Health Check
Active Directory
This is a PowerShell script which offers an Active Directory Health Check.
These checks are based on my personal best practices. Some of the checks may not be applicable to your environment.
The following fundamental guidelines apply to the script:
1) Must work for all domains in a forest tree.
2) Must work on PowerShell v3 and above.
3) Must work without module dependencies, except for the PowerShell core modules.
4) Must work without Administrator privileges.
5) Must work with Microsoft Word 2007 and above.
The following languages are supported for both Word and the operating system the script runs on:
Catalan, Danish, Dutch, English, Finnish, French, German, Norwegian, Portuguese, Spanish, Swedish
The following checks are currently included in the script:
| Category | Check |
| --- | --- |
| Users | Direct member of Domain Local group |
| Users | Password never expires |
| Users | Password not required |
| Users | Change password at next logon |
| Users | Password not changed in last 12 months |
| Users | Account without expiration date |
| Users | Do not require Kerberos pre-authentication |
| Users | Disabled |
| Groups | Privileged with more than 5 members |
| Groups | Privileged with no members |
| Groups | With no members |
| Sites | Without a description |
| Sites | No server(s) |
| Sites | Without a connection |
| Sites | No sitelink(s) |
| Sites | Without one or more subnet(s) |
| Sitelinks | With one site |
| Sitelinks | With more than two sites |
| Sitelinks | Without a description |
| Subnets in Sites | Available but not used |
| Domain Controllers | No contact in last 3 months |
| Member servers | Password never expires |
| Member servers | Password older than 6 months |
| Member servers | Account never expires |
| Member servers | Account disabled |
| Organisational Unit | GPO inheritance blocked |
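
To illustrate how checks of this kind fit the guidelines above (every domain in the forest, PowerShell v3, no extra modules, no Administrator privileges), here is an added example that is not taken from the script itself. It covers four of the Users checks through ADSI and the documented `userAccountControl` bit flags; the function names `Get-UacFilter` and `Find-FlaggedUser` are hypothetical, and it assumes a domain-joined machine and an account that can read `userAccountControl`.

```powershell
# Added example, not the Health Check script's own code.
# Check name -> userAccountControl bit (documented Microsoft flag values).
$uacChecks = [ordered]@{
    'Password never expires'                     = 0x10000   # DONT_EXPIRE_PASSWORD
    'Password not required'                      = 0x20      # PASSWD_NOTREQD
    'Do not require Kerberos pre-authentication' = 0x400000  # DONT_REQ_PREAUTH
    'Disabled'                                   = 0x2       # ACCOUNTDISABLE
}

function Get-UacFilter {          # hypothetical helper name
    param([int]$Flag)
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule,
    # so the filter matches accounts that have this bit set.
    "(&(objectCategory=person)(objectClass=user)" +
    "(userAccountControl:1.2.840.113556.1.4.803:=$Flag))"
}

function Find-FlaggedUser {       # hypothetical helper name
    param([string]$DomainName, [string]$CheckName, [int]$Flag)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$DomainName"
    $searcher.Filter     = Get-UacFilter -Flag $Flag
    $searcher.PageSize   = 1000   # page results so large domains are not truncated
    $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'distinguishedname'))
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # A [pscustomobject] literal keeps the property order written here.
            [pscustomobject]@{
                Domain            = $DomainName
                Check             = $CheckName
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()        # FindAll() holds unmanaged resources
        $searcher.Dispose()
    }
}

# Walk every domain in the current forest and run each check.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($domain in $forest.Domains) {
    foreach ($check in $uacChecks.GetEnumerator()) {
        Find-FlaggedUser -DomainName $domain.Name -CheckName $check.Key -Flag $check.Value
    }
}
```

Accounts returned for "Password not required" or "Do not require Kerberos pre-authentication" are the ones to review first, since those flags weaken authentication for the account.
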
Get the latest version of the script here!
Release notes
Signed (.txt)
Unsigned (.txt)
Signed (.zip)
Unsigned (.zip)
All (.zip)
Haven’t run it yet, but just a quick suggestion from looking at the code: http://richardspowershellblog.wordpress.com/2014/07/21/bad-practice-creating-objects/
When creating a custom object via a hashtable, as Richard describes in his blog post, you’re never sure in what order the properties are spit out.
In my case, I want to spit out the properties in a specific order (name/computername has to come first) and therefore I’m doing it this way.
In a beta release I actually did create a hashtable but there were some complaints by testers about the inconsistency in the output (property order).
So you are correct, but in this case I had a reason not to do it via a hashtable.
Thanks for your feedback though 🙂
Or, this hack: Add-Member -InputObject $object -MemberType ScriptMethod -Name AddProperty -Value { Add-Member -InputObject $this -MemberType NoteProperty -Name $args[0] -Value $args[1] }