{"id":531428,"date":"2025-09-24T09:55:02","date_gmt":"2025-09-24T09:55:02","guid":{"rendered":"https:\/\/www.ninjaone.com\/?post_type=script_hub&p=531428"},"modified":"2025-09-24T09:55:02","modified_gmt":"2025-09-24T09:55:02","slug":"creer-une-nouvelle-alerte-utilisateur-avec-powershell","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/fr\/script-hub\/creer-une-nouvelle-alerte-utilisateur-avec-powershell\/","title":{"rendered":"Comment cr\u00e9er une nouvelle alerte utilisateur avec PowerShell"},"content":{"rendered":"

Le contr\u00f4le de la cr\u00e9ation de nouveaux comptes utilisateur<\/strong> est un aspect fondamental du maintien d’un environnement informatique s\u00e9curis\u00e9. Que vous prot\u00e9giez un domaine Active Directory<\/a> d’entreprise ou que vous g\u00e9riez des postes de travail autonomes, la d\u00e9tection de la cr\u00e9ation d’utilisateurs non autoris\u00e9s ou inattendus peut s’av\u00e9rer essentielle pour pr\u00e9venir les menaces internes, les erreurs de configuration ou m\u00eame les violations externes. Cet article explore une solution bas\u00e9e sur PowerShell con\u00e7ue pour alerter les professionnels de l’informatique lorsque de nouveaux comptes utilisateurs sont cr\u00e9\u00e9s dans un d\u00e9lai donn\u00e9, en fournissant une int\u00e9gration optimale avec NinjaOne pour une visibilit\u00e9 centralis\u00e9e.<\/p>\n

Contexte<\/h2>\n

Dans les environnements d’entreprise, les administrateurs informatiques et les fournisseurs de services g\u00e9r\u00e9s (MSP) ont souvent du mal \u00e0 suivre chaque changement de compte, en particulier dans les infrastructures hybrides. Des acteurs malveillants peuvent cr\u00e9er de nouveaux comptes en guise de portes d\u00e9rob\u00e9es, ou des changements l\u00e9gitimes peuvent passer inaper\u00e7us, laissant des failles de s\u00e9curit\u00e9. Windows offre des possibilit\u00e9s d’audit par le biais des journaux d’\u00e9v\u00e9nements<\/a> et d’Active Directory, mais l’extraction et l’utilisation de ces donn\u00e9es par programme n’est pas triviale.<\/p>\n

Ce script PowerShell r\u00e9sout ce probl\u00e8me en automatisant la d\u00e9tection des nouveaux comptes utilisateurs et en poussant \u00e9ventuellement les donn\u00e9es d’alerte dans un champ personnalis\u00e9 multiligne de NinjaOne. Il prend en charge \u00e0 la fois les contr\u00f4leurs de domaine<\/a> (DC) et les syst\u00e8mes autonomes, ce qui le rend adaptable \u00e0 divers environnements Windows. Ce script est un script PowerShell avanc\u00e9 d’alerte pour les nouveaux utilisateurs et un outil de conformit\u00e9 fiable pour l’audit et la surveillance.<\/p>\n

Le script<\/h2>\n
#Requires -Version 5.1\r\n\r\n<#\r\n.SYNOPSIS\r\n    Finds and alerts on new user accounts created within a specified time frame, measured in minutes. If ran on a domain controller, it will use Active Directory to find new users, otherwise it will use the event log to find new users.\r\n.DESCRIPTION\r\n    This script finds and alerts on new user accounts created within a specified time frame, measured in minutes.\r\n    It can be used to monitor user creation activity in an Active Directory environment or an individual system.\r\n\r\n    On a domain controller, it retrieves new users from Active Directory. If the Active Directory Recycle Bin is enabled, it will also retrieve deleted users that were created within the specified time frame.\r\n    On an individual system, it retrieves new users from the event log. The event log will not retain these events indefinitely.\r\n\r\n    When running on an individual system, it checks if auditing is enabled for User Account Management.\r\n    If auditing is not enabled, the following will need to be run in an elevated PowerShell\/cmd session:\r\n    auditpol.exe \/set \/subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} \/success:enable\r\n    This will enable auditing for user account management events, including user creation required to track new user creation events.