Get-xOTP_Status.ps1
|
<#
.SYNOPSIS Shows SecureMFA.com OTP Status information. .DESCRIPTION Shows MFA status information. Dependencies: * System which executes a script must have Microsoft Framework 4.6.1 and above installed. * SecureMFA_SupportTools.dll file must be present in script directory. * SecureMFA_SupportTools.json configuration file must be present in script directory. Bellow is a sample of valid Json config file with minimal configuration required for script to work: { "sql_server": "asqlaol1.adatum.labnet", "sql_database": "SecureMfaOTP", "ui_input_text": "Please enter user's UPN", "ui_environment": "MyCompany", "data_encryption_passphrase": "d9GhT=7=Ox8-+LaZ" } .NOTES Version: 1.0.1.2 Author: SecureMfa.com Creation Date: 30/01/2021 Purpose/Change: Incorporated into module .EXAMPLE Get-xOTP_Status This command shows total number of OTP accounts with activation status. .EXAMPLE Get-xOTP_Status -upn user This command shows OTP account's details for the user. .EXAMPLE Get-xOTP_Status -show_all_users This command shows OTP accounts for all users. .EXAMPLE Get-xOTP_Status -show_pending_users This command shows last all OTP accounts which didn’t scan a QR code. .EXAMPLE Get-xOTP_Status -show_enabled_users This command shows all enabled OTP accounts. .EXAMPLE Get-xOTP_Status -show_disbaled_users This command shows all disabled OTP accounts. .EXAMPLE Get-xOTP_Status -show_locked_users This command shows all locked OTP accounts. .EXAMPLE Get-xOTP_Status -lastlogon This command shows last logons count for users by date. #> #> Function Get-xOTP_Status { Param ( [Parameter(Mandatory=$false,ParameterSetName="Default")] [String]$upn = $null, [Parameter(Mandatory=$false,ParameterSetName="Default")] [Switch]$show_all_users, [Parameter(Mandatory=$false,ParameterSetName="Default")] [Switch]$show_pending_users, [Parameter(Mandatory=$false,ParameterSetName="Default")] [Switch]$show_enabled_users, [Parameter(Mandatory=$false,ParameterSetName="Default")] [Switch]$show_disabled_users, [Parameter(Mandatory=$false,ParameterSetName="Default")] [Switch]$show_locked_users, [Parameter(Mandatory=$false,ParameterSetName="Default")] [Switch]$show_bypass_users, [Parameter(Mandatory=$false,ParameterSetName="Default")] [Switch]$lastlogons, [Parameter(Mandatory=$false,ParameterSetName="Default")] [Switch]$failedlogons ) DynamicParam { # create a dictionary to return, and collection of parameters $paramDictionary = New-Object -Type System.Management.Automation.RuntimeDefinedParameterDictionary $attributeCollection = New-Object -Type System.Collections.ObjectModel.Collection[System.Attribute] # create a new [string] parameter for all parameter sets, and decorate with a [ValidateSet] $dynParam = New-Object -Type System.Management.Automation.RuntimeDefinedParameter("Profile", [String], $attributeCollection) $attributes = New-Object System.Management.Automation.ParameterAttribute $fname = "Profiles.json" $paramOptions = New-Object System.Management.Automation.ValidateSetAttribute -ArgumentList (ConvertFrom-Json (Get-Content (join-path $PSScriptRoot $fname) -Raw)) $attributeCollection.Add($attributes) $attributeCollection.Add($paramOptions) $paramDictionary.Add("Profile", $dynParam) return $paramDictionary } Process { #Static Parameters $Event_Source = "SecureMFA_SupportTools" [Int16]$UserStatus = 0; #Checking Dependencies #EventLog source dependency $ErrMsg = "ResetOTP EventLog source is missing. Please execute following PS command 'New-EventLog -Source SecureMFA_SupportTools -LogName Application' on the system before using the app." if (((Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application).pschildname | where { $_ -eq $Event_Source} | measure).Count -eq 0) {write-host $ErrMsg -ForegroundColor red; pause; break} #Config file dependency if ( $PSBoundParameters.Keys.Contains("Profile") ) { $configfile = (Join-Path -Path $PSScriptRoot -ChildPath ($PSBoundParameters.Profile + '_SecureMFA_SupportTools.json')) } else {$configfile = (Join-Path -Path $PSScriptRoot -ChildPath SecureMFA_SupportTools.json)} #Test config file path. $ErrMsg = "$configfile file is missing. Please copy a file to script directory and try again." if (!