Check Active Directory User Account if it is locked out
Posted: Wed May 24, 2017 1:57 pm
Hello, I am trying to find a way to monitor a specific Active Directory account to check if it is locked out.
I would like the status to be Critical when it is locked out, and Normal when it is not locked out.
I have an Active Directory account that is used to run specific processes, so I need to know if it gets locked out.
I can't find any plugin to do that; the only thing I found is the plugin developed by "mathieu.chateau" --> "Check Active Directory Accounts".
https://exchange.nagios.org/directory/P ... ts/details
But this plugin checks the number of accounts that are locked out.
So, I tried to create a new one (I have zero experience doing that) based on Mathieu's plugin.
Mathieu's plugin uses PowerShell through NRPE / NSClient++ to execute a "Search-ADAccount" PowerShell script.
I would like to replace the Search-ADAccount command with Get-ADUser.
So, my script is this:
*****************
param
(
[string]$user = ""
)
# First attempt, kept for reference: build a command string and grep its output for "True"
#$command="Get-ADUser "+$user+" -Properties * | select-object LockedOut | findstr True"
# Read the LockedOut attribute of the given account directly
$result = (Get-ADUser $user -Properties *).LockedOut
#$result=invoke-expression $command
echo $result
# Map the boolean to the Nagios state text and exit code (2 = CRITICAL, 0 = OK)
if ($result -eq $True) {
    $state="CRITICAL"
    $exitcode=2
} else {
    $state="OK"
    $exitcode=0
}
Write-Host $state
exit $exitcode
*****************
If I execute it from PowerShell locally on a domain controller, I get this reply:
PS C:\Program Files\NSClient++> .\Check_AD_User_Account.ps1 [UserName]
False
OK
and if the user gets locked out, this is the command output:
PS C:\Program Files\NSClient++> .\Check_AD_User_Account.ps1 [UserName]
True
CRITICAL
So far, so good.
Next, the script is saved under C:\Program Files\NSClient++
and I have edited the NSClient options file NSC.INI as follows:
under the [Script Wrappings] tag I added this line:
Check_AD_User_Account=Check_AD_User_Account.ps1 $ARG1$
Next, in Nagios Core Config - Commands - I created a command definition:
Command Name - check_nrpe_Locked_User
Command Line - $USER1$/check_nrpe -H $HOSTADDRESS$ -n -c Check_AD_User_Account -a $ARG1$
Command Type - Check_Command
Active - yes
And finally I defined a new service to check on the Domain Controller using my command "check_nrpe_Locked_User" with [UserName] as the $ARG1$,
but it is not working.
The result gathered by Nagios is:
"CHECK_NRPE: Error receiving data from daemon."
I really appreciate your help on this, thanks in advance.
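As an added example (not the poster's script and not Mathieu's plugin), here is the same LockedOut check written so that every path, including a missing argument, a missing AD module or an account that does not exist, still produces exactly one Nagios-style status line on stdout and a standard exit code (0 OK, 2 CRITICAL, 3 UNKNOWN) instead of an interactive prompt or an exception trace. It assumes the ActiveDirectory RSAT module is installed on the host NSClient++ runs on; the parameter and function names are my own.

```powershell
# Added example: hardened NRPE/NSClient++ check for one AD account's LockedOut flag.
# Assumes the ActiveDirectory module (RSAT) is available on the NSClient++ host.
param(
    [string]$User = ""   # deliberately not Mandatory: a prompt would hang a non-interactive NRPE run
)

# Nagios plugin exit codes
$OK = 0; $CRITICAL = 2; $UNKNOWN = 3

function Exit-Nagios {
    param([string]$State, [string]$Message, [int]$Code)
    # One line on stdout; Nagios uses the first line as the service status text.
    Write-Output ("{0} - {1}" -f $State, $Message)
    exit $Code
}

if ([string]::IsNullOrWhiteSpace($User)) {
    Exit-Nagios 'UNKNOWN' 'usage: Check_AD_User_Account.ps1 <sAMAccountName>' $UNKNOWN
}

# Turn every error below (module missing, DC unreachable, account not found)
# into an UNKNOWN result instead of an unhandled exception on stderr.
$ErrorActionPreference = 'Stop'
try {
    Import-Module ActiveDirectory
    # Request only the attribute we need rather than -Properties *
    $account = Get-ADUser -Identity $User -Properties LockedOut
}
catch {
    $reason = if ($_.Exception.GetType().Name -eq 'ADIdentityNotFoundException') {
        "account '$User' not found in Active Directory"
    } else {
        "query failed: $($_.Exception.Message)"
    }
    Exit-Nagios 'UNKNOWN' $reason $UNKNOWN
}

if ($account.LockedOut) {
    Exit-Nagios 'CRITICAL' "account '$User' is locked out" $CRITICAL
}
Exit-Nagios 'OK' "account '$User' is not locked out" $OK
```

Run it locally first with a real and then with a non-existent account name and confirm `$LASTEXITCODE` is 0/2 and 3 respectively before wiring it into the NSC.INI script wrapping.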