This script will help you find all types of privileged accounts in your Active Directory and generate a report of them.

 

Privileged accounts across the domain are determined by user group membership and fall into four categories:
1. High Privilege Accounts - users whose account is a member of the Domain Admins, Administrators, Enterprise Admins or Schema Admins group
2. Limited Privilege Accounts - users who are members of the Server Operators or Backup Operators group
3. System Accounts - built-in accounts
4. Non Privilege Accounts - normal user accounts

 

How to run the script:

1. Save the file as ADPrivilegeAccounts-Audit-v1.ps1 in a folder of your choice. Also make sure that the ActiveDirectory PowerShell module is installed on the machine.

2. Open a PowerShell console with a domain account, change to the folder holding the script and run it by name (PS C:\> .\ADPrivilegeAccounts-Audit-v1.ps1) to audit user accounts in your logon domain, or specify a domain name to audit (e.g. PS C:\> .\ADPrivilegeAccounts-Audit-v1.ps1 -Domain f40.com).

3. The script writes its output in CSV format to the same folder as the script.

PowerShell
# Classification of one user, evaluated for each account inside the script's loop.
# $MemberOf holds the user's MemberOf attribute (group distinguished names) and
# $Description the account description, both retrieved with Get-ADUser -Properties MemberOf,Description.
# $hpa, $lpa, $sa and $npa are the per-category counters, initialised to 0 before the loop.
# Note: -like "*Administrators*" also matches any other group whose name contains that word,
# and only direct group membership is examined (nested groups are not expanded).
If ($MemberOf -like "*Domain Admin*" -or $MemberOf -like "*Administrators*" -or $MemberOf -like "*Enterprise Admin*" -or $MemberOf -like "*Schema Admin*")
{
    $accountType = "High Privilege Account"
    $hpa += 1
}
elseIf ($MemberOf -like "*server operator*" -or $MemberOf -like "*backup operator*")
{
    $accountType = "Limited Privilege Account"
    $lpa += 1
}
elseIf ($Description -like "Built-in*")
{
    $accountType = "System Account"
    $sa += 1
}
else
{
    $accountType = "Non privileged account"
    $npa += 1
}
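The classification and CSV output described in the steps and the snippet above, as an added stand-alone example that is not the gallery script itself. It uses a constructed in-memory user list so it runs without the ActiveDirectory module, and it compares exact group names taken from the group DN instead of the script's -like wildcards, so a group such as "Hyper-V Administrators" is not counted as high privilege; the -Domain default f40.com is the page's own example value.

```powershell
# Added example (not the gallery script): classify accounts by group membership and write the CSV.
param([string]$Domain = 'f40.com')   # domain name taken from the page's usage example

function ConvertTo-GroupName {
    # Turn a group DN such as "CN=Domain Admins,CN=Users,DC=f40,DC=com" into "Domain Admins".
    param([string[]]$MemberOf)
    foreach ($dn in $MemberOf) { ($dn -split ',')[0] -replace '^CN=', '' }
}

function Get-PrivilegeAccountType {
    param([string[]]$MemberOf, [string]$Description)
    # Exact names rather than "*Administrators*" wildcards; only direct membership is checked,
    # nested group membership is not expanded.
    $high    = 'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins'
    $limited = 'Server Operators', 'Backup Operators'
    $groups  = @(ConvertTo-GroupName $MemberOf)
    if ($groups | Where-Object { $high -contains $_ })    { return 'High Privilege Account' }
    if ($groups | Where-Object { $limited -contains $_ }) { return 'Limited Privilege Account' }
    if ($Description -like 'Built-in*')                    { return 'System Account' }
    return 'Non privileged account'
}

# Constructed sample users. For a real audit replace this list with:
#   $Users = Get-ADUser -Filter * -Server $Domain -Properties MemberOf, Description
$Users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Description = '';                               MemberOf = @('CN=Domain Admins,CN=Users,DC=f40,DC=com') }
    [pscustomobject]@{ SamAccountName = 'bkops';  Description = '';                               MemberOf = @('CN=Backup Operators,CN=Builtin,DC=f40,DC=com') }
    [pscustomobject]@{ SamAccountName = 'Guest';  Description = 'Built-in account for guest access'; MemberOf = @('CN=Guests,CN=Builtin,DC=f40,DC=com') }
    [pscustomobject]@{ SamAccountName = 'hvadm';  Description = '';                               MemberOf = @('CN=Hyper-V Administrators,CN=Builtin,DC=f40,DC=com') }
    [pscustomobject]@{ SamAccountName = 'asmith'; Description = '';                               MemberOf = @() }
)

$report = foreach ($u in $Users) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        AccountType    = Get-PrivilegeAccountType -MemberOf $u.MemberOf -Description $u.Description
        Groups         = (ConvertTo-GroupName $u.MemberOf) -join ';'
    }
}

# Per-category counts (the script's $hpa/$lpa/$sa/$npa) and the CSV written next to the script.
$report | Group-Object AccountType | Select-Object Name, Count | Format-Table -AutoSize
$outDir = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
$report | Export-Csv -Path (Join-Path $outDir "ADPrivilegeAccounts-$Domain.csv") -NoTypeInformation
```

With the sample data, jdoe is reported as High Privilege, bkops as Limited Privilege, Guest as System Account, and hvadm and asmith as Non privileged.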