(Test-Path $configfile)) { write-host $ErrMsg -ForegroundColor red; pause; break } #DLL file dependency $dllpath = (Join-Path -Path $PSScriptRoot -ChildPath SecureMFA_SupportTools.dll) $ErrMsg = "$configfile file is missing. Please copy a file to script directory and try again." if (!(Test-Path $dllpath)) { write-host $ErrMsg -ForegroundColor red; pause; break } #Read JSON file Configuration $json = Get-Content -Raw $configfile | ConvertFrom-Json $sqlinstance = $json.sqlserver $sqldbname = $json.sqldbname $sqlintegratedsecurity = $json.sqlintegratedsecurity $sqluseraccount = $json.sqluseraccount $sqluserpassword = $json.sqluserpassword $input_text = $json.ui_input_text $environment = $json.ui_environment $encryption_passphrase = $json.data_encryption_passphrase $auth_mode = ($json.auth_mode).toupper().Trim() $sqlConnectString = "server=" + $sqlinstance + ";initial catalog=" + $sqldbname + ";integrated security=" + $sqlintegratedsecurity + ";User ID=" + $sqluseraccount + ";Password=" + $sqluserpassword; #Get user's input if required write-host " --- Get OTP Status for $environment using auth mode: $auth_mode ---" -ForegroundColor Green Try { [System.Reflection.Assembly]::LoadFile($dllpath) | Out-Null if ($upn) { if ($upn.Length -le 1) {Do { $upn = read-host $input_text} while ($upn -eq "")} [bool]$ExistUser = $false; if($auth_mode -eq "AD") {$ExistUser = [SecureMFA_SupportTools.OTP]::isUserExistAD($upn, [ref] $UserStatus)} else {$ExistUser = [SecureMFA_SupportTools.OTP]::isUserExist($upn, $sqlConnectString, [ref] $UserStatus)} if ($ExistUser) { #$CodeList = [SecureMFA_SupportTools.OTP]::GetUserStatus($upn, $sqlConnectString,$env:username,$env:computername) if($auth_mode -eq "AD") {$CodeList = [SecureMFA_SupportTools.OTP]::GetUserStatusAD($upn,$env:username,$env:computername)} else {$CodeList = [SecureMFA_SupportTools.OTP]::GetUserStatus($upn, $sqlConnectString,$env:username,$env:computername)} $CodeList | % { switch($_.item3){ 0 {$UserStatusValue = "ACCOUNT: NOTUSED"} 1 {$UserStatusValue = "ACCOUNT: ENABLED"} 2 {$UserStatusValue = "ACCOUNT: DISABLED"} 3 {$UserStatusValue = "ACCOUNT: LOCKED"} 9 {$UserStatusValue = "ACCOUNT: BYPASS"} } write-host "INDEX:" $_.item1 "`nUPN:" $_.item2 "`n$UserStatusValue`nLASTLOGON:" $_.item4 "`nLOGONCOUNT:" $_.item5 "`nFAILEDLOGONCOUNT:" $_.item6 "`nDATA" $_.item7 -ForegroundColor Green} } else { write-host "User: [$upn] doesn’t exist in OTP database. " } } elseif ($show_all_users) { if($auth_mode -eq "AD") {$CodeList = [SecureMFA_SupportTools.OTP]::GetAllUsersAD($env:username,$env:computername)} else {$CodeList = [SecureMFA_SupportTools.OTP]::GetAllUsers($sqlConnectString,$env:username,$env:computername)} write-host "OTP All Users Total:" $CodeList.count $CodeList | % { switch($_.item3){ 0 {$UserStatusValue = "ACCOUNT: NOTUSED"} 1 {$UserStatusValue = "ACCOUNT: ENABLED"} 2 {$UserStatusValue = "ACCOUNT: DISABLED"} 3 {$UserStatusValue = "ACCOUNT: LOCKED"} 9 {$UserStatusValue = "ACCOUNT: BYPASS"} } write-host "$UserStatusValue `t:UPN:"$_.item2 -ForegroundColor Green} } elseif ($show_pending_users) { if($auth_mode -eq "AD") {$CodeList = [SecureMFA_SupportTools.OTP]::GetPendingUsersAD($env:username,$env:computername)} else {$CodeList = [SecureMFA_SupportTools.OTP]::GetPendingUsers($sqlConnectString,$env:username,$env:computername)} write-host "OTP Pending Users Total:" $CodeList.count $CodeList | % { switch($_.item3){ 0 {$UserStatusValue = "ACCOUNT: NOTUSED"} 1 {$UserStatusValue = "ACCOUNT: ENABLED"} 2 {$UserStatusValue = "ACCOUNT: DISABLED"} 3 {$UserStatusValue = "ACCOUNT: LOCKED"} 9 {$UserStatusValue = "ACCOUNT: BYPASS"} } write-host "$UserStatusValue `t:UPN:"$_.item2 -ForegroundColor Green} } elseif ($show_enabled_users) { if($auth_mode -eq "AD") {$CodeList = [SecureMFA_SupportTools.OTP]::GetEnabledUsersAD($env:username,$env:computername)} else {$CodeList = [SecureMFA_SupportTools.OTP]::GetEnabledUsers($sqlConnectString,$env:username,$env:computername)} write-host "OTP