Wednesday 15 July 2009

Quest Defender meets PowerShell

First off, a big thanks to my good friend and colleague Dmitry Kagansky for creating the first, of hopefully many, PowerShell scripts for Defender!

Taken directly from Dmitry's blog, the details are as follows:

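1. “Which tokens have which users assigned?”
# The Get-QAD* cmdlets come from the Quest ActiveRoles Management Shell snap-in.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
foreach ($token in (Get-QADObject -IncludeAllProperties -Type "defender-tokenClass"))
{ Write-Output $token.Name $token."defender-tokenUsersDNs" }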

2. The same question as number 1 above, with the additional requirement to display user attributes as well (so you can now see violation counts etc.)
foreach ($token in (Get-QADObject -IncludeAllProperties -Type "defender-tokenClass"))
{
    Write-Output $token.Name;
    # @() copes with a single-valued attribute; Where-Object drops empty entries,
    # so tokens with no assigned users produce no user output.
    foreach ($user in @($token."defender-tokenUsersDNs") | Where-Object { $_ })
    {
        # Show the Defender counters stored on each assigned user object.
        Get-QADUser -Identity $user -IncludeAllProperties |
            Format-List samAccountName, "defender-violationCount", "defender-resetCount", "defender-lockoutTime";
    }
}

3. “Who can log in based on (direct) group membership allowed on the DAN (Defender Access Node)?”:
foreach ($dan in Get-QADObject -Type "defender-danClass" -IncludeAllProperties)
{
    Write-Output "---";
    Write-Output $dan.Name;
    # Groups listed on the Access Node, then the direct members of each group.
    foreach ($ADGroup in Get-QADGroup -Identity $dan."defender-DANMembers")
    {
        Write-Host $ADGroup;
        $ADGroup.Members | Get-QADUser | Format-List sAMAccountName;
    }
}
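
As an added example (not from Dmitry's blog or from Quest), the first two queries can be combined into one review report that returns objects instead of formatted text, so unassigned tokens, tokens assigned to more than one user and users with a non-zero violation count can be filtered or exported. The function name Get-DefenderTokenAudit is hypothetical, and the script assumes "defender-violationCount" holds an integer-like value.

```powershell
# Added example, not part of the original scripts.
# Assumes the Quest ActiveRoles Management Shell snap-in is installed.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

function Get-DefenderTokenAudit {
    # Hypothetical helper: emits one object per token/user pairing,
    # plus one object for every token that has no user assigned.
    foreach ($token in (Get-QADObject -IncludeAllProperties -Type "defender-tokenClass")) {
        # @() normalises a missing, single or multi-valued attribute to an array.
        $userDNs = @($token."defender-tokenUsersDNs" | Where-Object { $_ })

        if ($userDNs.Count -eq 0) {
            New-Object PSObject -Property @{
                Token = $token.Name; User = $null; Violations = $null
                Resets = $null; LockoutTime = $null; Review = "unassigned token"
            }
            continue
        }

        foreach ($dn in $userDNs) {
            $user = Get-QADUser -Identity $dn -IncludeAllProperties
            $review = @()
            if ($userDNs.Count -gt 1) { $review += "token shared by $($userDNs.Count) users" }
            # Assumption: the counter converts to an integer; -as yields $null otherwise.
            if (($user."defender-violationCount" -as [int]) -gt 0) { $review += "violations recorded" }

            New-Object PSObject -Property @{
                Token       = $token.Name
                User        = $user.samAccountName
                Violations  = $user."defender-violationCount"
                Resets      = $user."defender-resetCount"
                LockoutTime = $user."defender-lockoutTime"   # reported as stored, not interpreted
                Review      = ($review -join "; ")
            }
        }
    }
}

# Show only the rows that need a second look, in a fixed column order.
Get-DefenderTokenAudit |
    Where-Object { $_.Review } |
    Sort-Object Token, User |
    Format-Table Token, User, Violations, Resets, LockoutTime, Review -AutoSize
```

Replacing the final Format-Table with Select-Object and Export-Csv -NoTypeInformation gives a file that can be compared between review periods.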

I'm hoping that the simple yet effective examples Dmitry has provided for Defender will encourage others to embrace using PowerShell with Defender.

Which brings me to my next question: when are the other two-factor authentication players going to join the PowerShell party? ;)