Active Directory Health Check

This is a PowerShell script that performs an Active Directory health check and reports its findings in a Microsoft Word document.
The checks reflect my personal best practices, so some of them may not be applicable to your environment.

The following fundamental guidelines apply to the script:

1) Must work for all domains in a forest tree.
2) Must work on PowerShell v3 and above.
3) Must work without module dependencies, except for the PowerShell core modules.
4) Must work without Administrator privileges.
5) Must work with Microsoft Word 2007 and above.


The following languages are supported for both Word and the operating system the script runs on:

Catalan, Danish, Dutch, English, Finnish, French, German, Norwegian, Portuguese, Spanish and Swedish.


The following checks are currently included in the script:

Users:
  Direct member of a Domain Local group
  Password never expires
  Password not required
  Change password at next logon
  Password not changed in the last 12 months
  Account without an expiration date
  Do not require Kerberos pre-authentication
  Disabled

Groups:
  Privileged group with more than 5 members
  Privileged group with no members
  Group with no members

Sites:
  Without a description
  No server(s)
  Without a connection
  No site link(s)
  Without one or more subnet(s)

Site links:
  With one site
  With more than two sites
  Without a description

Subnets in sites:
  Available but not used

Domain controllers:
  No contact in the last 3 months

Member servers:
  Password never expires
  Password older than 6 months
  Account never expires
  Account disabled

Organisational units:
  GPO inheritance blocked
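As an added illustration (this is not Jeff Wouters' script, nor code taken from it), the block below implements a handful of the checks listed above under the same constraints as guidelines 2 to 4: PowerShell v3 or later, only the built-in System.DirectoryServices classes ([adsisearcher], no ActiveDirectory module), and no administrator rights, since the attributes involved are readable by any authenticated domain user by default. It assumes it runs on a domain-joined machine and queries that machine's own domain; the "Member servers" filter on the operatingSystem attribute and the two privileged group DNs are assumptions chosen for the example. The bitwise LDAP matching rule is used for the userAccountControl flags, and the in-chain matching rule resolves nested group membership server-side so that members hidden one level down are counted.

```powershell
# Added example (not part of the original script): a few of the health checks
# above, written against System.DirectoryServices only.
# Assumption: executed on a domain-joined host; the searcher defaults to the
# root of that host's domain, so no server name or credentials are needed.

# userAccountControl bit flags (ADS_USER_FLAG enumeration)
$UAC_ACCOUNTDISABLE     = 0x0002
$UAC_PASSWD_NOTREQD     = 0x0020
$UAC_SERVER_TRUST       = 0x2000      # set on domain controller computer accounts
$UAC_DONT_EXPIRE_PASSWD = 0x10000
$UAC_DONT_REQ_PREAUTH   = 0x400000

function Search-Ldap {
    param(
        [Parameter(Mandatory = $true)][string]$Filter,
        [string[]]$Properties = @('sAMAccountName', 'distinguishedName', 'pwdLastSet', 'userAccountControl')
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000          # request paged results; without this the server truncates at MaxPageSize
    $searcher.PropertiesToLoad.AddRange($Properties)
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}            # [ordered] (v3+) keeps the output columns in a stable order
        foreach ($p in $Properties) {
            $row[$p] = $result.Properties[$p.ToLower()] | Select-Object -First 1
        }
        [pscustomobject]$row
    }
}

function New-UacFilter ([int]$Flag, [switch]$Negate) {
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): true when the flag bit is set
    $f = "(userAccountControl:1.2.840.113556.1.4.803:=$Flag)"
    if ($Negate) { "(!$f)" } else { $f }
}

function ConvertTo-FileTimeCutoff ([int]$MonthsAgo) {
    # pwdLastSet and lastLogonTimestamp are FILETIME values: 100 ns ticks since 1601-01-01 UTC
    [DateTime]::UtcNow.AddMonths(-$MonthsAgo).ToFileTimeUtc()
}

$user        = '(objectCategory=person)(objectClass=user)'
$notDisabled = New-UacFilter $UAC_ACCOUNTDISABLE -Negate

# Check name -> LDAP filter. Disabled accounts are excluded where the finding
# only matters for accounts that can still log on.
$checks = [ordered]@{
    'Users: Password never expires'                     = "(&$user$(New-UacFilter $UAC_DONT_EXPIRE_PASSWD)$notDisabled)"
    'Users: Password not required'                      = "(&$user$(New-UacFilter $UAC_PASSWD_NOTREQD))"
    'Users: Change password at next logon'              = "(&$user(pwdLastSet=0)$notDisabled)"
    'Users: Password not changed in last 12 months'     = "(&$user(pwdLastSet<=$(ConvertTo-FileTimeCutoff 12))(!(pwdLastSet=0))$notDisabled)"
    'Users: Do not require Kerberos pre-authentication' = "(&$user$(New-UacFilter $UAC_DONT_REQ_PREAUTH))"
    # Assumption: a "member server" is a non-DC computer whose operatingSystem contains "Server"
    'Member servers: Password older than 6 months'      = "(&(objectCategory=computer)(operatingSystem=*Server*)$(New-UacFilter $UAC_SERVER_TRUST -Negate)(pwdLastSet<=$(ConvertTo-FileTimeCutoff 6)))"
    # lastLogonTimestamp is replicated but only refreshed when older than 9 to 14 days, which is
    # fine for a 3 month threshold but makes it useless for anything finer
    'Domain Controllers: No contact in last 3 months'   = "(&(objectCategory=computer)$(New-UacFilter $UAC_SERVER_TRUST)(lastLogonTimestamp<=$(ConvertTo-FileTimeCutoff 3)))"
}

$findings = @(foreach ($name in $checks.Keys) {
    Search-Ldap -Filter $checks[$name] | ForEach-Object {
        [pscustomobject][ordered]@{ Check = $name; Account = $_.sAMAccountName; DN = $_.distinguishedName }
    }
})

# Privileged groups: count members including nested ones.
# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands group nesting on the server,
# so a user reaching Domain Admins through an intermediate group is counted; the plain
# 'member' attribute of the group would miss such users.
$domainDn   = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$privGroups = "CN=Domain Admins,CN=Users,$domainDn", "CN=Administrators,CN=Builtin,$domainDn"   # assumed set
$findings  += @(foreach ($groupDn in $privGroups) {
    $members = @(Search-Ldap -Filter "(&$user(memberOf:1.2.840.113556.1.4.1941:=$groupDn))" -Properties 'sAMAccountName', 'distinguishedName')
    if ($members.Count -gt 5) {
        [pscustomobject][ordered]@{ Check = 'Groups: Privileged with more than 5 members'; Account = "$($members.Count) members"; DN = $groupDn }
    } elseif ($members.Count -eq 0) {
        [pscustomobject][ordered]@{ Check = 'Groups: Privileged with no members'; Account = ''; DN = $groupDn }
    }
})

$findings | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind when comparing the output with the real script: the in-chain query returns only user objects, so computer or foreign security principal members of a privileged group are not counted here, and the operatingSystem heuristic for member servers misses machines whose attribute was never populated.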


Downloads (latest version): release notes; the script as signed and unsigned .txt files; the script as signed and unsigned .zip files; and a single .zip containing all of them.


  1. megamorf. says:

    Haven’t run it yet, but just a quick suggestion from looking at the code:

  2. Jeff Wouters says:

    When creating a custom object via a hashtable, as Richard describes in his blog post, you're never sure in what order the properties are spit out.
    In my case, I want to spit out the properties in a specific order (name/computername has to come first) and therefore I'm doing it this way.
    In a beta release I actually did create a hashtable, but there were some complaints by testers about the inconsistency in the output (property order).
    So you are correct, but in this case I had a reason not to do it via a hashtable.
    Thanks for your feedback though 🙂

  3. TimDunn says:

    Or, this hack (the inner Add-Member needs a -MemberType, otherwise it prompts for one): Add-Member -InputObject $object -MemberType ScriptMethod -Name AddProperty -Value { Add-Member -InputObject $this -MemberType NoteProperty -Name $args[0] -Value $args[1] }
