This PowerShell script is designed to conduct a comprehensive audit of Microsoft Active Directory, focusing on identifying common security vulnerabilities and weaknesses. Its execution facilitates the pinpointing of critical areas that require reinforcement, thereby fortifying your infrastructure against prevalent tactics used in lateral movement or privilege escalation attacks targeting Active Directory.

_____ ____     _____       _ _ _
|  _  |    \   |  _  |_ _ _| |_| |_
|     |  |  |  |     | | | . | |  _|
|__|__|____/   |__|__|___|___|_|_|
                 by phillips321

If you have any decent powershell one liners that could be used in the script please let me know. I'm trying to keep this script as a single file with no requirements on external tools (other than ntdsutil and cmd.exe)

Run directly on a DC using a DA. If you don't trust the code I suggest reading it first and you'll see it's all harmless! (But shouldn't you be doing that anyway with code you download off the net and then run as DA??)

• Device Information
  • Get-HostDetails
• Domain Audit
  • Get-LastWUDate
  • Get-DCEval
  • Get-TimeSource
  • Get-PrivilegedGroupMembership
  • Get-MachineAccountQuota
  • Get-DefaultDomainControllersPolicy
  • Get-SMB1Support
  • Get-FunctionalLevel
  • Get-DCsNotOwnedByDA
  • Get-ReplicationType
  • Get-RecycleBinState
  • Get-CriticalServicesStatus
  • Get-RODC
• Domain Trust Audit
  • Get-DomainTrusts
• User Accounts Audit
  • Get-InactiveAccounts
  • Get-DisabledAccounts
  • Get-LockedAccounts
  • Get-AdminAccountChecks
  • Get-NULLSessions
  • Get-PrivilegedGroupAccounts
  • Get-ProtectedUsers
• Password Information Audit
  • Get-AccountPassDontExpire
  • Get-UserPasswordNotChangedRecently
  • Get-PasswordPolicy
  • Get-PasswordQuality
• Dumps NTDS.dit
  • Get-NTDSdit
• Computer Objects Audit
  • Get-OldBoxes
• GPO audit (and checking SYSVOL for passwords)
  • Get-GPOtoFile
  • Get-GPOsPerOU
  • Get-SYSVOLXMLS
  • Get-GPOEnum
• Check Generic Group AD Permissions
  • Get-OUPerms
• Check For Existence of LAPS in domain
  • Get-LAPSStatus
• Check For Existence of Authentication Polices and Silos
  • Get-AuthenticationPoliciesAndSilos
• Check for insecure DNS zones
  • Get-DNSZoneInsecure
• Check for newly created users and groups
  • Get-RecentChanges
• Check for ADCS vulnerabilties, ESC1,2,3,4 and 8.
• Check for high value kerberoastable accounts
• Check for ASREPRoastable accounts
• Check for dangerous ACL permissions on Users, Groups and Computers.
• Check LDAP and LDAPs settings (Signing, null sessions etc )

The following switches can be used in combination

• -installdeps installs optional features (DSInternals)
• -hostdetails retrieves hostname and other useful audit info
• -domainaudit retrieves information about the AD such as functional level
• -trusts retrieves information about any domain trusts
• -accounts identifies account issues such as expired, disabled, etc...
• -passwordpolicy retrieves password policy information
• -ntds dumps the NTDS.dit file using ntdsutil
• -oldboxes identified outdated OSs like XP/2003 joined to the domain
• -gpo dumps the GPOs in XML and HTML for later analysis
• -ouperms checks generic OU permission issues
• -laps checks if LAPS is installed
• -authpolsilos checks for existence of authentication policies and silos
• -insecurednszone checks for insecure DNS zones
• -recentchanges checks for newly created users and groups (last 30 days)
• -adcs checks for ADCS vulnerabilties, ESC1,2,3,4 and 8.
• -acl checks for dangerous ACL permissions on Users, Groups and Computers.
• -spn checks for high value kerberoastable accounts
• -asrep checks for ASREPRoastable accounts
• -ldapsecurity checks for multiple LDAP issues
• -exclude allows you to exclude specific checks when using adaudit.ps1 -all -exclude ouperms,ntds,adcs"
• -select allows you to exclude specific checks when using adaudit.ps1 -all "gpo,ntds,acl"
• -all runs all checks, e.g. AdAudit.ps1 -all

The script now fully supports both forest root domains and child domains:

• Schema Admins and Enterprise Admins are gracefully handled in child domains (where they only exist in the forest root)
• Script completes successfully with appropriate informational messaging for missing forest-root-only groups
• No crashes or blocking failures due to missing groups in child domain scenarios
• Tested and validated on Windows Server 2022 child domains

The script implements comprehensive error handling throughout:

• Optional audit functions fail gracefully without blocking script execution
• GPO report generation errors (e.g., corrupted GPOs) don't prevent other audits from completing
• Defensive checks prevent file-not-found exceptions on optional output files
• Clear error/warning/info messaging distinguishes between critical failures and expected scenarios
• Missing optional modules (DSInternals, LAPS, AdmPwd.PS) don't prevent core audit functions

• Generates valid, properly-formatted Nessus XML without requiring post-processing
• All special characters are properly escaped at source (&, <, >, ", ')
• Output file is ready for direct import into Nessus without manual modifications
• Eliminates the need for post-processing steps or extra output files

• Validated on Windows Server 2022 (both forest root and child domains)
• Supports Windows Server 2008R2 through 2022
• Successfully handles complex production environments with corrupted GPOs and mixed configurations