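<#
.SYNOPSIS
    Cross-checks certificates issued by an AD CS CA against Active Directory and
    reports certificates that still belong to disabled, expired or deleted users.

.DESCRIPTION
    For every issued request on $CAName that matches $CAFilter, the requester's
    sAMAccountName (Request.RequesterName without the DOMAIN\ prefix) is looked
    up in AD. Requesters whose account is disabled (userAccountControl
    ACCOUNTDISABLE), past its accountExpires date, or no longer present in AD
    are written to $LogFile, counted, and summarised in the Application event
    log under source "PKI-AD-Script". When anything was found the log file is
    mailed to $To via $Smtp.

    Certificates whose NotAfter date has already passed are skipped: they can
    no longer be used and need no revocation.

    Requires the PSPKI module (Get-CertificationAuthority, Get-IssuedRequest),
    read access to the CA database and to AD.
#>
Import-Module PKI

# IDEAS
# - write the result of this script in an snmp performance counter and read it
#   via monitoring system (leverage existing monitoring infrastructure)

$From       = "foo bar "
$To         = "Infrastructure Team "
$Smtp       = "internalsmtp.example.com"
$CAName     = "My Nifty CA"
$CAFilter   = "CertificateTemplate -eq VPN Users"
$DomainName = "CORP"
$LogFile    = "C:\publish\pki-ad-check.log"

# ACCOUNTDISABLE bit of the userAccountControl attribute.
$ACCOUNTDISABLE = 0x2

$EventLog = New-Object System.Diagnostics.EventLog('Application')
$EventLog.MachineName = "."
$EventLog.Source = "PKI-AD-Script"
$EventLog.WriteEntry("PKI-AD-Script Started")

# Searcher rooted at the default naming context of the current domain.
$Domain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = $Domain
$Searcher.PageSize = 1000
$Searcher.SearchScope = "Subtree"
$colProplist = @("name", "distinguishedname", "userAccountControl", "accountExpires")
foreach ($i in $colPropList) {
    # Add() returns the new index; discard it so it does not leak to output.
    [void]$Searcher.PropertiesToLoad.Add($i)
}

#######################################
# Escape a value for use inside an LDAP search filter (RFC 4515 section 3),
# so that a requester name taken from the CA database cannot change the
# structure of the filter. The backslash must be replaced first.
# Arguments: $Value - raw attribute value
# Outputs:   the escaped value on stdout
#######################################
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    return ($Value -replace '\\', '\5c' `
                   -replace '\*', '\2a' `
                   -replace '\(', '\28' `
                   -replace '\)', '\29' `
                   -replace "`0", '\00')
}

# Start a fresh log file for this run.
New-Item -Force -Type File $LogFile | Out-Null

$CA = Get-CertificationAuthority -Name $CAName
$Count = 0
$DisabledCount = 0
$ExpiredCount = 0
$NotFoundCount = 0
# Single reference time for the whole run.
$now = Get-Date

$s = "List of Users in AD which are expired or disabled which have received a certificate in the past:`r`n"
Add-Content -Path $LogFile -Value $s

foreach ($cert in $CA | Get-IssuedRequest -Filter $CAFilter) {
    # An already expired certificate cannot be used any more and needs no
    # revocation, so it is not reported.
    if ($cert.NotAfter -lt $now) { continue }

    $certInfo = "certificate was found :" + $cert."Request.RequesterName" +
                " - Serial:" + $cert.SerialNumber +
                " - Not Before:" + $cert.NotBefore +
                " - Not After:" + $cert.NotAfter

    # Request.RequesterName is DOMAIN\sAMAccountName; strip our own domain.
    $samaccountname = $cert."Request.RequesterName".Replace("$DomainName\", "")
    $Searcher.Filter = "(&(objectCategory=User)(samAccountName=$(ConvertTo-LdapFilterValue $samaccountname)))"
    $colResults = $Searcher.FindAll()
    try {
        if ($colResults.Count -le 0) {
            # The requester no longer exists in AD (deleted account) but its
            # certificate is still valid: that is exactly the case this script
            # exists to surface, so report it instead of skipping silently.
            $s = "Requester " + $cert."Request.RequesterName" + " not found in AD and " + $certInfo
            Write-Host -ForegroundColor red $s
            Add-Content -Path $LogFile -Value $s
            $NotFoundCount++
            continue
        }
        foreach ($Result in $colResults) {
            $Item = $Result.Properties
            # Count every matched account, including those whose accountExpires
            # cannot be converted below.
            $Count++
            if ($Item.useraccountcontrol[0] -band $ACCOUNTDISABLE) {
                $s = "DN :" + $Item.distinguishedname[0] + " is disabled and " + $certInfo
                Write-Host -ForegroundColor red $s
                Add-Content -Path $LogFile -Value $s
                $DisabledCount++
            }
            elseif ($Item.accountexpires[0] -gt 0) {
                # accountExpires of 0 or 0x7FFFFFFFFFFFFFFF means "never
                # expires"; the latter is out of range for FromFileTime and
                # lands in the catch.
                try {
                    $expires = [datetime]::FromFileTime($Item.accountexpires[0])
                }
                catch [Exception] {
                    continue
                }
                if ($expires -lt $now) {
                    $s = "DN :" + $Item.distinguishedname[0] + " expired on $expires and " + $certInfo
                    Write-Host -ForegroundColor red $s
                    Add-Content -Path $LogFile -Value $s
                    $ExpiredCount++
                }
            }
        }
    }
    finally {
        # SearchResultCollection holds unmanaged handles; release them per cert.
        $colResults.Dispose()
    }
}

$s = "`r`n`r`nPKI-AD-Script VPN Users Count: $Count - Disabled Count: $DisabledCount - Expired Count: $ExpiredCount - Not Found Count: $NotFoundCount"
$EventLog.WriteEntry($s)
Write-Host $s
Add-Content -Path $LogFile -Value $s
$s = "If the users above really left the company, they need to have their certificate revoked by a PKI admin"
Add-Content -Path $LogFile -Value $s

# If some expired, disabled or deleted accounts still have valid certificates, send a mail
if (($ExpiredCount -gt 0) -or ($DisabledCount -gt 0) -or ($NotFoundCount -gt 0)) {
    Write-Host "Sending mail"
    $Body = [System.IO.File]::ReadAllText($LogFile)
    # NOTE(review): the report (account DNs and certificate serials) is relayed
    # without TLS or authentication; add -UseSsl (and -Credential) if the relay
    # supports it.
    Send-MailMessage -From $From -To $To -Subject "Certificate Check" -Body $Body -Priority High `
        -DeliveryNotificationOption onSuccess, onFailure -SmtpServer $Smtp
}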