class ADAuditAccount {
    # Constructor 1
        $this.UserName = $UserName
        $this.AccessRequired = $false
        $this.NeedMailBox = $false
    ) {
        $this.UserName = $UserName
        $this.FirstName = $FirstName
        $this.LastName = $LastName
        $this.UPN = $UPN
        $this.LastSignIn = ([DateTime]::FromFileTime($LastSignIn))
        $this.Enabled = $Enabled
        $this.LastSeen = $(
            switch (([DateTime]::FromFileTime($LastSeen))) {
                # Over 90 Days
                { ($_ -lt (Get-Date).Adddays( - (90))) } { '3+ months'; break }
                # Over 60 Days
                { ($_ -lt (Get-Date).Adddays( - (60))) } { '2+ months'; break }
                # Over 90 Days
                { ($_ -lt (Get-Date).Adddays( - (30))) } { '1+ month'; break }
                default { 'Recently' }
            } # End Switch
        ) # End LastSeen
        $this.OrgUnit = $OrgUnit -replace '^.*?,(?=[A-Z]{2}=)'
        $this.Title = $Title
        $this.Manager = $(
            switch ($Manager) {
                # Over 90 Days
                { if ($_) { return $true } } { "$((Get-ADUser -Identity $Manager).Name)"; break }
                # Over 60 Days
                default { 'NotFound' }
        ) # End Manager
        $this.AccessRequired = $AccessRequired
        $this.NeedMailbox = $NeedMailbox

enum DeviceType {
    Undefined = 0
    Compute = 1
    Storage = 2
    Networking = 4
    Communications = 8
    Power = 16
    Rack = 32
$Enabled = $true
[int]$DaysInactive = '90'
$time = (Get-Date).Adddays( - ($DaysInactive))
Get-aduser -Filter { LastLogonTimeStamp -lt $time -and Enabled -eq $true } -Properties `
    GivenName, Surname, Mail, UserPrincipalName, Title, `
    Description, Manager, lastlogontimestamp, samaccountname, DistinguishedName, Department -OutVariable Export
[ADAuditAccount]$ADDSAuditAccount = [ADAuditAccount]::new(
$AuditArray = @()
foreach ($accountItem in $Export) {
    $AuditArray += [ADAuditAccount]::new(
Write-Output $ADDSExport

function Export-AuditCSVtoZip {
    param (
    process {
            if ($Exported) {
            [PSCustomObject[]]$ExportObject = $Exported
            $membertype = "NoteProperty"
            else {
                $membertype = "Property"

            Write-TSLog "The $($script:MyInvocation.MyCommand.Name -replace '\..*') Export was successful. There are $($ExportObject.Count) objects listed with the following properties: "
            ($ExportObject | Get-Member -MemberType $membertype ).Name | Write-TSLog
            Write-TSLog "Exporting CSV to path: $CSVName"
            try {
                $ExportObject | Export-CSV -Path $CSVName -NoTypeInformation -ErrorVariable ExportErr -ErrorAction Stop
            catch {
                Write-TSLog "The CSV export failed with error: "
                write-tslog "Error" + $ExportErr.Exception.ErrorRecord
            Write-TSLog "Compressing file: $CSVName"
            Write-TSLog "to destination zip file: $ZipName"
            try {
                Compress-Archive -Path $CSVName -DestinationPath $ZipName -ErrorVariable ZipErr -ErrorAction Stop
            catch {
                Write-TSLog "Failed compressing file: "
                Write-TSLog $CSVName
                Write-TSLog "to destination zip file: "
                Write-TSLog $ZipName
                Write-TSLog "with error: "
                Write-TSLog -End
                write-tslog $ZipErr.Exception.ErrorRecord
            Write-TSLog "Removing CSV file: "
            Write-TSLog $CSVName
            Write-TSLog "from the file system."
            try {
                Remove-Item $CSVName -Force -ErrorVariable CSVDeleteErr -ErrorAction Stop
            catch {
                Write-TSLog "Failed to remove CSV file: $CSVName"
                Write-TSLog -LogError -LogErrorVar $CSVDeleteErr.Exception.ErrorRecord
            Write-TSLog "Removed CSV file: "
            Write-TSLog $CSVName
            Write-TSLog "from the file system."

Function Get-AdExtendedRight([Microsoft.ActiveDirectory.Management.ADObject] $ADObject) {
    $ExportER = @()
    Foreach ($Access in $ADObject.ntsecurityDescriptor.Access) {
        # Ignore well known and normal permissions
        if ($Access.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        if ($Access.IdentityReference -eq "NT AUTHORITY\SYSTEM") { continue }
        if ($Access.IdentityReference -eq "NT AUTHORITY\SELF") { continue }
        if ($Access.IsInherited) { continue }
        # Check extended right
        if ($Access.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
            $Right = "";
            # This is the list of dangerous extended attributs
            # see :
            switch ($Access.ObjectType) {
                "00299570-246d-11d0-a768-00aa006e0529" { $Right = "User-Force-Change-Password" }
                "45ec5156-db7e-47bb-b53f-dbeb2d03c40" { $Right = "Reanimate-Tombstones" }
                "bf9679c0-0de6-11d0-a285-00aa003049e2" { $Right = "Self-Membership" }
                "ba33815a-4f93-4c76-87f3-57574bff8109" { $Right = "Manage-SID-History" }
                "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" { $Right = "DS-Replication-Get-Changes-All" }
            } # End switch
            if ($Right -ne "") {
                $Rights = [ordered]@{
                    Actor                   = $($Access.IdentityReference)
                    CanActOnThePermissionof = "$($" + " " + "($($ADObject.DistinguishedName))"
                    WithExtendedRight       = $Right
                $ExportER += new-object -TypeName PSObject -Property $Rights

                #"$($Access.IdentityReference) can act on the permission of $($ ($($ADObject.DistinguishedName)) with extended right: $Right"
            } # Endif
        } # Endif
    } # End Foreach
    return $ExportER
} # End Function
function Get-ADGroupMemberof {
    param (
    process {
        $GroupStringArray = ((Get-ADuser -Identity $SamAccountName -Properties memberof).memberof | Get-ADGroup | Select-Object name | Sort-Object name).name
        $GroupString = $GroupStringArray -join " | "
        return $GroupString
function Get-TimeStamp {
    $Stamp = "[{0:yyyy/MM/dd} {0:HH:mm:ss}]" -f (Get-Date)
    return $Stamp

function Initialize-AuditBeginBlock {
    This is a sample Private function only visible within the module.
    This sample function is not exported to the module and only return the data passed as parameter.
    $null = Initialize-AuditBeginBlock -PrivateData 'NOTHING TO SEE HERE'
    .PARAMETER PrivateData
    The PrivateData parameter is what will be returned without transformation.

