Simple Day to Day Administration
Been so long since my last update! Why haven’t I posted more? Well, for one I’m usually so tired from coming home from work I just don’t have any extra energy for PowerShelling. Another factor has been there are so many people doing so many interesting things I just couldn’t find anything that someone else wasn’t already doing much better than I am. The last bit is having an interesting project to talk about. I’ve been doing a lot of things at work, but it had to do with Windows cluster node moves, SQL Availability Group moves and so on. But ultimately the scripts become pretty specific to athena so it’s difficult to translate for general use.
I think I finally have something interesting, though, with Get-SAUser so read on!
My greatest passion is creating tools, especially when other people use them. I really do get a great thrill from seeing something I’ve written help someone out. Next best is when it helps me out. My Get-ComputerInfo (and thanks Microsoft for stealing my function name!) and Restart-ComputerAndWait functions are two of my favorites. For athena I also wrote a script early on that just provisions a new VM with all the proper settings and that script has gotten so popular in my group that most of us would struggle to provision a VM manually!
And that’s really where Get-SAUser came from. In my group we’re mostly engineering, so we don’t have to deal with the day to day care and feeding of users but we do have to essentially do the administration for the engineering teams, and honestly ourselves. We have an interesting setup at athena where we have FIVE different logins we have to keep track of, and inevitably someone forgets a password somewhere so we’re always unlocking and resetting each other’s passwords. Finding out if someone is locked is easy:
But it’s a lot to type each and every time and the default view for Get-ADUser leaves something to be desired. Is the Password Expired? What’s the Bad Password Count? What’s the Title or Description–don’t want to change the wrong password! I started work on a tool that would leverage RSAT and some other tools we already built to address this. Get-AHUser (athena health, get it?!) was born and it worked pretty well. I didn’t do a ton of work on it after initially publishing it because I was the only one using it and it did what I needed, so meh.
Then I discovered that at least one other guy was using it and that makes all the difference in the world. And I thought with the right tweaking this would make a really cool general tool for anyone to use. Get-AHUser also relied on RSAT being installed–something I could have reasonably assumed any admin would have–and AH.Automation, which is a common module we use where we put all our cool functions. Something no one would have–so a bit of a problem. To add some challenge I also wanted to eliminate the need for RSAT.
At its heart, Get-SAUser creates a global variable called $SAUser, which is just a [PSCustomObject] type to which I’ve added some custom members. One of the cool features you can add is ScriptProperties which will evaluate a scriptblock before displaying a value–and you can even update other values in the object. Sound familiar? Yep, it’s essentially a class but without the PowerShell 5.0 requirement.
First version of Get-AHUser just got the data and let you manipulate the global variable using methods I’d defined. But to see the results of what you did you had to re-execute Get-AHUser which would then refresh $AHUser. Get-SAUser eliminates that requirement by dynamically updating some of the fields every time you look at the values.
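The ScriptProperty pattern described above, as an added example that is not the Get-SAUser code itself. The names New-DemoUser, $Directory, LockedOut, BadPasswordCount and Unlock are assumptions for illustration, and a constructed hashtable stands in for Active Directory so the block runs without a domain or RSAT.

```powershell
# Constructed sample data standing in for a directory lookup (not real AD).
$Directory = @{
    'jdoe' = @{ DisplayName = 'Jane Doe'; LockoutTime = (Get-Date).AddMinutes(-5); BadPwdCount = 6 }
}

function New-DemoUser {
    # Hypothetical helper: wraps one directory entry in a PSCustomObject.
    param(
        [Parameter(Mandatory)][hashtable]$Store,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    if (-not $Store.ContainsKey($SamAccountName)) {
        throw "No such user: $SamAccountName"
    }

    # Entry holds a reference to the backing entry, not a copy of its values.
    $user = [PSCustomObject]@{
        SamAccountName = $SamAccountName
        Entry          = $Store[$SamAccountName]
    }

    # ScriptProperty: the scriptblock runs on every read, so the value is never cached.
    $user | Add-Member -MemberType ScriptProperty -Name LockedOut -Value {
        $null -ne $this.Entry.LockoutTime
    }
    $user | Add-Member -MemberType ScriptProperty -Name BadPasswordCount -Value {
        $this.Entry.BadPwdCount
    }

    # ScriptMethod: changes the backing entry; the properties reflect it on the next read.
    $user | Add-Member -MemberType ScriptMethod -Name Unlock -Value {
        $this.Entry.LockoutTime = $null
        $this.Entry.BadPwdCount = 0
    }
    $user
}

$DemoUser = New-DemoUser -Store $Directory -SamAccountName 'jdoe'
$DemoUser | Format-List SamAccountName, LockedOut, BadPasswordCount

# A change made outside the object (another failed logon) shows up without rebuilding it.
$Directory['jdoe'].BadPwdCount++
$DemoUser | Format-List SamAccountName, LockedOut, BadPasswordCount

# Acting through the method and reading again needs no second lookup call either.
$DemoUser.Unlock()
$DemoUser | Format-List SamAccountName, LockedOut, BadPasswordCount
```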
There are some cool features to Get-SAUser that might be completely obvious too. Not sure what the SamAccountName is? Just type a name; if Get-SAUser can’t find an exact match it will go for a general match on the DisplayName, then present you with a window where you can choose which user you want to work on. This same functionality works in the AddGroup() and RemoveGroup() methods.
Last logon is one of those incredibly painful exercises that we all seem to have to go through. We think we can just grab the LastLogonDate and we’ve got a banging report, except that it isn’t and getting that last logon information is a pain. Get-SAUser makes it as easy as typing $SAUser.GetLastLogon(). It’ll discover all your domain controllers and hit them all to find the latest and greatest Last Logon.
Here are a couple of examples (no test domain right now, so having to black out a bunch of stuff):
I just bought a new laptop so am excited to get my home/lab AD up and going again and can display things without the redacting!
I hope you find Get-SAUser helpful, or at least some of the techniques and code something you can cherry pick and use in your own products.