I have spent about 2 hours today working on a script to query specific Domain Controllers on the network, then verify if a service account is locked or not. And before anyone asks, I am aware of the ALTools kit from Microsoft, but it’s clunky and slow, and I don’t need to query 300+ DCs for my purposes.
That said, I like to see clean output results, and when certain info is longer than others, everything is very crooked and ugly. Here are some examples of my current output vs. what I’d like it to be:
CURRENT OUTPUT:
[ DC Checked: 15CHARSVRNAME01 ] [ DC Site: SITE1 ] [ UserName: SVC-ACCT-NAME ] [ Is Locked Out: False ] [ LastBadPasswordAttempt: 01/01/1970 00:00:00 ]
[ DC Checked: 15CHARSVRNAME03 ] [ DC Site: SITE_NUMBER_TWO ] [ UserName: SVC-ACCT-NAME ] [ Is Locked Out: False ] [ LastBadPasswordAttempt: N/A ]
[ DC Checked: 15CHARSVRNAME05 ] [ DC Site: SITE_WITH_LONGEST_NAME ] [ UserName: SVC-ACCT-NAME ] [ Is Locked Out: False ] [ LastBadPasswordAttempt: 01/01/1970 00:00:00 ]
IDEAL OUTPUT:
[ DC Checked: 15CHARSVRNAME01 ] [ DC Site: SITE1                  ] [ UserName: SVC-ACCT-NAME ] [ Is Locked Out: False ] [ LastBadPasswordAttempt: 01/01/1970 00:00:00 ]
[ DC Checked: 15CHARSVRNAME03 ] [ DC Site: SITE_NUMBER_TWO        ] [ UserName: SVC-ACCT-NAME ] [ Is Locked Out: True  ] [ LastBadPasswordAttempt: N/A                 ]
[ DC Checked: 15CHARSVRNAME05 ] [ DC Site: SITE_WITH_LONGEST_NAME ] [ UserName: SVC-ACCT-NAME ] [ Is Locked Out: False ] [ LastBadPasswordAttempt: 01/01/1970 00:00:00 ]
The culprits are the “Site”, “Locked” and “Lockout Attempt Time” columns. In my search for answers, I found this thread:
How to align spaces in PowerShell code output?
This is the closest I’ve come to an answer so far, but I don’t know how to format this method into the output I’m creating. Here is the script I’m using to create the output. I am handy with PS, but I’m no expert, so be gentle on your criticism of my mediocre code structure 😀
# Domain controllers to query: name prefix filter, then site-name matches, excluding staging sites
$AD_DC_Servers = Get-ADDomainController -Filter {name -like "15CHAR*"} |
    where { ($_.name -like "*SITE1*" -or
             $_.name -like "*TWO*" -or
             $_.name -like "*LONGEST*" ) -and (
             $_.site -notlike "*STAGING*" ) } |
    Sort-Object Name

# User attributes to request from each DC
$UserProperties = @("AccountLockoutTime",
                    "DisplayName",
                    "Enabled",
                    "isDeleted",
                    "LastBadPasswordAttempt",
                    "LockedOut",
                    "lockoutTime",
                    "UserPrincipalName")

$AD_User = Read-Host -Prompt "Enter Username"

# Query every DC in turn, because lockout state is reported per DC
foreach($DC in $AD_DC_Servers){
    $AD_User_Info = Get-ADUser -Server $DC -Identity $AD_User -Properties $UserProperties | select DisplayName, LockedOut, UserPrincipalName, LastBadPasswordAttempt
    $DC_Site = $DC.Site
    $UserName = $AD_User_Info.DisplayName
    $LockedOut = $AD_User_Info.LockedOut

    #IF statement to determine output of the "LastBadPasswordAttempt" variable
    if($null -eq $AD_User_Info.LastBadPasswordAttempt){
        $LastBadPasswordAttempt = "N/A"
    }else{
        $LastBadPasswordAttempt = $AD_User_Info.LastBadPasswordAttempt
    }

    $output = "[ DC Checked: $DC ] [ DC Site: $DC_Site ] [ UserName: $UserName ] [ Is Locked Out: $LockedOut ] [ LastBadPasswordAttempt: $LastBadPasswordAttempt ]"
    Write-Host $output -ForegroundColor Cyan -BackgroundColor Black
}
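
One way to get the aligned layout asked for above, as an added example that is not part of the original post: collect one row per DC first, then pad each column to the widest value seen. The rows are constructed sample data standing in for the per-DC Get-ADUser results, and Format-LockoutRows is a hypothetical helper name.

```powershell
# Constructed sample rows standing in for one Get-ADUser result per DC (not real data).
$rows = @(
    [pscustomobject]@{ DC = '15CHARSVRNAME01'; Site = 'SITE1'; UserName = 'SVC-ACCT-NAME'; LockedOut = $false; LastBadPasswordAttempt = [datetime]'1970-01-01' }
    [pscustomobject]@{ DC = '15CHARSVRNAME03'; Site = 'SITE_NUMBER_TWO'; UserName = 'SVC-ACCT-NAME'; LockedOut = $true; LastBadPasswordAttempt = $null }
    [pscustomobject]@{ DC = '15CHARSVRNAME05'; Site = 'SITE_WITH_LONGEST_NAME'; UserName = 'SVC-ACCT-NAME'; LockedOut = $false; LastBadPasswordAttempt = [datetime]'1970-01-01' }
)

# Hypothetical helper: widths depend on all rows, so nothing is printed until every DC has answered.
function Format-LockoutRows {
    param([Parameter(Mandatory)][object[]]$Rows)
    # Column label -> script block that renders that column's text for one row ($_).
    $columns = [ordered]@{
        'DC Checked'             = { $_.DC }
        'DC Site'                = { $_.Site }
        'UserName'               = { $_.UserName }
        'Is Locked Out'          = { [string]$_.LockedOut }
        'LastBadPasswordAttempt' = {
            if ($null -eq $_.LastBadPasswordAttempt) { 'N/A' }
            else { $_.LastBadPasswordAttempt.ToString('MM/dd/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture) }
        }
    }
    # Pass 1: render every cell as text (a missing attribute becomes an empty string).
    $text = @(foreach ($row in $Rows) {
        $cells = @{}
        foreach ($label in $columns.Keys) { $cells[$label] = [string]($row | ForEach-Object -Process ($columns[$label])) }
        $cells
    })
    # Pass 2: widest value per column.
    $width = @{}
    foreach ($label in $columns.Keys) {
        $width[$label] = ($text | ForEach-Object { $_[$label].Length } | Measure-Object -Maximum).Maximum
    }
    # Pass 3: pad each value to its column width and emit one line per row.
    foreach ($cells in $text) {
        $parts = foreach ($label in $columns.Keys) { '[ {0}: {1} ]' -f $label, $cells[$label].PadRight($width[$label]) }
        $parts -join ' '
    }
}

$lines = @(Format-LockoutRows -Rows $rows)
for ($i = 0; $i -lt $rows.Count; $i++) {
    # A locked-out row is printed in red so it stands out in a long list of DCs.
    $color = if ($rows[$i].LockedOut) { 'Red' } else { 'Cyan' }
    Write-Host $lines[$i] -ForegroundColor $color -BackgroundColor Black
}
```

To use it with the script above, build one `[pscustomobject]` per DC inside the `foreach` loop instead of calling `Write-Host` there, then pass the collected array to the helper once the loop has finished.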