            ValueFromPipeline = $true
        [string]$AttachmentFolderPathBegin = "C:\temp\ADDSAuditTasks",
            ValueFromPipelineByPropertyName = $true
            ValueFromPipelineByPropertyName = $true
            ValueFromPipelineByPropertyName = $true
            ValueFromPipelineByPropertyName = $true


    process {
        # Create Directory Path
        $AttachmentFolderPathCheck = Test-Path -Path $AttachmentFolderPathBegin
        If (!($AttachmentFolderPathCheck)) {
            Try {
                # If not present then create the dir
                New-Item -ItemType Directory $AttachmentFolderPathBegin -Force -ErrorAction Stop
            Catch {
                Write-TSLog -Begin
                Write-TSLog "Directory: $AttachmentFolderPathBegin was not created."
                Write-TSLog -LogErrorEnd
        # Begin Logging to $script:Logs
        Write-TSLog -Begin
        $script:LogOutputPath = "$AttachmentFolderPathBegin\$((Get-Date).ToString(''))_$($ScriptFunctionName)_$($env:USERDNSDOMAIN)_ADDSAuditlog.log"
        Write-TSLog "Log output path: $LogOutputPath"
        # If not Clean
        if (!($CleanBegin)) {
            # Import Active Directory Module
            $module = Get-Module -Name ActiveDirectory -ListAvailable
            if (-not $module) {
                Add-WindowsFeature RSAT-AD-PowerShell -IncludeAllSubFeature -Verbose -ErrorAction Stop
            try {
                Import-Module "activedirectory" -Global -ErrorAction Stop
            catch {
                Write-TSLog "The Module Was not installed. Use `"Add-WindowsFeature RSAT-AD-PowerShell`" or install using server manager under `"Role Administration Tools>AD DS and AD LDS Tools>Active Directory module for Windows Powershell`"."
                Write-TSLog -LogErrorEnd
            if ($SendEmailMessageBegin) {
                # Install / Import required modules.
                $module = Get-Module -Name Send-MailKitMessage -ListAvailable
                if (-not $module) {
                    Install-Module -Name Send-MailKitMessage -AllowPrerelease -Scope AllUsers -Force
                try {
                    Import-Module "Send-MailKitMessage" -Global -ErrorAction Stop
                catch {
                    # End run and log to file.
                    Write-TSLog "The Module Was not installed. Use `"Save-Module -Name Send-MailKitMessage -AllowPrerelease -Path C:\temp`" on another Windows Machine."
                    Write-TSLog -End
            elseif ($WinSCPBegin) {
                $module = Get-Module -Name WinSCP -ListAvailable
                if (-not $module) {
                    Install-Module WinSCP -Scope CurrentUser
                try {
                    Import-Module WinSCP -Global -ErrorAction Stop
                catch {
                    Write-TSLog "The Module Was not installed. Export WinSCP using: `"Save-Module WinSCP -Path <Path>`" and import to this machine."
                    Write-TSLog -LogErrorEnd
        # If SendMailMessage

        return $LogOutputPath

function Initialize-AuditEndBlock {
    This is a sample Private function only visible within the module.
    This sample function is not exported to the module and only return the data passed as parameter.
    $null = Initialize-AuditEndBlock -PrivateData 'NOTHING TO SEE HERE'
    .PARAMETER PrivateData
    The PrivateData parameter is what will be returned without transformation.

        #[string]$subject = "$($script:MyInvocation.MyCommand.Name -replace '\..*') report ran for $($env:USERDNSDOMAIN).",
    process {
        Write-TSLog "The Value of Clean is $CleanEnd."
        if ($CleanEnd) {
            Write-TSLog "Removing Send-MailKitMessage Module"
            try {
                # Remove Modules
                Remove-Module -Name "Send-MailKitMessage" -Force -Confirm:$false -ErrorAction Stop
            catch {
                Write-TSLog "Error removing Send-MailKitMessage Module"
                Write-TSLog -LogError
            Write-TSLog "Uninstalling Send-MailKitMessage Module"
            try {
                # Uninstall Modules
                Uninstall-Module -Name "Send-MailKitMessage" -AllowPrerelease -Force -Confirm:$false
            catch {
                Write-TSLog -LogError
                if (Get-Module -Name Send-MailKitMessage -ListAvailable) {
                    Write-TSLog "Error uninstalling Send-MailKitMessage Module"
            Write-TSLog "Removing directories and files in: "
            Write-TSLog "$AttachmentFolderPathEnd"
            try {
                Remove-Item -Path $AttachmentFolderPathEnd -Recurse -Force -ErrorAction Stop
            catch {
                Write-TSLog "Directory Cleanup error!"
                Write-TSLog -LogError
            Write-TSLog -End
            Write-TSLog -LogOutputPath C:\temp\ADDSAuditTaskCleanupLogs.log
        else {
            if ($SendEmailMessageEnd) {
                if ($Password) {
                    Send Attachment using O365 email account and password.
                    Must exclude from conditional access legacy authentication policies.

                    Write-TSLog "Account: $UserNameEnd,"
                    Write-TSLog "SENDING email to: $ToEnd,"
                    Write-TSLog "From USER: $FromEnd,"
                    Write-TSLog "Using PORT: $PortEnd,"
                    Write-TSLog "Using RELAY $SMTPServerEnd, with SSL"
                    Write-TSLog "With: PASSWORD"
                    Write-TSLog "Logs included in body"
                    Write-TSLog -End
                    Send-AuditEmail -smtpServer $SMTPServerEnd -port $PortEnd -username $UserNameEnd `
                        -body $script:Logs -pass $Password -from $FromEnd -to $ToEnd -attachmentfiles ($ZipEnd).Split(" ") -ssl
                    Remove-Item -Path $AttachmentFolderPath -Recurse -Force -ErrorAction Stop
                } # End if
                else {
                    Write-TSLog "Account: $UserNameEnd,"
                    Write-TSLog "SENDING email to: $ToEnd,"
                    Write-TSLog "From USER: $FromEnd,"
                    Write-TSLog "Using PORT: $PortEnd,"
                    Write-TSLog "Using RELAY: $SMTPServerEnd, with SSL"
                    Write-TSLog "Without: PASSWORD"
                    Write-TSLog "Logs included in body"
                    Write-TSLog -End
                    Send-AuditEmail -smtpServer $SMTPServerEnd -port $PortEnd -username $UsernameEnd `
                        -body $script:Logs -from $FromEnd -to $ToEnd -attachmentfiles ($ZipEnd).Split(" ") -ssl
                    Remove-Item -Path $AttachmentFolderPathEnd -Recurse -Force -ErrorAction Stop
            elseif ($FunctionAppEnd) {
                Send Attachment using O365 email account and Keyvault retrived password.
                Must exclude email account from conditional access legacy authentication policies.

                Write-TSLog "Account: $UserNameEnd,"
                Write-TSLog "SENDING email to: $ToEnd,"
                Write-TSLog "From USER: $FromEnd,"
                Write-TSLog "Using PORT: $PortEnd,"
                Write-TSLog "Using RELAY: $SMTPServerEnd, with SSL"
                Write-TSLog "Using FUNCTION APP: $FunctionAppEnd,"
                Write-TSLog "With FUNCTION: $FunctionEnd"
                Write-TSLog "Logs included in body"
                Write-TSLog -End
                Send-AuditEmail -smtpServer $SMTPServerEnd -port $PortEnd -username $UserNameEnd `
                    -body $script:Logs -Function $FunctionEnd -FunctionApp $FunctionAppEnd -token $ApiTokenEnd -from $FromEnd -to $ToEnd -attachmentfiles ($ZipEnd).Split(" ") -ssl
                Remove-Item -Path $AttachmentFolderPathEnd -Recurse -Force -ErrorAction Stop
            elseif ($WinSCPEnd) {
                Write-TSLog "Account: $UserNameEnd,"
                Write-TSLog "SENDING SFTP to: $FTPHostEnd,"
                Write-TSLog "For SshHostKeyFingerprint: "
                Write-TSLog "Files: $ZipEnd"
                Write-TSLog $SshHostKeyFingerprintEnd
                Submit-FTPUpload -FTPUserName $UserNameEnd -Password $Password `
                -FTPHostName $FTPHostEnd -LocalFilePath ($ZipEnd).Split(" ") -SshHostKeyFingerprint $SshHostKeyFingerprintEnd -RemoteFTPPath $RemotePathEnd -ErrorVariable SubmitFTPErr
                if ($?) {
                    Write-TSLog  "The ADDSAuditTask archive have been uploaded to ftp."
                    Write-TSLog -End
                    Write-TSLog -LogOutputPath $LogOutputPath
                else {
                    Write-TSLog -LogError $SubmitFTPErr
            elseif ($LocalDiskEnd) {
                #Confirm output path to console.
                Write-TSLog  "The ADDSAuditTask archive have been saved to: "
                Write-TSLog  "$ZipEnd"
                Write-TSLog -End
                Write-TSLog -LogOutputPath $LogOutputPath

