################################################################################
## Script description
##
##
##
## Name     : ADReport.ps1
##
## Version : 0.2
##
## Date     : 2014-12-15
##
## Language : PowerShell (ActiveDirectory module cmdlets)
##
## License : Proprietary
##
## Owner    : Krzysztof Pytko (iSiek)
##
## Authors : Krzysztof Pytko (iSiek) <kpytko at go2 dot pl>
##
################################################################################
################################################################################
# Load the Active Directory PowerShell module; every Get-AD* cmdlet used below depends on it
Import-Module ActiveDirectory
# Custom function to scan the specified AD domain and collect data (read-only Get-AD* queries;
# run it under the least-privileged account that can read the domain, not a Domain Admin)
function Get-DomainInfo($DomainName)
{
Write-Host ""
Write-Host -ForegroundColor white -BackgroundColor black "Collecting Act
ive Directory data..."
# Start of data collection for specified domain by function
$DomainInfo = Get-ADDomain $DomainName
# Variables definition
$domainSID = $DomainInfo.DomainSID
$domainDN = $DomainInfo.DistinguishedName
$domain = $DomainInfo.DNSRoot
$NetBIOS = $DomainInfo.NetBIOSName
$dfl = $DomainInfo.DomainMode
# Domain FSMO roles
$FSMOPDC = $DomainInfo.PDCEmulator
$FSMORID = $DomainInfo.RIDMaster
$FSMOInfrastructure = $DomainInfo.InfrastructureMaster
$DClist = $DomainInfo.ReplicaDirectoryServers
$RODCList = $DomainInfo.ReadOnlyReplicaDirectoryServers
$cmp_location = $DomainInfo.ComputersContainer
$usr_location = $DomainInfo.UsersContainer
$FGPPNo = "feature not supported"
# If there is more than one Windows Server 2008 R2 domain controller
else
{
# Get the Default Domain Password Policy from the first DC on the filtered list
$pwdGPO = Get-ADDefaultDomainPasswordPolicy -Server $DCListFilte
red[0]
0
0
0
= 0
0
$cmp_srvos_2012r2 = 0
# Get information about Active Directory objects
$ou_objectsNo = (Get-ADOrganizationalUnit -Server $domain -Filter * | Me
asure-Object).Count
$cmp_objects = Get-ADComputer -Server $domain -Filter * -Properties oper
atingSystem
$cmp_objectsNo = $cmp_objects.Count
$cmp_objects | %{ if ($_.operatingSystem
l*") { $cmp_os_2000 = $cmp_os_2000 + 1 } }
$cmp_objects | %{ if ($_.operatingSystem
xp = $cmp_os_xp + 1 } }
$cmp_objects | %{ if ($_.operatingSystem
= $cmp_os_7 + 1 } }
$cmp_objects | %{ if ($_.operatingSystem
8 = $cmp_os_8 + 1 } }
$cmp_objects | %{ if ($_.operatingSystem
_81 = $cmp_os_81 + 1 } }
}
Write-Host ""
# End of Global Catalogs section
: "
: "
: "
: "
: "
Write-Host ""
Write-Host
Write-host
-NoNewLine
Write-Host
Write-host
-NoNewLine
Write-Host
Write-host
-NoNewLine
Write-Host
Write-host
-NoNewLine
Write-Host
Write-host
-NoNewLine
Write-Host
Write-host
-NoNewLine
Write-Host
: "
: "
: "
: "
: "
: "
Write-Host ""
# End of total OUs number
# Total number of domain users, broken down into active / inactive / locked-out accounts plus the two
# risk flags worth reviewing individually: "password not required" and "password never expires"
Write-Host ""
: " -N
oNewLine
Write-Host -ForegroundColor green $usr_active_objectsNo
Write-host -ForegroundColor yellow " Inactive
: " -N
oNewLine
Write-Host -ForegroundColor green $usr_inactive_objectsNo
Write-host -ForegroundColor yellow " Locked out
: " -N
oNewLine
Write-Host -ForegroundColor green $usr_locked_objectsNo
Write-host -ForegroundColor yellow " Password not required
: " -N
oNewLine
Write-Host -ForegroundColor green $usr_pwdnotreq_objectsNo
Write-host -ForegroundColor yellow " Password never expires
: " -N
oNewLine
Write-Host -ForegroundColor green $usr_pwdnotexp_objectsNo
Write-Host ""
# End of total domain users number
# Total number of domain groups
Write-Host "Total number of group objects : " -NoNewLine
Write-Host -ForegroundColor green $grp_objectsNo
Write-Host -ForegroundColor yellow " Global
: " -N
oNewLine
Write-Host -ForegroundColor green $grp_objects_globalNo
Write-Host -ForegroundColor yellow " Universal
: " -N
oNewLine
Write-Host -ForegroundColor green $grp_objects_universalNo
Write-Host -ForegroundColor yellow " Domain Local
oNewLine
Write-Host -ForegroundColor green $grp_objects_localNo
Write-Host ""
# End of total domain groups number
: " -N
}
Write-Host ""
Write-Host ""
# End of total domain administrators number
: " -NoNewLine
else
{
Write-Host -ForegroundColor Red "does not exist"
}
if ($gpoDefaultDomainController -ne $nul)
{
Write-Host "Default Domain Controllers policy : " -NoNewLine
Write-Host -ForegroundColor Green "exists"
}
else
{
Write-Host -ForegroundColor Red "does not exist"
}
Write-Host ""