Enbaled Users Total:" $CodeList.count $CodeList | % { switch($_.item3){ 0 {$UserStatusValue = "ACCOUNT: NOTUSED"} 1 {$UserStatusValue = "ACCOUNT: ENABLED"} 2 {$UserStatusValue = "ACCOUNT: DISABLED"} 3 {$UserStatusValue = "ACCOUNT: LOCKED"} 9 {$UserStatusValue = "ACCOUNT: BYPASS"} } write-host "$UserStatusValue `t:UPN:"$_.item2 -ForegroundColor Green} } elseif ($show_disabled_users) { if($auth_mode -eq "AD") {$CodeList = [SecureMFA_SupportTools.OTP]::GetDisbaledUsersAD($env:username,$env:computername)} else {$CodeList = [SecureMFA_SupportTools.OTP]::GetDisbaledUsers($sqlConnectString,$env:username,$env:computername)} write-host "OTP Disbaled Users Total:" $CodeList.count $CodeList | % { switch($_.item3){ 0 {$UserStatusValue = "ACCOUNT: NOTUSED"} 1 {$UserStatusValue = "ACCOUNT: ENABLED"} 2 {$UserStatusValue = "ACCOUNT: DISABLED"} 3 {$UserStatusValue = "ACCOUNT: LOCKED"} 9 {$UserStatusValue = "ACCOUNT: BYPASS"} } write-host "$UserStatusValue `t:UPN:"$_.item2 -ForegroundColor Green} } elseif ($show_locked_users) { if($auth_mode -eq "AD") {$CodeList = [SecureMFA_SupportTools.OTP]::GetLockedUsersAD($env:username,$env:computername)} else {$CodeList = [SecureMFA_SupportTools.OTP]::GetLockedUsers($sqlConnectString,$env:username,$env:computername)} write-host "OTP Locked Users Total:" $CodeList.count $CodeList | % { switch($_.item3){ 0 {$UserStatusValue = "ACCOUNT: NOTUSED"} 1 {$UserStatusValue = "ACCOUNT: ENABLED"} 2 {$UserStatusValue = "ACCOUNT: DISABLED"} 3 {$UserStatusValue = "ACCOUNT: LOCKED"} 9 {$UserStatusValue = "ACCOUNT: BYPASS"} } write-host "$UserStatusValue `t:UPN:"$_.item2 -ForegroundColor Green} } elseif ($show_bypass_users) { if($auth_mode -eq "AD") {$CodeList = [SecureMFA_SupportTools.OTP]::GetBypassUsersAD($env:username,$env:computername)} else {$CodeList = [SecureMFA_SupportTools.OTP]::GetBypassUsers($sqlConnectString,$env:username,$env:computername)} write-host "OTP Bypass Users Total:" $CodeList.count $CodeList | % { switch($_.item3){ 0 {$UserStatusValue = "ACCOUNT: NOTUSED"} 1 {$UserStatusValue = "ACCOUNT: ENABLED"} 2 {$UserStatusValue = "ACCOUNT: DISABLED"} 3 {$UserStatusValue = "ACCOUNT: LOCKED"} 9 {$UserStatusValue = "ACCOUNT: BYPASS"} } write-host "$UserStatusValue `t:UPN:"$_.item2 -ForegroundColor Green} } elseif ($lastlogons) { if($auth_mode -eq "AD") { write-host "A parameter is not supported for AD auth mode." -ForegroundColor Yellow} else { $CodeList = [SecureMFA_SupportTools.OTP]::GetLogonStatus($sqlConnectString,$env:username,$env:computername) write-host "Last logons count for users by date" $CodeList | % { write-host "TOTAL:" $_.item2 " DATE:" $_.item3 -ForegroundColor Green } } } elseif ($failedlogons) { if($auth_mode -eq "AD") { write-host "A parameter is not supported for AD auth mode." -ForegroundColor Yellow} else { $CodeList = [SecureMFA_SupportTools.OTP]::GetFailedLogonStatus($sqlConnectString,$env:username,$env:computername) write-host "Failed logons count for users by date" $CodeList | % { write-host "TOTAL:" $_.item2 " DATE:" $_.item3 -ForegroundColor Green } } } else { if($auth_mode -eq "AD") {$CodeList = [SecureMFA_SupportTools.OTP]::GetStatusAD($env:username,$env:computername)} else {$CodeList = [SecureMFA_SupportTools.OTP]::GetStatus($upn, $sqlConnectString,$env:username,$env:computername)} $CodeList | % { switch($_.item2){ 0 {$UserStatusValue = "Display QR for users total: "} 1 {$UserStatusValue = "Enrolled users total: "} 2 {$UserStatusValue = "Disabled users total: "} 3 {$UserStatusValue = "Locked users total: "} 9 {$UserStatusValue = "Bypass login for users total: "} Default { $UserStatusValue = "Users with invalid status total: " } } write-host $UserStatusValue $_.item3 -ForegroundColor Green } } } #On error acction catch [System.Exception] { $completed = get-date $line = $_.InvocationInfo.ScriptLineNumber $msg = $_.Exception.Message Write-Host -ForegroundColor Red "Error: $msg" Write-EventLog –LogName Application –Source $Event_Source –EntryType Error –EventID 5559 –Message “$msg Executed by: $env:username Computer: $env:computername Line: $line” } } } |