function Send-AuditEmail {
    This is a sample Private function only visible within the module. It uses Send-MailkitMessage
    To send email messages.
    This sample function is not exported to the module and only return the data passed as parameter.
    Send-AuditEmail -smtpServer $SMTPServer -port $Port -username $Username -Function $Function -FunctionApp $FunctionApp -token $ApiToken -from $from -to $to -attachmentfilePath "$FilePath" -ssl
    .PARAMETER PrivateData
    The PrivateData parameter is what will be returned without transformation.

        param (
            [string]$subject = "$($script:MyInvocation.MyCommand.Name -replace '\..*') report ran for $($env:USERDNSDOMAIN).",
        Import-Module Send-MailKitMessage
        # Recipient
        $RecipientList = [MimeKit.InternetAddressList]::new()
        # Attachment
        $AttachmentList = [System.Collections.Generic.List[string]]::new()
        foreach ($currentItem in $attachmentfiles) {

        # From
        $from = [MimeKit.MailboxAddress]$from
        # Mail Account variable
        $User = $username
        if ($pass) {
            # Set Credential to $Password parameter input.
            $Credential = `
            [System.Management.Automation.PSCredential]::new($User, $pass)
        elseif ($FunctionApp) {
            $url = "https://$($FunctionApp)$($Function)"
            # Retrieve credentials from function app url into a SecureString.
            $a, $b = (Invoke-RestMethod $url -Headers @{ 'x-functions-key' = "$token" }).split(',')
            $Credential = `
                [System.Management.Automation.PSCredential]::new($User, (ConvertTo-SecureString -String $a -Key $b.split(' ')) )
        # Create Parameter hashtable
        $Parameters = @{
            "UseSecureConnectionIfAvailable" = $ssl
            "Credential"                     = $Credential
            "SMTPServer"                     = $SMTPServer
            "Port"                           = $Port
            "From"                           = $From
            "RecipientList"                  = $RecipientList
            "Subject"                        = $subject
            "TextBody"                       = $body
            "AttachmentList"                 = $AttachmentList
        Send-MailKitMessage @Parameters
        Clear-Variable -Name "a", "b", "Credential", "token" -Scope Local -ErrorAction SilentlyContinue
function Submit-FTPUpload {
    param (
        # New-WinSCPSessionOption
        [ValidateSet("Sftp", "SCP", "FTP", "Webdav", "s3")]
        # New-WinSCPSessionOption
        [string]$Protocol = "Sftp",
        [ValidateSet("None", "Implicit ", "Explicit")]
        # New-WinSCPSessionOption
        [string]$FTPSecure = "None",
        # New-WinSCPSessionOption
        #[int]$FTPPort = 0,
        # New-WinSCPSessionOption
        # Mandatory with SFTP/SCP
        # New-WinSCPSessionOption
        # Send-WinSCPItem
        # './remoteDirectory'
    process {
        # This script will run in the context of the user. Please be sure it's a local admin with cached credentials.
        # Required Modules
        Import-Module WinSCP
        # Capture credentials.
        $Credential = [System.Management.Automation.PSCredential]::new($FTPUserName, $Password)
        # Open the session using the SessionOptions object.
        $sessionOption = New-WinSCPSessionOption -Credential $Credential -HostName $FTPHostName -SshHostKeyFingerprint $SshHostKeyFingerprint -Protocol $Protocol -FtpSecure $FTPSecure
        # New-WinSCPSession sets the PSDefaultParameterValue of the WinSCPSession parameter for all other cmdlets to this WinSCP.Session object.
        # You can set it to a variable if you would like, but it is only necessary if you will have more then one session open at a time.
        $WinSCPSession = New-WinSCPSession -SessionOption $sessionOption
        if (!(Test-WinSCPPath -Path $RemoteFTPPath -WinSCPSession $WinSCPSession)) {
            New-WinSCPItem -Path $RemoteFTPPath -ItemType Directory -WinSCPSession $WinSCPSession
        # Upload a file to the directory.
        $errorindex = 0
        foreach ($File in $LocalFilePath) {
            $sendvar = Send-WinSCPItem -Path $File -Destination $RemoteFTPPath -WinSCPSession $WinSCPSession -ErrorAction Stop -ErrorVariable SendWinSCPErr
            if ($sendvar.IsSuccess -eq $false) {
                write-tslog -LogErrorEnd -LogErrorVar $SendWinSCPErr
                $errorindex += 1
        if ($ErrorIndex -ne 0) {
            Write-Output "Error"
            throw 1
        # Close and remove the session object.
        Remove-WinSCPSession -WinSCPSession $WinSCPSession
function Write-TSLog {
    This is a sample Private function only visible within the module.
    This sample function is not exported to the module and only return the data passed as parameter.
    $null = Write-Logs -PrivateData 'NOTHING TO SEE HERE'
    .PARAMETER PrivateData
    The PrivateData parameter is what will be returned without transformation.

