As some of you may know, over the last year I’ve been working on a PowerShell script that performs an Active Directory Health Check.
Taking my queue from Carl Webster’s Citrix Documentation scripts and Iain Brighton’s collaboration with Carl on improving the Word generation code, it has finally become time to release my little monster to the world.
I know that I’ve said it before, and every time something came in between… feedback from tester(s), improving the Word file generation part of the script, my customers, a holiday and a couple of events…
No more excuses!
–> On the 17th of Thursday 7/17/2014 I’ll do an online presentation for the Florida PowerShell User Group presenting version 1.0 of the script. 🙂
During that session, I’ll release the script on my blog… 🙂
The checks in this script are based on my personal best practices. Some of the checks may not be applicable to your environment.
The following fundamental guidelines apply to the script:
1) Must work for all domains in a forest tree.
2) Must work on PowerShell v3 and above.
3) Must work without module dependencies, except for the PowerShell core modules.
4) Must work without Administrator privileges.
5) Must work with Microsoft Word 2007 and above.
The following languages are supported for both Word and the operating system the script runs on:
The following checks are currently included in the script:
|Users||Direct member of Domain Local group|
|Users||Password never expires|
|Users||Password not required|
|Users||Password change at next logon|
|Users||Account without expiration date|
|Users||Do not require Kerberos pre-authentication|
|Groups||Privileged with many members|
|Groups||Privileged with no members|
|Sitelinks||With one site|
|Sitelinks||More than two sites|
|Subnets||Available but not used|
|Domain Controllers||No contact in last 3 months|
|Member servers||Password never expires|
|Member servers||Password older than 6 months|
|Member servers||Account never expires|
|Member servers||Account disabled|
|Organisational Unit||GPO inheritance blocked|
Note that these are just the first checks… there will be more, many more 🙂
At this time I will not accept any feature requests since I’ll need to work through the current list of feature requests before taking any new ones.
The checks that have been requested so far:
|NETLOGON||Subnets with ‘No client side’ errors|
|NETLOGON||Subnets with any other error|
|Group Policy||No userdata but status not set to UserSettingsDisabled|
|Group Policy||No computerdata but status not set to ComputerSettingsDisabled|
|Group Policy||Status set to AllSettingsDisabled|
|Group Policy||All settings disabled|
|Group||Domain Local Group member of Domain Local Group|
|Sites||Incorrect Domain Controller in site|
|Sitelinks||Change notification disabled|
|Replication||Any replication issues|
|Member Servers||Local administrator account not renamed|
|Member Servers||Local administrator account password not required|
|Member Servers||Local administrator account password never expires|