PowerShell: ActiveDirectory monitoring script
From ICO wiki
<Source lang="powershell">
<#
.SYNOPSIS
Nagios monitoring script for Active Directory status.
.DESCRIPTION
This script checks Active Directory status. A user's description is queried and checked for the expected result.
.Parameter UserName
Specifies the SamAccountName of the user to search for. Required.
.Parameter SearchString
Specifies the string to search for in the account's "Description" field. Optional argument. No spaces allowed.
.Parameter SearchRoot
Specifies an Active Directory path to search under. Optional, but recommended for optimal performance. No spaces allowed.
.Example
check_ad.ps1 -UserName monit -SearchString postkastiga -SearchRoot CN=Users,DC=deploy,DC=local
Searches Active Directory under the path 'CN=Users,DC=deploy,DC=local' for the Description field of SamAccountName 'monit' and looks for the string 'postkastiga'.
.Example
check_ad.ps1 -UserName monit -SearchString postkastiga
Searches Active Directory for the Description field of SamAccountName 'monit' and looks for the string 'postkastiga', using the localhost server. Optional parameters have not been included.
.Outputs
System.String. The script writes the AD status description to standard output. The return code is also provided:
Return code   Service Status
---------------------------
0             Ok
1             Warning
2             Critical
3             Unknown
.NOTES
Author:  Mauno Pihelgas
Version: 0.5
Date:    24.04.2012
Changes: Backward compatible (with Server 2003 and 2008) .NET classes used for searching AD.
Version history:
v0.1 - Initial implementation with the AD module cmdlet Get-ADUser. Not compatible with pre-2008 R2 releases.
v0.2 & v0.3 - Improvements to the initial release.
v0.4 - OS detection added for backward compatibility.
.LINK
http://technet.microsoft.com/en-us/library/ff730967.aspx
#>
[CmdletBinding(DefaultParameterSetName="Action")]
Param(
    [Parameter(Mandatory=$true)]
    [Alias("UN")]
    [string] $UserName,

    [Alias("SS")]
    [string] $SearchString = "",

    [Alias("SR")]
    [string[]] $SearchRoot = ""
)

Set-StrictMode -Version Latest

# Nagios-style output prefixes, indexed by the return code
[string[]]$Prefix = "OK:", "WARNING:", "CRITICAL:", "UNKNOWN:"
[int]$Status = 0

# Join the $SearchRoot array back to a string (if the argument is given).
# This is due to NSClient++ security limitations, which block nasty characters like "'`´;& etc.
if ($SearchRoot[0] -eq "") {
    [string]$SearchRoot = ""
} else {
    [string]$SearchRoot = [string]::Join(",", $SearchRoot)
    $SearchRoot = "LDAP://$SearchRoot"
}

# Get results
try {
    Write-Verbose "Querying user `"$UserName`" info from AD with a SearchRoot of $SearchRoot"
    # An empty path binds to the default naming context of the local domain
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry("$SearchRoot")
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.ClientTimeout = "00:00:10"
    $objSearcher.Filter = "(&(objectCategory=User)(sAMAccountName=$UserName))"
    $objSearcher.SearchScope = "Subtree"
    $null = $objSearcher.PropertiesToLoad.Add("description")
    $Result = $objSearcher.FindOne()
    # A user that is not found leaves $Result as $null; report it through the catch block as CRITICAL
    if ($Result -eq $null) { throw "User '$UserName' not found" }
    [string]$Result = $Result.Properties.description
} catch {
    $Status = 2
    Write-Verbose "Problem retrieving data. Please verify server settings and given arguments."
    Write-Host "$($Prefix[$Status]) Could not retrieve information from AD"
    exit $Status
}

# Search the description field for $SearchString
if ($Result.Contains($SearchString)) {
    $Status = 0
    Write-Verbose "Everything seems OK. Found user: $UserName`nFound description: $Result"
    Write-Host "$($Prefix[$Status]) AD seems to be operating normally"
} else {
    $Status = 1
    Write-Verbose "Found string: $Result`nSearched for string: $SearchString"
    Write-Host "$($Prefix[$Status]) Expected user description not found"
}
exit $Status
</Source>
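The script above builds its LDAP filter by interpolating `-UserName` directly, and relies on the NSClient++ argument filtering described in its comments to keep special characters out. The following added example (not part of the wiki script; `ConvertTo-LdapFilterValue` and `New-UserFilter` are hypothetical helper names) shows the complementary, agent-independent control: escaping the value per RFC 4515 so it is always matched literally, whatever the monitoring agent lets through.

```powershell
# Added example: escape a value before embedding it in an LDAP search filter (RFC 4515).
# ConvertTo-LdapFilterValue and New-UserFilter are hypothetical names, not from the wiki script.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory=$true)][AllowEmptyString()][string] $Value)
    $escaped = $Value
    # Backslash is replaced first so the escape sequences added afterwards are not doubled.
    foreach ($pair in @(@('\', '\5c'), @('*', '\2a'), @('(', '\28'), @(')', '\29'), @("`0", '\00'))) {
        $escaped = $escaped.Replace($pair[0], $pair[1])   # literal, non-regex replacement
    }
    return $escaped
}

function New-UserFilter {
    param([Parameter(Mandatory=$true)][string] $UserName)
    $safeName = ConvertTo-LdapFilterValue -Value $UserName
    return "(&(objectCategory=User)(sAMAccountName=$safeName))"
}

# Drop-in use in the monitoring script:
#   $objSearcher.Filter = New-UserFilter -UserName $UserName

# Constructed inputs showing the effect: wildcard and parentheses become literal characters
New-UserFilter -UserName 'monit'     # (&(objectCategory=User)(sAMAccountName=monit))
New-UserFilter -UserName 'mon*'      # (&(objectCategory=User)(sAMAccountName=mon\2a))
New-UserFilter -UserName 'svc(01)'   # (&(objectCategory=User)(sAMAccountName=svc\2801\29))
```

With the escaped filter, a username containing `*` no longer widens the search to several accounts, so the check reports on exactly the account it was given.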