Zachary Loeber

I eat complexity and am never without a meal.

Active Directory Audit Report With Powershell

Not too long ago I wrote a quick post on how easy it is to gather information from AD. As a case in point, I provided a script to gather all the disabled user accounts which are still assigned Lync IDs. This script takes it one step further and produces a full-blown Active Directory report, and it can be run with any non-privileged domain user account.

Features

To create the output I repurposed my server asset reporting script. This means several output methods are baked right in.

  • Report Containers/Types
    • Documentation – Currently the only format for this type of report. This returns all data gathered in the report.
  • HTML Templates
    • DynamicGrid – A heavily modified CSS layout
    • EmailFriendly – A basic layout
  • Saved Report Layout
    • Individual – Each asset saves as its own file
    • One big report – Only a single report will be generated no matter which option you choose.
  • Saved Report File Format
    • HTML
    • PDF
  • Email Reports (HTML only)
  • Export all data to individual worksheets within Excel

Aside from the report, three diagrams are also created when this script is run: one for domain trusts, another for site replication connections, and a third for site adjacencies. By default the diagram source text file and a PNG file are created in the directory from which you run the script.

To actually generate the diagrams you will need Graphviz’s dot.exe executable, which can be downloaded and installed here. Or here is a portable version of the application you can try. All you need is for dot.exe to run correctly to generate your diagram. You may have to modify this script to use the appropriate path to the executable if you use the portable version of Graphviz.

(If you don’t care about the diagrams, either comment out the code or ignore the errors as it tries to run dot.exe.)
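As an added example of how the trust diagram step works (this is not the script from the post, just a stand-alone illustration), the snippet below walks every domain in the current forest with System.DirectoryServices.ActiveDirectory, writes a Graphviz DOT file of the trust relationships, and renders it to PNG only if dot.exe can be found. It assumes dot.exe is on the PATH; the -DotExe parameter is a hypothetical name for pointing at a portable copy. It needs nothing beyond an ordinary domain account.

```powershell
# Added example, not the post's script: build a Graphviz DOT file of the forest's
# domain trusts and render it with dot.exe when the executable is available.
# Assumption: dot.exe is on the PATH; pass -DotExe to use a portable copy.
param(
    [string]$DotExe  = 'dot.exe',
    [string]$OutBase = (Join-Path $PWD 'DomainTrusts')
)

Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# A two-way trust is reported from both domains, so de-duplicate on the
# unordered pair of domain names.
$seen  = @{}
$edges = @(foreach ($domain in $forest.Domains) {
    foreach ($t in $domain.GetAllTrustRelationships()) {
        $key = (@($t.SourceName, $t.TargetName) | Sort-Object) -join '|'
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        # TrustDirection is relative to SourceName: Inbound, Outbound or Bidirectional.
        $dir = switch ("$($t.TrustDirection)") {
            'Bidirectional' { 'dir=both' }
            'Inbound'       { 'dir=back' }
            default         { 'dir=forward' }
        }
        '  "{0}" -> "{1}" [label="{2}", {3}];' -f $t.SourceName, $t.TargetName, $t.TrustType, $dir
    }
})

# Emit the DOT source; an isolated single-domain forest simply gets no edges.
$dotFile = "$OutBase.dot"
@(
    'digraph DomainTrusts {'
    '  rankdir=LR; node [shape=box];'
    $edges
    '}'
) | Set-Content -Path $dotFile -Encoding ASCII
Write-Host "Wrote $dotFile ($($seen.Count) trusts)"

# Render only if dot.exe resolves; otherwise leave just the .dot source, which
# matches the post's advice to ignore the dot.exe step if you do not need the PNG.
if (Get-Command $DotExe -ErrorAction SilentlyContinue) {
    & $DotExe -Tpng $dotFile -o "$OutBase.png"
} else {
    Write-Warning "dot.exe not found; install Graphviz or pass -DotExe with the full path."
}
```

Save it as a .ps1 and run it from the directory where you want the DomainTrusts.dot and DomainTrusts.png files to land. Trust type and direction are worth reviewing in the resulting picture: an unexpected external or bidirectional trust is the kind of finding this diagram makes obvious at a glance.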

Report Data

I’ve included only items which can be gathered from Active Directory with a regular user account and without any special AD modules. This is what has been added thus far:

  • Forest Information
    • Forest Summary
      • Name/Functional Level
      • Domain/Site/DC/GC/Exchange/Lync/Pool counts
    • Forest Features
      • Tombstone Lifetime
      • Recycle Bin Enabled
      • Lync AD Container
    • Exchange Servers
      • Organization/Administrative Group/Name/Roles/Site
      • Serial/Product ID
    • Lync
      • Element (Server/Pool)
      • Type (Internal/Edge/Backend/Pool)
      • Name/FQDN
    • Site Information
      • Summary
        • Site Name/Location/Domains/DCs/Subnets
      • Details
        • Site Name/Options/ISTG/Links/Bridgeheads/Adjacencies
      • Subnets
        • Subnet/Site Name/Location
      • Site Connections
        • Enabled/Options/From/To
    • Domain Information
      • Domains
        • Name/NetBIOS/Functional Level/Forest Root/Assigned FSMO Roles
      • Domain Password Policies
        • Name/NetBIOS/Lockout Threshold/Pass History Length/Max Pass Age/Min Pass Age/Min Pass Length
      • Domain Controllers
        • Domain/Site/Name/OS/Time/IP/GC/FSMO Roles
      • Domain Trusts
        • Domain/Trusted Domain/Direction/Attributes/Trust Type/Created/Modified
      • Domain DFS Shares
        • Domain/Name/DN/Remote Server
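To show how the items above can be pulled with nothing but a regular user account and no AD module, here is an added example (not the post's own code) that collects the domain password policy, the two forest features, and the domain controller fields listed above using ADSI and System.DirectoryServices only. The DirectorySearcher is used for the single-object reads because it returns the large-integer interval attributes (maxPwdAge and friends) as Int64 rather than COM objects. The helper names are mine, not part of the script the post describes.

```powershell
# Added example, not the report script from this post: gather the password-policy,
# forest-feature and domain-controller items with an ordinary domain user account,
# using only ADSI and System.DirectoryServices (no ActiveDirectory module).
Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

# Base-scope search on one object. Returns the ResultPropertyCollection so
# interval attributes arrive as Int64 instead of IADsLargeInteger COM objects.
function Get-AdsiObjectProperties {
    param([string]$Path, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$Path)
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=*)'
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindOne().Properties
}

# AD stores password-age and lockout intervals as negative 100-nanosecond ticks;
# [long]::MinValue means "no limit" (password never expires / unlock by admin only).
function ConvertFrom-AdInterval([long]$Ticks) {
    if ($Ticks -eq [long]::MinValue) { return '(unlimited)' }
    [TimeSpan]::FromTicks(-$Ticks).ToString()
}

# --- Domain password policy (the default-domain values held on the domain head) ---
$pol = Get-AdsiObjectProperties "LDAP://$domainDn" @(
    'name', 'maxpwdage', 'minpwdage', 'minpwdlength',
    'pwdhistorylength', 'lockoutthreshold', 'lockoutduration')

$passwordPolicy = [PSCustomObject]@{
    Domain            = $pol['name'][0]
    LockoutThreshold  = $pol['lockoutthreshold'][0]     # 0 means accounts never lock out
    LockoutDuration   = ConvertFrom-AdInterval $pol['lockoutduration'][0]
    PassHistoryLength = $pol['pwdhistorylength'][0]
    MaxPassAge        = ConvertFrom-AdInterval $pol['maxpwdage'][0]
    MinPassAge        = ConvertFrom-AdInterval $pol['minpwdage'][0]
    MinPassLength     = $pol['minpwdlength'][0]
}

# --- Forest features: tombstone lifetime and whether the Recycle Bin is enabled ---
$dsConfig = Get-AdsiObjectProperties "LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configDn" @('tombstonelifetime')
# When the attribute is absent the forest still uses the legacy default of 60 days.
$tombstoneDays = if ($dsConfig.Contains('tombstonelifetime')) { $dsConfig['tombstonelifetime'][0] } else { 60 }

$partitions = Get-AdsiObjectProperties "LDAP://CN=Partitions,$configDn" @('msds-enabledfeature')
$recycleBin = $partitions.Contains('msds-enabledfeature') -and
              (@($partitions['msds-enabledfeature']) -match 'CN=Recycle Bin Feature').Count -gt 0

$forestFeatures = [PSCustomObject]@{
    TombstoneLifetimeDays = $tombstoneDays
    RecycleBinEnabled     = $recycleBin
}

# --- Domain controllers: Domain/Site/Name/OS/Time/IP/GC/FSMO Roles ---
# CurrentTime, IPAddress and Roles contact each DC, so an unreachable DC is
# reported as a warning instead of aborting the whole collection.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainControllers = @(foreach ($dc in $domain.DomainControllers) {
    try {
        [PSCustomObject]@{
            Domain    = $domain.Name
            Site      = $dc.SiteName
            Name      = $dc.Name
            OS        = $dc.OSVersion
            Time      = $dc.CurrentTime
            IP        = $dc.IPAddress
            GC        = $dc.IsGlobalCatalog()
            FSMORoles = (@($dc.Roles) -join ', ')
        }
    } catch {
        Write-Warning "Could not query $($dc.Name): $($_.Exception.Message)"
    }
})

$passwordPolicy
$forestFeatures
$domainControllers | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: the password policy shown here is the domain-wide default only, so any fine-grained password settings objects applied to specific groups are not reflected, and a LockoutThreshold of 0 or a MaxPassAge of "(unlimited)" is exactly the kind of weak setting an audit report like this exists to surface.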

Screenshots

Here are some screenshots of the reports and diagrams which can be created:

Downloads

You can download the script from the technet galleries.