In Infra

Active Directory Health Check continuation

No Comments

Howdy,

Some time ago I have started new series regarding Active Directory Health Check.

Today I’d like to bring the memories in and continue this topic.

Script Run

The idea didn’t change and all the time we are going to use a Get-Audit script that will run all child scripts from the Scripts catalog.

In order to run the master script run the following line

.\Get-ADAudit.ps1 -AuditPath C:\Audit

As you can see there is only one parameter AuditPath which is the location for output files.

Scripts

Updated script package is available here: ADhealthCheck

Below you can find scripts that are a part of the package update:

  • Get-AccountsWithNeverExpirePasswords.ps1 – Listing all accounts with PasswordNeverExpires flag set to true
  • Get-ADFSMO.ps1 – self explanatory πŸ™‚
  • Get-ADLevels.ps1 – same as above
  • Get-AuthenticationPolicyDetails.ps1 – checking if there are any AuthenticationPolicies configured and listing most important properties. If you want to see everything remove | select-object Name, Enforce, UserTGTLifetimeMins from the code
  • Get-DHCPDetails.ps1 – checkign if there are any authorised DHCP servers within the environment
  • Get-ImportantAccountsDetails.ps1 – checking ‘Important accounts’ with main focus on:
    • Users with AdminCount flag set to 1
    • Users with PrimaryGroup not set to Domain Users
    • Users with old password (3 times longer that maximum configured for AD)
    • Users with SidHistory enabled
    • Users configured with fine grained password policy
    • and other interesting πŸ™‚
  • Get-NotSensitivePrivilegedUsers.ps1 – checking if members of specific grouops are set with flag AccountNotDelegated configured.
  • Get-PasswordPolicies.ps1 – Listing all password policies including Domain Policy and FGPP
  • Get-Pre200GroupMembers.ps1 – Checking if there are any users in the Pre-Windows 2000 group members group
  • Get-PrivilegedGroupsMembership.ps1 – Checking membership in more than 40 high privileged groups
  • Get-PSOwithPasswordLenghtBelow8.ps1 – Checking if there are PSO objects that allows password lenght less than 8 characters
  • Get-SPNDetails.ps1 – Listing all Service Principal Names configured in the AD
  • Get-SPNDuplicatesDetails.ps1 – checking if there are any Service Principal Name duplicates
  • Get-UsersWithAdminCount.ps1 – checkign if there are users with AdminCount flag set to 1

Script Usage

Script Run

After the script run you can find output files under the location that you have provided:

Script outputs

Conclusion

As you may notice some of the scripts are ‘the obvious ones’ but the idea was to have such a repo to create all required outputs for the next step which will be a Power BI report to visualize the situation.
Stay tuned for the next part related to Power Bi.

Author

Related Posts

Comments are closed.