# End of default domain policies check.
# NOTE(review): the existence checks above compare against `$nul` (an undefined variable that only
# happens to evaluate to $null); under Set-StrictMode this throws — `$null` is what is intended.
)"
Write-Host "Password history count: " -NoNewLine
Write-Host -ForegroundColor green $pwdGPO.PasswordHistoryCount "unique p
assword(s)"
Write-Host "Password must meet complexity: " -NoNewLine
if ( $pwdGPO.ComplexityEnabled )
{
Write-Host -ForegroundColor green "yes"
}
else
{
Write-Host -ForegroundColor red "no"
}
Write-Host "Password uses reversible encryption: " -NoNewLine
if ( $pwdGPO.ReversibleEncryptionEnabled )
{
Write-Host -ForegroundColor red "yes"
}
else
{
Write-Host -ForegroundColor green "no"
}
Write-Host ""
Write-Host "Account lockout treshold: " -NoNewLine
if ($pwdGPO.LockoutThreshold -eq 0 )
{
Write-Host -ForegroundColor red "Account never locks out"
}
else
{
Write-Host -ForegroundColor green $pwdGPO.LockoutThreshold "inva
lid logon attempts"
Write-Host "Account lockout duration time: " -NoNewline
if ( $pwdGPO.LockoutDuration.days -eq 0 -and $pwdGPO.LockoutDura
tion.hours -eq 0 -and $pwdGPO.LockoutDuration.minutes -eq 0 )
{
Write-Host -ForegroundColor red "Password may be unlocke
d by an administrator only"
}
else
{
Write-Host -ForegroundColor yellow $pwdGPO.LockoutDurati
on.days "day(s)"$pwdGPO.LockoutDuration.hours "hour(s)"$pwdGPO.LockoutDuration.m
inutes "min(s)"
Write-Host "Account lockout counter resets after: " -NoN
ewline
Write-Host -ForegroundColor yellow $pwdGPO.LockoutObserv
ationWindow.days "day(s)"$pwdGPO.LockoutObservationWindow.hours "hour(s)"$pwdGPO
.LockoutObservationWindow.minutes "min(s)"
}
}
# End of Default Domain Password Policy details.
# NOTE(review): this section reports the default domain policy only; where fine-grained password
# policies (FGPP) are in use they override these settings for their targets and are not reflected here.
$configPartition = $ForestInfo.PartitionsContainer.Replace("CN=Partitions,",
"")
Server 2
Server 2
Server 2
Server 2
Server 2
Server 2
Server 2
Server 2
Server 2
Server 2
Server 2
Server 2
Server 2
Server 2
- "$Exch
}
$ExchOrganization = (Get-ADObject -Server $forest -Identity "cn=Micr
osoft Exchange,cn=Services,$configPartition" -Properties templateRoots).template
Roots
$ExchOrgName = (Get-ADObject -Server $forest -Identity $($ExchOrgani
zation -Replace "cn=Addressing," , "") -Properties name).name
Write-Host ""
Write-Host "Microsoft Exchange Organization name"
Write-Host -ForegroundColor Green $ExchOrgName
} #end if
else
{
Write-Host -ForegroundColor green "(not present)"
}
Write-Host ""
# End of Exchange version
else
{
Write-Host -ForegroundColor green "(not present)"
}
Write-Host ""
# End of Lync version
# Forest tombstoneLifetime
$tombstoneLifetime = (Get-ADobject -Server $forest -Identity "cn=Directory S
ervice,cn=Windows NT,cn=Services,$configPartition" -Properties tombstoneLifetime
).tombstoneLifetime
Write-Host "Tombstone lifetime"
if ($tombstoneLifetime -ne $nul)
{
Write-Host -ForegroundColor Green $tombstoneLifetime" day(s)"