    [CmdletBinding(DefaultParameterSetName = 'Default')]
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Mandatory = $true,
            ParameterSetName = 'Default',
            Position = 0
            ValueFromPipelineByPropertyName = $true,
            Mandatory = $true,
            ParameterSetName = 'Begin',
            Position = 0
            ValueFromPipelineByPropertyName = $true,
            Mandatory = $true,
            ParameterSetName = 'End',
            Position = 0
            ValueFromPipelineByPropertyName = $true,
            Mandatory = $true,
            ParameterSetName = 'LogError',
            Position = 0
            ValueFromPipelineByPropertyName = $true,
            Mandatory = $true,
            ParameterSetName = 'LogErrorEnd',
            Position = 0
        [Parameter(ParameterSetName = 'LogError', Position = 1)]
            ValueFromPipelineByPropertyName = $true,
            ParameterSetName = 'LogErrorEnd',
            Position = 1
            ValueFromPipelineByPropertyName = $true,
            Mandatory = $true,
            ParameterSetName = 'LogToFile',
            Position = 0
    process {
        # Change the ErrorActionPreference to 'Stop'
        $ErrorActionPreference = "SilentlyContinue"
        $ModuleName = $script:MyInvocation.MyCommand.Name.ToString() -replace '\..*'
        $ModuleVer = $MyInvocation.MyCommand.Version.ToString()
        $ErrorActionPreference = "Continue"
        if ($Begin) {
            Clear-Variable Logs -Scope Script -ErrorAction SilentlyContinue
            $TSLogString = "$(Get-TimeStamp) Begin Log for Module version $ModuleVer of Module: $ModuleName `n"
            $script:Logs += $TSLogString
        elseif ($End) {
            $TSLogString = "$(Get-TimeStamp) End Log for Module version $ModuleVer of Module: $ModuleName `n"
            $script:Logs += $TSLogString
            Write-Output $script:Logs
        elseif ($LogError) {
            if ($LogErrorVar) {
                #$TSLogString += "$(($LogErrorVar.Exception).ToString()) `n"
                $TSLogString += "$($global:Error[0].Exception.ErrorRecord) `n"
            else {
                $TSLogString = "$($global:Error[0].Exception.ErrorRecord) `n"
            $script:Logs += $TSLogString
        elseif ($LogErrorEnd) {
            if ($LogErrorVar) {
                $TSLogString = "$(Get-TimeStamp) An Error Occured. The Error Variable was: `n"
                $script:Logs += $TSLogString
                $TSLogString += "$($LogErrorVar.Exception.ErrorRecord)" + "Error`n"
                $script:Logs += $TSLogString
                $TSLogString = "$(Get-TimeStamp) End Log for Module version $ModuleVer of Module: $ModuleName `n"
                $script:Logs += $TSLogString
                $TSLogString = "$(Get-TimeStamp) ErrorLog output to 'C:\temp\ADDSAuditTasksErrors.log' `n"
                $script:Logs += $TSLogString
            else {
                $TSLogString = "$(Get-TimeStamp) An Error Occured. The exception was: `n"
                $script:Logs += $TSLogString
                $TSLogString = "$($global:Error[0].Exception.ErrorRecord) `n"
                $script:Logs += $TSLogString
                $TSLogString = "$(Get-TimeStamp) ErrorLog output to 'C:\temp\ADDSAuditTasksErrors.log' `n"
                $script:Logs += $TSLogString
            Write-Output $script:Logs
            $script:Logs | Out-File "C:\temp\ADDSAuditTasksErrors.log" -Encoding utf8 -Append -Force
        elseif ($LogOutputPath) {
            $script:Logs | Out-File $LogOutputPath -Encoding utf8 -Append -Force
            Write-Output "Logs saved to $LogOutputPath"
        else {
            $TSLogString = "$(Get-TimeStamp) $logstring `n"
            $script:Logs += $TSLogString
function Get-ADDSActiveAccountAudit {
        Active Directory Audit with Keyvault retrieval option.
        Audit's Active Directory taking "days" as the input for how far back to check for a last sign in.
        Output can be kept locally, or sent remotely via email or sftp.
        Function App is the same as SendEmail except that it uses a password retrieved using the related Function App.
        The related function app would need to be created.
        Expects SecureString and Key as inputs to function app parameter set.
        PS C:\> Get-ADDSActiveAccountAudit -LocalDisk -Verbose
        PS C:\> Get-ADDSActiveAccountAudit -SendMailMessage -SMTPServer $SMTPServer -UserName "" -Password (Read-Host -AsSecureString) -To "" -Verbose
        PS C:\> Get-ADDSActiveAccountAudit -FunctionApp $FunctionApp -Function $Function -SMTPServer $SMTPServer -UserName "" -To "" -Verbose
        PS C:\> Get-ADDSActiveAccountAudit -WinSCP -UserName "ftphostname.UserName" -Password (Read-Host -AsSecureString) -FTPHost "" -SshHostKeyFingerprint "<SShHostKeyFingerprint>" -Verbose
        PS C:\> Get-ADDSActiveAccountAudit -Clean -Verbose
    .PARAMETER LocalDisk
        Only output data to local disk.
    .PARAMETER SendMailMessage
        Adds parameters for sending Audit Report as an Email.
        Adds parameters for sending Audit Report via SFTP.
    .PARAMETER AttachmentFolderPath
        Default path is C:\temp\ADDSActiveAccountAuditLogs.
        This is the folder where attachments are going to be saved.
    .PARAMETER FunctionApp
        Azure Function App Name.
    .PARAMETER Function
        Azure Function App's Function Name. Ex. "HttpTrigger1"
    .PARAMETER ApiToken
        Private Function Key.
        Defaults to Office 365 SMTP relay. Enter optional relay here.
        SMTP Port to Relay. Ports can be: "993", "995", "587", or "25"
    .PARAMETER UserName
        Specify the account with an active mailbox and MFA disabled.
        Ensure the account has delegated access for Send On Behalf for any
        UPN set in the "$From" Parameter
    .PARAMETER Password
        Use: (Read-Host -AsSecureString) as in Examples.
        May be omitted.
        Recipient of the attachment outputs.
        Defaults to the same account as $UserName unless the parameter is set.
        Ensure the Account has delegated access to send on behalf for the $From account.
        SFTP Hostname.
    .PARAMETER RemotePath
        Remove FTP path. Will be created in the user path under functionname folder if not specified.
    .PARAMETER SshHostKeyFingerprint
        Adds parameters for sending Audit Report via SFTP.
    .PARAMETER DaysInactive
        Defaults to 90 days in the past.
        Specifies how far back to look for accounts last logon.
        If logon is within 90 days, it won't be included.
    .PARAMETER ADDSAccountIsNotEnabled
        Defaults to not being set.
        Choose to search for disabled Active Directory Users.
    .PARAMETER Clean
        Remove installed modules during run. Remove local files if not a LocalDisk run.
        Can take password as input into secure string using (Read-Host -AsSecureString).

