
PowerShell Script to Audit User Account Details in Active Directory

Managing user accounts in Active Directory (AD) is more than just creating and deleting users. Auditing user accounts can help administrators track security compliance, account activity, and access levels. With PowerShell, you can generate detailed reports for any user, including last password change, last logon, group membership, and applied group policies.

In this post, we’ll cover:

  1. Why auditing user accounts matters.
  2. Which attributes to collect for each user.
  3. A PowerShell script that gathers them for one or more users.
  4. How the script works, and tips for running it in production.
Why Audit User Accounts?

Regular audits of user accounts are crucial for:

  1. Security compliance – confirming that password policies are actually being followed.
  2. Account activity – finding inactive accounts that should be disabled or removed.
  3. Access levels – reviewing group memberships that grant rights a user may no longer need.
  4. Policy coverage – spotting users who receive unexpected, or no, Group Policy settings.
Key Attributes to Audit

When auditing a user, consider including:

  1. Username / Display Name – Basic identification.
  2. Last Password Change – Helps track compliance with password policies.
  3. Account Expiration / Enabled / Locked-Out Status – Detects disabled, expired, or locked-out accounts. Note that lock-out is a separate attribute (LockedOut); an enabled account can still be locked out.
  4. Last Logon / Last Activity – Measures user activity.
  5. Group Memberships – Determines access rights.
  6. Applied Group Policies – Shows which policy settings actually reach the user.
  7. Email / Office / Title – Optional business information.

PowerShell Script to Audit User Account Details

The following PowerShell script gathers all these attributes for a single user or a list of users and outputs the report in a table format, which can also be exported to CSV.

# -----------------------------
# Active Directory User Audit
# -----------------------------

# Specify the user(s) to audit by sAMAccountName; add as many as you need
$Users = @("jdoe","asmith")

# Where the CSV is written; it lists group memberships, so treat it as sensitive
$OutputPath = "C:\ADUserAuditReport.csv"

# Both modules ship with RSAT: ActiveDirectory for the user lookups, GroupPolicy for RSoP
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Only request the attributes the report uses; -Properties * is slow and noisy at scale
$Props = 'DisplayName','EmailAddress','Title','Office','Enabled','LockedOut',
         'AccountExpirationDate','PasswordLastSet','PasswordNeverExpires','MemberOf'

# Look these up once rather than inside the loop
$Domain = (Get-ADDomain).NetBIOSName
$DCs    = Get-ADDomainController -Filter *

$Report = foreach ($User in $Users) {
    # Get user object
    $ADUser = Get-ADUser -Identity $User -Properties $Props

    # lastLogon is not replicated, so each DC only knows the logons it handled itself.
    # Ask every DC and keep the newest value. (lastLogonTimestamp is replicated but
    # can lag the real value by up to 14 days.)
    $LastLogonTimes = foreach ($DC in $DCs) {
        try {
            $Raw = (Get-ADUser -Identity $User -Server $DC.HostName -Properties LastLogon -ErrorAction Stop).LastLogon
            if ($Raw) { [DateTime]::FromFileTime($Raw) }
        } catch {
            Write-Warning "Could not query $($DC.HostName) for ${User}: $($_.Exception.Message)"
        }
    }
    $LastLogon = if ($LastLogonTimes) { $LastLogonTimes | Sort-Object -Descending | Select-Object -First 1 } else { "Never" }

    # MemberOf holds direct memberships only (no nesting) and omits the primary group,
    # normally Domain Users. Resolve each DN to a group name instead of splitting the DN
    # string, which breaks on names that contain escaped commas.
    $GroupList = if ($ADUser.MemberOf) {
        ($ADUser.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) -join '; '
    } else { "None" }

    # Get-GPResultantSetOfPolicy writes its report to -Path and returns nothing useful on the
    # pipeline, so write XML to a temp file and parse that. Logging-mode RSoP only works for
    # users who have logged on to the target computer; replace $env:COMPUTERNAME with the
    # user's own workstation for a realistic result.
    $RsopFile = Join-Path $env:TEMP "rsop_$($ADUser.SamAccountName).xml"
    $GPOList  = "Unavailable"
    try {
        Get-GPResultantSetOfPolicy -ReportType Xml -Path $RsopFile `
            -User "$Domain\$($ADUser.SamAccountName)" -Computer $env:COMPUTERNAME | Out-Null
        # local-name() sidesteps the report's default XML namespace
        $GPONames = Select-Xml -Path $RsopFile `
            -XPath '//*[local-name()="UserResults"]/*[local-name()="GPO"]/*[local-name()="Name"]' |
            ForEach-Object { $_.Node.InnerText }
        $GPOList = if ($GPONames) { $GPONames -join '; ' } else { "None" }
    } catch {
        Write-Warning "RSoP lookup for $User failed: $($_.Exception.Message)"
    } finally {
        Remove-Item -Path $RsopFile -ErrorAction SilentlyContinue
    }

    # Create report object (emitted into $Report by the foreach)
    [PSCustomObject]@{
        "Username"               = $ADUser.SamAccountName
        "Display Name"           = $ADUser.DisplayName
        "Email"                  = $ADUser.EmailAddress
        "Title"                  = $ADUser.Title
        "Office"                 = $ADUser.Office
        "Enabled"                = $ADUser.Enabled
        "Locked Out"             = $ADUser.LockedOut
        "Account Expiration"     = $ADUser.AccountExpirationDate
        "Last Password Change"   = $ADUser.PasswordLastSet
        "Password Never Expires" = $ADUser.PasswordNeverExpires
        "Last Logon"             = $LastLogon
        "Group Memberships"      = $GroupList
        "Applied GPOs"           = $GPOList
    }
}

# Display report in table format
$Report | Format-Table -AutoSize

# Optional: Export to CSV
$Report | Export-Csv -Path $OutputPath -NoTypeInformation

Write-Host "AD User Audit completed. Report written to $OutputPath"

How This Script Works

  1. Retrieve User Info – Uses Get-ADUser with an explicit property list to get the attributes the report needs.
  2. Last Logon Across Multiple DCs – Loops through every DC because lastLogon is not replicated; the most recent value across all DCs is the one that counts.
  3. Group Memberships – Lists the groups the user is a direct member of. Nested memberships and the primary group (normally Domain Users) are not included.
  4. Applied Group Policies – Uses Get-GPResultantSetOfPolicy to write an XML RSoP report to a temp file and pulls the GPO names from its UserResults section.
  5. Output Table & CSV – Displays the report neatly and allows exporting for further analysis.
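The audit only becomes useful once someone decides what the snapshot means. The following is an added example, not code from the original post: a small function that takes rows in the shape the script above emits and turns them into findings. The thresholds (90 days without a logon, 90 days since the last password change) and the list of privileged groups are assumptions for illustration; the sample rows at the bottom are constructed so the block runs without a domain.

```powershell
# Added example (not part of the original post). Thresholds and the privileged-group
# pattern below are assumptions; adjust them to your own policy.
function Get-AccountFindings {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Row,
        [int]$StaleDays = 90,
        [int]$MaxPasswordAgeDays = 90,
        [datetime]$Now = (Get-Date)
    )
    process {
        $Findings = @()

        # Disabled and expired accounts are flagged so they can be cleaned up, not ignored
        if (-not $Row.Enabled) { $Findings += 'Disabled' }
        if ($Row.'Account Expiration' -and $Row.'Account Expiration' -lt $Now) { $Findings += 'Expired' }

        # "Never" means no DC holds a lastLogon value for this user
        if ($Row.'Last Logon' -is [datetime]) {
            if (($Now - $Row.'Last Logon').TotalDays -gt $StaleDays) { $Findings += "NoLogon>${StaleDays}d" }
        } elseif ($Row.Enabled) {
            $Findings += 'NeverLoggedOn'
        }

        # A null PasswordLastSet means "user must change password at next logon"
        if (-not $Row.'Last Password Change') {
            $Findings += 'MustChangePassword'
        } elseif (($Now - $Row.'Last Password Change').TotalDays -gt $MaxPasswordAgeDays) {
            $Findings += "PasswordAge>${MaxPasswordAgeDays}d"
        }

        # Assumed list of groups worth calling out on every row
        if ($Row.'Group Memberships' -match 'Domain Admins|Enterprise Admins|Schema Admins') {
            $Findings += 'PrivilegedGroup'
        }

        [pscustomobject]@{
            Username = $Row.Username
            Findings = if ($Findings) { $Findings -join ', ' } else { 'OK' }
        }
    }
}

# Constructed sample rows in the same shape the audit script produces (not real accounts)
$Now = Get-Date '2024-06-01'
$Sample = @(
    [pscustomobject]@{ Username = 'jdoe';    Enabled = $true; 'Account Expiration' = $null
                       'Last Password Change' = (Get-Date '2024-05-20'); 'Last Logon' = (Get-Date '2024-05-30')
                       'Group Memberships' = 'Sales; VPN Users' }
    [pscustomobject]@{ Username = 'asmith';  Enabled = $true; 'Account Expiration' = $null
                       'Last Password Change' = (Get-Date '2023-11-01'); 'Last Logon' = (Get-Date '2024-01-15')
                       'Group Memberships' = 'Domain Admins; IT' }
    [pscustomobject]@{ Username = 'svc-old'; Enabled = $true; 'Account Expiration' = (Get-Date '2024-01-01')
                       'Last Password Change' = $null; 'Last Logon' = 'Never'
                       'Group Memberships' = 'None' }
)

$Sample | Get-AccountFindings -Now $Now | Format-Table -AutoSize
```

With real data, pipe the script's own `$Report` into `Get-AccountFindings` (omit `-Now` to evaluate against the current date); the function keys on the same column names the report uses, so nothing else has to change.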

Tips for Production Use

  1. Run the script from a machine with the RSAT ActiveDirectory and GroupPolicy modules installed, under an account that can read user objects on every DC (the last-logon loop queries each one) and generate RSoP data.
  2. Get-GPResultantSetOfPolicy in logging mode only returns data for users who have actually logged on to the target computer; for a realistic view, point -Computer at the user's own workstation.
  3. For domain-wide sweeps, build $Users with Get-ADUser -Filter (for example, all enabled accounts) instead of typing names by hand, and schedule the run.
  4. The CSV records privileged group memberships; write it somewhere access-controlled rather than the root of C:\ and restrict who can read it.

Conclusion

Auditing user accounts in Active Directory is vital for security, compliance, and operational insight. With PowerShell, you can automate these audits, collect comprehensive data, and even integrate it into daily or weekly reporting systems.

This script gives you a complete snapshot of any user account, making it easier to detect inactive users, improper access, or misconfigured policies before they become problems.