\r\nBy using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n    Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n\r\n.PARAMETER TimeFrameInMinutes\r\n    The time frame in minutes to check for new users.\r\n    Minimum value is 5 minutes.\r\n    Maximum value is 525600 minutes (1 year).\r\n.PARAMETER MultilineCustomFieldName\r\n    The name of the multiline custom field to set with the new user information.\r\n    This field will be populated with the names and creation times of the new users.\r\n\r\n.EXAMPLE\r\n    -TimeFrameInMinutes 10000 -MultilineCustomFieldName \"Multiline\"\r\n\r\n    This example checks for new users created within the last 10000 minutes and sets the multiline custom field \"Multiline\" with the user information.\r\n    Example output:\r\n    [Alert] New users created within the last 10000 minutes:\r\n    [Alert] Username: test, Full Name: test test, Created On: 05\/20\/2025 13:13:35\r\n    [Alert] Username: anewaccount, Full Name: Another New Account, Created On: 05\/20\/2025 15:01:10\r\n\r\n    [Info] Attempting to set Custom Field 'Multiline'.\r\n    [Info] Successfully set Custom Field 'Multiline'!\r\n\r\n.EXAMPLE\r\n    -TimeFrameInMinutes 2440\r\n\r\n    This example checks for new users created within the last 1440 minutes (24 hours).\r\n    Example output:\r\n    [Alert] New users created within the last 1440 minutes:\r\n    [Alert] Username: test, Full Name: test test, Created On: 05\/20\/2025 13:13:35\r\n    [Alert] Username: anewaccount, Full Name: Another New Account, Created On: 05\/20\/2025 15:01:10\r\n\r\n.NOTES\r\n    Minimum OS Architecture Supported: Windows 10, Windows Server 2016\r\n    Release Notes: Initial release\r\n#>\r\n\r\n[CmdletBinding()]\r\nparam (\r\n    $TimeFrameInMinutes,\r\n    [string]$MultilineCustomFieldName\r\n)\r\n\r\nbegin {\r\n    # Import the script variables\r\n    if ($env:timeFrameInMinutes) { $TimeFrameInMinutes = $env:timeFrameInMinutes }\r\n    if ($env:multilineCustomFieldName) { $MultilineCustomFieldName = $env:multilineCustomFieldName }\r\n\r\n    function Test-IsElevated {\r\n        [CmdletBinding()]\r\n        param ()\r\n\r\n        # Get the current Windows identity of the user running the script\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n\r\n        # Create a WindowsPrincipal object based on the current identity\r\n        $p = New-Object System.Security.Principal.WindowsPrincipal($id)\r\n\r\n        # Check if the current user is in the Administrator role\r\n        # The function returns $True if the user has administrative privileges, $False otherwise\r\n        # 544 is the value for the Built In Administrators role\r\n        # Reference: https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/system.security.principal.windowsbuiltinrole\r\n        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]'544')\r\n    }\r\n\r\n    function Test-IsDomainJoined {\r\n        # Check the PowerShell version to determine the appropriate cmdlet to use\r\n        try {\r\n            if ($PSVersionTable.PSVersion.Major -lt 3) {\r\n                return $(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain\r\n            }\r\n            else {\r\n                return $(Get-CimInstance -Class Win32_ComputerSystem).PartOfDomain\r\n            }\r\n        }\r\n        catch {\r\n            Write-Host -Object \"[Error] Unable to validate whether or not this device is a part of a domain.\"\r\n            Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n            exit 1\r\n        }\r\n    }\r\n\r\n    function Test-IsDomainController {\r\n        # Determine the method to retrieve the operating system information based on PowerShell version\r\n        try {\r\n            $OS = if ($PSVersionTable.PSVersion.Major -lt 3) {\r\n                Get-WmiObject -Class Win32_OperatingSystem -ErrorAction Stop\r\n            }\r\n            else {\r\n                Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop\r\n            }\r\n        }\r\n        catch {\r\n            Write-Host -Object \"[Error] Unable to validate whether or not this device is a domain controller.