    [CmdletBinding(DefaultParameterSetName = 'LocalDisk', HelpURI = "")]
    param (
            Mandatory = $true,
            ParameterSetName = 'LocalDisk',
            HelpMessage = 'Output to disk only',
            Position = 0
            Mandatory = $true,
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Send Mail to a relay',
            Position = 0
            Mandatory = $true,
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Send using SFTP via WinSCP Module',
            Position = 0,
            ValueFromPipelineByPropertyName = $true
            Mandatory = $true,
            ParameterSetName = 'FunctionApp',
            HelpMessage = 'Enter the FunctionApp name',
            Position = 0
            Mandatory = $true,
            ParameterSetName = 'FunctionApp',
            HelpMessage = 'Enter the FunctionApp Function name',
            ValueFromPipelineByPropertyName = $true,
            Position = 1
        [Parameter(ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Enter the SMTP hostname' ,
            ValueFromPipelineByPropertyName = $true
        [string]$SMTPServer = "",
        [Parameter(ParameterSetName = 'FunctionApp')]
        [Parameter(ParameterSetName = 'SendMailMessage')]
        [Parameter(ParameterSetName = 'WinSCP')]
            ParameterSetName = 'LocalDisk',
            HelpMessage = 'Enter output folder path',
            ValueFromPipeline = $true
        [string]$AttachmentFolderPath = "C:\temp\ADDSActiveAccountAuditLogs",
        [Parameter(ParameterSetName = 'WinSCP')]
        [Parameter(ParameterSetName = 'FunctionApp')]
        [Parameter(ParameterSetName = 'SendMailMessage')]
            ParameterSetName = 'LocalDisk',
            HelpMessage = 'Active Directory User Enabled or not',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'WinSCP')]
        [Parameter(ParameterSetName = 'FunctionApp')]
        [Parameter(ParameterSetName = 'SendMailMessage')]
            ParameterSetName = 'LocalDisk',
            HelpMessage = 'Days back to check for recent sign in',
            ValueFromPipelineByPropertyName = $true
        [int]$DaysInactive = '90',
        [Parameter(Mandatory = $true, ParameterSetName = 'WinSCP')]
        [Parameter(Mandatory = $true, ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            Mandatory = $true,
            HelpMessage = 'Enter the Sending Account UPN Ex:""',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'WinSCP', Mandatory = $true)]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Copy Paste the following: $Password = (Read-Host -AsSecureString)',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Enter the port n
                umber for the mail relay'
            ValueFromPipelineByPropertyName = $true
        [ValidateSet("993", "995", "587", "25")]
        [int]$Port = 587,
        [Parameter(Mandatory = $true, ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            Mandatory = $true,
            HelpMessage = 'Enter the recipient email address',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Enter the name of the sender',
            ValueFromPipelineByPropertyName = $true
        [string]$From = $UserName,
            Mandatory = $true,
            ParameterSetName = 'FunctionApp',
            HelpMessage = 'Enter output folder path',
            ValueFromPipelineByPropertyName = $true
            Mandatory = $true,
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Enter FTP HostName',
            ValueFromPipelineByPropertyName = $true
            Mandatory = $true,
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Enter SshHostKeyFingerprint like: "ecdsa-sha2-nistp256 256 <Key>" ',
            ValueFromPipelineByPropertyName = $true
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Enter ftp remote path "/path/" ',
            ValueFromPipelineByPropertyName = $true
        [string]$RemotePath = ("./" + $($MyInvocation.MyCommand.Name -replace '\..*')) ,
            Mandatory = $true,
            ParameterSetName = 'Clean',
            HelpMessage = 'Clean Modules and output path',
            Position = 0
    Begin {
        $ScriptFunctionName = $MyInvocation.MyCommand.Name -replace '\..*'
        try {
            Initialize-AuditBeginBlock -AttachmentFolderPathBegin $AttachmentFolderPath -ScriptFunctionName $ScriptFunctionName -SendEmailMessageBegin $SendMailMessage -WinSCPBegin $WinSCP -CleanBegin $Clean -ErrorVariable InitBeginErr -ErrorAction Stop
        catch {
            Write-TSLog "End Block last error for log: "
            Write-TSLog -LogError -LogErrorVar InitBeginErr
        if ($ADDSAccountIsNotEnabled) {
            $Enabled = $false
        else {
            $Enabled = $true
    Process {
        if (!($Clean)) {
            # Establish timeframe to review.
            $time = (Get-Date).Adddays( - ($DaysInactive))

            # Add Datetime to filename
            $csvFileName = "$AttachmentFolderPath\$((Get-Date).ToString(''))_$($ScriptFunctionName)_$($env:USERDNSDOMAIN)"
            # Create FileNames
            $csv = "$csvFileName.csv"
            $zip = "$"
            Write-TSLog "Searching for users who have not signed in within the last $DaysInactive days, where parameter Enabled = $Enabled"
            # Audit Script with export to csv and zip. Paramters for Manager, lastLogonTimestamp and DistinguishedName normalized.

            # GetActiveUsers
            Get-aduser -Filter { LastLogonTimeStamp -lt $time -and Enabled -eq $Enabled } -Properties `
                samaccountname,GivenName, Surname, UserPrincipalName,lastlogontimestamp, DistinguishedName, `
                Title, Enabled, Description, Manager, Department -OutVariable ADExport
            $Export = @()

            foreach ($accountItem in $ADExport) {
                $Export += [ADAuditAccount]::new(
            | Select-Object `
            @{N = 'UserName'; E = { $_.samaccountname } }, `
            @{N = 'FirstName'; E = { $_.GivenName } }, `
            @{N = 'LastName'; E = { $_.Surname } }, `
            @{N = 'UPN'; E = { $_.UserPrincipalName } }, `
            @{N = "Last Sign-in"; E = { ([DateTime]::FromFileTime($_.lastLogonTimestamp)) } }, `
                Enabled, `
            @{N = 'Last Seen?'; `
                    E = {
                    switch (([DateTime]::FromFileTime($_.lastLogonTimestamp))) {
                            # Over 90 Days
                            { ($_ -lt $time90) } { '3+ months'; break }
                            # Over 60 Days
                            { ($_ -lt $time60) } { '2+ months'; break }
                            # Over 90 Days
                            { ($_ -lt $time30) } { '1+ month'; break }
                        default { 'Recently' }
            }, `
            @{N = 'OrgUnit'; E = { $_.DistinguishedName -replace '^.*?,(?=[A-Z]{2}=)' } }, `
                Title, `
                @{N = 'Manager'; E = { (Get-ADUser -Identity $_.manager).Name } }, `
                Department, "Access Required?", "Need Mailbox?" -OutVariable Export -ErrorVariable ExportErr | Out-Null

            try {
                Export-AuditCSVtoZip -Exportobject $Export -csv $csv -zip $zip -ErrorAction Stop -ErrorVariable ExportAuditCSVZipErr
            catch {
                Write-TSLog -LogErrorEnd -LogErrorVar $ExportAuditCSVZipErr.Exception.ErrorRecord
        } # End If Clean Region
    } ## End Process Region
    End {
        try {
            Initialize-AuditEndBlock -SendEmailMessageEnd $SendMailMessage -WinSCPEnd $WinSCP -FTPHostend $FTPHost -SshHostKeyFingerprintEnd $SshHostKeyFingerprint -SmtpServerEnd $SMTPServer -PortEnd $Port -UserNameEnd $UserName -FromEnd $From -ToEnd $To `
                -AttachmentFolderPathEnd $AttachmentFolderPath -Password $Password -FunctionEnd $function -FunctionAppEnd $FunctionApp `
                -ApiTokenEnd $ApiToken -ZipEnd $zip -RemotePathEnd $RemotePath -LocalDiskEnd $LocalDisk -CleanEnd $Clean -ErrorVariable InitEndErr
        catch {
            Write-TSLog "End Block last error for log: "
            Write-TSLog -LogError
        # Clear Variables
        Clear-Variable -Name "Function", "FunctionApp", "ApiToken"
function Get-ADDSDepartedUsersAccountAudit {
        Active Directory Audit with Keyvault retrieval option.
        Audit's Active Directory taking a Prefix used as a Wildcard as input for checking user accounts.
        Output can be kept locally, or sent remotely via email or sftp.
        Function App is the same as SendEmail except that it uses a password retrieved using the related Function App.
        The related function app would need to be created.
        Expects SecureString and Key as inputs to function app parameter set.
        PS C:\> Get-ADDSDepartedUsersAccountAudit -LocalDisk -WildCardIdentifier "<StringToSearchFor>" -Verbose
        PS C:\> Get-ADDSDepartedUsersAccountAudit -SendMailMessage -SMTPServer $SMTPServer -UserName "" -Password (Read-Host -AsSecureString) -To "" -WildCardIdentifier "<StringToSearchFor>" -Verbose
        PS C:\> Get-ADDSDepartedUsersAccountAudit -FunctionApp $FunctionApp -Function $Function -SMTPServer $SMTPServer -UserName "" -To "" -WildCardIdentifier "<StringToSearchFor>" -Verbose
        PS C:\> Get-ADDSDepartedUsersAccountAudit -WinSCP -UserName "ftphostname.UserName" -Password (Read-Host -AsSecureString) -FTPHost "" -SshHostKeyFingerprint "<SShHostKeyFingerprint>" -WildCardIdentifier "<StringToSearchFor>" -Verbose
        PS C:\> Get-ADDSDepartedUsersAccountAudit -Clean -Verbose
    .PARAMETER LocalDisk
        Only output data to local disk.
    .PARAMETER SendMailMessage
        Adds parameters for sending Audit Report as an Email.
        Adds parameters for sending Audit Report via SFTP.
    .PARAMETER AttachmentFolderPath
        Default path is C:\temp\ADDSDepartedUsersAuditLogs.
        This is the folder where attachments are going to be saved.
    .PARAMETER FunctionApp
        Azure Function App Name.
    .PARAMETER Function
        Azure Function App's Function Name. Ex. "HttpTrigger1"
    .PARAMETER ApiToken
        Private Function Key.
        Defaults to Office 365 SMTP relay. Enter optional relay here.
        SMTP Port to Relay. Ports can be: "993", "995", "587", or "25"
    .PARAMETER UserName
        Specify the account with an active mailbox and MFA disabled.
        Ensure the account has delegated access for Send On Behalf for any
        UPN set in the "$From" Parameter
    .PARAMETER Password
        Use: (Read-Host -AsSecureString) as in Examples.
        May be omitted.
        Recipient of the attachment outputs.
        Defaults to the same account as $UserName unless the parameter is set.
        Ensure the Account has delegated access to send on behalf for the $From account.
    .PARAMETER WildCardIdentifier
        Name wildcard appended to user account.
    .PARAMETER Clean
        Remove installed modules during run. Remove local files if not a LocalDisk run.
        Can take password as input into secure string using (Read-Host -AsSecureString).

