PowerShell: ActiveDirectory monitooringuskript

From ICO wiki
Revision as of 14:18, 22 May 2012 by Mpihelga (talk | contribs) (Leht loodud)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

<Source lang="powershell">

<# .SYNOPSIS

 Nagios monitoring script for Active Directory status.

.DESCRIPTION

 This script checks Active Directory status. A user description is queried and checked whether proper result is 
 returned.
 

.Parameter UserName

 Specifies SamAccountName for the user to search. Required.

.Parameter SearchString

 Specifies string to search from the account "Description" field. Optional argument. No spaces allowed.

.Parameter SearchRoot

 Specifies an Active Directory path to search under. Optional, however recommended for optimal performance. No spaces allowed.
 

.Example

 check_ad.ps1 -UserName monit -SearchString postkastiga -SearchRoot CN=Users,DC=deploy,DC=local
 
 Searches Active Directory under path 'CN=Users,DC=deploy,DC=local' for SamAccountName 'monit' Description field 
 for string 'postkastiga'.

.Example

 check_ad.ps1 -UserName monit -SearchString postkastiga
 
 Searches Active Directory for SamAccountName 'monit' Description field for string 'postkastiga' from localhost 
 server. Optional parameters have not been included.

.Outputs

 System.String.  Script sends backup status description to standard output.  The return code is also provided:
 Return code    Service Status
 ---------------------------
      0         Ok
      1         Warning
      2         Critical
      3         Unknown

.NOTES

 Author:  Mauno Pihelgas
 Version: 0.5
 Date:    24.04.2012
 Changes: Backward compatible (with Server 2003 and 2008) .NET classes used for searching AD.
 Version history:
 v0.1      - Initial implementation with AD module cmdlet Get-ADUser. Not compatible with pre 2008 R2 releases.
 v0.2&v0.3 - Improvments to initial release.
 v0.4      - OS detection added for backward compatibility.
 

.LINK

 http://technet.microsoft.com/en-us/library/ff730967.aspx
  1. >

[cmdletbinding(DefaultParameterSetName="Action")] Param( [parameter(Mandatory=$true)]

       [Alias("UN")]
       [string]
       $UserName,
       [Alias("SS")]
       [string]
       $SearchString = "",
 
       [Alias("SR")]
       [string[]]
       $SearchRoot = ""

)

Set-StrictMode -Version Latest [string[]]$Prefix = "OK:", "WARNING:", "CRITICAL:", "UNKNOWN:" [int]$Status = 0


  1. Join the $SearchRoot array back to a string (if argument is given).
  2. This is due to NSClient++ security limitations. Blocking nasty characters like "'`´;& etc.

if ($SearchRoot[0] -eq "") {

   [string]$SearchRoot = ""

} else {

   [string]$SearchRoot = [string]::join(",", $SearchRoot)
   $SearchRoot = "LDAP://$SearchRoot"

}


  1. Get results

try {

   Write-Verbose "Querying user `"$UserName`" info from AD with a SearchRoot of $SearchRoot"
   $objDomain = New-Object System.DirectoryServices.DirectoryEntry("$SearchRoot")
   $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
   $objSearcher.SearchRoot = $objDomain
   $objSearcher.ClientTimeout = "00:00:10"
   $objSearcher.Filter = "(&(objectCategory=User)(SAMAccountName=$UserName))"
   $objSearcher.SearchScope = "Subtree"
   $null = $objSearcher.PropertiesToLoad.Add("description")
   $Result = $objSearcher.FindOne()
   [string]$Result = $Result.Properties.description

} catch {

   $Status = 2
   Write-Verbose "Problem retrieving data. Please verify server settings and given arguments."
   Write-Host $Prefix[$Status]"Could not retrieve information from AD"
   exit $Status

}


  1. Search description field for $SearchString

if ($Result.Contains($SearchString)) {

   $Status = 0
   Write-Verbose "Everything seems OK. Found user: $Username`nFound description: $Result"
   Write-Host $Prefix[$Status]"AD seems to be operating normally"

} else {

   $Status = 1
   Write-Verbose "Found string: $Result`nSearched for string: $SearchString"
   Write-Host $Prefix[$Status]"Expected user description not found"

} exit $Status