Active Directory Audit Report With Powershell

Not too long ago I wrote a quick post on how easy it is to gather information from AD. As a case-in-point example I provided a script to gather all the disabled user accounts which are still assigned Lync IDs. In this post I take it one step further and provide a full-blown Active Directory reporting script which can be run with any non-privileged domain user account.

Features

To create the output I repurposed my server asset reporting script. This means several output methods are baked right in.

  • Report Containers/Types
  • Documentation – Currently the only format for this type of report. This returns all data gathered in the report.
  • HTML Templates
    • DynamicGrid – A heavily modified CSS layout
    • EmailFriendly – A basic layout
  • Saved Report Layout
    • Individual – Each asset saves as its own file
    • One big report – Only a single report will be generated no matter which option you choose.
  • Saved Report File Format
    • HTML
    • PDF
  • Email Reports (HTML only)
  • Export all data to individual worksheets within Excel

Aside from the report, three diagrams will also be created when this script is run: one for domain trusts, another for site replication connections, and a third for site adjacencies. By default the diagram source text file and a PNG file will be created in the directory from which you run the script.

To actually generate the diagrams you will need Graphviz's dot.exe executable, which can be downloaded and installed here. Alternatively, here is a portable version of the application you can try. All you need is for the dot.exe file to run correctly to generate your diagram. You may have to modify this script to use the appropriate path to the executable if you use the portable version of Graphviz.

(If you don’t care about the diagrams either comment out the code or ignore the errors as it tries to run dot.exe)
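As an added example (not the script from the post), here is how the trust diagram step can be done in PowerShell with a configurable dot.exe path, so a portable Graphviz install works and a missing dot.exe produces a clear warning instead of a stream of errors. The $Trusts list is constructed sample data, and the property names on it are assumptions; the mapping of trust direction to arrow direction is an illustrative choice.

```powershell
# Added example: render a domain-trust diagram with Graphviz.
# Adjust $GraphvizPath for a portable install (the path below is an assumption).
$GraphvizPath = 'C:\Program Files\Graphviz\bin\dot.exe'

# Constructed sample trust data; property names are assumptions for this example.
$Trusts = @(
    [pscustomobject]@{ Domain = 'corp.example.com'; TrustedDomain = 'dev.example.com';     Direction = 'Bidirectional'; TrustType = 'ParentChild' }
    [pscustomobject]@{ Domain = 'corp.example.com'; TrustedDomain = 'partner.example.net'; Direction = 'Outbound';      TrustType = 'External' }
)

function New-TrustDotSource {
    # Builds the Graphviz DOT source text for a list of trust objects.
    param([Parameter(Mandatory)][object[]]$Trusts)
    $lines = @('digraph trusts {', '  rankdir=LR;', '  node [shape=box];')
    foreach ($t in $Trusts) {
        # Arrow direction mirrors the trust direction (illustrative mapping).
        $dir = switch ($t.Direction) {
            'Bidirectional' { 'dir=both' }
            'Inbound'       { 'dir=back' }
            default         { 'dir=forward' }
        }
        # Node IDs are quoted because domain names contain dots.
        $lines += ('  "{0}" -> "{1}" [label="{2}", {3}];' -f $t.Domain, $t.TrustedDomain, $t.TrustType, $dir)
    }
    $lines += '}'
    $lines -join "`n"
}

function Export-TrustDiagram {
    # Writes the .dot source, then calls dot.exe to produce a PNG next to it.
    param(
        [Parameter(Mandatory)][object[]]$Trusts,
        [string]$DotPath    = $GraphvizPath,
        [string]$OutputBase = (Join-Path (Get-Location) 'ADTrusts')
    )
    $dotFile = "$OutputBase.dot"
    $pngFile = "$OutputBase.png"
    New-TrustDotSource -Trusts $Trusts | Set-Content -Path $dotFile -Encoding ASCII

    if (-not (Test-Path -LiteralPath $DotPath)) {
        # The source file is still useful: it can be rendered later on a machine that has Graphviz.
        Write-Warning "dot.exe not found at '$DotPath'; wrote $dotFile only. Set `$GraphvizPath to your Graphviz install."
        return $dotFile
    }
    & $DotPath -Tpng -o $pngFile $dotFile
    if ($LASTEXITCODE -ne 0) { throw "dot.exe exited with code $LASTEXITCODE while rendering $dotFile" }
    return $pngFile
}

Export-TrustDiagram -Trusts $Trusts
```

The same pattern (build DOT text, write it, run dot.exe) covers the site replication and site adjacency diagrams; only the node and edge lists change.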

Report Data

I’ve included only items which can be gathered from Active Directory with a regular user account and without any special AD modules. This is what has been added thus far:

  • Forest Information
    • Forest Summary
      • Name/Functional Level
      • Domain/Site/DC/GC/Exchange/Lync/Pool counts
    • Forest Features
      • Tombstone Lifetime
      • Recycle Bin Enabled
      • Lync AD Container
    • Exchange Servers
      • Organization/Administrative Group/Name/Roles/Site
      • Serial/Product ID
    • Lync
      • Element (Server/Pool)
      • Type (Internal/Edge/Backend/Pool)
      • Name/FQDN
    • Site Information
      • Summary
        • Site Name/Location/Domains/DCs/Subnets
      • Details
        • Site Name/Options/ISTG/Links/Bridgeheads/Adjacencies
      • Subnets
        • Subnet/Site Name/Location
      • Site Connections
        • Enabled/Options/From/To
    • Domain Information
      • Domains
        • Name/NetBIOS/Functional Level/Forest Root/Assigned FSMO Roles
      • Domain Password Policies
        • Name/NetBIOS/Lockout Threshold/Pass History Length/Max Pass Age/Min Pass Age/Min Pass Length
      • Domain Controllers
        • Domain/Site/Name/OS/Time/IP/GC/FSMO Roles
      • Domain Trusts
        • Domain/Trusted Domain/Direction/Attributes/Trust Type/Created/Modified
      • Domain DFS Shares
        • Domain/Name/DN/Remote Server
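As an added example (not the post's script), the block below collects a subset of the report data listed above (forest summary, domains with FSMO roles, password policies, domain controllers and trusts) using only the .NET System.DirectoryServices classes, so it runs as a regular domain user on a domain-joined machine without the ActiveDirectory module. The CSV file names are an assumption; the "never expires" handling for maxPwdAge is the edge case that trips up naive conversions.

```powershell
# Added example: gather AD report data with .NET DirectoryServices only (no AD module).
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainPasswordPolicy {
    # Reads the password/lockout policy from the domain NC head with a base-scope search.
    # DirectorySearcher returns the age attributes as Int64 negative 100-ns intervals.
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectory.Domain]$Domain)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Domain.GetDirectoryEntry())
    $searcher.Filter      = '(objectClass=domainDNS)'
    $searcher.SearchScope = 'Base'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('maxPwdAge','minPwdAge','minPwdLength','pwdHistoryLength','lockoutThreshold'))
    $p = $searcher.FindOne().Properties
    $toDays = {
        param([int64]$ticks)
        # Int64.MinValue means "password never expires"; Abs() would overflow on it.
        if ($ticks -eq [int64]::MinValue) { return 'Never' }
        [math]::Round([math]::Abs($ticks) / 864000000000, 1)   # 100-ns units per day
    }
    [pscustomobject]@{
        Domain           = $Domain.Name
        LockoutThreshold = $p['lockoutthreshold'][0]
        PwdHistoryLength = $p['pwdhistorylength'][0]
        MinPwdLength     = $p['minpwdlength'][0]
        MaxPwdAgeDays    = & $toDays $p['maxpwdage'][0]
        MinPwdAgeDays    = & $toDays $p['minpwdage'][0]
    }
}

function Get-ADAuditData {
    # Returns an ordered hashtable of sections, each a list of objects ready for a table.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $report = [ordered]@{}

    $report.Forest = [pscustomobject]@{
        Name            = $forest.Name
        FunctionalLevel = [string]$forest.ForestMode
        Domains         = $forest.Domains.Count
        Sites           = $forest.Sites.Count
        GlobalCatalogs  = $forest.GlobalCatalogs.Count
        SchemaMaster    = $forest.SchemaRoleOwner.Name
        NamingMaster    = $forest.NamingRoleOwner.Name
    }

    $report.Domains = foreach ($d in $forest.Domains) {
        [pscustomobject]@{
            Name                 = $d.Name
            FunctionalLevel      = [string]$d.DomainMode
            IsForestRoot         = ($d.Name -eq $forest.RootDomain.Name)
            PdcEmulator          = $d.PdcRoleOwner.Name
            RidMaster            = $d.RidRoleOwner.Name
            InfrastructureMaster = $d.InfrastructureRoleOwner.Name
        }
    }

    $report.PasswordPolicies = foreach ($d in $forest.Domains) { Get-DomainPasswordPolicy -Domain $d }

    $report.DomainControllers = foreach ($d in $forest.Domains) {
        foreach ($dc in $d.DomainControllers) {
            [pscustomobject]@{
                Domain = $d.Name; Site = $dc.SiteName; Name = $dc.Name
                OS     = $dc.OSVersion; IP = $dc.IPAddress
                GC     = $dc.IsGlobalCatalog(); FSMORoles = ($dc.Roles -join ',')
            }
        }
    }

    $report.Trusts = foreach ($d in $forest.Domains) {
        foreach ($t in $d.GetAllTrustRelationships()) {
            [pscustomobject]@{
                Domain = $t.SourceName; TrustedDomain = $t.TargetName
                Direction = [string]$t.TrustDirection; TrustType = [string]$t.TrustType
            }
        }
    }
    return $report
}

$data = Get-ADAuditData
$data.Forest           | Format-List
$data.PasswordPolicies | Format-Table -AutoSize
# One CSV per section (assumed file names), the plain-file equivalent of one worksheet per section.
foreach ($section in $data.Keys) {
    $data[$section] | Export-Csv -NoTypeInformation -Path ".\AD-$section.csv"
}
```

Everything here is readable by any authenticated domain user by default, which is exactly why the password policy and trust sections are worth reviewing from a defender's point of view: the same data is available to any compromised low-privilege account.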

Screenshots

Here are some screenshots of the reports and diagrams which can be created:

Screenshots (images not reproduced in this text): DCs, Domains, Forest Summary, Lync, Site Connections, Site Subnets, Trusts (two views).

Downloads

You can download the script from the technet galleries.

Comments (21)

  1. sergio monge, 11:04 PM, 10/24/2017

    Hello,

    I'm sure this is a rookie mistake, but I'm getting this error when trying to run it

    Get-ADGroupMember : A positional parameter cannot be found that accepts argument ‘OU=Security’.
    At line:1 char:1
    + Get-ADGroupMember “CN=SG-WSUS-PROD,”OU=Security Groups”,OU=Groups,DC= …

    any advice will be welcome

  2. Keenan Buck, 4:43 AM, 04/01/2017

    Great script. Thank you, but I'm having the same problems with generating the diagrams even though I have installed the full version of Graphviz. Any help greatly appreciated.

  3. Jack Chuong, 3:52 AM, 11/12/2015

    Hi Zachary, thanks for your script.
    So I can run New-ADAssetReportGUI.ps1, then it will call New-ADAssetReport.ps1?
    Your script has 12 parameters in total?
    Please give me an example of running your script with parameters by PowerShell.
    I don't have Lync in my environment; what should I do to exclude Lync from the report?
    About the diagrams, I saved GVEditPortable-Install-2.26.3.1.exe as dot.exe and edited $Graphviz_Path in New-ADAssetReport.ps1; is that enough?

    • Zachary Loeber, 5:26 PM, 02/20/2016

      Lots of questions. I’d just use the GUI to create your report and skip the parameters. Lync is detected (loosely) based on what is found in AD and is not something that is optional (nor would it make sense to be in my opinion).

  4. Andrew Fitzgerald, 10:50 AM, 06/29/2015

    Thanks for sharing this tool. This will come in very useful for when I'm working with clients, especially with any AD health checks that I may work on. I will add your script to my recommended AD scripts: http://www.networkangel.net/active-directory-health-check-tools

    • Zachary Loeber, 8:28 PM, 06/30/2015

      I’m glad you like it Andrew. I’m honored to have it added to your list as well!

  5. Floyd, 12:42 PM, 03/27/2015

    Hi Zachary,

    I greatly appreciate all of your hard work on this script. Just curious if you have released any additional updates to Active Directory Audit Report With Powershell?

    • Zachary Loeber, 12:53 PM, 05/20/2015

      Not yet, sorry. I just uploaded to github so I’ll start cleanup soon!

  6. Tarun, 5:41 AM, 11/14/2014

    Hey, great work, Zach. I successfully ran the script and got the results. This is really helpful!!

  7. Carlo, 8:39 AM, 05/15/2014

    Hello,
    I would like to receive these reports by email but it doesn't work. I modified the SMTP server, sender, recipient and subject but I never receive any mails. Any idea?

    Thanks!

  8. Ron, 10:19 AM, 02/26/2014

    Hi Zachary,

    I love the script and it helps a lot. I'm using it to report information to the admin team. I want to be able to send it to the management team also, but they don't need all the details. Is there a way to choose what sections you want in the report at run time?
    Thanks again,
    Ron

    • Zachary Loeber, 12:06 PM, 02/26/2014

      Ron,

      The reports actually have a high level of customization, but it takes a bit of effort (I've yet to get a GUI created for the task). You need to modify the appropriate report definition variable directly in the script. Aside from the general option variables, you can also modify the $ADForestReport and $ADDomainReport variables to include/exclude or tweak the output of any section. You can disable or enable any section by changing the 'Enabled' = $true lines for each of the sections listed in the definition variable.

      Glad you dig the script and are able to get value from it in your environment!

      Zach
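As an added example (not the script's real $ADForestReport or $ADDomainReport definitions), here is a minimal report definition in the same spirit, per-section 'Enabled' flags, plus a function that overrides those flags at run time and renders only the enabled sections. This is one way to produce a trimmed management report and a full admin report from one definition. The section names, titles and data rows are constructed for illustration.

```powershell
# Added example: a section definition with 'Enabled' flags and run-time include/exclude.
# Section names and the sample data in each Data scriptblock are constructed.
$ReportDefinition = @{
    'ForestSummary'     = @{ Enabled = $true;  Title = 'Forest Summary'
                             Data = { [pscustomobject]@{ Name = 'corp.example.com'; Level = 'Windows2012Forest' } } }
    'PasswordPolicies'  = @{ Enabled = $true;  Title = 'Password Policies'
                             Data = { [pscustomobject]@{ Domain = 'corp.example.com'; MinPwdLength = 14; LockoutThreshold = 5 } } }
    'DomainControllers' = @{ Enabled = $false; Title = 'Domain Controllers'
                             Data = { [pscustomobject]@{ Name = 'DC01'; Site = 'HQ'; GC = $true } } }
}

function New-SectionReport {
    # Renders the enabled sections as HTML. -Include turns a section on for this run,
    # -Exclude turns one off; the definition itself is not modified.
    param(
        [hashtable]$Definition = $ReportDefinition,
        [string[]]$Include = @(),
        [string[]]$Exclude = @()
    )
    $enabled = $Definition.Keys | Where-Object {
        $on = [bool]$Definition[$_].Enabled
        if ($Include -contains $_) { $on = $true }
        if ($Exclude -contains $_) { $on = $false }   # exclude wins if both are given
        $on
    } | Sort-Object

    $body = foreach ($name in $enabled) {
        $section = $Definition[$name]
        # Each Data scriptblock yields the rows; ConvertTo-Html -Fragment makes a bare <table>.
        "<h2>$($section.Title)</h2>`n" + ((& $section.Data) | ConvertTo-Html -Fragment | Out-String)
    }
    ConvertTo-Html -Title 'AD Audit Report' -Body ($body -join "`n")
}

# Management copy without the policy details; admin copy with every section turned on.
New-SectionReport -Exclude 'PasswordPolicies'  | Set-Content -Path '.\ADReport-Management.html'
New-SectionReport -Include 'DomainControllers' | Set-Content -Path '.\ADReport-Admin.html'
```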

  9. matt, 6:21 AM, 01/09/2014

    Hi Zachary,

    Awesome script, though how do I produce a report? (Currently learning, so a bit stuck.)

    Cheers

    Matt

    • Zachary Loeber, 9:30 AM, 01/09/2014

      Copy the script to a domain-joined system, open a PowerShell prompt as administrator, run set-executionpolicy remotesigned, then ./new-adauditreport.ps1 should be all you need to do for the most part.

  10. Stefanie, 6:30 AM, 11/13/2013

    Hey, great work! I had a similar idea but more geared to troubleshooting and not so fancy on the diagrams. I've had some trouble getting it to work though: I filled in the path of dot.exe, it generates PNGs but they are empty. I first tried it on a 2012 DC and got a LOT of errors, so I figured maybe it's not supported yet, so then I tried on a 2008R2 but still got the same errors. The HTML files are nicely generated though, just not the diagrams, and I would really love those; a nice add-on in a health check for AD. I also have the Active Directory Topology Diagrammer tool; it used to work fine on 2008R2, but I can't make it work on 2012.
    Please provide some help on how to make the script work properly.
    Thanks in advance!

    • Zachary Loeber, 7:39 AM, 11/16/2013

      I have an updated version which works without the errors on 2012 (and adds more to the output as well). Keep posted for an update sometime this weekend. I'd also really appreciate any extra sectional data ideas which you would like added. This version is focused strictly on what information can be gathered with a non-admin account (I'm starting a mental checklist for running an administrative report as well, just haven't started that project yet...).

      • Stefanie, 3:58 AM, 11/18/2013

        First of all, thanks for the reply. Okay, I'll look for the update then and try again.
        About the extra sectional data ideas: I think you've got a good replacement for the Active Directory Topology Diagrammer tool (check it out and compare, maybe I'm forgetting something). Also there's a new tool, "AD Replication Status Tool"; it's fancy but I'm missing some details. Maybe you could somehow integrate the troubleshooting command-line tools like dcdiag, repadmin, dfsrdiag etc. and show the output of those in an HTML page or something.
        Integration with Visio would be nice instead of Graphviz, dunno if that's possible? It would be nice to be able to edit the diagrams...

        • Zachary Loeber, 11:49 AM, 11/18/2013

          Thanks for all the suggestions! Some of them are harder than others, but I'll add 'em to the list of desired features. I released a new version of the script on the TechNet gallery link just the other day. Give that a whirl and let me know your thoughts.

          Thanks!
          Zach

          • Stefanie, 10:30 AM, 11/19/2013

            Okay, tested it again (Win8, Win2012, Win2008R2). I can run it now, still some errors though and still no diagrams 🙁 Twiddled with those global vars but no change. I don't even get the source files in order to generate the diagrams. A while back I downloaded a zip file somewhere with the ps1 and a dll: NReco.PdfGenerator.dll. Do I have to register this dll or something?

          • Zachary Loeber, 1:35 PM, 11/20/2013

            Hello,

            The dll was just for PDF output and is not needed. Why don't you send me an email with the errors you are receiving and we can take this offline: [email protected]

            Thanks!
            Zach

  11. Francois-Xavier Cat (@LazyWinAdm), 12:55 PM, 10/18/2013

    Awesome work, Zachary!!! Will test it out.
