Hello,
Do you know how we can monitor AD users' expiration dates (not password expiration dates) through Zabbix.
Do you know how we can monitor AD users' expiration dates (not password expiration dates) through Zabbix.
-
-
Hello Beki4,
With Powershell, you could set up a script that retrieves user names along with their expiration dates and stores them in a CSV file.
And then you could create a function that allows you to either find users without an expiration date or with a past expiration date.
After you create your script, you could specify the path to your Zabbix agent so that Zabbix can execute it.
Like, this is for the installation of the module
And this to get the names with the expriration dateCode:Import-Module ActiveDirectory
Good LuckCode:Get-ADUser -Filter * -Properties AccountExpirationDate | Select-Object Name, AccountExpirationDate | Export-Csv -Path "C:\chemin\vers\le\fichier\dates_expiration.csv" -NoTypeInformation
-
I've got powershell script that is used with discovery however for password expiration - you can modify it easily to get the stuff you need from the right place this way you will have proper discovery with items/per user and dates
fell free to use it if you are good with PowerShell (note this isn't the best script but gets job done)
preprocessing for item prototype:
Code:# Import the Active Directory module Import-Module ActiveDirectory # Define the security group name $securityGroupName = "Password Change Group Policy" # Get the Distinguished Name (DN) of the security group $securityGroupDN = (Get-ADGroup -Filter {Name -eq $securityGroupName}).DistinguishedName # Get the Fine-Grained Password Policy linked to the specified security group $fgpp = Get-ADFineGrainedPasswordPolicy -Filter {AppliesTo -eq $securityGroupDN} # Check if a Fine-Grained Password Policy is linked to the group if ($fgpp) { # Retrieve the Maximum Password Age from Fine-Grained Password Policy and convert to days $daysDuration = [math]::floor($fgpp.MaxPasswordAge.Days) $epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc) # Get all users from the specified security group $users = Get-ADGroupMember -Identity $securityGroupDN | Get-ADUser -Properties EmailAddress, GivenName, PasswordLastSet, SamAccountName, DisplayName, LockedOut # Create an array to store user objects $userArray = @() # Loop through each user and create a custom object with the desired attributes foreach ($user in $users) { $passwordLastSetUnixTimestamp = [math]::round(($user.PasswordLastSet - $epoch).TotalMilliseconds) $expiryDate = $user.PasswordLastSet.AddDays($daysDuration) $expiryDateFormatted = $expiryDate.ToString("dd MMMM yyyy") $expiryDateDaysDifference = [math]::floor(($expiryDate.Date - (Get-Date).Date).TotalDays) # Calculate "Expired" value based on today's date and ExpiryDateCalculated $expired = if ($expiryDate -lt (Get-Date)) { '1' } else { '2' } $userObject = [PSCustomObject]@{ EmailAddress = $user.EmailAddress -replace '"', '\"' GivenName = $user.GivenName -replace '"', '\"' PasswordLastSet = "$passwordLastSetUnixTimestamp" SamAccountName = $user.SamAccountName -replace '"', '\"' DisplayName = $user.DisplayName -replace '"', '\"' LockedOut = "$($user.LockedOut)" ExpiryDateCalculated = $expiryDateFormatted DaysDifference = "$expiryDateDaysDifference" Expired = "$expired" } # Add the user object to the array $userArray += $userObject } # Manually handle square brackets based on the number of users if ($userArray.Count -eq 1) { Write-Host "[" Write-Output $userArray | ConvertTo-Json Write-Host "]" } elseif ($userArray.Count -gt 1) { $userArray | ConvertTo-Json } } else { Write-Host "No Fine-Grained Password Policy found for '$securityGroupName' or the group is not specified in any policy." }Last edited by PeterZielony; 18-06-2024, 17:39.
Hiring in the UK? Drop a messageComment
-
I will try to compose a PS1 script with zabbix trapperLast edited by Beki4; 20-06-2024, 14:08.Comment
-
I have some user in active directory that have an expiration date, i want to clear Expiration date to be never, i tried to use nullable datetime and put value null in a value for “set user expiration date” activity but it didn’t help.Hello Beki4,
With Powershell, you could set up a script that retrieves user names along with their expiration dates and stores them in a CSV file.
And then you could create a function that allows you to either find users without an expiration date or with a past expiration date.
After you create your script, you could specify the path to your Zabbix agent so that Zabbix can execute it.
Like, this is for the installation of the module
And this to get the names with the expriration dateCode:Import-Module ActiveDirectory
Good LuckCode:Get-ADUser -Filter * -Properties AccountExpirationDate | Select-Object Name, AccountExpirationDate | Export-Csv -Path "C:\chemin\vers\le\fichier\dates_expiration.csv" -NoTypeInformation
Comment
-
Hello,
I have managed to write a PS script that provides information about the accounts' expiration date and dates until expiry, but Zabbix trapper does not catch the info If I do not run the zabbix_sender command manually. How I can automate the process? Please help
Comment
-
Windows task scheduler if you insist on using trapper item
trapper is just receiver in Zabbix - it doesn't trigger by itselfLast edited by PeterZielony; 25-06-2024, 16:54.
Hiring in the UK? Drop a messageComment
Comment