Active Directory Security Checkup – VOLSEC

<#
Active Directory Security Checkup
VolSec2 16.3.2021
E-V
82

#>

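# Prepare the output folder C:\VOLSEC\<ddMMyyyy> and the run log securitycheck.txt.
# Later checks rely on this folder being the current location and on $d
# holding the date-stamped folder name.
Set-Location -Path 'C:\'

# Test-Path replaces Get-ChildItem here: Get-ChildItem raises an error when the
# folder is missing and returns nothing for an existing but empty folder, which
# sent the original into creating a folder that was already there.
if (-not (Test-Path -LiteralPath 'C:\VOLSEC' -PathType Container)) {
    New-Item -Path 'C:\VOLSEC' -ItemType Directory | Out-Null
}

# The exports written below include privileged group membership, directory
# ACLs, account attributes and a copy of netlogon.log. Restrict the folder to
# BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) so the results are
# not readable through permissions inherited from the root of the drive.
icacls 'C:\VOLSEC' /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
Set-Location -Path 'C:\VOLSEC'

# Folder name is day, month, four-digit year of the run (e.g. 16032021).
$d = Get-Date -UFormat %d%m%Y
if (-not (Test-Path -LiteralPath $d -PathType Container)) {
    New-Item -Name $d -ItemType Directory | Out-Null
}
Set-Location -Path $d

# A second run on the same day reuses the folder; create the log only once.
if (-not (Test-Path -LiteralPath 'securitycheck.txt' -PathType Leaf)) {
    New-Item -Name SecurityCHECK.txt -ItemType File | Out-Null
}

Add-Content -Path securitycheck.txt -Value "Exported Files to be in C:\VOLSEC\$d\"
Add-Content -Path securitycheck.txt -Value "======================================================"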

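# Checks 1-3: backup status, object inventory, forest and domain settings.
# NOTE: the .csv files produced throughout this script hold console-formatted
# text (Format-Table / default formatting), not comma separated values, and
# long values may be cut to the output width.
# NOTE: each log entry is written whether or not the command before it
# succeeded, and Clear-Host wipes any error text from the console, so an entry
# in securitycheck.txt does not prove the export worked - check the file.

# 1. Backup status as reported by repadmin.
repadmin /showbackup * > C:\VOLSEC\$d\1-ADBackupStatus.csv
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.
Add-Content -Path securitycheck.txt -Value "`r`n 1.AD Backup is controlled"

Clear-Host

# 2. Object count followed by every distinguished name.
# The count is taken from the objects themselves; counting the output of
# Format-Table counts formatting records and overstates the total.
# DistinguishedName is returned by default, so -Properties * is not needed
# and only added load on the domain controller.
$allObjects = @(Get-ADObject -Filter *)
$allObjects.Count > .\2-TotalObjectCountDN.csv
$allObjects | Format-Table DistinguishedName >> .\2-TotalObjectCountDN.csv
Add-Content -Path securitycheck.txt -Value "`r`n 2.DistinguishedName’s are exported"

Clear-Host

# 3. Forest settings first, domain settings appended to the same file.
Get-ADForest > C:\VOLSEC\$d\3-ForestDomain.csv
Get-ADDomain >> C:\VOLSEC\$d\3-ForestDomain.csv
Add-Content -Path securitycheck.txt -Value "`r`n 3.Exporting Forest and Domain info"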

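# Checks 4-10: members of the built-in privileged groups, one file per group.
# Get-ADGroupMember is called without -Recursive, so a nested group shows up as
# a single row and the accounts inside it are not listed; review nested groups
# separately when judging who effectively holds these rights.
$privilegedGroupExports = @(
    @{ Group = 'domain admins';     File = '4-DomainAdmins.csv';     Log = "`r`n 4.Exporting Domain Admins group members" }
    @{ Group = 'enterprise admins'; File = '5-EnterpriseAdmins.csv'; Log = "`r`n 5.Exporting Enterprise Admins group members" }
    @{ Group = 'schema admins';     File = '6-SchemaAdmins.csv';     Log = "`r`n 6.Exporting Schema Admins group members" }
    @{ Group = 'administrators';    File = '7-Administrators.csv';   Log = "`r`n 7.Exporting Administrators group members" }
    @{ Group = 'server operators';  File = '8-ServerOperators.csv';  Log = "`r`n 8.Exporting Server Operators group members" }
    # The original wrote this export to 9-Administrators.csv, a copy-paste
    # slip that hid the Backup Operators list under another group's name.
    @{ Group = 'backup operators';  File = '9-BackupOperators.csv';  Log = "`r`n 9.Exporting Backup Operators group members" }
    @{ Group = 'print operators';   File = '10-PrintOperators.csv';  Log = "`r`n 10.Exporting Print Operators group members" }
)

foreach ($export in $privilegedGroupExports) {
    $targetFile = "C:\VOLSEC\$d\$($export.File)"
    Get-ADGroupMember $export.Group | Format-Table name, samaccountname > $targetFile
    # Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.
    Add-Content -Path securitycheck.txt -Value $export.Log
}

Clear-Host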

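# Checks 11-14: further groups whose membership grants indirect privileges.
# Only direct members are listed (no -Recursive).
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 11. Terminal Server License Servers.
Get-ADGroupMember 'Terminal Server License Servers' > C:\VOLSEC\$d\11-TerminalServerLicesnceServers.csv
Add-Content -Path securitycheck.txt -Value "`r`n 11. Exporting Terminal Server License Servers Group Members."

# 12. Group Policy Creator Owners.
Get-ADGroupMember 'group policy creator Owners' > C:\VOLSEC\$d\12-GPCOMembers.csv
Add-Content -Path securitycheck.txt -Value "`r`n 12. Checking member of group policy creator owners group."
Clear-Host

# 13. Pre-Windows 2000 Compatible Access.
Get-ADGroupMember 'Pre-Windows 2000 Compatible Access' > C:\VOLSEC\$d\13-Pre-Windows2000.csv
Add-Content -Path securitycheck.txt -Value "`r`n 13. Exporting Pre-Windows 2000 Group Members."

# 14. Protected Users. This file carries no number prefix; the same group is
# exported again into 14-OtherPrivGroupMembers.csv further down.
Get-ADGroupMember 'protected users' | Format-Table name > C:\VOLSEC\$d\ProtectedUsersGroupMembers.csv
Add-Content -Path securitycheck.txt -Value "`r`n 14. Exporting Protected USers Group Member."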

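# Check 14 (second part): Protected Users, Enterprise Key Admins and
# Organization Management collected into one file, each under its own heading.
Set-Location -Path 'C:\'
Set-Location -Path "Volsec\$d"

$otherPrivFile = "C:\VOLSEC\$d\14-OtherPrivGroupMembers.csv"

# Set-Content creates the file and writes the title, so a second run on the
# same day starts from a clean file instead of failing on New-Item.
Set-Content -Path $otherPrivFile -Value 'Other Privilege Admins Group Members'

$otherPrivSections = @(
    @{ Title = 'Protected Users Group Members';         Group = 'Protected Users' }
    @{ Title = 'Enterprise Key Admins';                 Group = 'enterprise key admins' }
    # Presumably present only where Exchange is installed; a missing group
    # raises an error and leaves the section empty.
    @{ Title = 'Organization Management Group Members'; Group = 'Organization Management' }
)

foreach ($section in $otherPrivSections) {
    Add-Content -Path $otherPrivFile -Value $section.Title
    # Everything goes through Add-Content. On Windows PowerShell the '>>'
    # operator and Add-Content use different default encodings, and mixing
    # them in one file (as the original did) can leave it partly unreadable.
    Get-ADGroupMember $section.Group |
        Format-Table name |
        Out-String |
        Add-Content -Path $otherPrivFile
}

# Log text starts with CR/LF (`r`n) so the entry is preceded by a blank line.
Add-Content -Path securitycheck.txt -Value "`r`n 14. Other Privilege Admins Group Members."
Clear-Host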

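# Check 15: last logon information for members of the four top-level admin
# groups, written as consecutive sections of 15-Logondates.csv.
# - Members that are groups are not expanded; Get-ADUser raises an error for
#   them and the accounts nested inside are not listed.
# - Only the two logon attributes that are printed are requested, instead of
#   every attribute (-Properties *).
# - Every section now has a heading; the original left the first one
#   (Domain Admins) unlabelled.
# - The file is written with Add-Content only, so it keeps a single encoding.
$logonFile = "C:\VOLSEC\$d\15-Logondates.csv"

$logonSections = @(
    @{ Title = 'Domain Admins';     Group = 'domain admins';     Log = "`r`n 15.Exporting Logon time of Domain Admins group members." }
    @{ Title = 'Enterprise Admins'; Group = 'enterprise admins'; Log = "`r`n 15.Exporting Logon time of Enterprise Admins group members." }
    @{ Title = 'Schema Admins';     Group = 'schema admins';     Log = "`r`n 15.Exporting Logon time of Schema Admins group members." }
    @{ Title = 'Administrators';    Group = 'administrators';    Log = "`r`n 15.Exporting Logon time of Administrators group members." }
)

foreach ($section in $logonSections) {
    Add-Content -Path $logonFile -Value $section.Title
    Get-ADGroupMember $section.Group |
        Get-ADUser -Properties LastLogonDate, lastLogonTimestamp |
        Format-Table name, samaccountname, lastlogondate, lastlogontimestamp |
        Out-String |
        Add-Content -Path $logonFile
    # Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.
    Add-Content -Path securitycheck.txt -Value $section.Log
}

Clear-Host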

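# Checks 16-20: FSMO holders, schema version, stale accounts, delegation.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 16. Operations master role holders.
netdom query fsmo > C:\VOLSEC\$d\16-FSMORoles.csv
Add-Content -Path securitycheck.txt -Value "`r`n 16.Checking FSMO roles."

# 17. objectVersion of the schema naming context.
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion > C:\VOLSEC\$d\17-SchemaVersion.csv
Add-Content -Path securitycheck.txt -Value "`r`n 17.Checking Schema version."

# 18/19. Accounts inactive for 12 weeks. -limit caps each list at 10000
# entries, so a larger result is cut off without any warning in the file.
dsquery user -inactive 12 -limit 10000 > C:\VOLSEC\$d\18-InActiveUsers.csv
Add-Content -Path securitycheck.txt -Value "`r`n 18.Exporting list of people who did not loging last three months."
Clear-Host
dsquery computer -inactive 12 -limit 10000 > C:\VOLSEC\$d\19-InActiveComputers.csv
Add-Content -Path securitycheck.txt -Value "`r`n 19.Exporting list of computers which did not authenticate last three months"

# 20. Accounts with userAccountControl bit 524288 (0x80000,
# TRUSTED_FOR_DELEGATION), i.e. unconstrained delegation.
# The file name and log text speak of computers, but the original only queried
# user objects; computer accounts are now appended to the same file. Domain
# controllers are expected in the computer list - every other entry deserves
# a closer look.
Get-ADUser -Filter "useraccountcontrol -band 524288" | Format-Table name > C:\VOLSEC\$d\20-TrustedDelegationComputers.csv
Get-ADComputer -Filter "useraccountcontrol -band 524288" | Format-Table name >> C:\VOLSEC\$d\20-TrustedDelegationComputers.csv
Add-Content -Path securitycheck.txt -Value "`r`n 20. Checking Trusted Delegation Computers."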

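# Check 21: total number of user, computer and group accounts.
Set-Location -Path 'C:\'
Set-Location -Path "c:\VOLSEC\$d"

$countFile = '21-AllAccountCount.csv'

# Only the number of objects is needed, so the default property set is
# enough; -Properties * made the domain controller return every attribute of
# every account just to count them. @() keeps .Count correct for 0 or 1 result.
$userCount     = @(Get-ADUser -Filter *).Count
$computerCount = @(Get-ADComputer -Filter *).Count
$groupCount    = @(Get-ADGroup -Filter *).Count

Add-Content -Path $countFile -Value 'All User Account Counts:'
Add-Content -Path $countFile -Value $userCount

Add-Content -Path $countFile -Value 'All Computer Account Counts:'
Add-Content -Path $countFile -Value $computerCount

Add-Content -Path $countFile -Value 'All Group Account Counts:'
Add-Content -Path $countFile -Value $groupCount

# Log text starts with CR/LF (`r`n) so the entry is preceded by a blank line.
Add-Content -Path securitycheck.TXT -Value "`r`n 21. Exporting ALL Account Count."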

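# Checks 22-25: account state flags read from userAccountControl / adminCount.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 22. Disabled computer accounts (bit 2, ACCOUNTDISABLE).
Get-ADComputer -Filter "useraccountcontrol -band 2" -Properties useraccountcontrol |
    Format-Table name > C:\VOLSEC\$d\22-DisableComputer.csv
Add-Content -Path securitycheck.txt -Value "`r`n 22. Checking disabled computers."
Clear-Host

# 23. Disabled user accounts.
Get-ADUser -Filter "useraccountcontrol -band 2" -Properties useraccountcontrol |
    Format-Table name > C:\VOLSEC\$d\23-DisableUsers.csv
Add-Content -Path securitycheck.txt -Value "`r`n 23. Listing disabled users."

# 24. Accounts with adminCount = 1. Name and Enabled are part of the default
# property set, so -Properties * is not needed.
Get-ADUser -Filter "admincount -eq 1" |
    Format-Table name, Enabled > C:\VOLSEC\$d\24-AdminCount.csv
Add-Content -Path securitycheck.txt -Value "`r`n 24. Listing users with Admin Count set to 1."

# 25. 66048 = 65536 (DONT_EXPIRE_PASSWORD) + 512 (NORMAL_ACCOUNT).
# NOTE(review): this mask selects "password never expires" accounts only; the
# "password not required" bit (32) is not part of it, whatever the log text
# says. Password-not-required users are listed by check 27.
Get-ADUser -Filter 'useraccountcontrol -band 66048' -Properties useraccountcontrol |
    Sort-Object enabled |
    Format-Table Name, Samaccountname, Enabled > C:\VOLSEC\$d\25-PassNeverExpiredUsers.csv
Add-Content -Path securitycheck.txt -Value "`r`n 25.Exporting Password not required and password never expired users."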

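# Check 26: password age and expiry settings for members of the admin and
# operator groups, one table per group in a single file.
# NOTE(review): every member is listed, not only those with
# PasswordNeverExpires = True; filter on that column when reading the file.
# Members that are groups are not expanded - Get-ADUser raises an error for
# them and the accounts nested inside are missing from the report.
$privReport = "C:\VOLSEC\$d\26-PrivGroupsMemberPassNevExpires.csv"

$auditedGroups = @(
    'Domain Admins'
    'Enterprise Admins'
    'Administrators'
    'Account Operators'
    'Server Operators'
    'Backup Operators'
    'Print Operators'
)

$isFirstGroup = $true
foreach ($groupName in $auditedGroups) {
    $rows = Get-ADGroupMember -Identity $groupName | ForEach-Object {
        Get-ADUser -Identity $_.samAccountName -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
            Select-Object Name, PasswordLastSet, PasswordNeverExpires, LastLogonDate
    }

    # First group overwrites any file from an earlier run, the rest append.
    if ($isFirstGroup) {
        $rows > $privReport
        $isFirstGroup = $false
    }
    else {
        $rows >> $privReport
    }
}

# Log text starts with CR/LF (`r`n) so the entry is preceded by a blank line.
Add-Content -Path securitycheck.txt -Value "`r`n 26. Listing users who has password never expire and member of admin groups."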

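# Checks 27-29: password-not-required accounts and failed logon counters.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 27. 544 = 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD): user accounts that are
# allowed to have an empty password.
Get-ADUser -Filter 'useraccountcontrol -band 544' -Properties useraccountcontrol |
    Format-Table Name, Samaccountname, useraccountcontrol > C:\VOLSEC\$d\27-PassNotRequiredUsers.csv
Add-Content -Path securitycheck.txt -Value "`r`n 27. Listing Password not required users."

# 28. Computer accounts carrying the PASSWD_NOTREQD bit (32).
Get-ADComputer -Filter "useraccountcontrol -band 32" |
    Format-Table name > C:\VOLSEC\$d\28-PasswordNotRequiredComputers.csv
# The original logged "Exporting TSL info." here, which does not describe this
# export; the entry now matches the file it refers to.
Add-Content -Path securitycheck.txt -Value "`r`n 28. Exporting Password not required computers."

# 29. Bad password counters for every user, oldest failure first.
# badPwdCount and badPasswordTime are not replicated between domain
# controllers, so the figures reflect only the DC that answered the query.
# Only the attributes that are printed are requested (was -Properties *).
Get-ADUser -Filter * -Properties badPwdCount, badPasswordTime, LastLogonDate |
    Sort-Object badpasswordtime |
    Format-Table name, badpwdcount,
        @{ N = 'badpasswordtime'; E = { [DateTime]::FromFileTime($_.badpasswordtime) } },
        lastlogondate > C:\VOLSEC\$d\29-BadLogonAttempt.csv
Add-Content -Path securitycheck.txt -Value "`r`n 29.Listing users if Account Lock Out value is 5."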

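# Check 30: run the Directory Services Best Practices Analyzer model and keep
# every finding whose severity is not "Information".
$BPAModel = "Microsoft/Windows/DirectoryServices"
# $LogPath is assigned but not read anywhere in this part of the script.
$LogPath = "c:\VOLSEC\$d"

Invoke-BpaModel -Id $BPAModel
Get-BpaResult -Id $BPAModel |
    Where-Object { $_.severity -ne "Information" } |
    Out-File -FilePath c:\VOLSEC\$d\30-BestPracticesWarnings.csv

# Log text starts with CR/LF (`r`n) so the entry is preceded by a blank line.
Add-Content -Path securitycheck.txt -Value "`r`n 30.Exporting AD Best Practice Analyzer results."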

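# Check 31: last boot date and time of every domain controller in this domain
# and its child domains. A DC that has not rebooted for a long time has
# presumably not received updates that require a restart.
$GlobalOutput = @()
$forestinfo = Get-ADForest
$domaininfo = Get-ADDomain
$rootdomain = $domaininfo.Forest

# @() keeps the list an array even when a domain has a single DC, so the
# += below always appends instead of failing on a lone object.
$AllDCs = @(Get-ADComputer -Server $rootdomain -SearchBase $domaininfo.DomainControllersContainer -Filter *)
foreach ($child in $domaininfo.ChildDomains) {
    $searchbase = Get-ADDomain -Server $child
    $AllDCs += Get-ADComputer -Server $child -SearchBase $searchbase.DomainControllersContainer -Filter *
}

foreach ($Computer in $AllDCs) {
    # Start from "Conn Error"; the values are replaced only after a
    # successful query. (The original also pinged each DC a second time into
    # a variable that was never read; that extra ping is gone.)
    $Output = [pscustomobject]@{
        ComputerName = $Computer.Name
        BootDate     = "Conn Error"
        BootTime     = "Conn Error"
    }

    if (Test-Connection -ComputerName $Computer.Name -BufferSize 16 -Count 1 -ErrorAction SilentlyContinue -Quiet) {
        $bootLine = Invoke-Command -ComputerName $Computer.Name -ScriptBlock { systeminfo | find "Boot Time" } |
            Select-Object -First 1

        # The parsing expects the English line "System Boot Time: <date>, <time>".
        # Without these guards a failed remote call left the values parsed for
        # the previous DC in place and reported them for this one.
        if ($bootLine) {
            $labelParts = ([string]$bootLine).Split('e')
            if ($labelParts.Count -ge 3) {
                $dateAndTime = $labelParts[2].Split(',')
                if ($dateAndTime.Count -ge 2) {
                    $Output.BootTime = $dateAndTime[1].Replace(" ", "")
                    $Output.BootDate = $dateAndTime[0].Split(':')[1].Replace(" ", "")
                }
            }
        }
    }

    $GlobalOutput += $Output
}

$GlobalOutput > .\31-DCReboot.csv
Clear-Host
# Log text starts with CR/LF (`r`n) so the entry is preceded by a blank line.
Add-Content -Path securitycheck.txt -Value "`r`n 31. Exporting reboot time of DCs."

Clear-Host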

import-module grouppolicy

function IsNotLinked($xmldata) {
    # Returns $true when the parsed GPO report has no GPO.LinksTo node,
    # $false as soon as one or more are present.
    # $null is placed on the left so a report with several LinksTo nodes is
    # compared as a whole rather than element by element.
    return ($null -eq $xmldata.GPO.LinksTo)
}

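# Check 32: GPOs that are not linked to any site, domain or OU.
# Each GPO's XML report is parsed and handed to IsNotLinked.
$unlinkedGPOs = @()

foreach ($gpo in (Get-GPO -All)) {
    $reportXml = [xml]($gpo | Get-GPOReport -ReportType xml)
    if (IsNotLinked $reportXml) {
        $unlinkedGPOs += $gpo
    }
}

# NOTE: the "nothing found" message goes to a .txt file, a result list to a
# .csv file, so look for either name in the output folder.
if ($unlinkedGPOs.Count -eq 0) {
    "No Unlinked GPO’s Found" > c:\VOLSEC\$d\32-UnlinkedGpo.txt
}
else {
    $unlinkedGPOs | Select-Object DisplayName, ID | Format-Table >> c:\VOLSEC\$d\32-UnlinkedGpo.csv
}

# Log text starts with CR/LF (`r`n) so the entry is preceded by a blank line.
Add-Content -Path securitycheck.txt -Value "`r`n 32.Exporting list of GPO which has no link to anywere."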

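# Checks 33-38: audit policy, legacy operating systems, empty containers and
# XML files in SYSVOL.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 33. Effective audit policy of this machine, all categories.
auditpol /get /category:* > c:\VOLSEC\$d\33-AuditPolicyConfig.csv
Add-Content -Path securitycheck.txt -Value "`r`n 33. Exporting Audit Policy configuration."

# 34. Computers whose OS name points at an out-of-support release.
# -like without wildcards only matches a value that is exactly "XP", "2003"
# and so on, so the original comparison could never match a real OS name and
# always produced an empty list. The wildcards are restored, and
# OperatingSystemVersion is requested because the filter reads it.
# The list stops at Windows 7 / Server 2008; extend the patterns for newer
# releases that have since left support.
Get-ADComputer -Filter * -Property Name, OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion |
    Where-Object {
        ($_.OperatingSystem -like '*XP*') -or
        ($_.OperatingSystem -like '*2000*') -or
        ($_.OperatingSystem -like '*2003*') -or
        ($_.OperatingSystemVersion -like '*4.0*') -or
        ($_.OperatingSystem -like '*7*') -or
        ($_.OperatingSystem -like '*2008*')
    } |
    Format-Table Name, OperatingSystem, OperatingSystemServicePack -Wrap -AutoSize > c:\VOLSEC\$d\34-LegacyOS.csv
Add-Content -Path securitycheck.txt -Value "`r`n 34. Listing Legacy OS."

# 35. Version and culture settings of the PowerShell host running this script.
Get-Host | Format-Table version, cur* > c:\VOLSEC\$d\35-PSVersion.csv
Add-Content -Path securitycheck.txt -Value "`r`n 35. Checking PowerSehll version."

# 36. Groups without any member.
Get-ADGroup -Filter * -Properties Members |
    Where-Object { -not $_.members } |
    Format-Table name > c:\VOLSEC\$d\36-EmptyGroups.csv
Add-Content -Path securitycheck.txt -Value "`r`n 36. Checking empty groups."

# 37. OUs with no direct child object (one-level search, first hit is enough).
Get-ADOrganizationalUnit -Filter * |
    Where-Object { -not (Get-ADObject -Filter * -SearchBase $_.Distinguishedname -SearchScope OneLevel -ResultSetSize 1) } |
    Select-Object Name, DistinguishedName > c:\VOLSEC\$d\37-EmptyOUs.csv
Add-Content -Path securitycheck.txt -Value "`r`n 37. Checking empty OUs."

# 38. Every XML file below the SYSVOL folder. Only the file listing is
# exported; Group Policy Preference files found here still have to be opened
# and checked for stored passwords (cpassword values).
# The path is fixed; adjust it if SYSVOL was placed elsewhere.
Get-ChildItem -Path c:\windows\sysvol\ -Filter *.xml -Recurse -Force > c:\VOLSEC\$d\38-GroupsXml.csv
Add-Content -Path securitycheck.txt -Value "`r`n 38. Checking XML files within Sysvol folder."

Clear-Host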

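# Checks 39-41: the three well-known accounts every domain has.
# All attributes are dumped (-Properties *); PasswordLastSet, LastLogonDate and
# Enabled are the fields to look at first.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 39. Built-in Administrator, addressed by SID (<domain SID>-500) so a renamed
# account is still found.
$rid500Sid = (Get-ADDomain).DomainSID.ToString() + "-500"
Get-ADUser -Identity $rid500Sid -Properties * > c:\VOLSEC\$d\39-RID500Info.csv
Add-Content -Path securitycheck.txt -Value "`r`n 39. Checking RID-500 Account info."

# 40. krbtgt; PasswordLastSet shows when its password was last changed.
Get-ADUser krbtgt -Properties * > c:\VOLSEC\$d\40-KRBTGTInfo.csv
Add-Content -Path securitycheck.txt -Value "`r`n 40. Checking KRBTGT Account info."

# 41. Guest account.
Get-ADUser guest -Properties * | Format-List > C:\VOLSEC\$d\41-GuestInfo.csv
Add-Content -Path securitycheck.txt -Value "`r`n 41. Checking Guest info."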

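# Check 42: number of open SMB sessions on each domain controller, taken from
# "net session" run remotely (requires PowerShell remoting to every DC).
$dcNames = (Get-ADDomainController -Filter *).Name

# Echo the list of DCs to the console, as the original did.
$dcNames

foreach ($dcName in $dcNames) {
    $dcName
    $sessionOutput = Invoke-Command -ComputerName $dcName -ScriptBlock { net session }

    # The original wrote the number of output lines, which also counts the
    # header, separator and status lines. Only lines that start with \\ are
    # counted now - assumes each session row begins with the client name in
    # \\NAME form; confirm against net session output on your systems.
    $sessionRows = @($sessionOutput | Where-Object { $_ -like '\\*' })

    $dcName >> c:\VOLSEC\$d\42-DCSessions.csv
    $sessionRows.Count >> c:\VOLSEC\$d\42-DCSessions.csv
}

# Log text starts with CR/LF (`r`n) so the entry is preceded by a blank line.
Add-Content -Path securitycheck.txt -Value "`r`n 42. Exporting DC Sessions Count."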

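# Checks 43-44: duplicate SPNs and the Netlogon debug log.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 43. Forest-wide search for duplicate service principal names.
setspn -x -f > .\43-SPN.csv
Add-Content -Path securitycheck.txt -Value "`r`n 43. Listing Dublicate SPNs."

# 44. Copy of netlogon.log. Both paths are absolute, so the location changes
# around the copy are no longer needed. The log can name accounts and client
# machines, so handle the copy like the rest of the results.
Copy-Item -Path C:\Windows\debug\netlogon.log -Destination "c:\VOLSEC\$d\44-Netlogon.csv"
Set-Location -Path "c:\VOLSEC\$d\"
Add-Content -Path securitycheck.txt -Value "`r`n 44. Copying Netlogon.log file."

Clear-Host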

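# Checks 45-49: password policies, installed updates and Group Policy data.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 45. Default domain password and lockout policy.
Get-ADDefaultDomainPasswordPolicy -Current LocalComputer > C:\VOLSEC\$d\45-PasswordAccountPolicy.csv
Add-Content -Path securitycheck.txt -Value "`r`n 45. Exporting DDPP configuration."

# 46. Fine-grained password policies.
Get-ADFineGrainedPasswordPolicy -Filter { Name -like "*" } |
    Format-Table Name, Precedence, MaxPasswordAge, MinPasswordLength > C:\VOLSEC\$d\46-FGPP.csv
Add-Content -Path securitycheck.txt -Value "`r`n 46. Exporting FGPP info."

# 47. Updates installed on the machine running the script.
Get-HotFix > C:\VOLSEC\$d\47-Hotfix.csv
Add-Content -Path securitycheck.txt -Value "`r`n 47. Checking Hotfix details."

# 48. Resultant set of policy as an HTML report. It covers this machine and
# the current user only, not every DC. /F overwrites a report left by an
# earlier run on the same day; without it gpresult refuses to write the file.
gpresult /H C:\VOLSEC\$d\48-GPResult.html /F
Add-Content -Path securitycheck.txt -Value "`r`n 48. Exporting policies applied to DCs."

# 49. Creation and modification time of every GPO in the domain, oldest
# first. An unexpected recent ModificationTime is worth following up.
$domainDnsRoot = (Get-ADDomain -Current LocalComputer).DNSRoot
Get-GPO -All -Domain $domainDnsRoot |
    Sort-Object creationTime |
    Format-Table Displayname, CreationTime, ModificationTime > C:\VOLSEC\$d\49-GPOCMDate.csv
Add-Content -Path securitycheck.txt -Value "`r`n 49. Exporting GPO Create and Modify Dates."

Clear-Host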

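# Checks 50-57: local state of the machine running the script (shares, tasks,
# trusts, processes, services, firewall). Apart from the trust query these
# commands describe this one host, not every DC.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 50. File shares.
Get-FileShare > C:\VOLSEC\$d\50-FileShare.csv
Add-Content -Path securitycheck.txt -Value "`r`n 50. Exporting file shares on DCs."

# 51. Scheduled tasks (summary).
Get-ScheduledTask > C:\VOLSEC\$d\51-ScheduleTaskList.csv
Add-Content -Path securitycheck.txt -Value "`r`n 51.Checking Schedule tasks running on DCs. "

# 52. Scheduled tasks with full details (run-as account, action, triggers).
schtasks /query /fo LIST /v > C:\VOLSEC\$d\52-ScheduleTaskDetails.csv
Add-Content -Path securitycheck.txt -Value "`r`n 52.Exporting Scheduled tasks. "

# 53. Domain trusts: partner, direction and type of each trustedDomain object.
# NOTE(review): trustAttributes is not exported, so settings such as SID
# filtering cannot be judged from this file.
Get-ADObject -Filter { objectClass -eq "trustedDomain" } -Properties TrustPartner, TrustDirection, trustType |
    Format-Table Name, TrustPartner, TrustDirection, TrustType > C:\VOLSEC\$d\53-TrustValidationCheck.csv
Add-Content -Path securitycheck.txt -Value "`r`n 53.Validating Domain trusts. "

# 54. Processes running under the SYSTEM account.
tasklist /FI "username eq system" /v > C:\VOLSEC\$d\54-TaskList.csv
Add-Content -Path securitycheck.txt -Value "`r`n 54. Exporting to single list. "

# 55. Services.
Get-Service > C:\VOLSEC\$d\55-Services.csv
Add-Content -Path securitycheck.txt -Value "`r`n 55. Exporting Services."

# 56. Processes that own a visible window, i.e. interactive applications.
Get-Process |
    Where-Object { $_.mainWindowTitle } |
    Format-Table id, name, mainwindowtitle -AutoSize > C:\VOLSEC\$d\56-DCProcessControl.csv
Add-Content -Path securitycheck.txt -Value "`r`n 56. Exporting processes running on DCs."

# 57. Windows Firewall state for all profiles.
netsh advfirewall show all state > C:\VOLSEC\$d\57-FWStatus.csv
Add-Content -Path securitycheck.txt -Value "`r`n 57. Checking Firewall status. "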

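# Checks 58-61: installed software and features, DES-only accounts, profiles.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 58. Installed software from the Uninstall registry keys.
# The path needs "\*" to enumerate the per-product subkeys; "Uninstall*"
# matches the Uninstall key itself and returns no product data. The native
# 64-bit key is read as well, since the Wow6432Node view only holds 32-bit
# installers.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Format-Table -AutoSize > C:\VOLSEC\$d\58-SoftwareControl.csv
Add-Content -Path securitycheck.txt -Value "`r`n 58. hecking active softwares on DCs."

# 59. Installed Windows roles and features.
Import-Module servermanager
Get-WindowsFeature |
    Where-Object { $_.Installed -eq $True } |
    Format-List DisplayName > C:\VOLSEC\$d\59-FeatureS.csv
Add-Content -Path securitycheck.txt -Value "`r`n 59.Checking active features on DCs. "

# 60. Users with userAccountControl bit 2097152 (0x200000, USE_DES_KEY_ONLY).
# Name is part of the default property set, so -Properties * is not needed.
Get-ADUser -Filter "useraccountcontrol -band 2097152" |
    Format-Table name > C:\VOLSEC\$d\60-DESusage.csv
Add-Content -Path securitycheck.txt -Value "`r`n 60. Exporting DES usage."

# 61. Profile folders under C:\Users, i.e. who has logged on to this machine.
Get-ChildItem c:\users > C:\VOLSEC\$d\61-UsersFolder.csv
Add-Content -Path securitycheck.txt -Value "`r`n 61. Exporting Users Folder Profiles."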

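# Checks 62-68: directory ACLs, SMB settings and account attributes that
# deserve a manual review.
# (The stray "$ACL" statement that preceded this section only echoed an
# unassigned variable and has been dropped.)
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

$domainDn = (Get-ADDomain -Current LocalComputer).DistinguishedName

# 62. ACL on the domain root object (needs the AD: drive of the
# ActiveDirectory module).
Get-Acl -Path "ad:$domainDn" | Format-List > C:\VOLSEC\$d\62-RootACL.csv
Add-Content -Path securitycheck.txt -Value "`r`n 62. Exporting Directory ACL Scan."

# 63. ACL on AdminSDHolder.
dsacls "CN=AdminSDHolder,CN=System,$domainDn" > C:\VOLSEC\$d\63-AdminSDHolderACLs.csv
Add-Content -Path securitycheck.txt -Value "`r`n 63. Exporting AdminSD Holder Security ACLs."

# 64. SMB server settings (signing, SMB1 and so on).
Get-SmbServerConfiguration > C:\VOLSEC\$d\64-SmbConfig.csv
Add-Content -Path securitycheck.txt -Value "`r`n 64. Exporting SMB Server Configuration."

# 65. Accounts that have the userPassword attribute populated.
# Only the account names are written. The attribute value is deliberately
# not requested or exported, so no credential material ends up in a text file
# on disk; the finding is that the attribute is set at all. (The original
# printed a userPassword column that stayed empty because the attribute was
# never requested.)
Get-ADUser -Filter "userPassword -like '*'" |
    Format-Table name, samaccountname > C:\VOLSEC\$d\65-UserPassAttribute.csv
Add-Content -Path securitycheck.txt -Value "`r`n 65. Exporting User Password Attribute."

# 66. Programs registered to start automatically.
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, command, Location, User |
    Format-List > C:\VOLSEC\$d\66-StartupApps.csv
Add-Content -Path securitycheck.txt -Value "`r`n 66. Exporting Startup Application List."

# 67. Managed service accounts with all attributes.
Get-ADServiceAccount -Filter * -Properties * > C:\VOLSEC\$d\67-ServiceAccounts.csv
Add-Content -Path securitycheck.txt -Value "`r`n 67. Exporting Service Accounts."

# 68. Users with sIDHistory values.
# NOTE(review): sIDHistory is named in both -Property and -ExpandProperty of
# Select-Object; verify that the export contains the expected rows.
Get-ADUser -Filter * -Property sIDHistory |
    Where-Object sIDHistory |
    Select-Object name, sIDHistory -ExpandProperty sidHistory |
    Format-Table name, sIDHistory -AutoSize > C:\VOLSEC\$d\68-SidHistory.csv
Add-Content -Path securitycheck.txt -Value "`r`n 68. Exporting Sid History Accounts."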

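# Checks 69-70: WMI event subscriptions and the Windows temp folder.
# Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.

# 69. Permanent WMI event subscriptions: filters, consumers and the bindings
# that connect them. These survive reboots, so every entry should be traceable
# to a known product or administrator.
# Get-WmiObject exists in Windows PowerShell only; under PowerShell 7 use
# Get-CimInstance with the same namespace and class names.
$wmiAuditFile = "C:\VOLSEC\$d\69-VMIAudit.csv"
Get-WmiObject -Namespace root\Subscription -Class __EventFilter > $wmiAuditFile
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer >> $wmiAuditFile
Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding >> $wmiAuditFile
Add-Content -Path securitycheck.txt -Value "`r`n 69. Exporting WMI Event Consumer."

# 70. Contents of C:\Windows\Temp (top level only).
Get-ChildItem c:\windows\Temp > C:\VOLSEC\$d\70-WinTemp.csv
Add-Content -Path securitycheck.txt -Value "`r`n 70. Exporting Windows Temp Directory."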

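# Checks 71-82: registry keys that hold security-relevant policy settings,
# exported with "reg export" into the output folder.
# - The files are registry export (.reg) text despite the .csv extension.
# - /y overwrites a file left by an earlier run on the same day instead of
#   stopping at an overwrite prompt.
# - A key that does not exist produces an error and no file; for the keys
#   under Software\Policies that usually means the policy is not configured.
#   The log entry is written either way, so check that the file is there.
# - Key names are given without a trailing backslash.
Set-Location -Path "C:\VOLSEC\$d\"

$registryExports = @(
    @{ Key = 'hklm\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';                      File = '71-AutoPlayReg.csv';        Log = "`r`n 71. Exporting Auto Play Status." }
    @{ Key = 'hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration';         File = '72-RemoteConnEncry.csv';    Log = "`r`n 72. Exporting Remote Connection Enyreption Type Status." }
    @{ Key = 'hklm\System\CurrentControlSet\Services\LanmanWorkstation\Parameters';                    File = '73-DigitalSignCom.csv';     Log = "`r`n 73. Exporting Digitally Sgin Communication Status." }
    @{ Key = 'hklm\Software\Policies\Microsoft\Windows\WinRM\Service';                                 File = '74-WinRMRunas.csv';         Log = "`r`n 74. Exporting WinRM Runas Disable Status." }
    @{ Key = 'hklm\Software\Policies\Microsoft\Windows\System';                                        File = '75-SmartScreen.csv';        Log = "`r`n 75. Exporting Smart Screen Status." }
    @{ Key = 'hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp';              File = '76-DriveRedirection.csv';   Log = "`r`n 76. Exporting Do Not Allow Drive Redirection Status." }
    @{ Key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system';                         File = '77-KerberosArmoring.csv';   Log = "`r`n 77. Exporting Kerberos Armoring Status." }
    @{ Key = 'HKLM\System\CurrentControlSet\Control\Lsa';                                              File = '78-NTLMLevel.csv';          Log = "`r`n 78. Exporting NTLM Level Status." }
    @{ Key = 'HKLM\System\CurrentControlSet\Services\NTDS\Parameters';                                 File = '79-LdapSigning.csv';        Log = "`r`n 79. Exporting Ldap Signing Status." }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\WinRM\Client';                                  File = '80-WinRMDigest.csv';        Log = "`r`n 80. Exporting WinRM Digest Status." }
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';                        File = '81-WdigestAuth.csv';        Log = "`r`n 81. Exporting WDigest Authentication Status." }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\Personalization';                               File = '82-NoLockScreenCamera.csv'; Log = "`r`n 82. Exporting NoLockScreenCamera Status." }
)

foreach ($entry in $registryExports) {
    $keyName = $entry.Key
    $exportFile = $entry.File
    reg export $keyName $exportFile /y
    # Log text starts with CR/LF (`r`n) so every entry is preceded by a blank line.
    Add-Content -Path securitycheck.txt -Value $entry.Log
}

Clear-Host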

# Closing banner: clear the console and tell the operator where the results are.
Clear-Host

$bannerRule = ' ————————————————————'
$bannerText = ' V O L S E C is finished. You can check the C:\VOLSEC folder '

Write-Host
# Two rule lines, the message, two rule lines - all red on white.
foreach ($bannerLine in $bannerRule, $bannerRule, $bannerText, $bannerRule, $bannerRule) {
    Write-Host $bannerLine -ForegroundColor red -BackgroundColor white
}
Write-Host