  • It is January 2022, and it still works from PowerShell 2.0 on Windows Vista / Server 2008 (without R2) up to the newest Windows 11 insider build. Just tested...

  • Hi,
    I made some progress: the script can be used from a client computer like Win10, and it doesn't need to import the Active Directory modules;
    it also doesn't need the config.ini DC information to be entered, it will be obtained automatically.

  • Sorry, my bad, 551 was good; it's 567 that needs to be changed.

    551 : $domaininfo.RIDMaster --> $domaininfo.DomainMode
    567 : $domaininfo.DomainMode --> $domaininfo.RIDMaster

  • Hi Krishnamoorthi,
    as I explained above, there is the possibility of packaging the AD module so the script can be launched from a client, which will be more secure than doing it on the DC itself. Adjusting it to remove the static variables would be interesting too, as well as a GUI. If you agree, you can tell me how to contact you to optimize it.

  • Make sure the PowerShell AD module exists where you are running the script from.

  • First of all, thank for the script.
    Unluckily I'm just getting one user out of the script, with the following error in PowerShell:
    Get-ADUser : Not a valid Win32-FileTime.
    Parametername: fileTime

  • Thank you very much Krishnamoorthi. That was it. I am so sorry about such a stupid mistake. 🙂
    Thank you, I appreciate your help.


  • Ah, of course, forgot I'd need to expand the list of properties. Used that and have now resolved them all and documented them just in case.

    Thanks again.

  • get-aduser -filter * -properties * | where {$_.PasswordNotRequired -eq $true}

    Try the above one

  • Please remove the txt from the INI file format. It is Config.ini.txt currently.

  • Thank you for this, it's really helpful and puts my mind at ease to see a lot of green. I do have a query with regards to the 'Users with Password Not Required' line though. My report found:

    10,000 odd Total Users
    3000 enabled
    7000 disabled
    1100 inactive (how many days does it use for inactivity out of interest?)
    6000 users with password not required

    It's that last line that concerns me, but looking into the script it's looking at all users where 'passwordnotrequired -eq $true'. I've run that myself with get-aduser -filter * | where {$_.PasswordNotRequired -eq $true} and I get 0 results (which I'd expect). Any thoughts on why it's pulling 6000 as part of the wider script?
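
An added example, not from the original thread or the AD-Security-Assessment project, showing why the PasswordNotRequired check above returns 0 when `-Properties` is omitted, a server-side filter that gives the real count, and a guarded way to count inactive accounts and convert raw FileTime attributes (the same .NET "Not a valid Win32 FileTime" exception quoted in one post above). The 90-day inactivity threshold and the helper name `ConvertFrom-FileTimeSafe` are assumptions; the script's own threshold and how it arrived at 6000 are not shown in the thread.

```powershell
# Added example (not the AD-Security-Assessment script's own code).
# Assumes the ActiveDirectory module and a reachable domain.
Import-Module ActiveDirectory

# Without -Properties, Get-ADUser returns only its default attribute set.
# PasswordNotRequired is not in it, so $_.PasswordNotRequired is $null and
# "$null -eq $true" is never true: this pipeline always reports 0.
$withoutProps = Get-ADUser -Filter * | Where-Object { $_.PasswordNotRequired -eq $true }

# Ask for the attribute and let the DC do the filtering instead of pulling
# every user and comparing client-side.
$pwdNotRequired = Get-ADUser -Filter 'PasswordNotRequired -eq $true' `
    -Properties PasswordNotRequired, Enabled

# Enabled accounts with the flag set are the ones that matter for risk;
# a disabled account with the flag is lower priority.
$enabledRisk = $pwdNotRequired | Where-Object { $_.Enabled }

# Inactivity window (assumption: 90 days). LastLogonDate is the converted
# lastLogonTimestamp, which replicates with up to about 14 days of slack,
# so treat the result as approximate. Accounts that never logged on have
# no LastLogonDate and are listed separately rather than silently dropped.
$inactiveDays = 90
$cutoff = (Get-Date).AddDays(-$inactiveDays)
$enabledUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, pwdLastSet
$inactive     = $enabledUsers | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff }
$neverLogged  = $enabledUsers | Where-Object { -not $_.LastLogonDate }

# Raw Int64 attributes such as pwdLastSet or accountExpires can hold 0
# ("must change" / unset) or Int64.MaxValue ("never"). [DateTime]::FromFileTime
# throws "Not a valid Win32 FileTime" on out-of-range values, so guard it.
function ConvertFrom-FileTimeSafe {
    param([Int64]$FileTime)   # hypothetical helper, not part of the script
    if ($FileTime -le 0 -or $FileTime -eq [Int64]::MaxValue) { return $null }
    try { [DateTime]::FromFileTimeUtc($FileTime) } catch { $null }
}

# Password age per enabled user, with unset values shown as empty instead of
# aborting the whole run on the first bad attribute.
$pwdAges = $enabledUsers |
    Select-Object SamAccountName,
        @{ n = 'PwdLastSetUtc'; e = { ConvertFrom-FileTimeSafe $_.pwdLastSet } }

# Summary the way a report line would present it.
[pscustomobject]@{
    PasswordNotRequired_WithoutProps = @($withoutProps).Count
    PasswordNotRequired_Total        = @($pwdNotRequired).Count
    PasswordNotRequired_Enabled      = @($enabledRisk).Count
    InactiveEnabled                  = @($inactive).Count
    EnabledNeverLoggedOn             = @($neverLogged).Count
    PwdAgeRows                       = @($pwdAges).Count
}
```

When checking a script's number against your own query, compare filters with the same `-Properties` list and the same Enabled/Disabled scope; a zero from the client-side pipeline is not evidence that no account has the flag.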

  • Hello Krishnamoorthi,
    I took your config.ini file and put it in the same location:
    PS C:\ADcheck> dir

    Directory: C:\ADcheck

    Mode LastWriteTime Length Name
    ---- ------------- ------ ----
    -a---- 1/8/2022 11:31 AM 33181 AD_SecurityCheck.ps1
    -a---- 1/11/2022 7:54 AM 241 Config.ini.txt
    -a---- 1/11/2022 7:54 AM 866 Log11_01_2022-07_54_25.log
    -a---- 1/11/2022 7:54 AM 15543 Reports11_01_2022-07_54_25.htm

    PS C:\ADcheck>
    PS C:\ADcheck> .\AD_SecurityCheck.ps1
    Cannot find path 'C:\ADcheck\Config.ini' because it does not exist.
    At C:\ADcheck\AD_SecurityCheck.ps1:43 char:25
    + switch -regex -file $FilePath
    + ~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\ADcheck\Config.ini:String) [], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound

    You cannot call a method on a null-valued expression.
    At C:\ADcheck\AD_SecurityCheck.ps1:82 char:1

    I have even tried to copy config.ini to the C: root, but no success. And that's why I am wondering why that issue occurs.
    Thank you


  • Hello Michael,
    - the script uses hard-coded variables, which limits it to DCs in English
    - the try/catch method is not efficient for returning errors
    - an AD module can be injected in order to be able to launch the script without prerequisites and from a client
    - I even thought of making a simple GUI interface which displays the result and allows advanced configuration of the .ini
    but like I said, is there more interest in it than in PingCastle?

  • Hello guys, what a nice script. I just noticed a little error in the variable of the RID master.
    Can you please edit the line 551 with $domaininfo.RIDMaster instead of $domaininfo.DomainMode ?


  • Script and INI file should be in the same directory. Post the screenshot if you are looking for further help.

    You can take INI file from here - https://github.com/gkm-automation/AD-Security-Assessment

  • Hello,
    I am not as good as I expected in PowerShell. I was trying to run the script but cannot get through this:
    Cannot find path 'C:\ADcheck\Config.ini' because it does not exist.

    Even though that file is on the expected path, no success. And I think this is what stopped me from running it.
    I will appreciate any advice.
    Thank you
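
An added example, not the AD-Security-Assessment script's own code, for the "Cannot find path 'C:\ADcheck\Config.ini'" reports in this thread: it resolves the INI next to the script, detects the hidden ".txt" extension (the Config.ini.txt case mentioned above) with a clear message instead of a later null-valued-expression error, and parses the file with the same `switch -regex -file` approach the script uses at its line 43. The function names `Resolve-ScriptConfig` and `Read-IniFile`, and the sample INI content, are assumptions.

```powershell
# Added example (not part of the AD-Security-Assessment script).

function Resolve-ScriptConfig {
    # Hypothetical helper: find Config.ini beside the script and explain
    # the common misnaming instead of failing on a missing path.
    param(
        [string]$ScriptRoot = $PSScriptRoot,
        [string]$Name = 'Config.ini'
    )
    $expected = Join-Path $ScriptRoot $Name
    if (Test-Path -LiteralPath $expected) { return $expected }

    # Explorer hides known extensions, so a file shown as "Config.ini" is
    # often really "Config.ini.txt". Say so rather than aborting later.
    $misnamed = Join-Path $ScriptRoot "$Name.txt"
    if (Test-Path -LiteralPath $misnamed) {
        throw "Found '$misnamed'. Rename it to '$Name' (remove the .txt extension) and run again."
    }
    throw "Config file '$expected' not found. Put $Name in the same directory as the script."
}

function Read-IniFile {
    # Hypothetical helper: parse [Section] / key = value lines into nested
    # ordered hashtables; ';' and '#' lines are comments.
    param([Parameter(Mandatory)][string]$Path)
    $ini = [ordered]@{}
    $section = 'NoSection'
    $ini[$section] = [ordered]@{}
    switch -regex -file $Path {
        '^\s*[;#]'                      { continue }          # comment line
        '^\s*\[(.+?)\]\s*$' {                                 # [Section]
            $section = $Matches[1]
            if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
            continue
        }
        '^\s*([^=]+?)\s*=\s*(.*?)\s*$' {                      # key = value
            $ini[$section][$Matches[1]] = $Matches[2]
            continue
        }
    }
    return $ini
}

# Constructed sample so the example runs without the real Config.ini.
$root = Join-Path ([IO.Path]::GetTempPath()) 'adcheck-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
@"
; constructed sample, not the script's real config
[Domain]
DCName = dc01.example.test
InactiveDays = 90
"@ | Set-Content -LiteralPath (Join-Path $root 'Config.ini') -Encoding ASCII

$configPath = Resolve-ScriptConfig -ScriptRoot $root
$config     = Read-IniFile -Path $configPath
$dcName     = $config.Domain.DCName
$days       = [int]$config.Domain.InactiveDays

# Rename to the misnamed form to see the explanatory error instead of
# "Cannot find path".
Rename-Item -LiteralPath $configPath -NewName 'Config.ini.txt'
try { Resolve-ScriptConfig -ScriptRoot $root } catch { $_.Exception.Message }
```

Resolving the path relative to `$PSScriptRoot` rather than the current directory also covers the case of running the script from a different working directory than the one the INI sits in.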

© 4sysops 2006 - 2022