PowerShell: ActiveDirectory monitoring script

From ICO wiki

<source lang="powershell">
<#
.SYNOPSIS
 Nagios monitoring script for Active Directory status.

.DESCRIPTION
 This script checks Active Directory status. A user description is queried and checked whether proper result is

.PARAMETER UserName
 Specifies SamAccountName for the user to search. Required.

.PARAMETER SearchString
 Specifies string to search from the account "Description" field. Optional argument. No spaces allowed.

.PARAMETER SearchRoot
 Specifies an Active Directory path to search under. Optional, however recommended for optimal performance. No spaces allowed.

.EXAMPLE
 check_ad.ps1 -UserName monit -SearchString postkastiga -SearchRoot CN=Users,DC=deploy,DC=local
 Searches Active Directory under path 'CN=Users,DC=deploy,DC=local' for SamAccountName 'monit' Description field
 for string 'postkastiga'.

.EXAMPLE
 check_ad.ps1 -UserName monit -SearchString postkastiga
 Searches Active Directory for SamAccountName 'monit' Description field for string 'postkastiga' from localhost
 server. Optional parameters have not been included.

.OUTPUTS
 System.String.  Script sends the AD status description to standard output.  The return code is also provided:
 Return code    Service Status
      0         Ok
      1         Warning
      2         Critical
      3         Unknown

.NOTES
 Author:  Mauno Pihelgas
 Version: 0.5
 Date:    24.04.2012
 Changes: Backward compatible (with Server 2003 and 2008) .NET classes used for searching AD.
 Version history:
 v0.1      - Initial implementation with AD module cmdlet Get-ADUser. Not compatible with pre 2008 R2 releases.
 v0.2&v0.3 - Improvements to initial release.
 v0.4      - OS detection added for backward compatibility.
#>

[CmdletBinding(DefaultParameterSetName="Action")]
Param(
   [parameter(Mandatory=$true)]
   [string]$UserName,
   $SearchString = "",
   # Left untyped on purpose: a comma-separated DN on the command line arrives as a string array.
   $SearchRoot = ""
)

Set-StrictMode -Version Latest
# Nagios plugin prefixes, indexed by the Nagios return code.
[string[]]$Prefix = "OK:", "WARNING:", "CRITICAL:", "UNKNOWN:"
[int]$Status = 0

# Join the $SearchRoot array back to a string (if argument is given).
# This is due to NSClient++ security limitations. Blocking nasty characters like "'`´;& etc.
# (-not $SearchRoot) is true both for the default "" and for an empty array.
if (-not $SearchRoot) {
   # Empty path: DirectoryEntry binds to the default naming context of the current domain.
   [string]$SearchRoot = ""
} else {
   [string]$SearchRoot = [string]::join(",", $SearchRoot)
   $SearchRoot = "LDAP://$SearchRoot"
}

# Get results
try {
   Write-Verbose "Querying user `"$UserName`" info from AD with a SearchRoot of $SearchRoot"
   $objDomain = New-Object System.DirectoryServices.DirectoryEntry("$SearchRoot")
   $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
   $objSearcher.SearchRoot = $objDomain
   $objSearcher.ClientTimeout = "00:00:10"
   # $UserName is placed into the LDAP filter unescaped; the NSClient++ character
   # restrictions mentioned above are what keeps reserved filter characters out of it.
   $objSearcher.Filter = "(&(objectCategory=User)(SAMAccountName=$UserName))"
   $objSearcher.SearchScope = "Subtree"
   $null = $objSearcher.PropertiesToLoad.Add("description")
   $Result = $objSearcher.FindOne()
   # No matching account is a failure of the check, not an empty description.
   if ($null -eq $Result) {
      throw "No user with SamAccountName '$UserName' found under '$SearchRoot'"
   }
   # The value collection converts to a single string ("" when the attribute is unset).
   [string]$Result = $Result.Properties["description"]
} catch {
   $Status = 2
   Write-Verbose "Problem retrieving data. Please verify server settings and given arguments."
   Write-Host ($Prefix[$Status] + " Could not retrieve information from AD")
   exit $Status
}

# Search description field for $SearchString
if ($Result.Contains($SearchString)) {
   $Status = 0
   Write-Verbose "Everything seems OK. Found user: $UserName`nFound description: $Result"
   Write-Host ($Prefix[$Status] + " AD seems to be operating normally")
} else {
   $Status = 1
   Write-Verbose "Found string: $Result`nSearched for string: $SearchString"
   Write-Host ($Prefix[$Status] + " Expected user description not found")
}
exit $Status
</source>
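The script above interpolates $UserName straight into the LDAP search filter and relies on NSClient++ to reject reserved characters. The following added example (not part of the wiki script; the function names ConvertTo-LdapFilterValue and New-SamAccountFilter are assumptions) shows how to escape a filter value as RFC 4515 requires, so the check does not depend on the calling agent's argument filtering:

```powershell
# Added example, not part of the wiki script. Function names are assumptions.
# Escapes the characters RFC 4515 reserves inside an LDAP filter value so that
# a caller-supplied SamAccountName can only ever be matched literally.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory=$true)][AllowEmptyString()][string]$Value)
    # Backslash must be replaced first, otherwise the escapes added afterwards
    # would themselves be re-escaped.
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Builds the same filter the monitoring script uses, with the value escaped.
function New-SamAccountFilter {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $safe = ConvertTo-LdapFilterValue -Value $SamAccountName
    return "(&(objectCategory=User)(SAMAccountName=$safe))"
}

# Constructed sample values: a plain name and names carrying reserved characters.
foreach ($name in @('monit', 'svc*acct', 'ad(min)', 'corp\svc')) {
    Write-Host ("{0,-10} -> {1}" -f $name, (New-SamAccountFilter -SamAccountName $name))
}
```

In the wiki script the filter line would then read `$objSearcher.Filter = New-SamAccountFilter -SamAccountName $UserName`, and an escaped name such as `svc\2aacct` matches only an account literally called `svc*acct`.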