Active Directory reporting


Have you ever considered how to simplify Active Directory reporting for new AD environments? I recently worked with a new multi-domain environment and had to check many things manually with the built-in consoles. This is nothing difficult, but it takes some time, and once I had finished getting to know the environment, I decided to prepare a PowerShell script. It reduces the time required to get some basic information about the Active Directory forest and domain(s) configuration.

Today, many Active Directory environments have at least one Windows Server 2008 R2 Domain Controller where Active Directory Web Services are running. The script is written for at least PowerShell 2.0 with the Active Directory module.

You can simply run it within the PowerShell console without any parameter, and it starts scanning the forest you are currently logged on to, with all its domains. When you specify a parameter (it must be the DNS forest name), the scan is performed for the specified forest.

You don’t have to worry when executing the script because it runs in read-only mode, so no changes are made in the environment.

Below you may find some screen-shots from the script execution. Unfortunately, I only have access to a single-forest, single-domain environment at this time, so you will get a short overview of the script. But I will try to add screen-shots from a multi-domain environment in the near future.

Oh, and one more thing. The output color (red) used for some of the scanned data does not indicate an error! It is only there to emphasise settings to which you should pay attention.

That’s all, let’s see how the results look.

Script executed without a parameter

Script execution screen-shot


and script execution with forest name as a parameter

Script execution screen-shot


Unfortunately, the output is exactly the same as for the previous execution, but I will replace the screen-shots as soon as I do that in my multi-domain test environment.

Script execution screen-shot


OK, what is scanned by the script? Just take a look at the list below.

At the forest level:

  • Forest name
  • Schema version
  • Forest Functional Level
  • Active Directory Recycle Bin enablement
  • All domains in the forest
  • Site names
  • Global Catalog servers in the entire forest
  • UPN suffixes
  • Forest FSMO roles holders

At domain level (each domain):

  • Domain name
  • NetBIOS domain name
  • Domain Functional Level
  • List of Domain Controllers
  • List of Read-Only Domain Controllers
  • Global Catalog servers for the domain
  • Default domain computer objects location
  • Default domain user objects location
  • Total no. of Organizational Units
  • Total no. of computers
  • Total no. of users
  • Total no. of groups
  • Total no. of Domain Administrators
  • Built-in Domain Administrator account details
  • Domain FSMO roles holders
  • Default Domain Password policy details
  • Total no. of Fine-Grained Password Policies

And at this moment, that’s all. I hope the script will be developed further in the future. I am going to add an export of the results to formatted HTML.

Or maybe you would like to participate in its future development? If so, please let me know and we’ll do that!

OK, and this is the script, which you can download. After downloading, please remove the –v1.doc extension and leave only .ps1

AD Report script
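For readers who want to see how the items in the list above can be collected read-only with the Active Directory module, here is an added sketch; it is not the author's downloadable script. The variable names, the report property names and the lookup of Domain Admins and the built-in Administrator by well-known RID are choices made for this example.

```powershell
# Added example (not the author's script). Read-only: only Get-* cmdlets are used.
# Assumes the ActiveDirectory module and a reachable DC running AD Web Services.
param([string]$ForestName)   # optional DNS forest name, as the post describes
Import-Module ActiveDirectory -ErrorAction Stop

$forest  = if ($ForestName) { Get-ADForest -Identity $ForestName } else { Get-ADForest }
$rootDse = Get-ADRootDSE -Server $forest.SchemaMaster
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Server $forest.SchemaMaster -Properties objectVersion
$rb      = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $forest.DomainNamingMaster

$forestReport = New-Object PSObject -Property @{
    Forest             = $forest.Name
    SchemaVersion      = $schema.objectVersion
    ForestMode         = $forest.ForestMode
    RecycleBinEnabled  = [bool]($rb -and $rb.EnabledScopes.Count -gt 0)
    Domains            = $forest.Domains
    Sites              = $forest.Sites
    GlobalCatalogs     = $forest.GlobalCatalogs
    UPNSuffixes        = $forest.UPNSuffixes
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
}

$domainReports = foreach ($dns in $forest.Domains) {
    $d   = Get-ADDomain -Identity $dns -Server $dns
    $pol = Get-ADDefaultDomainPasswordPolicy -Server $dns
    New-Object PSObject -Property @{
        Domain               = $d.DNSRoot
        NetBIOSName          = $d.NetBIOSName
        DomainMode           = $d.DomainMode
        DomainControllers    = $d.ReplicaDirectoryServers
        ReadOnlyDCs          = $d.ReadOnlyReplicaDirectoryServers
        ComputersContainer   = $d.ComputersContainer
        UsersContainer       = $d.UsersContainer
        # Well-known RIDs avoid localized names: 512 = Domain Admins, 500 = built-in Administrator
        DomainAdmins         = @(Get-ADGroupMember -Identity "$($d.DomainSID)-512" -Server $dns).Count
        BuiltinAdministrator = Get-ADUser -Identity "$($d.DomainSID)-500" -Server $dns -Properties PasswordLastSet, LastLogonDate
        # @(...).Count loads every object; acceptable for a report, slow in very large domains
        OUs                  = @(Get-ADOrganizationalUnit -Filter * -Server $dns).Count
        Computers            = @(Get-ADComputer -Filter * -Server $dns).Count
        Users                = @(Get-ADUser -Filter * -Server $dns).Count
        Groups               = @(Get-ADGroup -Filter * -Server $dns).Count
        FsmoRoles            = $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster
        PasswordPolicy       = $pol
        FineGrainedPolicies  = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $dns).Count
    }
}
$forestReport | Format-List
$domainReports | Format-List
```

The Domain Admins figure counts direct members only; add `-Recursive` to `Get-ADGroupMember` to include members of nested groups.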
