Active Directory Reporting Suite

TLDR
  • No visibility into what was changing in Active Directory week to week.
  • Built a suite of reporting scripts that run on a schedule and email results to the ops team.
  • Covers weekly change reports, stale workstation detection, expiring account alerts to managers, and Paylocity data cross-reference.
Cadence: weekly change reports, daily hardware specs, 33-day expiry window for account alerts, automatic email delivery.

Why I built this

I got tired of finding out about AD changes after they caused problems. A contractor's account expired and locked them out of a production system on a Friday afternoon. Someone created a service account with no description and nobody knew what it was for three months later. A batch of workstations hadn't checked in for weeks and nobody noticed until a site visit.

So I built a set of reporting scripts that run on a schedule and email the results to the ops team. The idea was simple: if something changes in AD, we should know about it the same week it happens.

The weekly change report

The core script is WeeklyADReport.ps1. It queries AD for everything that changed in the last seven days and builds an HTML email with styled tables: new users, new groups, new computers, deleted objects, and group membership changes. For each new object it also reads msDS-CreatorSID and resolves it to the account that created the object. One caveat: AD only writes msDS-CreatorSID when the creator was subject to the object-creation quota, which in practice means a non-admin (a user joining a workstation, for example), so objects created by admins show a blank creator and the Security log (event 4720 for a new user, 4741 for a new computer) is the fallback for those.

# Start of the seven-day window, truncated to midnight so a run is reproducible
$When = ((Get-Date).AddDays(-7)).Date

# Users created in the window. Get-Creator is defined elsewhere in the script
# and resolves the object's msDS-CreatorSID to an account name.
$users = Get-ADUser -Filter {whenCreated -ge $When} `
    -Properties Created, Description, DistinguishedName |
    Select-Object Name, Created, SamAccountName, Description,
    @{Name="CreatedBy";Expression={Get-Creator $_.DistinguishedName}} |
    Sort-Object Created -Descending

That Get-Creator function was surprisingly useful. When a random service account shows up and nobody remembers creating it, having the creator logged right there in the report saves a lot of detective work.
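The following is an added example, not the author's WeeklyADReport.ps1. It shows the three pieces a weekly change report needs beyond the new-object query above: a Get-Creator that resolves msDS-CreatorSID, the deleted-object query, and group membership changes reconstructed from per-value replication metadata. It assumes the ActiveDirectory module on a domain-joined host and rights to read the Deleted Objects container (Domain Admins by default); querying the PDC emulator and the seven-day window are choices, not requirements.

```powershell
# Added example (not the page's own script). Assumes ActiveDirectory module and
# read access to Deleted Objects; $DC is pinned to one DC so replication
# metadata comes from a single consistent source.
Import-Module ActiveDirectory
$When = ((Get-Date).AddDays(-7)).Date
$DC   = (Get-ADDomain).PDCEmulator

function Get-Creator {
    # Resolve msDS-CreatorSID to DOMAIN\account. AD writes this attribute only
    # when the creator was subject to the object-creation quota (normally a
    # non-admin), so an empty result for admin-created objects is expected.
    param([string]$DistinguishedName)
    $raw = (Get-ADObject -Identity $DistinguishedName -Properties 'msDS-CreatorSID' -Server $DC).'msDS-CreatorSID'
    if (-not $raw) { return '' }
    # The module may hand back a SecurityIdentifier or the raw octet string
    if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $sid = $raw }
    else { $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # creator since deleted: show the SID rather than nothing
}

# New users, with Description included so the undocumented ones stand out
$newUsers = Get-ADUser -Filter {whenCreated -ge $When} -Server $DC -Properties Created, Description |
    Select-Object Name, SamAccountName, Created, Description,
        @{Name='CreatedBy'; Expression={Get-Creator $_.DistinguishedName}} |
    Sort-Object Created -Descending

# Deleted objects survive as tombstones/recycled objects under Deleted Objects;
# lastKnownParent records the OU they were deleted from.
$deleted = Get-ADObject -Filter {isDeleted -eq $true -and whenChanged -ge $When} `
    -IncludeDeletedObjects -Server $DC -Properties objectClass, whenChanged, lastKnownParent |
    Select-Object Name, objectClass, whenChanged, lastKnownParent

# Group membership changes: the linked 'member' attribute keeps per-value
# replication metadata, so adds and removes can be listed with timestamps.
# Member edits bump the group's whenChanged, which avoids walking every group.
$memberChanges = foreach ($g in Get-ADGroup -Filter {whenChanged -ge $When} -Server $DC) {
    Get-ADReplicationAttributeMetadata -Object $g.DistinguishedName -Server $DC `
        -Attribute member -ShowAllLinkedValues |
    Where-Object { $_.LastOriginatingChangeTime -ge $When } |
    ForEach-Object {
        # Active link values carry a zero (year 1601) delete time; removed ones carry the real one
        $removed = $_.LastOriginatingDeleteTime -and $_.LastOriginatingDeleteTime.Year -gt 1601
        if ($removed) { $change = 'Removed' } else { $change = 'Added' }
        [pscustomobject]@{
            Group  = $g.Name
            Member = $_.AttributeValue
            Change = $change
            When   = $_.LastOriginatingChangeTime
        }
    }
}

# Assemble the HTML body as one fragment per table
$body = @(
    $newUsers      | ConvertTo-Html -Fragment -PreContent '<h2>New users</h2>'
    $deleted       | ConvertTo-Html -Fragment -PreContent '<h2>Deleted objects</h2>'
    $memberChanges | ConvertTo-Html -Fragment -PreContent '<h2>Group membership changes</h2>'
) -join "`n"
$body
```

The replication-metadata approach is worth the extra query because plain Get-ADGroupMember only shows the current state; the metadata is the only place in the directory itself that records who was removed and when. If a DC other than the one queried took the change and has not replicated yet, it will show up the following week, so do not treat an absence in one report as proof nothing happened.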

Expiring account alerts

The second most useful script emails managers directly when their direct reports have accounts expiring within 33 days. We had a lot of contractors and temporary employees with expiration dates set, and the pattern was always the same: the account expires, the contractor can't log in, they call the helpdesk, the manager calls IT asking why nobody warned them.

Now the script groups expiring accounts by manager, builds a personalized HTML table for each one, and sends it to their email. The manager gets a heads up with enough lead time to either extend the account or plan for the departure.
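The following is an added example, not the author's script, of the grouping and per-manager message construction described above. It uses Search-ADAccount to do the accountExpires arithmetic, routes users with no manager (or a manager with no mailbox) to an ops mailbox instead of dropping them, and is a dry run by default so the recipient list can be reviewed before anything is sent. The ActiveDirectory module is assumed; ops@example.com, $SmtpServer and $From are placeholders.

```powershell
# Added example (not the page's own script). Assumes ActiveDirectory module;
# the ops mailbox, SMTP server and From address are placeholders.
Import-Module ActiveDirectory

function Get-ExpiryNotices {
    param(
        [int]$WindowDays = 33,
        [string]$OpsMailbox = 'ops@example.com'   # assumed fallback recipient
    )
    # -AccountExpiring returns accounts that will expire within the span, not
    # ones already expired; disabled accounts are skipped since nobody needs a warning about them.
    $expiring = Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $WindowDays) -UsersOnly |
        Where-Object { $_.Enabled } |
        Get-ADUser -Properties AccountExpirationDate, Manager, DisplayName

    $rows = foreach ($u in $expiring) {
        $mgrMail = $null
        $mgrName = '(no manager set)'
        if ($u.Manager) {
            $m = Get-ADUser -Identity $u.Manager -Properties mail, DisplayName
            $mgrMail = $m.mail
            $mgrName = $m.DisplayName
        }
        # No manager, or a manager without a mailbox: route to ops rather than lose the alert
        if ($mgrMail) { $to = $mgrMail } else { $to = $OpsMailbox }
        [pscustomobject]@{
            User        = $u.DisplayName
            SamAccount  = $u.SamAccountName
            Expires     = $u.AccountExpirationDate
            DaysLeft    = [int]($u.AccountExpirationDate - (Get-Date)).TotalDays
            Manager     = $mgrName
            ManagerMail = $to
        }
    }

    # One message per recipient, soonest expiry first
    foreach ($grp in ($rows | Group-Object ManagerMail)) {
        $table = $grp.Group | Sort-Object DaysLeft |
            Select-Object User, SamAccount, Expires, DaysLeft, Manager |
            ConvertTo-Html -Fragment
        [pscustomobject]@{
            To      = $grp.Name
            Subject = "Accounts expiring in the next $WindowDays days ($($grp.Count))"
            Body    = "<p>The following accounts you manage expire soon. Contact IT to extend them or confirm the departure.</p>$table"
        }
    }
}

$notices = Get-ExpiryNotices
$notices | Select-Object To, Subject    # dry run: review who would be mailed

# To send for real. Send-MailMessage is deprecated but still shipped; swap in
# your mail API if you have one. $From and $SmtpServer are placeholders.
# foreach ($n in $notices) {
#     Send-MailMessage -To $n.To -From $From -Subject $n.Subject -Body $n.Body `
#         -BodyAsHtml -SmtpServer $SmtpServer
# }
```

Keeping message construction separate from sending makes the script safe to run interactively, and the ops fallback means an orphaned contractor account (manager left, field never updated) still produces a warning somewhere.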

Stale workstations

OldADComputersReporting.ps1 finds computer objects that haven't authenticated recently. In an environment with 100+ locations, workstations go offline for all kinds of reasons. Sometimes a club closes temporarily, sometimes a workstation dies and gets replaced but the old object stays in AD. This report keeps the directory clean and gives us an early warning when a site might have hardware issues.
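The following is an added example, not the author's OldADComputersReporting.ps1. It finds computers with no recent domain logon and cross-checks the machine password age so that a workstation that is merely offline can be told apart from one that is gone. Two caveats it encodes: lastLogonTimestamp is replicated lazily and only rewritten when it is more than 9 to 14 days old, so any threshold below that measures replication lag rather than inactivity; and a live domain member rotates its machine password every 30 days by default, so an old logon together with an old password is a much stronger signal than either alone. The ActiveDirectory module is assumed; the 90-day threshold is a choice.

```powershell
# Added example (not the page's own script). Assumes ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleComputers {
    param([int]$Days = 90)
    # Below ~14 days lastLogonTimestamp is not precise enough to mean anything
    if ($Days -lt 14) { throw "Threshold must be at least 14 days; lastLogonTimestamp is not updated more often than that." }
    $cutoff = (Get-Date).AddDays(-$Days)

    # Search-ADAccount -AccountInactive works from lastLogonTimestamp. Disabled
    # objects are excluded because they have presumably already been dealt with.
    Search-ADAccount -AccountInactive -ComputersOnly -DateTime $cutoff |
        Where-Object { $_.Enabled } |
        Get-ADComputer -Properties LastLogonDate, PasswordLastSet, OperatingSystem, Description |
        ForEach-Object {
            # Old logon AND old machine password: the box is almost certainly gone.
            # Old logon but a fresh password: it is alive, so look at the site or link.
            $pwdOld = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            if ($pwdOld) { $verdict = 'Likely gone: disable and move' }
            else         { $verdict = 'Offline but alive: check site' }
            [pscustomobject]@{
                Name              = $_.Name
                OU                = ($_.DistinguishedName -split ',', 2)[1]
                OperatingSystem   = $_.OperatingSystem
                Description       = $_.Description
                LastLogonDate     = $_.LastLogonDate
                PasswordLastSet   = $_.PasswordLastSet
                Verdict           = $verdict
                DistinguishedName = $_.DistinguishedName
            }
        } | Sort-Object LastLogonDate
}

$stale = Get-StaleComputers -Days 90
$stale | Format-Table Name, OU, LastLogonDate, PasswordLastSet, Verdict -AutoSize

# Cleanup is deliberately a separate, manual step: disable first, move to a
# holding OU, and only delete after a further grace period.
# $stale | Where-Object { $_.Verdict -like 'Likely gone*' } |
#     ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName }
```

Reporting and cleanup are kept apart on purpose. A stale computer object is also a security finding in its own right: an enabled account nobody is watching, with a password that may be very old, is exactly the kind of thing an attacker with a foothold looks for.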

Daily hardware inventory

The daily club workstation specs script collects hardware information from every reachable club workstation and logs it. This was partly for asset tracking and partly because we kept running into situations where a workstation was underspecced for the software it was supposed to run, and nobody had a quick way to check without remoting into it.
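The following is an added example, not the author's specs script, of a daily collector: it reads CPU, RAM, disk and OS details from a list of workstations over CIM, appends the results to a dated CSV, and flags anything under a minimum spec. It assumes WinRM is enabled on the targets (Get-CimInstance uses WS-Man by default; older hosts without WinRM need a DCOM session option instead); the CLUB-* naming, the C:\Reports path and the 8 GB minimum are placeholders.

```powershell
# Added example (not the page's own script). Assumes WinRM on the targets and
# the ActiveDirectory module for the host list; names and paths are placeholders.
function Get-WorkstationSpecs {
    param(
        [string[]]$ComputerName,
        [long]$MinRamBytes = 8GB,   # assumed minimum for the club software
        [int]$TimeoutSec = 20
    )
    foreach ($c in $ComputerName) {
        # Every row has the same columns, otherwise Export-Csv drops columns that
        # are missing from the first object it sees.
        $row = [ordered]@{
            Computer = $c; Status = ''; Manufacturer = ''; Model = ''; CPU = ''; Cores = ''
            RamGB = ''; DiskFreeGB = ''; OS = ''; LastBoot = ''; Collected = Get-Date
        }
        # Cheap reachability test first so a closed site does not cost a WinRM timeout per host
        if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
            $row.Status = 'Unreachable'
            [pscustomobject]$row
            continue
        }
        $s = $null
        try {
            # Swap -Protocol Wsman for Dcom on hosts that have no WinRM listener
            $opt = New-CimSessionOption -Protocol Wsman
            $s   = New-CimSession -ComputerName $c -SessionOption $opt -OperationTimeoutSec $TimeoutSec -ErrorAction Stop
            $cs  = Get-CimInstance -CimSession $s -ClassName Win32_ComputerSystem
            $cpu = Get-CimInstance -CimSession $s -ClassName Win32_Processor | Select-Object -First 1
            $os  = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem
            $sys = Get-CimInstance -CimSession $s -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
            $row.Manufacturer = $cs.Manufacturer
            $row.Model        = $cs.Model
            $row.CPU          = $cpu.Name
            $row.Cores        = $cpu.NumberOfLogicalProcessors
            $row.RamGB        = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
            $row.DiskFreeGB   = [math]::Round($sys.FreeSpace / 1GB, 1)
            $row.OS           = "$($os.Caption) $($os.Version)"
            $row.LastBoot     = $os.LastBootUpTime
            if ($cs.TotalPhysicalMemory -lt $MinRamBytes) { $row.Status = 'Underspecced' } else { $row.Status = 'OK' }
        }
        catch {
            $row.Status = "Error: $($_.Exception.Message)"
        }
        finally {
            if ($s) { Remove-CimSession $s }
        }
        [pscustomobject]$row
    }
}

# Placeholder host selection and output path
$hosts = Get-ADComputer -Filter {Name -like "CLUB-*"} | Select-Object -ExpandProperty Name
Get-WorkstationSpecs -ComputerName $hosts |
    Export-Csv -Path "C:\Reports\WorkstationSpecs-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Writing one file per day rather than overwriting a single inventory means an "Unreachable" streak for a site is visible in the history, which is the early-warning signal the stale-workstation report is also looking for.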

All of these run as scheduled tasks. Monday morning, the weekly report lands in the team inbox; the workstation specs update daily. The expiring accounts script also runs weekly, and with a 33-day window a manager gets several reminders before an account lapses. It's not glamorous work, but it closed a visibility gap that was causing real problems.
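The following is an added example, not from the page, of registering the jobs as scheduled tasks. The security-relevant choice is the identity: the scripts read AD (including the Deleted Objects container for the weekly report) and send mail, so they should run under a dedicated group managed service account with just those rights rather than an admin's stored password. It assumes the scripts live in C:\Scripts, that the gMSA CORP\adreport$ already exists and has been installed on the host, and that the ScheduledTasks module is available; the ExpiringAccounts.ps1 and ClubWorkstationSpecs.ps1 filenames are placeholders, since the page only names WeeklyADReport.ps1 and OldADComputersReporting.ps1.

```powershell
# Added example (not the page's own setup). Paths, gMSA name and two of the
# script filenames are placeholders.
$scriptDir = 'C:\Scripts'       # placeholder
$gmsa      = 'CORP\adreport$'   # placeholder gMSA, already installed on this host

function Register-ReportTask {
    param([string]$Name, [string]$Script, $Trigger)
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptDir\$Script`""
    # LogonType Password with no password supplied is how a gMSA is bound to a
    # task: the host retrieves the managed password from AD itself.
    $principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Limited
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
        -StartWhenAvailable -MultipleInstances IgnoreNew
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $Trigger `
        -Principal $principal -Settings $settings -Force
}

Register-ReportTask -Name 'AD Weekly Change Report' -Script 'WeeklyADReport.ps1' `
    -Trigger (New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6am)
Register-ReportTask -Name 'AD Expiring Accounts' -Script 'ExpiringAccounts.ps1' `
    -Trigger (New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6:30am)
Register-ReportTask -Name 'AD Stale Workstations' -Script 'OldADComputersReporting.ps1' `
    -Trigger (New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 7am)
Register-ReportTask -Name 'Club Workstation Specs' -Script 'ClubWorkstationSpecs.ps1' `
    -Trigger (New-ScheduledTaskTrigger -Daily -At 5am)
```

Because the gMSA has no password anyone knows, nothing sensitive is stored in the task, and its rights can be limited to reading the directory and sending mail; the ExecutionPolicy bypass applies only to the signed-in-by-path scripts in $scriptDir, so that directory should be writable only by the people who maintain them.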


View the scripts on GitHub

Weekly AD reports, expiring account alerts, stale workstation detection, and more.