Nagios – Checking the status of Users in Active Directory

When we have a fair number of users in our organization, or above all when they are a bit clumsy, we can keep an eye on their Active Directory accounts to prevent and monitor possible problems. That is, we can check whether user accounts are disabled, whether their passwords have expired or are close to expiring, and whether they have become blocked, among other options.

 

Thanks to Nagios or Centreon, among others, we can monitor this quite simply and get real-time notifications when a user account is affected. Through NRPE we can run a PowerShell script on any Windows machine that will query Active Directory for users with problems. If you don't have 'check_nrpe' or you need to know how to install the necessary agent, see the document Nagios – Monitoring with NRPE.

We rely on the 'lotp_check_ad_accounts.ps1' script, which we can download from Nagios Exchange at this URL: https://exchange.nagios.org/directory/Plugins/Operating-Systems/Windows-NRPE/Check-Active-Directory-Accounts/details

 

We will be able to verify:

  • Disabled accounts –> AccountDisabled
  • Expired user accounts –> AccountExpired
  • User accounts about to expire –> AccountExpiring
  • Inactive accounts –> AccountInactive
  • Blocked (locked-out) accounts –> LockedOut
  • Accounts with expired passwords –> PasswordExpired
  • Accounts whose passwords never expire –> PasswordNeverExpires

 

If we want to test it from a PowerShell console, we run the command in the following format:

[SourceCode].\lotp_check_ad_accounts.ps1 AccountDisabled 'dc=openservices,dc=local' Subtree 2 3[/SourceCode]

 

The arguments are, in order: the type of check to perform, the search string, the scope of the search (Base, OneLevel or Subtree) and, as numbers, the maximum result values for a Warning and a Critical.

 

If we modify the following line of the script, we can have it output the affected users as well:

[SourceCode]$output=$state+": "+$result.Count+" "+$action+"|"+$action+"="+$result.Count+";"+$maxWarn+";"+$maxCrit[/SourceCode]

 

Replace it with the following:

[SourceCode]$output=$state+": "+$result.Count+" "+$action+" "+$result+"|"+$action+"="+$result.Count+";"+$maxWarn+";"+$maxCrit[/SourceCode]
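
The same output line written as a function, added here as an example and not taken from lotp_check_ad_accounts.ps1: it applies the Warning/Critical thresholds and lists the affected accounts while stripping the '|' character, which Nagios uses to separate the status text from performance data. The function name, the sample account names and the "strictly greater than" threshold rule are assumptions.

```powershell
# Added example: not the lotp_check_ad_accounts.ps1 source.
# Assumption: a count strictly above a threshold raises that state.
function Format-NagiosAccountResult {
    param(
        [Parameter(Mandatory)][string]$Action,
        [AllowEmptyCollection()][string[]]$Names = @(),
        [Parameter(Mandatory)][int]$MaxWarn,
        [Parameter(Mandatory)][int]$MaxCrit,
        [int]$MaxListed = 10      # cap the list so the status line stays short
    )
    $count = $Names.Count
    if     ($count -gt $MaxCrit) { $state = 'CRITICAL'; $code = 2 }
    elseif ($count -gt $MaxWarn) { $state = 'WARNING';  $code = 1 }
    else                         { $state = 'OK';       $code = 0 }

    # '|' starts the perfdata section in plugin output, and line breaks split
    # the status line, so replace them before the names reach the output.
    $clean = @($Names | ForEach-Object { ($_ -replace '[|\r\n\t]', '_').Trim() })
    $list  = @($clean | Select-Object -First $MaxListed) -join ', '
    if ($count -gt $MaxListed) { $list += " (+$($count - $MaxListed) more)" }

    $text = "${state}: $count $Action"
    if ($list) { $text += " [$list]" }

    [pscustomobject]@{
        ExitCode = $code          # 0 = OK, 1 = WARNING, 2 = CRITICAL
        Output   = "$text|$Action=$count;$MaxWarn;$MaxCrit"
    }
}

# Constructed sample names; the second one contains a '|' on purpose.
$sample = 'jdoe', 'svc|backup', 'asmith'
$r = Format-NagiosAccountResult -Action LockedOut -Names $sample -MaxWarn 2 -MaxCrit 3
Write-Output $r.Output

# In a plugin script, finish with:  exit $r.ExitCode
# On a domain-joined host with the ActiveDirectory module, the names could come from:
#   (Search-ADAccount -LockedOut -UsersOnly -SearchBase 'dc=openservices,dc=local' `
#       -SearchScope Subtree).SamAccountName
```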

 

 

Well, let's get started! We edit the nsclient.ini file, as we already know how to do. We must define the script that will be executed and then its alias:

 

[SourceCode][/settings/external scripts/scripts]
check_cuentas = cmd /c echo scripts\lotp_check_ad_accounts.ps1 $ARG1$ "$ARG2$" subtree $ARG3$ $ARG4$; exit($lastexitcode) | powershell.exe -
[/settings/external scripts/alias]
check_cuentas = check_cuentas[/SourceCode]

 

As we can see, we can pass it 4 arguments, although everyone can do this as they prefer! Remember to restart the NSClient++ service after modifying the configuration file.

 

Then it is enough to create the service that will monitor each check on the users of our Active Directory. We create this service as usual and bind it to the server that will run the PowerShell script. We will use the check_nrpe command; in my case I do not have the arguments defined separately, so we can put the whole string in directly, or set the check_nrpe command to support arguments. To the point: in this scenario, the service that checks for blocked accounts would be defined as follows. Go to "Configuration" > "Services" > "Add", or clone an existing service, and fill in at least the following data:

 

  • Description: The name under which we will see the service in the monitoring; it should describe the check performed. In this case, 'AD – Blocked accounts' works for me.
  • Template: Normally, select 'generic-active-service-custom'.
  • Check Command: Select 'check_nrpe' from the list of commands.
  • Args: Here we fill in the alias that we defined in the INI file; in this document we pass the check 'check_cuentas' through NRPE, followed by '-a' to pass it the arguments. It would look like this: check_cuentas -a LockedOut "dc=openservices,dc=local" 2 3

And we save with "Save"! We will create as many services as we need for our environment!

 

And, as usual, once we export the Centreon data and restart the engine, we can go to "Monitoring" > "Status Details" and check each monitored service. The user accounts of our Active Directory will now be controlled and monitored with Nagios or Centreon! We will avoid unnecessary scares, right? I hope you find it useful. Thank you all for sharing!

 

Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me; I will try to help you whenever I can. Sharing is living ;) . Enjoy the documents!!!