    [CmdletBinding(DefaultParameterSetName = 'LocalDisk' , HelpURI = "")]
    param (
            Mandatory = $true,
            ParameterSetName = 'LocalDisk',
            HelpMessage = 'Output to disk only',
            Position = 0
            Mandatory = $true,
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Send Mail to a relay',
            Position = 0
            Mandatory = $true,
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Send using SFTP via WinSCP Module',
            Position = 0,
            ValueFromPipelineByPropertyName = $true
            Mandatory = $true,
            ParameterSetName = 'FunctionApp',
            HelpMessage = 'Enter the FunctionApp name',
            Position = 0
            Mandatory = $true,
            ParameterSetName = 'FunctionApp',
            HelpMessage = 'Enter the FunctionApp Function name',
            ValueFromPipelineByPropertyName = $true,
            Position = 1
        [Parameter(ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Enter the SMTP hostname' ,
            ValueFromPipelineByPropertyName = $true
        [string]$SMTPServer = "",
        [Parameter(ParameterSetName = 'FunctionApp')]
        [Parameter(ParameterSetName = 'SendMailMessage')]
        [Parameter(ParameterSetName = 'WinSCP')]
            ParameterSetName = 'LocalDisk',
            HelpMessage = 'Enter output folder path',
            ValueFromPipeline = $true
        [string]$AttachmentFolderPath = "C:\temp\ADDSDepartedUsersAuditLogs",
        [Parameter(Mandatory = $true, ParameterSetName = 'WinSCP')]
        [Parameter(Mandatory = $true, ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            Mandatory = $true,
            HelpMessage = 'Enter the Sending Account UPN Ex:""',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'WinSCP', Mandatory = $true)]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Copy Paste the following: $Password = (Read-Host -AsSecureString)',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Enter the port n
                umber for the mail relay'
            ValueFromPipelineByPropertyName = $true
        [ValidateSet("993", "995", "587", "25")]
        [int]$Port = 587,
        [Parameter(Mandatory = $true, ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            Mandatory = $true,
            HelpMessage = 'Enter the recipient email address',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Enter the name of the sender',
            ValueFromPipelineByPropertyName = $true
        [string]$From = $UserName,
            Mandatory = $true,
            ParameterSetName = 'FunctionApp',
            HelpMessage = 'Enter output folder path',
            ValueFromPipelineByPropertyName = $true
            Mandatory = $true,
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Enter FTP HostName',
            ValueFromPipelineByPropertyName = $true
            Mandatory = $true,
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Enter SshHostKeyFingerprint like: "ecdsa-sha2-nistp256 256 <Key>" ',
            ValueFromPipelineByPropertyName = $true
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Enter ftp remote path "/path/" ',
            ValueFromPipelineByPropertyName = $true
        [string]$RemotePath = ("./" + $($MyInvocation.MyCommand.Name -replace '\..*')) ,
            Mandatory = $true,
            ParameterSetName = 'Clean',
            HelpMessage = 'Clean Modules and output path',
            Position = 0
        [Parameter(ParameterSetName = 'WinSCP', Mandatory = $true)]
        [Parameter(ParameterSetName = 'FunctionApp',Mandatory = $true)]
        [Parameter(ParameterSetName = 'SendMailMessage', Mandatory = $true)]
            Mandatory = $true,
            ParameterSetName = 'LocalDisk',
            HelpMessage = 'Name filter attached to users.',
            ValueFromPipelineByPropertyName = $true
    begin {
        $ScriptFunctionName = $MyInvocation.MyCommand.Name -replace '\..*'
        try {
            Initialize-AuditBeginBlock -AttachmentFolderPathBegin $AttachmentFolderPath -ScriptFunctionName $ScriptFunctionName -SendEmailMessageBegin $SendMailMessage -CleanBegin $Clean -ErrorVariable InitBeginErr -ErrorAction Stop
        catch {
            Write-TSLog "End Block last error for log: "
            Write-TSLog -LogError -LogErrorVar InitBeginErr

    process {
        if (!($Clean)) {
            # Add Datetime to filename
            $csvFileName = "$AttachmentFolderPath\$((Get-Date).ToString(''))_$($ScriptFunctionName)_$($env:USERDNSDOMAIN)"
            # Create FileNames
            $csv = "$csvFileName.csv"
            $zip = "$"
            Write-TSLog "Searching for users appended with:`"$WildCardIdentifier`" in Active Directory."
            # Audit Script with export to csv and zip.
            # Get ad user with Name String Filter
            $WildCardIdentifierstring = '*' + $WildCardIdentifier + '*'
                Get-aduser -Filter { Name -like $WildCardIdentifierstring } -Properties `
                samaccountname,GivenName, Surname, UserPrincipalName,lastlogontimestamp, DistinguishedName, `
                Title, Enabled, Description, Manager, Department -OutVariable ADExport | Out-Null
            $Export = @()

            foreach ($accountItem in $ADExport) {
                $Export += [ADAuditAccount]::new(

