PowerShell is a practical way to run fast Active Directory checks and triage common security signals. Below are 10 useful commands you can run in lab or admin environments.

Active Directory checks

# 1) Users with PasswordNeverExpires enabled
Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires |
  Select-Object Name, SamAccountName, PasswordNeverExpires

# 2) Inactive users (last logon older than 90 days)
# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# 14 days of lag, so treat the cut-off as approximate. Accounts that have never
# logged on have a null LastLogonDate; test for $null if you want them listed separately.
Get-ADUser -Filter * -Properties LastLogonDate |
  Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
  Select-Object Name, SamAccountName, LastLogonDate

# 3) Accounts locked out now
Search-ADAccount -LockedOut -UsersOnly |
  Select-Object Name, SamAccountName

# 4) Members of Domain Admins
# Get-ADGroupMember lists direct members only; add -Recursive to expand nested groups.
Get-ADGroupMember "Domain Admins" |
  Select-Object Name, SamAccountName, objectClass

# 5) AD users with no manager field
Get-ADUser -Filter * -Properties Manager |
  Where-Object { -not $_.Manager } |
  Select-Object Name, SamAccountName
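The five checks above each look at one attribute in isolation. The script below, an added example rather than code from the original post, combines them into a single report of privileged accounts: it expands group membership recursively, then records for each member whether the password never expires, when it was last set, and whether the account is stale or has never logged on. It assumes the ActiveDirectory module (RSAT) is loaded and that the session can read the domain; the group list, the 90-day threshold and the output path are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) is available and the session has read access to the domain.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param(
        # Assumed group list; extend with any custom admin groups in your domain.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $seen = @{}   # keyed by distinguishedName so an account in several groups appears once

    foreach ($group in $Groups) {
        # -Recursive expands nested groups; direct membership alone misses accounts
        # that are privileged only through a group-in-group chain.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            if ($seen.ContainsKey($m.distinguishedName)) {
                $seen[$m.distinguishedName].Groups += $group
                continue
            }
            $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled

            $seen[$m.distinguishedName] = [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                Groups               = @($group)
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate
                # A null LastLogonDate means no replicated logon at all (lastLogonTimestamp
                # lags up to 14 days); keep that distinct from "stale".
                NeverLoggedOn        = ($null -eq $u.LastLogonDate)
                Stale                = ($null -ne $u.LastLogonDate -and $u.LastLogonDate -lt $cutoff)
            }
        }
    }

    $seen.Values | ForEach-Object {
        $_.Groups = ($_.Groups | Sort-Object -Unique) -join ';'
        $_
    }
}

# Usage: full report to CSV, plus the rows that warrant a closer look.
$report = Get-PrivilegedAccountReport
$report | Export-Csv -Path '.\privileged-accounts.csv' -NoTypeInformation   # assumed output path
$report | Where-Object { $_.PasswordNeverExpires -or $_.Stale -or $_.NeverLoggedOn } |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, Enabled, Groups, PasswordNeverExpires, PasswordLastSet, LastLogonDate -AutoSize
```

Filtering to `objectClass -eq 'user'` drops computer and group objects that a recursive expansion returns; foreign security principals in the built-in Administrators group are skipped silently by the `-ErrorAction` setting, so review that group in the console as well if it matters in your forest.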

Basic incident triage commands

# 6) Recent account lockout events (Event ID 4740)
# Reading the Security log requires an elevated session.
Get-WinEvent -FilterHashtable @{
  LogName='Security'
  Id=4740
  StartTime=(Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, Message -First 30

# 7) Recent successful logons (Event ID 4624)
Get-WinEvent -FilterHashtable @{
  LogName='Security'
  Id=4624
  StartTime=(Get-Date).AddHours(-12)
} | Select-Object TimeCreated, Id, Message -First 30

# 8) Running processes sorted by CPU
Get-Process | Sort-Object CPU -Descending |
  Select-Object -First 15 Name, Id, CPU, WS

# 9) Established network connections
# Add OwningProcess to the Select-Object list to map each connection to its PID.
Get-NetTCPConnection -State Established |
  Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State

# 10) Recently modified files in a path
Get-ChildItem "C:\Temp" -Recurse -File |
  Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } |
  Select-Object FullName, LastWriteTime
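Commands 6 and 7 return the raw Message text, which is hard to aggregate across thirty or more events. The script below, an added example that is not part of the original post, parses 4624 and 4740 events by the named fields in their XML (`LogonType`, `IpAddress`, `TargetUserName`), then summarises logons by type and source address and lockouts by the computer that triggered them. The sample event XML embedded in it is constructed so the parser can be exercised offline; the `-Live` switch, the time window and the sample names and addresses are assumptions.

```powershell
# Added example, not from the original post. Run with -Live to read the real
# Security log (elevated session required); without it, constructed sample
# events are parsed so the summaries can be checked offline.
param([switch]$Live)

function ConvertFrom-SecurityEventXml {
    # Turns one event's XML into an object whose Data hashtable is keyed by the
    # EventData field names, so no Message text scraping is needed.
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $e = ([xml]$Xml).Event
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $idNode = $e.System.EventID
        $id = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }
        [pscustomobject]@{
            TimeCreated = [datetime]$e.System.TimeCreated.SystemTime
            Id          = $id
            Data        = $data
        }
    }
}

function Get-LogonSummary {
    # 4624 counts per (LogonType, IpAddress) with the accounts seen. Types of note:
    # 2 interactive, 3 network, 4 batch, 5 service, 7 unlock, 10 remote interactive.
    param([Parameter(ValueFromPipeline)]$Event)
    begin { $rows = @() }
    process { if ($Event.Id -eq 4624) { $rows += $Event } }
    end {
        $rows | Group-Object { $_.Data.LogonType }, { $_.Data.IpAddress } | ForEach-Object {
            [pscustomobject]@{
                LogonType = $_.Group[0].Data.LogonType
                IpAddress = $_.Group[0].Data.IpAddress
                Count     = $_.Count
                Accounts  = ($_.Group | ForEach-Object { $_.Data.TargetUserName } | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Count -Descending
    }
}

function Get-LockoutSummary {
    # On 4740 the locked account is TargetUserName and the "Caller Computer Name"
    # is carried in the TargetDomainName field.
    param([Parameter(ValueFromPipeline)]$Event)
    begin { $rows = @() }
    process { if ($Event.Id -eq 4740) { $rows += $Event } }
    end {
        $rows | Group-Object { $_.Data.TargetUserName }, { $_.Data.TargetDomainName } | ForEach-Object {
            [pscustomobject]@{
                Account        = $_.Group[0].Data.TargetUserName
                CallerComputer = $_.Group[0].Data.TargetDomainName
                Count          = $_.Count
                LastSeen       = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
            }
        }
    }
}

# Constructed sample events (names and addresses are made up for the example).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sampleXml = @(
    "<Event xmlns='$ns'><System><EventID>4624</EventID><TimeCreated SystemTime='2024-05-01T08:00:00.000Z'/></System><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='LogonType'>3</Data><Data Name='IpAddress'>10.0.0.5</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4624</EventID><TimeCreated SystemTime='2024-05-01T08:02:00.000Z'/></System><EventData><Data Name='TargetUserName'>asmith</Data><Data Name='LogonType'>3</Data><Data Name='IpAddress'>10.0.0.5</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4624</EventID><TimeCreated SystemTime='2024-05-01T08:05:00.000Z'/></System><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='LogonType'>10</Data><Data Name='IpAddress'>203.0.113.7</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4740</EventID><TimeCreated SystemTime='2024-05-01T08:10:00.000Z'/></System><EventData><Data Name='TargetUserName'>svc-backup</Data><Data Name='TargetDomainName'>WS-FINANCE-02</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4740</EventID><TimeCreated SystemTime='2024-05-01T08:12:00.000Z'/></System><EventData><Data Name='TargetUserName'>svc-backup</Data><Data Name='TargetDomainName'>WS-FINANCE-02</Data></EventData></Event>"
)

$events = if ($Live) {
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4740; StartTime=(Get-Date).AddHours(-12) } |
        ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml
} else {
    $sampleXml | ConvertFrom-SecurityEventXml
}

$events | Get-LogonSummary   | Format-Table -AutoSize
$events | Get-LockoutSummary | Format-Table -AutoSize
```

With the sample data the logon summary shows two network (type 3) logons from 10.0.0.5 and one remote interactive (type 10) logon from 203.0.113.7, and the lockout summary shows svc-backup locked twice from WS-FINANCE-02; a repeated lockout from one workstation usually points at a stale cached credential or scheduled task on that host, which is the first place to look before widening the search.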

Note: Run commands only where authorized, and validate outputs in a non-production context first.

By Nizar