Active Directory Health Checkup
<#
Active Directory Health Checkup
Volsys10 7.7.2022
102
Garden
#>
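# Prepare the output folder C:\Volsys\<ddMMyyyy> and start the run log (adcheck.txt).
# Later steps that use a relative file name rely on the location set here.
Set-Location C:\
# Test-Path is used because Get-ChildItem raises an error when the folder is missing
# and returns nothing when it exists but is empty, so it cannot serve as an
# existence check.
if (-not (Test-Path -Path 'C:\Volsys' -PathType Container)) {
    New-Item -Path 'C:\Volsys' -ItemType Directory | Out-Null
}
# The exports written below include GPO backups, directory ACLs and privileged-group
# membership. Remove inherited permissions so that only the local Administrators
# group and SYSTEM can read them (icacls accepts SIDs prefixed with *).
icacls 'C:\Volsys' /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
Set-Location C:\Volsys
$d = Get-Date -UFormat %d%m%Y
# -Force keeps a second run on the same day from failing on the existing folder.
New-Item -Path $d -ItemType Directory -Force | Out-Null
Set-Location $d
if (-not (Test-Path -Path 'ADCHECK.txt')) {
    New-Item -Name ADCHECK.txt -ItemType File | Out-Null
}
Add-Content adcheck.txt "Exported Files to be in C:\Volsys\$d\"
Add-Content adcheck.txt "======================================================"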
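# 1. Record, per DC, when each directory partition was last backed up.
repadmin /showbackup * > C:\Volsys\$d\1-ADBackupStatus.txt
# Each log entry starts with a CR+LF escape (`r`n). Without the backticks the
# literal letters "r" and "n" end up in adcheck.txt.
$ADB = "`r`n 1.AD Backup is controlled"
$ADB | Add-Content adcheck.txt
Clear-Host
# 2. NOTE(review): this step is not read-only. "snapshot create" makes a new
# snapshot of the NTDS database on this DC on every run, and nothing in this
# script removes older snapshots - plan their clean-up separately.
New-Item -Name 2-ADSnapshot.txt -ItemType File
Add-Content 2-adsnapshot.txt "Active Directory Snapshot is started"
ntdsutil "act inst ntds" snap cre "list all" q q
$ADSNAP = "`r`n 2.Active Directory SnapShot is taken"
$ADSNAP | Add-Content adcheck.txt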
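# 3. Export the distinguished name of every directory object.
# DistinguishedName is returned by default, so requesting every attribute of every
# object (-Properties *) only adds load on the DC.
Get-ADObject -Filter * | Format-Table DistinguishedName > 3-DN.txt
$DN = "`r`n 3.DistinguishedName's are exported"
$DN | Add-Content adcheck.txt

# 4. Back up all GPOs into the run folder.
# NOTE(review): GPO backups can carry scripts and preference items; treat the
# GPOBackup folder as sensitive when the results are copied off the DC.
New-Item -Name 4-GPOBackup.txt -ItemType File
Add-Content 4-gpobackup.txt "GPOs backup is started"
New-Item -Name GPOBackup -ItemType Directory
Backup-GPO -All -Path c:\volsys\$d\GPOBackup
$GPOB = "`r`n 4.GPO backup is done"
$GPOB | Add-Content adcheck.txt

# 5. Export the DNS zone named after the domain's DNS root.
# NOTE(review): the file name is relative to the DNS server's own directory, not to
# the run folder - presumably %windir%\System32\dns; confirm and collect it from there.
New-Item -Name 5-DNSExport.txt -ItemType File
Add-Content 5-dnsexport.txt "DNS Zones export"
$dns = (Get-ADDomain -Current LocalComputer).DNSRoot
Export-DnsServerZone $dns dnsbackup.export
$dnsex = "`r`n 5.DNS Zone Export is complete"
$dnsex | Add-Content adcheck.txt
Clear-Host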
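# 6. Forest and domain summary.
Get-ADForest > C:\Volsys\$d\6-ForestDomain.txt
Get-ADDomain >> C:\Volsys\$d\6-ForestDomain.txt
"`r`n 6.Exporting Forest and Domain info" | Add-Content adcheck.txt

# 7-10. Direct members of the built-in privileged groups.
# NOTE(review): members that arrive through nested groups are not expanded here;
# Get-ADGroupMember has a -Recursive switch if the effective membership is wanted.
Get-ADGroupMember "domain admins" | Format-Table name, samaccountname > C:\Volsys\$d\7-DomainAdmins.txt
"`r`n 7.Exporting Domain Admins group members" | Add-Content adcheck.txt
Get-ADGroupMember "enterprise admins" | Format-Table name, samaccountname > C:\Volsys\$d\8-EnterpriseAdmins.txt
"`r`n 8.Exporting Enterprise Admins group members" | Add-Content adcheck.txt
Clear-Host
Get-ADGroupMember "schema admins" | Format-Table name, samaccountname > C:\Volsys\$d\9-SchemAdmins.txt
"`r`n 9.Exporting Schema Admins group members" | Add-Content adcheck.txt
Get-ADGroupMember "administrators" | Format-Table name, samaccountname > C:\Volsys\$d\10-Administrators.txt
"`r`n 10.Exporting Administrators group members" | Add-Content adcheck.txt

# 11-14. Last logon data for the same groups, all appended to one file.
# Only user members are passed on: groups such as Administrators also contain
# group objects, and Get-ADUser raises an error for each of those.
# Only the two logon attributes are requested instead of every attribute.
Get-ADGroupMember "domain admins" | Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, lastLogonTimestamp |
    Format-Table name, samaccountname, lastlogondate, lastlogontimestamp > C:\Volsys\$d\11-Logondates.txt
"`r`n 11.Exporting Logon time of Domain Admins group members." | Add-Content adcheck.txt
Get-ADGroupMember "enterprise admins" | Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, lastLogonTimestamp |
    Format-Table name, samaccountname, lastlogondate, lastlogontimestamp >> C:\Volsys\$d\11-Logondates.txt
"`r`n 12.Exporting Logon time of Enterprise Admins group members." | Add-Content adcheck.txt
Clear-Host
Get-ADGroupMember "schema admins" | Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, lastLogonTimestamp |
    Format-Table name, samaccountname, lastlogondate, lastlogontimestamp >> C:\Volsys\$d\11-Logondates.txt
"`r`n 13.Exporting Logon time of Schema Admins group members." | Add-Content adcheck.txt
Get-ADGroupMember "administrators" | Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, lastLogonTimestamp |
    Format-Table name, samaccountname, lastlogondate, lastlogontimestamp >> C:\Volsys\$d\11-Logondates.txt
"`r`n 14.Exporting Logon time of Administrators group members." | Add-Content adcheck.txt
Clear-Host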
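# 15. Remaining RID pool, taken from the verbose RidManager test output.
Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain" > C:\Volsys\$d\12-RIDPOOL.txt
"`r`n 15.Rid Pool control" | Add-Content adcheck.txt

# 16-17. Total size of the NTDS and SYSVOL folders.
# NOTE(review): both paths are the installation defaults; on a DC whose database or
# SYSVOL was placed elsewhere these figures will be empty or misleading.
Get-ChildItem c:\windows\ntds -Recurse | Measure-Object -Property Length -Sum > C:\Volsys\$d\13-NTDSSeize.txt
"`r`n 16.Exporting NTDS size" | Add-Content adcheck.txt
Get-ChildItem c:\windows\sysvol -Recurse | Measure-Object -Property Length -Sum > C:\Volsys\$d\14-SYSVOLSeize.txt
"`r`n 17.Exporting Sysvol size." | Add-Content adcheck.txt

# 18. Replication status of every DC as an HTML table.
Repadmin /showrepl * /csv | ConvertFrom-Csv |
    Select-Object "Source DSA", "Naming Context", "Destination DSA", "Number of Failures", "Last Failure Time", "Last Success Time", "Last Failure Status" |
    ConvertTo-Html > C:\Volsys\$d\15-ADReplSum.html
"`r`n 18.Checking AD replication." | Add-Content adcheck.txt

# 19. Backup status again, now that the snapshot step has run.
repadmin /showbackup * >> C:\Volsys\$d\16-ADBackupStatus.txt
"`r`n 19.Exporting AD backup status after snapshut." | Add-Content adcheck.txt
Clear-Host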
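# 20. Holders of the FSMO roles.
netdom query fsmo > C:\Volsys\$d\17-FSMORoles.txt
"`r`n 20.Checking FSMO roles." | Add-Content adcheck.txt

# 21. Schema version (objectVersion of the schema naming context).
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion > C:\Volsys\$d\18-SchemaVersion.txt
"`r`n 21.Checking Schema version." | Add-Content adcheck.txt

# 22. Time service configuration and offsets.
W32tm /query /configuration > C:\Volsys\$d\19-TimeConfig.txt
W32tm /monitor >> C:\Volsys\$d\19-TimeConfig.txt
"`r`n 22.Checking Time Server." | Add-Content adcheck.txt

# 23. Users inactive for 12 weeks or longer (-inactive counts weeks).
# NOTE(review): -limit 5000 silently truncates the list in larger directories.
dsquery user -inactive 12 -limit 5000 > C:\Volsys\$d\20-InActiveUsers.txt
"`r`n 23.Exporting list of people who did not loging last three months." | Add-Content adcheck.txt
Clear-Host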
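# 24. Computers inactive for 12 weeks or longer; the list is capped at 5000 entries.
dsquery computer -inactive 12 -limit 5000 > C:\Volsys\$d\21-InActiveComputers.txt
"`r`n 24.Exporting list of computers which did not authenticate last three months" | Add-Content adcheck.txt

# 25. 66048 = 512 (NORMAL_ACCOUNT) + 65536 (DONT_EXPIRE_PASSWORD). -band matches
# accounts that have all of these bits set, i.e. user accounts whose password never
# expires. The log text says exactly that; "password not required" is step 26.
Get-ADUser -Filter 'useraccountcontrol -band 66048' -Properties useraccountcontrol |
    Sort-Object enabled | Format-Table Name, Samaccountname, Enabled > C:\Volsys\$d\22-PassNeverExpiredUsers.txt
"`r`n 25.Exporting password never expires users." | Add-Content adcheck.txt

# 26. 544 = 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD): accounts that may have an
# empty password regardless of the domain password policy.
Get-ADUser -Filter 'useraccountcontrol -band 544' -Properties useraccountcontrol |
    Format-Table Name, Samaccountname, useraccountcontrol > C:\Volsys\$d\23-PassNotRequiredUsers.txt
"`r`n 26. Listing Password not required users." | Add-Content adcheck.txt

# 27. Bad-password counters for every user, oldest bad attempt first.
# NOTE(review): nothing here filters on a lockout threshold of 5; the file lists
# all users and has to be read with the domain lockout policy in mind.
# Only the attributes that are printed are requested from the DC.
Get-ADUser -Filter * -Properties badPwdCount, badPasswordTime, LastLogonDate |
    Sort-Object badpasswordtime |
    Format-Table name, badpwdcount, @{N = 'badpasswordtime'; E = { [DateTime]::FromFileTime($_.badpasswordtime) } }, lastlogondate > C:\volsys\$d\24-Security.txt
"`r`n 27.Listing users if Account Lock Out value is 5." | Add-Content adcheck.txt

# 28. Site, address and operating system of every DC.
Get-ADDomainController -Filter * | Sort-Object site |
    Format-Table name, domain, site, IPv4Address, operatingsystem -Wrap > c:\volsys\$d\25-DCInfo.txt
"`r`n 28.Exporting OS and IP info of DCs." | Add-Content adcheck.txt
Clear-Host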
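# 29. Replication summary.
Repadmin /replsum > c:\Volsys\$d\26-Replication.txt
"`r`n 29.Exporting Replication configuration status." | Add-Content adcheck.txt

# 30. Replication topology and queue details, collected into one file.
repadmin /showoutcalls * > c:\Volsys\$d\27-Replconfig.txt
repadmin /bridgeheads * /verbose >> c:\Volsys\$d\27-Replconfig.txt
repadmin /istg * /verbose >> c:\Volsys\$d\27-Replconfig.txt
repadmin /failcache * >> c:\Volsys\$d\27-Replconfig.txt
Repadmin /showtrust * >> c:\Volsys\$d\27-Replconfig.txt
repadmin /bind * >> c:\Volsys\$d\27-Replconfig.txt
repadmin /queue * >> c:\Volsys\$d\27-Replconfig.txt
"`r`n 30.AD DC replication configuration is exported" | Add-Content adcheck.txt

# 31. Run the Directory Services Best Practices Analyzer model and keep every
# result that is not purely informational.
$BPAModel = "Microsoft/Windows/DirectoryServices"
Invoke-BpaModel -Id $BPAModel
Get-BpaResult -Id $BPAModel | Where-Object { $_.severity -ne "Information" } |
    Out-File -FilePath c:\Volsys\$d\28-BestPracticesWarnings.log
"`r`n 31.Exporting AD Best Practice Analyzer results." | Add-Content adcheck.txt

# 32. OUs sorted by their accidental-deletion protection flag, so unprotected
# OUs are listed first.
Get-ADOrganizationalUnit -Filter * -Properties CanonicalName, ProtectedFromAccidentalDeletion |
    Sort-Object ProtectedFromAccidentalDeletion |
    Format-Table canonicalname, ProtectedFromAccidentalDeletion > c:\Volsys\$d\29-ProtectedOU.txt
"`r`n 32. Exporting Protected OU status." | Add-Content adcheck.txt
Clear-Host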
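# 33. Last boot time of every DC in this domain and its child domains.
$GlobalOutput = @()
$domaininfo = Get-ADDomain
$rootdomain = $domaininfo.Forest
# @() keeps the result an array even when a domain has a single DC; adding to a
# single ADComputer object with "+" fails.
# NOTE(review): the search base is this domain's Domain Controllers container but
# the query is sent to the forest root - confirm this works when run in a child domain.
$AllDCs = @(Get-ADComputer -Server $rootdomain -SearchBase $domaininfo.DomainControllersContainer -Filter *)
foreach ($child in $domaininfo.ChildDomains) {
    $searchbase = Get-ADDomain -Server $child
    $AllDCs += @(Get-ADComputer -Server $child -SearchBase $searchbase.DomainControllersContainer -Filter *)
}
foreach ($Computer in $AllDCs) {
    # Every DC gets a row; the two boot columns stay "Conn Error" unless the DC
    # answers a ping and the remote query succeeds.
    $Output = New-Object -TypeName psobject
    $Output | Add-Member -MemberType 'NoteProperty' -Name 'ComputerName' -Value $Computer.Name
    $Output | Add-Member -MemberType 'NoteProperty' -Name 'BootDate' -Value "Conn Error"
    $Output | Add-Member -MemberType 'NoteProperty' -Name 'BootTime' -Value "Conn Error"
    if (Test-Connection -ComputerName $Computer.Name -BufferSize 16 -Count 1 -ErrorAction SilentlyContinue -Quiet) {
        try {
            # LastBootUpTime is a DateTime, so no text parsing of systeminfo output
            # is needed; that parsing depended on the English wording and on the
            # regional date format of each DC.
            $boot = Invoke-Command -ComputerName $Computer.Name -ErrorAction Stop -ScriptBlock {
                (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
            }
            $Output.BootDate = $boot.ToString('yyyy-MM-dd')
            $Output.BootTime = $boot.ToString('HH:mm:ss')
        }
        catch {
            # Remoting failed although the ping succeeded; keep "Conn Error".
        }
    }
    $GlobalOutput += $Output
}
$GlobalOutput > C:\Volsys\$d\30-DCReboot.txt
Clear-Host
"`r`n 33. Exporting reboot time of DCs." | Add-Content adcheck.txt
Clear-Host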
import-module grouppolicy
# Returns $true when the parsed GPO XML report has no LinksTo element under the
# GPO node, and $false when at least one LinksTo element is present.
# $xmldata: an [xml] document as produced from Get-GPOReport -ReportType xml.
function IsNotLinked($xmldata) {
    # $null is placed on the left so a collection of LinksTo elements is compared
    # as a whole instead of being filtered element by element.
    $hasNoLink = ($null -eq $xmldata.GPO.LinksTo)
    return $hasNoLink
}
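# 34. GPOs that are not linked to any site, domain or OU.
# Each GPO's XML report is parsed and handed to IsNotLinked; GPOs without a
# LinksTo element are collected.
$unlinkedGPOs = @()
Get-GPO -All | ForEach-Object {
    $gpo = $_
    $report = [xml]($gpo | Get-GPOReport -ReportType xml)
    if (IsNotLinked($report)) {
        $unlinkedGPOs += $gpo
    }
}
if ($unlinkedGPOs.Count -eq 0) {
    "No Unlinked GPO's Found" > c:\volsys\$d\31-UnlinkedGpo.txt
}
else {
    $unlinkedGPOs | Select-Object DisplayName, ID | Format-Table >> c:\volsys\$d\31-UnlinkedGpo.txt
}
"`r`n 34.Exporting list of GPO which has no link to anywere." | Add-Content adcheck.txt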
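# 35. Effective audit policy of this DC.
auditpol /get /category:* > c:\Volsys\$d\32-AuditPolicy.txt
"`r`n 35. Exporting Audit Policy configuration." | Add-Content adcheck.txt

# 36. Computer accounts that report a legacy operating system.
# -like without wildcards is an exact match, so the patterns need the surrounding
# "*" (presumably lost when the script was published). The 2008 test belongs inside
# the filter script block, and OperatingSystemVersion has to be requested for the
# "4.0" test to see a value.
Get-ADComputer -Filter * -Property Name, OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion |
    Where-Object {
        ($_.operatingsystem -like "*XP*") -or
        ($_.operatingsystem -like "*2000*") -or
        ($_.operatingsystem -like "*2003*") -or
        ($_.operatingsystemversion -like "*4.0*") -or
        ($_.operatingsystem -like "*2008*")
    } |
    Format-Table Name, OperatingSystem, OperatingSystemServicePack -Wrap -AutoSize > c:\volsys\$d\33-OSSeize.txt
"`r`n 36. Listing Legacy OS." | Add-Content adcheck.txt

# 37. Full dcdiag run against this DC.
DCdiag > c:\Volsys\$d\34-DCdiag.txt
"`r`n 37. DCDiag " | Add-Content adcheck.txt
Clear-Host

# 38. NOTE(review): Get-GPOLink is not defined anywhere in this script; confirm
# that a module providing it is installed, otherwise this file stays empty.
Get-GPO -All | Get-GPOLink | Format-Table -AutoSize > c:\Volsys\$d\35-GPOLinks.txt
"`r`n 38. Exporting GPO links." | Add-Content adcheck.txt
Clear-Host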
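# 39. PowerShell host version and culture settings.
Get-Host | Format-Table version, cur* > c:\Volsys\$d\36-PSVersion.txt
"`r`n 39. Checking PowerSehll version." | Add-Content adcheck.txt

# 40. Groups without any member.
Get-ADGroup -Filter * -Properties Members | Where-Object { -not $_.members } |
    Format-Table name > c:\Volsys\$d\37-EmptyGroups.txt
"`r`n 40. Checking empty groups." | Add-Content adcheck.txt

# 41. OUs without any direct child object (one-level search, first hit is enough).
Get-ADOrganizationalUnit -Filter * |
    Where-Object { -not (Get-ADObject -Filter * -SearchBase $_.Distinguishedname -SearchScope OneLevel -ResultSetSize 1) } |
    Select-Object Name, DistinguishedName > c:\Volsys\$d\38-EmptyOUs.txt
"`r`n 41. Checking empty OUs." | Add-Content adcheck.txt

# 42. Every XML file below SYSVOL, hidden ones included.
# The listing is input for a manual review: Group Policy Preferences XML files in
# SYSVOL are readable by all domain users and older ones can still hold a stored
# password (cpassword attribute). The path is the default SYSVOL location.
Get-ChildItem c:\windows\sysvol\ *.xml -Recurse -Force > c:\Volsys\$d\39-GpoXml.txt
"`r`n 42. Checking XML files within Sysvol folder." | Add-Content adcheck.txt
Clear-Host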
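# 43. The built-in Administrator account, located by its well-known RID 500 so that
# a renamed account is still found.
$BA = (Get-ADDomain).DomainSID
$BA = $BA.ToString() + "-500"
Get-ADUser -Identity $BA -Properties * > c:\Volsys\$d\40-RID500Info.txt
"`r`n 43. Checking RID-500 Account info." | Add-Content adcheck.txt

# 44. fSMORoleOwner of the Infrastructure object in the DomainDnsZones partition.
# ldifde writes the attribute into the .ldf file in the current folder; only its
# console output goes to 41-FsmoRoleOwner.txt.
$DN = (Get-ADDomain -Current LocalComputer).DistinguishedName
ldifde -f 58-Infra_DomainDNSZones.ldf -d "CN=Infrastructure,DC=DomainDnsZones,$DN" -l fSMORoleOwner >> c:\Volsys\$d\41-FsmoRoleOwner.txt
"`r`n 44. Listing FSMO Owner info." | Add-Content adcheck.txt
Clear-Host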
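# 80. Size of the "net session" output on every DC.
# NOTE(review): the number written is the count of output lines, header and footer
# lines included, so it is an indicator rather than the exact number of sessions.
$DC = Get-ADDomainController -Filter *
$Dcs = $DC.Name
$Dcs
foreach ($dcName in $Dcs) {
    $dcName
    $sessionLines = Invoke-Command -ComputerName $dcName -ScriptBlock { Net Session }
    $dcName >> c:\volsys\$d\80-Session.txt
    $sessionLines.count >> c:\volsys\$d\80-Session.txt
}
"`r`n 80. Exporting DC Sessions Count." | Add-Content adcheck.txt

# 45. Forest-wide search for duplicate SPNs.
Setspn -x -f > 42-SPN.txt
"`r`n 45. Listing Dublicate SPNs." | Add-Content adcheck.txt

# 46. NOTE(review): no command runs for this step; the log entry is written without
# any export. Clients from subnets that are not mapped to a site are normally
# visible in netlogon.log, which step 47 copies.
"`r`n 46. Checking missing subnets." | Add-Content adcheck.txt
Clear-Host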
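# 47. Keep a copy of the Netlogon debug log of this DC.
Set-Location C:\
Copy-Item C:\Windows\debug\netlogon.log c:\Volsys\$d\44-Netlogon.txt
# Return to the run folder before logging, because adcheck.txt is addressed by a
# relative name.
Set-Location c:\Volsys\$d\
"`r`n 47. Copying Netlogon.log file." | Add-Content adcheck.txt
Clear-Host

# 48. NOTE(review): this step changes state - /resync /rediscover makes the DC
# re-detect its time sources and resynchronise, it does not only report.
w32tm /resync /rediscover > C:\Volsys\$d\45-DCNtpSync.TXT
"`r`n 48. Checking sync of DC and NTP server." | Add-Content adcheck.txt

# 49. Sites, site links, connection objects and subnets.
Get-ADReplicationSiteLink -Filter * > C:\Volsys\$d\46-DSSiteConfig.TXT
Get-ADReplicationSite >> C:\Volsys\$d\46-DSSiteConfig.TXT
Get-ADReplicationConnection >> C:\Volsys\$d\46-DSSiteConfig.TXT
Get-ADReplicationSubnet -Filter * >> C:\Volsys\$d\46-DSSiteConfig.TXT
"`r`n 49. Exporting site configuratoin." | Add-Content adcheck.txt

# 50. Default domain password policy.
Get-ADDefaultDomainPasswordPolicy -Current LocalComputer > C:\Volsys\$d\47-DomainPolicy.TXT
"`r`n 50. Exporting DDPP configuration." | Add-Content adcheck.txt
Clear-Host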
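# 51. Password age and "never expires" flag for the direct user members of the
# privileged and operator groups. The first group overwrites the report, the rest
# append to it.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators',
    'Server Operators', 'Backup Operators', 'Print Operators'
$pwdReport = "C:\Volsys\$d\48-PrivGroupsMemberPassNevExpires.TXT"
$firstGroup = $true
foreach ($grp in $privGroups) {
    # Group and computer members are skipped: Get-ADUser raises an error for them.
    $rows = Get-ADGroupMember -Identity $grp |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.SamAccountName -Properties PasswordLastSet, PasswordNeverExpires |
                Select-Object Name, PasswordLastSet, PasswordNeverExpires
        }
    if ($firstGroup) {
        $rows > $pwdReport
        $firstGroup = $false
    }
    else {
        $rows >> $pwdReport
    }
}
"`r`n 51. Listing users who has password never expire and member of admin groups." | Add-Content adcheck.txt

# 52. Installed updates on this DC.
Get-HotFix > C:\Volsys\$d\49-Hotfix.TXT
"`r`n 52. Checking Hotfix details." | Add-Content adcheck.txt

# 53. Disabled computer accounts (userAccountControl bit 2 = ACCOUNTDISABLE).
Get-ADComputer -Filter "useraccountcontrol -band 2" -Properties useraccountcontrol |
    Format-Table name > C:\Volsys\$d\50-DisableComp.TXT
"`r`n 53. Checking disabled computers." | Add-Content adcheck.txt
Clear-Host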
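# 54. Disabled user accounts (userAccountControl bit 2 = ACCOUNTDISABLE).
Get-ADUser -Filter "useraccountcontrol -band 2" -Properties useraccountcontrol |
    Format-Table name > C:\Volsys\$d\51-DisableUsers.TXT
"`r`n 54. Listing disabled users." | Add-Content adcheck.txt

# 55. Accounts with adminCount = 1, i.e. accounts that are or once were covered by
# protected-group handling. Name and Enabled are returned by default.
Get-ADUser -Filter "admincount -eq 1" | Format-Table name, Enabled > C:\Volsys\$d\52-AdminCount.TXT
"`r`n 55. Listing users with Admin Count set to 1." | Add-Content adcheck.txt

# 56. Resultant set of policy for this DC and the current user.
# /F overwrites the report of an earlier run; without it gpresult stops when the
# file already exists.
Gpresult /H C:\Volsys\$d\53-Gpresult.html /F
"`r`n 56. Exporting policies applied to DCs." | Add-Content adcheck.txt
Clear-Host

# 57. File shares on this DC.
Get-FileShare > C:\Volsys\$d\54-FileShare.TXT
"`r`n 57. Exporting file shares on DCs." | Add-Content adcheck.txt

# 58. Fine-grained password policies.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Format-Table Name, Precedence, MaxPasswordAge, MinPasswordLength > C:\Volsys\$d\55-FGPP.TXT
"`r`n 58. Exporting FGPP info." | Add-Content adcheck.txt

# 59. Members of Group Policy Creator Owners, who can create new GPOs.
Get-ADGroupMember "group policy creator Owners" > C:\Volsys\$d\56-GPCOMembers.TXT
"`r`n 59. Checking member of group policy creator owners group." | Add-Content adcheck.txt
Clear-Host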
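# 60. Scheduled tasks registered on this DC.
Get-ScheduledTask > C:\Volsys\$d\57-SchTask.TXT
"`r`n 60.Checking Schedule tasks running on DCs. " | Add-Content adcheck.txt

# 61. Installed roles and features.
Import-Module servermanager
Get-WindowsFeature | Where-Object { $_.Installed -eq $True } |
    Format-List DisplayName > C:\Volsys\$d\58-FeatureS.TXT
"`r`n 61.Checking active features on DCs. " | Add-Content adcheck.txt

# 62. Trust objects with partner, direction and type.
# NOTE(review): this lists the trustedDomain objects only; it does not test whether
# each trust is currently working.
Get-ADObject -Filter { objectClass -eq "trustedDomain" } -Properties TrustPartner, TrustDirection, trustType |
    Format-Table Name, TrustPartner, TrustDirection, TrustType > C:\Volsys\$d\59-TrustValidationCheck.txt
"`r`n 62.Validating Domain trusts. " | Add-Content adcheck.txt

# 63. General system information of this DC.
systeminfo > C:\Volsys\$d\60-SystemInfo.txt
"`r`n 63.Exporting System Info. " | Add-Content adcheck.txt
Clear-Host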
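# 64. Scheduled tasks in verbose list form (run-as account, action, triggers).
schtasks /query /fo LIST /v > C:\Volsys\$d\61-ScheduleTask.Txt
"`r`n 64.Exporting Scheduled tasks. " | Add-Content adcheck.txt

# 65. Processes running as SYSTEM.
tasklist /FI "username eq system" /v > C:\Volsys\$d\62-TaskList.Txt
"`r`n 65. Exporting to single list. " | Add-Content adcheck.txt

# 66. State of the Windows Firewall profiles.
netsh advfirewall show all state > C:\Volsys\$d\63-FWStatus.Txt
"`r`n 66. Checking Firewall status. " | Add-Content adcheck.txt

# 67. Logon events (4624) whose message mentions NTLM V1.
# The result belongs in the run folder; C:\NTLMv1.txt\<date>\ does not exist, so
# writing there fails and the finding is lost.
# NOTE(review): the purpose of the second match on "49194" is not documented -
# confirm it is intended, since it narrows the result to events containing that
# number. An empty file means no match in the retained Security log, not that
# NTLMv1 is unused.
Get-WinEvent -FilterHashtable @{ logname = 'Security'; ID = 4624 } |
    Where-Object { $_.message -match "ntlm v1" } |
    Where-Object { $_.message -match "49194" } |
    Format-List > C:\Volsys\$d\64-Ntlmv1.txt
"`r`n 67. NTLM V1 is in use." | Add-Content adcheck.txt

# 68. SYSVOL replication migration state (FRS to DFSR).
dfsrmig /getglobalstate > C:\Volsys\$d\65-SysvolState.txt
dfsrmig /getmigrationstate >> C:\Volsys\$d\65-SysvolState.txt
"`r`n 68. Sysvol is in use." | Add-Content adcheck.txt
Clear-Host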
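# 69. Processes that own a visible window, i.e. interactive applications on this DC.
Get-Process | Where-Object { $_.mainWindowTitle } |
    Format-Table id, name, mainwindowtitle -AutoSize > C:\Volsys\$d\66-DCProcessControl.txt
"`r`n 69. Exporting processes running on DCs." | Add-Content adcheck.txt

# 70. Installed software, read from the Uninstall registry keys.
# The path needs "\*" to enumerate the sub-keys, and the native 64-bit key is read
# as well; the Wow6432Node key alone lists 32-bit software only.
# The log text names what is exported (software, not processes).
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Format-Table -AutoSize > C:\Volsys\$d\67-SoftwareControl.txt
"`r`n 70. Listing software installed on DCs." | Add-Content adcheck.txt

# 71. Tombstone lifetime in days (empty when the forest uses the built-in default).
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime).tombstoneLifetime > C:\Volsys\$d\68-TSL.txt
"`r`n 71. Checking tombstone lifetime (TSL)." | Add-Content adcheck.txt

# 72. State of the AD Recycle Bin optional feature.
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' > C:\Volsys\$d\69-RecycleBinCheck.txt
"`r`n 72. Checking AD Recycle Bin feature." | Add-Content adcheck.txt
Clear-Host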
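# 73. All attributes of the Guest account (it should normally be disabled).
Get-ADUser guest -Properties * | Format-List > C:\Volsys\$d\70-Guest.txt
"`r`n 73. Checking guest info." | Add-Content adcheck.txt

# 74. Computer accounts with PASSWD_NOTREQD (userAccountControl bit 32).
# Only the name is printed, so no extra attributes are requested.
Get-ADComputer -Filter "useraccountcontrol -band 32" |
    Format-Table name > C:\Volsys\$d\71-PasswordNotRequiredComputers.txt
"`r`n 74. Exporting password not required computers." | Add-Content adcheck.txt

# 75. Accounts restricted to DES Kerberos keys (USE_DES_KEY_ONLY, bit 2097152).
Get-ADUser -Filter "useraccountcontrol -band 2097152" |
    Format-Table name > C:\Volsys\$d\72-DESusage.txt
"`r`n 75. Exporting DES usage." | Add-Content adcheck.txt
Clear-Host

# 76. Kerberos ticket cache of the logon session that runs this script.
Klist > C:\Volsys\$d\73-KerberosInfo.txt
Klist tgt >> C:\Volsys\$d\73-KerberosInfo.txt
Klist sessions >> C:\Volsys\$d\73-KerberosInfo.txt
Klist kcd_cache >> C:\Volsys\$d\73-KerberosInfo.txt
"`r`n 76. Exporting Kerberos info." | Add-Content adcheck.txt
Clear-Host

# 77. Accounts trusted for unconstrained delegation (TRUSTED_FOR_DELEGATION,
# bit 524288). The flag can sit on computer and on user accounts, so both are
# queried with the LDAP bitwise-AND matching rule; querying users alone misses the
# computers the file is named after. Domain controllers carry the flag by design;
# every other entry deserves a review.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties objectClass |
    Format-Table name, objectClass > C:\Volsys\$d\74-TrustedDelegationComputers.txt
"`r`n 77. Checking Trusted Delegation Computers." | Add-Content adcheck.txt
Clear-Host

# 78. DNS server configuration of this DC.
Get-DnsServer > C:\Volsys\$d\75-DnsServer.txt
"`r`n 78. Checking DNS Servers." | Add-Content adcheck.txt
Clear-Host

# 79. DFSR service configuration.
Get-DfsrServiceConfiguration > C:\Volsys\$d\76-DFSRConfiguration.txt
"`r`n 79. Checking DFSR Configuration." | Add-Content adcheck.txt
Clear-Host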
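# 81. Profile folders on this DC: a quick view of who has logged on interactively.
Get-ChildItem c:\users > C:\Volsys\$d\77-UsersFolder.txt
"`r`n 81. Exporting Users Folder Profiles." | Add-Content adcheck.txt

# 82. One HTML report with the settings of every GPO, read from this DC.
$ds = (Get-ADDomain -Current LocalComputer).DNSRoot
$ht = hostname
Get-GPOReport -All -Domain $ds -Server $ht -ReportType Html -Path "C:\Volsys\$d\78-GPOReportsAll.html"
"`r`n 82. Exporting ALL GPOs Settings." | Add-Content adcheck.txt
Clear-Host

# 83. Number of user, computer and group accounts.
# @() guarantees a countable array even for zero or one result, and the default
# property set is enough for counting, so -Properties * is not requested.
Set-Location C:\
Set-Location c:\volsys\$d
"All User Account Counts:" | Add-Content 79-AllAccountCount.txt
@(Get-ADUser -Filter *).Count | Add-Content 79-AllAccountCount.txt
"All Computer Account Counts:" | Add-Content 79-AllAccountCount.txt
@(Get-ADComputer -Filter *).Count | Add-Content 79-AllAccountCount.txt
"All Group Account Counts:" | Add-Content 79-AllAccountCount.txt
@(Get-ADGroup -Filter *).Count | Add-Content 79-AllAccountCount.txt
"`r`n 83. Exporting ALL Account Count." | Add-Content adcheck.txt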
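# 84. ACL of the domain root object, read through the AD: drive.
$DN = (Get-ADDomain -Current LocalComputer).DistinguishedName
Get-Acl -Path "AD:\$DN" | Format-List > C:\Volsys\$d\81-RootACL.TXT
"`r`n 84. Exporting Directory ACL Scan." | Add-Content adcheck.txt
Clear-Host

# 85. SMB server settings (protocol versions, signing, encryption).
Get-SmbServerConfiguration > C:\Volsys\$d\82-SmbConfig.TXT
"`r`n 85. Exporting SMB Server Configuration." | Add-Content adcheck.txt
Clear-Host

# 86. Directory Service event log.
Get-EventLog "Directory Service" | Select-Object entrytype, source, eventid, message > C:\Volsys\$d\83-DSEvent.TXT
"`r`n 86. Exporting Directory Services Event Logs." | Add-Content adcheck.txt

# 87. Sites and site links.
Get-ADReplicationSite > C:\Volsys\$d\84-ADSiteLink.TXT
Get-ADReplicationSiteLink -Filter * >> C:\Volsys\$d\84-ADSitelink.TXT
"`r`n 87.Exporting Active Directory Site and Sitelink Information." | Add-Content adcheck.txt

# 88. Accounts whose userPassword attribute is populated.
# Only the account names are written. The attribute can hold a password in
# recoverable form, so its value is deliberately kept out of a text file on disk;
# the finding is that the attribute is set at all.
Get-ADUser -Filter "userPassword -like '*' " |
    Format-Table name, samaccountname > C:\Volsys\$d\85-UserPass.TXT
"`r`n 88. Exporting User Password Attribute." | Add-Content adcheck.txt

# 89. ACL of AdminSDHolder, the template applied to protected accounts and groups.
$DN = (Get-ADDomain -Current LocalComputer).DistinguishedName
Dsacls "CN=AdminSDHolder,CN=System,$DN" > C:\Volsys\$d\86-AdminSDHolderACLs.TXT
"`r`n 89. Exporting AdminSD Holder Security ACLs." | Add-Content adcheck.txt

# 90. Members of Pre-Windows 2000 Compatible Access.
Get-ADGroupMember "Pre-Windows 2000 Compatible Access" > C:\Volsys\$d\87-Pre-Windows2000.TXT
"`r`n 90. Exporting Pre-Windows 2000 Group Members." | Add-Content adcheck.txt

# 91. Programs started automatically at logon on this DC.
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User |
    Format-List > C:\Volsys\$d\88-StartupApps.TXT
"`r`n 91. Exporting Startup Application List." | Add-Content adcheck.txt

# 92. Members of the Protected Users group.
Get-ADGroupMember "protected users" | Format-Table name > C:\Volsys\$d\89-ProtectedUsersGroupMembers.TXT
"`r`n 92. Exporting Protected USers Group Member." | Add-Content adcheck.txt

# 93. Password age and expiry flags of every user.
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires |
    Sort-Object PasswordExpired |
    Format-Table Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires > C:\Volsys\$d\90-PasswordExpires.TXT
"`r`n 93. Exporting Password Expires Users." | Add-Content adcheck.txt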
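# Steps 94-102. The run log is addressed by its full path here. Stepping up one
# folder before each step while logging to a relative "adcheck.txt" scatters these
# entries over C:\Volsys\adcheck.txt and C:\adcheck.txt instead of the run folder.
$runLog = "C:\Volsys\$d\adcheck.txt"
Clear-Host

# 94. OU tree, sorted by canonical name.
Get-ADOrganizationalUnit -Properties CanonicalName -Filter * | Sort-Object CanonicalName |
    Format-List CanonicalName, DistinguishedName > C:\Volsys\$d\91-ADOUStructure.TXT
"`r`n 94. Exporting AD OU Structure." | Add-Content $runLog
Clear-Host

# 95. Creation and modification time of every GPO, oldest first.
$dnsRoot = (Get-ADDomain -Current LocalComputer).DNSRoot
Get-GPO -All -Domain $dnsRoot | Sort-Object creationTime |
    Format-Table Displayname, CreationTime, ModificationTime > C:\Volsys\$d\92-GPOCMDate.TXT
"`r`n 95. Exporting GPO Create and Modify Dates." | Add-Content $runLog
Clear-Host

# 96. Members of Terminal Server License Servers.
Get-ADGroupMember "Terminal Server License Servers" > C:\Volsys\$d\93-TerminalServerLicesnceServers.TXT
"`r`n 96. Exporting Terminal Server License Servers Group Members." | Add-Content $runLog
Clear-Host

# 97. SHA-256 of the files directly in System32, as a baseline for later comparison.
# The wildcard needs the path separator: "system32*.*" matches names in C:\Windows
# that merely start with "system32", not the folder's content.
Get-FileHash -Algorithm SHA256 -Path "C:\Windows\System32\*.*" |
    Format-List > C:\Volsys\$d\94-FileHashes.TXT
"`r`n 97. Exporting System32 Folders, Hashes." | Add-Content $runLog
Clear-Host

# 98. Services on this DC.
Get-Service > C:\Volsys\$d\95-Services.TXT
"`r`n 98. Exporting Services." | Add-Content $runLog
Clear-Host

# 99. Currently locked-out accounts; the log text names this export.
Search-ADAccount -LockedOut > C:\Volsys\$d\96-LockedAccount.TXT
"`r`n 99. Exporting Locked Out Accounts." | Add-Content $runLog

# 100. NTDS service parameters. /y overwrites the export of an earlier run instead
# of waiting for a confirmation.
reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" C:\Volsys\$d\97-NTDSParameters.TXT /y
"`r`n 100. Exporting NTDS Parameters." | Add-Content $runLog

# 101. Certificates in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\my > C:\Volsys\$d\98-CompPersonelCert.TXT
"`r`n 101. Exporting Computer Persones Cert Parameters." | Add-Content $runLog

# 102. SPNs registered on this DC's computer account.
$nm = hostname
Get-ADComputer $nm -Properties ServicePrincipalNames |
    Format-List ServicePrincipalNames > C:\Volsys\$d\99-DCSpn.TXT
"`r`n 102. Exporting DC SPN info." | Add-Content $runLog

# Leave the session at the drive root, where the script has always ended.
Set-Location C:\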
# Final banner: clear the console and print the completion notice framed by two
# rule lines above and below, red text on a white background.
Clear-Host
$rule = ' ————————————————————'
$notice = ' V O L S Y S is finished. You can check the C:\Volsys folder '
Write-Host
foreach ($bannerLine in @($rule, $rule, $notice, $rule, $rule)) {
    Write-Host $bannerLine -ForegroundColor red -BackgroundColor white
}
Write-Host