] -UserName <String> -Password <SecureString> -FTPHost <String> -SshHostKeyFingerprint <String> [-RemotePath <String>] [<CommonParameters>]

Get-ADDSPrivilegedAccountAudit [-FunctionApp] <String> [-Function] <String> [-SMTPServer <String>] [-AttachmentFolderPath <String>] -UserName <String> [-Port <Int32>] -To <String> [-From <String>] -ApiToken <String> [<CommonParameters>]

Get-ADDSPrivilegedAccountAudit [-Clean] [<CommonParameters>]

Parameters

Name Alias Description Required? Pipeline Input Default Value
-LocalDisk Only output data to local disk. true false False
-SendMailMessage Adds parameters for sending Audit Report as an Email. true false False
-WinSCP Adds parameters for sending Audit Report via SFTP. true true (ByPropertyName) False
-FunctionApp Azure Function App Name. true false
-Function Azure Function App's Function Name. Ex. "HttpTrigger1" true true (ByPropertyName)
-SMTPServer Defaults to Office 365 SMTP relay. Enter optional relay here. false true (ByPropertyName) smtp.office365.com
-AttachmentFolderPath Default path is C:\temp\ADDSPrivilegedAccountAuditLogs.
This is the folder where attachments are going to be saved.		 false true (ByValue) C:\temp\ADDSPrivilegedAccountAuditLogs
-UserName Specify the account with an active mailbox and MFA disabled.
Ensure the account has delegated access for Send On Behalf for any
UPN set in the "$From" Parameter		 true true (ByPropertyName)
-Password Use: (Read-Host -AsSecureString) as in Examples.
May be omitted.		 false true (ByPropertyName)
-Port SMTP Port to Relay. Ports can be: "993", "995", "587", or "25" false true (ByPropertyName) 587
-To Recipient of the attachment outputs. true true (ByPropertyName)
-From Defaults to the same account as $UserName unless the parameter is set.
Ensure the Account has delegated access to send on behalf for the $From account.		 false true (ByPropertyName) $UserName
-ApiToken Private Function Key. true true (ByPropertyName)
-FTPHost SFTP Hostname. true true (ByPropertyName)
-SshHostKeyFingerprint Adds parameters for sending Audit Report via SFTP. true true (ByPropertyName)
-RemotePath Remove FTP path. Will be created in the user path under functionname folder if not specified. false true (ByPropertyName) ("./" + $($MyInvocation.MyCommand.Name -replace '\..*'))
-Clean Remove installed modules during run. Remove local files if not a LocalDisk run. true false False

Note

Can take password as input into secure string using (Read-Host -AsSecureString).

Examples

EXAMPLE 1 
Get-ADDSPrivilegedAccountAudit -LocalDisk -Verbose
EXAMPLE 2 
Get-ADDSPrivilegedAccountAudit -SendMailMessage -SMTPServer $SMTPServer -UserName "helpdesk@domain.com" -Password (Read-Host -AsSecureString) -To "support@domain.com" -Verbose
EXAMPLE 3 
Get-ADDSPrivilegedAccountAudit -FunctionApp $FunctionApp -Function $Function -SMTPServer $SMTPServer -UserName "helpdesk@domain.com" -To "support@domain.com" -Verbose
EXAMPLE 4 
Get-ADDSPrivilegedAccountAudit -WinSCP -UserName "ftphostname.UserName" -Password (Read-Host -AsSecureString) -FTPHost "ftphost.domain.com" -SshHostKeyFingerprint "<SShHostKeyFingerprint>" -Verbose
EXAMPLE 5 
Get-ADDSPrivilegedAccountAudit -Clean -Verbose

Top of page

Get-ADUsersLastLogon

Takes SamAccountName as input to retrieve most recent LastLogon from all DC's.

Takes SamAccountName as input to retrieve most recent LastLogon from all DC's and output as DateTime.

Syntax 

Get-ADUsersLastLogon [-SamAccountName] <Object> [<CommonParameters>]

Parameters

Name Alias Description Required? Pipeline Input Default Value
-SamAccountName Identity, UserName, Account The SamAccountName of the user being checked for LastLogon. true true (ByValue)

Outputs

The output type is the type of the objects that the cmdlet emits.

  • System.DateTime

Examples

EXAMPLE 1 
Get-ADUsersLastLogon -SamAccountName "UserName"

Top of page

Get-NetworkScan

Discovers local network and runs port scans on all hosts found for specific or default sets of ports.

Scans the network for open ports specified by the user or default ports if no ports are specified.
Creates reports if report switch is active.

Syntax 

Get-NetworkScan [[-Ports] <Int32[]>] [-LocalSubnets] [-Report] [<CommonParameters>]

Get-NetworkScan [[-Ports] <Int32[]>] [-Computers] <String[]> [-Report] [<CommonParameters>]

Parameters

Name Alias Description Required? Pipeline Input Default Value
-Ports Default ports are:
"21", "22", "23", "25", "53", "67", "68", "80", "443", `
"88", "464", "123", "135", "137", "138", "139", `
"445", "389", "636", "514", "587", "1701", `
"3268", "3269", "3389", "5985", "5986"

If you want to supply a port, do so as an integer or an array of integers.
"22","80","443", etc.		 false true (ByPropertyName)
-LocalSubnets true true (ByPropertyName) False
-Computers true true (ByPropertyName)
-Report Specify this switch if you would like a report generated in C:\temp. false false False

Note

Installs PSnmap if not found and can output a report, or just the results.

Examples

EXAMPLE 1 
Get-NetworkScan -report

Top of page

Links

Switch-SurnameWithGivenName

Takes CSV input as "LastName<space>FirstName" and flips it to "Firstname<space>Lastname"

Takes a CSV that was formatted as 'LastName, FirstName' with the comma and space removed, to 'FirstName Lastname'.

Syntax 

Switch-SurnameWithGivenName [[-RosterCSV] <String>] [[-AttachmentFolder] <String>] [<CommonParameters>]

Parameters

Name Alias Description Required? Pipeline Input Default Value
-RosterCSV false true (ByValue, ByPropertyName)
-AttachmentFolder false true (ByPropertyName) C:\temp\Switch-SurnameWithGivenName

Note

This function depends on the name column in the employee roster name column, to have been formatted in excel using a find and replace to replace ", " with " ". In other words: The file needs to have "comma space" replaces with "space" in the name column to be easily compared to ADUser output.

Examples

EXAMPLE 1 
Switch-SurnameWithGivenName -RosterCSV "C:\temp\RosterNameColumnFormattedLastNameSpaceFirstname.csv" -Verbose

Top of page

Links