            try {
                Export-AuditCSVtoZip -Exportobject $Export -csv $csv -zip $zip -ErrorAction Stop -ErrorVariable ExportAuditCSVZipErr
            catch {
                Write-TSLog -LogErrorEnd -LogErrorVar $ExportAuditCSVZipErr
                throw $ExportAuditCSVZipErr
        } # End if (!($Clean)) {...}
    } # End process region
    End {
        try {
            Initialize-AuditEndBlock -SendEmailMessageEnd $SendMailMessage -WinSCPEnd $WinSCP -FTPHostend $FTPHost -SshHostKeyFingerprintEnd $SshHostKeyFingerprint -SmtpServerEnd $SMTPServer -PortEnd $Port -UserNameEnd $UserName -FromEnd $From -ToEnd $To `
                -AttachmentFolderPathEnd $AttachmentFolderPath -Password $Password -FunctionEnd $function -FunctionAppEnd $FunctionApp `
                -ApiTokenEnd $ApiToken -ZipEnd $zip -RemotePathEnd $RemotePath -LocalDiskEnd $LocalDisk -CleanEnd $Clean -ErrorVariable InitEndErr
        catch {
            Write-TSLog "End Block last error for log: "
            Write-TSLog -LogError
        # Clear Variables
        Clear-Variable -Name "Function", "FunctionApp", "ApiToken"
function Get-ADDSPrivilegedAccountAudit {
        Active Directory Audit with Keyvault retrieval option.
        Audit's Active Directory for priviledged users and groups, and extended rights.
        Output can be kept locally, or sent remotely via email or sftp.
        Function App is the same as SendEmail except that it uses a password retrieved using the related Function App.
        The related function app would need to be created.
        Expects SecureString and Key as inputs to function app parameter set.
        PS C:\> Get-ADDSPrivilegedAccountAudit -LocalDisk -Verbose
        PS C:\> Get-ADDSPrivilegedAccountAudit -SendMailMessage -SMTPServer $SMTPServer -UserName "" -Password (Read-Host -AsSecureString) -To "" -Verbose
        PS C:\> Get-ADDSPrivilegedAccountAudit -FunctionApp $FunctionApp -Function $Function -SMTPServer $SMTPServer -UserName "" -To "" -Verbose
        PS C:\> Get-ADDSPrivilegedAccountAudit -WinSCP -UserName "ftphostname.UserName" -Password (Read-Host -AsSecureString) -FTPHost "" -SshHostKeyFingerprint "<SShHostKeyFingerprint>" -Verbose
        PS C:\> Get-ADDSPrivilegedAccountAudit -Clean -Verbose
    .PARAMETER LocalDisk
        Only output data to local disk.
    .PARAMETER SendMailMessage
        Adds parameters for sending Audit Report as an Email.
        Adds parameters for sending Audit Report via SFTP.
    .PARAMETER AttachmentFolderPath
        Default path is C:\temp\ADDSPrivilegedAccountAuditLogs.
        This is the folder where attachments are going to be saved.
    .PARAMETER FunctionApp
        Azure Function App Name.
    .PARAMETER Function
        Azure Function App's Function Name. Ex. "HttpTrigger1"
    .PARAMETER ApiToken
        Private Function Key.
        Defaults to Office 365 SMTP relay. Enter optional relay here.
        SMTP Port to Relay. Ports can be: "993", "995", "587", or "25"
    .PARAMETER UserName
        Specify the account with an active mailbox and MFA disabled.
        Ensure the account has delegated access for Send On Behalf for any
        UPN set in the "$From" Parameter
    .PARAMETER Password
        Use: (Read-Host -AsSecureString) as in Examples.
        May be omitted.
        Recipient of the attachment outputs.
        Defaults to the same account as $UserName unless the parameter is set.
        Ensure the Account has delegated access to send on behalf for the $From account.
        SFTP Hostname.
    .PARAMETER RemotePath
        Remove FTP path. Will be created in the user path under functionname folder if not specified.
    .PARAMETER SshHostKeyFingerprint
        Adds parameters for sending Audit Report via SFTP.
    .PARAMETER Clean
        Remove installed modules during run. Remove local files if not a LocalDisk run.
        Can take password as input into secure string using (Read-Host -AsSecureString).

    [CmdletBinding(DefaultParameterSetName = 'LocalDisk' , HelpURI = "")]
    param (
            Mandatory = $true,
            ParameterSetName = 'LocalDisk',
            HelpMessage = 'Output to disk only',
            Position = 0
            Mandatory = $true,
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Send Mail to a relay',
            Position = 0
            Mandatory = $true,
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Send using SFTP via WinSCP Module',
            Position = 0,
            ValueFromPipelineByPropertyName = $true
            Mandatory = $true,
            ParameterSetName = 'FunctionApp',
            HelpMessage = 'Enter the FunctionApp name',
            Position = 0
            Mandatory = $true,
            ParameterSetName = 'FunctionApp',
            HelpMessage = 'Enter the FunctionApp Function name',
            ValueFromPipelineByPropertyName = $true,
            Position = 1
        [Parameter(ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Enter the SMTP hostname' ,
            ValueFromPipelineByPropertyName = $true
        [string]$SMTPServer = "",
        [Parameter(ParameterSetName = 'FunctionApp')]
        [Parameter(ParameterSetName = 'SendMailMessage')]
        [Parameter(ParameterSetName = 'WinSCP')]
            ParameterSetName = 'LocalDisk',
            HelpMessage = 'Enter output folder path',
            ValueFromPipeline = $true
        [string]$AttachmentFolderPath = "C:\temp\ADDSPrivilegedAccountAuditLogs",
        [Parameter(Mandatory = $true, ParameterSetName = 'WinSCP')]
        [Parameter(Mandatory = $true, ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            Mandatory = $true,
            HelpMessage = 'Enter the Sending Account UPN or FTP Username if using WinSCP. Ex:"" or "ftphost.helpdesk"',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'WinSCP', Mandatory = $true)]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Copy Paste the following: $Password = (Read-Host -AsSecureString)',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Enter the port number for the mail relay',
            ValueFromPipelineByPropertyName = $true
        [ValidateSet("993", "995", "587", "25")]
        [int]$Port = 587,
        [Parameter(Mandatory = $true, ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            Mandatory = $true,
            HelpMessage = 'Enter the recipient email address',
            ValueFromPipelineByPropertyName = $true
        [Parameter(ParameterSetName = 'FunctionApp')]
            ParameterSetName = 'SendMailMessage',
            HelpMessage = 'Enter the name of the sender',
            ValueFromPipelineByPropertyName = $true
        [string]$From = $UserName,
            Mandatory = $true,
            ParameterSetName = 'FunctionApp',
            HelpMessage = 'Enter output folder path',
            ValueFromPipelineByPropertyName = $true
            Mandatory = $true,
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Enter FTP HostName',
            ValueFromPipelineByPropertyName = $true
            Mandatory = $true,
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Enter SshHostKeyFingerprint like: "ecdsa-sha2-nistp256 256 <Key>" ',
            ValueFromPipelineByPropertyName = $true
            ParameterSetName = 'WinSCP',
            HelpMessage = 'Enter ftp remote path "/path/" ',
            ValueFromPipelineByPropertyName = $true
        [string]$RemotePath = ("./" + $($MyInvocation.MyCommand.Name -replace '\..*')) ,
            Mandatory = $true,
            ParameterSetName = 'Clean',
            HelpMessage = 'Clean Modules and output path',
            Position = 0
    begin {
        $ScriptFunctionName = $MyInvocation.MyCommand.Name -replace '\..*'
        try {
            Initialize-AuditBeginBlock -AttachmentFolderPathBegin $AttachmentFolderPath -ScriptFunctionName $ScriptFunctionName -SendEmailMessageBegin $SendMailMessage -CleanBegin $Clean -ErrorVariable InitBeginErr -ErrorAction Stop
        catch {
            Write-TSLog "End Block last error for log: "
            Write-TSLog -LogError -LogErrorVar InitBeginErr

