Active Directory reporting – version 2


It took me some time to publish this post but finally, I did it.

My previous post about Active Directory reporting using a PowerShell script was published almost one year ago! Since then, a lot of new features have been implemented in the script.

I was in contact with Daniel Petri; he suggested a lot of new features, and we added them to the script. You may also wish to visit his great blog at

Today, I would like to introduce this script to you. I hope it will be useful for many of you. Let’s start with its description.

Have you ever considered how to simplify Active Directory reporting for new AD environments? I decided to prepare a PowerShell script which checks a lot of Active Directory configuration settings and displays them on screen. This reduces the time required to gather basic, and slightly more advanced, information about the configuration of an Active Directory forest and its domain(s).

Most AD environments have at least one Windows Server 2008 R2 Domain Controller running Active Directory Web Services (ADWS). This is a mandatory prerequisite for executing the script.

You can simply execute it on:

  • Domain Controller
  • Domain member server with PowerShell 2.0 installed
  • Domain member workstation with RSAT installed

For domain member machines, make sure the Active Directory Web Services port is reachable from the location where you run the script. By default it is 9389/tcp.

The script requires only an authenticated domain user to work properly, provided no custom delegation control is configured.

You can simply run it within a PowerShell console without any parameter, and it starts scanning the forest you are currently logged on to, with all its domains. When you specify a parameter, which must be a DNS forest name, the scan is performed for the specified forest.

You don’t have to worry about executing the script: it runs in read-only mode, so no changes are made to the environment.
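The prerequisites above (an ADWS-capable Domain Controller, port 9389/tcp reachable, an optional DNS forest name parameter, read-only access) can be verified before a report run. The following is an added example written for this post and is not the author’s script; it assumes the ActiveDirectory module from RSAT is installed and that ADWS listens on the default 9389/tcp, and it uses `System.Net.Sockets.TcpClient` rather than `Test-NetConnection` so the check also runs on PowerShell 2.0.

```powershell
# Added example, not the original script: pre-flight checks before a report run.
# Assumes the ActiveDirectory module (RSAT) is installed and that ADWS listens
# on the default 9389/tcp mentioned above. TcpClient is used rather than
# Test-NetConnection so the check also runs on PowerShell 2.0.
param(
    # Optional DNS forest name; empty means the forest of the logged-on user.
    [string]$ForestName
)

function Test-AdwsPort {
    param(
        [string]$ComputerName,
        [int]$Port = 9389,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no answer within the timeout: filtered or down
        }
        $client.EndConnect($async) # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Import-Module ActiveDirectory -ErrorAction Stop

# Locate a DC that advertises the ADWS service. The DNS forest name equals the
# forest root domain name, so it can be passed straight to -DomainName.
$discover = @{ Discover = $true; Service = 'ADWS' }
if ($ForestName) { $discover['DomainName'] = $ForestName }
$dc     = Get-ADDomainController @discover
$dcHost = [string]$dc.HostName   # HostName is a one-element collection in -Discover mode

if (-not (Test-AdwsPort -ComputerName $dcHost)) {
    throw "ADWS port 9389/tcp on $dcHost is not reachable from this host; the report cannot run."
}

# Every later query is pointed at the discovered DC and only reads the directory.
$forest = Get-ADForest -Server $dcHost
"Scanning forest $($forest.Name) via $dcHost; domains: $($forest.Domains -join ', ')"
```

Run it as `.\Preflight.ps1` for the current forest or `.\Preflight.ps1 contoso.example` for a named forest (a constructed forest name). Pinning the discovered DC with `-Server` on every later cmdlet keeps all queries on the host whose ADWS port was just verified, instead of letting each cmdlet discover a different DC.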

Below you may find some screen-shots from the script execution. They come from a multi-site, single-domain test environment.

Red output colour for scanned data does not indicate an error! It is only used to emphasise settings you should pay attention to.

Let’s see what settings are checked when the script is executed.

At forest level:

  • Forest name
  • Schema version
  • Forest Functional Level
  • List of trusts
  • Active Directory Recycle Bin enablement
  • Check of Exchange version
  • Check of Exchange Organization name
  • Check of Lync version
  • Tombstone lifetime period
  • Enumerate all partitions
  • All domains in the forest
  • Global Catalog servers in the entire forest
  • Site and Subnets information
  • Site link(s) configuration
  • UPN suffixes
  • Forest FSMO roles holders
  • Check members for Enterprise and Schema Administrator groups
  • Domain Controller(s) details
  • SYSVOL replication method
  • SYSVOL size for DFS-R replication method

At domain level:

  • Domain name
  • NetBIOS domain name
  • Domain Functional Level
  • List of Domain Controllers
  • List of Read-Only Domain Controllers
  • Global Catalog servers for the domain
  • SYSVOL replication method
  • Orphaned objects check
  • Lingering objects check
  • Conflict replication objects check
  • Default domain computer objects location
  • Default domain user objects location
  • Total no. of Organizational Units
  • Total no. of computers
  • Total no. of computers with particular operating system version
  • Total no. of users
  • Active users
  • Inactive users
  • Locked out users
  • Users with no password required
  • Users with password never expires
  • Total no. of groups
  • Global, Universal and Local groups check
  • Check for existence of default domain policies
  • Total no. of Domain Administrators
  • Built-in Domain Administrator account details
  • Domain FSMO roles holders
  • Default Domain Password policy details
  • Total no. of Fine-Grained Password Policies
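A read-only subset of the forest-level and domain-level checks listed above, implemented with the ActiveDirectory module cmdlets, as an added example that is not the author’s script. It assumes the module is loaded and ADWS is reachable; the 90-day window used for “inactive” users and the `Get-ForestReport`/`Get-DomainReport` function names are this example’s own choices, not taken from the post.

```powershell
# Added example, not the original script: a read-only subset of the forest- and
# domain-level checks listed above, built on the ActiveDirectory module cmdlets.
# Assumptions: the module is loaded and ADWS is reachable; the 90-day window for
# "inactive" users is this example's choice, the post does not state one.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ForestReport {
    param([string]$ForestName = (Get-ADForest).Name)
    $forest  = Get-ADForest -Identity $ForestName
    $server  = $forest.SchemaMaster            # forest FSMO holders live in the root domain
    $rootDse = Get-ADRootDSE -Server $server
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion -Server $server
    $dsCfg   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                            -Properties tombstoneLifetime -Server $server
    $rbin    = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $server
    $rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
    # Well-known RIDs: 518 = Schema Admins, 519 = Enterprise Admins
    $schemaAdmins     = @(Get-ADGroupMember -Identity "$rootSid-518" -Recursive -Server $server)
    $enterpriseAdmins = @(Get-ADGroupMember -Identity "$rootSid-519" -Recursive -Server $server)
    # An unset tombstoneLifetime attribute means the legacy default of 60 days.
    $tsl = if ($dsCfg.tombstoneLifetime) { $dsCfg.tombstoneLifetime } else { 60 }

    New-Object PSObject -Property @{
        Forest             = $forest.Name
        ForestMode         = $forest.ForestMode
        SchemaVersion      = $schema.objectVersion
        RecycleBinEnabled  = (@($rbin.EnabledScopes).Count -gt 0)
        TombstoneLifetime  = $tsl
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        GlobalCatalogs     = @($forest.GlobalCatalogs)
        UPNSuffixes        = @($forest.UPNSuffixes)
        SchemaAdmins       = @($schemaAdmins | ForEach-Object { $_.SamAccountName })
        EnterpriseAdmins   = @($enterpriseAdmins | ForEach-Object { $_.SamAccountName })
    }
}

function Get-DomainReport {
    param([string]$DomainName = (Get-ADDomain).DNSRoot, [int]$InactiveDays = 90)
    $domain = Get-ADDomain -Identity $DomainName
    $server = $domain.PDCEmulator              # lockout and password data is freshest on the PDC
    $sid    = $domain.DomainSID.Value
    $users    = @(Get-ADUser -Filter * -Server $server -Properties PasswordNeverExpires, PasswordNotRequired)
    $inactive = @(Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly -Server $server)
    $locked   = @(Search-ADAccount -LockedOut -UsersOnly -Server $server)
    $domainAdmins = @(Get-ADGroupMember -Identity "$sid-512" -Recursive -Server $server)  # RID 512 = Domain Admins
    $builtinAdmin = Get-ADUser -Identity "$sid-500" -Server $server -Properties PasswordLastSet  # RID 500 = Administrator
    $policy    = Get-ADDefaultDomainPasswordPolicy -Identity $DomainName
    $fgppCount = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $server).Count

    New-Object PSObject -Property @{
        Domain                 = $domain.DNSRoot
        NetBIOSName            = $domain.NetBIOSName
        DomainMode             = $domain.DomainMode
        DomainControllers      = @($domain.ReplicaDirectoryServers)
        ReadOnlyDCs            = @($domain.ReadOnlyReplicaDirectoryServers)
        ComputersContainer     = $domain.ComputersContainer
        UsersContainer         = $domain.UsersContainer
        TotalUsers             = $users.Count
        EnabledUsers           = @($users | Where-Object { $_.Enabled }).Count
        InactiveUsers          = $inactive.Count
        LockedOutUsers         = $locked.Count
        PasswordNotRequired    = @($users | Where-Object { $_.PasswordNotRequired }).Count
        PasswordNeverExpires   = @($users | Where-Object { $_.PasswordNeverExpires }).Count
        DomainAdminCount       = $domainAdmins.Count
        BuiltinAdminEnabled    = $builtinAdmin.Enabled
        BuiltinAdminPwdLastSet = $builtinAdmin.PasswordLastSet
        PDCEmulator            = $domain.PDCEmulator
        RIDMaster              = $domain.RIDMaster
        InfrastructureMaster   = $domain.InfrastructureMaster
        MinPasswordLength      = $policy.MinPasswordLength
        MaxPasswordAge         = $policy.MaxPasswordAge
        LockoutThreshold       = $policy.LockoutThreshold
        FineGrainedPolicies    = $fgppCount
    }
}

# Usage: report on the current forest and every domain in it; nothing is written back.
$forestReport = Get-ForestReport
$forestReport | Format-List
foreach ($d in (Get-ADForest -Identity $forestReport.Forest).Domains) {
    Get-DomainReport -DomainName $d | Format-List
}
```

Two design points worth noting: privileged groups are resolved by well-known RID rather than by display name, so renamed or localised groups are still found, and `-Recursive` is used so that nested group membership is counted in the same way the accounts would actually be granted rights. `PasswordNotRequired` and `PasswordNeverExpires` are flags in `userAccountControl`; an account with the first flag set can have an empty password regardless of the domain password policy, which is why the post highlights both counts.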

So, please take a look at the screen-shot output from a multi-site, single-domain environment below.

Script execution screen-shots (images not reproduced here)

And that’s all for now. I hope the script will be developed further in the future; I am going to add export of the results to formatted HTML.

Or maybe you would like to participate in its future development? If so, please let me know and we’ll do that!

OK, and here is the script which you can download. After downloading, please remove the –v2.doc extension and leave only .ps1.

Active Directory Reporting v0.2 script

Author: Krzysztof Pytko


5 responses to “Active Directory reporting – version 2”

  1. Willem says :

    Good day. Really great script.
    How do I automate the file to save it as HTML?

    • iSiek says :

      Unfortunately, this is not possible with this script version. I’m working on a new version where you can use HTML as the output format.
      I hope I will be able to publish it soon 🙂


      • Puffy says :

        Hi! Thank you for this great script!
        Do you maybe have a new version with HTML as the output format?

        • iSiek says :

          Thank you! Yes, I’m working on a new version of that script.
          I hope this will be released soon.


  2. Andrew L says :

    I’m sure you’re getting this a lot but have you completed the script to allow for export to either HTML or CSV/TXT?

