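# ---------------------------------------------------------------------------
# Output folder setup and section A (AD snapshot, DN list, GPO backup).
# All results go to C:\Volsys\<dd-MM-yyyy-HHmm>\ and each finished step is
# logged to REPORT.txt in that folder.
#
# NOTE(review): the exports written by this script (privileged group
# membership, ACLs, krbtgt attributes, GPO backups) are sensitive. The folder
# is created here with inherited permissions; confirm that only the auditing
# administrators can read C:\Volsys and remove the data once it is reviewed.
# ---------------------------------------------------------------------------
$BasePath = "C:\Volsys"
# Test-Path replaces the earlier Get-ChildItem probe, which raised an error
# when the folder was missing and tried to re-create it when it was empty.
if (-not (Test-Path $BasePath)) {
    New-Item -Path $BasePath -ItemType Directory | Out-Null
}
Set-Location $BasePath
# One time-stamped sub-folder per run; later steps rely on it being the
# current directory (REPORT.txt and a few exports use relative names).
$d = Get-Date -Format "dd-MM-yyyy-HHmm"
md $d
cd $d
New-Item -Name REPORT.txt -ItemType File
Add-Content REPORT.txt "Exported Files to be in C:\Volsys\$d\"
Add-Content REPORT.txt "======================================================"
Write-Host
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host ' System Backup ' -ForegroundColor red -BackgroundColor white
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host
# Report entries start with `r`n; the source carried a literal "rn" where the
# escape sequence had lost its backticks.

# A1 - AD snapshot.
# The ntdsutil arguments activate the NTDS instance, delete ALL existing
# snapshots ("delete *") and then create a new one. This changes state on the
# DC, and a snapshot holds a copy of the directory database, so handle it as
# sensitive material.
New-Item -Name A1-ADSnapshot.txt -ItemType File
Add-Content A1-ADSnapshot.txt "Active Directory Snapshot is started"
ntdsutil "act inst ntds" snap "delete *" cre q q
Add-Content REPORT.txt "`r`n A1.Active Directory SnapShot is taken"

# A2 - distinguished name of every directory object.
Get-ADObject -filter * -Properties DistinguishedName | ft DistinguishedName > A2-DN.txt
Add-Content REPORT.txt "`r`n A2.DistinguishedName’s are exported"

# A3 - backup of all GPOs into the run folder.
New-Item -Name A3-GPOBackup.txt -ItemType File
Add-Content A3-GPOBackup.txt "GPOs backup is started"
md GPOBackup
Backup-gpo -all -path c:\volsys\$d\GPOBackup
Add-Content REPORT.txt "`r`n A3.GPO backup is done"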
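function Get-GPOLink {
    <#
    .SYNOPSIS
    Reports where one or more GPOs are linked.
    .DESCRIPTION
    For each GPO name, requests the XML report from Get-GPOReport and emits one
    object holding the GPO name, the SOM names it links to, the Enabled and
    NoOverride values of those links, and the created/modified dates as short
    date strings. A GPO whose report cannot be produced is skipped after a
    warning.
    .PARAMETER Name
    GPO display name(s). Accepted from the pipeline by value or through a
    DisplayName property, so the output of Get-GPO can be piped in.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('DisplayName')]
        [string[]]$Name
    )
    PROCESS {
        foreach ($n in $Name) {
            # Reset per GPO so one failure does not suppress the next result.
            $problem = $false
            try {
                Write-Verbose -Message "Attempting to produce XML report for GPO: $n"
                # -ErrorAction Stop turns a failed report into a catchable error.
                [xml]$report = Get-GPOReport -Name $n -ReportType Xml -ErrorAction Stop
            }
            catch {
                $problem = $true
                Write-Warning -Message "An error occured while attempting to query GPO: $n"
            }
            if (-not($problem)) {
                Write-Verbose -Message "Returning results for GPO: $n"
                # The statements of this function were collapsed onto one line
                # in the source, which does not parse; line breaks restored.
                [PSCustomObject]@{
                    'GPOName'      = $report.GPO.Name
                    'LinksTo'      = $report.GPO.LinksTo.SOMName
                    'Enabled'      = $report.GPO.LinksTo.Enabled
                    'NoOverride'   = $report.GPO.LinksTo.NoOverride
                    'CreatedDate'  = ([datetime]$report.GPO.CreatedTime).ToShortDateString()
                    'ModifiedDate' = ([datetime]$report.GPO.ModifiedTime).ToShortDateString()
                }
            }
        }
    }
}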
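# Section A, checks A4-A7. Report entries start with `r`n; the source carried
# a literal "rn" where the escape sequence had lost its backticks.

# A4 - link targets of every GPO, via the Get-GPOLink function of this script.
get-gpo -all | Get-GPOLink | ft -AutoSize > c:\Volsys\$d\A4-GPOLinksExport.txt
Add-Content REPORT.txt "`r`n A4. Exporting GPO links."

# A5 - DNS zone export.
# The marker file is now created and written under one name; before, an empty
# A5-DNSExport.txt was created while the text went to A5-DNSZoneExport.txt.
New-Item -Name A5-DNSZoneExport.txt -ItemType File
Add-Content A5-DNSZoneExport.txt "DNS Zones export"
$dns = (Get-ADDomain -Current LocalComputer).dnsroot
# NOTE(review): Export-DnsServerZone places dnsbackup.export in the DNS
# server's own data directory rather than in C:\Volsys, and is expected to
# fail when that file already exists - confirm, and clean up between runs.
# (The unused "$dns1 = $dns.export" lookup was dropped; a string has no such
# property.)
export-dnsserverzone $dns dnsbackup.export
Add-Content REPORT.txt "`r`n A5.DNS Zone Export is complete"

# A6 / A7 - name and SID of every user and computer account.
# NOTE(review): the files are named .csv but hold Format-Table text output.
get-aduser -filter * -Properties sid | ft name, sid > C:\Volsys\$d\A6-ADUserSIDInfo.csv
Add-Content REPORT.txt "`r`n A6. Exporting Sid Information."
get-adcomputer -filter * -Properties sid | ft name, sid > C:\Volsys\$d\A7-ADComputerSIDInfo.csv
Add-Content REPORT.txt "`r`n A7. Exporting Computer Sid Information."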
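Write-Host
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host ' Configuration and Role Information ' -ForegroundColor red -BackgroundColor white
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host
# Section B, checks B1-B13 (DC inventory, FSMO, replication, schema, time).
# Report entries start with `r`n; the source carried a literal "rn" where the
# escape sequence had lost its backticks.

# B1 - name, domain, site, IPv4 address and OS of every DC.
Get-ADDomainController -filter * | sort-object site | ft name,domain, site, IPv4Address, operatingsystem -Wrap > c:\volsys\$d\B1-DCInfo.csv
Add-Content REPORT.txt "`r`n B1.Exporting OS and IP info of DCs."

# B2 - last backup time of each directory partition.
repadmin /showbackup * > C:\Volsys\$d\B2-ADBackupStatus.csv
Add-Content REPORT.txt "`r`n B2.AD Backup is controlled"

# B3 - installed hotfixes on the local machine.
Get-hotfix > C:\Volsys\$d\B3-HotfixInfo.csv
Add-Content REPORT.txt "`r`n B3. Checking Hotfix details."

# B4 - last boot time of every DC, collected over PowerShell remoting.
$DC=Get-ADDomainController -Filter *
$Dcs = $DC.Name
$DCS
foreach ($a in $DCS)
{
    $a
    $b = Invoke-Command -ComputerName $a -ScriptBlock { Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime }
    $a >> c:\volsys\$d\B4-DCRebootDate.csv
    # Written inside the loop: before, only the result of the last DC reached
    # the file because $b was appended once after the loop had finished.
    $b >> c:\volsys\$d\B4-DCRebootDate.csv
}
Add-Content REPORT.txt "`r`n B4. Exporting reboot time of DCs."

# B5 - forest and domain properties.
get-adforest > C:\Volsys\$d\B5-ForestDomainInfo.csv
get-addomain >> C:\Volsys\$d\B5-ForestDomainInfo.csv
Add-Content REPORT.txt "`r`n B5.Exporting Forest and Domain info"

# B6 / B7 - FSMO role holders and the dcdiag FSMO test.
netdom query fsmo > C:\Volsys\$d\B6-FSMORoles.csv
Add-Content REPORT.txt "`r`n B6.Checking FSMO roles."
dcdiag /v /test:FSMOCheck > C:\Volsys\$d\B7-FSMOHealthCheck.csv
Add-Content REPORT.txt "`r`n B7. Exporting FSMO Check."

# B8 - fSMORoleOwner of the DomainDnsZones Infrastructure object; the .ldf is
# written to the current directory (the run folder).
$DN = (Get-ADDomain -Current LocalComputer).DistinguishedName
ldifde -f B8-Infra_FsmoRoleOwner.ldf -d "CN=Infrastructure,DC=DomainDnsZones,$DN" -l fSMORoleOwner
Add-Content REPORT.txt "`r`n B8. Listing FSMO Owner info."

# B9 - remaining RID pool, taken from the dcdiag RidManager test output.
Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain" > C:\Volsys\$d\B9-RIDPoolStatus.csv
Add-Content REPORT.txt "`r`n B9.Rid Pool control"

# B10 - replication status of all DCs as an HTML table.
Repadmin /showrepl * /csv | ConvertFrom-Csv | select "Source DSA", "Naming Context", "Destination DSA" ,"Number of Failures","Last Failure Time", "Last Success Time", "Last Failure Status" | ConvertTo-Html > C:\Volsys\$d\B10-ADReplSummary.html
Add-Content REPORT.txt "`r`n B10.Checking AD replication."

# B11 - schema objectVersion.
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion > C:\Volsys\$d\B11-SchemaVersion.csv
Add-Content REPORT.txt "`r`n B11.Checking Schema version."

# B12 - Windows Time configuration and monitor output.
W32tm /query /configuration > C:\Volsys\$d\B12-TimeConfig.csv
W32tm /monitor >> C:\Volsys\$d\B12-TimeConfig.csv
Add-Content REPORT.txt "`r`n B12.Checking Time Server."

# B13 - NOTE(review): unlike the other checks this one is not read-only;
# "w32tm /resync /rediscover" asks the time service to resynchronise.
w32tm /resync /rediscover > C:\Volsys\$d\B13-DCNtpSync.csv
Add-Content REPORT.txt "`r`n B13. Checking sync of DC and NTP server."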
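# Section B, checks B14-B25. Report entries start with `r`n; the source
# carried a literal "rn" where the escape sequence had lost its backticks.

# B14 - Best Practices Analyzer for Directory Services; only results whose
# severity is not "Information" are kept. (The unused $LogPath was dropped.)
$BPAModel = "Microsoft/Windows/DirectoryServices"
Invoke-BpaModel -id $BPAModel
Get-BpaResult -id $BPAModel | Where-Object {$_.severity -ne "Information"} | Out-File -FilePath c:\Volsys\$d\B14-BestPracticesWarnings.log
Add-Content REPORT.txt "`r`n B14.Exporting AD Best Practice Analyzer results."

# B15 - OUs sorted by their accidental-deletion protection flag.
Get-ADOrganizationalUnit -filter * -Properties * |sort-object ProtectedFromAccidentalDeletion | ft canonicalname, ProtectedFromAccidentalDeletion > c:\Volsys\$d\B15-ProtectedOU.csv
Add-Content REPORT.txt "`r`n B15. Exporting Protected OU status."

# B16 - IPv4 interfaces of the local machine.
netsh interface ipv4 show interfaces > C:\Volsys\$d\B16-EthernetInterface.csv
Add-Content REPORT.txt "`r`n B16. Exporting Internet Informations."

# B17 - default dcdiag run.
DCdiag > c:\Volsys\$d\B17-DCdiag.csv
Add-Content REPORT.txt "`r`n B17. DCDiag "

# B18 - copy of the Netlogon debug log. Both paths are absolute, so the
# earlier "cd\" / "cd back" pair around the copy is not needed.
copy C:\Windows\debug\netlogon.log c:\Volsys\$d\B18-Netlogon.csv
Add-Content REPORT.txt "`r`n B18. Copying Netlogon.log file."

# B19 - file shares reported by Get-FileShare.
get-fileshare > C:\Volsys\$d\B19-FileShare.csv
Add-Content REPORT.txt "`r`n B19. Exporting file shares on DCs."

# B20 - installed roles and features; anything unexpected on a DC widens its
# attack surface and is worth a closer look.
Import-module servermanager ; Get-WindowsFeature | where-object {$_.Installed -eq $True} | format-list DisplayName > C:\Volsys\$d\B20-FeatureS.csv
Add-Content REPORT.txt "`r`n B20.Checking active features on DCs. "

# B21 - trustedDomain objects with partner, direction and type.
Get-ADObject -Filter {objectClass -eq "trustedDomain"} -Properties TrustPartner,TrustDirection,trustType | FT Name,TrustPartner,TrustDirection,TrustType > C:\Volsys\$d\B21-TrustValidationCheck.csv
Add-Content REPORT.txt "`r`n B21.Validating Domain trusts. "

# B22 - systeminfo of the local machine.
systeminfo > C:\Volsys\$d\B22-SystemInfo.csv
Add-Content REPORT.txt "`r`n B22.Exporting System Info. "

# B23 - verbose task list filtered on "username eq system".
tasklist /FI "username eq system" /v > C:\Volsys\$d\B23-TaskList.csv
Add-Content REPORT.txt "`r`n B23. Exporting to single list. "

# B24 - firewall state of all profiles.
netsh advfirewall show all state > C:\Volsys\$d\B24-FWStatus.csv
Add-Content REPORT.txt "`r`n B24. Checking Firewall status. "

# B25 - SYSVOL replication migration state (global and per-DC).
dfsrmig /getglobalstate > C:\Volsys\$d\B25-SysvolState.csv
dfsrmig /getmigrationstate >> C:\Volsys\$d\B25-SysvolState.csv
Add-Content REPORT.txt "`r`n B25. Sysvol is in use."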
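# Section B, checks B26-B41. Report entries start with `r`n; the source
# carried a literal "rn" where the escape sequence had lost its backticks.

# B26 - logon events (4624) whose message mentions NTLM V1.
# The output path pointed at C:\NTLMv1.csv\..., a folder this script never
# creates; it now goes to the run folder like every other check. The report
# line no longer states that NTLM V1 "is in use", because it is written
# whether or not any event matched.
# NOTE(review): the second filter keeps only events whose message also
# contains "49194"; its purpose is not evident from the script - confirm, as
# it can hide NTLM V1 logons that do not carry that value.
Get-WinEvent -FilterHashtable @{logname='Security' ; ID=4624} | where {$_.message -match "ntlm v1" } | where {$_.message -match "49194" }| fl > C:\Volsys\$d\B26-Ntlmv1.csv
Add-Content REPORT.txt "`r`n B26. Checking NTLM V1 usage."

# B27 - processes that own a window on the local machine.
Get-Process | where {$_.mainWindowTitle} | Format-Table id, name, mainwindowtitle -autosize > C:\Volsys\$d\B27-DCProcessControl.csv
Add-Content REPORT.txt "`r`n B27. Exporting processes running on DCs."

# B28 - installed software from the Uninstall registry key.
# Fixed: "Uninstall*" had lost its backslash (the subkeys are Uninstall\*),
# and "Format-Table AutoSize" was missing the dash, which made AutoSize a
# property name. The report line said "processes" for a software list.
# NOTE(review): only the Wow6432Node (32-bit) view is read.
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize > C:\Volsys\$d\B28-SoftwareControl.csv
Add-Content REPORT.txt "`r`n B28. Listing installed software on DCs."

# B29 - services on the local machine.
Get-Service > C:\Volsys\$d\B29-Services.csv
Add-Content REPORT.txt "`r`n B29. Exporting Services."

# B30 - tombstone lifetime. The distinguished name contains spaces and has to
# be quoted; the report line said "TLS" for what is the tombstone lifetime.
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime).tombstoneLifetime > C:\Volsys\$d\B30-TSL.csv
Add-Content REPORT.txt "`r`n B30. Checking Tombstone Lifetime."

# B31 - AD Recycle Bin optional feature (the report text was cut off at "Che.").
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' > C:\Volsys\$d\B31-RecycleBinCheck.csv
Add-Content REPORT.txt "`r`n B31. Checking Recycle Bin feature."

# B32 - DNS server configuration.
Get-DnsServer > C:\Volsys\$d\B32-DnsServer.csv
Add-Content REPORT.txt "`r`n B32. Checking DNS Servers."

# B33 - DFSR service configuration.
Get-DfsrServiceConfiguration > C:\Volsys\$d\B33-DFSRConfiguration.csv
Add-Content REPORT.txt "`r`n B33. Checking DFSR Configuration."

# B34 - SMB server configuration (signing, encryption and protocol settings
# are the values a reviewer usually looks for here).
Get-SmbServerConfiguration > C:\Volsys\$d\B34-SmbConfig.csv
Add-Content REPORT.txt "`r`n B34. Exporting SMB Server Configuration."

# B35 - AD sites and site links, in one file.
Get-ADReplicationSite > C:\Volsys\$d\B35-ADSiteLink.csv
Get-ADReplicationSiteLink -filter * >> C:\Volsys\$d\B35-ADSiteLink.csv
Add-Content REPORT.txt "`r`n B35.Exporting Active Directory Site and Sitelink Information."

# B36 - Directory Service event log; the log name contains a space and has
# to be quoted.
get-eventlog "Directory Service" | select entrytype, source, eventid, message > C:\Volsys\$d\B36-DSEvent.csv
Add-Content REPORT.txt "`r`n B36. Exporting Directory Services Event Logs."

# B37 - OU structure by canonical name.
Get-ADOrganizationalUnit -Properties CanonicalName -Filter *| Sort-Object CanonicalName | Format-List CanonicalName, DistinguishedName > C:\Volsys\$d\B37-ADOUStructure.csv
Add-Content REPORT.txt "`r`n B37. Exporting AD OU Structure."

# B38 - certificates in the local machine's personal store.
Get-ChildItem Cert:\LocalMachine\my > C:\Volsys\$d\B38-CompPersonelCert.csv
Add-Content REPORT.txt "`r`n B38. Exporting Computer Persones Cert Parameters."

# B39 - service principal names registered on this DC's computer account.
$nm = hostname
Get-ADcomputer $nm -Properties * | fl ServicePrincipalNames > C:\Volsys\$d\B39-DCSpn.csv
Add-Content REPORT.txt "`r`n B39. Exporting DC SPN info."

# B40 - OS and OS version of every enabled computer account.
Get-ADComputer -Filter {(Enabled -eq $True)} -Property * | Sort-Object operatingsystem| FT Name,OperatingSystem,OperatingSystemVersion > C:\Volsys\$d\B40-AllOperatingSystemVersion.csv
Add-Content REPORT.txt "`r`n B40. Exporting All Operating System Versions."

# B41 - per DC: its name, then the number of lines "net session" returned
# there (a rough session count, not an exact one).
$DC=Get-ADDomainController -Filter *
$Dcs = $DC.Name
$DCS
foreach ($a in $DCS)
{
    $a
    $b = Invoke-Command -ComputerName $a -ScriptBlock { Net Session }
    $a >> c:\volsys\$d\B41-Session.csv
    $b.count >> c:\volsys\$d\B41-Session.csv
}
Add-Content REPORT.txt "`r`n B41. Exporting DC Sessions Count."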
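Write-Host
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host ' Accounts Info ' -ForegroundColor red -BackgroundColor white
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host
# Section C, checks C1-C14 (built-in accounts, counts, privileged groups).
# Report entries start with `r`n; the source carried a literal "rn" where the
# escape sequence had lost its backticks.

# C1 - built-in Administrator, located by its well-known RID 500 so that a
# renamed account is still found.
$BA = (Get-ADDomain).domainsid
$BA = $BA.ToString() + "-500"
Get-ADUser -Identity $BA -properties * > c:\Volsys\$d\C1-RID500Info.csv
Add-Content REPORT.txt "`r`n C1. Checking RID-500 Account info."

# C2 - krbtgt account; its PasswordLastSet shows when the key was last rotated.
Get-ADUser krbtgt -properties * > C:\Volsys\$d\C2-KRBTGTInfo.csv
Add-Content REPORT.txt "`r`n C2. Checking KRBTGT Account info."

# C3 - Guest account. The RID-501 SID was already being built but the lookup
# used the name "guest", which misses a renamed account; it now uses the SID.
$BA = (Get-ADDomain).domainsid
$BA = $BA.ToString() + "-501"
Get-ADUser -Identity $BA -Properties * | FL > C:\Volsys\$d\C3-GuestInfo.csv
Add-Content REPORT.txt "`r`n C3. Checking guest info."

# C4 - klist output for the session running this script.
Klist > C:\Volsys\$d\C4-KerberosInfo.csv
Klist tgt >> C:\Volsys\$d\C4-KerberosInfo.csv
Klist sessions >> C:\Volsys\$d\C4-KerberosInfo.csv
Klist kcd_cache >> C:\Volsys\$d\C4-KerberosInfo.csv
Add-Content REPORT.txt "`r`n C4. Exporting Kerberos info."

# C5 - user, computer and group counts, written to the current directory.
# "-Properties *" was dropped: it fetched every attribute of every object
# only to count them.
$ACC1 = (Get-ADUser -filter *).count
Add-Content C5-AllAccountCount.csv "All User Account Counts:"
$ACC1| add-content C5-AllAccountCount.csv
$ACC3 = (Get-ADComputer -filter *).count
Add-Content C5-AllAccountCount.csv "All Computer Account Counts:"
$ACC3| add-content C5-AllAccountCount.csv
$ACC5 = (Get-ADGroup -filter *).count
Add-Content C5-AllAccountCount.csv "All Group Account Counts:"
$ACC5| add-content C5-AllAccountCount.csv
Add-Content REPORT.txt "`r`n C5. Exporting ALL Account Count."

# C6-C13 - direct members of privileged and legacy groups.
# NOTE(review): Get-ADGroupMember is called without -Recursive, so members
# that arrive through nested groups are listed as the group, not as users.
Get-ADGroupMember "domain admins" | FT name, samaccountname > C:\Volsys\$d\C6-DomainAdmins.csv
Add-Content REPORT.txt "`r`n C6.Exporting Domain Admins group members"
Get-ADGroupMember "enterprise admins" | FT name, samaccountname > C:\Volsys\$d\C7-EnterpriseAdmins.csv
Add-Content REPORT.txt "`r`n C7.Exporting Enterprise Admins group members"
Get-ADGroupMember "schema admins" | FT name, samaccountname > C:\Volsys\$d\C8-SchemAdmins.csv
Add-Content REPORT.txt "`r`n C8.Exporting Schema Admins group members"
Get-ADGroupMember "administrators" | FT name, samaccountname > C:\Volsys\$d\C9-Administrators.csv
Add-Content REPORT.txt "`r`n C9.Exporting Administrators group members"
Get-ADGroupMember "Pre-Windows 2000 Compatible Access" > C:\Volsys\$d\C10-Pre-Windows2000.csv
Add-Content REPORT.txt "`r`n C10. Exporting Pre-Windows 2000 Group Members."
Get-ADGroupMember "protected users" | ft name > C:\Volsys\$d\C11-ProtectedUsersGroupMembers.csv
Add-Content REPORT.txt "`r`n C11. Exporting Protected USers Group Member."
Get-ADGroupMember "group policy creator Owners" > C:\Volsys\$d\C12-GPCOMembers.csv
Add-Content REPORT.txt "`r`n C12. Checking member of group policy creator owners group."
Get-ADGroupMember "Terminal Server License Servers" > C:\Volsys\$d\C13-TerminalServerLicesnceServers.csv
Add-Content REPORT.txt "`r`n C13. Exporting Terminal Server License Servers Group Members."

# C14 - last logon data of the four admin groups, appended to one file.
Get-ADGroupMember "domain admins" |get-aduser -properties * | FT name, samaccountname, lastlogondate, lastlogontimestamp, Enabled > C:\Volsys\$d\C14-Logondates.csv
Add-Content REPORT.txt "`r`n C14.Exporting Logon time of Domain Admins group members."
Get-ADGroupMember "enterprise admins" |get-aduser -properties * | FT name, samaccountname, lastlogondate, lastlogontimestamp, Enabled >> C:\Volsys\$d\C14-Logondates.csv
Add-Content REPORT.txt "`r`n C14.Exporting Logon time of Enterprise Admins group members."
Get-ADGroupMember "schema admins" |get-aduser -properties * | FT name, samaccountname, lastlogondate, lastlogontimestamp, Enabled >> C:\Volsys\$d\C14-Logondates.csv
Add-Content REPORT.txt "`r`n C14.Exporting Logon time of Schema Admins group members."
Get-ADGroupMember "administrators" |get-aduser -properties * | FT name, samaccountname, lastlogondate, lastlogontimestamp, Enabled >> C:\Volsys\$d\C14-Logondates.csv
Add-Content REPORT.txt "`r`n C14.Exporting Logon time of Administrators group members."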
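# Section C, checks C15-C33. Report entries start with `r`n; the source
# carried a literal "rn" where the escape sequence had lost its backticks.

# C15 - password age and "never expires" flag for members of privileged groups.
# The group names contain spaces and were passed unquoted, which does not bind
# to -Identity; they are now held as strings and processed in the same order.
# NOTE(review): a member that is itself a group or a computer makes Get-ADUser
# raise an error for that entry; nested membership is not expanded.
$privGroups = "Domain Admins", "Enterprise Admins", "Administrators", "Account Operators", "Server Operators", "Backup Operators", "Print Operators"
foreach ($grp in $privGroups) {
    Get-ADGroupMember -Identity $grp |foreach { Get-ADUser -Identity $psitem.samAccountName -Properties PasswordLastSet, PasswordNeverExpires | select Name, PasswordLastSet, PasswordNeverExpires} >> C:\Volsys\$d\C15-PrivGroupsMemberPassNevExpires.csv
}
Add-Content REPORT.txt "`r`n C15. Listing users who has password never expire and member of admin groups."

# C16 / C17 - accounts inactive for 12 weeks, capped at 5000 results each.
dsquery user -inactive 12 -limit 5000 > C:\Volsys\$d\C16-InActiveUsers.csv
Add-Content REPORT.txt "`r`n C16.Exporting list of people who did not loging last three months."
dsquery computer -inactive 12 -limit 5000 > C:\Volsys\$d\C17-InActiveComputers.csv
Add-Content REPORT.txt "`r`n C17.Exporting list of computers which did not authenticate last three months"

# C18 / C19 - disabled computers and users (userAccountControl bit 2).
get-adcomputer -filter "useraccountcontrol -band 2" -properties useraccountcontrol | ft name > C:\Volsys\$d\C18-DisableComputers.csv
Add-Content REPORT.txt "`r`n C18. Checking disabled computers."
get-aduser -filter "useraccountcontrol -band 2" -properties useraccountcontrol | ft name > C:\Volsys\$d\C19-DisableUsers.csv
Add-Content REPORT.txt "`r`n C19. Listing disabled users."

# C20 - userAccountControl 66048 = 65536 (password never expires) + 512
# (normal account). Fixed: the filter string ended in a prime character
# instead of a quote, and lastlogontimestamp was formatted without being
# requested, so the date column could not be filled.
Get-ADUser -Filter 'useraccountcontrol -band 66048' -Properties useraccountcontrol, lastlogontimestamp |sort-object enabled| FT Name,Samaccountname, Enabled, @{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}} > C:\Volsys\$d\C20-PassNeverExpiredUsers.csv
Add-Content REPORT.txt "`r`n C20.Exporting Password not required and password never expired users."

# C21 - userAccountControl 544 = 512 (normal account) + 32 (password not required).
Get-ADUser -Filter 'useraccountcontrol -band 544' -Properties useraccountcontrol | FT Name,Samaccountname, useraccountcontrol > C:\Volsys\$d\C21-PassNotRequiredUsers.csv
Add-Content REPORT.txt "`r`n C21. Listing Password not required users."

# C22 - bad password count and time per user, oldest first.
get-aduser -filter * -properties * |sort-object badpasswordtime | ft name , badpwdcount, @{N='badpasswordtime'; E={[DateTime]::FromFileTime($_.badpasswordtime)}}, lastlogondate > C:\volsys\$d\C22-SecurityBadPasswordAttemts.csv
Add-Content REPORT.txt "`r`n C22.Listing users if Account Lock Out value is 5."

# C23 / C24 - groups without members and OUs without direct children.
Get-ADGroup -Filter * -Properties Members | where {-not $_.members} |ft name > c:\Volsys\$d\C23-EmptyGroups.csv
Add-Content REPORT.txt "`r`n C23. Checking empty groups."
Get-ADOrganizationalUnit -Filter * | Where-Object {-not ( Get-ADObject -Filter * -SearchBase $_.Distinguishedname -SearchScope OneLevel -ResultSetSize 1 )} | Select Name,DistinguishedName > c:\Volsys\$d\C24-EmptyOUs.csv
Add-Content REPORT.txt "`r`n C24. Checking empty OUs."

# C25 / C26 - users and groups with adminCount = 1.
get-aduser -filter "admincount -eq 1" -Properties * | ft name, Enabled > C:\Volsys\$d\C25-AdminCount.csv
Add-Content REPORT.txt "`r`n C25. Listing users with Admin Count set to 1."
get-adgroup -filter "admincount -eq 1" | FT > C:\Volsys\$d\C26-AdminCountGroups.csv
Add-Content REPORT.txt "`r`n C26. Exporting Admin Count 1 Groups."

# C27 - accounts restricted to DES Kerberos keys (bit 2097152).
Get-ADuser -filter "useraccountcontrol -band 2097152" -Properties * | ft name > C:\Volsys\$d\C27-DESusage.csv
Add-Content REPORT.txt "`r`n C27. Exporting DES usage."

# C28 - accounts trusted for unconstrained delegation (bit 524288).
# NOTE(review): the file name and report line say "Computers" but the query
# is Get-ADUser, so computer accounts are not covered - confirm the intent.
Get-ADuser -filter "useraccountcontrol -band 524288" -Properties * | ft name > C:\Volsys\$d\C28-TrustedDelegationComputers.csv
Add-Content REPORT.txt "`r`n C28. Checking Trusted Delegation Computers."

# C29 - accounts that do not require Kerberos pre-authentication (bit
# 4194304); each entry should have a documented reason.
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | FL > C:\Volsys\$d\C29-KRBpre-Auth.csv
Add-Content REPORT.txt "`r`n C29. Exporting Kerberos Pre-Authentication."

# C30 - password set date and expiry flags for all users.
Get-ADUser -filter * -properties PasswordLastSet, PasswordExpired, PasswordNeverExpires | sort PasswordExpired | ft Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires > C:\Volsys\$d\C30-PasswordExpires.csv
Add-Content REPORT.txt "`r`n C30. Exporting Password Expires Users."

# C31 - locked-out accounts (the report line was a copy of "Exporting Services").
Search-ADAccount -LockedOut > C:\Volsys\$d\C31-LockedAccount.csv
Add-Content REPORT.txt "`r`n C31. Exporting Locked Out Accounts."

# C32 - duplicate SPN search, written to the current directory.
Setspn -x -f > C32-SPN.csv
Add-Content REPORT.txt "`r`n C32. Listing Dublicate SPNs."

# C33 - managed service accounts and their last logon (the report line was a
# copy of "Exporting Services").
Get-ADServiceAccount -Filter * -Properties * | FT name, LAstLogonDate > C:\Volsys\$d\C33-gMSAAccounts.csv
Add-Content REPORT.txt "`r`n C33. Exporting gMSA Accounts."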
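Write-Host
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host ' GPO – SYSVOL ' -ForegroundColor red -BackgroundColor white
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host
# Section D, checks D1-D6 (applied policy, GPO settings, password and audit
# policy). Report entries start with `r`n; the source carried a literal "rn"
# where the escape sequence had lost its backticks.

# D1 - resultant set of policy for this machine and the running user, as HTML.
Gpresult /H C:\Volsys\$d\D1-Gpresult.html
Add-Content REPORT.txt "`r`n D1. Exporting policies applied to DCs."

# D2 - settings of every GPO in the local computer's domain, queried from
# this host.
$ds = (Get-ADDomain -Current LocalComputer).dnsroot
$ht = hostname
Get-GPOReport -All -Domain $ds -Server $ht -ReportType htmL -Path "C:\Volsys\$d\D2-GPOReportsAll.html"
Add-Content REPORT.txt "`r`n D2. Exporting ALL GPOs Settings."

# D3 - default domain password policy.
Get-ADDefaultDomainPasswordPolicy -Current LocalComputer > C:\Volsys\$d\D3-DomainPolicy.csv
Add-Content REPORT.txt "`r`n D3. Exporting DDPP configuration."

# D4 - fine-grained password policies: name, precedence, max age, min length.
Get-ADFineGrainedPasswordPolicy -Filter {Name -like "*"} | ft Name, Precedence,MaxPasswordAge,MinPasswordLength > C:\Volsys\$d\D4-FGPP.csv
Add-Content REPORT.txt "`r`n D4. Exporting FGPP info."

# D5 - effective audit policy for every category.
auditpol /get /category:* > c:\Volsys\$d\D5-AuditPolicy.csv
Add-Content REPORT.txt "`r`n D5. Exporting Audit Policy configuration."

# D6 - GPO creation and modification times, oldest first; recent changes to
# long-lived GPOs are worth matching against change records.
$DN = (Get-ADDomain -Current LocalComputer).DNSRoot
get-gpo -all -domain $DN | sort-object creationTime | ft Displayname, CreationTime, ModificationTime > C:\Volsys\$d\D6-GPOCMDate.csv
Add-Content REPORT.txt "`r`n D6. Exporting GPO Create and Modify Dates."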
import-module grouppolicy
function IsNotLinked($xmldata){
# Takes a GPO report parsed as XML and returns $true when it has no LinksTo
# element under GPO (the GPO is linked nowhere), otherwise $false.
$hasNoLinks = ($null -eq $xmldata.GPO.LinksTo)
Return $hasNoLinks
}
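# D7 - GPOs that are not linked anywhere.
# Each GPO's XML report is passed to IsNotLinked; GPOs without a LinksTo
# element are collected in $unlinkedGPOs.
$unlinkedGPOs = @()
Get-GPO -All | ForEach { $gpo = $_ ; $_ | Get-GPOReport -ReportType xml | ForEach { If(IsNotLinked([xml]$_)){$unlinkedGPOs += $gpo} }}
If ($unlinkedGPOs.Count -eq 0) {
    # Fixed: this branch wrote to "76-UnlinkedGpo.csv", so the "nothing found"
    # result never reached the D7 file the other branch and the report use.
    "No Unlinked GPO’s Found" > c:\volsys\$d\D7-UnlinkedGpo.csv
}
Else{
    $unlinkedGPOs | Select DisplayName,ID | ft >> c:\volsys\$d\D7-UnlinkedGpo.csv
}
# `r`n restored; the source carried a literal "rn" where the escape sequence
# had lost its backticks.
Add-Content REPORT.txt "`r`n D7.Exporting list of GPO which has no link to anywere."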
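Write-Host
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host ' Security ' -ForegroundColor red -BackgroundColor white
Write-Host ' ————————————————————' -ForegroundColor red -BackgroundColor white
Write-Host
# Section E, checks E1-E8 (ACLs on privileged groups, the domain root and
# AdminSDHolder). Report entries start with `r`n; the source carried a
# literal "rn" where the escape sequence had lost its backticks.
# The "AD:" paths need the ActiveDirectory module's AD drive to be available.

# E1-E4 - ACL of each privileged group object. Write access granted on these
# objects to anyone outside the expected admin principals is what a reviewer
# looks for in the export.
$domainAdminsGroup = Get-ADGroup -Identity "Domain Admins"
$acl = Get-Acl -Path "AD:\$($domainAdminsGroup.DistinguishedName)"
$acl | Export-Csv -Path "C:\Volsys\$d\E1-DomainAdminsACLs.csv" -NoTypeInformation
Add-Content REPORT.txt "`r`n E1. Exporting Domain Admins Groups ACLs."
$EnterpriseAdminsGroup = Get-ADGroup -Identity "Enterprise Admins"
$acl = Get-Acl -Path "AD:\$($EnterpriseAdminsGroup.DistinguishedName)"
$acl | Export-Csv -Path "C:\Volsys\$d\E2-EnterpriseAdminsACLs.csv" -NoTypeInformation
Add-Content REPORT.txt "`r`n E2. Exporting Enterprise Admins Groups ACLs."
$SchemaAdminsGroup = Get-ADGroup -Identity "Schema Admins"
$acl = Get-Acl -Path "AD:\$($SchemaAdminsGroup.DistinguishedName)"
$acl | Export-Csv -Path "C:\Volsys\$d\E3-SchemaAdminsACLs.csv" -NoTypeInformation
Add-Content REPORT.txt "`r`n E3. Exporting Schema Admins Groups ACLs."
$AdministratorsGroup = Get-ADGroup -Identity "Administrators"
$acl = Get-Acl -Path "AD:\$($AdministratorsGroup.DistinguishedName)"
$acl | Export-Csv -Path "C:\Volsys\$d\E4-AdministratorsGroupACLs.csv" -NoTypeInformation
Add-Content REPORT.txt "`r`n E4. Exporting Administrators Groups ACLs."

# E5 - scheduled tasks on the local machine.
Get-ScheduledTask > C:\Volsys\$d\E5-SchTask.csv
Add-Content REPORT.txt "`r`n E5.Checking Schedule tasks running on DCs. "

# E6 - profile folders under C:\Users, i.e. who has logged on interactively.
Get-ChildItem c:\users > C:\Volsys\$d\E6-UsersFolder.csv
Add-Content REPORT.txt "`r`n E6. Exporting Users Folder Profiles."

# E7 - ACL of the domain root object.
$DN = (Get-ADDomain -Current LocalComputer).DistinguishedName
get-acl -path ad:$DN | fl > C:\Volsys\$d\E7-RootACL.csv
Add-Content REPORT.txt "`r`n E7. Exporting Directory ACL Scan."

# E8 - ACL of AdminSDHolder, the template applied to protected accounts.
$DN = (Get-ADDomain -Current LocalComputer).DistinguishedName
Dsacls "CN=AdminSDHolder,CN=System,$DN" > C:\Volsys\$d\E8-AdminSDHolderACLs.csv
Add-Content REPORT.txt "`r`n E8. Exporting AdminSD Holder Security ACLs."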
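# Section E, checks E9-E17. Report entries start with `r`n; the source
# carried a literal "rn" where the escape sequence had lost its backticks.

# E9 - accounts that have the userPassword attribute populated.
# NOTE(review): the attribute is not requested with -Properties, so the
# userPassword column stays empty. The account names alone are enough to flag
# the finding, and this avoids writing attribute values to disk.
Get-Aduser -filter "userPassword -like '*' " | ft name, userPassword > C:\Volsys\$d\E9-UserPasswordClearTest.csv
Add-Content REPORT.txt "`r`n E9. Exporting User Password Attribute."

# E10 - startup commands registered on the local machine.
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | Format-List > C:\Volsys\$d\E10-StartupApps.csv
Add-Content REPORT.txt "`r`n E10. Exporting Startup Application List."

# E11 - file system ACL of the NTDS folder (default location assumed).
Get-Acl c:\windows\ntds | fl > C:\Volsys\$d\E11-NTDSPermission.csv
Add-Content REPORT.txt "`r`n E11. Exporting NTDS Permissions."

# E12 - file system ACL of the SYSVOL folder.
# Fixed: this check read c:\windows\ntds again, so the "Sysvol" file was a
# copy of E11. NOTE(review): c:\windows\sysvol is the default location -
# adjust if SYSVOL was placed elsewhere.
Get-Acl c:\windows\sysvol | fl > C:\Volsys\$d\E12-SysvolPermission.csv
Add-Content REPORT.txt "`r`n E12. Exporting Sysvol Permissions."

# E13 - accounts carrying sIDHistory. Fixed: "AutoSize" was missing its dash
# and was taken as a property name.
Get-ADUser -Filter * -Properties sIDHistory | Where sIDHistory | Select-Object name, sIDHistory -ExpandProperty sidHistory | Format-Table name, sIDHistory -AutoSize > C:\Volsys\$d\E13-SidHistory.csv
Add-Content REPORT.txt "`r`n E13. Exporting Sid History Accounts."

# E14 - krbtgt account details (same query as C2).
Get-ADUser krbtgt -properties * > C:\Volsys\$d\E14-KRBTGTInfo.csv
Add-Content REPORT.txt "`r`n E14. Checking KRBTGT Account info."

# E15 - Print Spooler service status on the local machine.
Get-Service -Name Spooler | select Status > C:\Volsys\$d\E15.SpoolerServies.csv
Add-Content REPORT.txt "`r`n E15. Checking Spooler Services Status."

# E16 / E17 - computer and user accounts created in the last 30 days.
$30days= (Get-Date).AddDays(-30)
Get-ADComputer -Filter {whencreated -ge $30days} | select Name,SamaccountName,SID > C:\Volsys\$d\E16.LastComputers.csv
Add-Content REPORT.txt "`r`n E16. Exporting Last created computers."
Get-ADUser -Filter {whencreated -ge $30days} | select Name,SamaccountName,SID > C:\Volsys\$d\E17.LastUsers.csv
Add-Content REPORT.txt "`r`n E17. Exporting Last created users."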
# Clear the console and print the completion banner: two rule lines, the
# message, two rule lines, framed by blank lines.
# NOTE(review): clearing the console also removes any errors the checks
# printed earlier in the run.
Clear-Host
$rule = ' ————————————————————'
$bannerLines = @(
    $rule,
    $rule,
    ' V O L S Y S is finished. You can check the C:\Volsys folder ',
    $rule,
    $rule
)
Write-Host
foreach ($text in $bannerLines) {
    Write-Host $text -ForegroundColor red -BackgroundColor white
}
Write-Host