Zachary Loeber

I eat complexity and am never without a meal.

AD Audit Report With Powershell: Part 2

I’ve updated my AD auditing report. The forest level report now includes AD integrated zones, GPOs, and fixed code to conform to strict v2 Powershell. I’ve also included a new domain level report! This report provides some user/group stats, all privileged group membership, and more.

Reporting Features

I’ve been gradually updating my server asset reporting script as part of this project. This means several output methods are baked right in from my earlier efforts, and a few new ones have been added which are specific to the AD auditing script.

Report Containers/Types

Each report hash structure acts as a container for all of its sections and for the report types available for them. A container can hold any number of report type definitions. For the AD reports I define two structures: one for forest level reporting and another for domain level reporting. Each has its own report types, which suit different needs.

$ADForestReport

This is for the forest level reporting. The report types to choose from are:

FullDocumentation – This is suitable for the HTML/PDF reports. This is the default report type.

ExcelExport – This is suitable for Excel exports. Although the -ExportToExcel switch works with any report type, the FullDocumentation report has multiline output elements that require specially formatted HTML, and those do not translate well into Excel workbooks. This type contains all of the data in the FullDocumentation report without the special HTML formatting. If you use it, suppress the HTML output as well (in other words, use the flags -ExportToExcel -NoReport).

$ADDomainReport

This is for the domain level reporting. There is only one report type to choose from, so you do not really have to supply it to the function; it defaults to the first report type.

FullDocumentation – This is suitable for HTML/PDF reports as well as Excel exports.

HTML Templates

These HTML templates have not changed.

DynamicGrid – A heavily modified CSS layout. This is the default HTML output format.

EmailFriendly – A basic layout suitable for emailed embedded reports.

Saved Report Layout

There are a few different ways PDF/HTML reports can be output. The AD information is mostly suited to individual reports.

Individual – Each asset is saved as its own file.

One big report – Only a single report is generated, containing every asset.

Report Output

HTML – See the HTML templates for a few different options on this one.

PDF – This converts the HTML output to PDF files using a third-party open source DLL (so you still have to choose an HTML template when exporting to PDF).

Email – HTML embedded email.

Excel Export – Exports all results to Excel, with each section written to its own worksheet.

Optional Report Output

The $ADDomainReport container has a few extra export options which are controlled by global variables:

$EXPORTTOCSV_ALLUSERS – Create a CSV file with all users of the domain.

$EXPORTTOCSV_PRIVUSERS – Create a separate CSV file with all privileged users of the domain.

This may slow down the report, but the output can be quite interesting. The all-users export also appends the output of a special function I wrote to pull out all userAccountControl information for a user account, and of another special function I wrote to normalize attribute information. Normalization matters when some users are Exchange/Lync enabled and some are not: enabling a user for Exchange or Lync adds extra attributes which otherwise are not there, so the normalization accounts for these attributes and assigns them a null value when unavailable, giving every exported row the same set of columns.
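The two steps described above, decoding userAccountControl into one column per flag and padding missing attributes with nulls, look roughly like the following. This is an added example written for this page, not the report script’s own functions; the attribute list, the sample accounts and the function names are assumptions, and the flag values come from Microsoft’s ADS_USER_FLAG_ENUM documentation.

```powershell
# Added example (not from the report script). Decodes the userAccountControl
# bitmask into one boolean property per flag and normalizes a fixed set of
# attributes so that accounts without Exchange/Lync attributes get the same columns.

# userAccountControl flag values (ADS_USER_FLAG_ENUM). Note that LOCKOUT and
# PASSWORD_EXPIRED are only reliable in msDS-User-Account-Control-Computed,
# not in the stored userAccountControl attribute.
$UACFlags = @{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

function Get-UACFlags {
    param([Parameter(Mandatory=$true)][int64]$UserAccountControl)
    $obj = New-Object PSObject
    # Sort by bit value so the column order is stable from run to run (v2-safe, no [ordered]).
    foreach ($name in ($UACFlags.Keys | Sort-Object { $UACFlags[$_] })) {
        $isSet = (($UserAccountControl -band $UACFlags[$name]) -ne 0)
        $obj | Add-Member -MemberType NoteProperty -Name ('UAC_' + $name) -Value $isSet
    }
    return $obj
}

function ConvertTo-NormalizedAccount {
    param(
        [Parameter(Mandatory=$true)]$Properties,            # hashtable or a SearchResult.Properties collection
        [Parameter(Mandatory=$true)][string[]]$Columns      # every column the CSV must have
    )
    $obj = New-Object PSObject
    foreach ($col in $Columns) {
        $value = $null                                      # missing attribute -> null, never absent
        if ($Properties.Contains($col)) {
            $value = $Properties[$col]
            # DirectorySearcher wraps every value in a collection; unwrap single values.
            if ($value -is [System.Collections.ICollection] -and $value.Count -eq 1) { $value = @($value)[0] }
        }
        $obj | Add-Member -MemberType NoteProperty -Name $col -Value $value
    }
    # Append the decoded userAccountControl flags (treated as 0 when the attribute is absent).
    $uac = 0
    if ($obj.userAccountControl -ne $null) { $uac = [int64]$obj.userAccountControl }
    foreach ($flag in (Get-UACFlags $uac).PSObject.Properties) {
        $obj | Add-Member -MemberType NoteProperty -Name $flag.Name -Value $flag.Value
    }
    return $obj
}

# Constructed sample input: one mailbox/Lync-enabled user and one plain service
# account, shaped the way DirectorySearcher hands results back (values in collections).
$Columns = 'sAMAccountName','displayName','mail','msExchRecipientTypeDetails','msRTCSIP-PrimaryUserAddress','userAccountControl'
$samples = @(
    @{ sAMAccountName=@('jdoe'); displayName=@('Jane Doe'); mail=@('jdoe@example.com')
       msExchRecipientTypeDetails=@(1); 'msRTCSIP-PrimaryUserAddress'=@('sip:jdoe@example.com'); userAccountControl=@(0x10200) },
    @{ sAMAccountName=@('svc-backup'); displayName=@('Backup Service'); userAccountControl=@(0x410220) }
)

$samples | ForEach-Object { ConvertTo-NormalizedAccount -Properties $_ -Columns $Columns } |
    Select-Object sAMAccountName, mail, 'msRTCSIP-PrimaryUserAddress', UAC_DONT_EXPIRE_PASSWORD, UAC_PASSWD_NOTREQD, UAC_DONT_REQ_PREAUTH |
    Format-Table -AutoSize
```

Because every object carries the same property names, Export-Csv produces a complete header row regardless of which account happens to come first; without the normalization, Export-Csv takes its columns from the first object and silently drops attributes that only later objects have. The second sample account (0x410220) decodes to NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, PASSWD_NOTREQD and DONT_REQ_PREAUTH, which is exactly the kind of row the privileged-user CSV is meant to surface.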

Graphs

In addition to the report itself, three diagrams can be created when the script is run against the $ADForestReport container:

  • Domain trusts
  • Site replication connections
  • Site adjacencies

You can choose to create the diagram source text files and/or the PNG files with the following global variables:

$AD_CreateDiagramSourceFiles

$AD_CreateDiagrams

To actually generate the diagrams you will need Graphviz’s dot.exe executable, which can be downloaded and installed from the Graphviz site; a portable version of the application is also available. All that is required is for dot.exe to run correctly. If you use the portable version you may have to point the script at the executable’s path.

You can specify the path of dot.exe with the following global variable:

$Graphviz_Path
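As an illustration of what the diagram step does, the following added example (written for this page, not code from the report script) turns a list of trusts with the same fields as the report’s Domain Trusts section into Graphviz DOT source and renders it with dot.exe. The install path, the sample trusts and the function names are assumptions; the two switches mirror the $AD_CreateDiagramSourceFiles and $AD_CreateDiagrams globals.

```powershell
# Added example (not from the report script): emit a DOT graph of domain trusts
# and render it to PNG with dot.exe. Adjust $Graphviz_Path for a portable install.
$Graphviz_Path = 'C:\Program Files\Graphviz\bin\dot.exe'   # assumed default install path

# Constructed sample rows, using the report's Domain Trusts field names.
$trusts = @(
    New-Object PSObject -Property @{ Domain='corp.example.com'; TrustedDomain='dev.corp.example.com'; TrustDirection='Bidirectional'; TrustType='ParentChild' }
    New-Object PSObject -Property @{ Domain='corp.example.com'; TrustedDomain='partner.example.net';  TrustDirection='Outbound';      TrustType='External' }
    New-Object PSObject -Property @{ Domain='corp.example.com'; TrustedDomain='legacy.example.org';   TrustDirection='Inbound';       TrustType='Forest' }
)

function ConvertTo-DotString {
    # Escape the two characters that would break a double-quoted DOT identifier.
    param([string]$Text)
    return $Text.Replace('\', '\\').Replace('"', '\"')
}

function New-TrustDiagramSource {
    param([object[]]$Trusts)
    $lines = @('digraph DomainTrusts {', '  rankdir=LR;', '  node [shape=box, fontname="Helvetica"];')
    foreach ($t in $Trusts) {
        # Arrow points from the trusting domain to the trusted domain:
        # Outbound = Domain trusts TrustedDomain, Inbound = TrustedDomain trusts Domain.
        $dir = switch ($t.TrustDirection) {
            'Bidirectional' { 'both' }
            'Outbound'      { 'forward' }
            'Inbound'       { 'back' }
            default         { 'none' }
        }
        $style = if ($t.TrustType -eq 'ParentChild') { 'solid' } else { 'dashed' }   # external/forest trusts stand out
        $lines += ('  "{0}" -> "{1}" [dir={2}, style={3}, label="{4}"];' -f `
            (ConvertTo-DotString $t.Domain), (ConvertTo-DotString $t.TrustedDomain), $dir, $style, $t.TrustType)
    }
    $lines += '}'
    return ($lines -join "`r`n")
}

function Export-TrustDiagram {
    param(
        [Parameter(Mandatory=$true)][object[]]$Trusts,
        [Parameter(Mandatory=$true)][string]$BaseName,    # output path without extension
        [switch]$CreateSourceFile,                        # like $AD_CreateDiagramSourceFiles
        [switch]$CreatePng,                               # like $AD_CreateDiagrams
        [string]$DotExe = $Graphviz_Path
    )
    $source  = New-TrustDiagramSource -Trusts $Trusts
    $dotFile = "$BaseName.dot"
    if ($CreateSourceFile -or $CreatePng) { [System.IO.File]::WriteAllText($dotFile, $source) }
    if ($CreatePng) {
        if (-not (Test-Path $DotExe)) { throw "dot.exe not found at '$DotExe'; set `$Graphviz_Path to your Graphviz bin folder" }
        & $DotExe -Tpng $dotFile -o "$BaseName.png"
        if ($LASTEXITCODE -ne 0) { throw "dot.exe returned exit code $LASTEXITCODE" }
        if (-not $CreateSourceFile) { Remove-Item $dotFile }   # source was only a temp file
    }
}

Export-TrustDiagram -Trusts $trusts -BaseName (Join-Path (Get-Location) 'forest-trusts') -CreateSourceFile -CreatePng
```

Writing the .dot file even when only the PNG is requested keeps the dot.exe call simple (it reads a file rather than stdin) and gives you something to inspect if rendering fails; the same source renders to SVG or PDF by changing -Tpng.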

Report Data

I’ve included only items which can be gathered from Active Directory with a regular user account and without any special AD modules. Each report contains different information worth checking out:

$ADForestReport

This contains forest wide information.

Forest Information

Forest Summary

  • Name
  • Functional Level
  • Domain Count
  • Site Count
  • DC Count
  • GC Count
  • Exchange Count
  • Lync/Pool counts

Forest Features

  • Tombstone Lifetime
  • Recycle Bin Enabled
  • Lync AD Container

Exchange Servers

  • Organization
  • Administrative Group
  • Name
  • Roles
  • Site
  • Serial/Product ID

Lync/OCS

  • Element (Server/Pool)
  • Type (Internal/Edge/Backend/Pool)
  • Name/FQDN

Site Information

Summary

  • Site Name
  • Location
  • Domains
  • DCs
  • Subnets

Details

  • Site Name
  • Options
  • ISTG
  • Links
  • Bridgeheads
  • Adjacencies

Subnets

  • Subnet
  • Site Name
  • Location

Site Connections

  • Enabled
  • Options
  • From
  • To

Domain Information

Forest Domains

  • Name
  • NetBIOS
  • Functional Level
  • Forest Root
  • Assigned FSMO Roles

Domain Password Policies

  • Domain Name
  • NetBIOS Name
  • Lockout Threshold
  • Pass History Length
  • Max Pass Age
  • Min Pass Age
  • Min Pass Length

Domain Controllers

  • Domain
  • Site
  • Server Name
  • OS
  • Time
  • IP
  • GC
  • FSMO Roles

Domain Trusts

  • Domain
  • Trusted Domain
  • Trust Direction
  • Attributes
  • Trust Type
  • Created
  • Modified

DFS Shares

  • Domain
  • Name
  • DN
  • Remote Server

DFSR Shares

  • Domain
  • Name
  • Content (shares)
  • Remote Servers

Integrated DNS Zones

  • Zone Name
  • Domain
  • Partition
  • Record Count
  • Created
  • Changed

GPOs

  • Domain
  • Name
  • Created
  • Changed

$ADDomainReport

This contains per-domain account and group information which is largely focused on account security and discovery.

Account Statistics (count) 1

  • Total User Accounts
  • Enabled
  • Disabled
  • Locked
  • Password Does Not Expire
  • Password Must Change

Account Statistics (count) 2

  • Password Not Required
  • Dial-in Enabled
  • Control Access With NPS
  • Unconstrained Delegation
  • Not Trusted For Delegation
  • No Pre-Auth Required

Group Statistics

  • Total Groups
  • Built-in
  • Universal Security
  • Universal Distribution
  • Global Security
  • Global Distribution
  • Domain Local Security
  • Domain Local Distribution

Privileged Group Statistics

  • Default Priv Group Name
  • Current Group Name (if it has been changed)
  • Member Count

Privileged Group Membership for the following groups

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
  • Cert Publishers
  • Account Operators
  • Server Operators
  • Backup Operators
  • Print Operators

Account information shown for the members of the groups above:

  • Logon ID
  • Name
  • Password Age (Days)
  • Last Logon Date
  • Password Does Not Expire
  • Password Reversible
  • Password Not Required
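The point made earlier, that all of this is gathered with a regular user account and no AD module, is worth seeing in code, because it is also exactly what an attacker with a stolen domain user credential can enumerate. The following is an added example written for this page, not the report script’s own code: it resolves each privileged group by its well-known SID (so a renamed Domain Admins is still found, which is what the default-name/current-name columns are for), expands nested membership server-side, and reports the account fields listed above using plain ADSI. The helper names are assumptions; it must run on a domain-joined host and only returns users in the current domain partition.

```powershell
# Added example (not from the report script): enumerate privileged group membership
# with System.DirectoryServices only, under the rights of an ordinary domain user.

# Well-known RIDs (domain-relative) and SIDs (Builtin) of the groups in the report.
# Resolving by SID finds a group even if an administrator renamed it.
$PrivilegedGroupIds = @{
    'Enterprise Admins' = 519; 'Schema Admins' = 518; 'Domain Admins' = 512; 'Cert Publishers' = 517
    'Administrators' = 'S-1-5-32-544'; 'Account Operators' = 'S-1-5-32-548'; 'Server Operators' = 'S-1-5-32-549'
    'Backup Operators' = 'S-1-5-32-551'; 'Print Operators' = 'S-1-5-32-550'
}

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP filter (RFC 4515); DNs can contain them.
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-PrivilegedGroup {
    param([string]$DefaultName, $Id, [string]$DomainSid)
    $sid   = if ($Id -is [int]) { "$DomainSid-$Id" } else { [string]$Id }
    $entry = [ADSI]"LDAP://<SID=$sid>"
    try { $entry.RefreshCache() } catch { return $null }   # e.g. Enterprise Admins outside the forest root
    New-Object PSObject -Property @{
        DefaultName = $DefaultName
        CurrentName = [string]$entry.sAMAccountName
        DN          = [string]$entry.distinguishedName
    }
}

function Get-NestedUserMembers {
    param([string]$GroupDN, [string]$SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    $searcher.PageSize = 1000                                   # paged results: no 1000-object cap
    # LDAP_MATCHING_RULE_IN_CHAIN makes the DC expand nested groups server-side (2003 SP2+).
    # Foreign security principals from trusted domains are not objectCategory=person here,
    # so members that come in through another domain are not listed by this query.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=' + (ConvertTo-LdapFilterValue $GroupDN) + '))'
    foreach ($attr in 'samaccountname','name','pwdlastset','lastlogontimestamp','useraccountcontrol') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties
        $uac = [int64]$p['useraccountcontrol'][0]
        $pwdSet = [int64]$p['pwdlastset'][0]                    # FILETIME; 0 means never set / must change
        $pwdAgeDays = $null
        if ($pwdSet -gt 0) { $pwdAgeDays = [int]((Get-Date) - [DateTime]::FromFileTime($pwdSet)).TotalDays }
        $lastLogon = $null                                      # absent for accounts that never logged on
        if ($p.Contains('lastlogontimestamp')) { $lastLogon = [DateTime]::FromFileTime([int64]$p['lastlogontimestamp'][0]) }
        New-Object PSObject -Property @{
            LogonID               = [string]$p['samaccountname'][0]
            Name                  = [string]$p['name'][0]
            PasswordAgeDays       = $pwdAgeDays
            LastLogonDate         = $lastLogon
            PasswordDoesNotExpire = (($uac -band 0x10000) -ne 0)   # DONT_EXPIRE_PASSWORD
            PasswordReversible    = (($uac -band 0x80) -ne 0)      # ENCRYPTED_TEXT_PWD_ALLOWED
            PasswordNotRequired   = (($uac -band 0x20) -ne 0)      # PASSWD_NOTREQD
        }
    }
}

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDN  = [string]$rootDse.defaultNamingContext
$domainSid = (New-Object System.Security.Principal.SecurityIdentifier(([ADSI]"LDAP://$domainDN").objectSid.Value, 0)).Value

$summary = @()
$members = @()
foreach ($name in ($PrivilegedGroupIds.Keys | Sort-Object)) {
    $group = Get-PrivilegedGroup -DefaultName $name -Id $PrivilegedGroupIds[$name] -DomainSid $domainSid
    if ($group -eq $null) { Write-Warning "$name is not present in $domainDN"; continue }
    $found = @(Get-NestedUserMembers -GroupDN $group.DN -SearchBase $domainDN)
    $summary += New-Object PSObject -Property @{ DefaultName=$group.DefaultName; CurrentName=$group.CurrentName; MemberCount=$found.Count }
    $members += $found | Add-Member -MemberType NoteProperty -Name Group -Value $group.CurrentName -PassThru
}

$summary | Format-Table DefaultName, CurrentName, MemberCount -AutoSize
$members | Format-Table Group, LogonID, Name, PasswordAgeDays, LastLogonDate, PasswordDoesNotExpire, PasswordReversible, PasswordNotRequired -AutoSize
```

Two things to keep in mind when reading the output: lastLogonTimestamp is only replicated when it is more than (by default) 14 days stale, so a recent logon can show as older than it really is, and the Administrators membership includes everything nested under Domain Admins and Enterprise Admins, so the same account will usually appear under several groups.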

Screenshots

Here are some screenshots from the domain level report.

Conclusion

This script represents a good deal of work on my part so I’m thrilled to get any feedback or suggestions for improvement. If you browse through the code I think you will find a good deal to learn from (there are even some unused functions which do some neat things with LDAP paths tucked away in here).

Downloads

Download from the TechNet Gallery