AD Privileged Audit: Provides various Windows Server Active Directory security-focused reports

AD Privileged Audit

Provides various Windows Server Active Directory (AD) security-focused reports.

1. Designed to be fast and efficient, typically provides “immediate” (no post-processing required) results within a minute.
2. Available for anyone to run for free, especially when paid tools are maybe not available.
3. Non-invasive / “read-only”. Do not install any components or dependencies, or make any changes to the environment – outside of writing reports to a (new) “AD-Reports” folder on the running users’ Desktop by default, which can be redirected or disabled.
4. Outside of someone downloading the script from here, does not require any Internet access, and does not collect or report any data outside of what is provided to the running user.

This script was written to assist with my professional information security consulting efforts. Please consider engaging with me or one of my co-workers through my employer for any needed assistance in running this tool, or especially in interpreting and managing the reported results.

This script is provided with the intent to allow any organization to report upon, and hopefully, continuously improve upon their AD security posture. Ideally, reports would be run weekly/periodically, with a goal of reducing most reports to or near 0 results.

Reports

Current reports include:

1. Privileged AD Group Members.
   1. Currently reported groups include:
      1. Domain Admins
      2. Enterprise Admins
      3. Administrators
      4. Schema Admins
      5. Account Operators
      6. Server Operators
      7. Print Operators
      8. Backup Operators
      9. DnsAdmins
      10. DnsUpdateProxy
      11. DHCP Administrators
      12. Domain Controllers
      13. Enterprise Read-Only Domain Controllers
      14. Read-Only Domain Controllers
   2. Groups are omitted when they don’t exist.
   3. (Further considerations below.)
2. Privileged AD Groups.
   1. Provides the detail of each group itself included above, whereas the above report details each groups’ membership.
3. Stale Users.
   1. Users that haven’t logged-in within 90 days.
4. Stale Passwords.
   1. Users with passwords older than 365 days.
5. Password Not Required.
6. SID History.
7. Stale Computers.
   1. Computers that haven’t logged-in within 90 days.
8. Unsupported Operating Systems.
9. Computers without LAPS or expired.
10. Computers with current LAPS.
11. Warnings.

LAPS is Microsoft’s “Local Administrator Password Solution”. If you are not yet using it, you should be.

• https://www.microsoft.com/en-us/download/details.aspx?id=46899

Each report includes a significant and consistent set of columns of details that should remove most of the need for cross-referencing Active Directory Users and Computers (ADUC) or other similar tools for further details on reported objects, as well as providing some value in terms of digital forensics.

Install & Use

Copyright © 2020-2021, Mark A. Ziesemer