powershell scripts that monitor domain controller health?

blade1000

IS-IT--Management
Mar 1, 2009
133
US
All-

Are there any PowerShell scripts out there (more freeware based if possible) that monitor domain controller health? Something I could either run in a GPO or locally on the DC that checks for netlogon or RPC or even replication errors?

I am combing through the forums and some script havens, and if I find some I will post the URLs to my inquiry here.

Thanks for any support on this.

blade
 
How are you monitoring the event logs of these servers? There are tools that do that, and you can certainly query the event logs from PowerShell using something like
Code:
Get-EventLog System | ? {$_.EntryType -ne "Information"}

and then doing something with it, like sending an email.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Hi Pat, we are using Netpro, now owned by Quest, tools like Change Auditor and DIR Analyzer, which are very viable tools. Thing is, we have "many" hub and spoke environments and unfortunately do not have the $$$'s to throw at these remote sites where we can manage daily up-to-the-second dynamic changes that occur within our domain.

But I use it here in NY and the tools are terrific, tells you info from when a service starts to when a user object takes a modification and of course a lot of DC information. If I could compile some of your script that you replied to me with and couple that with more ADSI based info so I can capture Domain controller info, such as if replication is failing or broken between two site link bridges, or an interface is down, and somehow post it to an HTML page, it would be great. This will probably take a lot of research and I have been reading "PowerShell in Action" (great book) and getting some ideas. Wish there was a URL with some of the code already posted where I can add/change the snippets I need.

Thanks for all your support

blade
 
I've been thinking about something along this line for a while, but haven't actually implemented it yet. My thought is to periodically run the REPADMIN tool (from the free Windows 2003 Support Tools), parse the output with PowerShell, then if there is an error send a warning (probably with a freeware e-mail program). Creating a Web page should be possible with the ConvertTo-HTML cmdlet.

Anyone up for the challenge? :) If I come up with anything soon I'll post it back here.
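
The approach described in the post above, as an added example that is not code from any poster in this thread: parse REPADMIN's CSV output, keep links that have failures or no recent success, and write an HTML page. The helper name `Get-ReplicationProblem`, the 24-hour staleness threshold, the sample rows and the mail server/addresses are assumptions made for illustration.

```powershell
# Added example, not from the thread. $sampleCsv is CONSTRUCTED data laid out like
# `repadmin /showrepl * /csv` output; the DC and site names are made up.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,NY,NYDC01,"DC=testc,DC=com",NY,NYDC02,RPC,0,0,2009-03-01 10:15:02,0
showrepl_INFO,NY,NYDC01,"DC=testc,DC=com",Branch1,BRDC01,RPC,14,2009-03-01 10:01:44,2009-02-27 22:40:10,1722
showrepl_INFO,Branch1,BRDC01,"CN=Configuration,DC=testc,DC=com",NY,NYDC01,RPC,3,2009-03-01 09:58:12,2009-03-01 08:58:30,8524
'@

function Get-ReplicationProblem {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string[]]$CsvLines,
        [int]$MaxStaleHours = 24,           # assumed threshold, tune per site link schedule
        [datetime]$Now = (Get-Date)
    )
    $CsvLines | Where-Object { $_ } | ConvertFrom-Csv | ForEach-Object {
        $lastOk = [datetime]::MinValue
        # A row with no parsable success time (never replicated, error row) counts as stale.
        $parsed = [datetime]::TryParse($_.'Last Success Time', [ref]$lastOk)
        $stale  = (-not $parsed) -or (($Now - $lastOk).TotalHours -gt $MaxStaleHours)
        if ([int]$_.'Number of Failures' -gt 0 -or $stale) {
            $_ | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                'Number of Failures', 'Last Failure Status', 'Last Success Time',
                @{ Name = 'Stale'; Expression = { $stale } }
        }
    }
}

# Live use on a DC or admin workstation: $lines = repadmin /showrepl * /csv
$lines = $sampleCsv -split "\r?\n"
$bad   = @(Get-ReplicationProblem -CsvLines $lines -Now ([datetime]'2009-03-01 10:30:00'))
$bad | Format-Table -AutoSize

# HTML status page via ConvertTo-Html, as suggested in the post
$bad | ConvertTo-Html -Title 'AD replication problems' | Set-Content .\repl-status.html

# Alert only when something is wrong (server and addresses are placeholders):
# if ($bad.Count) { Send-MailMessage -SmtpServer smtp.example.com -From dcmon@example.com `
#     -To admins@example.com -Subject "$($bad.Count) replication problems" `
#     -BodyAsHtml -Body ($bad | ConvertTo-Html | Out-String) }
```

Run from a scheduled task, the same function can cover remote hub-and-spoke sites from one machine, since `repadmin /showrepl *` queries every DC it can reach.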
 
thanks crobin1-

I will do the same. I just downloaded Powershell GUI and will start this project now..
Good idea concerning repadmin, not sure how to parse it to PS yet but half the fun is the journey itself right!?

Thanks
blade
 
Hey Pat-

I had to ask here, do you know of a somewhat "canned" PowerShell script that will tell me how many days a user has before their password expires?

So if I piped in any given user and retrieve how many days their password has (password age) before the user needs to reset..

I can do this piecemeal within LDAP as I'm sure you have seen this time and time again. Just looking for something a bit more automated.. even if it is in VBScript..

Just curious if you've seen this potential piece of work in your travels sir..

thanks again

blade
 
Actually, I was looking into that the other day. I want to create a PowerShell script that will notify users when their password is going to expire - like send an email 7 days before it expires.

I started digging through things, but every example used some third party plugs or items - something I avoid. I haven't had the chance to get back to that yet...

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Assuming users are supposed to change their passwords every 60 days:

Straight PowerShell
Code:
# Passwords set before this date are already older than 60 days
$old = (Get-Date).AddDays(-60)
$searcher = New-Object DirectoryServices.DirectorySearcher
$root = New-Object DirectoryServices.DirectoryEntry "LDAP://OU=testou,DC=testc,DC=com"
$searcher.SearchRoot = $root
$searcher.Filter = "(&(objectcategory=person)(objectclass=user))"
# Keep users whose password expires within 7 days (or has already expired)
$searcher.FindAll() | 
   where {([datetime]::fromfiletime($_.properties.item("pwdLastSet")[0]) - $old).days -le 7} |
   magic-process-to-notify-user   # placeholder: substitute your own notification command

Using Quest's free AD cmdlets
Code:
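# Passwords set before this date are already older than 60 days
$old = (Get-Date).AddDays(-60)
# Get-QADUser returns pwdLastSet as a DateTime, so no FILETIME conversion is needed
Get-Qaduser -SearchRoot "OU=testou,DC=testc,DC=com" -IncludedProperties pwdLastSet |
   where {($_.pwdLastSet - $old).days -le 7} |
   magic-process-to-notify-user   # placeholder: substitute your own notification command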

Credits to multiple places including blogs by MoW and Brandon Shell and "Managing Active Directory with Windows PowerShell" by Jeffery Hicks.
 
Interesting. I couldn't get the first example to work right. In my troubleshooting, I did realize that even if it did work, it doesn't take into account users who have the "password never expires" option checked.

I'm cleaning up my version now. As soon as I get it done, I'll post it.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
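
One way to handle the "password never expires" case raised in the post above, as an added example that is not the version either poster wrote. It assumes a single domain-wide maximum password age (60 days, as in the earlier post); the helper name `Get-PasswordDaysLeft` and the sample accounts are made up for illustration.

```powershell
# Added example, not from the thread. Assumes one domain-wide maximum password age;
# fine-grained password policies are not handled.
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit: password never expires

function Get-PasswordDaysLeft {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][long]$PwdLastSet,        # raw FILETIME value from AD
        [Parameter(Mandatory = $true)][int]$UserAccountControl,
        [int]$MaxAgeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    # Accounts flagged "never expires" have no expiry date: return nothing for them.
    if ($UserAccountControl -band $DONT_EXPIRE_PASSWORD) { return $null }
    # pwdLastSet = 0 means "user must change password at next logon".
    if ($PwdLastSet -eq 0) { return 0 }
    $expires = [datetime]::FromFileTime($PwdLastSet).AddDays($MaxAgeDays)
    [int][math]::Floor(($expires - $Now).TotalDays)
}

# CONSTRUCTED sample accounts. On a live domain, read the same two values from each
# DirectorySearcher result: $r.Properties['pwdlastset'][0] and
# $r.Properties['useraccountcontrol'][0].
$now   = [datetime]'2009-03-10 09:00:00'
$users = @(
    @{ Name = 'alice';   UAC = 0x200;   PwdLastSet = ([datetime]'2009-01-14 09:00:00').ToFileTime() }
    @{ Name = 'bob';     UAC = 0x200;   PwdLastSet = ([datetime]'2009-03-01 09:00:00').ToFileTime() }
    @{ Name = 'svc-sql'; UAC = 0x10200; PwdLastSet = ([datetime]'2007-06-01 09:00:00').ToFileTime() }
    @{ Name = 'carol';   UAC = 0x200;   PwdLastSet = 0 }
)

$expiring = $users | ForEach-Object {
    $left = Get-PasswordDaysLeft -PwdLastSet $_.PwdLastSet -UserAccountControl $_.UAC -Now $now
    # Skip never-expiring accounts ($null) and anything more than a week away.
    if ($null -ne $left -and $left -le 7) {
        New-Object PSObject -Property @{ Name = $_.Name; DaysLeft = $left }
    }
}
$expiring | Format-Table Name, DaysLeft -AutoSize
```

Service accounts with non-expiring passwords drop out of the notification list here, which also makes them easy to report separately for review.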
 
Yeah, I wasn't going for thorough, just quick :)

The "straight PowerShell" example took me a while to get working on my system. It doesn't quite match any of the examples I found, and I'm not sure why it didn't work the same as the examples.

That being said, that's another reason I love the Quest AD cmdlets, because they make it so much easier.
 