    } # End begin
    process {
        if (!($Clean)) {
            $csvFileName = "$AttachmentFolderPath\$((Get-Date).ToString(''))_$($ScriptFunctionName)_$($env:USERDNSDOMAIN)"
            # Create FileNames
            $csv = "$csvFileName.csv"
            $zip = "$"
            # AD Privileged Groups Array
            $AD_PrivilegedGroups = @(
                'Enterprise Admins',
                'Schema Admins',
                'Domain Admins',
                'Cert Publishers',
                'Account Operators',
                'Server Operators',
                'Backup Operators',
                'Print Operators',
                'DHCP Administrators'
            # Time Variables
            $time90 = (Get-Date).Adddays( - (90))
            $time60 = (Get-Date).Adddays( - (60))
            $time30 = (Get-Date).Adddays( - (30))
            # Create Arrays
            $members = @()
            $ADUsers = @()
            foreach ($group in $AD_PrivilegedGroups) {
                Clear-Variable GroupMember -ErrorAction SilentlyContinue
                Get-ADGroupMember -Identity $group -Recursive -OutVariable GroupMember | Out-Null
                $GroupMember | Select-Object SamAccountName, Name, ObjectClass, `
                @{N = 'PriviledgedGroup'; E = { $group } }, `
                @{N = 'Enabled'; E = { (Get-ADUser -Identity $_.samaccountname).Enabled } }, `
                @{N = "LastSign-in"; E = { [DateTime]::FromFileTime((Get-ADUser -Identity $_.samaccountname -Properties lastLogonTimestamp).lastLogonTimestamp) } }, `
                @{N = 'LastSeen?'; E = {
                        switch ([DateTime]::FromFileTime((Get-ADUser -Identity $_.samaccountname -Properties lastLogonTimestamp).lastLogonTimestamp)) {
                            # Over 90 Days
                            { ($_ -lt $time90) } { '3+ months'; break }
                            # Over 60 Days
                            { ($_ -lt $time60) } { '2+ months'; break }
                            # Over 90 Days
                            { ($_ -lt $time30) } { '1+ month'; break }
                            default { 'Recently' }
                }, `
                @{N = 'OrgUnit'; E = { $_.DistinguishedName -replace '^.*?,(?=[A-Z]{2}=)' } }, `
                @{N = 'GroupMemberships'; E = { Get-ADGroupMemberof -SamAccountName $_.samaccountname } }, `
                    Title, `
                @{N = 'Manager'; E = { (Get-ADUser -Identity $_.manager).Name } }, `
                    Department, "AccessRequired?", "NeedMailbox?" -OutVariable members | Out-Null
                $ADUsers += $members
            $Export = @()
            # Create $Export Object
            foreach ($User in $ADUsers) {
                new-object -TypeName PSCustomObject -Property @{
                    SamAccountName    = $User.SamAccountName
                    Name              = $User.Name
                    PriviledgedGroup  = $User.PriviledgedGroup
                    Enabled           = $User.Enabled
                    "LastSign-in"     = $User."LastSign-in"
                    "LastSeen?"       = $User."LastSeen?"
                    Title             = $User.Title
                    Manager           = $User.Manager
                    Department        = $User.Department
                    OrgUnit           = $User.OrgUnit
                    "AccessRequired?" = $User."AccessRequired?"
                    "NeedMailbox?"    = $User."NeedMailbox?"
                    ObjectClass       = $User.ObjectClass
                    GroupMemberships  = $User.GroupMemberships
                } -OutVariable PSObject | Out-Null
                $Export += $PSObject
            # Create filenames
            $csv2 = $csv -replace ".csv", ".ExtendedPermissions.csv"
            $zip2 = $zip -replace ".zip", ""
            # Get PDC
            $dc = (Get-ADDomainController -Discover -DomainName $env:USERDNSDOMAIN -Service PrimaryDC).Name
            # Get DN of AD Root.
            $rootou = (Get-ADRootDSE).defaultNamingContext
            # Get ad objects from the PDC for the root ou. #TODO Check
            $Allobjects = Get-ADObject -Server $dc -Searchbase $rootou -SearchScope subtree -LDAPFilter `
            "(&(objectclass=user)(objectcategory=person))" -Properties ntSecurityDescriptor -ResultSetSize $null
            # "(|(objectClass=domain)(objectClass=organizationalUnit)(objectClass=group)(sAMAccountType=805306368)(objectCategory=Computer)(&(objectclass=user)(objectcategory=person)))"
            # Create $Export2 Object
            $Export2 = Foreach ($ADObject in $Allobjects) {
                Get-AdExtendedRight $ADObject
            # Try first export.
            Export-AuditCSVtoZip -Exported $Export -CSVName $csv -ZipName $zip -ErrorVariable ExportAuditCSVZipErr
            # Try second export.
            Export-AuditCSVtoZip -Exported $Export2 -CSVName $csv2 -ZipName $zip2 -ErrorVariable ExportAuditCSVZipErr2
        } # End If
    } # End process
    End {

        try {
            Initialize-AuditEndBlock -SendEmailMessageEnd $SendMailMessage -WinSCPEnd $WinSCP -FTPHostend $FTPHost -SshHostKeyFingerprintEnd $SshHostKeyFingerprint -SmtpServerEnd $SMTPServer -PortEnd $Port -UserNameEnd $UserName -FromEnd $From -ToEnd $To `
                -AttachmentFolderPathEnd $AttachmentFolderPath -Password $Password -FunctionEnd $function -FunctionAppEnd $FunctionApp `
                -ApiTokenEnd $ApiToken -ZipEnd $zip, $zip2 -RemotePathEnd $RemotePath -LocalDiskEnd $LocalDisk -CleanEnd $Clean -ErrorVariable InitEndErr
        catch {
            Write-TSLog "End Block last error for log: "
            Write-TSLog -LogError
        # Clear Variables
        Clear-Variable -Name "Function", "FunctionApp", "ApiToken"
    } # End end
function Get-ADUsersLastLogon {
    Takes SamAccountName as input to retrieve most recent LastLogon from all DC's.
    Takes SamAccountName as input to retrieve most recent LastLogon from all DC's and output as DateTime.
    Get-ADUsersLastLogon -SamAccountName "UserName"
    .PARAMETER SamAccountName
    The SamAccountName of the user being checked for LastLogon.

    [CmdletBinding(HelpURI = "")]
    param (
            Mandatory = $true,
            HelpMessage = 'Enter the SamAccountName',
            ValueFromPipeline = $true
    process {
        $dcs = Get-ADDomainController -Filter { Name -like "*" }
        $user = Get-ADUser -Identity $SamAccountName
        $time = 0
        $dt = @()
        foreach ($dc in $dcs) {
            $hostname = $dc.HostName
            $usertime = $user | Get-ADObject -Server $hostname -Properties lastLogon
            if ($usertime.LastLogon -gt $time) {
                $time = $usertime.LastLogon
            $dt += [DateTime]::FromFileTime($time)
        return ($dt | Sort-Object -Descending)[0]
#EndRegion '.\Public\Get-ADUsersLastLogon.ps1' 39