Active Directory Security Checkup

VOLSYS 10

Active Directory Domain X-Ray

Active Directory Security Checkup Tool

Active Directory sağlık ve güvenlik kontrollerini yapmak, ayrıca domaininizi ayrıntılı bir güvenlik bakış açısıyla incelemek için aşağıdaki PowerShell scriptini kullanabilirsiniz.


<#

Active Directory Health – Security Checkup

Volsys10 10.9.2020

99

Conrad

#>

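# Prepare the output folder C:\Volsys\<ddMMyyyy> and the run log adcheck.txt.
# Every later step writes its export below this folder and appends one line to the log.
$volsysRoot = 'C:\Volsys'

# Test-Path replaces the original Get-ChildItem probe: Get-ChildItem raises an error when the
# folder is missing and returns nothing for an existing but empty folder, so the original
# tried to create a folder that was already there.
if (-not (Test-Path -LiteralPath $volsysRoot)) {
    New-Item -Path $volsysRoot -ItemType Directory | Out-Null
}

# The exports list privileged group members, ACLs, GPO backups and logon data, so the folder
# is limited to local Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) instead of
# inheriting whatever ACL the root of C:\ carries.
icacls $volsysRoot /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

# $d (day, month, year) names the per-run sub-folder and is read by every later step.
$d = Get-Date -UFormat %d%m%Y
$runDir = Join-Path -Path $volsysRoot -ChildPath $d
if (-not (Test-Path -LiteralPath $runDir)) {
    New-Item -Path $runDir -ItemType Directory | Out-Null
}

# Later steps use relative names such as adcheck.txt, so the run folder must be the
# current location. An absolute path is used because "cd\" only goes to the root of the
# current drive, which need not be C:.
Set-Location -Path $runDir

# A second run on the same day appends to the existing log instead of failing on New-Item.
if (-not (Test-Path -LiteralPath 'ADCHECK.txt')) {
    New-Item -Name ADCHECK.txt -ItemType File | Out-Null
}
Add-Content adcheck.txt "Exported Files to be in C:\Volsys\$d\"
Add-Content adcheck.txt "======================================================"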

# 1. Backup status of the directory partitions on every DC, as reported by repadmin.
repadmin /showbackup * > C:\Volsys\$d\1-ADBackupStatus.txt
Add-Content -Path adcheck.txt -Value "`r`n 1.AD Backup is controlled"
Clear-Host

# 2. Create an Active Directory snapshot with ntdsutil.
# The snapshot is a point-in-time copy of the directory database and stays on the DC;
# nothing in the visible script deletes it afterwards.
# NOTE(review): remove the snapshot once the checkup is done if it is not needed.
New-Item -ItemType File -Name 2-ADSnapshot.txt
Add-Content -Path 2-adsnapshot.txt -Value "Active Directory Snapshot is started"
ntdsutil "act inst ntds" snap cre "list all" q q
Add-Content -Path adcheck.txt -Value "`r`n 2.Active Directory SnapShot is taken"

# 3. Distinguished name of every object in the domain (written to the run folder).
Get-ADObject -Filter * -Properties * |
    Format-Table -Property DistinguishedName |
    Out-File -FilePath 3-DN.txt
Add-Content -Path adcheck.txt -Value "`r`n 3.DistinguishedName’s are exported"

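# 4. Back up every GPO of the domain into C:\Volsys\<date>\GPOBackup.
# A GPO backup holds the full policy settings, so it is as sensitive as SYSVOL itself.
New-Item -Name 4-GPOBackup.txt -ItemType File
Add-Content 4-gpobackup.txt "GPOs backup is started"
# Absolute path so the folder is created where Backup-GPO expects it, whatever the current location is.
New-Item -Path "C:\Volsys\$d\GPOBackup" -ItemType Directory
Backup-GPO -All -Path "C:\Volsys\$d\GPOBackup"
$GPOB = "`r`n 4.GPO backup is done"
$GPOB | Add-Content adcheck.txt

# 5. Export the DNS zone named after the domain's DNS root.
New-Item -Name 5-DNSExport.txt -ItemType File
Add-Content 5-dnsexport.txt "DNS Zones export"
$dns = (Get-ADDomain -Current LocalComputer).dnsroot
# The original also assigned "$dns1 = $dns.export"; a string has no "export" property, the
# result was $null and never read, so the assignment is dropped.
# Export-DnsServerZone writes dnsbackup.export into the DNS server's own data folder
# (%SystemRoot%\System32\dns), not into the run folder.
# NOTE(review): the export appears to fail when that file already exists - confirm before re-running.
Export-DnsServerZone $dns dnsbackup.export
$dnsex = "`r`n 5.DNS Zone Export is complete"
$dnsex | Add-Content adcheck.txt
Clear-Host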

# 6. Forest properties followed by domain properties, in one file.
Get-ADForest | Out-File -FilePath "C:\Volsys\$d\6-ForestDomain.txt"
Get-ADDomain | Out-File -FilePath "C:\Volsys\$d\6-ForestDomain.txt" -Append
Add-Content -Path adcheck.txt -Value "`r`n 6.Exporting Forest and Domain info"

# 7. Direct members of Domain Admins (nested groups are listed as groups, not expanded).
Get-ADGroupMember "domain admins" |
    Format-Table name, samaccountname |
    Out-File -FilePath "C:\Volsys\$d\7-DomainAdmins.txt"
Add-Content -Path adcheck.txt -Value "`r`n 7.Exporting Domain Admins group members"

# 8. Direct members of Enterprise Admins.
Get-ADGroupMember "enterprise admins" |
    Format-Table name, samaccountname |
    Out-File -FilePath "C:\Volsys\$d\8-EnterpriseAdmins.txt"
Add-Content -Path adcheck.txt -Value "`r`n 8.Exporting Enterprise Admins group members"
Clear-Host

# 9. Direct members of Schema Admins.
Get-ADGroupMember "schema admins" |
    Format-Table name, samaccountname |
    Out-File -FilePath "C:\Volsys\$d\9-SchemAdmins.txt"
Add-Content -Path adcheck.txt -Value "`r`n 9.Exporting Schema Admins group members"

# 10. Direct members of the built-in Administrators group.
Get-ADGroupMember "administrators" |
    Format-Table name, samaccountname |
    Out-File -FilePath "C:\Volsys\$d\10-Administrators.txt"
Add-Content -Path adcheck.txt -Value "`r`n 10.Exporting Administrators group members"

# 11-14. Last logon data of the members of the four groups above, collected in one file.
# Each member is piped to Get-ADUser, so a member that is not a user account
# (a nested group, for instance) is presumably reported as an error rather than listed.
Get-ADGroupMember "domain admins" |
    Get-ADUser -Properties * |
    Format-Table name, samaccountname, lastlogondate, lastlogontimestamp |
    Out-File -FilePath "C:\Volsys\$d\11-Logondates.txt"
Add-Content -Path adcheck.txt -Value "`r`n 11.Exporting Logon time of Domain Admins group members."

Get-ADGroupMember "enterprise admins" |
    Get-ADUser -Properties * |
    Format-Table name, samaccountname, lastlogondate, lastlogontimestamp |
    Out-File -FilePath "C:\Volsys\$d\11-Logondates.txt" -Append
Add-Content -Path adcheck.txt -Value "`r`n 12.Exporting Logon time of Enterprise Admins group members."
Clear-Host

Get-ADGroupMember "schema admins" |
    Get-ADUser -Properties * |
    Format-Table name, samaccountname, lastlogondate, lastlogontimestamp |
    Out-File -FilePath "C:\Volsys\$d\11-Logondates.txt" -Append
Add-Content -Path adcheck.txt -Value "`r`n 13.Exporting Logon time of Schema Admins group members."

Get-ADGroupMember "administrators" |
    Get-ADUser -Properties * |
    Format-Table name, samaccountname, lastlogondate, lastlogontimestamp |
    Out-File -FilePath "C:\Volsys\$d\11-Logondates.txt" -Append
Add-Content -Path adcheck.txt -Value "`r`n 14.Exporting Logon time of Administrators group members."
Clear-Host

# 15. Remaining RID pool: only the matching line of the verbose RidManager test is kept.
Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain" > C:\Volsys\$d\12-RIDPOOL.txt
Add-Content -Path adcheck.txt -Value "`r`n 15.Rid Pool control"

# 16. Total size of the files under c:\windows\ntds.
Get-ChildItem c:\windows\ntds -Recurse |
    Measure-Object -Property Length -Sum |
    Out-File -FilePath "C:\Volsys\$d\13-NTDSSeize.txt"
Add-Content -Path adcheck.txt -Value "`r`n 16.Exporting NTDS size"

# 17. Total size of the files under c:\windows\sysvol.
Get-ChildItem c:\windows\sysvol -Recurse |
    Measure-Object -Property Length -Sum |
    Out-File -FilePath "C:\Volsys\$d\14-SYSVOLSeize.txt"
Add-Content -Path adcheck.txt -Value "`r`n 17.Exporting Sysvol size."

# 18. Replication status of every DC as an HTML table (selected repadmin CSV columns).
$replColumns = "Source DSA", "Naming Context", "Destination DSA", "Number of Failures", "Last Failure Time", "Last Success Time", "Last Failure Status"
Repadmin /showrepl * /csv |
    ConvertFrom-Csv |
    Select-Object $replColumns |
    ConvertTo-Html |
    Out-File -FilePath "C:\Volsys\$d\15-ADReplSum.html"
Add-Content -Path adcheck.txt -Value "`r`n 18.Checking AD replication."

# 19. Backup status again, after the snapshot taken in step 2 (appended to its own file).
repadmin /showbackup * >> C:\Volsys\$d\16-ADBackupStatus.txt
Add-Content -Path adcheck.txt -Value "`r`n 19.Exporting AD backup status after snapshut."
Clear-Host

# 20. Holders of the FSMO roles.
netdom query fsmo > C:\Volsys\$d\17-FSMORoles.txt
Add-Content -Path adcheck.txt -Value "`r`n 20.Checking FSMO roles."

# 21. Schema version: objectVersion of the schema naming context.
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion |
    Out-File -FilePath "C:\Volsys\$d\18-SchemaVersion.txt"
Add-Content -Path adcheck.txt -Value "`r`n 21.Checking Schema version."

# 22. Windows Time configuration of this DC, then the w32tm monitor output.
W32tm /query /configuration > C:\Volsys\$d\19-TimeConfig.txt
W32tm /monitor >> C:\Volsys\$d\19-TimeConfig.txt
Add-Content -Path adcheck.txt -Value "`r`n 22.Checking Time Server."

# 23. User accounts inactive for 12 weeks; at most 5000 results are returned.
dsquery user -inactive 12 -limit 5000 > C:\Volsys\$d\20-InActiveUsers.txt
Add-Content -Path adcheck.txt -Value "`r`n 23.Exporting list of people who did not loging last three months."
Clear-Host

# 24. Computer accounts inactive for 12 weeks; at most 5000 results are returned.
dsquery computer -inactive 12 -limit 5000 > C:\Volsys\$d\21-InActiveComputers.txt
Add-Content -Path adcheck.txt -Value "`r`n 24.Exporting list of computers which did not authenticate last three months"

# 25. userAccountControl mask 66048 = 65536 (DONT_EXPIRE_PASSWORD) + 512 (NORMAL_ACCOUNT):
# the filter selects normal accounts whose password never expires. It does not test the
# "password not required" bit (32), although the log line below mentions it.
Get-ADUser -Filter 'useraccountcontrol -band 66048' -Properties useraccountcontrol |
    Sort-Object enabled |
    Format-Table Name, Samaccountname, Enabled |
    Out-File -FilePath "C:\Volsys\$d\22-PassNeverExpiredUsers.txt"
Add-Content -Path adcheck.txt -Value "`r`n 25.Exporting Password not required and password never expired users."

# 26. Mask 544 = 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD): accounts allowed to have no password.
Get-ADUser -Filter 'useraccountcontrol -band 544' -Properties useraccountcontrol |
    Format-Table Name, Samaccountname, useraccountcontrol |
    Out-File -FilePath "C:\Volsys\$d\23-PassNotRequiredUsers.txt"
Add-Content -Path adcheck.txt -Value "`r`n 26. Listing Password not required users."

# 27. Bad-password counters of all users, sorted by the time of the last bad password.
# badpasswordtime is stored as a file time and converted to a DateTime for the report.
$badPasswordTime = @{ N = 'badpasswordtime'; E = { [DateTime]::FromFileTime($_.badpasswordtime) } }
Get-ADUser -Filter * -Properties * |
    Sort-Object badpasswordtime |
    Format-Table name, badpwdcount, $badPasswordTime, lastlogondate |
    Out-File -FilePath "C:\volsys\$d\24-Security.txt"
Add-Content -Path adcheck.txt -Value "`r`n 27.Listing users if Account Lock Out value is 5."

# 28. Name, domain, site, IPv4 address and operating system of every DC, sorted by site.
Get-ADDomainController -Filter * |
    Sort-Object site |
    Format-Table name, domain, site, IPv4Address, operatingsystem -Wrap |
    Out-File -FilePath "c:\volsys\$d\25-DCInfo.txt"
Add-Content -Path adcheck.txt -Value "`r`n 28.Exporting OS and IP info of DCs."
Clear-Host

# 29. Replication summary.
Repadmin /replsum > c:\Volsys\$d\26-Replication.txt
Add-Content -Path adcheck.txt -Value "`r`n 29.Exporting Replication configuration status."

# 30. Replication configuration of all DCs: seven repadmin reports appended to one file.
repadmin /showoutcalls * > c:\Volsys\$d\27-Replconfig.txt
repadmin /bridgeheads * /verbose >> c:\Volsys\$d\27-Replconfig.txt
repadmin /istg * /verbose >> c:\Volsys\$d\27-Replconfig.txt
repadmin /failcache * >> c:\Volsys\$d\27-Replconfig.txt
Repadmin /showtrust * >> c:\Volsys\$d\27-Replconfig.txt
repadmin /bind * >> c:\Volsys\$d\27-Replconfig.txt
repadmin /queue * >> c:\Volsys\$d\27-Replconfig.txt
Add-Content -Path adcheck.txt -Value "`r`n 30.AD DC replication configuration is exported"

# 31. Run the Directory Services Best Practices Analyzer model and keep every result
# whose severity is not "Information".
$BPAModel = "Microsoft/Windows/DirectoryServices"
$LogPath = "c:\Volsys\$d"   # assigned here but not read by the visible script
Invoke-BpaModel -Id $BPAModel
Get-BpaResult -Id $BPAModel |
    Where-Object { $_.severity -ne "Information" } |
    Out-File -FilePath c:\Volsys\$d\28-BestPracticesWarnings.log
Add-Content -Path adcheck.txt -Value "`r`n 31.Exporting AD Best Practice Analyzer results."

# 32. Accidental-deletion protection flag of every OU, sorted by that flag.
Get-ADOrganizationalUnit -Filter * -Properties * |
    Sort-Object ProtectedFromAccidentalDeletion |
    Format-Table canonicalname, ProtectedFromAccidentalDeletion |
    Out-File -FilePath "c:\Volsys\$d\29-ProtectedOU.txt"
Add-Content -Path adcheck.txt -Value "`r`n 32. Exporting Protected OU status."
Clear-Host

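# 33. Last boot date and time of every DC in this domain and its child domains.
# Each DC gets one row; BootDate/BootTime stay "Conn Error" when the DC does not answer a
# ping or the remote query returns nothing.
$GlobalOutput = @()
$forestinfo = Get-ADForest
$domaininfo = Get-ADDomain
$rootdomain = $domaininfo.Forest

# DC computer accounts of the current domain, then of each child domain.
$AllDCs = Get-ADComputer -Server $rootdomain -SearchBase $domaininfo.DomainControllersContainer -Filter *
foreach ($child in $domaininfo.ChildDomains) {
    $searchbase = Get-ADDomain -Server $child
    $AllDCs = $AllDCs + (Get-ADComputer -Server $child -SearchBase $searchbase.DomainControllersContainer -Filter *)
}

foreach ($Computer in $AllDCs) {
    $Output = New-Object -TypeName psobject
    $Output | Add-Member -MemberType 'NoteProperty' -Name 'ComputerName' -Value $Computer.Name
    $Output | Add-Member -MemberType 'NoteProperty' -Name 'BootDate' -Value "Conn Error"
    $Output | Add-Member -MemberType 'NoteProperty' -Name 'BootTime' -Value "Conn Error"

    # The original pinged every DC twice and never read the first result; one quiet ping is enough.
    if (Test-Connection -ComputerName $Computer.Name -BufferSize 16 -Count 1 -ErrorAction SilentlyContinue -Quiet) {
        # Runs systeminfo on the DC through PowerShell remoting and keeps the "Boot Time" line.
        $a = Invoke-Command -ComputerName $Computer.Name -ScriptBlock { systeminfo | find "Boot Time" }

        # Remoting can fail even when ping succeeds; without this guard Split() was called on $null.
        if ($a) {
            # The line is cut at every 'e' and the third piece is split at the comma into date and time.
            # NOTE(review): this depends on the English "System Boot Time:" label and on a
            # "date, time" layout - confirm on DCs with another display language.
            $b = $a.Split('e')
            $c = $b[2].Split(',')
            $Output.BootTime = $c[1].Replace(" ", "")
            $Output.BootDate = $c[0].Split(':')[1].Replace(" ", "")
        }
    }

    # Reachable or not, the DC is added exactly once.
    $GlobalOutput += $Output
}

$GlobalOutput > 30-DCReboot.txt
Clear-Host
$pro = "`r`n 33. Exporting reboot time of DCs."
$pro | Add-Content adcheck.txt
Clear-Host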

import-module grouppolicy

# Tells whether a GPO XML report has no LinksTo element, i.e. the GPO is linked nowhere.
# $xmldata: the report as an [xml] document. Returns $true when GPO.LinksTo is absent, else $false.
function IsNotLinked($xmldata) {
    $hasNoLinks = [bool]($xmldata.GPO.LinksTo -eq $null)
    return $hasNoLinks
}

# 34. GPOs that are not linked to any site, domain or OU.
# Every GPO is rendered as an XML report and tested with IsNotLinked.
$unlinkedGPOs = @()
foreach ($gpo in (Get-GPO -All)) {
    foreach ($reportText in ($gpo | Get-GPOReport -ReportType xml)) {
        if (IsNotLinked([xml]$reportText)) {
            $unlinkedGPOs += $gpo
        }
    }
}

$unlinkedReport = "c:\volsys\$d\31-UnlinkedGpo.txt"
if ($unlinkedGPOs.Count -ne 0) {
    $unlinkedGPOs |
        Select-Object DisplayName, ID |
        Format-Table |
        Out-File -FilePath $unlinkedReport -Append
}
else {
    "No Unlinked GPO’s Found" | Out-File -FilePath $unlinkedReport
}

Add-Content -Path adcheck.txt -Value "`r`n 34.Exporting list of GPO which has no link to anywere."

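# 35. Effective audit policy of this DC, all categories.
auditpol /get /category:* > c:\Volsys\$d\32-AuditPolicy.txt
$Audit = "`r`n 35. Exporting Audit Policy configuration."
$Audit | Add-Content adcheck.txt

# 36. Computer accounts that report a legacy operating system (XP, 2000, 2003, 2008, NT 4.0).
# Two defects of the original are fixed here:
#  - the "2008" test stood after the closing brace of the Where-Object script block, so
#    "-or" was parsed as a parameter of Where-Object and the command failed;
#  - OperatingSystemVersion was tested but never requested, so that test could not match.
Get-ADComputer -Filter * -Property Name, OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion |
    Where-Object {
        ($_.OperatingSystem -like "*XP*") -or
        ($_.OperatingSystem -like "*2000*") -or
        ($_.OperatingSystem -like "*2003*") -or
        ($_.OperatingSystem -like "*2008*") -or
        ($_.OperatingSystemVersion -like "*4.0*")
    } |
    Format-Table Name, OperatingSystem, OperatingSystemServicePack -Wrap -AutoSize > c:\volsys\$d\33-OSSeize.txt
$OSS = "`r`n 36. Listing Legacy OS."
$OSS | Add-Content adcheck.txt

# 37. Full dcdiag run on this DC.
DCdiag > c:\Volsys\$d\34-DCdiag.txt
$DCD = "`r`n 37. DCDiag "
$DCD | Add-Content adcheck.txt
Clear-Host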

#Requires -Version 3.0

#Requires -Modules GroupPolicy

function Get-GPOLink {
<#
.SYNOPSIS
    Reports where each named GPO is linked.
.DESCRIPTION
    Produces the XML report of every GPO name it receives and emits one object per GPO
    with the GPO name, the link targets (SOMName), the Enabled and NoOverride values of
    the links, and the creation and modification dates as short date strings.
    A GPO whose report cannot be produced is skipped with a warning.
.PARAMETER Name
    One or more GPO display names. Accepted from the pipeline by value or through the
    DisplayName property of the incoming object.
#>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('DisplayName')]
        [string[]]$Name
    )

    process {
        foreach ($gpoName in $Name) {
            Write-Verbose -Message "Attempting to produce XML report for GPO: $gpoName"
            try {
                # -ErrorAction Stop turns a failed report into an exception handled below.
                [xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml -ErrorAction Stop
            }
            catch {
                Write-Warning -Message "An error occured while attempting to query GPO: $gpoName"
                continue   # nothing is emitted for this GPO; go on with the next name
            }

            Write-Verbose -Message "Returning results for GPO: $gpoName"
            $gpoNode = $report.GPO
            [PSCustomObject]@{
                'GPOName'      = $gpoNode.Name
                'LinksTo'      = $gpoNode.LinksTo.SOMName
                'Enabled'      = $gpoNode.LinksTo.Enabled
                'NoOverride'   = $gpoNode.LinksTo.NoOverride
                'CreatedDate'  = ([datetime]$gpoNode.CreatedTime).ToShortDateString()
                'ModifiedDate' = ([datetime]$gpoNode.ModifiedTime).ToShortDateString()
            }
        }
    }
}

# 38. Link targets of every GPO, produced by Get-GPOLink.
Get-GPO -All |
    Get-GPOLink |
    Format-Table -AutoSize |
    Out-File -FilePath "c:\Volsys\$d\35-GPOLinks.txt"
Add-Content -Path adcheck.txt -Value "`r`n 38. Exporting GPO links."
Clear-Host

# 39. Version and culture properties (cur*) of the PowerShell host running the script.
Get-Host |
    Format-Table version, cur* |
    Out-File -FilePath "c:\Volsys\$d\36-PSVersion.txt"
Add-Content -Path adcheck.txt -Value "`r`n 39. Checking PowerSehll version."

# 40. Groups whose Members attribute is empty.
Get-ADGroup -Filter * -Properties Members |
    Where-Object { -not $_.members } |
    Format-Table name |
    Out-File -FilePath "c:\Volsys\$d\37-EmptyGroups.txt"
Add-Content -Path adcheck.txt -Value "`r`n 40. Checking empty groups."

# 41. OUs without any direct child object (one-level search, stops at the first hit).
Get-ADOrganizationalUnit -Filter * |
    Where-Object { -not (Get-ADObject -Filter * -SearchBase $_.Distinguishedname -SearchScope OneLevel -ResultSetSize 1) } |
    Select-Object Name, DistinguishedName |
    Out-File -FilePath "c:\Volsys\$d\38-EmptyOUs.txt"
Add-Content -Path adcheck.txt -Value "`r`n 41. Checking empty OUs."

# 42. Names of the XML files below SYSVOL, hidden files included.
# Only the file listing is written; file contents are not read by this step.
# NOTE(review): presumably meant to locate Group Policy Preferences files for a manual
# review of stored settings - confirm the intended follow-up.
Get-ChildItem c:\windows\sysvol\ *.xml -Recurse -Force |
    Out-File -FilePath "c:\Volsys\$d\39-GpoXml.txt"
Add-Content -Path adcheck.txt -Value "`r`n 42. Checking XML files within Sysvol folder."
Clear-Host

# 43. All properties of the built-in Administrator: the account whose SID is the
# domain SID followed by the relative identifier 500.
$BA = (Get-ADDomain).domainsid.ToString() + "-500"
Get-ADUser -Identity $BA -Properties * |
    Out-File -FilePath "c:\Volsys\$d\40-RID500Info.txt"
Add-Content -Path adcheck.txt -Value "`r`n 43. Checking RID-500 Account info."

# 44. fSMORoleOwner of the Infrastructure object in the DomainDnsZones partition.
# ldifde writes the attribute to 58-Infra_DomainDNSZones.ldf in the current folder;
# its console output is appended to 41-FsmoRoleOwner.txt.
$DN = (Get-ADDomain -Current LocalComputer).DistinguishedName
ldifde -f 58-Infra_DomainDNSZones.ldf -d "CN=Infrastructure,DC=DomainDnsZones,$DN" -l fSMORoleOwner >> c:\Volsys\$d\41-FsmoRoleOwner.txt
Add-Content -Path adcheck.txt -Value "`r`n 44. Listing FSMO Owner info."
Clear-Host

# 80. For every DC: its name, then the number of lines "net session" printed when run on
# that DC through PowerShell remoting. The figure is a line count of the command output,
# not a parsed number of sessions.
$DC = Get-ADDomainController -Filter *
$Dcs = $DC.Name
#$DCS
foreach ($dcName in $Dcs) {
    Write-Output $dcName
    $sessionLines = Invoke-Command -ComputerName $dcName -ScriptBlock { Net Session }
    $dcName | Out-File -FilePath "c:\volsys\$d\80-Session.txt" -Append
    $sessionLines.Count | Out-File -FilePath "c:\volsys\$d\80-Session.txt" -Append
}
Add-Content -Path adcheck.txt -Value "`r`n 80. Exporting DC Sessions Count."

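# 45. Duplicate service principal names, searched forest-wide (-x with -f).
Setspn -x -f > 42-SPN.txt
$GPOL = "`r`n 45. Listing Dublicate SPNs."
$GPOL | Add-Content adcheck.txt

# 46. Collect netlogon.log from every DC of the current domain through the admin$ share,
# merge the lines and export the unique client IP addresses.
# NOTE(review): the step is labelled "missing subnets" but every line of netlogon.log is
# imported, not only the entries about clients without a site - confirm the intended filter.
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Write-Host '..current domain is' $dom
Write-Host '..getting all domain controllers in domain'
$dcs = $dom | ForEach-Object { $_.DomainControllers } | Select-Object Name

# $at counts down the DCs that are still to be read; it is only shown in the progress line.
$at = ($dcs | Measure-Object).Count

# Start from an empty list so a second run in the same session does not re-use old lines.
$colLogs = @()
foreach ($dc in $dcs) {
    $path = '\\' + $dc.Name + '\admin$\debug\netlogon.log'
    if (Test-Path $path) {
        Write-Host "..collecting logfile from ($at)" $path
        $colLogs += Get-Content $path
    }
    # The page shows "$at" followed by a typographic dash, which is not a valid statement;
    # the decrement is restored.
    $at--
}

Write-Host '..combining logs'
# The original used the single-quoted literal 'C:\volsys\d$\43-MissSubnet.txt': "d$" is not
# the $d variable and a single-quoted string is not expanded, so the file was aimed at a
# folder that does not exist.
$outFile = "C:\volsys\$d\43-MissSubnet.txt"
$colLogs | Out-File $outFile

Write-Host '..importing combined log as csv'
$importString = Import-Csv $outFile -Delimiter ' ' -Header Date, Time, Domain, Error, Name, IPAddress

Write-Host '..exporting results'
$importString |
    Select-Object Date, Name, IPAddress |
    Sort-Object IPAddress -Unique |
    Export-Csv "C:\volsys\$d\43-MissSubnet.csv"

$GPOL = "`r`n 46. Checking missing subnets."
$GPOL | Add-Content adcheck.txt
Clear-Host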

# 47. Copy this DC's netlogon.log into the run folder, then return to the run folder.
Set-Location \
Copy-Item C:\Windows\debug\netlogon.log c:\Volsys\$d\44-Netlogon.txt
Set-Location c:\Volsys\$d\
Add-Content -Path adcheck.txt -Value "`r`n 47. Copying Netlogon.log file."
Clear-Host

# 48. Time synchronisation check.
# NOTE(review): unlike the other steps this one is not read-only - "/resync /rediscover"
# asks the time service to rediscover its sources and resynchronise the clock.
w32tm /resync /rediscover > C:\Volsys\$d\45-DCNtpSync.TXT
Add-Content -Path adcheck.txt -Value "`r`n 48. Checking sync of DC and NTP server."

# 49. Site topology: site links, sites, replication connections and subnets in one file.
Get-ADReplicationSiteLink -Filter * | Out-File -FilePath "C:\Volsys\$d\46-DSSiteConfig.TXT"
Get-ADReplicationSite | Out-File -FilePath "C:\Volsys\$d\46-DSSiteConfig.TXT" -Append
Get-ADReplicationConnection | Out-File -FilePath "C:\Volsys\$d\46-DSSiteConfig.TXT" -Append
Get-ADReplicationSubnet -Filter * | Out-File -FilePath "C:\Volsys\$d\46-DSSiteConfig.TXT" -Append
Add-Content -Path adcheck.txt -Value "`r`n 49. Exporting site configuratoin."

# 50. Default domain password policy.
Get-ADDefaultDomainPasswordPolicy -Current LocalComputer |
    Out-File -FilePath "C:\Volsys\$d\47-DomainPolicy.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 50. Exporting DDPP configuration."
Clear-Host

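# 51. PasswordLastSet and PasswordNeverExpires of the user members of the privileged groups.
# The seven copy-pasted pipelines of the original are folded into one loop. Members that are
# not user accounts (nested groups, computers) are skipped, because Get-ADUser -Identity
# fails on them; direct members only, nested groups are not expanded.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators',
              'Server Operators', 'Backup Operators', 'Print Operators'
$privReport = "C:\Volsys\$d\48-PrivGroupsMemberPassNevExpires.TXT"

# The first group overwrites the report, the following ones append, as in the original.
$append = $false
foreach ($group in $privGroups) {
    Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.samAccountName -Properties PasswordLastSet, PasswordNeverExpires |
                Select-Object Name, PasswordLastSet, PasswordNeverExpires
        } |
        Out-File -FilePath $privReport -Append:$append
    $append = $true
}
$GPOL6 = "`r`n 51. Listing users who has password never expire and member of admin groups."
$GPOL6 | Add-Content adcheck.txt

# 52. Hotfixes installed on this DC.
Get-HotFix > C:\Volsys\$d\49-Hotfix.TXT
$GPOL7 = "`r`n 52. Checking Hotfix details."
$GPOL7 | Add-Content adcheck.txt

# 53. Disabled computer accounts (userAccountControl bit 2, ACCOUNTDISABLE).
Get-ADComputer -Filter "useraccountcontrol -band 2" -Properties useraccountcontrol |
    Format-Table name > C:\Volsys\$d\50-DisableComp.TXT
$GPOL8 = "`r`n 53. Checking disabled computers."
$GPOL8 | Add-Content adcheck.txt
Clear-Host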

# 54. Disabled user accounts (userAccountControl bit 2, ACCOUNTDISABLE).
Get-ADUser -Filter "useraccountcontrol -band 2" -Properties useraccountcontrol |
    Format-Table name |
    Out-File -FilePath "C:\Volsys\$d\51-DisableUsers.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 54. Listing disabled users."

# 55. Users whose adminCount attribute is 1, with their enabled state.
Get-ADUser -Filter "admincount -eq 1" -Properties * |
    Format-Table name, Enabled |
    Out-File -FilePath "C:\Volsys\$d\52-AdminCount.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 55. Listing users with Admin Count set to 1."

# 56. Resultant set of policy as an HTML report, for the account and machine running the script.
Gpresult /H C:\Volsys\$d\53-Gpresult.html
Add-Content -Path adcheck.txt -Value "`r`n 56. Exporting policies applied to DCs."
Clear-Host

# 57. File shares returned by Get-FileShare on this DC.
Get-FileShare | Out-File -FilePath "C:\Volsys\$d\54-FileShare.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 57. Exporting file shares on DCs."

# 58. Fine-grained password policies: name, precedence, maximum age and minimum length.
Get-ADFineGrainedPasswordPolicy -Filter { Name -like "*" } |
    Format-Table Name, Precedence, MaxPasswordAge, MinPasswordLength |
    Out-File -FilePath "C:\Volsys\$d\55-FGPP.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 58. Exporting FGPP info."

# 59. Members of Group Policy Creator Owners.
Get-ADGroupMember "group policy creator Owners" |
    Out-File -FilePath "C:\Volsys\$d\56-GPCOMembers.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 59. Checking member of group policy creator owners group."
Clear-Host

# 60. Scheduled tasks registered on this DC (default table view).
Get-ScheduledTask | Out-File -FilePath "C:\Volsys\$d\57-SchTask.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 60.Checking Schedule tasks running on DCs. "

# 61. Display names of the installed roles and features.
Import-Module servermanager
Get-WindowsFeature |
    Where-Object { $_.Installed -eq $True } |
    Format-List DisplayName |
    Out-File -FilePath "C:\Volsys\$d\58-FeatureS.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 61.Checking active features on DCs. "

# 62. Trust objects of the domain: partner, direction and type.
# The trustedDomain objects are only listed; no trust verification is performed.
Get-ADObject -Filter { objectClass -eq "trustedDomain" } -Properties TrustPartner, TrustDirection, trustType |
    Format-Table Name, TrustPartner, TrustDirection, TrustType |
    Out-File -FilePath "C:\Volsys\$d\59-TrustValidationCheck.txt"
Add-Content -Path adcheck.txt -Value "`r`n 62.Validating Domain trusts. "

# 63. systeminfo output of this DC.
systeminfo > C:\Volsys\$d\60-SystemInfo.txt
Add-Content -Path adcheck.txt -Value "`r`n 63.Exporting System Info. "
Clear-Host

# 64. Scheduled tasks in verbose list format (command line and run-as account included).
schtasks /query /fo LIST /v > C:\Volsys\$d\61-ScheduleTask.Txt
Add-Content -Path adcheck.txt -Value "`r`n 64.Exporting Scheduled tasks. "

# 65. Verbose list of the processes filtered on the user name "system".
tasklist /FI "username eq system" /v > C:\Volsys\$d\62-TaskList.Txt
Add-Content -Path adcheck.txt -Value "`r`n 65. Exporting to single list. "

# 66. State of the Windows Firewall profiles.
netsh advfirewall show all state > C:\Volsys\$d\63-FWStatus.Txt
Add-Content -Path adcheck.txt -Value "`r`n 66. Checking Firewall status. "

# 67. Logon events (ID 4624) of the Security log whose message mentions "ntlm v1".
# The whole Security log of this DC is read and filtered on the message text; an empty
# file means no matching event was found on this DC.
Get-WinEvent -FilterHashtable @{ logname = 'Security'; ID = 4624 } |
    Where-Object { $_.message -match "ntlm v1" } |
    Format-List |
    Out-File -FilePath "C:\Volsys\$d\64-Ntlmv1.txt"
Add-Content -Path adcheck.txt -Value "`r`n 67. NTLM V1 is in use."

# 68. SYSVOL replication migration: global state, then per-DC migration state.
dfsrmig /getglobalstate > C:\Volsys\$d\65-SysvolState.txt
dfsrmig /getmigrationstate >> C:\Volsys\$d\65-SysvolState.txt
Add-Content -Path adcheck.txt -Value "`r`n 68. Sysvol is in use."
Clear-Host

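# 69. Processes that own a main window. Processes without a window title (services,
# background processes) are filtered out by the Where-Object test.
Get-Process |
    Where-Object { $_.mainWindowTitle } |
    Format-Table id, name, mainwindowtitle -AutoSize > C:\Volsys\$d\66-DCProcessControl.txt
$GPOL66 = "`r`n 69. Exporting processes running on DCs."
$GPOL66 | Add-Content adcheck.txt

# 70. Installed software from the Uninstall registry keys.
# The original read only the Wow6432Node key (32-bit software); the native key is added so
# 64-bit software is listed too. The log line said "processes" and now names what is exported.
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Format-Table -AutoSize > C:\Volsys\$d\67-SoftwareControl.txt
$GPOL67 = "`r`n 70. Listing software installed on DCs."
$GPOL67 | Add-Content adcheck.txt

# 71. Tombstone lifetime read from the Directory Service object of the configuration partition.
# The log line said "TLS time"; the value exported is the tombstone lifetime.
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime).tombstoneLifetime > C:\Volsys\$d\68-TSL.txt
$GPOL68 = "`r`n 71. Checking tombstone lifetime."
$GPOL68 | Add-Content adcheck.txt

# 72. State of the optional feature "Recycle Bin Feature".
# The log line repeated "TLS time"; it now matches the export.
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' > C:\Volsys\$d\69-RecycleBinCheck.txt
$GPOL69 = "`r`n 72. Checking AD Recycle Bin feature."
$GPOL69 | Add-Content adcheck.txt
Clear-Host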

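# 73. All properties of the Guest account.
Get-ADUser guest -Properties * | Format-List > C:\Volsys\$d\70-Guest.txt
$GPOL70 = "`r`n 73. Checking guest info."
$GPOL70 | Add-Content adcheck.txt

# 74. Computer accounts with userAccountControl bit 32 (PASSWD_NOTREQD).
# The log line said "Exporting TSL info", which belongs to another step; it now names this export.
Get-ADComputer -Filter "useraccountcontrol -band 32" -Properties * |
    Format-Table name > C:\Volsys\$d\71-PasswordNotRequiredComputers.txt
$GPOL71 = "`r`n 74. Exporting password not required computers."
$GPOL71 | Add-Content adcheck.txt

# 75. User accounts with bit 2097152 (USE_DES_KEY_ONLY), i.e. restricted to DES Kerberos keys.
Get-ADUser -Filter "useraccountcontrol -band 2097152" -Properties * |
    Format-Table name > C:\Volsys\$d\72-DESusage.txt
$GPOL72 = "`r`n 75. Exporting DES usage."
$GPOL72 | Add-Content adcheck.txt
Clear-Host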

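# 76. Kerberos ticket cache, TGT, logon sessions and constrained-delegation cache.
# klist reports on the logon session that runs the script, not on the domain as a whole.
Klist > C:\Volsys\$d\73-KerberosInfo.txt
Klist tgt >> C:\Volsys\$d\73-KerberosInfo.txt
Klist sessions >> C:\Volsys\$d\73-KerberosInfo.txt
Klist kcd_cache >> C:\Volsys\$d\73-KerberosInfo.txt
$GPOL73 = "`r`n 76. Exporting Kerberos info."
$GPOL73 | Add-Content adcheck.txt
Clear-Host

# 77. Accounts with userAccountControl bit 524288 (TRUSTED_FOR_DELEGATION).
# The original queried user objects only, although the report is named after computers;
# computer accounts are appended so the file covers both. Domain controllers carry this
# flag by default and are expected in the list.
Get-ADUser -Filter "useraccountcontrol -band 524288" -Properties * |
    Format-Table name > C:\Volsys\$d\74-TrustedDelegationComputers.txt
Get-ADComputer -Filter "useraccountcontrol -band 524288" |
    Format-Table name >> C:\Volsys\$d\74-TrustedDelegationComputers.txt
$GPOL74 = "`r`n 77. Checking Trusted Delegation Computers."
$GPOL74 | Add-Content adcheck.txt
Clear-Host

# 78. Configuration of the DNS server on this DC.
Get-DnsServer > C:\Volsys\$d\75-DnsServer.txt
$GPOL75 = "`r`n 78. Checking DNS Servers."
$GPOL75 | Add-Content adcheck.txt
Clear-Host

# 79. DFS Replication service configuration.
Get-DfsrServiceConfiguration > C:\Volsys\$d\76-DFSRConfiguration.txt
$GPOL76 = "`r`n 79. Checking DFSR Configuration."
$GPOL76 | Add-Content adcheck.txt
Clear-Host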

# 81. Profile folders below c:\users on this DC.
Get-ChildItem c:\users | Out-File -FilePath "C:\Volsys\$d\77-UsersFolder.txt"
Add-Content -Path adcheck.txt -Value "`r`n 81. Exporting Users Folder Profiles."

# 82. One HTML report with the settings of every GPO, requested from this host for the
# domain's DNS root.
$ds = (Get-ADDomain -Current LocalComputer).dnsroot
$ht = hostname
$gpoReportPath = "C:\Volsys\$d\78-GPOReportsAll.html"
Get-GPOReport -All -Domain $ds -Server $ht -ReportType htmL -Path $gpoReportPath
Add-Content -Path adcheck.txt -Value "`r`n 82. Exporting ALL GPOs Settings."
Clear-Host

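# 83. Number of user, computer and group objects, written as label/value pairs.
# One absolute Set-Location replaces the "cd\" + "cd c:\volsys\$d" pair.
Set-Location -Path "C:\Volsys\$d"

# "-Properties *" was dropped: it loaded every attribute of every object only to count them.
# @() keeps .Count correct when a query returns a single object or none.
$ACC = "All User Account Counts:"
$ACC1 = @(Get-ADUser -Filter *).Count
$ACC | Add-Content 79-AllAccountCount.txt
$ACC1 | Add-Content 79-AllAccountCount.txt

$ACC2 = "All Computer Account Counts:"
$ACC3 = @(Get-ADComputer -Filter *).Count
$ACC2 | Add-Content 79-AllAccountCount.txt
$ACC3 | Add-Content 79-AllAccountCount.txt

$ACC4 = "All Group Account Counts:"
$ACC5 = @(Get-ADGroup -Filter *).Count
$ACC4 | Add-Content 79-AllAccountCount.txt
$ACC5 | Add-Content 79-AllAccountCount.txt

$PROf1 = "`r`n 83. Exporting ALL Account Count."
$PROf1 | Add-Content adcheck.txt

# 84. ACL of the domain root object, read through the AD: drive of the ActiveDirectory module.
# The stray "$ACL" expression of the original (an unassigned variable) was removed.
$DN = (Get-ADDomain -Current LocalComputer).DistinguishedName
Get-Acl -Path ad:$DN | Format-List > C:\Volsys\$d\81-RootACL.TXT
$PROf10 = "`r`n 84. Exporting Directory ACL Scan."
$PROf10 | Add-Content adcheck.txt
Clear-Host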

# 85. SMB server configuration of this DC.
Get-SmbServerConfiguration | Out-File -FilePath "C:\Volsys\$d\82-SmbConfig.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 85. Exporting SMB Server Configuration."
Clear-Host

# 86. Entry type, source, event ID and message of the "Directory Service" event log.
Get-EventLog "Directory Service" |
    Select-Object entrytype, source, eventid, message |
    Out-File -FilePath "C:\Volsys\$d\83-DSEvent.TXT"
Add-Content -Path adcheck.txt -Value "`r`n 86. Exporting Directory Services Event Logs."

# 87. Replication sites, then site links, in one file.
Get-ADReplicationSite | Out-File -FilePath "C:\Volsys\$d\84-ADSiteLink.TXT"
Get-ADReplicationSiteLink -Filter * | Out-File -FilePath "C:\Volsys\$d\84-ADSitelink.TXT" -Append
Add-Content -Path adcheck.txt -Value "`r`n 87.Exporting Active Directory Site and Sitelink Information."

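# 88. Users that have the userPassword attribute populated.
# Only the account names are written. The original also printed a userPassword column,
# which was always empty because the attribute was not requested with -Properties; the
# values are left out on purpose so the report does not become a second copy of them.
Get-ADUser -Filter "userPassword -like '*' " |
    Format-Table name > C:\Volsys\$d\85-UserPass.TXT
$up1 = "`r`n 88. Exporting User Password Attribute."
$up1 | Add-Content adcheck.txt

# 89. ACL of the AdminSDHolder object.
$DN = (Get-ADDomain -Current LocalComputer).DistinguishedName
Dsacls "CN=AdminSDHolder,CN=System,$DN" > C:\Volsys\$d\86-AdminSDHolderACLs.TXT
$up2 = "`r`n 89. Exporting AdminSD Holder Security ACLs."
$up2 | Add-Content adcheck.txt

# 90. Members of "Pre-Windows 2000 Compatible Access".
Get-ADGroupMember "Pre-Windows 2000 Compatible Access" > C:\Volsys\$d\87-Pre-Windows2000.TXT
$up3 = "`r`n 90. Exporting Pre-Windows 2000 Group Members."
$up3 | Add-Content adcheck.txt

# 91. Startup commands registered on this DC (name, command, location, user).
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, command, Location, User |
    Format-List > C:\Volsys\$d\88-StartupApps.TXT
$up4 = "`r`n 91. Exporting Startup Application List."
$up4 | Add-Content adcheck.txt

# 92. Members of the Protected Users group.
Get-ADGroupMember "protected users" | Format-Table name > C:\Volsys\$d\89-ProtectedUsersGroupMembers.TXT
$pu = "`r`n 92. Exporting Protected USers Group Member."
$pu | Add-Content adcheck.txt

# 93. Password state of every user, sorted by PasswordExpired.
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires |
    Sort-Object PasswordExpired |
    Format-Table Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires > C:\Volsys\$d\90-PasswordExpires.TXT
$pe = "`r`n 93. Exporting Password Expires Users."
$pe | Add-Content adcheck.txt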

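# Steps 94-99.
# The original ran "cd.." before each of these steps. adcheck.txt is addressed by a
# relative name, so after the first "cd.." the log lines for steps 94-99 went to
# C:\Volsys\adcheck.txt and then to C:\adcheck.txt instead of the run log. The location is
# pinned to the run folder once and the "cd.." calls are removed.
Set-Location -Path "C:\Volsys\$d"
Clear-Host

# 94. OU tree: canonical and distinguished name of every OU, sorted by canonical name.
Get-ADOrganizationalUnit -Properties CanonicalName -Filter * |
    Sort-Object CanonicalName |
    Format-List CanonicalName, DistinguishedName > C:\Volsys\$d\91-ADOUStructure.TXT
$pe1 = "`r`n 94. Exporting AD OU Structure."
$pe1 | Add-Content adcheck.txt
Clear-Host

# 95. Creation and modification time of every GPO, oldest first.
$DN = (Get-ADDomain -Current LocalComputer).DNSRoot
Get-GPO -All -Domain $DN |
    Sort-Object creationTime |
    Format-Table Displayname, CreationTime, ModificationTime > C:\Volsys\$d\92-GPOCMDate.TXT
$pe5 = "`r`n 95. Exporting GPO Create and Modify Dates."
$pe5 | Add-Content adcheck.txt
Clear-Host

# 96. Members of "Terminal Server License Servers".
Get-ADGroupMember "Terminal Server License Servers" > C:\Volsys\$d\93-TerminalServerLicesnceServers.TXT
$pe1 = "`r`n 96. Exporting Terminal Server License Servers Group Members."
$pe1 | Add-Content adcheck.txt
Clear-Host

# 97. SHA-256 hashes of the files directly in c:\Windows\system32 that match *.*.
# The list is a record of the current state; it only shows a change when compared with an
# earlier run or a known-good list.
Get-FileHash -Algorithm sha256 -Path "c:\Windows\system32\*.*" | Format-List > C:\Volsys\$d\94-FileHashes.TXT
$pe51 = "`r`n 97. Exporting System32 Folders, Hashes."
$pe51 | Add-Content adcheck.txt
Clear-Host

# 98. Services on this DC.
Get-Service > C:\Volsys\$d\95-Services.TXT
$pe51 = "`r`n 98. Exporting Services."
$pe51 | Add-Content adcheck.txt
Clear-Host

# 99. Locked-out accounts.
# The redirection operator was missing, so the file path was passed to Search-ADAccount as
# an argument and no report was written. The log line repeated "Exporting Services" and now
# names this export.
Search-ADAccount -LockedOut > C:\Volsys\$d\96-LockedAccount.TXT
$pe52 = "`r`n 99. Exporting locked out accounts."
$pe52 | Add-Content adcheck.txt
Clear-Host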

# Closing banner: a blank line, two rule lines, the completion message, two rule lines
# and a final blank line, all in red on white.
$bannerRule = ' ————————————————————'
$bannerText = ' V O L S Y S is finished. You can check the C:\Volsys folder '
Write-Host
foreach ($bannerLine in @($bannerRule, $bannerRule, $bannerText, $bannerRule, $bannerRule)) {
    Write-Host $bannerLine -ForegroundColor red -BackgroundColor white
}
Write-Host