Active Directory reporting

 

Have you ever considered how to simplify Active Directory reporting for new AD environments? I have recently been working with a new multi-domain environment and had to check many things manually with the built-in consoles. That is not difficult, but it takes time, so once I had finished the environment reconnaissance I decided to prepare a PowerShell script. It reduces the time required to collect basic information about the Active Directory forest and domain(s) configuration.

Today, many Active Directory environments have at least one Windows Server 2008 R2 Domain Controller on which Active Directory Web Services are running. The script is written for PowerShell 2.0 or later with the Active Directory module.

You can simply run it in a PowerShell console without any parameter and it starts scanning the forest of the currently logged-on user with all of its domains. When you specify a parameter (it must be the DNS forest name), the scan is performed for the specified forest.

You don’t have to worry when executing the script, because it runs in read-only mode, so no changes are made in the environment.

Below you may find some screen-shots from the script execution. Unfortunately, I only have access to a single-forest, single-domain environment at this time, so you will get a short overview of the script. I will try to add screen-shots from a multi-domain environment in the near future.

Oh, and one more thing. The red output color on scanned data does not indicate an error! It only emphasises the settings to which you should pay attention.

That’s all, let’s see how the results look.

Script executed without a parameter:

[Script execution screen-shots]

and script execution with the forest name as a parameter:

[Script execution screen-shots]

Unfortunately, the output is exactly the same as for the previous execution, but I will replace the screen-shots as soon as I have done that in my multi-domain test environment.

[Script execution screen-shots]

OK, what is scanned by the script? Just take a look at the list below.

At the forest level:

  • Forest name
  • Schema version
  • Forest Functional Level
  • Active Directory Recycle Bin enablement
  • All domains in the forest
  • Site names
  • Global Catalog servers in the entire forest
  • UPN suffixes
  • Forest FSMO roles holders

At domain level (each domain):

  • Domain name
  • NetBIOS domain name
  • Domain Functional Level
  • List of Domain Controllers
  • List of Read-Only Domain Controllers
  • Global Catalog servers for the domain
  • Default domain computer objects location
  • Default domain user objects location
  • Total no. of Organizational Units
  • Total no. of computers
  • Total no. of users
  • Total no. of groups
  • Total no. of Domain Administrators
  • Built-in Domain Administrator account details
  • Domain FSMO roles holders
  • Default Domain Password policy details
  • Total no. of Fine-Grained Password Policies
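The two lists above map almost one-to-one onto properties exposed by the Active Directory module. The block below is an added example written for this page, not the author's script: it collects the forest-level and domain-level facts listed above with read-only Get-AD* cmdlets and returns them as objects rather than console text. The function names (Get-ForestSummary, Get-DomainSummary) are my own; it assumes the RSAT Active Directory module and PowerShell 2.0 or later, so it uses New-Object instead of the [PSCustomObject] syntax of PowerShell 3.0.

```powershell
# Added example (not the original script): forest and domain inventory with the
# ActiveDirectory module. Every cmdlet used here only reads the directory.
Import-Module ActiveDirectory

function Get-ForestSummary {
    param([string]$ForestName)   # optional DNS forest name, like the original script's parameter
    $forest = if ($ForestName) { Get-ADForest -Identity $ForestName } else { Get-ADForest }
    $srv    = $forest.RootDomain # -Server accepts a domain name and locates a DC in it
    $rootDse = Get-ADRootDSE -Server $srv
    # The schema version is the objectVersion attribute of the schema naming context
    $schema = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion -Server $srv
    # The Recycle Bin is an optional feature; EnabledScopes stays empty until it is switched on
    $recycleBin = Get-ADOptionalFeature -Filter { Name -like 'Recycle Bin Feature' } -Server $srv
    New-Object PSObject -Property @{
        ForestName         = $forest.Name
        SchemaVersion      = $schema.objectVersion
        ForestMode         = $forest.ForestMode
        RecycleBinEnabled  = (@($recycleBin.EnabledScopes).Count -gt 0)
        Domains            = ($forest.Domains -join ', ')
        Sites              = ($forest.Sites -join ', ')
        GlobalCatalogs     = ($forest.GlobalCatalogs -join ', ')
        UPNSuffixes        = ($forest.UPNSuffixes -join ', ')
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
}

function Get-DomainSummary {
    param([string]$DomainName)
    $domain = Get-ADDomain -Identity $DomainName
    $dc  = $domain.PDCEmulator   # read everything from one DC for a consistent snapshot
    $sid = $domain.DomainSID.Value
    # Well-known RIDs: 500 = built-in Administrator, 512 = Domain Admins; resolving by SID
    # keeps this working in a forest where the groups have been renamed or localised
    $admins       = @(Get-ADGroupMember -Identity "$sid-512" -Recursive -Server $dc)
    $builtinAdmin = Get-ADUser -Identity "$sid-500" -Server $dc -Properties Enabled, PasswordLastSet, LastLogonDate
    $pwPolicy     = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot -Server $dc
    New-Object PSObject -Property @{
        DomainName                  = $domain.DNSRoot
        NetBIOSName                 = $domain.NetBIOSName
        DomainMode                  = $domain.DomainMode
        DomainControllers           = ($domain.ReplicaDirectoryServers -join ', ')
        ReadOnlyDomainControllers   = ($domain.ReadOnlyReplicaDirectoryServers -join ', ')
        ComputersContainer          = $domain.ComputersContainer
        UsersContainer              = $domain.UsersContainer
        OUCount                     = @(Get-ADOrganizationalUnit -Filter * -Server $dc).Count
        ComputerCount               = @(Get-ADComputer -Filter * -Server $dc).Count
        UserCount                   = @(Get-ADUser -Filter * -Server $dc).Count
        GroupCount                  = @(Get-ADGroup -Filter * -Server $dc).Count
        DomainAdminCount            = $admins.Count
        BuiltinAdminEnabled         = $builtinAdmin.Enabled
        BuiltinAdminPasswordLastSet = $builtinAdmin.PasswordLastSet
        BuiltinAdminLastLogon       = $builtinAdmin.LastLogonDate
        PDCEmulator                 = $domain.PDCEmulator
        RIDMaster                   = $domain.RIDMaster
        InfrastructureMaster        = $domain.InfrastructureMaster
        MinPasswordLength           = $pwPolicy.MinPasswordLength
        PasswordHistoryCount        = $pwPolicy.PasswordHistoryCount
        MaxPasswordAgeDays          = $pwPolicy.MaxPasswordAge.Days
        LockoutThreshold            = $pwPolicy.LockoutThreshold
        ComplexityEnabled           = $pwPolicy.ComplexityEnabled
        FineGrainedPolicyCount      = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $dc).Count
    }
}

# Usage: the forest first, then every domain it contains
$forest = Get-ForestSummary
$forest | Format-List
foreach ($d in (Get-ADForest -Identity $forest.ForestName).Domains) {
    Get-DomainSummary -DomainName $d | Format-List
}
```

Because each function returns an object, the same output can be piped to Export-Csv or ConvertTo-Html instead of Format-List, which is exactly what the console-only script cannot do. Note that the counts are taken from the PDC emulator of each domain, so a freshly created object on another DC may not be included until it replicates.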

 

UPDATE

 

It took me some time to update this post, but finally I did it. A lot of new checks were added to the script.

I was in contact with Daniel Petri; he suggested a lot of new features and we added them to the script. You may also wish to visit his great blog at http://www.petri.com/

Please take a look at new features on forest level, implemented in the new script version:

  • List of trusts
  • Check of Exchange version
  • Check of Exchange Organization name
  • Check of Lync version
  • Tombstone lifetime period
  • Enumerate all partitions
  • Site and Subnets information
  • Site link(s) configuration
  • Check members for Enterprise and Schema Administrator groups
  • Domain Controller(s) details
  • SYSVOL replication method
  • SYSVOL size for DFS-R replication method
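Most of the forest-level additions above are plain reads of the configuration and schema partitions. The block below is an added example written for this page, not the author's v0.2 script: it implements the checks in that list with the cmdlets of the Windows Server 2008 R2 Active Directory module (so trusts and sites are read as raw objects rather than with Get-ADTrust or Get-ADReplicationSite, which need PowerShell 3.0). The function names (Get-ForestConfigReport, Get-RdnValue) are my own. Exchange and Lync schema versions are returned as raw rangeUpper numbers; mapping them to product versions is done with Microsoft's published schema version tables. The SYSVOL size check is left out because it requires walking the file share rather than querying the directory.

```powershell
# Added example (not the original script): forest-level configuration checks, read-only.
Import-Module ActiveDirectory

function Get-RdnValue([string]$Dn) { $Dn -replace '^CN=([^,]+),.*', '$1' }   # "CN=Name,..." -> "Name"

function Get-ForestConfigReport {
    param([string]$ForestName)
    $forest  = if ($ForestName) { Get-ADForest -Identity $ForestName } else { Get-ADForest }
    $srv     = $forest.RootDomain          # -Server accepts a domain name and picks a DC in it
    $rootDse = Get-ADRootDSE -Server $srv
    $cfgNC   = $rootDse.configurationNamingContext
    $schNC   = $rootDse.schemaNamingContext
    $rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value

    # Tombstone lifetime: an absent attribute means the 60-day default of forests built before 2003 SP1
    $dsSettings = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties tombstoneLifetime -Server $srv
    $tombstoneDays = if ($dsSettings.tombstoneLifetime) { $dsSettings.tombstoneLifetime } else { 60 }

    # Exchange and Lync store their schema version in rangeUpper of a marker attribute; the Exchange
    # organization is the msExchOrganizationContainer object under CN=Services
    $exchSchema = Get-ADObject -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' -SearchBase $schNC -Properties rangeUpper -Server $srv
    $lyncSchema = Get-ADObject -LDAPFilter '(cn=ms-RTC-SIP-SchemaVersion)'  -SearchBase $schNC -Properties rangeUpper -Server $srv
    $exchOrg    = Get-ADObject -LDAPFilter '(objectClass=msExchOrganizationContainer)' -SearchBase "CN=Services,$cfgNC" -Server $srv

    # Site topology read straight from the configuration partition
    $sitesBase = "CN=Sites,$cfgNC"
    $subnets   = Get-ADObject -LDAPFilter '(objectClass=subnet)' -SearchBase $sitesBase -Properties siteObject -Server $srv |
                    ForEach-Object { "{0} -> {1}" -f $_.Name, (Get-RdnValue $_.siteObject) }
    $siteLinks = Get-ADObject -LDAPFilter '(objectClass=siteLink)' -SearchBase $sitesBase -Properties cost, replInterval, siteList -Server $srv |
                    ForEach-Object { "{0}: cost {1}, every {2} min, sites {3}" -f $_.Name, $_.cost, $_.replInterval,
                        (($_.siteList | ForEach-Object { Get-RdnValue $_ }) -join '/') }

    # Enterprise Admins (RID 519) and Schema Admins (RID 518) live in the forest root domain;
    # Schema Admins should be empty outside of a scheduled schema change
    $entAdmins = @(Get-ADGroupMember -Identity "$rootSid-519" -Recursive -Server $srv | ForEach-Object { $_.SamAccountName })
    $schAdmins = @(Get-ADGroupMember -Identity "$rootSid-518" -Recursive -Server $srv | ForEach-Object { $_.SamAccountName })

    # Per-domain items: trusts are trustedDomain objects under CN=System; SYSVOL is replicated by FRS
    # until CN=DFSR-GlobalSettings exists with msDFSR-Flags 48 (the "eliminated" dfsrmig state)
    $trustDir = @{ 1 = 'inbound'; 2 = 'outbound'; 3 = 'bidirectional' }
    $domainItems = foreach ($d in $forest.Domains) {
        $dn = (Get-ADDomain -Identity $d).DistinguishedName
        $trusts = @(Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -SearchBase "CN=System,$dn" -Properties trustDirection -Server $d |
                    ForEach-Object { "{0} ({1})" -f $_.Name, $trustDir[[int]$_.trustDirection] })
        $dfsr = Get-ADObject -LDAPFilter '(objectClass=msDFSR-GlobalSettings)' -SearchBase "CN=System,$dn" -Properties 'msDFSR-Flags' -Server $d
        $sysvol = if (-not $dfsr) { 'FRS' }
                  elseif ($dfsr.'msDFSR-Flags' -eq 48) { 'DFS-R' }
                  else { "DFS-R migration in progress (msDFSR-Flags=$($dfsr.'msDFSR-Flags'))" }
        $dcs = Get-ADDomainController -Filter * -Server $d |
                   ForEach-Object { "{0} [{1}, {2}{3}{4}]" -f $_.HostName, $_.Site, $_.OperatingSystem,
                       $(if ($_.IsGlobalCatalog) { ', GC' } else { '' }), $(if ($_.IsReadOnly) { ', RODC' } else { '' }) }
        New-Object PSObject -Property @{
            Domain            = $d
            Trusts            = $(if ($trusts.Count) { $trusts -join ', ' } else { 'none' })
            SysvolReplication = $sysvol
            DomainControllers = ($dcs -join '; ')
        }
    }

    New-Object PSObject -Property @{
        Forest                = $forest.Name
        TombstoneLifetimeDays = $tombstoneDays
        Partitions            = ($rootDse.namingContexts -join ', ')
        ExchangeSchemaVersion = $(if ($exchSchema) { $exchSchema.rangeUpper } else { 'not present' })
        ExchangeOrganization  = $(if ($exchOrg)    { $exchOrg.Name }          else { 'not present' })
        LyncSchemaVersion     = $(if ($lyncSchema) { $lyncSchema.rangeUpper } else { 'not present' })
        Subnets               = ($subnets -join '; ')
        SiteLinks             = ($siteLinks -join '; ')
        EnterpriseAdmins      = ($entAdmins -join ', ')
        SchemaAdmins          = $(if ($schAdmins.Count) { $schAdmins -join ', ' } else { '(empty, as it should be)' })
        Domains               = $domainItems
    }
}

# Usage: forest-wide settings first, then the per-domain objects
$report = Get-ForestConfigReport
$report | Select-Object -Property * -ExcludeProperty Domains | Format-List
$report.Domains | Format-List
```

Two things worth knowing when reading the result: a tombstone lifetime that is shorter than the longest replication gap between two DCs is how lingering objects appear, so that number should be compared with the site link intervals in the same report; and a non-empty Schema Admins list, or a Domain Admins-sized Enterprise Admins list, is the setting the original script would have printed in red.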

Also new features at domain level were added:

  • SYSVOL replication method
  • Orphaned objects check
  • Lingering objects check
  • Conflict replication objects check
  • Total number of computers with particular operating system version
  • Active users
  • Inactive users
  • Locked out users
  • Users with no password required
  • Users with password never expires
  • Global, Universal and Local groups check
  • Check for existence of default domain policies
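The domain-level additions above are the ones a defender reads most carefully, because each of the account checks describes a way a password policy can be bypassed or an account can linger unnoticed. The block below is an added example written for this page, not the author's v0.2 script: it implements the checks in that list for one domain with read-only queries, PowerShell 2.0 syntax and the Active Directory module. The function name (Get-DomainHygieneReport) and the 90-day inactivity default are my own choices. Lingering-object detection is left out, since it needs repadmin rather than an LDAP query.

```powershell
# Added example (not the original script): domain-level account and object checks, read-only.
Import-Module ActiveDirectory

function Get-DomainHygieneReport {
    param(
        [string]$DomainName = (Get-ADDomain).DNSRoot,
        [int]$InactiveDays = 90
    )
    $domain = Get-ADDomain -Identity $DomainName
    $dc = $domain.PDCEmulator      # every lockout is forwarded to the PDC emulator, so ask it directly
    $dn = $domain.DistinguishedName

    # Search-ADAccount evaluates lastLogonTimestamp, which replicates with up to 14 days of slack,
    # so treat "inactive" as "at least this old"
    $inactive     = @(Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly -Server $dc |
                      Where-Object { $_.Enabled })
    $enabledUsers = @(Get-ADUser -Filter 'Enabled -eq $true' -Server $dc)
    $lockedOut    = @(Search-ADAccount -LockedOut -UsersOnly -Server $dc)
    # PasswordNotRequired is the PASSWD_NOTREQD bit (0x20) of userAccountControl: such an account
    # may have an empty password regardless of the domain password policy
    $noPwRequired   = @(Get-ADUser -Filter 'PasswordNotRequired -eq $true' -Server $dc)
    $pwNeverExpires = @(Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Server $dc)

    # Operating system census and group scope census
    $osCounts = Get-ADComputer -Filter * -Properties OperatingSystem -Server $dc |
                    Group-Object OperatingSystem | Sort-Object Count -Descending |
                    ForEach-Object { "{0}: {1}" -f $(if ($_.Name) { $_.Name } else { '<not set>' }), $_.Count }
    $groupScopes = Get-ADGroup -Filter * -Server $dc | Group-Object GroupScope |
                    ForEach-Object { "{0}: {1}" -f $_.Name, $_.Count }

    # Replication conflict objects carry "<name>\0ACNF:<guid>" as their CN; LostAndFound receives
    # objects whose parent container was deleted on another DC while they were being created
    $conflicts = @(Get-ADObject -LDAPFilter '(cn=*\0ACNF:*)' -SearchBase $dn -Server $dc)
    $orphaned  = @(Get-ADObject -LDAPFilter '(objectClass=*)' -SearchBase "CN=LostAndFound,$dn" -SearchScope OneLevel -Server $dc)

    # The two default GPOs have fixed GUIDs; a missing policy container means it was deleted
    $defaultGpos = @{
        'Default Domain Policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
        'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
    }
    $gpoStatus = foreach ($name in $defaultGpos.Keys) {
        $gpo = Get-ADObject -LDAPFilter "(cn=$($defaultGpos[$name]))" -SearchBase "CN=Policies,CN=System,$dn" -Server $dc
        "{0}: {1}" -f $name, $(if ($gpo) { 'present' } else { 'MISSING' })
    }

    New-Object PSObject -Property @{
        Domain               = $domain.DNSRoot
        ActiveUsers          = $enabledUsers.Count - $inactive.Count
        InactiveEnabledUsers = $inactive.Count
        LockedOutUsers       = (($lockedOut    | ForEach-Object { $_.SamAccountName }) -join ', ')
        PasswordNotRequired  = (($noPwRequired | ForEach-Object { $_.SamAccountName }) -join ', ')
        PasswordNeverExpires = $pwNeverExpires.Count
        ComputersByOS        = ($osCounts -join '; ')
        GroupsByScope        = ($groupScopes -join '; ')
        ConflictObjects      = $conflicts.Count
        OrphanedObjects      = $orphaned.Count
        DefaultPolicies      = ($gpoStatus -join '; ')
    }
}

# Usage: one object per domain; swap Format-List for Export-Csv to keep a record of each run
Get-DomainHygieneReport -InactiveDays 60 | Format-List
```

The PasswordNotRequired list is printed by name rather than as a count on purpose: every entry on it is an account that can be set to an empty password, so it is the one result from this report that should be reviewed account by account rather than tracked as a number.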

So, please take a look at the output from a multi-site, single-domain environment below:

[Script execution screen-shots]

And at this moment, that’s all. I hope the script will be developed further in the future. I am going to add export of the results to formatted HTML.
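Exporting to HTML or CSV only needs the report to exist as objects rather than as coloured console text. The block below is an added example written for this page, not the author's script: an export function that takes report objects of the kind the Get-AD* cmdlets return and writes a CSV file plus a styled HTML page, reproducing the script's red highlight for values that deserve attention. The function name (Export-ADReport), the CSS and the highlighted values (FRS, MISSING) are my own choices, and the two sample objects at the bottom are constructed so that the block runs without a domain.

```powershell
# Added example (not the original script): CSV and HTML export of report objects.

function Export-ADReport {
    param(
        [Parameter(Mandatory=$true)][object]$ForestSummary,
        [Parameter(Mandatory=$true)][object[]]$DomainSummaries,
        [Parameter(Mandatory=$true)][string]$OutputDirectory
    )
    if (-not (Test-Path $OutputDirectory)) { New-Item -ItemType Directory -Path $OutputDirectory | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'

    # CSV keeps a machine-readable copy so two runs can be compared with Compare-Object
    $csvPath = Join-Path $OutputDirectory "domains-$stamp.csv"
    $DomainSummaries | Export-Csv -Path $csvPath -NoTypeInformation

    $css = @"
<style>
body   { font-family: Segoe UI, Arial, sans-serif; font-size: 10pt; }
table  { border-collapse: collapse; }
th, td { border: 1px solid #999; padding: 3px 8px; text-align: left; }
th     { background: #ddd; }
.warn  { color: #b00; font-weight: bold; }
</style>
"@
    # Forest facts as a property/value list, domains as one row each
    $forestHtml = $ForestSummary   | ConvertTo-Html -As List  -Fragment -PreContent '<h2>Forest</h2>'
    $domainHtml = $DomainSummaries | ConvertTo-Html -As Table -Fragment -PreContent '<h2>Domains</h2>'
    # Mirror the console script's red output: mark the values that deserve a second look
    $domainHtml = $domainHtml -replace '<td>(FRS|MISSING)</td>', '<td class="warn">$1</td>'

    $html = @"
<html><head><title>Active Directory report $stamp</title>
$css</head>
<body><h1>Active Directory report ($stamp)</h1>
$($forestHtml -join "`n")
$($domainHtml -join "`n")
</body></html>
"@
    $htmlPath = Join-Path $OutputDirectory "ad-report-$stamp.html"
    $html | Out-File -FilePath $htmlPath -Encoding UTF8
    return $htmlPath
}

# Constructed sample data (not taken from a real directory) so the export can be tried offline
$sampleForest = New-Object PSObject -Property @{
    ForestName = 'corp.example'; ForestMode = 'Windows2008R2Forest'; SchemaVersion = 47; RecycleBinEnabled = $true
}
$sampleDomains = @(
    (New-Object PSObject -Property @{ DomainName = 'corp.example';       DomainMode = 'Windows2008R2Domain'; SysvolReplication = 'DFS-R'; DefaultDomainPolicy = 'present'; DomainAdminCount = 4 }),
    (New-Object PSObject -Property @{ DomainName = 'child.corp.example'; DomainMode = 'Windows2003Domain';   SysvolReplication = 'FRS';   DefaultDomainPolicy = 'MISSING'; DomainAdminCount = 11 })
)
$out = Export-ADReport -ForestSummary $sampleForest -DomainSummaries $sampleDomains -OutputDirectory (Join-Path $env:TEMP 'ad-report')
Write-Host "HTML report written to $out"
```

On PowerShell 2.0 New-Object does not preserve the order of hashtable keys, so the column order in the HTML table is arbitrary; on PowerShell 3.0 and later an [ordered]@{} hashtable fixes that. Either way the point is the same as in the comments below: once the checks produce objects, Export-Csv and ConvertTo-Html need no further work.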

Or maybe, you would like to participate with its future development? If so, please let me know and we’ll do that!

OK, and this is the script which you can download. After downloading, please remove the –v2.doc extension and leave only .ps1

Active Directory Reporting v0.2 script

Author: Krzysztof Pytko


12 responses to “Active Directory reporting”

  1. Michael Raj says :

    Thank you for the explanations. I tried AdSysNet Active Directory Manager, the tool supports multiple domains very effectively. Visit here to check the multi-domain management http://adsysnet.com/asn-active-directory-manager-manage-multiple-domains.aspx

     
  2. CHeKi says :

    Jose is very good for Active Directory reporting

    http://www.faq-o-matic.net/jose-en/

     
  3. Vivek says :

    How can I output to a text file? The normal methods do not seem to work. I did | Export-csv -path c:\temp\output.txt

     
    • kpytko says :

      Hello,

      I’m sorry to tell you that but this script at this stage does not support data export to HTML, CSV or TXT files.
      When I started writing this script, it contained a few simple checks. I was adding new features day by day and I discovered that the script had grown too much 🙂

      Another story about the script is Daniel Petri :] He contacted me and asked if we could add some more Active Directory checks into it. Of course we agreed and started extending the tool for more checks. In the end we received huge code which does not support PowerShell objects. They are not implemented inside the code yet.

      There are no PowerShell objects defined to capture results and that’s why the file formats mentioned above are not possible to use. To allow that, the script needs to be completely rewritten.

      I’m wondering if it’s better to start writing a new one based on PowerShell 3.0/4.0 (Windows Server 2012/2012 R2) or to redesign the current one. I will let you know about the decision.

      If you really need to have it copied, you have to manually select the output in the PowerShell console and copy the results to Notepad. I’m sorry for the inconvenience,

      Regards,
      Krzysztof

       
  4. Nirav says :

    Excellent script, tired of taking screenshots 🙂 is there a way to export the report to txt format?

    Thank you

     
    • kpytko says :

      Thank you! I’m glad it was useful for you. The script is still under feature development.
      Unfortunately, at this stage the script doesn’t offer exporting results to HTML, CSV or TXT files. You can only manually select text from the output in the PowerShell console and copy it to Notepad, or take screenshots as you did 🙂

      When I started writing this script, it contained a few simple checks. I was adding new features day by day and I discovered that the script had grown too much 🙂

      Another story about the script is Daniel Petri :] He contacted me and asked if we could add some more Active Directory checks into it. Of course we agreed and started extending the tool for more checks. In the end we received huge code which does not support PowerShell objects. They are not implemented inside the code yet.

      There are no PowerShell objects defined to capture results and that’s why the file formats mentioned above are not possible to use. To allow that, the script needs to be completely rewritten.

      I’m wondering if it’s better to start writing a new one based on PowerShell 3.0/4.0 (Windows Server 2012/2012 R2) or to redesign the current one. I will let you know about the decision.

      Regards,
      Krzysztof

       
  5. Cristiano Ianiri says :

    The script is really useful, but how can I export the output of the PowerShell command to an HTML file?
    Thank you

     
    • kpytko says :

      Thank you for using my script! The script is still under feature development.

      Unfortunately, at this stage the script doesn’t offer exporting results to HTML, CSV or TXT files. You can only manually select text from the output in the PowerShell console and copy it to Notepad, or take screenshots 🙂

      When I started writing this script, it contained a few simple checks. I was adding new features day by day and I discovered that the script had grown too much 🙂

      Another story about the script is Daniel Petri :] He contacted me and asked if we could add some more Active Directory checks into it. Of course we agreed and started extending the tool for more checks. In the end we received huge code which does not support PowerShell objects. They are not implemented inside the code yet.

      There are no PowerShell objects defined to capture results and that’s why the file formats mentioned above are not possible to use. To allow that, the script needs to be completely rewritten.

      I’m wondering if it’s better to start writing a new one based on PowerShell 3.0/4.0 (Windows Server 2012/2012 R2) or to redesign the current one. I will let you know about the decision.

      Regards,
      Krzysztof

       
  6. Dave H says :

    If you do Start-Transcript and a path before running the script, you’ll have a text readout after the script runs. I have Start-Transcript n:\mysession.txt -append in my PS profile so it starts on PS startup every day.
    thanks, Dave

     