\"\r\n            Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n            exit 1\r\n        }\r\n\r\n        # Check if the ProductType is \"2\", which indicates that the system is a domain controller\r\n        if ($OS.ProductType -eq \"2\") {\r\n            return $true\r\n        }\r\n    }\r\n\r\n    function Set-NinjaPropertyValue {\r\n        [CmdletBinding()]\r\n        Param(\r\n            [Parameter(Mandatory = $True)]\r\n            [String]$Name,\r\n            [Parameter(Mandatory = $True, ValueFromPipeline = $True)]\r\n            $Value,\r\n            [Parameter()]\r\n            [String]$Type,\r\n            [Parameter()]\r\n            [String]$DocumentName,\r\n            [Parameter()]\r\n            [Switch]$Piped\r\n        )\r\n\r\n        if ($Type -eq \"Date Time\") { $Type = \"DateTime\" }\r\n        if ($Type -match \"[-]\") { $Type = $Type -replace '-' }\r\n        if ($Type -match \"[\/]\") { $Type = $Type -replace '\/' }\r\n\r\n        # Remove the non-breaking space character\r\n        if ($Type -eq \"WYSIWYG\") {\r\n            $Value = $Value -replace '\u00a0', '&nbsp;'\r\n        }\r\n\r\n        if ($Type -eq \"DateTime\" -or $Type -eq \"Date\") {\r\n            $Type = \"Date or Date Time\"\r\n        }\r\n\r\n        # Measure the number of characters in the provided value\r\n        $Characters = $Value | ConvertTo-Json | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n\r\n        # Throw an error if the value exceeds the character limit of 200,000 characters\r\n        if ($Piped -and $Characters -ge 200000) {\r\n            throw [System.ArgumentOutOfRangeException]::New(\"Character limit exceeded: the value is greater than or equal to 200,000 characters.\")\r\n        }\r\n\r\n        if (!$Piped -and $Characters -ge 45000) {\r\n            throw [System.ArgumentOutOfRangeException]::New(\"Character limit exceeded: the value is greater than or equal to 45,000 characters.\")\r\n        }\r\n\r\n        # Initialize a hashtable for additional documentation parameters\r\n        $DocumentationParams = @{}\r\n\r\n        # If a document name is provided, add it to the documentation parameters\r\n        if ($DocumentName) { $DocumentationParams[\"DocumentName\"] = $DocumentName }\r\n\r\n        # Define a list of valid field types\r\n        $ValidFields = \"Checkbox\", \"Date\", \"Date or Date Time\", \"DateTime\", \"Decimal\", \"Dropdown\", \"Email\", \"Integer\", \"IP Address\", \"MultiLine\",\r\n        \"MultiSelect\", \"Phone\", \"Secure\", \"Text\", \"Time\", \"URL\", \"WYSIWYG\"\r\n\r\n        # Warn the user if the provided type is not valid\r\n        if ($Type -and $ValidFields -notcontains $Type) { Write-Warning \"$Type is an invalid type. Please check here for valid types: https:\/\/ninjarmm.zendesk.com\/hc\/en-us\/articles\/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality\" }\r\n\r\n        # Define types that require options to be retrieved\r\n        $NeedsOptions = \"Dropdown\", \"MultiSelect\"\r\n\r\n        # If the property is being set in a document or field and the type needs options, retrieve them\r\n        if ($DocumentName) {\r\n            if ($NeedsOptions -contains $Type) {\r\n                $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1\r\n            }\r\n        }\r\n        else {\r\n            if ($NeedsOptions -contains $Type) {\r\n                $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1\r\n            }\r\n        }\r\n\r\n        # Throw an error if there was an issue retrieving the property options\r\n        if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }\r\n\r\n        # Process the property value based on its type\r\n        switch ($Type) {\r\n            \"Checkbox\" {\r\n                # Convert the value to a boolean for Checkbox type\r\n                $NinjaValue = [System.Convert]::ToBoolean($Value)\r\n            }\r\n            \"Date or Date Time\" {\r\n                # Convert the value to a Unix timestamp for Date or Date Time type\r\n                $Date = (Get-Date $Value).ToUniversalTime()\r\n                $TimeSpan = New-TimeSpan (Get-Date \"1970-01-01 00:00:00\") $Date\r\n                [long]$NinjaValue = $TimeSpan.TotalSeconds\r\n            }\r\n            \"Dropdown\" {\r\n                # Convert the dropdown value to its corresponding GUID\r\n                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header \"GUID\", \"Name\"\r\n                $Selection = $Options | Where-Object { $_.Name -eq $Value } | Select-Object -ExpandProperty GUID\r\n\r\n                # Throw an error if the value is not present in the dropdown options\r\n                if (!($Selection)) {\r\n                    throw [System.ArgumentOutOfRangeException]::New(\"Value is not present in dropdown options.\")\r\n                }\r\n\r\n                $NinjaValue = $Selection\r\n            }\r\n            \"MultiSelect\" {\r\n                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header \"GUID\", \"Name\"\r\n                $Selections = New-Object System.Collections.Generic.List[String]\r\n                if ($Value -match \"[,]\") {\r\n                    $Value = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }\r\n                }\r\n\r\n                $Value | ForEach-Object {\r\n                    $GivenValue = $_\r\n                    $Selection = $Options | Where-Object { $_.Name -eq $GivenValue } | Select-Object -ExpandProperty GUID\r\n\r\n                    # Throw an error if the value is not present in the dropdown options\r\n                    if (!($Selection)) {\r\n                        throw [System.ArgumentOutOfRangeException]::New(\"Value is not present in dropdown options.\")\r\n                    }\r\n\r\n                    $Selections.Add($Selection)\r\n                }\r\n\r\n                $NinjaValue = $Selections -join \",\"\r\n            }\r\n            \"Time\" {\r\n                # Convert the value to a Unix timestamp for Date or Date Time type\r\n                $LocalTime = (Get-Date $Value)\r\n                $LocalTimeZone = [TimeZoneInfo]::Local\r\n                $UtcTime = [TimeZoneInfo]::ConvertTimeToUtc($LocalTime, $LocalTimeZone)\r\n\r\n                [long]$NinjaValue = ($UtcTime.TimeOfDay).TotalSeconds\r\n            }\r\n            default {\r\n                # For other types, use the value as is\r\n                $NinjaValue = $Value\r\n            }\r\n        }\r\n\r\n        # Set the property value in the document if a document name is provided\r\n        if ($DocumentName) {\r\n            $CustomField = Ninja-Property-Docs-Set -AttributeName $Name -AttributeValue $NinjaValue @DocumentationParams 2>&1\r\n        }\r\n        else {\r\n            try {\r\n                # Otherwise, set the standard property value\r\n                if ($Piped) {\r\n                    $CustomField = $NinjaValue | Ninja-Property-Set-Piped -Name $Name 2>&1\r\n                }\r\n                else {\r\n                    $CustomField = Ninja-Property-Set -Name $Name -Value $NinjaValue 2>&1\r\n                }\r\n            }\r\n            catch {\r\n                throw $_.Exception.Message\r\n            }\r\n        }\r\n\r\n        # Throw an error if setting the property failed\r\n        if ($CustomField.Exception) {\r\n            throw $CustomField\r\n        }\r\n    }\r\n\r\n    function Get-OSVersion {\r\n        # Get the OS version information\r\n        return [System.Environment]::OSVersion.Version\r\n    }\r\n\r\n    function Test-IsSystem {\r\n        [CmdletBinding()]\r\n        param ()\r\n\r\n        # Get the current Windows identity of the user running the script\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n\r\n        # Check if the current identity's name matches \"NT AUTHORITY*\"\r\n        # or if the identity represents the SYSTEM account\r\n        return $id.Name -like \"NT AUTHORITY*\" -or $id.IsSystem\r\n    }\r\n\r\n    # If time frame in minutes exists, validate that it is an integer\r\n    # If it does not exist, error out because it is required\r\n    if (-not [string]::IsNullOrWhiteSpace($TimeFrameInMinutes)) {\r\n        # Convert the value to an integer\r\n        try {\r\n            $TimeFrameInMinutes = [int]$TimeFrameInMinutes\r\n        }\r\n        catch {\r\n            Write-Host -Object \"[Error] Error while converting the value for 'Time Frame In Minutes' to an integer:\"\r\n            Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n            Write-Host -Object \"[Error] The value for 'Time Frame In Minutes' must be an integer between 5 and 525600.