AD Audit Report With Powershell: Part 2

I’ve updated my AD auditing report. The forest level report now includes AD integrated zones, GPOs, and fixed code to conform to strict v2 Powershell. I’ve also included a new domain level report! This report provides some user/group stats, all privileged group membership, and more.

Reporting Features

I’ve been gradually updating my server asset reporting script as part of this project. This means several output methods are baked right in from my earlier efforts, and a few new ones have been added which are specific to the AD auditing script.

Report Containers/Types

Each report hash structure acts as a container for all the sections and report types available. The container can have any number of report type definitions. For the AD reports I define two structures: one for forest level reporting and another for domain level reporting. These each have their own report types which suit different needs.

$ADForestReport

This is for the forest level reporting. The report types to choose from are:

FullDocumentation – This is suitable for the HTML/PDF reports. This is the default report type.

ExcelExport – This is suitable for Excel exports. Even though you can use the –ExportToExcel switch on any report type, the FullDocumentation report has multiline output elements which require specially formatted HTML elements that do not lend themselves to Excel workbooks. This report type contains all the data in the FullDocumentation report but without the special HTML formatting. If you use this report type then you will want to suppress the HTML output (basically use the following flags: -ExportToExcel –NoReport).

$ADDomainReport

This is for the domain level reporting. There is only one report type to choose from (so you don’t really have to supply this to the function, as it will default to the first report type).

FullDocumentation – This is suitable for HTML/PDF reports as well as excel exports.

HTML Templates

These HTML templates have not changed.

DynamicGrid – A heavily modified CSS layout. This is the default HTML output format.

EmailFriendly – A basic layout suitable for emailed embedded reports.

Saved Report Layout

There are a few different ways PDF/HTML files can be output. This AD information is mostly suited to individual reports.

Individual – Each asset saves as its own file

One big report – Only a single report will be generated.

Report Output

HTML – See the HTML templates for a few different options on this one.

PDF – This converts the HTML format to PDF files using a third-party open source DLL (so you still have to choose HTML templates when exporting to PDF).

Email – HTML embedded email.

Excel Export – Export all results to individual worksheets within Excel. Each section generates its own workbook.

Optional Report Output

The $ADDomainReport includes a few export options which can be set by global variables. The variables are:

$EXPORTTOCSV_ALLUSERS – Create a CSV file with all users of the domain.

$EXPORTTOCSV_PRIVUSERS – Create a separate CSV file with all privileged users of the domain.

This may slow down the report but the output can be quite interesting. Exporting all the users in each domain also includes appended output from a special function I wrote to pull out all useraccountcontrol information for a user account and another special function I wrote to normalize attribute information. This is useful when some users are exchange/lync enabled and some are not. Exchange/Lync enabling a user adds extra attributes which otherwise are not there. This normalization accounts for these attributes and assigns them a null value if unavailable.

Graphs

Aside from the report, three diagrams can be created when this script is run against the $ADForestReport container:

  • Domain trusts
  • Site replication connections
  • Site adjacencies

You can choose to create a diagram source text file and/or a png file with the following global variables:

$AD_CreateDiagramSourceFiles
$AD_CreateDiagrams

To actually generate the diagrams you will need graphviz’s dot.exe executable, which can be downloaded and installed here. Or here is a portable version of the application you can try. All you need is for the dot.exe file to work correctly to generate your diagram. You may have to modify this script to use the appropriate path to the executable if you use the portable version of graphviz.

You can specify the path of dot.exe with the following global variable:

$Graphviz_Path

Report Data

I’ve included only items which can be gathered from Active Directory with a regular user account and without any special AD modules. Each report contains different information worth checking out:

$ADForestReport

This contains forest wide information.

Forest Information

Forest Summary

  • Name
  • Functional Level
  • Domain Count
  • Site Count
  • DC Count
  • GC Count
  • Exchange Count
  • Lync/Pool counts

Forest Features

  • Tombstone Lifetime
  • Recycle Bin Enabled
  • Lync AD Container

Exchange Servers

  • Organization
  • Administrative Group
  • Name
  • Roles
  • Site
  • Serial/Product ID

Lync/OCS

  • Element (Server/Pool)
  • Type (Internal/Edge/Backend/Pool)
  • Name/FQDN

Site Information

Summary

  • Site Name
  • Location
  • Domains
  • DCs
  • Subnets

Details

  • Site Name
  • Options
  • ISTG
  • Links
  • Bridgeheads
  • Adjacencies

Subnets

  • Subnet
  • Site Name
  • Location

Site Connections

  • Enabled
  • Options
  • From
  • To

Domain Information

Forest Domains

  • Name
  • NetBIOS
  • Functional Level
  • Forest Root
  • Assigned FSMO Roles

Domain Password Policies

  • Domain Name
  • NetBIOS Name
  • Lockout Threshold
  • Pass History Length
  • Max Pass Age
  • Min Pass Age
  • Min Pass Length

Domain Controllers

  • Domain
  • Site
  • Server Name
  • OS
  • Time
  • IP
  • GC
  • FSMO Roles

Domain Trusts

  • Domain
  • Trusted Domain
  • Trust Direction
  • Attributes
  • Trust Type
  • Created
  • Modified

DFS Shares

  • Domain
  • Name
  • DN
  • Remote Server

DFSR Shares

  • Domain
  • Name
  • Content (shares)
  • Remote Servers

Integrated DNS Zones

  • Zone Name
  • Domain
  • Partition
  • Record Count
  • Created
  • Changed

GPOs

  • Domain
  • Name
  • Created
  • Changed

$ADDomainReport

This contains per-domain account and group information which is largely focused on account security and discovery.

Account Statistics (count) 1

  • Total User Accounts
  • Enabled
  • Disabled
  • Locked
  • Password Does Not Expire
  • Password Must Change

Account Statistics (count) 2

  • Password Not Required
  • Dial-in Enabled
  • Control Access With NPS
  • Unconstrained Delegation
  • Not Trusted For Delegation
  • No Pre-Auth Required

Group Statistics

  • Total Groups
  • Built-in
  • Universal Security
  • Universal Distribution
  • Global Security
  • Global Distribution
  • Domain Local Security
  • Domain Local Distribution

Privileged Group Statistics

  • Default Priv Group Name
  • Current Group Name (if it was changed)
  • Member Count

Privileged Group Membership for the following groups:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
  • Cert Publishers
  • Account Operators
  • Server Operators
  • Backup Operators
  • Print Operators

Account information for the prior sections:

  • Logon ID
  • Name
  • Password Age (Days)
  • Last Logon Date
  • Password Does Not Expire
  • Password Reversible
  • Password Not Required

Screenshots

(Screenshots of the forest level report: trusts, Lync, site subnets, site connections, forest summary, domain controllers.)

Here are some screenshots from the domain level report:

(Screenshots of the domain level report: account statistics, group statistics, privileged group membership.)

Conclusion

This script represents a good deal of work on my part so I’m thrilled to get any feedback or suggestions for improvement. If you browse through the code I think you will find a good deal to learn from (there are even some unused functions which do some neat things with LDAP paths tucked away in here).

Downloads

Download from the TechNet gallery

Comments (11)

  1. 3:24 AM, 05/10/2018 Thiyagarajan

    Hi, please help me to update the html reports with all users

  2. 10:19 AM, 08/26/2017 Benjamin Nguyen

    Great Works. Thank you so much for your time to develop the scripts !!

  3. 3:37 AM, 05/07/2015 Simon Jackson

    I found a slight mistake in your LDAP queries; line 6284-6285 =
    $Filter_User_UnconstrainedDelegation = ‘(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288)’
    $Filter_User_NotTrustedForDelegation = ‘(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288)’

    Those LDAP filters are identical; sure it’s just a simple typo, or one of them is missing a NOT statement.

    Hope it helps.

    • 8:48 AM, 05/08/2015 Zachary Loeber

      And this is why I like to publish my scripts online for all to review 🙂 Thanks for the heads up. I’m going to try to release an updated, cleaned up version of this script in the next few months and will include this fix.

      • 9:30 AM, 05/08/2015 Simon Jackson

        If you want any help adding to it, tweaking it or offering more suggestions – please mail me. I’d be happy to assist.
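As an added example (not the author’s script), here is how the two filters from the comment thread above can be made distinct, alongside a decoder for the userAccountControl bits that the domain level report counts. The flag values are the documented AD userAccountControl bits; the choice of NOT_DELEGATED (0x100000, “account is sensitive and cannot be delegated”) for the “Not Trusted For Delegation” statistic is an assumption, so the inverse (`-Not`) form is shown as well.

```powershell
# Added example, not the author's script: decode userAccountControl and build the
# LDAP filters for the domain report statistics. The matching rule
# 1.2.840.113556.1.4.803 is a bitwise AND, so each filter selects accounts with
# that bit set; wrapping the clause in (!...) selects the accounts without it.
$UACFlags = @{
    'ACCOUNTDISABLE'             = 0x0002    # "Disabled"
    'LOCKOUT'                    = 0x0010    # "Locked"
    'PASSWD_NOTREQD'             = 0x0020    # "Password Not Required"
    'ENCRYPTED_TEXT_PWD_ALLOWED' = 0x0080    # "Password Reversible"
    'DONT_EXPIRE_PASSWORD'       = 0x10000   # "Password Does Not Expire"
    'TRUSTED_FOR_DELEGATION'     = 0x80000   # "Unconstrained Delegation"
    'NOT_DELEGATED'              = 0x100000  # assumed: "Not Trusted For Delegation"
    'DONT_REQ_PREAUTH'           = 0x400000  # "No Pre-Auth Required"
}

function Get-UACFlagNames {
    param([int]$UserAccountControl)
    # Return the name of every known flag whose bit is set in the supplied value
    $UACFlags.Keys |
        Where-Object { ($UserAccountControl -band $UACFlags[$_]) -ne 0 } |
        Sort-Object
}

function New-UACFilter {
    param([int]$Bit, [switch]$Not)
    # samAccountType 805306368 restricts the search to normal user accounts
    $clause = "(userAccountControl:1.2.840.113556.1.4.803:=$Bit)"
    if ($Not) { $clause = "(!$clause)" }
    "(&(samAccountType=805306368)$clause)"
}

# The two filters that were identical in the posted script, now using different bits
$Filter_User_UnconstrainedDelegation = New-UACFilter -Bit $UACFlags['TRUSTED_FOR_DELEGATION']
$Filter_User_NotTrustedForDelegation = New-UACFilter -Bit $UACFlags['NOT_DELEGATED']

# If "not trusted for delegation" was meant as the inverse of the first filter instead
$Filter_User_NoUnconstrainedDelegation = New-UACFilter -Bit $UACFlags['TRUSTED_FOR_DELEGATION'] -Not

# Constructed sample value: NORMAL_ACCOUNT (0x200) with a non-expiring password
# and unconstrained delegation enabled
Get-UACFlagNames -UserAccountControl (0x200 -bor 0x10000 -bor 0x80000)
# -> DONT_EXPIRE_PASSWORD, TRUSTED_FOR_DELEGATION
```

To run one of the filters against a domain, assign the string to the Filter property of a System.DirectoryServices.DirectorySearcher, which needs no AD module and works with a regular user account, as the post describes.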

  4. 10:29 AM, 05/05/2015 Simon Jackson

    A truly brilliant script. Over 7000 lines, I might add – WOAH!

    One question: adding the script as a monthly windows scheduled task – how do I automate the delivery of HTML files via email? Do you include a switch or something?

    • 9:10 AM, 05/07/2015 Zachary Loeber

      I thought I included some email options in the script. The report output may need to be changed to the less pretty format in order for it to provide email readable results though.

      • 11:15 AM, 05/07/2015 Simon Jackson

        You did, but those switches are not accepted by the ps1 file. It looks like the new-deliverytype includes those switches. Where is the delivery type called from?

  5. 11:12 PM, 02/01/2015 Mister Scott

    Great work, I would like to use this. Keep it up !

  6. 5:12 AM, 01/21/2015 CNenad

    This is an extraordinary piece of AD Art 🙂 KUGW 🙂
