At my company, the IT department consists of several teams like Microsoft, Network, Storage, Linux and VMware. To administer our environment we do not use our regular accounts (duh… 🙂 ), but instead use what we call admin accounts. Over the years, the security structure used to assign permissions to these admin accounts became polluted. Groups nested in groups nested in other groups, different group membership for team members, etc. As a result, we failed a security audit and I was tasked with cleaning this mess up using a role-based access control (RBAC) like structure to achieve a transparent method of assigning permissions.
Tag Archives: user account
Active Directory user and computer account report
In this post, I will share with you a script I use to run a report on a number of special accounts in my environment. It reports on admin accounts, service accounts and computer accounts. It will collect information like the name of the account, enabled or disabled, last logon date, account expiration date, password expiration date, is the password expired, is Password Never Expires ticked, employeeID (if used), location, etc. The collected information will be saved in a .html file and also sent by email.
Monitor AD user account changes
At my company, the system administrators have separate admin accounts to administer our server infrastructure. These admin accounts are often highly privileged and powerful accounts. Therefore, I would like to receive an e-mail notification when a user account is added to or removed from a group (in my previous post I shared with you a script to monitor just that), but added to that I also would like to receive a notification when, for example, the Password Never Expires option is ticked. Other scenarios may include notification when an admin account is created or deleted, or when the password of an admin account has been changed. And I would like to know who has made these changes and when. As an added benefit, you can also claim to any auditor that you have a log of all changes made to your admin accounts by simply saving the e-mails.