\"\r\n            exit 1\r\n        }\r\n\r\n        # Validate the TimeFrameInMinutes is within the valid range\r\n        if ($TimeFrameInMinutes -lt 5 -or $TimeFrameInMinutes -gt 525600) {\r\n            Write-Host -Object \"[Error] An invalid value was provided for 'Time Frame In Minutes': '$TimeFrameInMinutes'\"\r\n            Write-Host -Object \"[Error] The value for 'Time Frame In Minutes' must be an integer between 5 and 525600.\"\r\n            exit 1\r\n        }\r\n    }\r\n    else {\r\n        Write-Host -Object \"[Error] The value for 'Time Frame In Minutes' is required and must be provided.\"\r\n        exit 1\r\n    }\r\n\r\n    # Validate the custom field name if it exists\r\n    if ($MultilineCustomFieldName) {\r\n        # Error if the custom field name is empty\r\n        if ([string]::IsNullOrWhiteSpace($MultilineCustomFieldName)) {\r\n            Write-Host -Object \"[Error] The value for 'Multiline Custom Field Name' cannot be empty.\"\r\n            exit 1\r\n        }\r\n\r\n        # Trim whitespace from the custom field name\r\n        $MultilineCustomFieldName = $MultilineCustomFieldName.Trim()\r\n\r\n        # Validate that the field name contains only alphanumeric characters\r\n        if ($MultilineCustomFieldName -match \"[^0-9A-Z]\") {\r\n            Write-Host -Object \"[Error] The 'Multiline Custom Field Name' of '$MultilineCustomFieldName' is invalid as it contains invalid characters.\"\r\n            Write-Host -Object \"[Error] Please provide a valid multiline custom field name to save the results, or leave it blank.\"\r\n            Write-Host -Object \"[Error] https:\/\/ninjarmm.zendesk.com\/hc\/en-us\/articles\/360060920631-Custom-Field-Setup\"\r\n            exit 1\r\n        }\r\n    }\r\n\r\n    # Get the OS version information\r\n    try {\r\n        $osVersion = Get-OSVersion -ErrorAction Stop\r\n    }\r\n    catch {\r\n        Write-Host -Object \"[Error] Failed to retrieve the OS version information.\"\r\n        Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n        exit 1\r\n    }\r\n\r\n    # Check if the OS version is supported\r\n    if ($osVersion.Major -lt 10 -or ($osVersion.Major -eq 10 -and $osVersion.Build -lt 14393)) {\r\n        Write-Host -Object \"[Error] This script requires Windows 10 or Windows Server 2016 or later.\"\r\n        exit 1\r\n    }\r\n\r\n}\r\nprocess {\r\n    # Check if the script is running with administrative privileges\r\n    if (-not (Test-IsElevated)) {\r\n        Write-Host -Object \"[Error] This script requires administrative privileges. Please run as an administrator.\"\r\n        exit 1\r\n    }\r\n\r\n    # Error if not running as system\r\n    if (-not (Test-IsSystem)) {\r\n        Write-Host -Object \"[Error] This script must be run as the SYSTEM account. Please run as the SYSTEM account.\"\r\n        exit 1\r\n    }\r\n\r\n    $ExitCode = 0\r\n\r\n    # Get the current date and time\r\n    try {\r\n        $currentDateTime = Get-Date -ErrorAction Stop\r\n    }\r\n    catch {\r\n        Write-Host -Object \"[Error] Failed to retrieve the current date and time.\"\r\n        Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n        exit 1\r\n    }\r\n\r\n    try {\r\n        # Calculate the start date and time based on the specified time frame\r\n        $startDateTime = $currentDateTime.AddMinutes(-$TimeFrameInMinutes)\r\n    }\r\n    catch {\r\n        Write-Host -Object \"[Error] Failed to calculate the start date and time.