Active Directory reporting
Have you ever considered how to simplify Active Directory reporting for new AD environments? I have recently played with a new multi-domain environment and I had to check many things manually with the built-in consoles. This is nothing difficult but it takes some time, and when I had done the environment recognition, I decided to prepare a PowerShell script. It reduces the time required to get some basic information about Active Directory forest and domain(s) configuration.
Today, many Active Directory environments have at least one Windows Server 2008 R2 Domain Controller where Active Directory Web Services are running. The script is written for at least PowerShell 2.0 with the Active Directory module.
You can simply run it in a PowerShell console without any parameter and it starts scanning the forest you are currently logged on to, with all its domains. When you specify a parameter (it must be the DNS forest name), the scan is performed for the specified forest.
You don’t have to worry when executing the script because it runs in read-only mode, so no changes are made in the environment.
Below you may find some screenshots from the script execution. Unfortunately, I only have access to a single-forest, single-domain environment at this time, so you will get a short overview of the script. But I will try to put additional screenshots from a multi-domain environment in the near future.
Oh, and one more thing. The red output color used for scanned data does not indicate an error! It is only there to emphasise a setting to which you should pay attention.
That’s all, let’s see how the results look.
Script executed without a parameter
and script execution with forest name as a parameter
Unfortunately, the output is exactly the same as for the previous execution, but I will replace the screenshots as soon as I do that in my multi-domain test environment.
OK, what is scanned by the script? Just take a look at the list below:
At the forest level:
- Forest name
- Schema version
- Forest Functional Level
- Active Directory Recycle Bin enablement
- All domains in the forest
- Site names
- Global Catalog servers in the entire forest
- UPN suffixes
- Forest FSMO roles holders
At domain level (each domain):
- Domain name
- NetBIOS domain name
- Domain Functional Level
- List of Domain Controllers
- List of Read-Only Domain Controllers
- Global Catalog servers for the domain
- Default domain computer objects location
- Default domain user objects location
- Total no. of Organizational Units
- Total no. of computers
- Total no. of users
- Total no. of groups
- Total no. of Domain Administrators
- Built-in Domain Administrator account details
- Domain FSMO roles holders
- Default Domain Password policy details
- Total no. of Fine-Grained Password Policies
It took me some time to update this post but finally, I did it. A lot of new features were added to the script.
I was in contact with Daniel Petri; he suggested a lot of new features and we added them to the script. You may also wish to visit his great blog at http://www.petri.com/
Please take a look at the new forest-level features implemented in the new script version:
- List of trusts
- Check of Exchange version
- Check of Exchange Organization name
- Check of Lync version
- Tombstone lifetime period
- Enumerate all partitions
- Site and Subnets information
- Site link(s) configuration
- Check members for Enterprise and Schema Administrator groups
- Domain Controller(s) details
- SYSVOL replication method
- SYSVOL size for DFS-R replication method
New features were also added at domain level:
- SYSVOL replication method
- Orphaned objects check
- Lingering objects check
- Conflict replication objects check
- Total number of computers with particular operating system version
- Active users
- Inactive users
- Locked out users
- Users with no password required
- Users with password never expires
- Global, Universal and Local groups check
- Check for existence of default domain policies
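Several of the account and password-policy checks in the lists above can be reproduced with read-only cmdlets from the Active Directory module. The following is an added example, not the author's script; the 90-day inactivity threshold, the choice of the PDC emulator as the queried DC, and the output property names are assumptions.

```powershell
# Added example (not the author's script): read-only account checks per domain.
# Only Get-* and Search-* cmdlets are used, so nothing in the directory is modified.
param([string]$ForestName)      # optional DNS forest name, as described in the post

Import-Module ActiveDirectory

$inactiveDays = 90              # assumption: the post does not define "inactive"

# Scan the named forest if one was given, otherwise the logged-on user's forest
$forest = if ($ForestName) { Get-ADForest -Identity $ForestName } else { Get-ADForest }

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName
    $dc     = $domain.PDCEmulator   # assumption: query one DC per domain for consistency

    # RID 512 is Domain Admins; resolving by SID avoids localized group names
    $admins = @(Get-ADGroupMember -Identity "$($domain.DomainSID)-512" -Recursive -Server $dc)

    # Accounts whose settings weaken the domain password policy
    $noPwdRequired = @(Get-ADUser -Filter 'PasswordNotRequired -eq $true' -Server $dc)
    $pwdNeverExp   = @(Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Server $dc)

    # Locked-out and inactive user accounts
    $lockedOut = @(Search-ADAccount -LockedOut -UsersOnly -Server $dc)
    $inactive  = @(Search-ADAccount -AccountInactive -UsersOnly `
                       -TimeSpan (New-TimeSpan -Days $inactiveDays) -Server $dc)

    $policy = Get-ADDefaultDomainPasswordPolicy -Server $dc

    # One summary object per domain (New-Object keeps this PowerShell 2.0 compatible)
    New-Object PSObject -Property @{
        Domain               = $domain.DNSRoot
        DomainMode           = $domain.DomainMode
        DomainAdmins         = $admins.Count
        PasswordNotRequired  = $noPwdRequired.Count
        PasswordNeverExpires = $pwdNeverExp.Count
        LockedOutUsers       = $lockedOut.Count
        InactiveUsers        = $inactive.Count
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        LockoutThreshold     = $policy.LockoutThreshold
    } | Select-Object Domain, DomainMode, DomainAdmins, PasswordNotRequired,
                      PasswordNeverExpires, LockedOutUsers, InactiveUsers,
                      MinPasswordLength, ComplexityEnabled, LockoutThreshold
}
```

The counts include disabled accounts; pipe the individual result arrays to `Select-Object SamAccountName, Enabled` to review which accounts are behind each number.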
So, please take a look at the output from a multi-site, single-domain environment below
And at this moment, that’s all. I hope the script will be developed further in the future. I am going to add export of the results to formatted HTML.
Or maybe you would like to participate in its future development? If so, please let me know and we’ll do that!
OK, and this is the script, which you can download. After downloading, please remove the –v2.doc extension and leave only .ps1
Author: Krzysztof Pytko