Check Active Directory Accounts
Check for Active Directory accounts using PowerShell through NRPE / nsclient++:
-Account Disabled
-Account Expired
-Account Expiring
-Account Inactive
-Locked Out
-Password Expired
-Password Never Expires
Provides performance data so the results can be graphed.
###############################################
Tested Setup:
Monitoring Box:
-Centos 6.4 x64
-Nagios 3.4.4
-check_nrpe 2.13
-Centreon 2.4.2
Active Directory:
-Windows Server 2008 R2 / Windows Server 2012
-nsclient++ 0.4.1 x64
-AD in 2008 native mode (no impact)
-tested on both Core & GUI Servers
###############################################
Script arguments
The script accepts five positional arguments:
-action (LockedOut by default)
-searchBase (whole domain by default)
-searchScope (Subtree by default)
-maxWarn (Warning if the count is above this value)
-maxCrit (Critical if the count is above this value)
action can be:
AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires
LockedOut if omitted
searchBase can be:
dc=mydomain,dc=com or ou=my users,dc=mydomain,dc=com
whole domain if omitted
searchScope can be:
Base,OneLevel,Subtree
Subtree if omitted
maxWarn and maxCrit must be integers
###############################################
Local execution example:
PS C:\Program Files\NSClient++\scripts> . .\lotp_check_ad_accounts.ps1 AccountInactive "dc=mydomain,dc=com" subtree 5 10
CRITICAL: 216 AccountInactive|216;5;10
PS C:\Program Files\NSClient++\scripts>
NRPE execution:
[root~]# /usr/lib64/nagios/plugins/check_nrpe -H prd-dom-dc01 -n -c check_ad_account -a AccountInactive "dc=pmside,dc=net" subtree 5 10
CRITICAL: 216 AccountInactive|'AccountInactive'=216;5;10
[root~]#
###############################################
Installation:
On DC servers:
-copy the script into the folder C:\Program Files\NSClient++\scripts
-allow execution of unsigned local PowerShell scripts: Set-ExecutionPolicy RemoteSigned (or sign the script with your own PKI)
-add to nsclient.ini:
[/settings/external scripts/wrapped scripts]
check_ad_account=lotp_check_ad_accounts.ps1 $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$
###############################################
Configuration:
For example, on Centreon:
-Add a new command:
$USER1$/check_nrpe -H $HOSTADDRESS$ -n -c check_ad_account -a $ARG1$ "$ARG2$" $ARG3$ $ARG4$ $ARG5$
Then add a service check on the DC host, filling in the ARGs (action, searchBase, searchScope, maxWarn, maxCrit).
For graphs, enable performance data processing on the service check.
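The script builds a command string from its arguments and runs it with Invoke-Expression, so every value arriving over NRPE is re-parsed as PowerShell code. As an added example (not the author's script), the same check written with parameter splatting, which binds the arguments as plain values, plus @() around the result so .Count is reliable for zero or one object. It assumes the ActiveDirectory module and keeps the same five positional arguments and Nagios output format as the plugin above.

```powershell
# Added example, not the plugin's own script: the same check without Invoke-Expression.
# Assumes the ActiveDirectory module; the arguments mirror lotp_check_ad_accounts.ps1.
param(
    [ValidateSet("AccountDisabled","AccountExpired","AccountExpiring","AccountInactive",
                 "LockedOut","PasswordExpired","PasswordNeverExpires")]
    [string]$action = "LockedOut",
    [string]$searchBase = "",
    [ValidateSet("Base","OneLevel","Subtree")]
    [string]$searchScope = "Subtree",
    [int]$maxWarn = 5,
    [int]$maxCrit = 10
)
# ValidateSet rejects anything outside the list in the parameter binder, before the body runs.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
} catch {
    Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
    exit 2
}
if ($searchBase -eq "") { $searchBase = (Get-ADDomain).DistinguishedName }

# Splatting binds each argument as a value; nothing supplied over NRPE is re-parsed as code.
$params = @{
    $action     = $true        # the switch matching the action, e.g. -LockedOut
    SearchBase  = $searchBase
    SearchScope = $searchScope
    ErrorAction = "Stop"
}
try {
    # @() forces an array, so .Count is 0 or 1 instead of $null when few objects match
    $result = @(Search-ADAccount @params)
} catch {
    # an unknown SearchBase DN or a DC error ends up here as a plugin CRITICAL
    Write-Host "CRITICAL: Search-ADAccount failed: $($_.Exception.Message)"
    exit 2
}
$count = $result.Count
if ($count -gt $maxCrit)     { $state = "CRITICAL"; $exitcode = 2 }
elseif ($count -gt $maxWarn) { $state = "WARNING";  $exitcode = 1 }
else                         { $state = "OK";       $exitcode = 0 }
# Nagios plugin format: status text, then perfdata as 'label'=value;warn;crit
Write-Host "${state}: $count $action|'$action'=$count;$maxWarn;$maxCrit"
exit $exitcode
```

The script still needs its exit code relayed by nsclient++ (the wrapped scripts ps1 wrapper does this) for the WARNING/CRITICAL state to reach Nagios.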
Reviews (6)
by Stefan.Rudat, August 24, 2023
Thanks for the very useful script.
I had to make a little change, result.Count was always empty:
$result=invoke-expression $command
$SCount = ( $result | Measure-Object -Line).Lines
and in the following if and elseif:
if($SCount -gt $maxCrit)
elseif($SCount -gt $maxWarn)
Write-Host
$output=$state+": "+$SCount+" "+$action+"|"+$action+"="+$SCount+";"+$maxWarn+";"+$maxCrit
by gopinathnagios, May 17, 2017
Hi, I'm getting this error: " CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $ "
Can anyone help me with this?
My syntax: ./check_nrpe -H XXXX -c check_ad_account -a AccountInactive "dc=xx,dc=xx,dc=xx,dc=xx" subtree 5 10
by safurniss, August 2, 2016
I've modified the PowerShell script so that you can pass an additional parameter of either "UsersOnly" or "ComputersOnly"; otherwise it returns values for both user and computer objects.
# ====================================================================
# Search in AD for lockedout account. To be used through NRPE / nsclient++
# Author: Mathieu Chateau - LOTP
# mail: mathieu.chateau@lotp.fr
# version 0.1
# ====================================================================
#
# Require Set-ExecutionPolicy RemoteSigned.. or sign this script with your PKI
#
# ============================================================
#
# Do not change anything behind that line!
#
param
(
    [string]$action = "LockedOut",
    [string]$accountType = "",       # optional: UsersOnly or ComputersOnly; both object types if omitted
    [string]$searchBase = "",
    [string]$searchScope = "Subtree",
    [int]$maxWarn = 5,
    [int]$maxCrit = 10
)
# check that powershell ActiveDirectory module is present
if(Get-Module -Name "ActiveDirectory" -ListAvailable)
{
    try
    {
        # -ErrorAction Stop so a failed import is actually caught below
        Import-Module -Name ActiveDirectory -ErrorAction Stop
    }
    catch
    {
        Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
        exit 2
    }
}
else
{
    Write-Host "CRITICAL: Missing PowerShell ActiveDirectory module"
    exit 2
}
# check params if provided
if($action -notmatch "^(AccountDisabled|AccountExpired|AccountExpiring|AccountInactive|LockedOut|PasswordExpired|PasswordNeverExpires)$")
{
    Write-Host "CRITICAL: action parameter can only be AccountDisabled,AccountExpired,AccountExpiring,AccountInactive,LockedOut,PasswordExpired,PasswordNeverExpires. Provided $action"
    exit 2
}
# accountType is optional, so an empty value passes; anything else must be one of the two switches
if($accountType -notmatch "^(UsersOnly|ComputersOnly)?$")
{
    Write-Host "CRITICAL: accountType can only be UsersOnly,ComputersOnly. Provided $accountType"
    exit 2
}
if($searchScope -notmatch "^(Base|OneLevel|Subtree)$")
{
    Write-Host "CRITICAL: searchScope parameter can only be Base,OneLevel,Subtree. Provided $searchScope"
    exit 2
}
if(($searchBase -ne "") -and $searchBase -ne ((Get-ADDomain).DistinguishedName))
{
    # @() so .Count is valid even when zero or one object comes back
    $search=@(Get-ADObject -Filter 'ObjectClass -eq "OrganizationalUnit" -and DistinguishedName -eq $searchBase')
    if ($search.Count -ne 1)
    {
        Write-Host "CRITICAL: SearchBase not found or duplicate. Provided $searchBase"
        exit 2
    }
}
else
{
    $searchBase=(Get-ADDomain).DistinguishedName
}
$command="Search-ADAccount -"+$action
# only add the object-type switch when one was given
if($accountType -ne "")
{
    $command+=" -"+$accountType
}
$command+=" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope
# @() so .Count works for zero or one result as well
$result=@(invoke-expression $command)
if($result.Count -gt $maxCrit)
{
    $state="CRITICAL"
    $exitcode=2
}
elseif($result.Count -gt $maxWarn)
{
    $state="WARNING"
    $exitcode=1
}
else
{
    $state="OK"
    $exitcode=0
}
$output=$state+": "+$result.Count+" "+$action+"|"+$action+"="+$result.Count+";"+$maxWarn+";"+$maxCrit
Write-Host $output
exit $exitcode
by Timon, March 30, 2015
I tried this script with PasswordExpired and I found no result. When I ran:
Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'}
I do get 1 result. It seems Search-ADAccount and Get-ADUser are giving different results.
I tried to change the script:
if($action -eq "PasswordExpired")
{
$command="Get-ADUser -Filter * -Property PasswordExpired | Where {$_.Enabled -eq 'True' -and $_.PasswordExpired -Eq 'True'}"
$result=invoke-expression $command
}
else
{
$command="Search-ADAccount -"+$action+" -SearchBase '"+$searchBase+"' -SearchScope "+$searchScope
$result=invoke-expression $command
}
I did not get any result with this change. How can I get the correct response for PasswordExpired accounts?
by jlovegrove, January 5, 2015
Works as described!
by carlschulz, June 5, 2014
This useful script gives good control on the state of your AD accounts. I wanted to show a Warning at 1 and Critical at 2 or more errors, and ran into a problem with the script.
Solution:
Returning 0 or one element in an array results in a different return variable not supporting the .Count property.
Change the invoke-expression line to
$result=@(invoke-expression -Command "$command" -OutBuffer 1000)
To correctly process the return value of the script in the NSClient++ call of the PowerShell script and pass it on, we need to use exit $lastexitcode; otherwise we are passing on the success of powershell, not the return value of the script itself.
So the NSClient++ ini file needs to contain lines like this:
check_ps_lotp_check_ad_account_disabled=cmd /c echo scripts\lotp_check_ad_accounts.ps1 AccountDisabled "cn=AAA,dc=BBB,dc=com" Subtree 0 1; exit $lastexitcode | powershell.exe -noprofile -executionpolicy bypass -command -
cn= is not evaluated by the script; some changes are needed there too, or just hardcode the SearchBase variable.
That's it!