\"\r\n        Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n        exit 1\r\n    }\r\n\r\n    # Get the list of new users created within the specified time frame\r\n    # If host is a DC, get new users from Active Directory\r\n    # Otherwise, get new users from the event log\r\n    if (Test-IsDomainController) {\r\n        Write-Host -Object \"`n[Info] This host is a domain controller. Checking for new users in Active Directory created within the last $TimeFrameInMinutes minutes.\"\r\n\r\n        $IsDomainController = $true\r\n\r\n        # Initialize a list to hold new users\r\n        $newUsers = [System.Collections.Generic.List[PSCustomObject]]::new()\r\n\r\n        # Check if the AD Recycle Bin is enabled\r\n        try {\r\n            $ADRecycleBinEnabled = (Get-ADOptionalFeature -Filter { Name -eq \"Recycle Bin Feature\" } -ErrorAction Stop).FeatureScope\r\n        }\r\n        catch {\r\n            Write-Host -Object \"[Error] Failed to check if the AD Recycle Bin is enabled.\"\r\n            Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n            exit 1\r\n        }\r\n\r\n        if (-not $ADRecycleBinEnabled) {\r\n            Write-Host -Object \"[Warning] The Active Directory Recycle Bin is not enabled. Deleted users cannot be tracked until the Recycle Bin is enabled. This may lead to less accurate results.\"\r\n        }\r\n        else {\r\n            try {\r\n                # If the Recycle Bin is enabled, try to find deleted users created within the time frame\r\n                $deletedADUsers = Get-ADObject -Filter {\r\n                    ObjectClass -eq \"User\" -and\r\n                    ObjectClass -ne \"Computer\" -and\r\n                    IsDeleted -eq $TRUE -and\r\n                    WhenCreated -ge $startDateTime\r\n                } -Properties SamAccountName, WhenCreated -IncludeDeletedObjects -ErrorAction Stop\r\n\r\n                # Format the deleted users to include only the necessary properties and add a status property\r\n                $deletedADUsers = $deletedADUsers | Select-Object Name,\r\n                SamAccountName,\r\n                @{\r\n                    Name       = \"WhenCreated\"\r\n                    Expression = { $_.WhenCreated.ToShortDateString() + \" \" + $_.WhenCreated.ToLongTimeString() }\r\n                },\r\n                @{\r\n                    Name       = \"Status\"\r\n                    Expression = { \"Deleted\" }\r\n                }\r\n            }\r\n            catch {\r\n                Write-Host -Object \"[Error] Failed to retrieve deleted users from Active Directory.\"\r\n                Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n                exit 1\r\n            }\r\n        }\r\n\r\n        try {\r\n            # Find new users in AD created within the time frame\r\n            $newUsersInAD = Get-ADUser -Filter { WhenCreated -ge $startDateTime } -Properties WhenCreated -ErrorAction Stop\r\n\r\n            # Format new users in AD to include only the necessary properties and add a status property\r\n            $newUsersInAD = $newUsersInAD | Select-Object Name,\r\n            SamAccountName,\r\n            @{\r\n                Name       = \"WhenCreated\";\r\n                Expression = { $_.WhenCreated.ToShortDateString() + \" \" + $_.WhenCreated.ToLongTimeString() }\r\n            },\r\n            @{\r\n                Name       = \"Status\";\r\n                Expression = {\r\n                    if ($_.Enabled) {\r\n                        \"Enabled\"\r\n                    }\r\n                    else {\r\n                        \"Disabled\"\r\n                    }\r\n                }\r\n            }\r\n        }\r\n        catch {\r\n            Write-Host -Object \"[Error] Failed to retrieve users from Active Directory.