AD Account Problem Quick-Check Tool

source link: https://blog.darkthread.net/blog/ad-account-status-quick-check/

2020-12-24 10:08 PM

Websites that use Windows Integrated Authentication occasionally get reports from users that they cannot log in with their AD account. The common causes are a mistyped password, a locked account, an expired password and the like; I have also run into rare cases such as no network path to the Domain Controller or a wrong clock on the PC. The first step of the SOP for an AD login failure should be to rule out the common conditions (locked account, expired password) before spending time on investigation, just as the manual of a dehumidifier, microwave or TV ends with a troubleshooting table telling you to first check that the power cord is plugged in and the switch is on, so nobody wastes time on trivial mistakes.

Looking up AD account information usually means asking a network administrator to find the account in the management UI and read its status. I spent some time writing the following PowerShell to streamline the SOP: no management console, no mouse, just type the command with the account name and the result is there in two seconds. Let's call it the "AD account problem quick check"!

param (
    [Parameter(Mandatory=$True)]
    [string] $userId
)
# DNS suffix of the forest; the NetBIOS domain prefix typed by the user is
# prepended to it (e.g. CORP\user -> corp.company-domain.com) to locate a DC.
$dc = "company-domain.com"
Import-Module ActiveDirectory
Write-Host "*** AD 帳號問題快篩 Ver 1.0***" -ForegroundColor Yellow
$ErrorActionPreference = "STOP"
# Accept only DomainName\UserId; "\\" is a literal backslash in the regex
$match = [System.Text.RegularExpressions.Regex]::Match($userId, "^(?<d>.+)\\(?<u>.+)`$")
if (!$match.Success) {
    Write-Host "請輸入 DomainName\UserId 帳號格式"
    Exit
}
$domain = $match.Groups["d"].Value
$userId = $match.Groups["u"].Value
try
{
    # Query a DC of the user's own domain so LockedOut reflects its current state
    [string]$svr = (Get-ADDomainController -Discover -Domain "$domain.$dc").HostName
    $user = Get-ADUser $userId -Properties LockedOut,LastLogonDate,PasswordLastSet,PasswordNeverExpires,msDS-UserPasswordExpiryTimeComputed -Server $svr
}
catch
{
    Write-Host "找不到使用者 - $userId"
    Exit
}

# Label in cyan, value in white; green/red when $pass says whether the value is OK
function Print([string]$label, [string]$value, $pass = $null) {
    Write-Host "$($label): " -ForegroundColor Cyan -NoNewline
    $color = [ConsoleColor]::White
    if ($null -ne $pass) {
        if ($pass -eq $true) { $color = [ConsoleColor]::Green }
        else { $color = [ConsoleColor]::Red }
    }
    Write-Host $value -ForegroundColor $color
}

function ToYN([bool]$bool) {
    if ($bool) {
        return "是"
    }
    return "否"
}

# Format a nullable DateTime: LastLogonDate is $null for an account that has
# never logged on, PasswordLastSet is $null when the password must be changed
# at next logon. Calling .ToString() on $null would abort the script.
function FormatDate($date) {
    if ($null -eq $date) { return "N/A" }
    return ([DateTime]$date).ToString("yyyy-MM-dd HH:mm:ss")
}

Print "登入帳號" $user.SamAccountName
Print "帳號名稱" "$($user.Name) / $($user.GivenName)"
Print "上次登入" (FormatDate $user.LastLogonDate)
Print "是否啟用" (ToYN $user.Enabled) -pass ($user.Enabled)
Print "是否鎖定" (ToYN $user.LockedOut) -pass (!$user.LockedOut)
Print "上次密碼修改" (FormatDate $user.PasswordLastSet)
if (!$user.PasswordNeverExpires)
{
    # FILETIME ticks: 0 = must change at next logon (shown as already expired),
    # Int64.MaxValue = the domain has no maximum password age (not convertible)
    [Int64]$expiryTicks = $user."msDS-UserPasswordExpiryTimeComputed"
    if ($expiryTicks -eq [Int64]::MaxValue) {
        Print "密碼到期日" "N/A"
    }
    else {
        [DateTime]$nextChgDate = [DateTime]::FromFileTime($expiryTicks)
        [timespan]$timeLeft = $nextChgDate - [DateTime]::Now

        Print "密碼到期日" $nextChgDate.ToString("yyyy-MM-dd HH:mm:ss") -pass ($timeLeft.TotalSeconds -gt 0)
        Write-Host "密碼到期提示: " -NoNewline -ForegroundColor Cyan
        if ($timeLeft.TotalSeconds -lt 0)
        {
            Write-Host "密碼已於 $($nextChgDate.ToString("yyyy-MM-dd HH:mm:ss")) 到期" -ForegroundColor Red
        }
        else {
            # Yellow normally, magenta when a week or less remains
            $color = [ConsoleColor]::Yellow
            [int]$daysLeft = $timeLeft.TotalDays
            if ($daysLeft -le 7) { $color = [ConsoleColor]::Magenta }
            Write-Host "密碼還有 $($daysLeft) 天到期" -ForegroundColor $color
        }
    }
}
else {
    Write-Host "** 密碼永久有效 **" -ForegroundColor Magenta
}

The output looks like this: enter "DomainName\ADAccount" and it shows whether the account is enabled, whether it is locked, the last logon time, the last password change time, the password expiry time and so on, so the common AD problems can be ruled out before digging any deeper. Help yourself if you need it.
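The quick check above only reports that an account is locked; the next question in practice is which domain controller is receiving the bad passwords, because badPwdCount and the last bad-password time are not replicated between DCs. The following script is an added example, not part of the original post; it assumes the ActiveDirectory module, read access to those attributes, and uses corp.example.com as a placeholder domain.

```powershell
# Added example (not from the original post): find the DC that is recording
# the bad password attempts for a locked account, and when it will auto-unlock.
# Assumes the ActiveDirectory module; corp.example.com is a placeholder.
param (
    [Parameter(Mandatory=$True)]
    [string] $userId,
    [string] $domainFqdn = "corp.example.com"
)
Import-Module ActiveDirectory

# Lockout policy: how many failures lock the account and when it auto-unlocks
$policy = Get-ADDefaultDomainPasswordPolicy -Server $domainFqdn
Write-Host ("Lockout threshold {0} failures, duration {1}, observation window {2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow)

# badPwdCount / badPasswordTime are per-DC, so ask every DC; an unreachable
# DC is reported as such instead of aborting the whole run
$rows = foreach ($dc in Get-ADDomainController -Filter * -Server $domainFqdn) {
    try {
        $u = Get-ADUser $userId -Server $dc.HostName -ErrorAction Stop `
            -Properties badPwdCount,LastBadPasswordAttempt,lockoutTime,LockedOut
        # lockoutTime is a FILETIME; 0 or missing means not locked on this DC
        $lockedAt = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        [pscustomobject]@{
            DC             = $dc.HostName
            BadPwdCount    = $u.badPwdCount
            LastBadAttempt = $u.LastBadPasswordAttempt
            LockedOut      = $u.LockedOut
            LockedAt       = $lockedAt
        }
    }
    catch {
        [pscustomobject]@{ DC = $dc.HostName; BadPwdCount = 'unreachable'
                           LastBadAttempt = $null; LockedOut = $null; LockedAt = $null }
    }
}
# The DC with the newest attempt / highest count is where the failures arrive;
# its Security log (4771 Kerberos pre-auth failure, 4776 NTLM validation) and
# event 4740, which the PDC emulator also records, name the client sending them.
$rows | Sort-Object LastBadAttempt -Descending | Format-Table -AutoSize

$first = $rows | Where-Object { $_.LockedAt } | Sort-Object LockedAt | Select-Object -First 1
if ($first) {
    # A non-positive LockoutDuration means "until an administrator unlocks it"
    if ($policy.LockoutDuration -le [TimeSpan]::Zero) {
        Write-Host "Locked on $($first.DC) at $($first.LockedAt); policy requires manual unlock" -ForegroundColor Yellow
    } else {
        $unlockAt = $first.LockedAt + $policy.LockoutDuration
        Write-Host "Locked on $($first.DC) at $($first.LockedAt); auto-unlock at $unlockAt" -ForegroundColor Yellow
    }
}
```

A stale password cached by a service, scheduled task or mapped drive on the client named in those events is the usual reason the count keeps climbing after the user has stopped typing.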
