This is a PowerShell script which offers an Active Directory Health Check.
These checks are based on my personal best practices. Some of the checks may not be applicable to your environment.
The following fundamental guidelines apply to the script:
1) Must work for all domains in a forest tree.
2) Must work on PowerShell v3 and above.
3) Must work without module dependencies, except for the PowerShell core modules.
4) Must work without Administrator privileges.
5) Must work with Microsoft Word 2007 and above.
The following languages are supported for both Word and the operating system the script runs on:
The following checks are currently included in the script:
|Users||Direct member of Domain Local group|
|Users||Password never expires|
|Users||Password not required|
|Users||Change password at next logon|
|Users||Password not changed in last 12 months|
|Users||Account without expiration date|
|Users||Do not require Kerberos pre-authentication|
|Groups||Privileged with more than 5 members|
|Groups||Privileged with no members|
|Groups||With no members|
|Sites||Without a description|
|Sites||Without a connection|
|Sites||Without one or more subnet(s)|
|Sitelinks||With one site|
|Sitelinks||With more than two sites|
|Sitelinks||Without a description|
|Subnets in Sites||Available but not used|
|Domain Controllers||No contact in last 3 months|
|Member servers||Password never expires|
|Member servers||Password older than 6 months|
|Member servers||Account never expires|
|Member servers||Account disabled|
|Organisational Unit||GPO inheritance blocked|
Get your copy of the script here!