\"\r\n            Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n            exit 1\r\n        }\r\n\r\n        # Add each new user in AD to the list of new users\r\n        foreach ($user in $newUsersInAD) {\r\n            $newUsers.Add($user)\r\n        }\r\n\r\n        # Add each deleted AD user that was created within the time frame to the list of new users\r\n        foreach ($user in $deletedADUsers) {\r\n            # Modify the name of the user to only include the first line before adding it to the list\r\n            $user.Name = $user.Name -split \"`n\" | Select-Object -First 1\r\n            $newUsers.Add($user)\r\n        }\r\n    }\r\n    else {\r\n        Write-Host -Object \"`n[Info] Checking for new local users created within the last $TimeFrameInMinutes minutes in the event log.\"\r\n\r\n        # Warn if domain-joined that only local users will be included\r\n        if (Test-IsDomainJoined) {\r\n            Write-Host -Object \"`n[Warning] This host is domain-joined but not a domain controller. Only local users will be included in the results.\"\r\n            Write-Host -Object \"[Warning] Please run this script on a domain controller if you'd like to alert on domain user accounts.\"\r\n        }\r\n\r\n        # Check if user account creation auditing is enabled\r\n        $AuditPolicy = (Get-ItemProperty HKLM:\\Security\\Policy\\PolAdtEv\\ -ErrorAction SilentlyContinue).\"(default)\"\r\n\r\n        if ($AuditPolicy) {\r\n            # If enabled, the value of this should be 1 (success only) or 3 (success and failure)\r\n            $UserCreationAuditingValue = $AuditPolicy[102]\r\n\r\n            if ($UserCreationAuditingValue -ne 1 -and $UserCreationAuditingValue -ne 3) {\r\n                Write-Host -Object \"[Error] Auditing is not enabled for User Account Management. Please enable it to track new user creation events.\"\r\n                Write-Host -Object \"[Info] After auditing is enabled, only new user creation events after the change will be tracked.\"\r\n                Write-Host -Object \"[Info] To enable auditing, run the following command in an elevated PowerShell\/cmd session:\"\r\n                Write-Host -Object \"[Info] auditpol.exe \/set \/subcategory:'{0CCE9235-69AE-11D9-BED3-505054503030}' \/success:enable\"\r\n                exit 1\r\n            }\r\n        }\r\n        else {\r\n            Write-Host -Object \"[Error] Failed to check if auditing is enabled for User Account Management. This is usually due to the script not running as the SYSTEM account.\"\r\n            exit 1\r\n        }\r\n\r\n        # Get new users from the event log\r\n        # Event ID 4720 corresponds to \"A user account was created\"\r\n        $eventLog = @(Get-WinEvent -FilterHashtable @{LogName = \"Security\"; Id = 4720; StartTime = $startDateTime } -ErrorAction SilentlyContinue)\r\n\r\n        # Process each event log entry to extract the user information\r\n        $newUsers = foreach ($event in $eventLog) {\r\n            # Convert the event to an XML object\r\n            $eventXML = [xml]$event.ToXml()\r\n\r\n            # Extract the username from the XML\r\n            $userName = $eventXml.Event.EventData.Data | Where-Object { $_.Name -eq \"TargetUserName\" } | Select-Object -ExpandProperty '#text'\r\n\r\n            # If a username is found, attempt to retrieve the local user's full name from their username\r\n            # Otherwise, error and continue to the next event log entry\r\n            if ($userName) {\r\n                try {\r\n                    $localUser = Get-LocalUser -Name $UserName -ErrorAction Stop\r\n\r\n                    # Determine the status of the user account\r\n                    $status = if ($localUser.Enabled) { \"Enabled\" } else { \"Disabled\" }\r\n\r\n                    if (-not [string]::IsNullOrWhiteSpace($localUser.FullName)) {\r\n                        $fullName = $localUser.FullName\r\n                    }\r\n                    elseif (-not [string]::IsNullOrWhiteSpace($localUser.Name)) {\r\n                        $fullName = $localUser.Name\r\n                    }\r\n                    else {\r\n                        $fullName = \"Unknown\"\r\n                    }\r\n                }\r\n                catch [Microsoft.PowerShell.Commands.UserNotFoundException] {\r\n                    # If the user is not found, it may have been deleted or renamed, so set the status to \"No Longer Exists\"\r\n                    $fullName = \"Unknown\"\r\n                    $Status = \"No Longer Exists\"\r\n                }\r\n                catch {\r\n                    Write-Host -Object \"[Error] Unable to retrieve the full name of the user '$userName'.