AD Audit Report With Powershell: Part 2
I’ve updated my AD auditing report. The forest level report now includes AD integrated zones, GPOs, and fixed code to conform to strict v2 Powershell. I’ve also included a new domain level report! This report provides some user/group stats, all privileged group membership, and more.
Reporting Features
I’ve been gradually updating my server asset reporting script as part of this project. This means several output methods are baked right in from my earlier efforts, and a few new ones have been added which are specific to the AD auditing script.
Report Containers/Types
Each report hash structure acts as a container for all the sections and report types available. The container can have any number of report type definitions. For the AD reports I define two structures. One for forest level reporting and another for domain level reporting. These each have their own report types which suit different needs.
$ADForestReport
This is for the forest level reporting. The report types to choose from are:
FullDocumentation – This is suitable for the HTML/PDF reports. This is the default report type.
ExcelExport – This is suitable for Excel exports. Even though you can use the -ExportToExcel switch on any report type, this report has multiline output elements which require specially formatted HTML elements that do not lend themselves to Excel workbooks. This is all the data in the FullDocumentation report but without the special HTML formatting. If you use this report type you will want to suppress the HTML output (basically use the following flags: -ExportToExcel -NoReport).
$ADDomainReport
This is for the domain level reporting. There is only one report type to choose from (so you don’t really have to supply it to the function at all, as it will default to the first report type).
FullDocumentation – This is suitable for HTML/PDF reports as well as excel exports.
HTML Templates
These HTML templates have not changed.
DynamicGrid – A heavily modified CSS layout. This is the default HTML output format.
EmailFriendly – A basic layout suitable for emailed embedded reports.
Saved Report Layout
There are a few different ways the PDF/HTML reports can be saved. This AD information is mostly suited to individual reports.
Individual – Each asset saves as its own file
One big report – Only a single report will be generated.
Report Output
HTML – See the HTML templates for a few different options on this one.
PDF – This converts the HTML format to PDF files using a third-party open source DLL (so you still have to choose HTML templates when exporting to PDF).
Email – HTML embedded email.
Excel Export – Export all results to individual worksheets within Excel. Each section generates its own workbook.
Optional Report Output
The $ADDomainReport includes a few export options which can be set by global variables. The variables are:
$EXPORTTOCSV_ALLUSERS – Create a CSV file with all users of the domain.
$EXPORTTOCSV_PRIVUSERS – Create a separate CSV file with all privileged users of the domain.
This may slow down the report but the output can be quite interesting. Exporting all the users in each domain also includes appended output from a special function I wrote to pull out all useraccountcontrol information for a user account and another special function I wrote to normalize attribute information. This is useful when some users are exchange/lync enabled and some are not. Exchange/Lync enabling a user adds extra attributes which otherwise are not there. This normalization accounts for these attributes and assigns them a null value if unavailable.
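Added example, not code from the post’s script: a small attribute normalizer of the kind described above, built on System.DirectoryServices only (no AD module, runs as a regular user). Every exported user gets the same column set, with $null where an attribute is absent, so Exchange/Lync-enabled and plain users line up in one CSV. The function names and the attribute list in the usage line are my own choices.

```powershell
# Added example, not the post's own code. Normalizes DirectorySearcher results so
# every object carries the same attribute set; missing attributes become $null.
# Assumption: the attribute names in the usage line are illustrative.

function ConvertTo-NormalizedObject {
    param(
        [System.DirectoryServices.SearchResult]$Result,
        [string[]]$Attributes
    )
    $props = @{}
    foreach ($attr in $Attributes) {
        $values = $Result.Properties[$attr]      # empty collection when the attribute is absent
        if ($values.Count -eq 0) {
            $props[$attr] = $null                 # normalized: column exists, value is null
        } elseif ($values.Count -eq 1) {
            $props[$attr] = $values[0]
        } else {
            # multi-valued attributes are joined so Export-Csv does not emit "System.Object[]"
            $props[$attr] = [string]::Join(';', @($values | ForEach-Object { [string]$_ }))
        }
    }
    New-Object PSObject -Property $props
}

function Get-NormalizedUsers {
    param(
        [string[]]$Attributes,
        [string]$SearchRoot = ''                  # DN or DNS name; empty = current domain
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [ADSI]"LDAP://$SearchRoot" }
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000                     # paged results; large domains exceed the server's 1000-entry limit
    foreach ($attr in $Attributes) { [void]$searcher.PropertiesToLoad.Add($attr) }
    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            ConvertTo-NormalizedObject -Result $result -Attributes $Attributes
        }
    } finally {
        $results.Dispose()
    }
}

# Usage (attribute names are lower-case, as DirectorySearcher returns them):
# Get-NormalizedUsers -Attributes 'samaccountname','mail','msexchhomeservername','msrtcsip-primaryuseraddress','useraccountcontrol' |
#     Export-Csv -Path .\AllUsers.csv -NoTypeInformation
```

Because every object has the same property set, Export-Csv writes a consistent header regardless of which user happens to be first in the result set; without the normalization the header would be taken from that first object and later users with extra attributes would silently lose columns.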
Graphs
Aside from the report, three diagrams can be created when this script is run against the $ADForestReport container:
- Domain trusts
- Site replication connections
- Site adjacencies
You can choose to create a diagram source text file and/or a png file with the following global variables:
$AD_CreateDiagramSourceFiles
$AD_CreateDiagrams
To actually generate the diagrams you will need Graphviz’s dot.exe executable, which can be downloaded and installed here. Or here is a portable version of the application you can try. All you need is for dot.exe to work correctly to generate your diagram. You may have to modify this script to use the appropriate path to the executable if you use the portable version of Graphviz.
You can specify the path of dot.exe with the following global variable:
$Graphviz_Path
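Added example, not the post’s own code: how the domain-trust diagram can be produced from the three globals above. The trust list comes from System.DirectoryServices.ActiveDirectory (readable by a regular user), the DOT text is generated by hand, and dot.exe is only invoked when $AD_CreateDiagrams is set. The function names, the arrow convention and the default dot.exe path are my assumptions; the sample trust list at the end is constructed so the DOT output can be seen without a directory.

```powershell
# Added example, not the post's own code. $Graphviz_Path, $AD_CreateDiagramSourceFiles
# and $AD_CreateDiagrams are the post's globals; everything else here is assumed.

$Graphviz_Path               = 'C:\Program Files\Graphviz\bin\dot.exe'   # adjust for a portable install
$AD_CreateDiagramSourceFiles = $true
$AD_CreateDiagrams           = $true

function Get-DomainTrust {
    # Reads trust relationships through System.DirectoryServices.ActiveDirectory (no AD module).
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($trust in $domain.GetAllTrustRelationships()) {
            New-Object PSObject -Property @{
                Domain        = $trust.SourceName
                TrustedDomain = $trust.TargetName
                Direction     = $trust.TrustDirection.ToString()   # Inbound, Outbound, Bidirectional
                Type          = $trust.TrustType.ToString()        # ParentChild, External, Forest, ...
            }
        }
    }
}

function ConvertTo-TrustDot {
    param([object[]]$Trusts)
    # Convention used here: an arrow points from the trusting domain to the trusted domain.
    $lines = @('digraph trusts {', '  rankdir=LR;', '  node [shape=box];')
    foreach ($t in $Trusts) {
        $src = $t.Domain -replace '"', ''
        $dst = $t.TrustedDomain -replace '"', ''
        switch ($t.Direction) {
            'Bidirectional' { $lines += ('  "{0}" -> "{1}" [dir=both label="{2}"];'     -f $src, $dst, $t.Type) }
            'Outbound'      { $lines += ('  "{0}" -> "{1}" [label="{2}"];'              -f $src, $dst, $t.Type) }
            'Inbound'       { $lines += ('  "{1}" -> "{0}" [label="{2}"];'              -f $src, $dst, $t.Type) }
            default         { $lines += ('  "{0}" -> "{1}" [style=dashed label="{2}"];' -f $src, $dst, $t.Type) }
        }
    }
    $lines += '}'
    $lines -join "`r`n"
}

function Export-TrustDiagram {
    param([object[]]$Trusts, [string]$OutputBase = 'ADTrusts')
    if (-not ($AD_CreateDiagramSourceFiles -or $AD_CreateDiagrams)) { return }
    $gvFile = "$OutputBase.gv"
    Set-Content -Path $gvFile -Value (ConvertTo-TrustDot -Trusts $Trusts) -Encoding ASCII
    if ($AD_CreateDiagrams) {
        if (-not (Test-Path $Graphviz_Path)) { throw "dot.exe not found at $Graphviz_Path" }
        & $Graphviz_Path -Tpng $gvFile -o "$OutputBase.png"
        if ($LASTEXITCODE -ne 0) { throw "dot.exe exited with code $LASTEXITCODE" }
    }
    if (-not $AD_CreateDiagramSourceFiles) { Remove-Item $gvFile }   # source was only needed to render the PNG
}

# Constructed sample (no directory needed) to see the DOT text:
$sample = @(
    (New-Object PSObject -Property @{ Domain='corp.example.com'; TrustedDomain='dev.corp.example.com'; Direction='Bidirectional'; Type='ParentChild' }),
    (New-Object PSObject -Property @{ Domain='corp.example.com'; TrustedDomain='partner.example.net';  Direction='Outbound';      Type='External' })
)
ConvertTo-TrustDot -Trusts $sample
# Against a live forest: Export-TrustDiagram -Trusts (Get-DomainTrust)
```

Edge labels carry the trust type, so an External or Forest trust stands out from the ParentChild links that every multi-domain forest has; those external edges are the ones worth checking against what the environment is actually supposed to trust.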
Report Data
I’ve included only items which can be gathered from Active Directory with a regular user account and without any special AD modules. Each report contains different information worth checking out:
$ADForestReport
This contains forest wide information.
Forest Information
Forest Summary
- Name
- Functional Level
- Domain Count
- Site Count
- DC Count
- GC Count
- Exchange Count
- Lync/Pool counts
Forest Features
- Tombstone Lifetime
- Recycle Bin Enabled
- Lync AD Container
Exchange Servers
- Organization
- Administrative Group
- Name
- Roles
- Site
- Serial/Product ID
Lync/OCS
- Element (Server/Pool)
- Type (Internal/Edge/Backend/Pool)
- Name/FQDN
Site Information
Summary
- Site Name
- Location
- Domains
- DCs
- Subnets
Details
- Site Name
- Options
- ISTG
- Links
- Bridgeheads
- Adjacencies
Subnets
- Subnet
- Site Name
- Location
Site Connections
- Enabled
- Options
- From
- To
Domain Information
Forest Domains
- Name
- NetBIOS
- Functional Level
- Forest Root
- Assigned FSMO Roles
Domain Password Policies
- Domain Name
- NetBIOS Name
- Lockout Threshold
- Pass History Length
- Max Pass Age
- Min Pass Age
- Min Pass Length
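Added example, not the post’s own code: reading the password-policy fields listed above straight from the domain root object with a regular user account and no AD module. The conversion rules are how AD stores these attributes (maxPwdAge and minPwdAge are negative 100-nanosecond intervals, and the most negative Int64 means "never"); the NetBIOS name is looked up on the crossRef object in the Partitions container because it is not stored on the domain itself. Function names and the output layout are my own.

```powershell
# Added example, not the post's own code. Reads the domain password policy via
# DirectorySearcher; attribute conversions follow AD's storage format.

function ConvertFrom-AdInterval {
    param([long]$Value)
    # 0 and [long]::MinValue both mean "not set / never"; negating MinValue would overflow
    if ($Value -eq 0 -or $Value -eq [long]::MinValue) { return $null }
    [TimeSpan]::FromTicks(-$Value)
}

function Get-DomainPasswordPolicy {
    param([string]$DomainDns = '')             # empty = the current user's domain
    if ($DomainDns) { $root = [ADSI]"LDAP://$DomainDns" } else { $root = [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=domainDNS)'
    $attrs = 'distinguishedname','lockoutthreshold','pwdhistorylength',
             'maxpwdage','minpwdage','minpwdlength'
    foreach ($a in $attrs) { [void]$searcher.PropertiesToLoad.Add($a) }
    $r = $searcher.FindOne()
    if (-not $r) { throw "Could not read the domain root object for '$DomainDns'" }
    $p  = $r.Properties
    $dn = $p['distinguishedname'][0]

    # NetBIOS name lives on the crossRef object in the Partitions container, not on the domain object
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ps = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Partitions,$cfgNc")
    $ps.Filter = "(&(objectClass=crossRef)(nCName=$dn))"
    [void]$ps.PropertiesToLoad.Add('netbiosname')
    $cross   = $ps.FindOne()
    $netbios = $null
    if ($cross) { $netbios = $cross.Properties['netbiosname'][0] }

    New-Object PSObject -Property @{
        'Domain Name'         = ($dn -replace '^DC=', '') -replace ',DC=', '.'
        'NetBIOS Name'        = $netbios
        'Lockout Threshold'   = [int]$p['lockoutthreshold'][0]             # 0 = accounts never lock out
        'Pass History Length' = [int]$p['pwdhistorylength'][0]
        'Max Pass Age'        = ConvertFrom-AdInterval ([long]$p['maxpwdage'][0])   # $null = passwords never expire
        'Min Pass Age'        = ConvertFrom-AdInterval ([long]$p['minpwdage'][0])
        'Min Pass Length'     = [int]$p['minpwdlength'][0]
    }
}

# Usage: Get-DomainPasswordPolicy | Format-List
```

When reviewing the output, a Lockout Threshold of 0, a Max Pass Age of $null, or a Min Pass Age of $null (which lets a user cycle through the whole password history in one sitting) are the values that usually need a conversation with the domain owners. Note that this reads the default domain policy only; fine-grained password policies (PSOs) are stored separately and are not covered by these attributes.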
Domain Controllers
- Domain
- Site
- Server Name
- OS
- Time
- IP
- GC
- FSMO Roles
Domain Trusts
- Domain
- Trusted Domain
- Trust Direction
- Attributes
- Trust Type
- Created
- Modified
DFS Shares
- Domain
- Name
- DN
- Remote Server
DFSR Shares
- Domain
- Name
- Content (shares)
- Remote Servers
Integrated DNS Zones
- Zone Name
- Domain
- Partition
- Record Count
- Created
- Changed
GPOs
- Domain
- Name
- Created
- Changed
$ADDomainReport
This contains per-domain account and group information which is largely focused on account security and discovery.
Account Statistics (count) 1
- Total User Accounts
- Enabled
- Disabled
- Locked
- Password Does Not Expire
- Password Must Change
Account Statistics (count) 2
- Password Not Required
- Dial-in Enabled
- Control Access With NPS
- Unconstrained Delegation
- Not Trusted For Delegation
- No Pre-Auth Required
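Added example, not the post’s own code: a userAccountControl decoder of the kind the post mentions for its CSV export, reused to count the per-domain account statistics listed above. The flag values are the documented UF_* bits. The Locked, Password Must Change and dial-in counters rely on lockoutTime, pwdLastSet and msNPAllowDialin, which are separate attributes rather than userAccountControl bits. Function names and the counter labels are my own, chosen to match the report columns.

```powershell
# Added example, not the post's own code. Decodes userAccountControl and counts
# the account statistics from the report. Uses DirectorySearcher only.

$UacFlags = @{
    ACCOUNTDISABLE             = 0x0002
    PASSWD_NOTREQD             = 0x0020
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080     # password stored with reversible encryption
    DONT_EXPIRE_PASSWORD       = 0x10000
    TRUSTED_FOR_DELEGATION     = 0x80000    # unconstrained delegation
    NOT_DELEGATED              = 0x100000   # "account is sensitive and cannot be delegated"
    DONT_REQ_PREAUTH           = 0x400000   # Kerberos pre-authentication not required
}

function Get-UacFlagSet {
    param([int]$Uac)
    # Returns a hashtable of flag name -> $true/$false; suitable to append to a per-user export
    $set = @{}
    foreach ($name in $UacFlags.Keys) { $set[$name] = (($Uac -band $UacFlags[$name]) -ne 0) }
    $set
}

function Get-AccountStatistics {
    param([string]$SearchRoot = '')             # DN or DNS name; empty = current domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [ADSI]"LDAP://$SearchRoot" }
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000
    foreach ($a in 'useraccountcontrol','lockouttime','pwdlastset','msnpallowdialin') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    $c = @{}
    foreach ($k in 'Total User Accounts','Enabled','Disabled','Locked','Password Does Not Expire',
                   'Password Must Change','Password Not Required','Dial-in Enabled',
                   'Control Access With NPS','Unconstrained Delegation','Not Trusted For Delegation',
                   'No Pre-Auth Required') { $c[$k] = 0 }
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $p = $r.Properties
            $f = Get-UacFlagSet -Uac ([int]$p['useraccountcontrol'][0])
            $c['Total User Accounts']++
            if ($f.ACCOUNTDISABLE) { $c['Disabled']++ } else { $c['Enabled']++ }
            # lockoutTime is non-zero while an account is (or was last) locked; a strict check also
            # compares it against the domain lockoutDuration, which is omitted here
            if ($p['lockouttime'].Count -gt 0 -and [long]$p['lockouttime'][0] -ne 0) { $c['Locked']++ }
            if ($f.DONT_EXPIRE_PASSWORD) { $c['Password Does Not Expire']++ }
            # pwdLastSet of 0 = "user must change password at next logon"
            if ($p['pwdlastset'].Count -gt 0 -and [long]$p['pwdlastset'][0] -eq 0) { $c['Password Must Change']++ }
            if ($f.PASSWD_NOTREQD) { $c['Password Not Required']++ }
            if ($p['msnpallowdialin'].Count -gt 0) {
                if ($p['msnpallowdialin'][0]) { $c['Dial-in Enabled']++ }
            } else {
                $c['Control Access With NPS']++   # attribute absent = "control access through NPS network policy"
            }
            if ($f.TRUSTED_FOR_DELEGATION) { $c['Unconstrained Delegation']++ }
            if ($f.NOT_DELEGATED)          { $c['Not Trusted For Delegation']++ }
            if ($f.DONT_REQ_PREAUTH)       { $c['No Pre-Auth Required']++ }
        }
    } finally { $results.Dispose() }
    New-Object PSObject -Property $c
}

# Usage: Get-AccountStatistics | Format-List
```

Non-zero counts for No Pre-Auth Required, Password Not Required and Unconstrained Delegation are the ones to follow up account by account, since each of those settings weakens the protection the domain otherwise gives that account.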
Group Statistics
- Total Groups
- Built-in
- Universal Security
- Universal Distribution
- Global Security
- Global Distribution
- Domain Local Security
- Domain Local Distribution
Privileged Group Statistics
- Default Priv Group Name
- Current Group Name (if it has been renamed)
- Member Count
Privileged Group Membership for the following groups
- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
- Cert Publishers
- Account Operators
- Server Operators
- Backup Operators
- Print Operators
Account information for the prior sections:
- Logon ID
- Name
- Password Age (Days)
- Last Logon Date
- Password Does Not Expire
- Password Reversible
- Password Not Required
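Added example, not the post’s own code: enumerating the privileged groups above together with the account columns just listed. Each group is found by its well-known RID rather than by name, so a renamed group is still located and its current name is reported; nested members are expanded with the LDAP_MATCHING_RULE_IN_CHAIN matching rule in a single query. Function names, the output layout and the RID table’s scope labels are my own. Caveat: the in-chain rule only follows nesting inside the naming context being searched, so members that are foreign security principals from other domains will not appear as user objects here.

```powershell
# Added example, not the post's own code. Resolves privileged groups by RID and
# lists nested user members with password-related columns. DirectorySearcher only.

$PrivilegedGroups = @(
    @{ Name='Enterprise Admins'; Rid=519; Scope='ForestRoot' },
    @{ Name='Schema Admins';     Rid=518; Scope='ForestRoot' },
    @{ Name='Domain Admins';     Rid=512; Scope='Domain' },
    @{ Name='Cert Publishers';   Rid=517; Scope='Domain' },
    @{ Name='Administrators';    Rid=544; Scope='Builtin' },
    @{ Name='Account Operators'; Rid=548; Scope='Builtin' },
    @{ Name='Server Operators';  Rid=549; Scope='Builtin' },
    @{ Name='Backup Operators';  Rid=551; Scope='Builtin' },
    @{ Name='Print Operators';   Rid=550; Scope='Builtin' }
)

function ConvertTo-LdapFilterValue {
    param([string]$Value)    # RFC 4515 escaping for a DN placed inside a filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-DomainSid {
    param([string]$DomainDns)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainDns")
    $s.SearchScope = 'Base'; $s.Filter = '(objectClass=domainDNS)'
    [void]$s.PropertiesToLoad.Add('objectsid')
    New-Object System.Security.Principal.SecurityIdentifier($s.FindOne().Properties['objectsid'][0], 0)
}

function ConvertFrom-FileTime {
    param([long]$Value)      # 0 = not set; MaxValue is the "never" sentinel used by some attributes
    if ($Value -le 0 -or $Value -eq [long]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-PrivilegedGroupMembership {
    param([string]$DomainDns = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name)
    $forestRoot = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name
    $domainSid  = Get-DomainSid $DomainDns
    $rootSid    = Get-DomainSid $forestRoot
    foreach ($g in $PrivilegedGroups) {
        $searchDomain = $DomainDns
        if ($g.Scope -eq 'ForestRoot') { $searchDomain = $forestRoot; $sid = "$rootSid-$($g.Rid)" }   # only exist in the forest root
        elseif ($g.Scope -eq 'Builtin') { $sid = "S-1-5-32-$($g.Rid)" }
        else                            { $sid = "$domainSid-$($g.Rid)" }

        $gs = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$searchDomain")
        $gs.Filter = "(objectSid=$sid)"         # AD accepts the string form of a SID in filters
        foreach ($a in 'distinguishedname','name') { [void]$gs.PropertiesToLoad.Add($a) }
        $group = $gs.FindOne()
        if (-not $group) { continue }
        $groupDn = $group.Properties['distinguishedname'][0]

        $ms = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$searchDomain")
        $ms.PageSize = 1000
        $ms.Filter = '(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=' +
                     (ConvertTo-LdapFilterValue $groupDn) + '))'
        foreach ($a in 'samaccountname','name','pwdlastset','lastlogontimestamp','useraccountcontrol') {
            [void]$ms.PropertiesToLoad.Add($a)
        }
        foreach ($m in $ms.FindAll()) {
            $p      = $m.Properties
            $uac    = [int]$p['useraccountcontrol'][0]
            $pwdSet = ConvertFrom-FileTime ([long]$p['pwdlastset'][0])
            $pwdAge = $null
            if ($pwdSet) { $pwdAge = [int]((Get-Date).ToUniversalTime() - $pwdSet).TotalDays }
            $lastLogon = $null   # lastLogonTimestamp is replicated but may lag real logons by up to ~14 days
            if ($p['lastlogontimestamp'].Count -gt 0) { $lastLogon = ConvertFrom-FileTime ([long]$p['lastlogontimestamp'][0]) }
            New-Object PSObject -Property @{
                'Default Priv Group Name'  = $g.Name
                'Current Group Name'       = $group.Properties['name'][0]
                'Logon ID'                 = $p['samaccountname'][0]
                'Name'                     = $p['name'][0]
                'Password Age (Days)'      = $pwdAge
                'Last Logon Date'          = $lastLogon
                'Password Does Not Expire' = (($uac -band 0x10000) -ne 0)
                'Password Reversible'      = (($uac -band 0x80) -ne 0)
                'Password Not Required'    = (($uac -band 0x20) -ne 0)
            }
        }
    }
}

# Usage: Get-PrivilegedGroupMembership | Sort-Object 'Default Priv Group Name' | Format-Table -AutoSize
```

Resolving by SID is what makes the "Current Group Name (if it has been renamed)" column possible: the RID of Domain Admins is always 512 in every domain, whatever the group is currently called. A privileged account with a large Password Age, Password Does Not Expire set, or no recent logon is the usual candidate for cleanup.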
Screenshots
Here are some reports from the Domain level report…
Conclusion
This script represents a good deal of work on my part so I’m thrilled to get any feedback or suggestions for improvement. If you browse through the code I think you will find a good deal to learn from (there are even some unused functions which do some neat things with LDAP paths tucked away in here).