Dynamic Infrastructure Documentation with Powershell – Part 2

Before you continue with this tutorial I recommend reading the first part of the blog, which covers writing data into the SQL database. We configured the SQL database in part 1, and now we are going to collect some data from Active Directory and write it into the SQL database. Before we start coding we need to map out the organizational unit structure in Active Directory, so that we can collect the information, mold the data based on our needs and write it into the SQL database. The structure is like this

There are many different ways to collect the data: we can use the organizational unit itself as the point of information collection, and we can also use custom attributes. In this scenario we are going to use both. The custom attribute will be set on the users in the external support OU, because a department leader has the secondary responsibility for each support user. The department responsible for an external user is required to pay the license cost for that user, and the cost is not global unless the software provided by the external company is specifically used in all departments. The department organizational unit will also have a custom attribute holding the departmental number, which links external users to the department and also to other services the department requires. The custom attribute in this case will be adminDescription, but you can use whatever you want, or even create your own custom attribute as long as you know what you are doing. Each organizational unit has a number between 1000 and 9000, so the first OU in the list will contain the number 1000; this is the identity of the department.

Begin by creating two tables. The first one will contain information about the users that are allowed to be in the Domain Admins group.

The second one holds alerts: when an unauthorized user is detected in the Domain Admins group, a message is written to this table.

Open up the DEPMSSQLActions.psm1 file and update it with this code.

Create a new file named GetADStatus.ps1 and save it to a folder named Tasks in the DynamicDocumentation folder. Insert this code.

Now when you run this script it inserts the totals for disabled users and enabled users. When I run this I get the following

As you can see I have both disabled and enabled users in this field. If you run this daily you can gather more statistics, such as how many users have been added, disabled and removed.

If I look at the Domain Admins alert I can see the following

This will allow me to see whether these users have been added to the Domain Admins group, and to alert me if I have some notification or monitoring software. The baseline for this is the ADGlobalAdmins table, and you need to add to it the users that should have Domain Admins access.
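The two checks described above (daily enabled/disabled user counts, and Domain Admins membership compared against the ADGlobalAdmins baseline), as an added example that is not the original post's GetADStatus.ps1 and does not use the DEPMSSQLActions.psm1 module. It assumes the ActiveDirectory module, a SQL Server reachable with Windows authentication, a baseline table dbo.ADGlobalAdmins with a SamAccountName column, and two hypothetical tables dbo.ADUserStats and dbo.ADDomainAdminAlerts whose names and columns are assumptions.

```powershell
# Added example: AD status collection written straight to SQL via System.Data.SqlClient.
# Server, database and table/column names below are assumptions, not from the original post.
Import-Module ActiveDirectory

$connectionString = 'Server=SQLSERVER01;Database=DynamicDocumentation;Integrated Security=True'

function Invoke-DocSql {
    # Runs a parameterized query; returns the first column of each row unless -NonQuery is set.
    param([string]$Query, [hashtable]$Parameters = @{}, [switch]$NonQuery)
    $conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $Query
    foreach ($key in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue("@$key", $Parameters[$key]) }
    $conn.Open()
    try {
        if ($NonQuery) { [void]$cmd.ExecuteNonQuery(); return }
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) { $rows += $reader.GetValue(0) }
        return $rows
    } finally { $conn.Close() }
}

# 1. User statistics: one row per run, so daily runs build a history of enabled vs disabled accounts.
$users    = Get-ADUser -Filter * -Properties Enabled
$enabled  = @($users | Where-Object { $_.Enabled }).Count
$disabled = $users.Count - $enabled
Invoke-DocSql -NonQuery `
    -Query 'INSERT INTO dbo.ADUserStats (Collected, EnabledUsers, DisabledUsers) VALUES (GETDATE(), @Enabled, @Disabled)' `
    -Parameters @{ Enabled = $enabled; Disabled = $disabled }

# 2. Domain Admins check: every member (nested groups flattened) that is not in the
#    ADGlobalAdmins baseline produces an alert row for the monitoring software to pick up.
$baseline = Invoke-DocSql -Query 'SELECT SamAccountName FROM dbo.ADGlobalAdmins'
$members  = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
foreach ($member in $members) {
    if ($baseline -notcontains $member) {   # -notcontains is case-insensitive, matching AD's behaviour
        Invoke-DocSql -NonQuery `
            -Query 'INSERT INTO dbo.ADDomainAdminAlerts (Detected, SamAccountName, Message) VALUES (GETDATE(), @Name, @Msg)' `
            -Parameters @{ Name = $member; Msg = "Unauthorized member of Domain Admins: $member" }
    }
}
```

Schedule the script from the Tasks folder once a day; the baseline table is what turns the membership listing into an alert, so keep it current when an administrator legitimately joins or leaves the group.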

Next we need to figure out how to get information about the software installed on all machines, the service accounts and server information. That will be in part 3.

End of part 2