\"\r\n                    Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n                    $fullName = \"Unknown\"\r\n                    $Status = \"Unknown\"\r\n                    $ExitCode = 1\r\n                }\r\n\r\n                # Create a custom object with the user information\r\n                [PSCustomObject]@{\r\n                    UserName    = $userName\r\n                    Name        = $fullName\r\n                    Status      = $status\r\n                    WhenCreated = $event.TimeCreated.ToShortDateString() + \" \" + $event.TimeCreated.ToLongTimeString()\r\n                }\r\n            }\r\n            else {\r\n                Write-Host -Object \"[Error] Failed to extract the username from the event data.\"\r\n                $ExitCode = 1\r\n                continue\r\n            }\r\n        }\r\n    }\r\n\r\n    # If new users are found not from AD, filter out any duplicate users in the list, keeping the most recently created instance only\r\n    if ($newUsers.Count -gt 1 -and -not $IsDomainController) {\r\n        # Group the users by username and select the most recent entry for each group\r\n        $newUsers = $newUsers | Group-Object -Property UserName | ForEach-Object {\r\n            $_.Group | Sort-Object -Property WhenCreated -Descending | Select-Object -First 1\r\n        }\r\n    }\r\n\r\n    # Check if any new users were found\r\n    if ($newUsers) {\r\n        Write-Host -Object \"`n[Alert] New users have been created within the last $TimeFrameInMinutes minutes:`n\"\r\n\r\n        # Format the new users object for output, showing the Enabled accounts first, then the Disabled accounts\r\n        $newUsers = $newUsers | Sort-Object -Property { $_.Status -eq \"Enabled\"; $_.Status -eq \"Disabled\" }, WhenCreated -Descending | Select-Object @{\r\n            Name       = \"Username\"\r\n            Expression = { if ($IsDomainController) { $_.SamAccountName } else { $_.UserName } }\r\n        }, @{\r\n            Name       = \"Full Name\"\r\n            Expression = { $_.Name }\r\n        }, @{\r\n            Name       = \"Created On\"\r\n            Expression = { $_.WhenCreated }\r\n        }, Status\r\n\r\n        # Format it as a list and trim the whitespace\r\n        $newUsers = ($newUsers | Format-List | Out-String).Trim()\r\n\r\n        # Output to the activity feed\r\n        $newUsers | Out-Host\r\n    }\r\n    elseif ($MultilineCustomFieldName) {\r\n        Write-Host -Object \"[Info] No new users have been created within the last $TimeFrameInMinutes minutes. The custom field '$MultilineCustomFieldName' will not be modified.\"\r\n    }\r\n    else {\r\n        Write-Host -Object \"[Info] No new users have been created within the last $TimeFrameInMinutes minutes.\"\r\n    }\r\n\r\n    # Write to custom field if there are new users\r\n    if ($newUsers -and $MultilineCustomFieldName) {\r\n        try {\r\n            Write-Host -Object \"`n[Info] Attempting to set the custom field '$MultilineCustomFieldName'.\"\r\n\r\n            Set-NinjaPropertyValue -Name $MultilineCustomFieldName -Value $newUsers -Type \"MultiLine\"\r\n\r\n            Write-Host -Object \"[Info] Successfully set the custom field '$MultilineCustomFieldName'!\"\r\n        }\r\n        catch {\r\n            Write-Host -Object \"[Error] Error setting the custom field '$MultilineCustomFieldName'.\"\r\n            Write-Host -Object \"[Error] $($_.Exception.Message)\"\r\n            $ExitCode = 1\r\n        }\r\n    }\r\n\r\n    exit $ExitCode\r\n}\r\n\r\nend {\r\n    \r\n    \r\n    \r\n}<\/pre>\n
 <\/p>\n\n
Description d\u00e9taill\u00e9e<\/h2>\n
Voici comment fonctionne le script, divis\u00e9 en \u00e9tapes logiques :<\/p>\n
1. Validation des entr\u00e9es<\/h3>\n