}
else
{
# Trusts enumeration — only CanonicalName and trustDirection are collected below; trustAttributes
# (SID filtering / quarantine, selective authentication, transitivity) are not read, so the arrows
# show direction only and say nothing about whether a trust is hardened.
Write-Host "List of trusts"
$ADTrusts = Get-ADObject -Server $forest -Filter { objectClass -eq "trustedD
omain" } -Properties CanonicalName,trustDirection
if ($ADTrusts.Count -gt 0)
{
foreach ($Trust in $ADTrusts)
{
switch ($Trust.trustDirection)
{
3 { $trustInfo=($Trust.CanonicalName).Replace("/Syst
em/"," <===> ") }
2 { $trustInfo=($Trust.CanonicalName).Replace("/Syst
em/"," <---- ") }
1 { $trustInfo=($Trust.CanonicalName).Replace("/Syst
em/"," ----> ") }
}
# Sites enumeration
$ConfigurationPart = ($ForestInfo.PartitionsContainer -Replace "CN=Partition
s,","")
$AllSites = Get-ADObject -Server $forest -Filter { objectClass -eq "site" }
-SearchBase $ConfigurationPart -Properties *
# Loop for Sites and Subnets
foreach ( $Site in $AllSites )
{
Write-Host -ForegroundColor black -BackgroundColor yellow "Site:"$Si
te.Name
Write-Host
Write-Host -ForegroundColor yellow "Server(s) in site:"
Write-Host
$ServersInSite = Get-ADObject -Server $forest -Filter { objectClass
-eq "server" } -SearchBase $Site.distinguishedName -SearchScope Subtree -Propert
ies Name | Select Name | Sort-Object Name
# Loop for Domain Controller details.
# NOTE(review): unlike the site/server queries above, Get-ADDomainController and the two Get-ADObject
# lookups below pass no -Server, so they run against the currently connected domain; in a multi-domain
# forest the FRS/DFSR lookups for DCs of other domains may not resolve — confirm.
foreach ($Server in $ServersInSite)
{
# If any DC is in Site
if ( $Server -ne $nul )
{
$dcDetails = Get-ADDomainController $Server.Name
$dcDN = $dcDetails.ComputerObjectDN -Replace $dcDeta
ils.Name,""
$dcDN = $dcDN -Replace "CN=,",""
$dcFRS = "CN=Domain System Volume (SYSVOL share),CN=
NTFRS Subscriptions,$($dcdetails.computerobjectdn)"
$dcDFSR = "CN=SYSVOL Subscription,CN=Domain System V
olume,CN=DFSR-LocalSettings,$($dcdetails.computerobjectdn)"
$dcFRSinfo = Get-ADObject -Filter { distinguishedNam
e -eq $dcFRS } -Properties fRSRootPath
$dcDFSRinfo = Get-ADObject -Filter { distinguishedNa
me -eq $dcDFSR } -Properties msDFSR-RootPath, msDFSR-RootSizeInMb
: "$dcDetails.ipv4add
ress
# IPv6 address
if ($dcDetails.ipv6address -ne $nul)
{
Write-Host "IP address (v6)
: "$dcDetails
: (none)"
.ipv6address
}
else
{
}
# End of IPv6 address section
: "$dcDetails
.operatingSystemServicePack
}
# End of operating system and service pack level sec
tion
{
Write-Host "SYSVOL replication : FRS"
Write-Host "SYSVOL location
: "$dcFRSinfo
.fRSRootPath.toUpper()
}
# End of SYSVOL FRS section
: "$d
: 4G
cDFSRinfo."msDFSR-RootSizeInMb"
}
else
{
B (default setting)"
}
# End of SYSVOL size
}
# End of SYSVOL DFS-R section
}
# End of section where DC is in Site
# If no DC in Site
else
{
Write-Host -ForegroundColor green "(none)"
}
# End of section where no DC in Site
Write-Host ""
} # End of sub foreach for Domain Controllers details