From 9f13a8412f3bfb2b7e4fd6d47acc7ee881d84ec0 Mon Sep 17 00:00:00 2001 From: Jonathan Colon Date: Thu, 26 May 2022 10:23:19 -0400 Subject: [PATCH 1/7] Removed PSSharedGoods/PSWriteColor module dependency --- AsBuiltReport.Microsoft.AD.psd1 | 8 - README.md | 6 - Src/Private/Get-AbrADSiteReplication.ps1 | 1 + Src/Private/SharedUtilsFunctions.ps1 | 874 +++++++++++++++++- .../Invoke-AsBuiltReport.Microsoft.AD.ps1 | 2 - 5 files changed, 874 insertions(+), 17 deletions(-) diff --git a/AsBuiltReport.Microsoft.AD.psd1 b/AsBuiltReport.Microsoft.AD.psd1 index be23f6a..a32cf12 100644 --- a/AsBuiltReport.Microsoft.AD.psd1 +++ b/AsBuiltReport.Microsoft.AD.psd1 @@ -59,14 +59,6 @@ RequiredModules = @( @{ ModuleName = 'PSPKI'; ModuleVersion = '3.7.2' - }, - @{ - ModuleName = 'PSSharedGoods'; - ModuleVersion = '0.0.224' - }, - @{ - ModuleName = 'PSWriteColor'; - ModuleVersion = '0.87.3' } ) diff --git a/README.md b/README.md index d0c4c34..369e128 100644 --- a/README.md +++ b/README.md @@ -68,8 +68,6 @@ PowerShell 5.1 or PowerShell 7, and the following PowerShell modules are require - [GroupPolicy Module](https://docs.microsoft.com/en-us/powershell/module/grouppolicy/?view=windowsserver2019-ps) - [DhcpServer Module](https://docs.microsoft.com/en-us/powershell/module/dhcpserver/?view=windowsserver2019-ps) - [DnsServer Module](https://docs.microsoft.com/en-us/powershell/module/dnsserver/?view=windowsserver2019-ps) -- [PSSharedGoods Module](https://www.powershellgallery.com/packages/PSSharedGoods/) -- [PSWriteColor Module](https://www.powershellgallery.com/packages/PSWriteColor/0.87.3) ### Linux & macOS @@ -88,8 +86,6 @@ Due to a limitation of the WinRM component, a domain-joined machine is needed, a ```powershell Install-Module -Name PSPKI -Install-Module -Name PSWriteColor -Install-Module -Name PSSharedGoods Install-Module -Name AsBuiltReport.Microsoft.AD Install-WindowsFeature -Name RSAT-AD-PowerShell Install-WindowsFeature -Name RSAT-DNS-Server 
@@ -101,8 +97,6 @@ Install-WindowsFeature -Name GPMC ```powershell Install-Module -Name PSPKI -Install-Module -Name PSWriteColor -Install-Module -Name PSSharedGoods Install-Module -Name AsBuiltReport.Microsoft.AD Add-WindowsCapability -online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0' Add-WindowsCapability -online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0' diff --git a/Src/Private/Get-AbrADSiteReplication.ps1 b/Src/Private/Get-AbrADSiteReplication.ps1 index 5ac1137..f233322 100644 --- a/Src/Private/Get-AbrADSiteReplication.ps1 +++ b/Src/Private/Get-AbrADSiteReplication.ps1 @@ -133,6 +133,7 @@ function Get-AbrADSiteReplication { if ($HealthCheck.Site.Replication -and ($OutObj | Where-Object {$NULL -notlike $_.'Last Error'})) { Paragraph "Health Check:" -Italic -Bold -Underline Paragraph "Best Practices: Failing SYSVOL replication may cause Group Policy problems." -Italic -Bold + BlankLine } } catch { diff --git a/Src/Private/SharedUtilsFunctions.ps1 b/Src/Private/SharedUtilsFunctions.ps1 index be7dcdd..fdc50ec 100644 --- a/Src/Private/SharedUtilsFunctions.ps1 +++ b/Src/Private/SharedUtilsFunctions.ps1 @@ -416,7 +416,7 @@ function Get-WinADDFSHealth { } foreach ($DC in $DomainControllersFull) { - Write-Verbose "Get-WinADDFSHealth - Processing $($DC.HostName) for $Domain" + Write-Verbose "Get-WinADDFSHealth - Processing $($DC.Name) $($DC.HostName) for $Domain" $DCName = $DC.Name $Hostname = $DC.Hostname $DN = $DC.DistinguishedName 
@@ -560,6 +560,152 @@ function Get-WinADDFSHealth { $Table } +function ConvertTo-OperatingSystem { + <# + .SYNOPSIS + Allows easy conversion of OperatingSystem, Operating System Version to proper Windows 10 naming based on WMI or AD + + .DESCRIPTION + Allows easy conversion of OperatingSystem, Operating System Version to proper Windows 10 naming based on WMI or AD + + .PARAMETER OperatingSystem + Operating System as returned by Active Directory + + .PARAMETER OperatingSystemVersion + Operating System Version as returned by Active Directory + + .EXAMPLE + $Computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion | ForEach-Object { + $OPS = ConvertTo-OperatingSystem -OperatingSystem $_.OperatingSystem -OperatingSystemVersion $_.OperatingSystemVersion + Add-Member -MemberType NoteProperty -Name 'OperatingSystemTranslated' -Value $OPS -InputObject $_ -Force + $_ + } + $Computers | Select-Object DNS*, Name, SamAccountName, Enabled, OperatingSystem*, DistinguishedName | Format-Table + + .EXAMPLE + $Registry = Get-PSRegistry -ComputerName 'AD1' -RegistryPath 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + ConvertTo-OperatingSystem -OperatingSystem $Registry.ProductName -OperatingSystemVersion $Registry.CurrentBuildNumber + + .NOTES + General notes + #> + [CmdletBinding()] + param( + [string] $OperatingSystem, + [string] $OperatingSystemVersion + ) + + if ($OperatingSystem -like 'Windows 10*' -or $OperatingSystem -like 'Windows 11*') { + $Systems = @{ + # This is how it's written in AD + '10.0 (22000)' = 'Windows 11 21H2' + '10.0 (19043)' = 'Windows 10 21H1' + '10.0 (19042)' = 'Windows 10 20H2' + '10.0 (19041)' = 'Windows 10 2004' + '10.0 (18898)' = 'Windows 10 Insider Preview' + '10.0 (18363)' = "Windows 10 1909" + '10.0 (18362)' = "Windows 10 1903" + '10.0 (17763)' = "Windows 10 1809" + '10.0 (17134)' = "Windows 10 1803" + '10.0 (16299)' = "Windows 10 1709" + '10.0 (15063)' = "Windows 10 1703" + '10.0 (14393)' = 
"Windows 10 1607" + '10.0 (10586)' = "Windows 10 1511" + '10.0 (10240)' = "Windows 10 1507" + + # This is how WMI/CIM stores it + '10.0.22000' = 'Windows 11 21H2' + '10.0.19043' = 'Windows 10 21H1' + '10.0.19042' = 'Windows 10 20H2' + '10.0.19041' = 'Windows 10 2004' + '10.0.18898' = 'Windows 10 Insider Preview' + '10.0.18363' = "Windows 10 1909" + '10.0.18362' = "Windows 10 1903" + '10.0.17763' = "Windows 10 1809" + '10.0.17134' = "Windows 10 1803" + '10.0.16299' = "Windows 10 1709" + '10.0.15063' = "Windows 10 1703" + '10.0.14393' = "Windows 10 1607" + '10.0.10586' = "Windows 10 1511" + '10.0.10240' = "Windows 10 1507" + + # This is how it's written in registry + '22000' = 'Windows 11 21H2' + '19043' = 'Windows 10 21H1' + '19042' = 'Windows 10 20H2' + '19041' = 'Windows 10 2004' + '18898' = 'Windows 10 Insider Preview' + '18363' = "Windows 10 1909" + '18362' = "Windows 10 1903" + '17763' = "Windows 10 1809" + '17134' = "Windows 10 1803" + '16299' = "Windows 10 1709" + '15063' = "Windows 10 1703" + '14393' = "Windows 10 1607" + '10586' = "Windows 10 1511" + '10240' = "Windows 10 1507" + } + $System = $Systems[$OperatingSystemVersion] + if (-not $System) { + $System = $OperatingSystem + } + } elseif ($OperatingSystem -like 'Windows Server*') { + # May need updates https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-release-info + # to detect Core + + $Systems = @{ + # This is how it's written in AD + '10.0 (20348)' = 'Windows Server 2022' + '10.0 (19042)' = 'Windows Server 2019 20H2' + '10.0 (19041)' = 'Windows Server 2019 2004' + '10.0 (18363)' = 'Windows Server 2019 1909' + '10.0 (18362)' = "Windows Server 2019 1903" # (Datacenter Core, Standard Core) + '10.0 (17763)' = "Windows Server 2019 1809" # (Datacenter, Essentials, Standard) + '10.0 (17134)' = "Windows Server 2016 1803" # (Datacenter, Standard) + '10.0 (14393)' = "Windows Server 2016 1607" + '6.3 (9600)' = 'Windows Server 2012 R2' + '6.1 (7601)' = 'Windows Server 2008 R2' + '5.2 
(3790)' = 'Windows Server 2003' + + # This is how WMI/CIM stores it + '10.0.20348' = 'Windows Server 2022' + '10.0.19042' = 'Windows Server 2019 20H2' + '10.0.19041' = 'Windows Server 2019 2004' + '10.0.18363' = 'Windows Server 2019 1909' + '10.0.18362' = "Windows Server 2019 1903" # (Datacenter Core, Standard Core) + '10.0.17763' = "Windows Server 2019 1809" # (Datacenter, Essentials, Standard) + '10.0.17134' = "Windows Server 2016 1803" ## (Datacenter, Standard) + '10.0.14393' = "Windows Server 2016 1607" + '6.3.9600' = 'Windows Server 2012 R2' + '6.1.7601' = 'Windows Server 2008 R2' # i think + '5.2.3790' = 'Windows Server 2003' # i think + + # This is how it's written in registry + '20348' = 'Windows Server 2022' + '19042' = 'Windows Server 2019 20H2' + '19041' = 'Windows Server 2019 2004' + '18363' = 'Windows Server 2019 1909' + '18362' = "Windows Server 2019 1903" # (Datacenter Core, Standard Core) + '17763' = "Windows Server 2019 1809" # (Datacenter, Essentials, Standard) + '17134' = "Windows Server 2016 1803" # (Datacenter, Standard) + '14393' = "Windows Server 2016 1607" + '9600' = 'Windows Server 2012 R2' + '7601' = 'Windows Server 2008 R2' + '3790' = 'Windows Server 2003' + } + $System = $Systems[$OperatingSystemVersion] + if (-not $System) { + $System = $OperatingSystem + } + } else { + $System = $OperatingSystem + } + if ($System) { + $System + } else { + 'Unknown' + } +} function Get-WinADDuplicateSPN { <# 
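Review bot: The second .EXAMPLE in the new ConvertTo-OperatingSystem help calls `Get-PSRegistry`, a PSSharedGoods cmdlet that this same commit drops from RequiredModules, so the documented usage no longer works with the module's declared dependencies; rewrite it with a built-in lookup such as `$Build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber` followed by `ConvertTo-OperatingSystem -OperatingSystem $OperatingSystem -OperatingSystemVersion $Build`. The `.NOTES` section still carries the `General notes` placeholder; because this function is being vendored in to remove the dependency, that section should record its origin and licensing, e.g. `Adapted from the PSSharedGoods module; retain that project's license notice`. The lookup table also has no entry for build 19044 (Windows 10 21H2), so such hosts silently fall back to the raw `$OperatingSystem` string; if the table is meant to be current, add the `'10.0 (19044)'`, `'10.0.19044'` and `'19044'` keys next to the 22000 entries.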
@@ -760,4 +906,730 @@ Function Get-WinADDuplicateObject { [PSCustomObject] $ConflictObject } } +} + +function Get-ComputerSplit { + [CmdletBinding()] + param( + [string[]] $ComputerName + ) + if ($null -eq $ComputerName) { + $ComputerName = $Env:COMPUTERNAME + } + try { + $LocalComputerDNSName = [System.Net.Dns]::GetHostByName($Env:COMPUTERNAME).HostName + } catch { + $LocalComputerDNSName = $Env:COMPUTERNAME + } + $ComputersLocal = $null + [Array] $Computers = foreach ($Computer in $ComputerName) { + if ($Computer -eq '' -or $null -eq $Computer) { + $Computer = $Env:COMPUTERNAME + } + if ($Computer -ne $Env:COMPUTERNAME -and $Computer -ne $LocalComputerDNSName) { + $Computer + } else { + $ComputersLocal = $Computer + } + } + , @($ComputersLocal, $Computers) +} + + +function Get-WinADForestDetails { + + <# + .SYNOPSIS + Used by As Built Report to get AD duplicate object info. + .DESCRIPTION + + .NOTES + Version: 0.1.0 + Author: Przemysław Kłys + + .EXAMPLE + + .LINK + + #> + [CmdletBinding()] + param( + [alias('ForestName')][string] $Forest, + [string[]] $ExcludeDomains, + [string[]] $ExcludeDomainControllers, + [alias('Domain', 'Domains')][string[]] $IncludeDomains, + [alias('DomainControllers', 'ComputerName')][string[]] $IncludeDomainControllers, + [switch] $SkipRODC, + [string] $Filter = '*', + [switch] $TestAvailability, + [ValidateSet('All', 'Ping', 'WinRM', 'PortOpen', 'Ping+WinRM', 'Ping+PortOpen', 'WinRM+PortOpen')] $Test = 'All', + [int[]] $Ports = 135, + [int] $PortsTimeout = 100, + [int] $PingCount = 1, + [switch] $Extended, + [System.Collections.IDictionary] $ExtendedForestInformation + ) + if ($Global:ProgressPreference -ne 'SilentlyContinue') { + $TemporaryProgress = $Global:ProgressPreference + $Global:ProgressPreference = 'SilentlyContinue' + } + + if (-not $ExtendedForestInformation) { + # standard situation, building data from AD + $Findings = [ordered] @{ } + try { + if ($Forest) { + $ForestInformation = Get-ADForest -ErrorAction Stop -Identity 
$Forest + } else { + $ForestInformation = Get-ADForest -ErrorAction Stop + } + <# + $ForestInformation = [ordered] @{ + ApplicationPartitions = $ForestInf.ApplicationPartitions | ForEach-Object -Process { $_ } # : {DC=DomainDnsZones,DC=ad,DC=evotec,DC=xyz, DC=DomainDnsZones,DC=ad,DC=evotec,DC=pl, DC=ForestDnsZones,DC=ad,DC=evotec,DC=xyz} + CrossForestReferences = $ForestInf.CrossForestReferences | ForEach-Object -Process { $_ } # : {} + DomainNamingMaster = $ForestInf.DomainNamingMaster # : AD1.ad.evotec.xyz + Domains = $ForestInf.Domains | ForEach-Object -Process { $_ } # : {ad.evotec.xyz, ad.evotec.pl} + ForestMode = $ForestInf.ForestMode # : Windows2012R2Forest + GlobalCatalogs = $ForestInf.GlobalCatalogs | ForEach-Object -Process { $_ } # : {AD1.ad.evotec.xyz, AD2.ad.evotec.xyz, ADRODC.ad.evotec.pl, AD3.ad.evotec.xyz...} + Name = $ForestInf.Name # : ad.evotec.xyz + PartitionsContainer = $ForestInf.PartitionsContainer # : CN=Partitions,CN=Configuration,DC=ad,DC=evotec,DC=xyz + RootDomain = $ForestInf.RootDomain # : ad.evotec.xyz + SchemaMaster = $ForestInf.SchemaMaster # : AD1.ad.evotec.xyz + Sites = $ForestInf.Sites | ForEach-Object -Process { $_ } # : {KATOWICE-1, KATOWICE-2} + SPNSuffixes = $ForestInf.SPNSuffixes | ForEach-Object -Process { $_ } # : {} + UPNSuffixes = $ForestInf.UPNSuffixes | ForEach-Object -Process { $_ } # : {myneva.eu, single.evotec.xyz, newUPN@com, evotec.xyz...} + } + #> + } catch { + Write-Warning "Get-WinADForestDetails - Error discovering DC for Forest - $($_.Exception.Message)" + return + } + if (-not $ForestInformation) { + return + } + $Findings['Forest'] = $ForestInformation + $Findings['ForestDomainControllers'] = @() + $Findings['QueryServers'] = @{ } + $Findings['DomainDomainControllers'] = @{ } + [Array] $Findings['Domains'] = foreach ($Domain in $ForestInformation.Domains) { + if ($IncludeDomains) { + if ($Domain -in $IncludeDomains) { + $Domain.ToLower() + } + # We skip checking for exclusions + continue + } + if ($Domain 
-notin $ExcludeDomains) { + $Domain.ToLower() + } + } + # We want to have QueryServers always available for all domains + [Array] $DomainsActive = foreach ($Domain in $Findings['Forest'].Domains) { + try { + $DC = Get-ADDomainController -DomainName $Domain -Discover -ErrorAction Stop + + $OrderedDC = [ordered] @{ + Domain = $DC.Domain + Forest = $DC.Forest + HostName = [Array] $DC.HostName + IPv4Address = $DC.IPv4Address + IPv6Address = $DC.IPv6Address + Name = $DC.Name + Site = $DC.Site + } + + } catch { + Write-Warning "Get-WinADForestDetails - Error discovering DC for domain $Domain - $($_.Exception.Message)" + continue + } + if ($Domain -eq $Findings['Forest']['Name']) { + $Findings['QueryServers']['Forest'] = $OrderedDC + } + $Findings['QueryServers']["$Domain"] = $OrderedDC + # lets return domain as something that wroks + $Domain + } + + # we need to make sure to remove domains that don't have DCs for some reason + [Array] $Findings['Domains'] = foreach ($Domain in $Findings['Domains']) { + if ($Domain -notin $DomainsActive) { + Write-Warning "Get-WinADForestDetails - Domain $Domain doesn't seem to be active (no DCs). Skipping." 
+ continue + } + $Domain + } + + [Array] $Findings['ForestDomainControllers'] = foreach ($Domain in $Findings.Domains) { + $QueryServer = $Findings['QueryServers'][$Domain]['HostName'][0] + + [Array] $AllDC = try { + try { + $DomainControllers = Get-ADDomainController -Filter $Filter -Server $QueryServer -ErrorAction Stop + } catch { + Write-Warning "Get-WinADForestDetails - Error listing DCs for domain $Domain - $($_.Exception.Message)" + continue + } + foreach ($S in $DomainControllers) { + if ($IncludeDomainControllers.Count -gt 0) { + If (-not $IncludeDomainControllers[0].Contains('.')) { + if ($S.Name -notin $IncludeDomainControllers) { + continue + } + } else { + if ($S.HostName -notin $IncludeDomainControllers) { + continue + } + } + } + if ($ExcludeDomainControllers.Count -gt 0) { + If (-not $ExcludeDomainControllers[0].Contains('.')) { + if ($S.Name -in $ExcludeDomainControllers) { + continue + } + } else { + if ($S.HostName -in $ExcludeDomainControllers) { + continue + } + } + } + $Server = [ordered] @{ + Domain = $Domain + HostName = $S.HostName + Name = $S.Name + Forest = $ForestInformation.RootDomain + Site = $S.Site + IPV4Address = $S.IPV4Address + IPV6Address = $S.IPV6Address + IsGlobalCatalog = $S.IsGlobalCatalog + IsReadOnly = $S.IsReadOnly + IsSchemaMaster = ($S.OperationMasterRoles -contains 'SchemaMaster') + IsDomainNamingMaster = ($S.OperationMasterRoles -contains 'DomainNamingMaster') + IsPDC = ($S.OperationMasterRoles -contains 'PDCEmulator') + IsRIDMaster = ($S.OperationMasterRoles -contains 'RIDMaster') + IsInfrastructureMaster = ($S.OperationMasterRoles -contains 'InfrastructureMaster') + OperatingSystem = $S.OperatingSystem + OperatingSystemVersion = $S.OperatingSystemVersion + OperatingSystemLong = ConvertTo-OperatingSystem -OperatingSystem $S.OperatingSystem -OperatingSystemVersion $S.OperatingSystemVersion + LdapPort = $S.LdapPort + SslPort = $S.SslPort + DistinguishedName = $S.ComputerObjectDN + Pingable = $null + WinRM = $null + 
PortOpen = $null + Comment = '' + } + if ($TestAvailability) { + if ($Test -eq 'All' -or $Test -like 'Ping*') { + $Server.Pingable = Test-Connection -ComputerName $Server.IPV4Address -Quiet -Count $PingCount + } + if ($Test -eq 'All' -or $Test -like '*WinRM*') { + $Server.WinRM = (Test-WinRM -ComputerName $Server.HostName).Status + } + if ($Test -eq 'All' -or '*PortOpen*') { + $Server.PortOpen = (Test-ComputerPort -Server $Server.HostName -PortTCP $Ports -Timeout $PortsTimeout).Status + } + } + [PSCustomObject] $Server + } + } catch { + [PSCustomObject]@{ + Domain = $Domain + HostName = '' + Name = '' + Forest = $ForestInformation.RootDomain + IPV4Address = '' + IPV6Address = '' + IsGlobalCatalog = '' + IsReadOnly = '' + Site = '' + SchemaMaster = $false + DomainNamingMasterMaster = $false + PDCEmulator = $false + RIDMaster = $false + InfrastructureMaster = $false + LdapPort = '' + SslPort = '' + DistinguishedName = '' + Pingable = $null + WinRM = $null + PortOpen = $null + Comment = $_.Exception.Message -replace "`n", " " -replace "`r", " " + } + } + if ($SkipRODC) { + [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false } + #$Findings[$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false } + } else { + [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC + #$Findings[$Domain] = $AllDC + } + # Building all DCs for whole Forest + [Array] $Findings['DomainDomainControllers'][$Domain] + } + if ($Extended) { + $Findings['DomainsExtended'] = @{ } + $Findings['DomainsExtendedNetBIOS'] = @{ } + foreach ($DomainEx in $Findings['Domains']) { + try { + #$Findings['DomainsExtended'][$DomainEx] = Get-ADDomain -Server $Findings['QueryServers'][$DomainEx].HostName[0] + + $Findings['DomainsExtended'][$DomainEx] = Get-ADDomain -Server $Findings['QueryServers'][$DomainEx].HostName[0] | ForEach-Object { + # We need to use ForEach-Object to convert ADPropertyValueCollection to normal strings. 
Otherwise Copy-Dictionary fails + #True False ADPropertyValueCollection System.Collections.CollectionBase + + [ordered] @{ + AllowedDNSSuffixes = $_.AllowedDNSSuffixes | ForEach-Object -Process { $_ } #: { } + ChildDomains = $_.ChildDomains | ForEach-Object -Process { $_ } #: { } + ComputersContainer = $_.ComputersContainer #: CN = Computers, DC = ad, DC = evotec, DC = xyz + DeletedObjectsContainer = $_.DeletedObjectsContainer #: CN = Deleted Objects, DC = ad, DC = evotec, DC = xyz + DistinguishedName = $_.DistinguishedName #: DC = ad, DC = evotec, DC = xyz + DNSRoot = $_.DNSRoot #: ad.evotec.xyz + DomainControllersContainer = $_.DomainControllersContainer #: OU = Domain Controllers, DC = ad, DC = evotec, DC = xyz + DomainMode = $_.DomainMode #: Windows2012R2Domain + DomainSID = $_.DomainSID.Value #: S - 1 - 5 - 21 - 853615985 - 2870445339 - 3163598659 + ForeignSecurityPrincipalsContainer = $_.ForeignSecurityPrincipalsContainer #: CN = ForeignSecurityPrincipals, DC = ad, DC = evotec, DC = xyz + Forest = $_.Forest #: ad.evotec.xyz + InfrastructureMaster = $_.InfrastructureMaster #: AD1.ad.evotec.xyz + LastLogonReplicationInterval = $_.LastLogonReplicationInterval #: + LinkedGroupPolicyObjects = $_.LinkedGroupPolicyObjects | ForEach-Object -Process { $_ } #: + LostAndFoundContainer = $_.LostAndFoundContainer #: CN = LostAndFound, DC = ad, DC = evotec, DC = xyz + ManagedBy = $_.ManagedBy #: + Name = $_.Name #: ad + NetBIOSName = $_.NetBIOSName #: EVOTEC + ObjectClass = $_.ObjectClass #: domainDNS + ObjectGUID = $_.ObjectGUID #: bc875580 - 4c70-41ad-a487-c57337e26024 + ParentDomain = $_.ParentDomain #: + PDCEmulator = $_.PDCEmulator #: AD1.ad.evotec.xyz + PublicKeyRequiredPasswordRolling = $_.PublicKeyRequiredPasswordRolling | ForEach-Object -Process { $_ } #: + QuotasContainer = $_.QuotasContainer #: CN = NTDS Quotas, DC = ad, DC = evotec, DC = xyz + ReadOnlyReplicaDirectoryServers = $_.ReadOnlyReplicaDirectoryServers | ForEach-Object -Process { $_ } #: { } + 
ReplicaDirectoryServers = $_.ReplicaDirectoryServers | ForEach-Object -Process { $_ } #: { AD1.ad.evotec.xyz, AD2.ad.evotec.xyz, AD3.ad.evotec.xyz } + RIDMaster = $_.RIDMaster #: AD1.ad.evotec.xyz + SubordinateReferences = $_.SubordinateReferences | ForEach-Object -Process { $_ } #: { DC = ForestDnsZones, DC = ad, DC = evotec, DC = xyz, DC = DomainDnsZones, DC = ad, DC = evotec, DC = xyz, CN = Configuration, DC = ad, DC = evotec, DC = xyz } + SystemsContainer = $_.SystemsContainer #: CN = System, DC = ad, DC = evotec, DC = xyz + UsersContainer = $_.UsersContainer #: CN = Users, DC = ad, DC = evotec, DC = xyz + } + } + + $NetBios = $Findings['DomainsExtended'][$DomainEx]['NetBIOSName'] + $Findings['DomainsExtendedNetBIOS'][$NetBios] = $Findings['DomainsExtended'][$DomainEx] + } catch { + Write-Warning "Get-WinADForestDetails - Error gathering Domain Information for domain $DomainEx - $($_.Exception.Message)" + continue + } + } + } + # Bring back setting as per default + if ($TemporaryProgress) { + $Global:ProgressPreference = $TemporaryProgress + } + + $Findings + } else { + # this takes care of limiting output to only what we requested, but based on prior input + # this makes sure we ask once for all AD stuff and then subsequent calls just filter out things + # this should be much faster then asking again and again for stuff from AD + $Findings = Copy-DictionaryManual -Dictionary $ExtendedForestInformation + [Array] $Findings['Domains'] = foreach ($_ in $Findings.Domains) { + if ($IncludeDomains) { + if ($_ -in $IncludeDomains) { + $_.ToLower() + } + # We skip checking for exclusions + continue + } + if ($_ -notin $ExcludeDomains) { + $_.ToLower() + } + } + # Now that we have Domains we need to remove all DCs that are not from domains we excluded or included + foreach ($_ in [string[]] $Findings.DomainDomainControllers.Keys) { + if ($_ -notin $Findings.Domains) { + $Findings.DomainDomainControllers.Remove($_) + } + } + # Same as above but for query servers - we 
don't remove queried servers + #foreach ($_ in [string[]] $Findings.QueryServers.Keys) { + # if ($_ -notin $Findings.Domains -and $_ -ne 'Forest') { + # $Findings.QueryServers.Remove($_) + # } + #} + # Now that we have Domains we need to remove all Domains that are excluded or included + foreach ($_ in [string[]] $Findings.DomainsExtended.Keys) { + if ($_ -notin $Findings.Domains) { + $Findings.DomainsExtended.Remove($_) + $NetBiosName = $Findings.DomainsExtended.$_.'NetBIOSName' + if ($NetBiosName) { + $Findings.DomainsExtendedNetBIOS.Remove($NetBiosName) + } + } + } + [Array] $Findings['ForestDomainControllers'] = foreach ($Domain in $Findings.Domains) { + [Array] $AllDC = foreach ($S in $Findings.DomainDomainControllers["$Domain"]) { + if ($IncludeDomainControllers.Count -gt 0) { + If (-not $IncludeDomainControllers[0].Contains('.')) { + if ($S.Name -notin $IncludeDomainControllers) { + continue + } + } else { + if ($S.HostName -notin $IncludeDomainControllers) { + continue + } + } + } + if ($ExcludeDomainControllers.Count -gt 0) { + If (-not $ExcludeDomainControllers[0].Contains('.')) { + if ($S.Name -in $ExcludeDomainControllers) { + continue + } + } else { + if ($S.HostName -in $ExcludeDomainControllers) { + continue + } + } + } + $S + } + if ($SkipRODC) { + [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false } + } else { + [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC + } + # Building all DCs for whole Forest + [Array] $Findings['DomainDomainControllers'][$Domain] + } + $Findings + } +} + +function Get-CimData { + <# + .SYNOPSIS + Helper function for retreiving CIM data from local and remote computers + + .DESCRIPTION + Helper function for retreiving CIM data from local and remote computers + + .PARAMETER ComputerName + Specifies computer on which you want to run the CIM operation. You can specify a fully qualified domain name (FQDN), a NetBIOS name, or an IP address. 
If you do not specify this parameter, the cmdlet performs the operation on the local computer using Component Object Model (COM). + + .PARAMETER Protocol + Specifies the protocol to use. The acceptable values for this parameter are: DCOM, Default, or Wsman. + + .PARAMETER Class + Specifies the name of the CIM class for which to retrieve the CIM instances. You can use tab completion to browse the list of classes, because PowerShell gets a list of classes from the local WMI server to provide a list of class names. + + .PARAMETER Properties + Specifies a set of instance properties to retrieve. Use this parameter when you need to reduce the size of the object returned, either in memory or over the network. The object returned also contains the key properties even if you have not listed them using the Property parameter. Other properties of the class are present but they are not populated. + + .EXAMPLE + Get-CimData -Class 'win32_bios' -ComputerName AD1,EVOWIN + + Get-CimData -Class 'win32_bios' + + # Get-CimClass to get all classes + + .NOTES + General notes + #> + + [CmdletBinding()] + param( + [parameter(Mandatory)][string] $Class, + [string] $NameSpace = 'root\cimv2', + [string[]] $ComputerName = $Env:COMPUTERNAME, + [ValidateSet('Default', 'Dcom', 'Wsman')][string] $Protocol = 'Default', + [string[]] $Properties = '*' + ) + $ExcludeProperties = 'CimClass', 'CimInstanceProperties', 'CimSystemProperties', 'SystemCreationClassName', 'CreationClassName' + + # Querying CIM locally usually doesn't work. 
This means if you're querying same computer you neeed to skip CimSession/ComputerName if it's local query + [Array] $ComputersSplit = Get-ComputerSplit -ComputerName $ComputerName + + $CimObject = @( + # requires removal of this property for query + [string[]] $PropertiesOnly = $Properties | Where-Object { $_ -ne 'PSComputerName' } + # Process all remote computers + $Computers = $ComputersSplit[1] + if ($Computers.Count -gt 0) { + if ($Protocol = 'Default') { + Get-CimInstance -ClassName $Class -ComputerName $Computers -ErrorAction SilentlyContinue -Property $PropertiesOnly -Namespace $NameSpace -Verbose:$false -ErrorVariable ErrorsToProcess | Select-Object -Property $Properties -ExcludeProperty $ExcludeProperties + } else { + $Option = New-CimSessionOption -Protocol $Protocol + $Session = New-CimSession -ComputerName $Computers -SessionOption $Option -ErrorAction SilentlyContinue + $Info = Get-CimInstance -ClassName $Class -CimSession $Session -ErrorAction SilentlyContinue -Property $PropertiesOnly -Namespace $NameSpace -Verbose:$false -ErrorVariable ErrorsToProcess | Select-Object -Property $Properties -ExcludeProperty $ExcludeProperties + $null = Remove-CimSession -CimSession $Session -ErrorAction SilentlyContinue + $Info + } + } + foreach ($E in $ErrorsToProcess) { + Write-Warning -Message "Get-CimData - No data for computer $($E.OriginInfo.PSComputerName). Failed with errror: $($E.Exception.Message)" + } + # Process local computer + $Computers = $ComputersSplit[0] + if ($Computers.Count -gt 0) { + $Info = Get-CimInstance -ClassName $Class -ErrorAction SilentlyContinue -Property $PropertiesOnly -Namespace $NameSpace -Verbose:$false -ErrorVariable ErrorsLocal | Select-Object -Property $Properties -ExcludeProperty $ExcludeProperties + $Info | Add-Member -Name 'PSComputerName' -Value $Computers -MemberType NoteProperty -Force + $Info + } + foreach ($E in $ErrorsLocal) { + Write-Warning -Message "Get-CimData - No data for computer $($Env:COMPUTERNAME). 
Failed with errror: $($E.Exception.Message)" + } + ) + $CimObject +} + +function ConvertFrom-DistinguishedName { + <# + .SYNOPSIS + Converts a Distinguished Name to CN, OU, Multiple OUs or DC + + .DESCRIPTION + Converts a Distinguished Name to CN, OU, Multiple OUs or DC + + .PARAMETER DistinguishedName + Distinguished Name to convert + + .PARAMETER ToOrganizationalUnit + Converts DistinguishedName to Organizational Unit + + .PARAMETER ToDC + Converts DistinguishedName to DC + + .PARAMETER ToDomainCN + Converts DistinguishedName to Domain CN + + .EXAMPLE + $DistinguishedName = 'CN=Przemyslaw Klys,OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' + ConvertFrom-DistinguishedName -DistinguishedName $DistinguishedName -ToOrganizationalUnit + + Output: + OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz + + .EXAMPLE + $DistinguishedName = 'CN=Przemyslaw Klys,OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' + ConvertFrom-DistinguishedName -DistinguishedName $DistinguishedName + + Output: + Przemyslaw Klys + + .EXAMPLE + ConvertFrom-DistinguishedName -DistinguishedName 'OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' -ToMultipleOrganizationalUnit -IncludeParent + + Output: + OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz + OU=Production,DC=ad,DC=evotec,DC=xyz + + .EXAMPLE + ConvertFrom-DistinguishedName -DistinguishedName 'OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' -ToMultipleOrganizationalUnit + + Output: + OU=Production,DC=ad,DC=evotec,DC=xyz + + .EXAMPLE + $Con = @( + 'CN=Windows Authorization Access Group,CN=Builtin,DC=ad,DC=evotec,DC=xyz' + 'CN=Mmm,DC=elo,CN=nee,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=ad,DC=evotec,DC=xyz' + 'CN=e6d5fd00-385d-4e65-b02d-9da3493ed850,CN=Operations,CN=DomainUpdates,CN=System,DC=ad,DC=evotec,DC=xyz' + 'OU=Domain Controllers,DC=ad,DC=evotec,DC=pl' + 'OU=Microsoft Exchange Security Groups,DC=ad,DC=evotec,DC=xyz' + ) + + ConvertFrom-DistinguishedName -DistinguishedName $Con -ToLastName + + Output: + Windows Authorization Access Group + Mmm + 
e6d5fd00-385d-4e65-b02d-9da3493ed850 + Domain Controllers + Microsoft Exchange Security Groups + + .NOTES + General notes + #> + [CmdletBinding(DefaultParameterSetName = 'Default')] + param( + [Parameter(ParameterSetName = 'ToOrganizationalUnit')] + [Parameter(ParameterSetName = 'ToMultipleOrganizationalUnit')] + [Parameter(ParameterSetName = 'ToDC')] + [Parameter(ParameterSetName = 'ToDomainCN')] + [Parameter(ParameterSetName = 'Default')] + [Parameter(ParameterSetName = 'ToLastName')] + [alias('Identity', 'DN')][Parameter(ValueFromPipeline, ValueFromPipelineByPropertyName, Position = 0)][string[]] $DistinguishedName, + [Parameter(ParameterSetName = 'ToOrganizationalUnit')][switch] $ToOrganizationalUnit, + [Parameter(ParameterSetName = 'ToMultipleOrganizationalUnit')][alias('ToMultipleOU')][switch] $ToMultipleOrganizationalUnit, + [Parameter(ParameterSetName = 'ToMultipleOrganizationalUnit')][switch] $IncludeParent, + [Parameter(ParameterSetName = 'ToDC')][switch] $ToDC, + [Parameter(ParameterSetName = 'ToDomainCN')][switch] $ToDomainCN, + [Parameter(ParameterSetName = 'ToLastName')][switch] $ToLastName + ) + Process { + foreach ($Distinguished in $DistinguishedName) { + if ($ToDomainCN) { + $DN = $Distinguished -replace '.*?((DC=[^=]+,)+DC=[^=]+)$', '$1' + $CN = $DN -replace ',DC=', '.' 
-replace "DC=" + if ($CN) { + $CN + } + } elseif ($ToOrganizationalUnit) { + $Value = [Regex]::Match($Distinguished, '(?=OU=)(.*\n?)(?<=.)').Value + if ($Value) { + $Value + } + } elseif ($ToMultipleOrganizationalUnit) { + if ($IncludeParent) { + $Distinguished + } + while ($true) { + #$dn = $dn -replace '^.+?,(?=CN|OU|DC)' + $Distinguished = $Distinguished -replace '^.+?,(?=..=)' + if ($Distinguished -match '^DC=') { + break + } + $Distinguished + } + } elseif ($ToDC) { + #return [Regex]::Match($DistinguishedName, '(?=DC=)(.*\n?)(?<=.)').Value + # return [Regex]::Match($DistinguishedName, '.*?(DC=.*)').Value + $Value = $Distinguished -replace '.*?((DC=[^=]+,)+DC=[^=]+)$', '$1' + if ($Value) { + $Value + } + #return [Regex]::Match($DistinguishedName, 'CN=.*?(DC=.*)').Groups[1].Value + } elseif ($ToLastName) { + # Would be best if it worked, but there is too many edge cases so hand splits seems to be the best solution + # Feel free to change it back to regex if you know how ;) + <# https://stackoverflow.com/questions/51761894/regex-extract-ou-from-distinguished-name + $Regex = "^(?:(?CN=(?.*?)),)?(?(?:(?(?:CN|OU).*?),)?(?(?:DC=.*)+))$" + $Found = $Distinguished -match $Regex + if ($Found) { + $Matches.name + } + #> + $NewDN = $Distinguished -split ",DC=" + if ($NewDN[0].Contains(",OU=")) { + [Array] $ChangedDN = $NewDN[0] -split ",OU=" + } elseif ($NewDN[0].Contains(",CN=")) { + [Array] $ChangedDN = $NewDN[0] -split ",CN=" + } else { + [Array] $ChangedDN = $NewDN[0] + } + if ($ChangedDN[0].StartsWith('CN=')) { + $ChangedDN[0] -replace 'CN=', '' + } else { + $ChangedDN[0] -replace 'OU=', '' + } + } else { + $Regex = '^CN=(?.+?)(?(?:(?:OU|CN).+?(?DC.+?))$' + #$Output = foreach ($_ in $Distinguished) { + $Found = $Distinguished -match $Regex + if ($Found) { + $Matches.cn + } + #} + #$Output.cn + } + } + } +} +function Test-WinRM { + [CmdletBinding()] + param ( + [alias('Server')][string[]] $ComputerName + ) + $Output = foreach ($Computer in $ComputerName) { + $Test = 
[PSCustomObject] @{ + Output = $null + Status = $null + ComputerName = $Computer + } + try { + $Test.Output = Test-WSMan -ComputerName $Computer -ErrorAction Stop + $Test.Status = $true + } catch { + $Test.Status = $false + } + $Test + } + $Output +} + +function Test-ComputerPort { + [CmdletBinding()] + param ( + [alias('Server')][string[]] $ComputerName, + [int[]] $PortTCP, + [int[]] $PortUDP, + [int]$Timeout = 5000 + ) + begin { + if ($Global:ProgressPreference -ne 'SilentlyContinue') { + $TemporaryProgress = $Global:ProgressPreference + $Global:ProgressPreference = 'SilentlyContinue' + } + } + process { + foreach ($Computer in $ComputerName) { + foreach ($P in $PortTCP) { + $Output = [ordered] @{ + 'ComputerName' = $Computer + 'Port' = $P + 'Protocol' = 'TCP' + 'Status' = $null + 'Summary' = $null + 'Response' = $null + } + + $TcpClient = Test-NetConnection -ComputerName $Computer -Port $P -InformationLevel Detailed -WarningAction SilentlyContinue + if ($TcpClient.TcpTestSucceeded) { + $Output['Status'] = $TcpClient.TcpTestSucceeded + $Output['Summary'] = "TCP $P Successful" + } else { + $Output['Status'] = $false + $Output['Summary'] = "TCP $P Failed" + $Output['Response'] = $Warnings + } + [PSCustomObject]$Output + } + foreach ($P in $PortUDP) { + $Output = [ordered] @{ + 'ComputerName' = $Computer + 'Port' = $P + 'Protocol' = 'UDP' + 'Status' = $null + 'Summary' = $null + } + $UdpClient = [System.Net.Sockets.UdpClient]::new($Computer, $P) + $UdpClient.Client.ReceiveTimeout = $Timeout + # $UdpClient.Connect($Computer, $P) + $Encoding = [System.Text.ASCIIEncoding]::new() + $byte = $Encoding.GetBytes("Evotec") + [void]$UdpClient.Send($byte, $byte.length) + $RemoteEndpoint = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0) + try { + $Bytes = $UdpClient.Receive([ref]$RemoteEndpoint) + [string]$Data = $Encoding.GetString($Bytes) + If ($Data) { + $Output['Status'] = $true + $Output['Summary'] = "UDP $P Successful" + $Output['Response'] = $Data + } + } 
catch { + $Output['Status'] = $false + $Output['Summary'] = "UDP $P Failed" + $Output['Response'] = $_.Exception.Message + } + $UdpClient.Close() + $UdpClient.Dispose() + [PSCustomObject]$Output + } + + } + } + end { + # Bring back setting as per default + if ($TemporaryProgress) { + $Global:ProgressPreference = $TemporaryProgress + } + } } \ No newline at end of file diff --git a/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 b/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 index 1fd5dfc..32717db 100644 --- a/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 +++ b/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 @@ -42,8 +42,6 @@ function Invoke-AsBuiltReport.Microsoft.AD { } Get-RequiredModule -Name PSPKI -Version '3.7.2' - Get-RequiredModule -Name PSWriteColor -Version '0.87.3' - Get-RequiredModule -Name PSSharedGoods -Version '0.0.224' # Import Report Configuration From 6731cd95aa39e962f6c6519d714346161f8b58e6 Mon Sep 17 00:00:00 2001 From: Jonathan Colon Date: Fri, 24 Jun 2022 11:35:28 -0400 Subject: [PATCH 2/7] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index d0c4c34..aae8ebb 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,10 @@
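Review bot: `if ($Protocol = 'Default')` in Get-CimData assigns rather than compares, so the condition is always true and the DCOM/WSMan CimSession branch is dead code; it should read `if ($Protocol -eq 'Default')`. The same always-true shape appears in Get-WinADForestDetails, where `if ($Test -eq 'All' -or '*PortOpen*')` tests a non-empty literal; write it as `if ($Test -eq 'All' -or $Test -like '*PortOpen*')` to match the Ping and WinRM checks beside it. In the ExtendedForestInformation branch, `$Findings.DomainsExtended.Remove($_)` runs before `$Findings.DomainsExtended.$_.'NetBIOSName'` is read, so `$NetBiosName` is always empty and the DomainsExtendedNetBIOS entry is never pruned; swap those two lines. Get-WinADForestDetails restores `$Global:ProgressPreference` only on the normal path of the first branch, so after the early `return`s in the catch blocks, or whenever $ExtendedForestInformation is supplied, the caller's session is left at SilentlyContinue; wrapping the body in try/finally with the restore in finally would close that. In Test-ComputerPort, `$Output['Response'] = $Warnings` references a variable that is never assigned anywhere in the hunk, and the UdpClient is closed outside a finally, so a Receive exception path still disposes it but a constructor failure is unhandled.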

+

+

+ Buy Me a Coffee at ko-fi.com +

# Microsoft AD As Built Report From f8aa3f95246aeab0cb24f1f86351f9475d454635 Mon Sep 17 00:00:00 2001 From: Jonathan Colon Date: Fri, 24 Jun 2022 11:36:04 -0400 Subject: [PATCH 3/7] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index aae8ebb..2e20dd1 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,6 @@

-

Buy Me a Coffee at ko-fi.com

From a263c0dc1f2ae798cb5e2ad5e396ccb700b2e907 Mon Sep 17 00:00:00 2001 From: Jonathan Colon Date: Fri, 22 Jul 2022 16:59:02 -0400 Subject: [PATCH 4/7] fix Group report for well-known groups without support for international domains #42 --- AsBuiltReport.Microsoft.AD.psd1 | 2 +- CHANGELOG.md | 10 ++++++ Src/Private/Get-AbrADDomainObject.ps1 | 44 +++++++++++++++++++-------- 3 files changed, 43 insertions(+), 13 deletions(-) diff --git a/AsBuiltReport.Microsoft.AD.psd1 b/AsBuiltReport.Microsoft.AD.psd1 index a32cf12..a34eb46 100644 --- a/AsBuiltReport.Microsoft.AD.psd1 +++ b/AsBuiltReport.Microsoft.AD.psd1 @@ -12,7 +12,7 @@ RootModule = 'AsBuiltReport.Microsoft.AD.psm1' # Version number of this module. -ModuleVersion = '0.7.3' +ModuleVersion = '0.7.4' # Supported PSEditions # CompatiblePSEditions = @() diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e01cce..031d9f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,15 @@ # :arrows_clockwise: Microsoft AD As Built Report Changelog +## [0.7.4] - 2022-xx-xx +### Changed + +- Access well known groups via SID to include international names and expand them to localized group names. + +### Fixed + +- Fixes [#42](https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD/issues/42) + +- ## [0.7.3] - 2022-05-13 ### Added diff --git a/Src/Private/Get-AbrADDomainObject.ps1 b/Src/Private/Get-AbrADDomainObject.ps1 index 6872397..49245b2 100644 --- a/Src/Private/Get-AbrADDomainObject.ps1 +++ b/Src/Private/Get-AbrADDomainObject.ps1 @@ -5,7 +5,7 @@ function Get-AbrADDomainObject { .DESCRIPTION .NOTES - Version: 0.7.2 + Version: 0.7.4 Author: Jonathan Colon Twitter: @jcolonfzenpr Github: rebelinux 
@@ -213,21 +213,37 @@ function Get-AbrADDomainObject { if ($Domain) { Write-PscriboMessage "Collecting Privileged Group in Active Directory." try { + $DomainSID = Invoke-Command -Session $TempPssSession {(Get-ADDomain -Identity $using:Domain).domainsid.Value} $DC = Invoke-Command -Session $TempPssSession {Get-ADDomain -Identity $using:Domain | Select-Object -ExpandProperty ReplicaDirectoryServers | Select-Object -First 1} - if ($Domain -eq (Get-ADForest).Name) { - $Groups = 'Domain Admins','Enterprise Admins','Administrators','Server Operators','DnsAdmins','Remote Desktop Users','Incoming Forest Trust Builders','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators','Schema Admins' + if ($Domain -eq $ADSystem.Name) { + #$Groups = 'Domain Admins','Enterprise Admins','Administrators','Server Operators','DnsAdmins','Remote Desktop Users','Incoming Forest Trust Builders','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators','Schema Admins' + $GroupsSID = "$DomainSID-512","$DomainSID-519",'S-1-5-32-544','S-1-5-32-549',"$DomainSID-1101",'S-1-5-32-555','S-1-5-32-557',"$DomainSID-526",'S-1-5-32-551',"$DomainSID-517",'S-1-5-32-550','S-1-5-32-548',"$DomainSID-518" } else { - $Groups = 'Domain Admins','Server Operators','DnsAdmins','Remote Desktop Users','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators' + #$Groups = 'Domain Admins','Server Operators','DnsAdmins','Remote Desktop Users','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators' + $GroupsSID = "$DomainSID-512",'S-1-5-32-544','S-1-5-32-549',"$DomainSID-1101",'S-1-5-32-555','S-1-5-32-557',"$DomainSID-526",'S-1-5-32-551',"$DomainSID-517",'S-1-5-32-550','S-1-5-32-548' } - if ($Groups) { - foreach ($Group in $Groups) { - $GroupObject = Invoke-Command -Session $TempPssSession {Get-ADGroupMember -Server $using:DC -Identity $using:Group -Recursive -ErrorAction SilentlyContinue} - $inObj = 
[ordered] @{ - 'Group Name' = $Group - 'Count' = ($GroupObject | Measure-Object).Count + if ($GroupsSID) { + foreach ($GroupSID in $GroupsSID) { + try { + $Group = Invoke-Command -Session $TempPssSession {Get-ADGroup -Server $using:DC -Filter * | Select-Object -Property SID,Name | Where-Object {$_.SID -like $using:GroupSID}} + if ($Group) { + Write-PscriboMessage "Collecting Privileged Group $($Group.Name) with SID $($Group.SID)" + $GroupObject = Invoke-Command -Session $TempPssSession {Get-ADGroupMember -Server $using:DC -Identity ($using:Group).Name -Recursive -ErrorAction SilentlyContinue} + $inObj = [ordered] @{ + 'Group Name' = $Group.Name + 'Count' = ($GroupObject | Measure-Object).Count + } + $OutObj += [pscustomobject]$inobj + } } - $OutObj += [pscustomobject]$inobj + catch { + Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Privileged Group in Active Directory item)" + } + } + + if ($HealthCheck.Domain.Security) { + $OutObj | Where-Object { $_.'Group Name' -eq 'Schema Admins' -and $_.Count -gt 1 } | Set-Style -Style Warning } $TableParams = @{ 
@@ -238,7 +254,11 @@ function Get-AbrADDomainObject {
 if ($Report.ShowTableCaptions) {
 $TableParams['Caption'] = "- $($TableParams.Name)"
 }
- $OutObj | Sort-Object -Property 'Group Name' | Table @TableParams
+ $OutObj | Sort-Object -Property 'Group Name' | Table @TableParams
+ if ($HealthCheck.Domain.Security -and ($OutObj | Where-Object { $_.'Group Name' -eq 'Schema Admins' -and $_.Count -gt 1 })) {
+ Paragraph "Health Check:" -Italic -Bold -Underline
+ Paragraph "Secutiry Best Practice: The Schema Admins group is a privileged group in a forest root domain. Members of the Schema Admins group can make changes to the schema, which is the framework for the Active Directory forest. Changes to the schema are not frequently required. This group only contains the Built-in Administrator account by default. Additional accounts must only be added when changes to the schema are necessary and then must be removed." -Italic -Bold
+ }
 }
 }
 catch {
From 58838faa3f09b971c268a6f87b63a9fc11d94bfa Mon Sep 17 00:00:00 2001
From: Jonathan Colon
Date: Fri, 22 Jul 2022 17:00:57 -0400
Subject: [PATCH 5/7] Update to Changelog
---
CHANGELOG.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 031d9f4..4af33bb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,12 +4,11 @@ ### Changed
 - Access well known groups via SID to include international names and expand them to localized group names.
+- Removed PSSharedGoods/PSWriteColor module dependency
 ### Fixed
 - Fixes [#42](https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD/issues/42)
-
--
 ## [0.7.3] - 2022-05-13
 ### Added
From 54ece322691eb069405f45b86f58f2b21a52e7ff Mon Sep 17 00:00:00 2001
From: Jonathan Colon
Date: Fri, 22 Jul 2022 21:39:04 -0400
Subject: [PATCH 6/7] Update Sample Microsoft AD As Built Report.html
---
.../Sample Microsoft AD As Built Report.html | 2373 ++++++++++-------
1 file changed, 1433 insertions(+), 940 deletions(-)
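Review bot: The user-facing string in the second added `Paragraph` line misspells its heading ("Secutiry"); it should read `Paragraph "Security Best Practice: The Schema Admins group is a privileged group in a forest root domain. ..." -Italic -Bold`. The `$OutObj | Sort-Object -Property 'Group Name' | Table @TableParams` line is removed and re-added with identical visible content, which reads as a whitespace-only change and adds noise to the diff. The enclosing try block and the surrounding `if` scopes begin outside this hunk.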
diff --git a/Samples/Sample Microsoft AD As Built Report.html b/Samples/Sample Microsoft AD As Built Report.html
index 828eaee..3029590 100644
--- a/Samples/Sample Microsoft AD As Built Report.html
+++ b/Samples/Sample Microsoft AD As Built Report.html
@@ -45,302 +45,302 @@











Microsoft Logo
-

Microsoft AD As Built Report


Zen Pr Solutions
































+
Microsoft AD As Built Report

Zen Pr Solutions
































- +
Author:Jonathan Colon
Date:Wednesday, May 11, 2022
Date:Friday, July 22, 2022
Version:1.0

Microsoft AD As Built Report - v1.0

Table of Contents

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
1PHARMAX.LOCAL Active Directory Report
1.1   Forest Information.
1.1.1      Optional Features
1.1.2      Domain Sites
1.1.2.1         Site Subnets
1.1.2.2         Site Links
1.2   Active Directory Domain Information
1.2.1      UIA.LOCAL Domain Configuration
1.2.1.1         Health Check - DFS Health
1.2.1.2         Flexible Single Master Operations (FSMO)
1.2.1.3         Domain and Trusts
1.2.1.4         Domain Object Count
1.2.1.5         User Accounts in Active Directory
1.2.1.6         Status of Users Accounts
1.2.1.7         Privileged Group Count
1.2.1.8         Computer Accounts in Active Directory
1.2.1.9         Status of Computer Accounts
1.2.1.10         Operating Systems Count
1.2.1.11         Default Domain Password Policy
1.2.1.12         Health Check - Account Security Assessment
1.2.1.13         Health Check - Privileged Users Assessment
1.2.1.14         Health Check - Service Accounts Assessment
1.2.1.15         Health Check - KRBTGT Account Audit
1.2.1.16         Health Check - Administrator Account Audit
1.2.1.17         Domain Controller Summary
1.2.1.17.1            Hardware Inventory
1.2.1.17.2            NTDS Information
1.2.1.17.3            Time Source Information
1.2.1.17.4            Health Check - Installed Software on DC
1.2.1.17.5            Roles
1.2.1.17.5.1               DC-UIA-01V
1.2.1.17.6            Health Check - DC Diagnostic
1.2.1.17.6.1               DC-UIA-01V
1.2.1.17.7            Infrastructure Services Status
1.2.1.17.7.1               DC-UIA-01V
1.2.1.17.8            Sites Replication
1.2.1.17.9            Sites Replication Failure
1.2.1.17.10            Group Policy Objects Summary
1.2.1.17.10.1               GPO Central Store Repository
1.2.1.17.11            Organizational Units
1.2.2      PHARMAX.LOCAL Domain Configuration
1.2.2.1         Health Check - Naming Context Last Backup
1.2.2.2         Health Check - DFS Health
1.2.2.3         Flexible Single Master Operations (FSMO)
1.2.2.4         Domain and Trusts
1.2.2.5         Domain Object Count
1.2.2.6         User Accounts in Active Directory
1.2.2.7         Status of Users Accounts
1.2.2.8         Privileged Group Count
1.2.2.9         Computer Accounts in Active Directory
1.2.2.10         Status of Computer Accounts
1.2.2.11         Operating Systems Count
1.2.2.12         Default Domain Password Policy
1.2.2.13         Fined Grained Password Policies
1.2.2.14         Group Managed Service Accounts (GMSA)
1.2.2.15         Health Check - Account Security Assessment
1.2.2.16         Health Check - Privileged Users Assessment
1.2.2.17         Health Check - Service Accounts Assessment
1.2.2.18         Health Check - Unconstrained Kerberos Delegation
1.2.2.19         Health Check - KRBTGT Account Audit
1.2.2.20         Health Check - Administrator Account Audit
1.2.2.21         Health Check - Duplicate Objects
1.2.2.22         Health Check - Duplicate SPN
1.2.2.23         Domain Controller Summary
1.2.2.23.1            Hardware Inventory
1.2.2.23.2            NTDS Information
1.2.2.23.3            Time Source Information
1.2.2.23.4            Health Check - Installed Software on DC
1.2.2.23.4.1               SERVER-DC-01V additional software
1.2.2.23.4.2               CAYEY-DC-01V additional software
1.2.2.23.5            Roles
1.2.2.23.5.1               SERVER-DC-01V
1.2.2.23.5.2               CAYEY-DC-01V
1.2.2.23.6            Health Check - DC Diagnostic
1.2.2.23.6.1               SERVER-DC-01V
1.2.2.23.6.2               CAYEY-DC-01V
1.2.2.23.7            Infrastructure Services Status
1.2.2.23.7.1               SERVER-DC-01V
1.2.2.23.8            Infrastructure Services Status
1.2.2.23.8.1               CAYEY-DC-01V
1.2.2.23.9            Sites Replication
1.2.2.23.10            Sites Replication Failure
1.2.2.23.11            Group Policy Objects Summary
1.2.2.23.11.1               GPO Central Store Repository
1.2.2.23.11.2               GPO with User Logon/Logoff Script
1.2.2.23.11.3               GPO with Computer Startup/Shutdown Script
1.2.2.23.11.4               Health Check - Unlinked GPO
1.2.2.23.11.5               Health Check - Empty GPOs
1.2.2.23.11.6               Health Check - Enforced GPO
1.2.2.23.12            Organizational Units
1.2.2.23.12.1               Health Check - OU with GPO Blocked Inheritance
1.2.3      ACAD.PHARMAX.LOCAL Domain Configuration
1.2.3.1         Health Check - Naming Context Last Backup
1.2.3.2         Health Check - DFS Health
1.2.3.3         Flexible Single Master Operations (FSMO)
1.2.3.4         Domain and Trusts
1.2.3.5         Domain Object Count
1.2.3.6         User Accounts in Active Directory
1.2.3.7         Status of Users Accounts
1.2.3.8         Privileged Group Count
1.2.3.9         Computer Accounts in Active Directory
1.2.3.10         Status of Computer Accounts
1.2.3.11         Operating Systems Count
1.2.3.12         Default Domain Password Policy
1.2.3.13         Fined Grained Password Policies
1.2.3.14         Group Managed Service Accounts (GMSA)
1.2.3.15         Health Check - Account Security Assessment
1.2.3.16         Health Check - Privileged Users Assessment
1.2.3.17         Health Check - Service Accounts Assessment
1.2.3.18         Health Check - KRBTGT Account Audit
1.2.3.19         Health Check - Administrator Account Audit
1.2.3.20         Domain Controller Summary
1.2.3.20.1            Hardware Inventory
1.2.3.20.2            NTDS Information
1.2.3.20.3            Time Source Information
1.2.3.20.4            Health Check - Installed Software on DC
1.2.3.20.5            Roles
1.2.3.20.5.1               ACADE-DC-01V
1.2.3.20.6            Health Check - DC Diagnostic
1.2.3.20.6.1               ACADE-DC-01V
1.2.3.20.7            Infrastructure Services Status
1.2.3.20.7.1               ACADE-DC-01V
1.2.3.20.8            Sites Replication
1.2.3.20.9            Group Policy Objects Summary
1.2.3.20.9.1               GPO Central Store Repository
1.2.3.20.9.2               GPO with User Logon/Logoff Script
1.2.3.20.9.3               Health Check - Unlinked GPO
1.2.3.20.9.4               Health Check - Empty GPOs
1.2.3.20.9.5               Health Check - Enforced GPO
1.2.3.20.10            Organizational Units
1.2.3.20.10.1               Health Check - OU with GPO Blocked Inheritance
1.3   Domain Name System Summary
1.3.1      UIA.LOCAL DNS Configuration
1.3.1.1         Infrastructure Summary
1.3.1.1.1            Domain Controller DNS IP Configuration
1.3.1.1.2            Application Directory Partition
1.3.1.1.2.1               DC-UIA-01V Directory Partition
1.3.1.1.3            Response Rate Limiting (RRL)
1.3.1.1.4            Scavenging Options
1.3.1.1.5            Forwarder Options
1.3.1.1.6            Root Hints
1.3.1.1.6.1               DC-UIA-01V Root Hints
1.3.1.1.7            Zone Scope Recursion
1.3.1.2         DC-UIA-01V DNS Zone Configuration
1.3.1.2.1            Reverse Lookup Zone Configuration
1.3.1.2.2            Zone Scope Aging Properties
1.3.2      PHARMAX.LOCAL DNS Configuration
1.3.2.1         Infrastructure Summary
1.3.2.1.1            Domain Controller DNS IP Configuration
1.3.2.1.2            Application Directory Partition
1.3.2.1.2.1               SERVER-DC-01V Directory Partition
1.3.2.1.2.2               CAYEY-DC-01V Directory Partition
1.3.2.1.3            Response Rate Limiting (RRL)
1.3.2.1.4            Scavenging Options
1.3.2.1.5            Forwarder Options
1.3.2.1.6            Root Hints
1.3.2.1.6.1               SERVER-DC-01V Root Hints
1.3.2.1.6.2               CAYEY-DC-01V Root Hints
1.3.2.1.7            Zone Scope Recursion
1.3.2.2         SERVER-DC-01V DNS Zone Configuration
1.3.2.2.1            Zone Delegation
1.3.2.2.2            Zone Transfers
1.3.2.2.3            Reverse Lookup Zone Configuration
1.3.2.2.4            Conditional Forwarder
1.3.2.2.5            Zone Scope Aging Properties
1.3.2.3         CAYEY-DC-01V DNS Zone Configuration
1.3.2.3.1            Zone Delegation
1.3.2.3.2            Reverse Lookup Zone Configuration
1.3.2.3.3            Conditional Forwarder
1.3.2.3.4            Zone Scope Aging Properties
1.3.3      ACAD.PHARMAX.LOCAL DNS Configuration
1.3.3.1         Infrastructure Summary
1.3.3.1.1            Domain Controller DNS IP Configuration
1.3.3.1.2            Application Directory Partition
1.3.3.1.2.1               ACADE-DC-01V Directory Partition
1.3.3.1.3            Response Rate Limiting (RRL)
1.3.3.1.4            Scavenging Options
1.3.3.1.5            Forwarder Options
1.3.3.1.6            Root Hints
1.3.3.1.6.1               ACADE-DC-01V Root Hints
1.3.3.1.7            Zone Scope Recursion
1.3.3.2         ACADE-DC-01V DNS Zone Configuration
1.3.3.2.1            Zone Transfers
1.3.3.2.2            Reverse Lookup Zone Configuration
1.3.3.2.3            Conditional Forwarder
1.3.3.2.4            Zone Scope Aging Properties
1.4   Dynamic Host Configuration Protocol Summary
1.4.1      UIA.LOCAL Domain DHCP Configuration
1.4.1.1         DHCP Servers In Active Directory
1.4.1.1.1            Service Database
1.4.1.1.2            Dynamic DNS credentials
1.4.1.2         IPv4 Scope Configuration
1.4.1.2.1            IPv4 Service Statistics
1.4.1.2.2            DC-UIA-01V IPv4 Scopes
1.4.1.2.2.1               IPv4 Scope Statistics
1.4.1.2.2.2               IPv4 Network Interface Binding
1.4.1.2.3            Scope Options
1.4.1.2.3.1               172.23.7.0
1.4.1.3         IPv6 Scope Configuration
1.4.1.3.1            IPv6 Service Statistics
1.4.2      PHARMAX.LOCAL Domain DHCP Configuration
1.4.2.1         DHCP Servers In Active Directory
1.4.2.1.1            Service Database
1.4.2.1.2            Dynamic DNS credentials
1.4.2.2         IPv4 Scope Configuration
1.4.2.2.1            IPv4 Service Statistics
1.4.2.2.2            CAYEY-DC-01V IPv4 Scopes
1.4.2.2.2.1               IPv4 Scope Statistics
1.4.2.2.2.2               IPv4 Scope Failover
1.4.2.2.2.3               IPv4 Network Interface Binding
1.4.2.2.3            CAYEY-DC-01V IPv4 Scope Server Options
1.4.2.2.3.1               Scope DNS Setting
1.4.2.2.4            Scope Options
1.4.2.2.4.1               10.10.33.0
1.4.2.2.4.2               10.10.34.0
1.4.2.2.5            SERVER-DC-01V IPv4 Scopes
1.4.2.2.5.1               IPv4 Scope Statistics
1.4.2.2.5.2               IPv4 Scope Failover
1.4.2.2.5.3               IPv4 Network Interface Binding
1.4.2.2.6            SERVER-DC-01V IPv4 Scope Server Options
1.4.2.2.6.1               Scope DNS Setting
1.4.2.2.7            Scope Options
1.4.2.2.7.1               10.10.32.0
1.4.2.2.7.2               10.10.33.0
1.4.2.2.7.3               10.10.34.0
1.4.2.2.7.4               10.10.35.0
1.4.2.2.7.5               192.168.2.0
1.4.2.2.7.6               192.168.4.0
1.4.2.2.7.7               192.168.6.0
1.4.2.2.7.8               192.168.7.0
1.4.2.2.7.9               192.168.12.0
1.4.2.3         IPv6 Scope Configuration
1.4.2.3.1            IPv6 Service Statistics
1.4.3      ACAD.PHARMAX.LOCAL Domain DHCP Configuration
1.4.3.1         DHCP Servers In Active Directory
1.4.3.1.1            Service Database
1.4.3.1.2            Dynamic DNS credentials
1.4.3.2         IPv4 Scope Configuration
1.4.3.2.1            IPv4 Service Statistics
1.4.3.2.2            ACADE-DC-01V IPv4 Scopes
1.4.3.2.2.1               IPv4 Scope Statistics
1.4.3.2.2.2               IPv4 Network Interface Binding
1.4.3.2.3            ACADE-DC-01V IPv4 Scope Server Options
1.4.3.2.3.1               Scope DNS Setting
1.4.3.2.4            Scope Options
1.4.3.2.4.1               172.23.5.0
1.4.3.3         IPv6 Scope Configuration
1.4.3.3.1            IPv6 Service Statistics
1.4.3.3.2            ACADE-DC-01V IPv6 Scopes
1.4.3.3.2.1               IPv6 Scope Statistics
1.4.3.3.3            ACADE-DC-01V IPv6 Scope Server Options
1.4.3.3.3.1               Scope DNS Settings
1.4.3.3.4            Scope Options
1.4.3.3.4.1               fd99:9971::
1.5   Certificate Authority Summary
1.5.1      Enterprise Root Certificate Authority
1.5.2      Enterprise Subordinate Certificate Authority
1.5.3      Certificate Validity Period
1.5.3.1         Access Control List (ACL) Summary
1.5.3.1.1            pharmax-SERVER-DC-01V-CA Rights
1.5.3.1.2            acad-ACADE-DC-01V-CA Rights
1.5.3.1.3            pharmax-CAYEY-DC-01V-CA Rights
1.5.4      Cryptography Configuration
1.5.5      Authority Information Access (AIA) Summary
1.5.5.1         pharmax-SERVER-DC-01V-CA
1.5.5.2         acad-ACADE-DC-01V-CA
1.5.5.3         pharmax-CAYEY-DC-01V-CA
1.5.6      Certificate Revocation List (CRL) Configuration
1.5.6.1         CRL Validity Period
1.5.6.2         CRL Flags Settings
1.5.6.3         CRL Distribution Point
1.5.6.3.1            pharmax-SERVER-DC-01V-CA
1.5.6.3.2            acad-ACADE-DC-01V-CA
1.5.6.3.3            pharmax-CAYEY-DC-01V-CA
1.5.7      AIA and CDP Health Status
1.5.8      Certificate Template Summary
1.5.8.1         pharmax-SERVER-DC-01V-CA Certificate Template
1.5.8.2         Certificate Template In Active Directory
1.5.9      Certificate Template Summary
1.5.9.1         acad-ACADE-DC-01V-CA Certificate Template
1.5.9.2         Certificate Template In Active Directory
1.5.10      Certificate Template Summary
1.5.10.1         pharmax-CAYEY-DC-01V-CA Certificate Template
1.5.10.2         Certificate Template In Active Directory
1.5.11      Key Recovery Agent Certificate
1PHARMAX.LOCAL Active Directory Report
1.1   Forest Information.
1.1.1      Optional Features
1.1.2      Domain Sites
1.1.2.1         Site Subnets
1.1.2.2         Site Links
1.2   Active Directory Domain Information
1.2.1      UIA.LOCAL Domain Configuration
1.2.1.1         Health Check - Naming Context Last Backup
1.2.1.2         Health Check - DFS Health
1.2.1.3         Flexible Single Master Operations (FSMO)
1.2.1.4         Domain and Trusts
1.2.1.5         Domain Object Count
1.2.1.6         User Accounts in Active Directory
1.2.1.7         Status of Users Accounts
1.2.1.8         Privileged Group Count
1.2.1.9         Computer Accounts in Active Directory
1.2.1.10         Status of Computer Accounts
1.2.1.11         Operating Systems Count
1.2.1.12         Default Domain Password Policy
1.2.1.13         Health Check - Account Security Assessment
1.2.1.14         Health Check - Privileged Users Assessment
1.2.1.15         Health Check - Service Accounts Assessment
1.2.1.16         Health Check - KRBTGT Account Audit
1.2.1.17         Health Check - Administrator Account Audit
1.2.1.18         Domain Controller Summary
1.2.1.18.1            Hardware Inventory
1.2.1.18.2            NTDS Information
1.2.1.18.3            Time Source Information
1.2.1.18.4            Health Check - Installed Software on DC
1.2.1.18.5            Roles
1.2.1.18.5.1               DC-UIA-01V
1.2.1.18.6            Health Check - DC Diagnostic
1.2.1.18.6.1               DC-UIA-01V
1.2.1.18.7            Infrastructure Services Status
1.2.1.18.7.1               DC-UIA-01V
1.2.1.18.8            Sites Replication
1.2.1.18.9            Group Policy Objects Summary
1.2.1.18.9.1               GPO Central Store Repository
1.2.1.18.10            Organizational Units
1.2.2      PHARMAX.LOCAL Domain Configuration
1.2.2.1         Health Check - Naming Context Last Backup
1.2.2.2         Health Check - DFS Health
1.2.2.3         Flexible Single Master Operations (FSMO)
1.2.2.4         Domain and Trusts
1.2.2.5         Domain Object Count
1.2.2.6         User Accounts in Active Directory
1.2.2.7         Status of Users Accounts
1.2.2.8         Privileged Group Count
1.2.2.9         Computer Accounts in Active Directory
1.2.2.10         Status of Computer Accounts
1.2.2.11         Operating Systems Count
1.2.2.12         Default Domain Password Policy
1.2.2.13         Fined Grained Password Policies
1.2.2.14         Group Managed Service Accounts (GMSA)
1.2.2.15         Health Check - Account Security Assessment
1.2.2.16         Health Check - Privileged Users Assessment
1.2.2.17         Health Check - Service Accounts Assessment
1.2.2.18         Health Check - Unconstrained Kerberos Delegation
1.2.2.19         Health Check - KRBTGT Account Audit
1.2.2.20         Health Check - Administrator Account Audit
1.2.2.21         Health Check - Duplicate Objects
1.2.2.22         Health Check - Duplicate SPN
1.2.2.23         Domain Controller Summary
1.2.2.23.1            Hardware Inventory
1.2.2.23.2            NTDS Information
1.2.2.23.3            Time Source Information
1.2.2.23.4            Health Check - Installed Software on DC
1.2.2.23.4.1               SERVER-DC-01V additional software
1.2.2.23.4.2               CAYEY-DC-01V additional software
1.2.2.23.5            Roles
1.2.2.23.5.1               SERVER-DC-01V
1.2.2.23.5.2               CAYEY-DC-01V
1.2.2.23.6            Health Check - DC Diagnostic
1.2.2.23.6.1               SERVER-DC-01V
1.2.2.23.6.2               CAYEY-DC-01V
1.2.2.23.7            Infrastructure Services Status
1.2.2.23.7.1               SERVER-DC-01V
1.2.2.23.8            Infrastructure Services Status
1.2.2.23.8.1               CAYEY-DC-01V
1.2.2.23.9            Sites Replication
1.2.2.23.10            Sites Replication Failure
1.2.2.23.11            Group Policy Objects Summary
1.2.2.23.11.1               GPO Central Store Repository
1.2.2.23.11.2               GPO with User Logon/Logoff Script
1.2.2.23.11.3               GPO with Computer Startup/Shutdown Script
1.2.2.23.11.4               Health Check - Unlinked GPO
1.2.2.23.11.5               Health Check - Empty GPOs
1.2.2.23.11.6               Health Check - Enforced GPO
1.2.2.23.12            Organizational Units
1.2.2.23.12.1               Health Check - OU with GPO Blocked Inheritance
1.2.3      ACAD.PHARMAX.LOCAL Domain Configuration
1.2.3.1         Health Check - Naming Context Last Backup
1.2.3.2         Health Check - DFS Health
1.2.3.3         Flexible Single Master Operations (FSMO)
1.2.3.4         Domain and Trusts
1.2.3.5         Domain Object Count
1.2.3.6         User Accounts in Active Directory
1.2.3.7         Status of Users Accounts
1.2.3.8         Privileged Group Count
1.2.3.9         Computer Accounts in Active Directory
1.2.3.10         Status of Computer Accounts
1.2.3.11         Operating Systems Count
1.2.3.12         Default Domain Password Policy
1.2.3.13         Fined Grained Password Policies
1.2.3.14         Group Managed Service Accounts (GMSA)
1.2.3.15         Health Check - Account Security Assessment
1.2.3.16         Health Check - Privileged Users Assessment
1.2.3.17         Health Check - Service Accounts Assessment
1.2.3.18         Health Check - KRBTGT Account Audit
1.2.3.19         Health Check - Administrator Account Audit
1.2.3.20         Domain Controller Summary
1.2.3.20.1            Hardware Inventory
1.2.3.20.2            NTDS Information
1.2.3.20.3            Time Source Information
1.2.3.20.4            Health Check - Installed Software on DC
1.2.3.20.5            Roles
1.2.3.20.5.1               ACADE-DC-01V
1.2.3.20.6            Health Check - DC Diagnostic
1.2.3.20.6.1               ACADE-DC-01V
1.2.3.20.7            Infrastructure Services Status
1.2.3.20.7.1               ACADE-DC-01V
1.2.3.20.8            Sites Replication
1.2.3.20.9            Group Policy Objects Summary
1.2.3.20.9.1               GPO Central Store Repository
1.2.3.20.9.2               GPO with User Logon/Logoff Script
1.2.3.20.9.3               Health Check - Unlinked GPO
1.2.3.20.9.4               Health Check - Empty GPOs
1.2.3.20.9.5               Health Check - Enforced GPO
1.2.3.20.10            Organizational Units
1.2.3.20.10.1               Health Check - OU with GPO Blocked Inheritance
1.3   Domain Name System Summary
1.3.1      UIA.LOCAL DNS Configuration
1.3.1.1         Infrastructure Summary
1.3.1.1.1            Domain Controller DNS IP Configuration
1.3.1.1.2            Application Directory Partition
1.3.1.1.2.1               DC-UIA-01V Directory Partition
1.3.1.1.3            Response Rate Limiting (RRL)
1.3.1.1.4            Scavenging Options
1.3.1.1.5            Forwarder Options
1.3.1.1.6            Root Hints
1.3.1.1.6.1               DC-UIA-01V Root Hints
1.3.1.1.7            Zone Scope Recursion
1.3.1.2         DC-UIA-01V DNS Zone Configuration
1.3.1.2.1            Reverse Lookup Zone Configuration
1.3.1.2.2            Zone Scope Aging Properties
1.3.2      PHARMAX.LOCAL DNS Configuration
1.3.2.1         Infrastructure Summary
1.3.2.1.1            Domain Controller DNS IP Configuration
1.3.2.1.2            Application Directory Partition
1.3.2.1.2.1               SERVER-DC-01V Directory Partition
1.3.2.1.2.2               CAYEY-DC-01V Directory Partition
1.3.2.1.3            Response Rate Limiting (RRL)
1.3.2.1.4            Scavenging Options
1.3.2.1.5            Forwarder Options
1.3.2.1.6            Root Hints
1.3.2.1.6.1               SERVER-DC-01V Root Hints
1.3.2.1.6.2               CAYEY-DC-01V Root Hints
1.3.2.1.7            Zone Scope Recursion
1.3.2.2         SERVER-DC-01V DNS Zone Configuration
1.3.2.2.1            Zone Delegation
1.3.2.2.2            Zone Transfers
1.3.2.2.3            Reverse Lookup Zone Configuration
1.3.2.2.4            Conditional Forwarder
1.3.2.2.5            Zone Scope Aging Properties
1.3.2.3         CAYEY-DC-01V DNS Zone Configuration
1.3.2.3.1            Zone Delegation
1.3.2.3.2            Reverse Lookup Zone Configuration
1.3.2.3.3            Conditional Forwarder
1.3.2.3.4            Zone Scope Aging Properties
1.3.3      ACAD.PHARMAX.LOCAL DNS Configuration
1.3.3.1         Infrastructure Summary
1.3.3.1.1            Domain Controller DNS IP Configuration
1.3.3.1.2            Application Directory Partition
1.3.3.1.2.1               ACADE-DC-01V Directory Partition
1.3.3.1.3            Response Rate Limiting (RRL)
1.3.3.1.4            Scavenging Options
1.3.3.1.5            Forwarder Options
1.3.3.1.6            Root Hints
1.3.3.1.6.1               ACADE-DC-01V Root Hints
1.3.3.1.7            Zone Scope Recursion
1.3.3.2         ACADE-DC-01V DNS Zone Configuration
1.3.3.2.1            Zone Transfers
1.3.3.2.2            Reverse Lookup Zone Configuration
1.3.3.2.3            Conditional Forwarder
1.3.3.2.4            Zone Scope Aging Properties
1.4   Dynamic Host Configuration Protocol Summary
1.4.1      UIA.LOCAL Domain DHCP Configuration
1.4.1.1         DHCP Servers In Active Directory
1.4.1.1.1            Service Database
1.4.1.1.2            Dynamic DNS credentials
1.4.1.2         IPv4 Scope Configuration
1.4.1.2.1            IPv4 Service Statistics
1.4.1.2.2            DC-UIA-01V IPv4 Scopes
1.4.1.2.2.1               IPv4 Scope Statistics
1.4.1.2.2.2               IPv4 Network Interface Binding
1.4.1.2.3            Scope Options
1.4.1.2.3.1               172.23.7.0
1.4.1.3         IPv6 Scope Configuration
1.4.1.3.1            IPv6 Service Statistics
1.4.2      PHARMAX.LOCAL Domain DHCP Configuration
1.4.2.1         DHCP Servers In Active Directory
1.4.2.1.1            Service Database
1.4.2.1.2            Dynamic DNS credentials
1.4.2.2         IPv4 Scope Configuration
1.4.2.2.1            IPv4 Service Statistics
1.4.2.2.2            CAYEY-DC-01V IPv4 Scopes
1.4.2.2.2.1               IPv4 Scope Statistics
1.4.2.2.2.2               IPv4 Scope Failover
1.4.2.2.2.3               IPv4 Network Interface Binding
1.4.2.2.3            CAYEY-DC-01V IPv4 Scope Server Options
1.4.2.2.3.1               Scope DNS Setting
1.4.2.2.4            Scope Options
1.4.2.2.4.1               10.10.33.0
1.4.2.2.4.2               10.10.34.0
1.4.2.2.5            SERVER-DC-01V IPv4 Scopes
1.4.2.2.5.1               IPv4 Scope Statistics
1.4.2.2.5.2               IPv4 Scope Failover
1.4.2.2.5.3               IPv4 Network Interface Binding
1.4.2.2.6            SERVER-DC-01V IPv4 Scope Server Options
1.4.2.2.6.1               Scope DNS Setting
1.4.2.2.7            Scope Options
1.4.2.2.7.1               10.10.32.0
1.4.2.2.7.2               10.10.33.0
1.4.2.2.7.3               10.10.34.0
1.4.2.2.7.4               10.10.35.0
1.4.2.2.7.5               192.168.2.0
1.4.2.2.7.6               192.168.4.0
1.4.2.2.7.7               192.168.6.0
1.4.2.2.7.8               192.168.7.0
1.4.2.2.7.9               192.168.12.0
1.4.2.3         IPv6 Scope Configuration
1.4.2.3.1            IPv6 Service Statistics
1.4.3      ACAD.PHARMAX.LOCAL Domain DHCP Configuration
1.4.3.1         DHCP Servers In Active Directory
1.4.3.1.1            Service Database
1.4.3.1.2            Dynamic DNS credentials
1.4.3.2         IPv4 Scope Configuration
1.4.3.2.1            IPv4 Service Statistics
1.4.3.2.2            ACADE-DC-01V IPv4 Scopes
1.4.3.2.2.1               IPv4 Scope Statistics
1.4.3.2.2.2               IPv4 Network Interface Binding
1.4.3.2.3            ACADE-DC-01V IPv4 Scope Server Options
1.4.3.2.3.1               Scope DNS Setting
1.4.3.2.4            Scope Options
1.4.3.2.4.1               172.23.5.0
1.4.3.3         IPv6 Scope Configuration
1.4.3.3.1            IPv6 Service Statistics
1.4.3.3.2            ACADE-DC-01V IPv6 Scopes
1.4.3.3.2.1               IPv6 Scope Statistics
1.4.3.3.3            ACADE-DC-01V IPv6 Scope Server Options
1.4.3.3.3.1               Scope DNS Settings
1.4.3.3.4            Scope Options
1.4.3.3.4.1               fd99:9971::
1.5   Certificate Authority Summary
1.5.1      Enterprise Root Certificate Authority
1.5.2      Enterprise Subordinate Certificate Authority
1.5.3      Certificate Validity Period
1.5.3.1         Access Control List (ACL) Summary
1.5.3.1.1            pharmax-SERVER-DC-01V-CA Rights
1.5.3.1.2            acad-ACADE-DC-01V-CA Rights
1.5.3.1.3            pharmax-CAYEY-DC-01V-CA Rights
1.5.4      Cryptography Configuration
1.5.5      Authority Information Access (AIA) Summary
1.5.5.1         pharmax-SERVER-DC-01V-CA
1.5.5.2         acad-ACADE-DC-01V-CA
1.5.5.3         pharmax-CAYEY-DC-01V-CA
1.5.6      Certificate Revocation List (CRL) Configuration
1.5.6.1         CRL Validity Period
1.5.6.2         CRL Flags Settings
1.5.6.3         CRL Distribution Point
1.5.6.3.1            pharmax-SERVER-DC-01V-CA
1.5.6.3.2            acad-ACADE-DC-01V-CA
1.5.6.3.3            pharmax-CAYEY-DC-01V-CA
1.5.7      AIA and CDP Health Status
1.5.8      Certificate Template Summary
1.5.8.1         pharmax-SERVER-DC-01V-CA Certificate Template
1.5.8.2         Certificate Template In Active Directory
1.5.9      Certificate Template Summary
1.5.9.1         acad-ACADE-DC-01V-CA Certificate Template
1.5.9.2         Certificate Template In Active Directory
1.5.10      Certificate Template Summary
1.5.10.1         pharmax-CAYEY-DC-01V-CA Certificate Template
1.5.10.2         Certificate Template In Active Directory
1.5.11      Key Recovery Agent Certificate

-
Microsoft AD As Built Report - v1.0

1 PHARMAX.LOCAL Active Directory Report

The following section provides a summary of the Active Directory Infrastructure configuration for PHARMAX.LOCAL.

1.1 Forest Information.

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

+
Microsoft AD As Built Report - v1.0

1 PHARMAX.LOCAL Active Directory Report

The following section provides a summary of the Active Directory Infrastructure configuration for PHARMAX.LOCAL.

1.1 Forest Information.

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

@@ -357,13 +357,13 @@
Forest Namepharmax.local
Forest Functional LevelWindows2016Forest
UPN Suffixes-
Table 1 - Forest Summary - PHARMAX.LOCAL

-

1.1.1 Optional Features

+

1.1.1 Optional Features

NameRequired Forest ModeEnabled
Privileged Access Management FeatureWindows2016ForestNo
Recycle Bin FeatureWindows2008R2ForestYes
Table 2 - Optional Features - PHARMAX.LOCAL

-

1.1.2 Domain Sites

+

1.1.2 Domain Sites

@@ -372,7 +372,7 @@
Site NameDescriptionSubnetsCreation Date
ACAD-172.23.4.0/249/5/2021
Cayey-BranchSite of Cayey, PR Branch10.10.0.0/169/3/2021
UIA-172.23.7.0/245/11/2022
Table 3 - Sites - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure Sites have an associated subnet. If subnets are not associated with AD Sites users in the AD Sites might choose a remote domain controller for authentication which in turn might result in excessive use of a remote domain controller.
Best Practices: Ensure Sites have a defined description.

1.1.2.1 Site Subnets

+
Health Check:
Corrective Actions: Ensure Sites have an associated subnet. If subnets are not associated with AD Sites users in the AD Sites might choose a remote domain controller for authentication which in turn might result in excessive use of a remote domain controller.
Best Practices: Ensure Sites have a defined description.

1.1.2.1 Site Subnets

@@ -381,13 +381,13 @@
SubnetDescriptionSitesCreation Date
10.10.0.0/16Cayey-NetworksCayey-Branch9/12/2020
10.9.1.0/24-Pharmax-HQ9/14/2021
192.168.0.0/16-Pharmax-HQ9/12/2020
Table 4 - Site Subnets - PHARMAX.LOCAL

-
Health Check:
Best Practices: Ensure that subnets has a defined description.

1.1.2.2 Site Links

+
Health Check:
Best Practices: Ensure that subnets has a defined description.

1.1.2.2 Site Links

Site Link NameCostReplication FrequencyTransport ProtocolSites
PHARMAX-to-ACAD10015 minIPACAD
Pharmax-HQ
Pharmax-to-All10015 minIPUIA
Dead-Site
ACAD
Cayey-Branch
Pharmax-HQ
Table 5 - Site Links - PHARMAX.LOCAL

-

1.2 Active Directory Domain Information

An Active Directory domain is a collection of objects within a Microsoft Active Directory network. An object can be a single user or a group or it can be a hardware component, such as a computer or printer.Each domain holds a database containing object identity information. Active Directory domains can be identified using a DNS name, which can be the same as an organization's public domain name, a sub-domain or an alternate version (which may end in .local).

1.2.1 UIA.LOCAL Domain Configuration

The following section provides a summary of the Active Directory Domain Information.

+

1.2 Active Directory Domain Information

An Active Directory domain is a collection of objects within a Microsoft Active Directory network. An object can be a single user or a group or it can be a hardware component, such as a computer or printer.Each domain holds a database containing object identity information. Active Directory domains can be identified using a DNS name, which can be the same as an organization's public domain name, a sub-domain or an alternate version (which may end in .local).

1.2.1 UIA.LOCAL Domain Configuration

The following section provides a summary of the Active Directory Domain Information.

@@ -405,16 +405,25 @@ - - + +
Domain Nameuia
NetBIOS NameUIA
Users Containeruia.local/Users
ReadOnly Replica Directory Servers-
ms-DS-MachineAccountQuota10
RID Issued1600
RID Available1073740223
RID Issued4600
RID Available1073737223
Table 6 - Domain Summary - UIA.LOCAL

-

1.2.1.1 Health Check - DFS Health

The following section details Distributed File System health status for Domain UIA.LOCAL.

+

1.2.1.1 Health Check - Naming Context Last Backup

The following section details naming context last backup time for Domain UIA.LOCAL.

+ + + + + + +
Naming ContextLast BackupLast Backup in Days
CN=Configuration,DC=pharmax,DC=local2022:05:1370
CN=Schema,CN=Configuration,DC=pharmax,DC=local2022:05:1370
DC=DomainDnsZones,DC=uia,DC=local2022:05:1370
DC=ForestDnsZones,DC=pharmax,DC=local2022:05:1370
DC=uia,DC=local2022:05:1370
+
Table 7 - Naming Context Last Backup - UIA.LOCAL

+
Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.

1.2.1.2 Health Check - DFS Health

The following section details Distributed File System health status for Domain UIA.LOCAL.

DC NameReplication StateGPO CountSysvol CountIdentical CountStop Replication On AutoRecovery
DC-UIA-01VNormal22YesNo
-
Table 7 - Domain Last Backup - UIA.LOCAL

-
Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.

1.2.1.2 Flexible Single Master Operations (FSMO)

The following section provides a summary of the Active Directory FSMO for Domain UIA.LOCAL.

+
Table 8 - Domain Last Backup - UIA.LOCAL

+
Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.

1.2.1.3 Flexible Single Master Operations (FSMO)

The following section provides a summary of the Active Directory FSMO for Domain UIA.LOCAL.

@@ -422,8 +431,8 @@
Infrastructure Master ServerDC-UIA-01V.uia.local
RID Master ServerDC-UIA-01V.uia.local
Domain Naming Master ServerServer-DC-01V.pharmax.local
Schema Master ServerServer-DC-01V.pharmax.local
-
Table 8 - FSMO Server - uia.local

-

1.2.1.3 Domain and Trusts

The following section provides a summary of Active Directory Trust information on UIA.LOCAL.

+
Table 9 - FSMO Server - uia.local

+

1.2.1.4 Domain and Trusts

The following section provides a summary of Active Directory Trust information on UIA.LOCAL.

@@ -437,71 +446,73 @@
Namepharmax.local
Pathuia.local/System/pharmax.local
Trust TypeUplevel
Uplevel OnlyNo
-
Table 9 - Trusts - UIA.LOCAL

-

1.2.1.4 Domain Object Count

The following section provides a summary of the Active Directory Object Count on UIA.LOCAL.

+
Table 10 - Trusts - UIA.LOCAL

+

1.2.1.5 Domain Object Count

The following section provides a summary of the Active Directory Object Count on UIA.LOCAL.

- + - - - + + +
Computers1
Computers100
Servers1
Domain Controller1
Global Catalog1
Users4
Privileged Users2
Groups45
Users2494
Privileged Users25
Groups543
-
Table 10 - Object Count - UIA.LOCAL

-

1.2.1.5 User Accounts in Active Directory

The following table provide a summary of the User Accounts from UIA.LOCAL.

+
Table 11 - Object Count - UIA.LOCAL

+

1.2.1.6 User Accounts in Active Directory

The following table provide a summary of the User Accounts from UIA.LOCAL.

- - + +
StatusCountPercentage
Enabled250%
Disabled250%
Enabled2492100%
Disabled20%
-
Table 11 - User Accounts in Active Directory - UIA.LOCAL

-

1.2.1.6 Status of Users Accounts

The following table provide a summary of the User Accounts from UIA.LOCAL.

+
Table 12 - User Accounts in Active Directory - UIA.LOCAL

+

1.2.1.7 Status of Users Accounts

The following table provide a summary of the User Accounts from UIA.LOCAL.

- - - - - - - - - - - + + + + + + + + + + +
CategoryEnabled CountEnabled %Disabled CountDisabled %Total CountTotal %
Cannot Change Password1332512514350
Password Never Expires125125250
Must Change Password at Logon125125125
Password Age (> 42 days)12512500
SmartcardLogonRequired12512500
SidHistory12512500
Never Logged in125250375
Dormant (> 90 days)125250375
Password Not Required125125250
Account Expired12512500
Account Lockout12512500
Cannot Change Password13110141
Password Never Expires101020
Must Change Password at Logon101020
Password Age (> 42 days)2490100102491100
SmartcardLogonRequired101000
SidHistory101000
Never Logged in2491100202493100
Dormant (> 90 days)2491100202493100
Password Not Required101020
Account Expired101000
Account Lockout101000
-
Table 12 - Status of User Accounts - UIA.LOCAL

-

1.2.1.7 Privileged Group Count

The following table provide a summary of the Privileged Group count from UIA.LOCAL.

+
Table 13 - Status of User Accounts - UIA.LOCAL

+

1.2.1.8 Privileged Group Count

The following table provide a summary of the Privileged Group count from UIA.LOCAL.

- - - - - - - - - -
Group NameCount
Account Operators0
Backup Operators0
Cert Publishers0
DnsAdmins0
Domain Admins1
Key Admins0
Print Operators0
Remote Desktop Users0
Server Operators0
-
Table 13 - Privileged Group Count - UIA.LOCAL

-

1.2.1.8 Computer Accounts in Active Directory

The following table provide a summary of the Computer Accounts from UIA.LOCAL.

+ + + + + + + + + + +
Account Operators1
Administrators10
Backup Operators2
Cert Publishers1
DnsAdmins3
Domain Admins6
Key Admins5
Print Operators3
Remote Desktop Users2
Server Operators2
+
Table 14 - Privileged Group Count - UIA.LOCAL

+

1.2.1.9 Computer Accounts in Active Directory

The following table provide a summary of the Computer Accounts from UIA.LOCAL.

- - + +
StatusCountPercentage
Enabled10
Disabled10
Enabled100100%
Disabled00%
-
Table 14 - Computer Accounts in Active Directory - UIA.LOCAL

-

1.2.1.9 Status of Computer Accounts

The following table provide a summary of the Computer Accounts from UIA.LOCAL.

+
Table 15 - Computer Accounts in Active Directory - UIA.LOCAL

+

1.2.1.10 Status of Computer Accounts

The following table provide a summary of the Computer Accounts from UIA.LOCAL.

- - - + + +
CategoryEnabled CountEnabled %Disabled CountDisabled %Total CountTotal %
Dormant (> 90 days)101000
Password Age (> 30 days)101000
SidHistory101000
Dormant (> 90 days)9999009999
Password Age (> 30 days)9999009999
SidHistory111100
-
Table 15 - Status of Computer Accounts - UIA.LOCAL

-

1.2.1.10 Operating Systems Count

The following table provide a summary of the Operating System count from UIA.LOCAL.

+
Table 16 - Status of Computer Accounts - UIA.LOCAL

+

1.2.1.11 Operating Systems Count

The following table provide a summary of the Operating System count from UIA.LOCAL.

+
Operating SystemCount
 99
Windows Server 2022 Datacenter Evaluation1
-
Table 16 - Operating System Count - UIA.LOCAL

-

1.2.1.11 Default Domain Password Policy

The following section provides a summary of the Default Domain Password Policy on UIA.LOCAL.

+
Table 17 - Operating System Count - UIA.LOCAL

+

1.2.1.12 Default Domain Password Policy

The following section provides a summary of the Default Domain Password Policy on UIA.LOCAL.

@@ -514,11 +525,11 @@
Password Must Meet Complexity RequirementsYes
Pathuia.local/
Enforce Password History24
Store Password using Reversible EncryptionNo
-
Table 17 - Default Domain Password Policy - UIA.LOCAL

-

1.2.1.12 Health Check - Account Security Assessment

The following section provide a summary of the Account Security Assessment on Domain UIA.LOCAL.

+
Table 18 - Default Domain Password Policy - UIA.LOCAL

+

1.2.1.13 Health Check - Account Security Assessment

The following section provide a summary of the Account Security Assessment on Domain UIA.LOCAL.

- - + + @@ -528,40 +539,112 @@
Total Users4
Enabled Users2
Total Users2494
Enabled Users2492
Disabled Users2
Enabled Inactive Users1
Users With Reversible Encryption Password0
User Does Not Require Pre Auth0
Users With SID History0
-
Table 18 - Account Security Assessment - UIA.LOCAL

-
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.1.13 Health Check - Privileged Users Assessment

The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain UIA.LOCAL

+
Table 19 - Account Security Assessment - UIA.LOCAL

+
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.1.14 Health Check - Privileged Users Assessment

The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain UIA.LOCAL

- -
UsernameCreatedPassword Last SetLast Logon Date
krbtgt5/11/20225/11/2022-
Administrator5/11/20221/26/20225/11/2022
-
Table 19 - Privileged User Assessment - UIA.LOCAL

-
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.1.14 Health Check - Service Accounts Assessment

The following section details probable AD Service Accounts (user accounts with SPNs) on Domain UIA.LOCAL

+ + + + + + + + + + + + + + + + + + + + + + + + +
krbtgt5/11/20225/11/2022-
ERNEST_WALLACE5/14/20225/14/2022-
SYBIL_BIRD5/14/20225/14/2022-
SASHA_PRESTON5/14/20225/14/2022-
MONA_SYKES5/14/20225/14/2022-
KENDRICK_RAYMOND5/14/20225/14/2022-
ADA_MARSHALL5/14/20225/14/2022-
ELISABETH_GOMEZ5/14/20225/14/2022-
AVA_MERRILL5/14/20225/14/2022-
HUGO_MERRITT5/14/20225/14/2022-
AMELIA_VALENCIA5/14/20225/14/2022-
CAROLE_COLEMAN5/14/20225/14/2022-
SARAH_GREER5/14/20225/14/2022-
ANGEL_MCDANIEL5/14/20225/14/2022-
THOMAS_CASH5/14/20225/14/2022-
ALISSA_SHAW5/14/20225/14/2022-
JESSE_WHEELER5/14/20225/14/2022-
DARRIN_KLEIN5/14/20225/14/2022-
JOSIE_WHEELER5/14/20225/14/2022-
LEONARDO_TALLEY5/14/20225/14/2022-
RAYMOND_HENDERSON5/14/20225/14/2022-
LINA_BEASLEY5/14/20225/14/2022-
RACHELLE_ADAMS5/14/20225/14/2022-
LENA_HENDRICKS5/14/20225/14/2022-
+
Table 20 - Privileged User Assessment - UIA.LOCAL

+
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.1.15 Health Check - Service Accounts Assessment

The following section details probable AD Service Accounts (user accounts with SPNs) on Domain UIA.LOCAL

+ + + + + + + + + + + + + + + + + + + + + + + + -
UsernameEnabledPassword Last SetLast Logon DateService Principal Name
DEAN_WILEYYes5/14/2022-CIFS/ESMWWEBS1000001
MICHELE_WILCOXYes5/14/2022-CIFS/ESMWWKS1000000
ELISABETH_GOMEZYes5/14/2022-CIFS/FSRWWKS1000001
VILMA_KEYYes5/14/2022-CIFS/HREWDBAS1000000
WILLA_CLARKEYes5/14/2022-CIFS/ITSWVIR1000000
JESSE_WHEELERYes5/14/2022-CIFS/SECWWEBS1000000
CHRISTINE_HARMONYes5/14/2022-CIFS/TSTWCTRX1000000
KERMIT_KINNEYYes5/14/2022-ftp/AWSWLPT1000000
IRMA_RODGERSYes5/14/2022-ftp/AZRWCTRX1000000
NUMBERS_CHENYes5/14/2022-ftp/AZRWSECS1000000
CLAYTON_HEWITTYes5/14/2022-ftp/BDEWVIR1000000
AMOS_DAUGHERTYYes5/14/2022-ftp/ESMWLPT1000001
JAIME_DAWSONYes5/14/2022-ftp/ESMWVIR1000000
TIM_HUMPHREYYes5/14/2022-ftp/FINWWKS1000001
GLENDA_PATEYes5/14/2022-ftp/ITSWVIR1000000
ROYCE_BERNARDYes5/14/2022-ftp/TSTWWKS1000002
BARBARA_SKINNERYes5/14/2022-https/AWSWAPPS1000000
KATE_CARRYes5/14/2022-https/AWSWVIR1000000
CHUCK_MANNINGYes5/14/2022-https/BDEWSECS1000001
DEBBIE_FORDYes5/14/2022-https/DC-UIA-01V
ISSAC_BUCKYes5/14/2022-https/FINWLPT1000002
JOHN_YOUNGYes5/14/2022-https/GOOWWEBS1000000
RITA_SPARKSYes5/14/2022-https/HREWWEBS1000000
COLEMAN_KENNEDYYes5/14/2022-https/TSTWLPT1000001
krbtgtNo5/11/2022-kadmin/changepw
-
Table 20 - Service Accounts Assessment - UIA.LOCAL

-
Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.

1.2.1.15 Health Check - KRBTGT Account Audit

The following section provide a summary of KRBTGT account on Domain UIA.LOCAL.

+ + + + + + + + + + + + + + + + + + + + + + + + + +
NEWTON_PENNINGTONYes5/14/2022-kafka/AWSWWKS1000000
NANETTE_GARRETTYes5/14/2022-kafka/AZRWWEBS1000000
TAMI_MULLINSYes5/14/2022-kafka/ESMWWKS1000001
NIGEL_FARMERYes5/14/2022-kafka/ESMWWKS1000002
CURT_POOLEYes5/14/2022-kafka/FINWAPPS1000001
LUCIANO_KINNEYYes5/14/2022-kafka/FINWCTRX1000000
HARRIS_DAVENPORTYes5/14/2022-kafka/FSRWWKS1000001
6182398383SAYes5/14/2022-kafka/SECWSECS1000000
JACQUELINE_MANNYes5/14/2022-kafka/SECWWKS1000000
FRANKLIN_SMITHYes5/14/2022-kafka/TSTWCTRX1000000
KITTY_CLARKEYes5/14/2022-MSSQL/BDEWLPT1000001
POP3/AZRWAPPS1000000
LEONARDO_VAUGHANYes5/14/2022-MSSQL/ESMWWEBS1000002
CELIA_MUNOZYes5/14/2022-MSSQL/FSRWDBAS1000000
KAREEM_HAHNYes5/14/2022-MSSQL/HREWVIR1000000
MATILDA_RAMSEYYes5/14/2022-MSSQL/HREWVIR1000001
GILDA_COOPERYes5/14/2022-MSSQL/OGCWAPPS1000000
NATALIA_HOUSTONYes5/14/2022-MSSQL/TSTWLPT1000000
ELIZA_WALTERSYes5/14/2022-POP3/AWSWAPPS1000000
AMALIA_MCLAUGHLINYes5/14/2022-POP3/AWSWLPT1000000
GERRY_HUFFYes5/14/2022-POP3/AWSWVIR1000000
MIRANDA_KIRKLANDYes5/14/2022-POP3/BDEWWKS1000000
CORNELIA_WASHINGTONYes5/14/2022-POP3/ESMWWEBS1000001
ADOLFO_MCNEILYes5/14/2022-POP3/FINWCTRX1000000
WINSTON_BAILEYYes5/14/2022-POP3/FINWLPT1000003
LAMONT_JUAREZYes5/14/2022-POP3/HREWWKS1000000
+
Table 21 - Service Accounts Assessment - UIA.LOCAL

+
Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.

1.2.1.16 Health Check - KRBTGT Account Audit

The following section provide a summary of KRBTGT account on Domain UIA.LOCAL.

Namekrbtgt
Created05/11/2022 13:56:07
Password Last Set05/11/2022 13:56:07
Distinguished NameCN=krbtgt,CN=Users,DC=uia,DC=local
-
Table 21 - KRBTGT Account Audit - UIA.LOCAL

-
Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.

1.2.1.16 Health Check - Administrator Account Audit

The following section provide a summary of Administrator account on Domain UIA.LOCAL.

+
Table 22 - KRBTGT Account Audit - UIA.LOCAL

+
Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.

1.2.1.17 Health Check - Administrator Account Audit

The following section provide a summary of Administrator account on Domain UIA.LOCAL.

NameAdministrator
Created05/11/2022 13:54:55
Password Last Set01/26/2022 20:44:53
Distinguished NameCN=Administrator,CN=Users,DC=uia,DC=local
-
Table 22 - Administrator Account Audit - UIA.LOCAL

-
Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.

1.2.1.17 Domain Controller Summary

A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.

+
Table 23 - Administrator Account Audit - UIA.LOCAL

+
Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.

1.2.1.18 Domain Controller Summary

A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.

DC NameDomain NameSiteGlobal CatalogRead OnlyIP Address
DC-UIA-01Vuia.localUIAYesNo172.23.7.1
-
Table 23 - Domain Controller Summary - UIA.LOCAL

-
1.2.1.17.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for UIA.LOCAL.

+
Table 24 - Domain Controller Summary - UIA.LOCAL

+
1.2.1.18.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for UIA.LOCAL.

@@ -585,26 +668,26 @@
NameDC-UIA-01V
Windows Product NameWindows Server 2022 Datacenter Evaluation
Number of Logical Cores2
Physical Memory (GB)4.00 GB
-
Table 24 - Domain Controller Hardware - DC-UIA-01V

-
1.2.1.17.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on UIA.LOCAL.

+
Table 25 - Domain Controller Hardware - DC-UIA-01V

+
1.2.1.18.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on UIA.LOCAL.

- +
DC NameDatabase FileDatabase SizeLog PathSysVol Path
DC-UIA-01VC:\Windows\NTDS\ntds.dit52.00 MBC:\Windows\NTDSC:\Windows\SYSVOL\sysvol
DC-UIA-01VC:\Windows\NTDS\ntds.dit80.00 MBC:\Windows\NTDSC:\Windows\SYSVOL\sysvol
-
Table 25 - NTDS Database File Usage - UIA.LOCAL

-
1.2.1.17.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on UIA.LOCAL.

+
Table 26 - NTDS Database File Usage - UIA.LOCAL

+
1.2.1.18.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on UIA.LOCAL.

NameTime ServerType
DC-UIA-01VDomain HierarchyDOMHIER
-
Table 26 - Time Source Configuration - UIA.LOCAL

-
1.2.1.17.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on UIA.LOCAL.

1.2.1.17.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.1.17.5.1 DC-UIA-01V
+
Table 27 - Time Source Configuration - UIA.LOCAL

+
1.2.1.18.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on UIA.LOCAL.

1.2.1.18.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.1.18.5.1 DC-UIA-01V
NameParentInstallState
Active Directory Domain ServicesRoleActive Directory Domain Services (AD DS) stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process.
DHCP ServerRoleDynamic Host Configuration Protocol (DHCP) Server enables you to centrally configure, manage, and provide temporary IP addresses and related information for client computers.
DNS ServerRoleDomain Name System (DNS) Server provides name resolution for TCP/IP networks. DNS Server is easier to manage when it is installed on the same server as Active Directory Domain Services. If you select the Active Directory Domain Services role, you can install and configure DNS Server and Active Directory Domain Services to work together.
File and Storage ServicesRoleFile and Storage Services includes services that are always installed, as well as functionality that you can install to help manage file servers and storage.
-
Table 27 - Roles - DC-UIA-01V

-
Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.1.17.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.

1.2.1.17.6.1 DC-UIA-01V
+
Table 28 - Roles - DC-UIA-01V

+
Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.1.18.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.

1.2.1.18.6.1 DC-UIA-01V
@@ -633,8 +716,8 @@
Test NameResult
Advertisingfailed
CheckSDRefDompassed
SysVolCheckfailed
VerifyReferencespassed
-
Table 28 - Domain Controller DCDiag - DC-UIA-01V

-
1.2.1.17.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.1.17.7.1 DC-UIA-01V
+
Table 29 - Domain Controller DCDiag - DC-UIA-01V

+
1.2.1.18.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.1.18.7.1 DC-UIA-01V
@@ -647,8 +730,8 @@
Display NameShort NameStatus
   
Active Directory Domain ServicesNTDSRunning
NetLogonNetlogonRunning
Windows TimeW32TimeRunning
-
Table 29 - Domain Controller Infrastructure Services Status Information.

-
1.2.1.17.8 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.

+
Table 30 - Domain Controller Infrastructure Services Status Information.

+
1.2.1.18.8 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.

@@ -661,7 +744,7 @@
DC NameDC-UIA-01V
GUID26fe30d7-5edb-4acd-8098-f0695eac1e26
EnabledYes
CreatedWed, 11 May 2022 17:57:17 GMT
-
Table 30 - Site Replication - DC-UIA-01V

+
Table 31 - Site Replication - DC-UIA-01V

@@ -675,34 +758,260 @@
DC NameDC-UIA-01V
EnabledYes
CreatedWed, 11 May 2022 17:57:17 GMT
-
Table 31 - Site Replication - DC-UIA-01V

-
1.2.1.17.9 Sites Replication Failure
The following section provides a summary of the Active Directory Site Replication Failure information.

+
Table 32 - Site Replication - DC-UIA-01V

+
1.2.1.18.9 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain UIA.LOCAL.

- - - - - - + + + + + +
Server NameDC-UIA-01V
PartnerSERVER-DC-01V
Last Error1908
Failure TypeLink
Failure Count0
First Failure TimeWed, 11 May 2022 17:54:50 GMT
GPO NameDefault Domain Policy
GPO StatusAll Settings Enabled
Created05/11/2022
Modified05/11/2022
Description 
OwnerUIA\Domain Admins
-
Table 32 - Site Replication Failure - DC-UIA-01V

-
Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.
1.2.1.17.10 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain UIA.LOCAL.

- - - +
Table 33 - GPO - Default Domain Policy

+
GPO NameGPO StatusOwner
Default Domain Controllers PolicyAll Settings EnabledUIA\Domain Admins
Default Domain PolicyAll Settings EnabledUIA\Domain Admins
+ + + + + + +
GPO NameDefault Domain Controllers Policy
GPO StatusAll Settings Enabled
Created05/11/2022
Modified05/11/2022
Description 
OwnerUIA\Domain Admins
-
Table 33 - GPO - UIA.LOCAL

-
1.2.1.17.10.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.

+
Table 34 - GPO - Default Domain Controllers Policy

+
1.2.1.18.9.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.

DomainConfiguredCentral Store Path
UIA.LOCALNo\\uia.local\SYSVOL\uia.local\Policies\PolicyDefinitions
-
Table 34 - GPO Central Store - UIA.LOCAL

-
Health Check:
Best Practices: Ensure Central Store is deployed to centralized GPO repository.
1.2.1.17.11 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.

+
Table 35 - GPO Central Store - UIA.LOCAL

+
Health Check:
Best Practices: Ensure Central Store is deployed to centralized GPO repository.
1.2.1.18.10 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.

+ + + + + + + + + + + + + + + + + + + + + -
NamePathLinked GPO
.SecFrame.comuia.local/.SecFrame.com-
Adminuia.local/Admin-
Staginguia.local/Admin/Staging-
Tier 0uia.local/Admin/Tier 0-
T0-Accountsuia.local/Admin/Tier 0/T0-Accounts-
T0-Devicesuia.local/Admin/Tier 0/T0-Devices-
T0-Permissionsuia.local/Admin/Tier 0/T0-Permissions-
T0-Rolesuia.local/Admin/Tier 0/T0-Roles-
T0-Serversuia.local/Admin/Tier 0/T0-Servers-
Tier 1uia.local/Admin/Tier 1-
T1-Accountsuia.local/Admin/Tier 1/T1-Accounts-
T1-Devicesuia.local/Admin/Tier 1/T1-Devices-
T1-Permissionsuia.local/Admin/Tier 1/T1-Permissions-
T1-Rolesuia.local/Admin/Tier 1/T1-Roles-
T1-Serversuia.local/Admin/Tier 1/T1-Servers-
Tier 2uia.local/Admin/Tier 2-
T2-Accountsuia.local/Admin/Tier 2/T2-Accounts-
T2-Devicesuia.local/Admin/Tier 2/T2-Devices-
T2-Permissionsuia.local/Admin/Tier 2/T2-Permissions-
T2-Rolesuia.local/Admin/Tier 2/T2-Roles-
T2-Serversuia.local/Admin/Tier 2/T2-Servers-
Domain Controllersuia.local/Domain ControllersDefault Domain Controllers Policy
-
Table 35 - Organizational Unit - UIA.LOCAL

-

1.2.2 PHARMAX.LOCAL Domain Configuration

The following section provides a summary of the Active Directory Domain Information.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Grouper-Groupsuia.local/Grouper-Groups-
Peopleuia.local/People-
AWSuia.local/People/AWS-
AZRuia.local/People/AZR-
BDEuia.local/People/BDE-
Deprovisioneduia.local/People/Deprovisioned-
ESMuia.local/People/ESM-
FINuia.local/People/FIN-
FSRuia.local/People/FSR-
GOOuia.local/People/GOO-
HREuia.local/People/HRE-
ITSuia.local/People/ITS-
OGCuia.local/People/OGC-
SECuia.local/People/SEC-
TSTuia.local/People/TST-
Unassociateduia.local/People/Unassociated-
Quarantineuia.local/Quarantine-
Stageuia.local/Stage-
AWSuia.local/Stage/AWS-
Devicesuia.local/Stage/AWS/Devices-
Groupsuia.local/Stage/AWS/Groups-
ServiceAccountsuia.local/Stage/AWS/ServiceAccounts-
Testuia.local/Stage/AWS/Test-
AZRuia.local/Stage/AZR-
Devicesuia.local/Stage/AZR/Devices-
Groupsuia.local/Stage/AZR/Groups-
ServiceAccountsuia.local/Stage/AZR/ServiceAccounts-
Testuia.local/Stage/AZR/Test-
BDEuia.local/Stage/BDE-
Devicesuia.local/Stage/BDE/Devices-
Groupsuia.local/Stage/BDE/Groups-
ServiceAccountsuia.local/Stage/BDE/ServiceAccounts-
Testuia.local/Stage/BDE/Test-
ESMuia.local/Stage/ESM-
Devicesuia.local/Stage/ESM/Devices-
Groupsuia.local/Stage/ESM/Groups-
ServiceAccountsuia.local/Stage/ESM/ServiceAccounts-
Testuia.local/Stage/ESM/Test-
FINuia.local/Stage/FIN-
Devicesuia.local/Stage/FIN/Devices-
Groupsuia.local/Stage/FIN/Groups-
ServiceAccountsuia.local/Stage/FIN/ServiceAccounts-
Testuia.local/Stage/FIN/Test-
FSRuia.local/Stage/FSR-
Devicesuia.local/Stage/FSR/Devices-
Groupsuia.local/Stage/FSR/Groups-
ServiceAccountsuia.local/Stage/FSR/ServiceAccounts-
Testuia.local/Stage/FSR/Test-
GOOuia.local/Stage/GOO-
Devicesuia.local/Stage/GOO/Devices-
Groupsuia.local/Stage/GOO/Groups-
ServiceAccountsuia.local/Stage/GOO/ServiceAccounts-
Testuia.local/Stage/GOO/Test-
HREuia.local/Stage/HRE-
Devicesuia.local/Stage/HRE/Devices-
Groupsuia.local/Stage/HRE/Groups-
ServiceAccountsuia.local/Stage/HRE/ServiceAccounts-
Testuia.local/Stage/HRE/Test-
ITSuia.local/Stage/ITS-
Devicesuia.local/Stage/ITS/Devices-
Groupsuia.local/Stage/ITS/Groups-
ServiceAccountsuia.local/Stage/ITS/ServiceAccounts-
Testuia.local/Stage/ITS/Test-
OGCuia.local/Stage/OGC-
Devicesuia.local/Stage/OGC/Devices-
Groupsuia.local/Stage/OGC/Groups-
ServiceAccountsuia.local/Stage/OGC/ServiceAccounts-
Testuia.local/Stage/OGC/Test-
SECuia.local/Stage/SEC-
Devicesuia.local/Stage/SEC/Devices-
Groupsuia.local/Stage/SEC/Groups-
ServiceAccountsuia.local/Stage/SEC/ServiceAccounts-
Testuia.local/Stage/SEC/Test-
TSTuia.local/Stage/TST-
Devicesuia.local/Stage/TST/Devices-
Groupsuia.local/Stage/TST/Groups-
ServiceAccountsuia.local/Stage/TST/ServiceAccounts-
Testuia.local/Stage/TST/Test-
Testinguia.local/Testing-
Tier 1uia.local/Tier 1-
AWSuia.local/Tier 1/AWS-
Devicesuia.local/Tier 1/AWS/Devices-
Groupsuia.local/Tier 1/AWS/Groups-
ServiceAccountsuia.local/Tier 1/AWS/ServiceAccounts-
Testuia.local/Tier 1/AWS/Test-
AZRuia.local/Tier 1/AZR-
Devicesuia.local/Tier 1/AZR/Devices-
Groupsuia.local/Tier 1/AZR/Groups-
ServiceAccountsuia.local/Tier 1/AZR/ServiceAccounts-
Testuia.local/Tier 1/AZR/Test-
BDEuia.local/Tier 1/BDE-
Devicesuia.local/Tier 1/BDE/Devices-
Groupsuia.local/Tier 1/BDE/Groups-
ServiceAccountsuia.local/Tier 1/BDE/ServiceAccounts-
Testuia.local/Tier 1/BDE/Test-
ESMuia.local/Tier 1/ESM-
Devicesuia.local/Tier 1/ESM/Devices-
Groupsuia.local/Tier 1/ESM/Groups-
ServiceAccountsuia.local/Tier 1/ESM/ServiceAccounts-
Testuia.local/Tier 1/ESM/Test-
FINuia.local/Tier 1/FIN-
Devicesuia.local/Tier 1/FIN/Devices-
Groupsuia.local/Tier 1/FIN/Groups-
ServiceAccountsuia.local/Tier 1/FIN/ServiceAccounts-
Testuia.local/Tier 1/FIN/Test-
FSRuia.local/Tier 1/FSR-
Devicesuia.local/Tier 1/FSR/Devices-
Groupsuia.local/Tier 1/FSR/Groups-
ServiceAccountsuia.local/Tier 1/FSR/ServiceAccounts-
Testuia.local/Tier 1/FSR/Test-
GOOuia.local/Tier 1/GOO-
Devicesuia.local/Tier 1/GOO/Devices-
Groupsuia.local/Tier 1/GOO/Groups-
ServiceAccountsuia.local/Tier 1/GOO/ServiceAccounts-
Testuia.local/Tier 1/GOO/Test-
HREuia.local/Tier 1/HRE-
Devicesuia.local/Tier 1/HRE/Devices-
Groupsuia.local/Tier 1/HRE/Groups-
ServiceAccountsuia.local/Tier 1/HRE/ServiceAccounts-
Testuia.local/Tier 1/HRE/Test-
ITSuia.local/Tier 1/ITS-
Devicesuia.local/Tier 1/ITS/Devices-
Groupsuia.local/Tier 1/ITS/Groups-
ServiceAccountsuia.local/Tier 1/ITS/ServiceAccounts-
Testuia.local/Tier 1/ITS/Test-
OGCuia.local/Tier 1/OGC-
Devicesuia.local/Tier 1/OGC/Devices-
Groupsuia.local/Tier 1/OGC/Groups-
ServiceAccountsuia.local/Tier 1/OGC/ServiceAccounts-
Testuia.local/Tier 1/OGC/Test-
SECuia.local/Tier 1/SEC-
Devicesuia.local/Tier 1/SEC/Devices-
Groupsuia.local/Tier 1/SEC/Groups-
ServiceAccountsuia.local/Tier 1/SEC/ServiceAccounts-
Testuia.local/Tier 1/SEC/Test-
TSTuia.local/Tier 1/TST-
Devicesuia.local/Tier 1/TST/Devices-
Groupsuia.local/Tier 1/TST/Groups-
ServiceAccountsuia.local/Tier 1/TST/ServiceAccounts-
Testuia.local/Tier 1/TST/Test-
Tier 2uia.local/Tier 2-
AWSuia.local/Tier 2/AWS-
Devicesuia.local/Tier 2/AWS/Devices-
Groupsuia.local/Tier 2/AWS/Groups-
ServiceAccountsuia.local/Tier 2/AWS/ServiceAccounts-
Testuia.local/Tier 2/AWS/Test-
AZRuia.local/Tier 2/AZR-
Devicesuia.local/Tier 2/AZR/Devices-
Groupsuia.local/Tier 2/AZR/Groups-
ServiceAccountsuia.local/Tier 2/AZR/ServiceAccounts-
Testuia.local/Tier 2/AZR/Test-
BDEuia.local/Tier 2/BDE-
Devicesuia.local/Tier 2/BDE/Devices-
Groupsuia.local/Tier 2/BDE/Groups-
ServiceAccountsuia.local/Tier 2/BDE/ServiceAccounts-
Testuia.local/Tier 2/BDE/Test-
ESMuia.local/Tier 2/ESM-
Devicesuia.local/Tier 2/ESM/Devices-
Groupsuia.local/Tier 2/ESM/Groups-
ServiceAccountsuia.local/Tier 2/ESM/ServiceAccounts-
Testuia.local/Tier 2/ESM/Test-
FINuia.local/Tier 2/FIN-
Devicesuia.local/Tier 2/FIN/Devices-
Groupsuia.local/Tier 2/FIN/Groups-
ServiceAccountsuia.local/Tier 2/FIN/ServiceAccounts-
Testuia.local/Tier 2/FIN/Test-
FSRuia.local/Tier 2/FSR-
Devicesuia.local/Tier 2/FSR/Devices-
Groupsuia.local/Tier 2/FSR/Groups-
ServiceAccountsuia.local/Tier 2/FSR/ServiceAccounts-
Testuia.local/Tier 2/FSR/Test-
GOOuia.local/Tier 2/GOO-
Devicesuia.local/Tier 2/GOO/Devices-
Groupsuia.local/Tier 2/GOO/Groups-
ServiceAccountsuia.local/Tier 2/GOO/ServiceAccounts-
Testuia.local/Tier 2/GOO/Test-
HREuia.local/Tier 2/HRE-
Devicesuia.local/Tier 2/HRE/Devices-
Groupsuia.local/Tier 2/HRE/Groups-
ServiceAccountsuia.local/Tier 2/HRE/ServiceAccounts-
Testuia.local/Tier 2/HRE/Test-
ITSuia.local/Tier 2/ITS-
Devicesuia.local/Tier 2/ITS/Devices-
Groupsuia.local/Tier 2/ITS/Groups-
ServiceAccountsuia.local/Tier 2/ITS/ServiceAccounts-
Testuia.local/Tier 2/ITS/Test-
OGCuia.local/Tier 2/OGC-
Devicesuia.local/Tier 2/OGC/Devices-
Groupsuia.local/Tier 2/OGC/Groups-
ServiceAccountsuia.local/Tier 2/OGC/ServiceAccounts-
Testuia.local/Tier 2/OGC/Test-
SECuia.local/Tier 2/SEC-
Devicesuia.local/Tier 2/SEC/Devices-
Groupsuia.local/Tier 2/SEC/Groups-
ServiceAccountsuia.local/Tier 2/SEC/ServiceAccounts-
Testuia.local/Tier 2/SEC/Test-
TSTuia.local/Tier 2/TST-
Devicesuia.local/Tier 2/TST/Devices-
Groupsuia.local/Tier 2/TST/Groups-
ServiceAccountsuia.local/Tier 2/TST/ServiceAccounts-
Testuia.local/Tier 2/TST/Test-
+
Table 36 - Organizational Unit - UIA.LOCAL

+

1.2.2 PHARMAX.LOCAL Domain Configuration

The following section provides a summary of the Active Directory Domain Information.

@@ -723,23 +1032,23 @@
Domain Namepharmax
NetBIOS NamePHARMAX
RID Issued8100
RID Available1073733723
-
Table 36 - Domain Summary - PHARMAX.LOCAL

-

1.2.2.1 Health Check - Naming Context Last Backup

The following section details naming context last backup time for Domain PHARMAX.LOCAL.

+
Table 37 - Domain Summary - PHARMAX.LOCAL

+

1.2.2.1 Health Check - Naming Context Last Backup

The following section details naming context last backup time for Domain PHARMAX.LOCAL.

- - - - - -
Naming ContextLast BackupLast Backup in Days
CN=Configuration,DC=pharmax,DC=local2022:05:110
CN=Schema,CN=Configuration,DC=pharmax,DC=local2022:05:110
DC=DomainDnsZones,DC=pharmax,DC=local2022:05:028
DC=ForestDnsZones,DC=pharmax,DC=local2022:05:110
DC=pharmax,DC=local2022:05:028
-
Table 37 - Naming Context Last Backup - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.

1.2.2.2 Health Check - DFS Health

The following section details Distributed File System health status for Domain PHARMAX.LOCAL.

+ + + + + +
CN=Configuration,DC=pharmax,DC=local2022:05:1370
CN=Schema,CN=Configuration,DC=pharmax,DC=local2022:05:1370
DC=DomainDnsZones,DC=pharmax,DC=local2022:05:0280
DC=ForestDnsZones,DC=pharmax,DC=local2022:05:1370
DC=pharmax,DC=local2022:05:0280
+
Table 38 - Naming Context Last Backup - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.

1.2.2.2 Health Check - DFS Health

The following section details Distributed File System health status for Domain PHARMAX.LOCAL.

DC NameReplication StateGPO CountSysvol CountIdentical CountStop Replication On AutoRecovery
CAYEY-DC-01VNormal1414YesNo
SERVER-DC-01VNormal1414YesNo
-
Table 38 - Domain Last Backup - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.

1.2.2.3 Flexible Single Master Operations (FSMO)

The following section provides a summary of the Active Directory FSMO for Domain PHARMAX.LOCAL.

+
Table 39 - Domain Last Backup - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.

1.2.2.3 Flexible Single Master Operations (FSMO)

The following section provides a summary of the Active Directory FSMO for Domain PHARMAX.LOCAL.

@@ -747,8 +1056,8 @@
Infrastructure Master ServerServer-DC-01V.pharmax.local
RID Master ServerServer-DC-01V.pharmax.local
Domain Naming Master ServerServer-DC-01V.pharmax.local
Schema Master ServerServer-DC-01V.pharmax.local
-
Table 39 - FSMO Server - pharmax.local

-

1.2.2.4 Domain and Trusts

The following section provides a summary of Active Directory Trust information on PHARMAX.LOCAL.

+
Table 40 - FSMO Server - pharmax.local

+

1.2.2.4 Domain and Trusts

The following section provides a summary of Active Directory Trust information on PHARMAX.LOCAL.

@@ -762,7 +1071,7 @@
Nameacad.pharmax.local
Pathpharmax.local/System/acad.pharmax.local
Trust TypeUplevel
Uplevel OnlyNo
-
Table 40 - Trusts - PHARMAX.LOCAL

+
Table 41 - Trusts - PHARMAX.LOCAL

@@ -777,40 +1086,40 @@
Nameuia.local
Trust TypeUplevel
Uplevel OnlyNo
-
Table 41 - Trusts - PHARMAX.LOCAL

-

1.2.2.5 Domain Object Count

The following section provides a summary of the Active Directory Object Count on PHARMAX.LOCAL.

+
Table 42 - Trusts - PHARMAX.LOCAL

+

1.2.2.5 Domain Object Count

The following section provides a summary of the Active Directory Object Count on PHARMAX.LOCAL.

- - + +
Computers197
Servers59
Computers201
Servers63
Domain Controller2
Global Catalog1
Users2889
Privileged Users19
Groups564
-
Table 42 - Object Count - PHARMAX.LOCAL

-

1.2.2.6 User Accounts in Active Directory

The following table provide a summary of the User Accounts from PHARMAX.LOCAL.

+
Table 43 - Object Count - PHARMAX.LOCAL

+

1.2.2.6 User Accounts in Active Directory

The following table provide a summary of the User Accounts from PHARMAX.LOCAL.

StatusCountPercentage
Enabled2885100%
Disabled40%
-
Table 43 - User Accounts in Active Directory - PHARMAX.LOCAL

-

1.2.2.7 Status of Users Accounts

The following table provide a summary of the User Accounts from PHARMAX.LOCAL.

+
Table 44 - User Accounts in Active Directory - PHARMAX.LOCAL

+

1.2.2.7 Status of Users Accounts

The following table provide a summary of the User Accounts from PHARMAX.LOCAL.

- + - +
CategoryEnabled CountEnabled %Disabled CountDisabled %Total CountTotal %
Cannot Change Password13010140
Password Never Expires17130201
Must Change Password at Logon002020
Password Age (> 42 days)401050
Password Age (> 42 days)28669910286799
SmartcardLogonRequired101020
SidHistory101000
Never Logged in28699940287399
Dormant (> 90 days)2881100402885100
Dormant (> 90 days)2882100402886100
Password Not Required202040
Account Expired101010
Account Lockout101000
-
Table 44 - Status of User Accounts - PHARMAX.LOCAL

-

1.2.2.8 Privileged Group Count

The following table provide a summary of the Privileged Group count from PHARMAX.LOCAL.

+
Table 45 - Status of User Accounts - PHARMAX.LOCAL

+

1.2.2.8 Privileged Group Count

The following table provide a summary of the Privileged Group count from PHARMAX.LOCAL.

@@ -823,24 +1132,24 @@ - +
Group NameCount
Account Operators1
Administrators6
Key Admins2
Print Operators1
Remote Desktop Users3
Schema Admins1
Schema Admins25
Server Operators3
-
Table 45 - Privileged Group Count - PHARMAX.LOCAL

-

1.2.2.9 Computer Accounts in Active Directory

The following table provide a summary of the Computer Accounts from PHARMAX.LOCAL.

+
Table 46 - Privileged Group Count - PHARMAX.LOCAL

+
Health Check:
Secutiry Best Practice: The Schema Admins group is a privileged group in a forest root domain. Members of the Schema Admins group can make changes to the schema, which is the framework for the Active Directory forest. Changes to the schema are not frequently required. This group only contains the Built-in Administrator account by default. Additional accounts must only be added when changes to the schema are necessary and then must be removed.

1.2.2.9 Computer Accounts in Active Directory

The following table provide a summary of the Computer Accounts from PHARMAX.LOCAL.

- +
StatusCountPercentage
Enabled19398%
Enabled19798%
Disabled42%
-
Table 46 - Computer Accounts in Active Directory - PHARMAX.LOCAL

-

1.2.2.10 Status of Computer Accounts

The following table provide a summary of the Computer Accounts from PHARMAX.LOCAL.

+
Table 47 - Computer Accounts in Active Directory - PHARMAX.LOCAL

+

1.2.2.10 Status of Computer Accounts

The following table provide a summary of the Computer Accounts from PHARMAX.LOCAL.

- - - + + +
CategoryEnabled CountEnabled %Disabled CountDisabled %Total CountTotal %
Dormant (> 90 days)172874217689
Password Age (> 30 days)178904218292
SidHistory111100
Dormant (> 90 days)172864217688
Password Age (> 30 days)182914218693
SidHistory101000
-
Table 47 - Status of Computer Accounts - PHARMAX.LOCAL

-

1.2.2.11 Operating Systems Count

The following table provide a summary of the Operating System count from PHARMAX.LOCAL.

+
Table 48 - Status of Computer Accounts - PHARMAX.LOCAL

+

1.2.2.11 Operating Systems Count

The following table provide a summary of the Operating System count from PHARMAX.LOCAL.

@@ -848,7 +1157,7 @@ - + @@ -857,12 +1166,13 @@ - + + - +
Operating SystemCount
 103
CentOS1
EMC File Server1
NetApp Release 9.5P61
NetApp Release 9.81
NetApp Release 9.9.11
NetApp Release 9.8P71
NetApp Release 9.9.1P13
OneFS1
redhat-linux-gnu1
Windows 10 Enterprise1
Windows 10 Enterprise Evaluation15
Windows Server 2016 Standard Evaluation10
Windows Server 2019 Standard Evaluation40
Windows Server 2019 Standard1
Windows Server 2019 Standard Evaluation39
Windows Server 2022 Datacenter3
Windows Server 2022 Datacenter Evaluation6
Windows Server 2022 Datacenter Evaluation10
-
Table 48 - Operating System Count - PHARMAX.LOCAL

-

1.2.2.12 Default Domain Password Policy

The following section provides a summary of the Default Domain Password Policy on PHARMAX.LOCAL.

+
Table 49 - Operating System Count - PHARMAX.LOCAL

+

1.2.2.12 Default Domain Password Policy

The following section provides a summary of the Default Domain Password Policy on PHARMAX.LOCAL.

@@ -875,8 +1185,8 @@
Password Must Meet Complexity RequirementsYes
Pathpharmax.local/
Enforce Password History24
Store Password using Reversible EncryptionNo
-
Table 49 - Default Domain Password Policy - PHARMAX.LOCAL

-

1.2.2.13 Fined Grained Password Policies

The following section provides a summary of the Fined Grained Password Policies on PHARMAX.LOCAL.

+
Table 50 - Default Domain Password Policy - PHARMAX.LOCAL

+

1.2.2.13 Fined Grained Password Policies

The following section provides a summary of the Fined Grained Password Policies on PHARMAX.LOCAL.

@@ -893,7 +1203,7 @@
Password Setting NameAdministrators
Domain Namepharmax.local
Precedence1
Applies Tohorizon-ic, dbuser, jocolon
-
Table 50 - Fined Grained Password Policies - Administrators

+
Table 51 - Fined Grained Password Policies - Administrators

@@ -911,8 +1221,8 @@
Password Setting NameTest
Precedence1
Applies Tovmuserro
-
Table 51 - Fined Grained Password Policies - Test

-

1.2.2.14 Group Managed Service Accounts (GMSA)

The following section provides a summary of the Group Managed Service Accounts on PHARMAX.LOCAL.

+
Table 52 - Fined Grained Password Policies - Test

+

1.2.2.14 Group Managed Service Accounts (GMSA)

The following section provides a summary of the Group Managed Service Accounts on PHARMAX.LOCAL.

@@ -928,7 +1238,7 @@
NameSQLServer
SamAccountNameSQLServer$
Password ExpiredNo
Password Last Set09/27/2020 14:14:22
-
Table 52 - Group Managed Service Accounts - SQLServer

+
Table 53 - Group Managed Service Accounts - SQLServer

@@ -945,8 +1255,8 @@
Nameadfsgmsa
Password ExpiredNo
Password Last Set10/07/2020 18:36:16
-
Table 53 - Group Managed Service Accounts - adfsgmsa

-

1.2.2.15 Health Check - Account Security Assessment

The following section provide a summary of the Account Security Assessment on Domain PHARMAX.LOCAL.

+
Table 54 - Group Managed Service Accounts - adfsgmsa

+

1.2.2.15 Health Check - Account Security Assessment

The following section provide a summary of the Account Security Assessment on Domain PHARMAX.LOCAL.

@@ -959,12 +1269,12 @@
Total Users2889
Enabled Users2885
User Does Not Require Pre Auth0
Users With SID History0
-
Table 54 - Account Security Assessment - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.2.16 Health Check - Privileged Users Assessment

The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain PHARMAX.LOCAL

+
Table 55 - Account Security Assessment - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.2.16 Health Check - Privileged Users Assessment

The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain PHARMAX.LOCAL

- - + + @@ -982,8 +1292,8 @@
UsernameCreatedPassword Last SetLast Logon Date
krbtgt6/10/20186/10/2018-
Administrator6/10/20186/10/20185/2/2022
jocolon12/4/201911/30/20215/7/2022
Administrator6/10/20186/10/201812/22/2043
jocolon12/4/201911/30/202112/22/2043
svc_SCCM_ClientPush9/12/20209/12/20209/14/2020
DAMIAN_LEVY4/5/20224/5/2022-
JUDSON_BULLOCK4/5/20224/5/2022-
LAWANDA_JOSEPH4/5/20224/5/2022-
NICHOLAS_SCHROEDER4/5/20224/5/2022-
-
Table 55 - Privileged User Assessment - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.2.17 Health Check - Service Accounts Assessment

The following section details probable AD Service Accounts (user accounts with SPNs) on Domain PHARMAX.LOCAL

+
Table 56 - Privileged User Assessment - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.2.17 Health Check - Service Accounts Assessment

The following section details probable AD Service Accounts (user accounts with SPNs) on Domain PHARMAX.LOCAL

@@ -1082,34 +1392,34 @@
UsernameEnabledPassword Last SetLast Logon DateService Principal Name
vcenterYes12/13/201912/13/2019CIFS/ACAD-DNS-01V
7007675057SAYes4/5/2022-CIFS/DR-DC-01V
MARICELA_GARDNERYes4/5/2022-POP3/VEEAM-HV-01
CLAUDE_BOYDYes4/5/2022-POP3/vm-001v
-
Table 56 - Service Accounts Assessment - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.

1.2.2.18 Health Check - Unconstrained Kerberos Delegation

The following section provide a summary of unconstrained kerberos delegation on Domain PHARMAX.LOCAL.

+
Table 57 - Service Accounts Assessment - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.

1.2.2.18 Health Check - Unconstrained Kerberos Delegation

The following section provide a summary of unconstrained kerberos delegation on Domain PHARMAX.LOCAL.

NameDistinguished Name
HV-SERVER-01VCN=HV-SERVER-01V,OU=Member Servers,DC=pharmax,DC=local
-
Table 57 - Unconstrained Kerberos Delegation - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure there aren't any unconstrained kerberos delegation in Active Directory.

1.2.2.19 Health Check - KRBTGT Account Audit

The following section provide a summary of KRBTGT account on Domain PHARMAX.LOCAL.

+
Table 58 - Unconstrained Kerberos Delegation - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure there aren't any unconstrained kerberos delegation in Active Directory.

1.2.2.19 Health Check - KRBTGT Account Audit

The following section provide a summary of KRBTGT account on Domain PHARMAX.LOCAL.

Namekrbtgt
Created06/10/2018 21:00:49
Password Last Set06/10/2018 21:00:49
Distinguished NameCN=krbtgt,CN=Users,DC=pharmax,DC=local
-
Table 58 - KRBTGT Account Audit - PHARMAX.LOCAL

-
Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.

1.2.2.20 Health Check - Administrator Account Audit

The following section provide a summary of Administrator account on Domain PHARMAX.LOCAL.

+
Table 59 - KRBTGT Account Audit - PHARMAX.LOCAL

+
Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.

1.2.2.20 Health Check - Administrator Account Audit

The following section provide a summary of Administrator account on Domain PHARMAX.LOCAL.

NameAdministrator
Created06/10/2018 21:00:05
Password Last Set06/10/2018 04:01:50
Distinguished NameCN=Administrator,CN=Users,DC=pharmax,DC=local
-
Table 59 - Administrator Account Audit - PHARMAX.LOCAL

-
Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.

1.2.2.21 Health Check - Duplicate Objects

The following section details Duplicate Objects discovered on Domain PHARMAX.LOCAL.

+
Table 60 - Administrator Account Audit - PHARMAX.LOCAL

+
Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.

1.2.2.21 Health Check - Duplicate Objects

The following section details Duplicate Objects discovered on Domain PHARMAX.LOCAL.

NameCreatedChangedConflict Changed
SCCM-DP-01V-Remote-Installation-Services CNF:0b206bf4-6c39-47b2-bd69-3694aa657d762020:09:132020:09:132020:09:13
-
Table 60 - Duplicate Object - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure there aren't any duplicate object.

1.2.2.22 Health Check - Duplicate SPN

The following section details Duplicate SPN discovered on Domain PHARMAX.LOCAL.

+
Table 61 - Duplicate Object - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure there aren't any duplicate object.

1.2.2.22 Health Check - Duplicate SPN

The following section details Duplicate SPN discovered on Domain PHARMAX.LOCAL.

@@ -1117,25 +1427,25 @@
NameCountDistinguished Name
HOST/ACAD-DNS-01V2CN=ACAD-DNS-01V,OU=Member Servers,DC=acad,DC=pharmax,DC=local
CN=ACAD-DNS-01V,CN=Computers,DC=pharmax,DC=local
HOST/ACADE-DC-01V2CN=ACADE-DC-01V,OU=Domain Controllers,DC=acad,DC=pharmax,DC=local
CN=ACADE-DC-01V,CN=Computers,DC=pharmax,DC=local
RestrictedKrbHost/ACADE-DC-01V2CN=ACADE-DC-01V,OU=Domain Controllers,DC=acad,DC=pharmax,DC=local
CN=ACADE-DC-01V,CN=Computers,DC=pharmax,DC=local
TERMSRV/ACAD-DNS-01V2CN=ACAD-DNS-01V,OU=Member Servers,DC=acad,DC=pharmax,DC=local
CN=ACAD-DNS-01V,CN=Computers,DC=pharmax,DC=local
-
Table 61 - Duplicate SPN - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure there aren't any duplicate SPNs (other than krbtgt).

1.2.2.23 Domain Controller Summary

A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.

+
Table 62 - Duplicate SPN - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure there aren't any duplicate SPNs (other than krbtgt).

1.2.2.23 Domain Controller Summary

A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.

DC NameDomain NameSiteGlobal CatalogRead OnlyIP Address
CAYEY-DC-01Vpharmax.localCayey-BranchNoNo10.10.33.1
SERVER-DC-01Vpharmax.localPharmax-HQYesNo192.168.5.1
-
Table 62 - Domain Controller Summary - PHARMAX.LOCAL

-
1.2.2.23.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for PHARMAX.LOCAL.

+
Table 63 - Domain Controller Summary - PHARMAX.LOCAL

+
1.2.2.23.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for PHARMAX.LOCAL.

- + - - + + @@ -1148,7 +1458,7 @@
NameServer-DC-01V
Windows Product NameWindows Server 2019 Standard Evaluation
Windows Product NameWindows Server 2019 Standard
Windows Current Version6.3
Windows Build Number10.0.17763
Windows Install TypeServer
AD Domainpharmax.local
Windows Installation Date09/08/2020 21:20:17
Time Zone(UTC-04:00) Georgetown, La Paz, Manaus, San Juan
License TypeRetail:TB:Eval
Partial Product KeyY7XRX
License TypeVolume:GVLK
Partial Product KeyJ464C
ManufacturerVMware, Inc.
ModelVMware7,1
Serial Number 
Number of Logical Cores2
Physical Memory (GB)4.00 GB
-
Table 63 - Domain Controller Hardware - SERVER-DC-01V

+
Table 64 - Domain Controller Hardware - SERVER-DC-01V

@@ -1173,30 +1483,30 @@
Namecayey-dc-01v
Number of Logical Cores2
Physical Memory (GB)4.00 GB
-
Table 64 - Domain Controller Hardware - CAYEY-DC-01V

-
1.2.2.23.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on PHARMAX.LOCAL.

+
Table 65 - Domain Controller Hardware - CAYEY-DC-01V

+
1.2.2.23.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on PHARMAX.LOCAL.

- - + +
DC NameDatabase FileDatabase SizeLog PathSysVol Path
CAYEY-DC-01VC:\Windows\NTDS\ntds.dit74.00 MBC:\Windows\NTDSC:\Windows\SYSVOL\sysvol
SERVER-DC-01VC:\Windows\NTDS\ntds.dit72.00 MBC:\Windows\NTDSC:\Windows\SYSVOL\sysvol
CAYEY-DC-01VC:\Windows\NTDS\ntds.dit72.00 MBC:\Windows\NTDSC:\Windows\SYSVOL\sysvol
SERVER-DC-01VC:\Windows\NTDS\ntds.dit84.00 MBC:\Windows\NTDSC:\Windows\SYSVOL\sysvol
-
Table 65 - NTDS Database File Usage - PHARMAX.LOCAL

-
1.2.2.23.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on PHARMAX.LOCAL.

+
Table 66 - NTDS Database File Usage - PHARMAX.LOCAL

+
1.2.2.23.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on PHARMAX.LOCAL.

NameTime ServerType
CAYEY-DC-01VDomain HierarchyDOMHIER
SERVER-DC-01V0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.orgMANUAL (NTP)
-
Table 66 - Time Source Configuration - PHARMAX.LOCAL

-
1.2.2.23.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on PHARMAX.LOCAL.

1.2.2.23.4.1 SERVER-DC-01V additional software
+
Table 67 - Time Source Configuration - PHARMAX.LOCAL

+
1.2.2.23.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on PHARMAX.LOCAL.

1.2.2.23.4.1 SERVER-DC-01V additional software
NamePublisherInstall Date
Veeam VSS Hardware ProviderVeeam Software Group GmbH20220502
-
Table 67 - Installed Software - SERVER-DC-01V

-
Health Check:
Best Practices: Do not run other software or services on a Domain Controller.
1.2.2.23.4.2 CAYEY-DC-01V additional software
+
Table 68 - Installed Software - SERVER-DC-01V

+
Health Check:
Best Practices: Do not run other software or services on a Domain Controller.
1.2.2.23.4.2 CAYEY-DC-01V additional software
NamePublisherInstall Date
7-Zip 21.07 (x64 edition)Igor Pavlov20220122
-
Table 68 - Installed Software - CAYEY-DC-01V

-
Health Check:
Best Practices: Do not run other software or services on a Domain Controller.
1.2.2.23.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.2.23.5.1 SERVER-DC-01V
+
Table 69 - Installed Software - CAYEY-DC-01V

+
Health Check:
Best Practices: Do not run other software or services on a Domain Controller.
1.2.2.23.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.2.23.5.1 SERVER-DC-01V
@@ -1206,8 +1516,8 @@
NameParentInstallState
Active Directory Certificate ServicesRoleActive Directory Certificate Services (AD CS) is used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications.
Active Directory Domain ServicesRoleActive Directory Domain Services (AD DS) stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process.
Web Server (IIS)RoleWeb Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure.
Windows Server Update ServicesRoleWindows Server Update Services allows network administrators to specify the Microsoft updates that should be installed, create separate groups of computers for different sets of updates, and get reports on the compliance levels of the computers and the updates that must be installed.
-
Table 69 - Roles - SERVER-DC-01V

-
Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.2.23.5.2 CAYEY-DC-01V
+
Table 70 - Roles - SERVER-DC-01V

+
Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.2.23.5.2 CAYEY-DC-01V
@@ -1216,8 +1526,8 @@
NameParentInstallState
Active Directory Certificate ServicesRoleActive Directory Certificate Services (AD CS) is used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications.
Active Directory Domain ServicesRoleActive Directory Domain Services (AD DS) stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process.
File and Storage ServicesRoleFile and Storage Services includes services that are always installed, as well as functionality that you can install to help manage file servers and storage.
Web Server (IIS)RoleWeb Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure.
-
Table 70 - Roles - CAYEY-DC-01V

-
Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.2.23.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.

1.2.2.23.6.1 SERVER-DC-01V
+
Table 71 - Roles - CAYEY-DC-01V

+
Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.2.23.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.

1.2.2.23.6.1 SERVER-DC-01V
@@ -1246,8 +1556,8 @@
Test NameResult
Advertisingpassed
CheckSDRefDompassed
SysVolCheckpassed
VerifyReferencespassed
-
Table 71 - Domain Controller DCDiag - SERVER-DC-01V

-
1.2.2.23.6.2 CAYEY-DC-01V
+
Table 72 - Domain Controller DCDiag - SERVER-DC-01V

+
1.2.2.23.6.2 CAYEY-DC-01V
@@ -1276,8 +1586,8 @@
Test NameResult
Advertisingpassed
CheckSDRefDompassed
SysVolCheckpassed
VerifyReferencespassed
-
Table 72 - Domain Controller DCDiag - CAYEY-DC-01V

-
1.2.2.23.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.2.23.7.1 SERVER-DC-01V
+
Table 73 - Domain Controller DCDiag - CAYEY-DC-01V

+
1.2.2.23.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.2.23.7.1 SERVER-DC-01V
@@ -1290,8 +1600,8 @@
Display NameShort NameStatus
Active Directory Certificate ServicesCertSvcRunning
Active Directory Domain ServicesNTDSRunning
NetLogonNetlogonRunning
Windows TimeW32TimeRunning
-
Table 73 - Domain Controller Infrastructure Services Status Information.

-
1.2.2.23.8 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.2.23.8.1 CAYEY-DC-01V
+
Table 74 - Domain Controller Infrastructure Services Status Information.

+
1.2.2.23.8 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.2.23.8.1 CAYEY-DC-01V
@@ -1304,8 +1614,8 @@
Display NameShort NameStatus
Active Directory Certificate ServicesCertSvcRunning
Active Directory Domain ServicesNTDSRunning
NetLogonNetlogonRunning
Windows TimeW32TimeRunning
-
Table 74 - Domain Controller Infrastructure Services Status Information.

-
1.2.2.23.9 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.

+
Table 75 - Domain Controller Infrastructure Services Status Information.

+
1.2.2.23.9 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.

@@ -1318,7 +1628,7 @@
DC NameSERVER-DC-01V
GUID9dd36d8c-c157-4886-b411-c316fdf19c86
EnabledYes
CreatedTue, 07 Dec 2021 15:52:27 GMT
-
Table 75 - Site Replication - SERVER-DC-01V

+
Table 76 - Site Replication - SERVER-DC-01V

@@ -1332,7 +1642,7 @@
DC NameSERVER-DC-01V
EnabledYes
CreatedWed, 11 May 2022 17:54:53 GMT
-
Table 76 - Site Replication - SERVER-DC-01V

+
Table 77 - Site Replication - SERVER-DC-01V

@@ -1346,7 +1656,7 @@
DC NameSERVER-DC-01V
EnabledYes
CreatedSun, 05 Sep 2021 16:24:39 GMT
-
Table 77 - Site Replication - SERVER-DC-01V

+
Table 78 - Site Replication - SERVER-DC-01V

@@ -1360,79 +1670,211 @@
DC NameCAYEY-DC-01V
EnabledYes
CreatedTue, 07 Dec 2021 15:55:03 GMT
-
Table 78 - Site Replication - CAYEY-DC-01V

-
1.2.2.23.10 Sites Replication Failure
The following section provides a summary of the Active Directory Site Replication Failure information.

+
Table 79 - Site Replication - CAYEY-DC-01V

+
1.2.2.23.10 Sites Replication Failure
The following section provides a summary of the Active Directory Site Replication Failure information.

+ + + + + + + +
Server NameServer-DC-01V
PartnerDC-UIA-01V
Last Error1256
Failure TypeLink
Failure Count0
First Failure TimeSun, 10 Jul 2022 16:34:20 GMT
+
Table 80 - Site Replication Failure - SERVER-DC-01V

+
Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.

- + - +
Server NameServer-DC-01V
PartnerACADE-DC-01V
Last Error8524
Last Error1256
Failure TypeLink
Failure Count0
First Failure TimeWed, 11 May 2022 18:10:50 GMT
First Failure TimeSun, 10 Jul 2022 16:34:20 GMT
-
Table 79 - Site Replication Failure - SERVER-DC-01V

-
Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.
+
Table 81 - Site Replication Failure - SERVER-DC-01V

+
Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.

- +
Server NameServer-DC-01V
PartnerCAYEY-DC-01V
Last Error8524
Failure TypeLink
Failure Count0
First Failure TimeWed, 11 May 2022 18:10:50 GMT
First Failure TimeSun, 10 Jul 2022 16:34:20 GMT
-
Table 80 - Site Replication Failure - SERVER-DC-01V

-
Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.
1.2.2.23.11 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain PHARMAX.LOCAL.

- - - - - - - - - - - - - - - -
GPO NameGPO StatusOwner
Assign-ApplicationsAll Settings EnabledPHARMAX\Domain Admins
Certificate AutoEnrollmentUser Settings DisabledPHARMAX\Domain Admins
Dead PolicyAll Settings DisabledPHARMAX\Domain Admins
Default Domain Controllers PolicyAll Settings EnabledPHARMAX\Domain Admins
Default Domain PolicyAll Settings EnabledPHARMAX\Domain Admins
Horizon-DEMAll Settings EnabledPHARMAX\Domain Admins
LAPS ConfigurationAll Settings EnabledPHARMAX\Domain Admins
Linux-Settings-GPOAll Settings DisabledPHARMAX\Domain Admins
ProfileUnityAll Settings EnabledPHARMAX\Domain Admins
SCCM - Restricted Group and General SettingsAll Settings EnabledPHARMAX\Domain Admins
SCEP ConfigurationAll Settings EnabledPHARMAX\Domain Admins
VEEAM_Disable_FirewallAll Settings EnabledPHARMAX\Domain Admins
VEEAM_Local_AdministratorsAll Settings EnabledPHARMAX\Domain Admins
WSUS - Domain PolicyUser Settings DisabledPHARMAX\Domain Admins
-
Table 81 - GPO - PHARMAX.LOCAL

-
Health Check:
Best Practices: Ensure 'All Settings Disabled' GPO are removed from Active Directory.
1.2.2.23.11.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.

+
Table 82 - Site Replication Failure - SERVER-DC-01V

+
Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.

1.2.2.23.11 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain PHARMAX.LOCAL.

+ + + + + + + +
GPO NameAssign-Applications
GPO StatusAll Settings Enabled
Created03/10/2021
Modified03/10/2021
Description 
OwnerPHARMAX\Domain Admins
+
Table 83 - GPO - Assign-Applications

+
+ + + + + + + +
GPO NameCertificate AutoEnrollment
GPO StatusUser Settings Disabled
Created01/25/2020
Modified06/30/2021
Description 
OwnerPHARMAX\Domain Admins
+
Table 84 - GPO - Certificate AutoEnrollment

+
+ + + + + + + +
GPO NameDefault Domain Policy
GPO StatusAll Settings Enabled
Created06/10/2018
Modified12/19/2021
Description 
OwnerPHARMAX\Domain Admins
+
Table 85 - GPO - Default Domain Policy

+
+ + + + + + + +
GPO NameVEEAM_Disable_Firewall
GPO StatusAll Settings Enabled
Created12/13/2019
Modified09/08/2020
Description 
OwnerPHARMAX\Domain Admins
+
Table 86 - GPO - VEEAM_Disable_Firewall

+
+ + + + + + + +
GPO NameDefault Domain Controllers Policy
GPO StatusAll Settings Enabled
Created06/10/2018
Modified11/01/2020
Description 
OwnerPHARMAX\Domain Admins
+
Table 87 - GPO - Default Domain Controllers Policy

+
+ + + + + + + +
GPO NameProfileUnity
GPO StatusAll Settings Enabled
Created06/08/2020
Modified10/05/2021
Description 
OwnerPHARMAX\Domain Admins
+
Table 88 - GPO - ProfileUnity

+
+ + + + + + + +
GPO NameVEEAM_Local_Administrators
GPO StatusAll Settings Enabled
Created12/13/2019
Modified05/20/2022
Description 
OwnerPHARMAX\Domain Admins
+
Table 89 - GPO - VEEAM_Local_Administrators

+
+ + + + + + + +
GPO NameWSUS - Domain Policy
GPO StatusUser Settings Disabled
Created02/23/2020
Modified03/10/2021
Description 
OwnerPHARMAX\Domain Admins
+
Table 90 - GPO - WSUS - Domain Policy

+
+ + + + + + + +
GPO NameSCEP Configuration
GPO StatusAll Settings Enabled
Created09/14/2020
Modified10/04/2020
Description 
OwnerPHARMAX\Domain Admins
+
Table 91 - GPO - SCEP Configuration

+
+ + + + + + + +
GPO NameDead Policy
GPO StatusAll Settings Disabled
Created10/05/2021
Modified01/22/2022
Description 
OwnerPHARMAX\Domain Admins
+
Table 92 - GPO - Dead Policy

+
+ + + + + + + +
GPO NameHorizon-DEM
GPO StatusAll Settings Enabled
Created03/01/2020
Modified09/08/2020
Description 
OwnerPHARMAX\Domain Admins
+
Table 93 - GPO - Horizon-DEM

+
+ + + + + + + +
GPO NameLinux-Settings-GPO
GPO StatusAll Settings Disabled
Created05/22/2021
Modified02/04/2022
Description 
OwnerPHARMAX\Domain Admins
+
Table 94 - GPO - Linux-Settings-GPO

+
+ + + + + + + +
GPO NameSCCM - Restricted Group and General Settings
GPO StatusAll Settings Enabled
Created09/12/2020
Modified09/12/2020
Description 
OwnerPHARMAX\Domain Admins
+
Table 95 - GPO - SCCM - Restricted Group and General Settings

+
+ + + + + + + +
GPO NameLAPS Configuration
GPO StatusAll Settings Enabled
Created11/01/2020
Modified11/01/2020
Description 
OwnerPHARMAX\Domain Admins
+
Table 96 - GPO - LAPS Configuration

+
1.2.2.23.11.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.

DomainConfiguredCentral Store Path
PHARMAX.LOCALYes\\pharmax.local\SYSVOL\pharmax.local\Policies\PolicyDefinitions
-
Table 82 - GPO Central Store - PHARMAX.LOCAL

-
1.2.2.23.11.2 GPO with User Logon/Logoff Script
The following section provides a summary of Group Policy Objects with Logon/Logoff Script.

+
Table 97 - GPO Central Store - PHARMAX.LOCAL

+
1.2.2.23.11.2 GPO with User Logon/Logoff Script
The following section provides a summary of Group Policy Objects with Logon/Logoff Script.

GPO NameGPO StatusTypeScript
Dead PolicyAll Settings DisabledLogoff%systemdrive%\Program Files\ProfileUnity\Client.NET\LwL.ProfileUnity.Client.Logoff.exe
Horizon-DEMAll Settings EnabledLogoffC:\Program Files\Immidio\Flex Profiles\FlexEngine.exe
ProfileUnityAll Settings EnabledLogoff%systemdrive%\Program Files\ProfileUnity\Client.NET\LwL.ProfileUnity.Client.Logoff.exe
-
Table 83 - GPO with Logon/Logoff Script - PHARMAX.LOCAL

-
1.2.2.23.11.3 GPO with Computer Startup/Shutdown Script
The following section provides a summary of Group Policy Objects with Startup/Shutdown Script.

+
Table 98 - GPO with Logon/Logoff Script - PHARMAX.LOCAL

+
1.2.2.23.11.3 GPO with Computer Startup/Shutdown Script
The following section provides a summary of Group Policy Objects with Startup/Shutdown Script.

GPO NameGPO StatusTypeScript
Dead PolicyAll Settings DisabledStartup\\pharmax.local\netlogon\profileunity\LwL.ProfileUnity.Client.Startup.exe
ProfileUnityAll Settings EnabledStartup\\pharmax.local\netlogon\profileunity\LwL.ProfileUnity.Client.Startup.exe
-
Table 84 - GPO with Startup/Shutdown Script - PHARMAX.LOCAL

-
1.2.2.23.11.4 Health Check - Unlinked GPO
The following section provides a summary of the Unlinked Group Policy Objects.

+
Table 99 - GPO with Startup/Shutdown Script - PHARMAX.LOCAL

+
1.2.2.23.11.4 Health Check - Unlinked GPO
The following section provides a summary of the Unlinked Group Policy Objects.

GPO NameCreatedModifiedComputer EnabledUser Enabled
Dead Policy2021-10-052022-01-22NoNo
-
Table 85 - Unlinked GPO - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Remove Unused GPO from Active Directory.
1.2.2.23.11.5 Health Check - Empty GPOs
The following section provides a summary of the Empty Group Policy Objects.

+
Table 100 - Unlinked GPO - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Remove Unused GPO from Active Directory.
1.2.2.23.11.5 Health Check - Empty GPOs
The following section provides a summary of the Empty Group Policy Objects.

GPO NameCreatedModifiedDescription
Linux-Settings-GPO2021-05-232022-02-04-
-
Table 86 - Empty GPO - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: No User and Computer parameters are set: Remove Unused GPO in Active Directory.
1.2.2.23.11.6 Health Check - Enforced GPO
The following section provides a summary of the Enforced Group Policy Objects.

+
Table 101 - Empty GPO - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: No User and Computer parameters are set: Remove Unused GPO in Active Directory.
1.2.2.23.11.6 Health Check - Enforced GPO
The following section provides a summary of the Enforced Group Policy Objects.

GPO NameEnforcedOrderTarget
Linux-Settings-GPOYes1pharmax.local/LinuxMachines
-
Table 87 - Enforced GPO - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.2.23.12 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.

+
Table 102 - Enforced GPO - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.2.23.12 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.

@@ -1676,14 +2118,14 @@
NamePathLinked GPO
.SecFrame.compharmax.local/.SecFrame.com-
Adminpharmax.local/Admin-
VEEAM Serverspharmax.local/VEEAM ServersVEEAM_Disable_Firewall, VEEAM_Local_Administrators
VEEAM WorkStationspharmax.local/VEEAM WorkStationsVEEAM_Local_Administrators, VEEAM_Disable_Firewall
-
Table 88 - Organizational Unit - PHARMAX.LOCAL

-
1.2.2.23.12.1 Health Check - OU with GPO Blocked Inheritance
The following section provides a summary of the Blocked Inheritance Group Policy Objects.

+
Table 103 - Organizational Unit - PHARMAX.LOCAL

+
1.2.2.23.12.1 Health Check - OU with GPO Blocked Inheritance
The following section provides a summary of the Blocked Inheritance Group Policy Objects.

OU NameContainer TypeInheritance BlockedPath
fortinet emsOUYespharmax.local/Fortinet EMS
linuxmachinesOUYespharmax.local/LinuxMachines
-
Table 89 - Blocked Inheritance GPO - PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.

1.2.3 ACAD.PHARMAX.LOCAL Domain Configuration

The following section provides a summary of the Active Directory Domain Information.

+
Table 104 - Blocked Inheritance GPO - PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.

1.2.3 ACAD.PHARMAX.LOCAL Domain Configuration

The following section provides a summary of the Active Directory Domain Information.

@@ -1704,22 +2146,22 @@
Domain Nameacad
NetBIOS NameACAD
RID Issued1600
RID Available1073740223
-
Table 90 - Domain Summary - ACAD.PHARMAX.LOCAL

-

1.2.3.1 Health Check - Naming Context Last Backup

The following section details naming context last backup time for Domain ACAD.PHARMAX.LOCAL.

+
Table 105 - Domain Summary - ACAD.PHARMAX.LOCAL

+

1.2.3.1 Health Check - Naming Context Last Backup

The following section details naming context last backup time for Domain ACAD.PHARMAX.LOCAL.

- - - - - -
Naming ContextLast BackupLast Backup in Days
CN=Configuration,DC=pharmax,DC=local2022:05:110
CN=Schema,CN=Configuration,DC=pharmax,DC=local2022:05:110
DC=acad,DC=pharmax,DC=local2021:09:05248
DC=DomainDnsZones,DC=acad,DC=pharmax,DC=local2021:09:05248
DC=ForestDnsZones,DC=pharmax,DC=local2022:05:110
-
Table 91 - Naming Context Last Backup - ACAD.PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.

1.2.3.2 Health Check - DFS Health

The following section details Distributed File System health status for Domain ACAD.PHARMAX.LOCAL.

+ + + + + +
CN=Configuration,DC=pharmax,DC=local2022:05:1370
CN=Schema,CN=Configuration,DC=pharmax,DC=local2022:05:1370
DC=acad,DC=pharmax,DC=local2021:09:05320
DC=DomainDnsZones,DC=acad,DC=pharmax,DC=local2021:09:05320
DC=ForestDnsZones,DC=pharmax,DC=local2022:05:1370
+
Table 106 - Naming Context Last Backup - ACAD.PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.

1.2.3.2 Health Check - DFS Health

The following section details Distributed File System health status for Domain ACAD.PHARMAX.LOCAL.

DC NameReplication StateGPO CountSysvol CountIdentical CountStop Replication On AutoRecovery
ACADE-DC-01VNormal66YesNo
-
Table 92 - Domain Last Backup - ACAD.PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.

1.2.3.3 Flexible Single Master Operations (FSMO)

The following section provides a summary of the Active Directory FSMO for Domain ACAD.PHARMAX.LOCAL.

+
Table 107 - Domain Last Backup - ACAD.PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.

1.2.3.3 Flexible Single Master Operations (FSMO)

The following section provides a summary of the Active Directory FSMO for Domain ACAD.PHARMAX.LOCAL.

@@ -1727,8 +2169,8 @@
Infrastructure Master Serveracade-dc-01v.acad.pharmax.local
RID Master Serveracade-dc-01v.acad.pharmax.local
Domain Naming Master ServerServer-DC-01V.pharmax.local
Schema Master ServerServer-DC-01V.pharmax.local
-
Table 93 - FSMO Server - acad.pharmax.local

-

1.2.3.4 Domain and Trusts

The following section provides a summary of Active Directory Trust information on ACAD.PHARMAX.LOCAL.

+
Table 108 - FSMO Server - acad.pharmax.local

+

1.2.3.4 Domain and Trusts

The following section provides a summary of Active Directory Trust information on ACAD.PHARMAX.LOCAL.

@@ -1742,8 +2184,8 @@
Namepharmax.local
Pathacad.pharmax.local/System/pharmax.local
Trust TypeUplevel
Uplevel OnlyNo
-
Table 94 - Trusts - ACAD.PHARMAX.LOCAL

-

1.2.3.5 Domain Object Count

The following section provides a summary of the Active Directory Object Count on ACAD.PHARMAX.LOCAL.

+
Table 109 - Trusts - ACAD.PHARMAX.LOCAL

+

1.2.3.5 Domain Object Count

The following section provides a summary of the Active Directory Object Count on ACAD.PHARMAX.LOCAL.

@@ -1753,14 +2195,14 @@
Computers2
Servers2
Privileged Users2
Groups46
-
Table 95 - Object Count - ACAD.PHARMAX.LOCAL

-

1.2.3.6 User Accounts in Active Directory

The following table provide a summary of the User Accounts from ACAD.PHARMAX.LOCAL.

+
Table 110 - Object Count - ACAD.PHARMAX.LOCAL

+

1.2.3.6 User Accounts in Active Directory

The following table provide a summary of the User Accounts from ACAD.PHARMAX.LOCAL.

StatusCountPercentage
Enabled250%
Disabled250%
-
Table 96 - User Accounts in Active Directory - ACAD.PHARMAX.LOCAL

-

1.2.3.7 Status of Users Accounts

The following table provide a summary of the User Accounts from ACAD.PHARMAX.LOCAL.

+
Table 111 - User Accounts in Active Directory - ACAD.PHARMAX.LOCAL

+

1.2.3.7 Status of Users Accounts

The following table provide a summary of the User Accounts from ACAD.PHARMAX.LOCAL.

@@ -1774,10 +2216,11 @@
CategoryEnabled CountEnabled %Disabled CountDisabled %Total CountTotal %
Cannot Change Password1332512514350
Password Never Expires125125125
Account Expired12512500
Account Lockout12512500
-
Table 97 - Status of User Accounts - ACAD.PHARMAX.LOCAL

-

1.2.3.8 Privileged Group Count

The following table provide a summary of the Privileged Group count from ACAD.PHARMAX.LOCAL.

+
Table 112 - Status of User Accounts - ACAD.PHARMAX.LOCAL

+

1.2.3.8 Privileged Group Count

The following table provide a summary of the Privileged Group count from ACAD.PHARMAX.LOCAL.

+
@@ -1787,26 +2230,26 @@
Group NameCount
Account Operators0
Administrators6
Backup Operators1
Cert Publishers1
DnsAdmins0
Remote Desktop Users0
Server Operators0
-
Table 98 - Privileged Group Count - ACAD.PHARMAX.LOCAL

-

1.2.3.9 Computer Accounts in Active Directory

The following table provide a summary of the Computer Accounts from ACAD.PHARMAX.LOCAL.

+
Table 113 - Privileged Group Count - ACAD.PHARMAX.LOCAL

+

1.2.3.9 Computer Accounts in Active Directory

The following table provide a summary of the Computer Accounts from ACAD.PHARMAX.LOCAL.

StatusCountPercentage
Enabled2100%
Disabled00%
-
Table 99 - Computer Accounts in Active Directory - ACAD.PHARMAX.LOCAL

-

1.2.3.10 Status of Computer Accounts

The following table provide a summary of the Computer Accounts from ACAD.PHARMAX.LOCAL.

+
Table 114 - Computer Accounts in Active Directory - ACAD.PHARMAX.LOCAL

+

1.2.3.10 Status of Computer Accounts

The following table provide a summary of the Computer Accounts from ACAD.PHARMAX.LOCAL.

- - + +
CategoryEnabled CountEnabled %Disabled CountDisabled %Total CountTotal %
Dormant (> 90 days)15015000
Password Age (> 30 days)15015000
Dormant (> 90 days)150150150
Password Age (> 30 days)150150150
SidHistory15015000
-
Table 100 - Status of Computer Accounts - ACAD.PHARMAX.LOCAL

-

1.2.3.11 Operating Systems Count

The following table provide a summary of the Operating System count from ACAD.PHARMAX.LOCAL.

+
Table 115 - Status of Computer Accounts - ACAD.PHARMAX.LOCAL

+

1.2.3.11 Operating Systems Count

The following table provide a summary of the Operating System count from ACAD.PHARMAX.LOCAL.

Operating SystemCount
Windows Server 2019 Standard Evaluation2
-
Table 101 - Operating System Count - ACAD.PHARMAX.LOCAL

-

1.2.3.12 Default Domain Password Policy

The following section provides a summary of the Default Domain Password Policy on ACAD.PHARMAX.LOCAL.

+
Table 116 - Operating System Count - ACAD.PHARMAX.LOCAL

+

1.2.3.12 Default Domain Password Policy

The following section provides a summary of the Default Domain Password Policy on ACAD.PHARMAX.LOCAL.

@@ -1819,8 +2262,8 @@
Password Must Meet Complexity RequirementsYes
Pathacad.pharmax.local/
Enforce Password History24
Store Password using Reversible EncryptionNo
-
Table 102 - Default Domain Password Policy - ACAD.PHARMAX.LOCAL

-

1.2.3.13 Fined Grained Password Policies

The following section provides a summary of the Fined Grained Password Policies on ACAD.PHARMAX.LOCAL.

+
Table 117 - Default Domain Password Policy - ACAD.PHARMAX.LOCAL

+

1.2.3.13 Fined Grained Password Policies

The following section provides a summary of the Fined Grained Password Policies on ACAD.PHARMAX.LOCAL.

@@ -1837,8 +2280,8 @@
Password Setting NameACADTest
Domain Nameacad.pharmax.local
Precedence1
Applies ToSCCM-GMSA
-
Table 103 - Fined Grained Password Policies - ACADTest

-

1.2.3.14 Group Managed Service Accounts (GMSA)

The following section provides a summary of the Group Managed Service Accounts on ACAD.PHARMAX.LOCAL.

+
Table 118 - Fined Grained Password Policies - ACADTest

+

1.2.3.14 Group Managed Service Accounts (GMSA)

The following section provides a summary of the Group Managed Service Accounts on ACAD.PHARMAX.LOCAL.

@@ -1854,8 +2297,8 @@
NameSCCMMSA
SamAccountNameSCCMMSA$
Password ExpiredNo
Password Last Set09/11/2021 21:01:33
-
Table 104 - Group Managed Service Accounts - SCCMMSA

-

1.2.3.15 Health Check - Account Security Assessment

The following section provide a summary of the Account Security Assessment on Domain ACAD.PHARMAX.LOCAL.

+
Table 119 - Group Managed Service Accounts - SCCMMSA

+

1.2.3.15 Health Check - Account Security Assessment

The following section provide a summary of the Account Security Assessment on Domain ACAD.PHARMAX.LOCAL.

@@ -1868,40 +2311,40 @@
Total Users4
Enabled Users2
User Does Not Require Pre Auth0
Users With SID History0
-
Table 105 - Account Security Assessment - ACAD.PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.3.16 Health Check - Privileged Users Assessment

The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain ACAD.PHARMAX.LOCAL

+
Table 120 - Account Security Assessment - ACAD.PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.3.16 Health Check - Privileged Users Assessment

The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain ACAD.PHARMAX.LOCAL

UsernameCreatedPassword Last SetLast Logon Date
Administrator9/5/20219/5/20219/18/2021
krbtgt9/5/20219/5/2021-
-
Table 106 - Privileged User Assessment - ACAD.PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.3.17 Health Check - Service Accounts Assessment

The following section details probable AD Service Accounts (user accounts with SPNs) on Domain ACAD.PHARMAX.LOCAL

+
Table 121 - Privileged User Assessment - ACAD.PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.

1.2.3.17 Health Check - Service Accounts Assessment

The following section details probable AD Service Accounts (user accounts with SPNs) on Domain ACAD.PHARMAX.LOCAL

UsernameEnabledPassword Last SetLast Logon DateService Principal Name
krbtgtNo9/5/2021-kadmin/changepw
-
Table 107 - Service Accounts Assessment - ACAD.PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.

1.2.3.18 Health Check - KRBTGT Account Audit

The following section provide a summary of KRBTGT account on Domain ACAD.PHARMAX.LOCAL.

+
Table 122 - Service Accounts Assessment - ACAD.PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.

1.2.3.18 Health Check - KRBTGT Account Audit

The following section provide a summary of KRBTGT account on Domain ACAD.PHARMAX.LOCAL.

Namekrbtgt
Created09/05/2021 12:25:21
Password Last Set09/05/2021 12:25:21
Distinguished NameCN=krbtgt,CN=Users,DC=acad,DC=pharmax,DC=local
-
Table 108 - KRBTGT Account Audit - ACAD.PHARMAX.LOCAL

-
Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.

1.2.3.19 Health Check - Administrator Account Audit

The following section provide a summary of Administrator account on Domain ACAD.PHARMAX.LOCAL.

+
Table 123 - KRBTGT Account Audit - ACAD.PHARMAX.LOCAL

+
Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.

1.2.3.19 Health Check - Administrator Account Audit

The following section provide a summary of Administrator account on Domain ACAD.PHARMAX.LOCAL.

NameAdministrator
Created09/05/2021 12:24:39
Password Last Set09/05/2021 10:35:45
Distinguished NameCN=Administrator,CN=Users,DC=acad,DC=pharmax,DC=local
-
Table 109 - Administrator Account Audit - ACAD.PHARMAX.LOCAL

-
Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.

1.2.3.20 Domain Controller Summary

A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.

+
Table 124 - Administrator Account Audit - ACAD.PHARMAX.LOCAL

+
Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.

1.2.3.20 Domain Controller Summary

A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.

DC NameDomain NameSiteGlobal CatalogRead OnlyIP Address
ACADE-DC-01Vacad.pharmax.localACADYesNo172.23.4.1
-
Table 110 - Domain Controller Summary - ACAD.PHARMAX.LOCAL

-
1.2.3.20.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for ACAD.PHARMAX.LOCAL.

+
Table 125 - Domain Controller Summary - ACAD.PHARMAX.LOCAL

+
1.2.3.20.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for ACAD.PHARMAX.LOCAL.

@@ -1925,18 +2368,18 @@
Nameacade-dc-01v
Windows Product NameWindows Server 2019 Standard Evaluation
Number of Logical Cores2
Physical Memory (GB)4.00 GB
-
Table 111 - Domain Controller Hardware - ACADE-DC-01V

-
1.2.3.20.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on ACAD.PHARMAX.LOCAL.

+
Table 126 - Domain Controller Hardware - ACADE-DC-01V

+
1.2.3.20.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on ACAD.PHARMAX.LOCAL.

- +
DC NameDatabase FileDatabase SizeLog PathSysVol Path
ACADE-DC-01VC:\Windows\NTDS\ntds.dit54.00 MBC:\Windows\NTDSC:\Windows\SYSVOL\sysvol
ACADE-DC-01VC:\Windows\NTDS\ntds.dit66.00 MBC:\Windows\NTDSC:\Windows\SYSVOL\sysvol
-
Table 112 - NTDS Database File Usage - ACAD.PHARMAX.LOCAL

-
1.2.3.20.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on ACAD.PHARMAX.LOCAL.

+
Table 127 - NTDS Database File Usage - ACAD.PHARMAX.LOCAL

+
1.2.3.20.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on ACAD.PHARMAX.LOCAL.

NameTime ServerType
ACADE-DC-01VDomain HierarchyDOMHIER
-
Table 113 - Time Source Configuration - ACAD.PHARMAX.LOCAL

-
1.2.3.20.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on ACAD.PHARMAX.LOCAL.

1.2.3.20.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.3.20.5.1 ACADE-DC-01V
+
Table 128 - Time Source Configuration - ACAD.PHARMAX.LOCAL

+
1.2.3.20.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on ACAD.PHARMAX.LOCAL.

1.2.3.20.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.3.20.5.1 ACADE-DC-01V
@@ -1945,8 +2388,8 @@
NameParentInstallState
Active Directory Certificate ServicesRoleActive Directory Certificate Services (AD CS) is used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications.
Active Directory Domain ServicesRoleActive Directory Domain Services (AD DS) stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process.
File and Storage ServicesRoleFile and Storage Services includes services that are always installed, as well as functionality that you can install to help manage file servers and storage.
Web Server (IIS)RoleWeb Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure.
-
Table 114 - Roles - ACADE-DC-01V

-
Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.3.20.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.

1.2.3.20.6.1 ACADE-DC-01V
+
Table 129 - Roles - ACADE-DC-01V

+
Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.3.20.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.

1.2.3.20.6.1 ACADE-DC-01V
@@ -1958,7 +2401,7 @@ - +
@@ -1975,8 +2418,8 @@
Test NameResult
Advertisingfailed
CheckSDRefDompassed
CrossRefValidationpassed
CrossRefValidationpassed
CrossRefValidationpassed
DFSREventfailed
DFSREventpassed
FrsEventpassed
Intersitepassed
KccEventpassed
SysVolCheckfailed
VerifyReferencespassed
-
Table 115 - Domain Controller DCDiag - ACADE-DC-01V

-
1.2.3.20.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.3.20.7.1 ACADE-DC-01V
+
Table 130 - Domain Controller DCDiag - ACADE-DC-01V

+
1.2.3.20.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.3.20.7.1 ACADE-DC-01V
@@ -1989,8 +2432,8 @@
Display NameShort NameStatus
Active Directory Certificate ServicesCertSvcRunning
Active Directory Domain ServicesNTDSRunning
NetLogonNetlogonRunning
Windows TimeW32TimeRunning
-
Table 116 - Domain Controller Infrastructure Services Status Information.

-
1.2.3.20.8 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.

+
Table 131 - Domain Controller Infrastructure Services Status Information.

+
1.2.3.20.8 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.

@@ -2003,90 +2446,140 @@
DC NameACADE-DC-01V
GUID739a49db-275b-4d09-81c8-ab9e5f393977
EnabledYes
CreatedSun, 05 Sep 2021 16:26:31 GMT
-
Table 117 - Site Replication - ACADE-DC-01V

-
1.2.3.20.9 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain ACAD.PHARMAX.LOCAL.

- - - - - - - -
GPO NameGPO StatusOwner
ACAD Certificate AutoEnrollmentAll Settings EnabledPHARMAX\Enterprise Admins
Default Domain Controllers PolicyAll Settings EnabledACAD\Domain Admins
Default Domain PolicyAll Settings EnabledACAD\Domain Admins
Empty Policy ACADAll Settings EnabledPHARMAX\Enterprise Admins
Logon ScriptAll Settings EnabledPHARMAX\Enterprise Admins
Unlinked Policy ACADAll Settings DisabledPHARMAX\Enterprise Admins
-
Table 118 - GPO - ACAD.PHARMAX.LOCAL

-
Health Check:
Best Practices: Ensure 'All Settings Disabled' GPO are removed from Active Directory.
1.2.3.20.9.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.

+
Table 132 - Site Replication - ACADE-DC-01V

+
1.2.3.20.9 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain ACAD.PHARMAX.LOCAL.

+ + + + + + + +
GPO NameEmpty Policy ACAD
GPO StatusAll Settings Enabled
Created10/05/2021
Modified10/05/2021
Description 
OwnerPHARMAX\Enterprise Admins
+
Table 133 - GPO - Empty Policy ACAD

+
+ + + + + + + +
GPO NameDefault Domain Policy
GPO StatusAll Settings Enabled
Created09/05/2021
Modified10/19/2021
Description 
OwnerACAD\Domain Admins
+
Table 134 - GPO - Default Domain Policy

+
+ + + + + + + +
GPO NameUnlinked Policy ACAD
GPO StatusAll Settings Disabled
Created10/05/2021
Modified10/05/2021
Description 
OwnerPHARMAX\Enterprise Admins
+
Table 135 - GPO - Unlinked Policy ACAD

+
+ + + + + + + +
GPO NameDefault Domain Controllers Policy
GPO StatusAll Settings Enabled
Created09/05/2021
Modified09/22/2021
Description 
OwnerACAD\Domain Admins
+
Table 136 - GPO - Default Domain Controllers Policy

+
+ + + + + + + +
GPO NameACAD Certificate AutoEnrollment
GPO StatusAll Settings Enabled
Created09/22/2021
Modified09/22/2021
Description 
OwnerPHARMAX\Enterprise Admins
+
Table 137 - GPO - ACAD Certificate AutoEnrollment

+
+ + + + + + + +
GPO NameLogon Script
GPO StatusAll Settings Enabled
Created10/07/2021
Modified10/07/2021
Description 
OwnerPHARMAX\Enterprise Admins
+
Table 138 - GPO - Logon Script

+
1.2.3.20.9.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.

DomainConfiguredCentral Store Path
ACAD.PHARMAX.LOCALNo\\acad.pharmax.local\SYSVOL\acad.pharmax.local\Policies\PolicyDefinitions
-
Table 119 - GPO Central Store - ACAD.PHARMAX.LOCAL

-
Health Check:
Best Practices: Ensure Central Store is deployed to centralized GPO repository.
1.2.3.20.9.2 GPO with User Logon/Logoff Script
The following section provides a summary of Group Policy Objects with Logon/Logoff Script.

+
Table 139 - GPO Central Store - ACAD.PHARMAX.LOCAL

+
Health Check:
Best Practices: Ensure Central Store is deployed to centralized GPO repository.
1.2.3.20.9.2 GPO with User Logon/Logoff Script
The following section provides a summary of Group Policy Objects with Logon/Logoff Script.

GPO NameGPO StatusTypeScript
Logon ScriptAll Settings EnabledLogon\\acad.pharmax.local\NETLOGON\enroll.exe
-
Table 120 - GPO with Logon/Logoff Script - ACAD.PHARMAX.LOCAL

-
1.2.3.20.9.3 Health Check - Unlinked GPO
The following section provides a summary of the Unlinked Group Policy Objects.

+
Table 140 - GPO with Logon/Logoff Script - ACAD.PHARMAX.LOCAL

+
1.2.3.20.9.3 Health Check - Unlinked GPO
The following section provides a summary of the Unlinked Group Policy Objects.

GPO NameCreatedModifiedComputer EnabledUser Enabled
Logon Script2021-10-072021-10-07YesYes
Unlinked Policy ACAD2021-10-062021-10-06NoNo
-
Table 121 - Unlinked GPO - ACAD.PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Remove Unused GPO from Active Directory.
1.2.3.20.9.4 Health Check - Empty GPOs
The following section provides a summary of the Empty Group Policy Objects.

+
Table 141 - Unlinked GPO - ACAD.PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Remove Unused GPO from Active Directory.
1.2.3.20.9.4 Health Check - Empty GPOs
The following section provides a summary of the Empty Group Policy Objects.

GPO NameCreatedModifiedDescription
Empty Policy ACAD2021-10-062021-10-06-
-
Table 122 - Empty GPO - ACAD.PHARMAX.LOCAL

-
Health Check:
Corrective Actions: No User and Computer parameters are set: Remove Unused GPO in Active Directory.
1.2.3.20.9.5 Health Check - Enforced GPO
The following section provides a summary of the Enforced Group Policy Objects.

+
Table 142 - Empty GPO - ACAD.PHARMAX.LOCAL

+
Health Check:
Corrective Actions: No User and Computer parameters are set: Remove Unused GPO in Active Directory.
1.2.3.20.9.5 Health Check - Enforced GPO
The following section provides a summary of the Enforced Group Policy Objects.

GPO NameEnforcedOrderTarget
Empty Policy ACADYes1acad.pharmax.local/Acad Computers/SCCM Computers
-
Table 123 - Enforced GPO - ACAD.PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.3.20.10 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.

+
Table 143 - Enforced GPO - ACAD.PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.3.20.10 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.

NamePathLinked GPO
Acad Computersacad.pharmax.local/Acad Computers-
SCCM Computersacad.pharmax.local/Acad Computers/SCCM ComputersEmpty Policy ACAD
Domain Controllersacad.pharmax.local/Domain ControllersDefault Domain Controllers Policy
Member Serversacad.pharmax.local/Member Servers-
-
Table 124 - Organizational Unit - ACAD.PHARMAX.LOCAL

-
1.2.3.20.10.1 Health Check - OU with GPO Blocked Inheritance
The following section provides a summary of the Blocked Inheritance Group Policy Objects.

+
Table 144 - Organizational Unit - ACAD.PHARMAX.LOCAL

+
1.2.3.20.10.1 Health Check - OU with GPO Blocked Inheritance
The following section provides a summary of the Blocked Inheritance Group Policy Objects.

OU NameContainer TypeInheritance BlockedPath
sccm computersOUYesacad.pharmax.local/Acad Computers/SCCM Computers
-
Table 125 - Blocked Inheritance GPO - ACAD.PHARMAX.LOCAL

-
Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.

1.3 Domain Name System Summary

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.

1.3.1 UIA.LOCAL DNS Configuration

The following section provides a configuration summary of the DNS service.

1.3.1.1 Infrastructure Summary

The following section provides a summary of the DNS Infrastructure configuration.

+
Table 145 - Blocked Inheritance GPO - ACAD.PHARMAX.LOCAL

+
Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.

1.3 Domain Name System Summary

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.

1.3.1 UIA.LOCAL DNS Configuration

The following section provides a configuration summary of the DNS service.

1.3.1.1 Infrastructure Summary

The following section provides a summary of the DNS Infrastructure configuration.

DC NameBuild NumberIPv6DnsSecReadOnly DCListening IP
DC-UIA-01V20348YesYesNofe80::fc0b:52e5:4931:6229
172.23.7.1
-
Table 126 - Infrastructure Setting - UIA.LOCAL

-
1.3.1.1.1 Domain Controller DNS IP Configuration
+
Table 146 - Infrastructure Setting - UIA.LOCAL

+
1.3.1.1.1 Domain Controller DNS IP Configuration
DC NameInterfaceDNS IP 1DNS IP 2DNS IP 3DNS IP 4
DC-UIA-01VEthernet0127.0.0.1192.168.5.1--
-
Table 127 - IP Configuration - UIA.LOCAL

-
Health Check:
Best Practices: DNS configuration on network adapter should include the loopback address, but not as the first entry.
1.3.1.1.2 Application Directory Partition
The following section provides Directory Partition information.

1.3.1.1.2.1 DC-UIA-01V Directory Partition
+
Table 147 - IP Configuration - UIA.LOCAL

+
Health Check:
Best Practices: DNS configuration on network adapter should include the loopback address, but not as the first entry.
1.3.1.1.2 Application Directory Partition
The following section provides Directory Partition information.

1.3.1.1.2.1 DC-UIA-01V Directory Partition
NameStateFlagsZone Count
DomainDnsZones.acad.pharmax.local-Not-Enlisted 0
DomainDnsZones.pharmax.local-Not-Enlisted 0
DomainDnsZones.uia.localDNS_DP_OKAYEnlisted Auto Domain 2
ForestDnsZones.pharmax.localDNS_DP_OKAYEnlisted Auto Forest 3
-
Table 128 - Directory Partitions - UIA.LOCAL

-
1.3.1.1.3 Response Rate Limiting (RRL)
+
Table 148 - Directory Partitions - UIA.LOCAL

+
1.3.1.1.3 Response Rate Limiting (RRL)
DC NameStatusResponses Per SecErrors Per SecWindow In SecLeak RateTruncate Rate
DC-UIA-01VDisable55532
-
Table 129 - Response Rate Limiting - UIA.LOCAL

-
1.3.1.1.4 Scavenging Options
+
Table 149 - Response Rate Limiting - UIA.LOCAL

+
1.3.1.1.4 Scavenging Options
DC NameNoRefresh IntervalRefresh IntervalScavenging IntervalLast Scavenge TimeScavenging State
DC-UIA-01V7.00:00:007.00:00:0000:00:00-Disabled
-
Table 130 - Scavenging - UIA.LOCAL

-
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.
1.3.1.1.5 Forwarder Options
+
Table 150 - Scavenging - UIA.LOCAL

+
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.
1.3.1.1.5 Forwarder Options
DC NameIP AddressTimeoutUse Root HintUse Recursion
DC-UIA-01V192.168.5.13/sYesYes
-
Table 131 - Forwarders - UIA.LOCAL

-
1.3.1.1.6 Root Hints
The following section provides Root Hints information.
1.3.1.1.6.1 DC-UIA-01V Root Hints
+
Table 151 - Forwarders - UIA.LOCAL

+
1.3.1.1.6 Root Hints
The following section provides Root Hints information.
1.3.1.1.6.1 DC-UIA-01V Root Hints
@@ -2102,81 +2595,81 @@
NameIP Address
a.root-servers.net.2001:503:ba3e::2:30
b.root-servers.net.2001:500:200::b
l.root-servers.net.2001:500:9f::42
m.root-servers.net.2001:dc3::35
-
Table 132 - Root Hints - UIA.LOCAL

-
1.3.1.1.7 Zone Scope Recursion
+
Table 152 - Root Hints - UIA.LOCAL

+
1.3.1.1.7 Zone Scope Recursion
DC NameZone NameForwarderUse Recursion
DC-UIA-01VRoot192.168.5.1Yes
-
Table 133 - Zone Scope Recursion - UIA.LOCAL

-

1.3.1.2 DC-UIA-01V DNS Zone Configuration

+
Table 153 - Zone Scope Recursion - UIA.LOCAL

+

1.3.1.2 DC-UIA-01V DNS Zone Configuration

Zone NameZone TypeReplication ScopeDynamic UpdateDS IntegratedRead OnlySigned
_msdcs.pharmax.localPrimaryForestSecureYesNoNo
TrustAnchorsPrimaryForestNoneYesNoNo
uia.localPrimaryDomainSecureYesNoNo
-
Table 134 - Zones - UIA.LOCAL

-
1.3.1.2.1 Reverse Lookup Zone Configuration
+
Table 154 - Zones - UIA.LOCAL

+
1.3.1.2.1 Reverse Lookup Zone Configuration
Zone NameZone TypeReplication ScopeDynamic UpdateDS IntegratedRead OnlySigned
0.in-addr.arpaPrimaryNoneNoneNoNoNo
127.in-addr.arpaPrimaryNoneNoneNoNoNo
255.in-addr.arpaPrimaryNoneNoneNoNoNo
70.23.172.in-addr.arpaPrimaryForestSecureYesNoNo
-
Table 135 - Zones - UIA.LOCAL

-
1.3.1.2.2 Zone Scope Aging Properties
+
Table 155 - Zones - UIA.LOCAL

+
1.3.1.2.2 Zone Scope Aging Properties
Zone NameAging EnabledRefresh IntervalNoRefresh IntervalAvailable For Scavenge
_msdcs.pharmax.localYes7.00:00:007.00:00:00Sat, 29 Jan 2022 18:00:00 GMT
TrustAnchorsYes7.00:00:007.00:00:00Thu, 07 Jan 2021 16:00:00 GMT
uia.localNo7.00:00:007.00:00:00-
-
Table 136 - Zone Aging Properties - UIA.LOCAL

-
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.

1.3.2 PHARMAX.LOCAL DNS Configuration

The following section provides a configuration summary of the DNS service.

1.3.2.1 Infrastructure Summary

The following section provides a summary of the DNS Infrastructure configuration.

+
Table 156 - Zone Aging Properties - UIA.LOCAL

+
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.

1.3.2 PHARMAX.LOCAL DNS Configuration

The following section provides a configuration summary of the DNS service.

1.3.2.1 Infrastructure Summary

The following section provides a summary of the DNS Infrastructure configuration.

DC NameBuild NumberIPv6DnsSecReadOnly DCListening IP
CAYEY-DC-01V17763YesNoNo10.10.33.1
SERVER-DC-01V17763YesNoNo192.168.5.1
-
Table 137 - Infrastructure Setting - PHARMAX.LOCAL

-
1.3.2.1.1 Domain Controller DNS IP Configuration
+
Table 157 - Infrastructure Setting - PHARMAX.LOCAL

+
1.3.2.1.1 Domain Controller DNS IP Configuration
- +
DC NameInterfaceDNS IP 1DNS IP 2DNS IP 3DNS IP 4
CAYEY-DC-01VEthernet0192.168.5.110.10.33.1127.0.0.1-
CAYEY-DC-01VEthernet010.10.33.1192.168.5.1127.0.0.1-
SERVER-DC-01VEthernet0192.168.5.1127.0.0.1--
-
Table 138 - IP Configuration - PHARMAX.LOCAL

-
1.3.2.1.2 Application Directory Partition
The following section provides Directory Partition information.

1.3.2.1.2.1 SERVER-DC-01V Directory Partition
+
Table 158 - IP Configuration - PHARMAX.LOCAL

+
1.3.2.1.2 Application Directory Partition
The following section provides Directory Partition information.

1.3.2.1.2.1 SERVER-DC-01V Directory Partition
NameStateFlagsZone Count
DomainDnsZones.acad.pharmax.local-Not-Enlisted 0
DomainDnsZones.pharmax.localDNS_DP_OKAYEnlisted Auto Domain 8
DomainDnsZones.uia.local-Not-Enlisted 0
ForestDnsZones.pharmax.localDNS_DP_OKAYEnlisted Auto Forest 3
-
Table 139 - Directory Partitions - PHARMAX.LOCAL

-
1.3.2.1.2.2 CAYEY-DC-01V Directory Partition
+
Table 159 - Directory Partitions - PHARMAX.LOCAL

+
1.3.2.1.2.2 CAYEY-DC-01V Directory Partition
NameStateFlagsZone Count
DomainDnsZones.acad.pharmax.local-Not-Enlisted 0
DomainDnsZones.pharmax.localDNS_DP_OKAYEnlisted Auto Domain 8
DomainDnsZones.uia.local-Not-Enlisted 0
ForestDnsZones.pharmax.localDNS_DP_OKAYEnlisted Auto Forest 3
-
Table 140 - Directory Partitions - PHARMAX.LOCAL

-
1.3.2.1.3 Response Rate Limiting (RRL)
+
Table 160 - Directory Partitions - PHARMAX.LOCAL

+
1.3.2.1.3 Response Rate Limiting (RRL)
DC NameStatusResponses Per SecErrors Per SecWindow In SecLeak RateTruncate Rate
CAYEY-DC-01VDisable55532
SERVER-DC-01VDisable55532
-
Table 141 - Response Rate Limiting - PHARMAX.LOCAL

-
1.3.2.1.4 Scavenging Options
+
Table 161 - Response Rate Limiting - PHARMAX.LOCAL

+
1.3.2.1.4 Scavenging Options
DC NameNoRefresh IntervalRefresh IntervalScavenging IntervalLast Scavenge TimeScavenging State
CAYEY-DC-01V7.00:00:007.00:00:0000:00:00-Disabled
SERVER-DC-01V7.00:00:007.00:00:007.00:00:00-Enabled
-
Table 142 - Scavenging - PHARMAX.LOCAL

-
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.
1.3.2.1.5 Forwarder Options
+
Table 162 - Scavenging - PHARMAX.LOCAL

+
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.
1.3.2.1.5 Forwarder Options
- +
DC NameIP AddressTimeoutUse Root HintUse Recursion
CAYEY-DC-01V192.168.5.13/sYesYes
SERVER-DC-01V10.0.0.138
8.8.8.8
3/sYesYes
SERVER-DC-01V8.8.8.8
10.0.0.138
3/sYesYes
-
Table 143 - Forwarders - PHARMAX.LOCAL

-
1.3.2.1.6 Root Hints
The following section provides Root Hints information.
1.3.2.1.6.1 SERVER-DC-01V Root Hints
+
Table 163 - Forwarders - PHARMAX.LOCAL

+
1.3.2.1.6 Root Hints
The following section provides Root Hints information.
1.3.2.1.6.1 SERVER-DC-01V Root Hints
@@ -2189,11 +2682,11 @@ - +
NameIP Address
a.root-servers.net.198.41.0.4
b.root-servers.net.199.9.14.201
i.root-servers.net.192.36.148.17
j.root-servers.net.192.58.128.30
k.root-servers.net.193.0.14.129
l.root-servers.net.199.7.83.42
l.root-servers.net.System.Object[]
m.root-servers.net.202.12.27.33
-
Table 144 - Root Hints - PHARMAX.LOCAL

-
1.3.2.1.6.2 CAYEY-DC-01V Root Hints
+
Table 164 - Root Hints - PHARMAX.LOCAL

+
1.3.2.1.6.2 CAYEY-DC-01V Root Hints
@@ -2209,14 +2702,14 @@
NameIP Address
a.root-servers.net.198.41.0.4
b.root-servers.net.199.9.14.201
l.root-servers.net.199.7.83.42
m.root-servers.net.202.12.27.33
-
Table 145 - Root Hints - PHARMAX.LOCAL

-
1.3.2.1.7 Zone Scope Recursion
+
Table 165 - Root Hints - PHARMAX.LOCAL

+
1.3.2.1.7 Zone Scope Recursion
- +
DC NameZone NameForwarderUse Recursion
CAYEY-DC-01VRoot192.168.5.1Yes
SERVER-DC-01VRoot10.0.0.138
8.8.8.8
Yes
SERVER-DC-01VRoot8.8.8.8
10.0.0.138
Yes
-
Table 146 - Zone Scope Recursion - PHARMAX.LOCAL

-

1.3.2.2 SERVER-DC-01V DNS Zone Configuration

+
Table 166 - Zone Scope Recursion - PHARMAX.LOCAL

+

1.3.2.2 SERVER-DC-01V DNS Zone Configuration

@@ -2224,19 +2717,19 @@
Zone NameZone TypeReplication ScopeDynamic UpdateDS IntegratedRead OnlySigned
_msdcs.pharmax.localPrimaryForestSecureYesNoNo
pharmax.localPrimaryDomainSecureYesNoNo
uia.localStubDomain-YesNo-
zenprsolutions.localStubDomain-YesNo-
-
Table 147 - Zones - PHARMAX.LOCAL

-
1.3.2.2.1 Zone Delegation
+
Table 167 - Zones - PHARMAX.LOCAL

+
1.3.2.2.1 Zone Delegation
Zone NameChild ZoneName ServerIP Address
pharmax.localacad.pharmax.local.ACADE-DC-01V.acad.pharmax.local.172.23.4.1
pharmax.local_msdcs.pharmax.local.server-dc-01v.pharmax.local.192.168.5.1
-
Table 148 - Zone Delegations - PHARMAX.LOCAL

-
1.3.2.2.2 Zone Transfers
+
Table 168 - Zone Delegations - PHARMAX.LOCAL

+
1.3.2.2.2 Zone Transfers
Zone NameSecondary ServersNotify ServersSecure Secondaries
pharmax.local172.23.4.1-Send zone transfers only to name servers that are authoritative for the zone.
-
Table 149 - Zone Transfers - pharmax.local

-
1.3.2.2.3 Reverse Lookup Zone Configuration
+
Table 169 - Zone Transfers - pharmax.local

+
1.3.2.2.3 Reverse Lookup Zone Configuration
@@ -2246,20 +2739,20 @@
Zone NameZone TypeReplication ScopeDynamic UpdateDS IntegratedRead OnlySigned
0.in-addr.arpaPrimaryNoneNoneNoNoNo
10.10.in-addr.arpaPrimaryDomainSecureYesNoNo
255.in-addr.arpaPrimaryNoneNoneNoNoNo
70.23.172.in-addr.arpaPrimaryForestSecureYesNoNo
-
Table 150 - Zones - PHARMAX.LOCAL

-
1.3.2.2.4 Conditional Forwarder
+
Table 170 - Zones - PHARMAX.LOCAL

+
1.3.2.2.4 Conditional Forwarder
Zone NameZone TypeReplication ScopeMaster ServersDS Integrated
zenprsolutions.govForwarderDomain8.8.8.8Yes
-
Table 151 - Conditional Forwarders - PHARMAX.LOCAL

-
1.3.2.2.5 Zone Scope Aging Properties
+
Table 171 - Conditional Forwarders - PHARMAX.LOCAL

+
1.3.2.2.5 Zone Scope Aging Properties
- - - + + +
Zone NameAging EnabledRefresh IntervalNoRefresh IntervalAvailable For Scavenge
_msdcs.pharmax.localYes7.00:00:007.00:00:00Wed, 18 May 2022 17:00:00 GMT
pharmax.localYes7.00:00:007.00:00:00Wed, 18 May 2022 17:00:00 GMT
TrustAnchorsYes7.00:00:007.00:00:00Wed, 18 May 2022 17:00:00 GMT
_msdcs.pharmax.localYes7.00:00:007.00:00:00Fri, 29 Jul 2022 17:00:00 GMT
pharmax.localYes7.00:00:007.00:00:00Fri, 29 Jul 2022 17:00:00 GMT
TrustAnchorsYes7.00:00:007.00:00:00Fri, 29 Jul 2022 17:00:00 GMT
-
Table 152 - Zone Aging Properties - PHARMAX.LOCAL

-

1.3.2.3 CAYEY-DC-01V DNS Zone Configuration

+
Table 172 - Zone Aging Properties - PHARMAX.LOCAL

+

1.3.2.3 CAYEY-DC-01V DNS Zone Configuration

@@ -2268,14 +2761,14 @@
Zone NameZone TypeReplication ScopeDynamic UpdateDS IntegratedRead OnlySigned
_msdcs.pharmax.localPrimaryForestSecureYesNoNo
pharmax.localPrimaryDomainSecureYesNoNo
zenpr.localSecondary--NoNo-
zenprsolutions.localStubDomain-YesNo-
-
Table 153 - Zones - PHARMAX.LOCAL

-
1.3.2.3.1 Zone Delegation
+
Table 173 - Zones - PHARMAX.LOCAL

+
1.3.2.3.1 Zone Delegation
Zone NameChild ZoneName ServerIP Address
pharmax.localacad.pharmax.local.ACADE-DC-01V.acad.pharmax.local.172.23.4.1
pharmax.local_msdcs.pharmax.local.server-dc-01v.pharmax.local.192.168.5.1
-
Table 154 - Zone Delegations - PHARMAX.LOCAL

-
1.3.2.3.2 Reverse Lookup Zone Configuration
+
Table 174 - Zone Delegations - PHARMAX.LOCAL

+
1.3.2.3.2 Reverse Lookup Zone Configuration
@@ -2285,90 +2778,90 @@
Zone NameZone TypeReplication ScopeDynamic UpdateDS IntegratedRead OnlySigned
0.in-addr.arpaPrimaryNoneNoneNoNoNo
10.10.in-addr.arpaPrimaryDomainSecureYesNoNo
255.in-addr.arpaPrimaryNoneNoneNoNoNo
70.23.172.in-addr.arpaPrimaryForestSecureYesNoNo
-
Table 155 - Zones - PHARMAX.LOCAL

-
1.3.2.3.3 Conditional Forwarder
+
Table 175 - Zones - PHARMAX.LOCAL

+
1.3.2.3.3 Conditional Forwarder
Zone NameZone TypeReplication ScopeMaster ServersDS Integrated
zenprsolutions.eduForwarderNone1.1.1.1No
zenprsolutions.govForwarderDomain8.8.8.8Yes
-
Table 156 - Conditional Forwarders - PHARMAX.LOCAL

-
1.3.2.3.4 Zone Scope Aging Properties
+
Table 176 - Conditional Forwarders - PHARMAX.LOCAL

+
1.3.2.3.4 Zone Scope Aging Properties
Zone NameAging EnabledRefresh IntervalNoRefresh IntervalAvailable For Scavenge
_msdcs.pharmax.localYes7.00:00:007.00:00:00Sat, 29 Jan 2022 18:00:00 GMT
pharmax.localYes7.00:00:007.00:00:00Fri, 24 Sep 2021 23:00:00 GMT
TrustAnchorsYes7.00:00:007.00:00:00Thu, 07 Jan 2021 16:00:00 GMT
-
Table 157 - Zone Aging Properties - PHARMAX.LOCAL

-

1.3.3 ACAD.PHARMAX.LOCAL DNS Configuration

The following section provides a configuration summary of the DNS service.

1.3.3.1 Infrastructure Summary

The following section provides a summary of the DNS Infrastructure configuration.

+
Table 177 - Zone Aging Properties - PHARMAX.LOCAL

+

1.3.3 ACAD.PHARMAX.LOCAL DNS Configuration

The following section provides a configuration summary of the DNS service.

1.3.3.1 Infrastructure Summary

The following section provides a summary of the DNS Infrastructure configuration.

DC NameBuild NumberIPv6DnsSecReadOnly DCListening IP
ACADE-DC-01V17763YesNoNo172.23.4.1
-
Table 158 - Infrastructure Setting - ACAD.PHARMAX.LOCAL

-
1.3.3.1.1 Domain Controller DNS IP Configuration
+
Table 178 - Infrastructure Setting - ACAD.PHARMAX.LOCAL

+
1.3.3.1.1 Domain Controller DNS IP Configuration
- +
DC NameInterfaceDNS IP 1DNS IP 2DNS IP 3DNS IP 4
ACADE-DC-01VEthernet0172.23.4.1192.168.5.1127.0.0.1-
ACADE-DC-01VEthernet0172.23.4.1192.168.5.110.10.33.1127.0.0.1
-
Table 159 - IP Configuration - ACAD.PHARMAX.LOCAL

-
1.3.3.1.2 Application Directory Partition
The following section provides Directory Partition information.

1.3.3.1.2.1 ACADE-DC-01V Directory Partition
+
Table 179 - IP Configuration - ACAD.PHARMAX.LOCAL

+
1.3.3.1.2 Application Directory Partition
The following section provides Directory Partition information.

1.3.3.1.2.1 ACADE-DC-01V Directory Partition
NameStateFlagsZone Count
DomainDnsZones.acad.pharmax.localDNS_DP_OKAYEnlisted Auto Domain 3
DomainDnsZones.pharmax.local-Not-Enlisted 0
DomainDnsZones.uia.local-Not-Enlisted 0
ForestDnsZones.pharmax.localDNS_DP_OKAYEnlisted Auto Forest 3
-
Table 160 - Directory Partitions - ACAD.PHARMAX.LOCAL

-
1.3.3.1.3 Response Rate Limiting (RRL)
+
Table 180 - Directory Partitions - ACAD.PHARMAX.LOCAL

+
1.3.3.1.3 Response Rate Limiting (RRL)
DC NameStatusResponses Per SecErrors Per SecWindow In SecLeak RateTruncate Rate
ACADE-DC-01VDisable55532
-
Table 161 - Response Rate Limiting - ACAD.PHARMAX.LOCAL

-
1.3.3.1.4 Scavenging Options
+
Table 181 - Response Rate Limiting - ACAD.PHARMAX.LOCAL

+
1.3.3.1.4 Scavenging Options
DC NameNoRefresh IntervalRefresh IntervalScavenging IntervalLast Scavenge TimeScavenging State
ACADE-DC-01V7.00:00:007.00:00:0000:00:00-Disabled
-
Table 162 - Scavenging - ACAD.PHARMAX.LOCAL

-
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.
1.3.3.1.5 Forwarder Options
+
Table 182 - Scavenging - ACAD.PHARMAX.LOCAL

+
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.
1.3.3.1.5 Forwarder Options
DC NameIP AddressTimeoutUse Root HintUse Recursion
ACADE-DC-01V192.168.5.13/sYesYes
-
Table 163 - Forwarders - ACAD.PHARMAX.LOCAL

-
1.3.3.1.6 Root Hints
The following section provides Root Hints information.
1.3.3.1.6.1 ACADE-DC-01V Root Hints
+
Table 183 - Forwarders - ACAD.PHARMAX.LOCAL

+
1.3.3.1.6 Root Hints
The following section provides Root Hints information.
1.3.3.1.6.1 ACADE-DC-01V Root Hints
- - - - - - - - - - - - - -
NameIP Address
a.root-servers.net.198.41.0.4
b.root-servers.net.199.9.14.201
c.root-servers.net.2001:500:2::c
d.root-servers.net.2001:500:2d::d
e.root-servers.net.2001:500:a8::e
f.root-servers.net.2001:500:2f::f
g.root-servers.net.2001:500:12::d0d
h.root-servers.net.2001:500:1::53
i.root-servers.net.2001:7fe::53
j.root-servers.net.2001:503:c27::2:30
k.root-servers.net.2001:7fd::1
l.root-servers.net.2001:500:9f::42
m.root-servers.net.2001:dc3::35
-
Table 164 - Root Hints - ACAD.PHARMAX.LOCAL

-
1.3.3.1.7 Zone Scope Recursion
+ + + + + + + + + + + + + +
a.root-servers.net.2001:503:ba3e::2:30, System.Object[]
b.root-servers.net.2001:500:200::b, System.Object[]
c.root-servers.net.2001:500:2::c, 192.33.4.12
d.root-servers.net.2001:500:2d::d, 199.7.91.13
e.root-servers.net.2001:500:a8::e, 192.203.230.10
f.root-servers.net.2001:500:2f::f, 192.5.5.241
g.root-servers.net.2001:500:12::d0d, 192.112.36.4
h.root-servers.net.2001:500:1::53, 198.97.190.53
i.root-servers.net.2001:7fe::53, 192.36.148.17
j.root-servers.net.2001:503:c27::2:30, 192.58.128.30
k.root-servers.net.2001:7fd::1, 193.0.14.129
l.root-servers.net.2001:500:9f::42, 199.7.83.42
m.root-servers.net.2001:dc3::35, 202.12.27.33
+
Table 184 - Root Hints - ACAD.PHARMAX.LOCAL

+
1.3.3.1.7 Zone Scope Recursion
DC NameZone NameForwarderUse Recursion
ACADE-DC-01VRoot192.168.5.1Yes
-
Table 165 - Zone Scope Recursion - ACAD.PHARMAX.LOCAL

-

1.3.3.2 ACADE-DC-01V DNS Zone Configuration

+
Table 185 - Zone Scope Recursion - ACAD.PHARMAX.LOCAL

+

1.3.3.2 ACADE-DC-01V DNS Zone Configuration

Zone NameZone TypeReplication ScopeDynamic UpdateDS IntegratedRead OnlySigned
_msdcs.pharmax.localPrimaryForestSecureYesNoNo
acad.pharmax.localPrimaryDomainSecureYesNoNo
TrustAnchorsPrimaryForestNoneYesNoNo
zenpr.localSecondary--NoNo-
-
Table 166 - Zones - ACAD.PHARMAX.LOCAL

-
1.3.3.2.1 Zone Transfers
+
Table 186 - Zones - ACAD.PHARMAX.LOCAL

+
1.3.3.2.1 Zone Transfers
Zone NameSecondary ServersNotify ServersSecure Secondaries
acad.pharmax.local172.23.4.2, 10.10.40.2172.23.4.2Send zone transfers only to servers you specify in Secondary Servers.
zenpr.local172.23.4.2172.24.4.2Send zone transfers to all secondary servers that request them.
-
Table 167 - Zone Transfers - zenpr.local

-
Health Check:
Best Practices: Configure all DNS zones only to allow zone transfers from Trusted IP addresses.
1.3.3.2.2 Reverse Lookup Zone Configuration
+
Table 187 - Zone Transfers - zenpr.local

+
Health Check:
Best Practices: Configure all DNS zones only to allow zone transfers from Trusted IP addresses.
1.3.3.2.2 Reverse Lookup Zone Configuration
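Review bot: The added ACADE-DC-01V Root Hints rows render `System.Object[]` as the IP address for a.root-servers.net and b.root-servers.net, which is PowerShell's default string form of an array that was never flattened, so the regenerated sample is shipping a formatting defect rather than the address list. The generator should join the address collection into a single string (for example with `-join ', '`) before the value is written into the table cell, and the other rows in the same table show the expected `ipv6, ipv4` form that the join should produce. The same artifact is already present on the unchanged `l.root-servers.net.System.Object[]` row in the PHARMAX.LOCAL Root Hints table earlier in this file, so the underlying issue appears to predate this commit and this hunk only makes it more visible. Because this is a sample report, the fix belongs in the root-hints collection code rather than in this file.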
@@ -2376,104 +2869,104 @@
Zone NameZone TypeReplication ScopeDynamic UpdateDS IntegratedRead OnlySigned
0.23.172.in-addr.arpaPrimaryDomainSecureYesNoNo
0.in-addr.arpaPrimaryNoneNoneNoNoNo
255.in-addr.arpaPrimaryNoneNoneNoNoNo
70.23.172.in-addr.arpaPrimaryForestSecureYesNoNo
-
Table 168 - Zones - ACAD.PHARMAX.LOCAL

-
1.3.3.2.3 Conditional Forwarder
+
Table 188 - Zones - ACAD.PHARMAX.LOCAL

+
1.3.3.2.3 Conditional Forwarder
Zone NameZone TypeReplication ScopeMaster ServersDS Integrated
zenprsolutions.localForwarderNone8.8.8.8No
-
Table 169 - Conditional Forwarders - ACAD.PHARMAX.LOCAL

-
1.3.3.2.4 Zone Scope Aging Properties
+
Table 189 - Conditional Forwarders - ACAD.PHARMAX.LOCAL

+
1.3.3.2.4 Zone Scope Aging Properties
Zone NameAging EnabledRefresh IntervalNoRefresh IntervalAvailable For Scavenge
_msdcs.pharmax.localYes7.00:00:007.00:00:00Sat, 29 Jan 2022 18:00:00 GMT
acad.pharmax.localNo7.00:00:007.00:00:00-
TrustAnchorsYes7.00:00:007.00:00:00Thu, 07 Jan 2021 16:00:00 GMT
-
Table 170 - Zone Aging Properties - ACAD.PHARMAX.LOCAL

-
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.

1.4 Dynamic Host Configuration Protocol Summary

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client/server architecture.

1.4.1 UIA.LOCAL Domain DHCP Configuration

The following section provides a summary of the Dynamic Host Configuration Protocol.

1.4.1.1 DHCP Servers In Active Directory

The following section provides a summary of the DHCP servers information on UIA.LOCAL.

+
Table 190 - Zone Aging Properties - ACAD.PHARMAX.LOCAL

+
Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.

1.4 Dynamic Host Configuration Protocol Summary

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client/server architecture.

1.4.1 UIA.LOCAL Domain DHCP Configuration

The following section provides a summary of the Dynamic Host Configuration Protocol.

1.4.1.1 DHCP Servers In Active Directory

The following section provides a summary of the DHCP servers information on UIA.LOCAL.

DC NameIP AddressDomain NameDomain JoinedAuthorizedConflict Detection Attempts
dc-uia-01v172.23.7.1uia.localYesYes0
-
Table 171 - DHCP Servers In Active Directory - UIA.LOCAL

-
1.4.1.1.1 Service Database
+
Table 191 - DHCP Servers In Active Directory - UIA.LOCAL

+
1.4.1.1.1 Service Database
DC NameFile PathBackup PathBackup IntervalLogging Enabled
dc-uia-01vC:\Windows\system32\dhcp\dhcp.mdbC:\Windows\system32\dhcp\backup60 minYes
-
Table 172 - DHCP Servers Database - UIA.LOCAL

-
1.4.1.1.2 Dynamic DNS credentials
+
Table 192 - DHCP Servers Database - UIA.LOCAL

+
1.4.1.1.2 Dynamic DNS credentials
DC NameUser NameDomain Name
dc-uia-01v--
-
Table 173 - DHCP Servers Dynamic DNS Credentials - UIA.LOCAL

-
Health Check:
Best Practice: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

1.4.1.2 IPv4 Scope Configuration

The following section provides a IPv4 configuration summary of the Dynamic Host Configuration Protocol.

1.4.1.2.1 IPv4 Service Statistics
+
Table 193 - DHCP Servers Dynamic DNS Credentials - UIA.LOCAL

+
Health Check:
Best Practice: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

1.4.1.2 IPv4 Scope Configuration

The following section provides a IPv4 configuration summary of the Dynamic Host Configuration Protocol.

1.4.1.2.1 IPv4 Service Statistics
DC NameTotal ScopesTotal AddressesAddresses In UseAddresses AvailablePercentage In UsePercentage Available
dc-uia-01v124402440100
-
Table 174 - DHCP Server IPv4 Statistics - UIA.LOCAL

-
1.4.1.2.2 DC-UIA-01V IPv4 Scopes
The following section provides detailed information of the IPv4 Scope configuration.

+
Table 194 - DHCP Server IPv4 Statistics - UIA.LOCAL

+
1.4.1.2.2 DC-UIA-01V IPv4 Scopes
The following section provides detailed information of the IPv4 Scope configuration.

Scope IdScope NameScope RangeLease DurationState
172.23.7.0/24UIA Admin Scope172.23.7.10 - 172.23.7.2538.00:00:00Active
-
Table 175 - IPv4 Scopes - DC-UIA-01V

-
1.4.1.2.2.1 IPv4 Scope Statistics
+
Table 195 - IPv4 Scopes - DC-UIA-01V

+
1.4.1.2.2.1 IPv4 Scope Statistics
Scope IdFree IPIn Use IPPercentage In UseReserved IP
172.23.7.0244000
-
Table 176 - IPv4 Scope Statistics - DC-UIA-01V

-
1.4.1.2.2.2 IPv4 Network Interface Binding
+
Table 196 - IPv4 Scope Statistics - DC-UIA-01V

+
1.4.1.2.2.2 IPv4 Network Interface Binding
Interface AliasIP AddressSubnet MaskState
Ethernet0172.23.7.1255.255.255.0Enabled
-
Table 177 - IPv4 Network Interface binding - DC-UIA-01V

-
1.4.1.2.3 Scope Options
The following section provides a summary of the DHCP servers IPv4 Scope Server Options information.
1.4.1.2.3.1 172.23.7.0
+
Table 197 - IPv4 Network Interface binding - DC-UIA-01V

+
1.4.1.2.3 Scope Options
The following section provides a summary of the DHCP servers IPv4 Scope Server Options information.
1.4.1.2.3.1 172.23.7.0
NameOption IdValuePolicy Name
Router3172.23.7.254-
DNS Servers6172.23.7.1
192.168.5.1
-
DNS Domain Name15uia.local-
Lease51691200-
-
Table 178 - IPv4 Scopes Options - 172.23.7.0

-

1.4.1.3 IPv6 Scope Configuration

The following section provides a IPv6 configuration summary of the Dynamic Host Configuration Protocol.

1.4.1.3.1 IPv6 Service Statistics
+
Table 198 - IPv4 Scopes Options - 172.23.7.0

+

1.4.1.3 IPv6 Scope Configuration

The following section provides a IPv6 configuration summary of the Dynamic Host Configuration Protocol.

1.4.1.3.1 IPv6 Service Statistics
DC NameTotal ScopesTotal AddressesAddresses In UseAddresses AvailablePercentage In UsePercentage Available
dc-uia-01v000000
-
Table 179 - DHCP Server IPv6 Statistics - UIA.LOCAL

-

1.4.2 PHARMAX.LOCAL Domain DHCP Configuration

The following section provides a summary of the Dynamic Host Configuration Protocol.

1.4.2.1 DHCP Servers In Active Directory

The following section provides a summary of the DHCP servers information on PHARMAX.LOCAL.

+
Table 199 - DHCP Server IPv6 Statistics - UIA.LOCAL

+

1.4.2 PHARMAX.LOCAL Domain DHCP Configuration

The following section provides a summary of the Dynamic Host Configuration Protocol.

1.4.2.1 DHCP Servers In Active Directory

The following section provides a summary of the DHCP servers information on PHARMAX.LOCAL.

DC NameIP AddressDomain NameDomain JoinedAuthorizedConflict Detection Attempts
cayey-dc-01v10.10.33.1pharmax.localYesYes0
server-dc-01v192.168.5.1pharmax.localYesYes1
-
Table 180 - DHCP Servers In Active Directory - PHARMAX.LOCAL

-
1.4.2.1.1 Service Database
+
Table 200 - DHCP Servers In Active Directory - PHARMAX.LOCAL

+
1.4.2.1.1 Service Database
DC NameFile PathBackup PathBackup IntervalLogging Enabled
cayey-dc-01vC:\Windows\system32\dhcp\dhcp.mdbC:\Windows\system32\dhcp\backup60 minYes
server-dc-01vC:\Windows\system32\dhcp\dhcp.mdbC:\Windows\system32\dhcp\backup60 minYes
-
Table 181 - DHCP Servers Database - PHARMAX.LOCAL

-
1.4.2.1.2 Dynamic DNS credentials
+
Table 201 - DHCP Servers Database - PHARMAX.LOCAL

+
1.4.2.1.2 Dynamic DNS credentials
DC NameUser NameDomain Name
cayey-dc-01v--
server-dc-01vadministratorPHARMAX.LOCAL
-
Table 182 - DHCP Servers Dynamic DNS Credentials - PHARMAX.LOCAL

-
Health Check:
Best Practice: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

1.4.2.2 IPv4 Scope Configuration

The following section provides a IPv4 configuration summary of the Dynamic Host Configuration Protocol.

1.4.2.2.1 IPv4 Service Statistics
+
Table 202 - DHCP Servers Dynamic DNS Credentials - PHARMAX.LOCAL

+
Health Check:
Best Practice: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

1.4.2.2 IPv4 Scope Configuration

The following section provides a IPv4 configuration summary of the Dynamic Host Configuration Protocol.

1.4.2.2.1 IPv4 Service Statistics
DC NameTotal ScopesTotal AddressesAddresses In UseAddresses AvailablePercentage In UsePercentage Available
cayey-dc-01v221402140100
server-dc-01v9187419116831090
-
Table 183 - DHCP Server IPv4 Statistics - PHARMAX.LOCAL

-
1.4.2.2.2 CAYEY-DC-01V IPv4 Scopes
The following section provides detailed information of the IPv4 Scope configuration.

+
Table 203 - DHCP Server IPv4 Statistics - PHARMAX.LOCAL

+
1.4.2.2.2 CAYEY-DC-01V IPv4 Scopes
The following section provides detailed information of the IPv4 Scope configuration.

Scope IdScope NameScope RangeLease DurationState
10.10.33.0/24ESX-VM-NETWORK-DR10.10.33.40 - 10.10.33.253100.00:00:00Active
10.10.34.0/24ESXi-ISCSI-BLOCK-A-DR10.10.34.10 - 10.10.34.2538.00:00:00Inactive
-
Table 184 - IPv4 Scopes - CAYEY-DC-01V

-
Health Check:
Corrective Action: Ensure inactive scope are removed from DHCP server.
1.4.2.2.2.1 IPv4 Scope Statistics
+
Table 204 - IPv4 Scopes - CAYEY-DC-01V

+
Health Check:
Corrective Action: Ensure inactive scope are removed from DHCP server.
1.4.2.2.2.1 IPv4 Scope Statistics
Scope IdFree IPIn Use IPPercentage In UseReserved IP
10.10.33.0214003
10.10.34.00000
-
Table 185 - IPv4 Scope Statistics - CAYEY-DC-01V

-
1.4.2.2.2.2 IPv4 Scope Failover
+
Table 205 - IPv4 Scope Statistics - CAYEY-DC-01V

+
1.4.2.2.2.2 IPv4 Scope Failover
@@ -2488,7 +2981,7 @@
DHCP Servercayey-dc-01v.pharmax.local
Partner DHCP Serverserver-dc-01v.pharmax.local
Auto State TransitionNo
Authetication EnableYes
-
Table 186 - IPv4 Scope Failover Cofiguration - CAYEY-DC-01V

+
Table 206 - IPv4 Scope Failover Cofiguration - CAYEY-DC-01V

@@ -2504,21 +2997,21 @@
DHCP Servercayey-dc-01v.pharmax.local
Auto State TransitionYes
Authetication EnableNo
-
Table 187 - IPv4 Scope Failover Cofiguration - CAYEY-DC-01V

-
Health Check:
Corrective Action: Ensure Dhcp servers require authentication (a shared secret) in order to secure communications between failover partners.
1.4.2.2.2.3 IPv4 Network Interface Binding
+
Table 207 - IPv4 Scope Failover Cofiguration - CAYEY-DC-01V

+
Health Check:
Corrective Action: Ensure Dhcp servers require authentication (a shared secret) in order to secure communications between failover partners.
1.4.2.2.2.3 IPv4 Network Interface Binding
Interface AliasIP AddressSubnet MaskState
Ethernet010.10.33.1255.255.255.0Enabled
-
Table 188 - IPv4 Network Interface binding - CAYEY-DC-01V

-
1.4.2.2.3 CAYEY-DC-01V IPv4 Scope Server Options
+
Table 208 - IPv4 Network Interface binding - CAYEY-DC-01V

+
1.4.2.2.3 CAYEY-DC-01V IPv4 Scope Server Options
NameOption IdValuePolicy Name
Time Offset20-
Time Server410.10.33.1-
Name Servers510.10.33.1-
DNS Servers610.10.33.1
192.168.5.1
-
-
Table 189 - IPv4 Scopes Server Options - CAYEY-DC-01V

-
1.4.2.2.3.1 Scope DNS Setting
The following section provides a summary of the DHCP servers IPv4 Scope DNS Setting information.

+
Table 209 - IPv4 Scopes Server Options - CAYEY-DC-01V

+
1.4.2.2.3.1 Scope DNS Setting
The following section provides a summary of the DHCP servers IPv4 Scope DNS Setting information.

@@ -2527,8 +3020,8 @@
Dynamic UpdatesOnClientRequest
Dns Suffix-
Disable Dns Ptr RR UpdateNo
Delete Dns RR On Lease ExpiryYes
-
Table 190 - IPv4 Scopes DNS Setting - cayey-dc-01v

-
Health Check:
Best Practice: 'Always dynamically update dns records' should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.
1.4.2.2.4 Scope Options
The following section provides a summary of the DHCP servers IPv4 Scope Server Options information.
1.4.2.2.4.1 10.10.33.0
+
Table 210 - IPv4 Scopes DNS Setting - cayey-dc-01v

+
Health Check:
Best Practice: 'Always dynamically update dns records' should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.
1.4.2.2.4 Scope Options
The following section provides a summary of the DHCP servers IPv4 Scope Server Options information.
1.4.2.2.4.1 10.10.33.0
@@ -2536,16 +3029,16 @@
NameOption IdValuePolicy Name
Router310.10.33.254-
Lease518640000-
Bootfile Name67snponly64.efi.vmw-hardwired-
 8123-
-
Table 191 - IPv4 Scopes Options - 10.10.33.0

-
1.4.2.2.4.2 10.10.34.0
+
Table 211 - IPv4 Scopes Options - 10.10.33.0

+
1.4.2.2.4.2 10.10.34.0
NameOption IdValuePolicy Name
Router310.10.34.254-
DNS Servers6192.168.5.1
192.168.5.1
-
DNS Domain Name15pharmax.local-
Lease51691200-
-
Table 192 - IPv4 Scopes Options - 10.10.34.0

-
1.4.2.2.5 SERVER-DC-01V IPv4 Scopes
The following section provides detailed information of the IPv4 Scope configuration.

+
Table 212 - IPv4 Scopes Options - 10.10.34.0

+
1.4.2.2.5 SERVER-DC-01V IPv4 Scopes
The following section provides detailed information of the IPv4 Scope configuration.

@@ -2557,21 +3050,21 @@
Scope IdScope NameScope RangeLease DurationState
10.10.32.0/24ESXi-vMotion-DR10.10.32.10 - 10.10.32.2508.00:00:00Active
10.10.33.0/24ESX-VM-NETWORK-DR10.10.33.40 - 10.10.33.253100.00:00:00Active
192.168.6.0/24ESXi-ISCSI-BLOCK-A192.168.6.10 - 192.168.6.2408.00:00:00Active
192.168.7.0/24ESX-VM-NETWORK192.168.7.40 - 192.168.7.253UnlimitedActive
-
Table 193 - IPv4 Scopes - SERVER-DC-01V

-
1.4.2.2.5.1 IPv4 Scope Statistics
+
Table 213 - IPv4 Scopes - SERVER-DC-01V

+
1.4.2.2.5.1 IPv4 Scope Statistics
- - - + + + - - + +
Scope IdFree IPIn Use IPPercentage In UseReserved IP
10.10.32.0239210
10.10.33.0214002
10.10.34.0244000
10.10.35.0242210
192.168.12.0224732
192.168.2.0242210
10.10.35.0243100
192.168.12.0227422
192.168.2.0243100
192.168.4.011000
192.168.6.0224732
192.168.7.0431718017
192.168.6.0227422
192.168.7.0351798417
-
Table 194 - IPv4 Scope Statistics - SERVER-DC-01V

-
1.4.2.2.5.2 IPv4 Scope Failover
+
Table 214 - IPv4 Scope Statistics - SERVER-DC-01V

+
1.4.2.2.5.2 IPv4 Scope Failover
@@ -2586,7 +3079,7 @@
DHCP Serverserver-dc-01v.pharmax.local
Partner DHCP Servercayey-dc-01v.pharmax.local
Auto State TransitionNo
Authetication EnableYes
-
Table 195 - IPv4 Scope Failover Cofiguration - SERVER-DC-01V

+
Table 215 - IPv4 Scope Failover Cofiguration - SERVER-DC-01V

@@ -2602,13 +3095,13 @@
DHCP Serverserver-dc-01v.pharmax.local
Auto State TransitionYes
Authetication EnableNo
-
Table 196 - IPv4 Scope Failover Cofiguration - SERVER-DC-01V

-
Health Check:
Corrective Action: Ensure Dhcp servers require authentication (a shared secret) in order to secure communications between failover partners.
1.4.2.2.5.3 IPv4 Network Interface Binding
+
Table 216 - IPv4 Scope Failover Cofiguration - SERVER-DC-01V

+
Health Check:
Corrective Action: Ensure Dhcp servers require authentication (a shared secret) in order to secure communications between failover partners.
1.4.2.2.5.3 IPv4 Network Interface Binding
Interface AliasIP AddressSubnet MaskState
Ethernet0192.168.5.1255.255.255.0Enabled
-
Table 197 - IPv4 Network Interface binding - SERVER-DC-01V

-
1.4.2.2.6 SERVER-DC-01V IPv4 Scope Server Options
+
Table 217 - IPv4 Network Interface binding - SERVER-DC-01V

+
1.4.2.2.6 SERVER-DC-01V IPv4 Scope Server Options
@@ -2618,8 +3111,8 @@
NameOption IdValuePolicy Name
Time Server4192.168.5.1-
Name Servers5192.168.5.1-
Post Office Protocol (POP3) Servers70192.168.7.21-
 8155-
-
Table 198 - IPv4 Scopes Server Options - SERVER-DC-01V

-
1.4.2.2.6.1 Scope DNS Setting
The following section provides a summary of the DHCP servers IPv4 Scope DNS Setting information.

+
Table 218 - IPv4 Scopes Server Options - SERVER-DC-01V

+
1.4.2.2.6.1 Scope DNS Setting
The following section provides a summary of the DHCP servers IPv4 Scope DNS Setting information.

@@ -2628,15 +3121,15 @@
Dynamic UpdatesAlways
Dns Suffix-
Disable Dns Ptr RR UpdateNo
Delete Dns RR On Lease ExpiryYes
-
Table 199 - IPv4 Scopes DNS Setting - server-dc-01v

-
1.4.2.2.7 Scope Options
The following section provides a summary of the DHCP servers IPv4 Scope Server Options information.
1.4.2.2.7.1 10.10.32.0
+
Table 219 - IPv4 Scopes DNS Setting - server-dc-01v

+
1.4.2.2.7 Scope Options
The following section provides a summary of the DHCP servers IPv4 Scope Server Options information.
1.4.2.2.7.1 10.10.32.0
NameOption IdValuePolicy Name
Router310.10.32.254-
DNS Domain Name15pharmax.local-
Lease51691200-
-
Table 200 - IPv4 Scopes Options - 10.10.32.0

-
1.4.2.2.7.2 10.10.33.0
+
Table 220 - IPv4 Scopes Options - 10.10.32.0

+
1.4.2.2.7.2 10.10.33.0
@@ -2644,42 +3137,42 @@
NameOption IdValuePolicy Name
Router310.10.33.254-
Lease518640000-
Bootfile Name67snponly64.efi.vmw-hardwired-
 8123-
-
Table 201 - IPv4 Scopes Options - 10.10.33.0

-
1.4.2.2.7.3 10.10.34.0
+
Table 221 - IPv4 Scopes Options - 10.10.33.0

+
1.4.2.2.7.3 10.10.34.0
NameOption IdValuePolicy Name
DNS Servers6192.168.5.1
192.168.5.1
-
DNS Domain Name15pharmax.local-
Lease51691200-
-
Table 202 - IPv4 Scopes Options - 10.10.34.0

-
1.4.2.2.7.4 10.10.35.0
+
Table 222 - IPv4 Scopes Options - 10.10.34.0

+
1.4.2.2.7.4 10.10.35.0
NameOption IdValuePolicy Name
DNS Servers6192.168.5.1
192.168.5.1
-
DNS Domain Name15pharmax.local-
Lease51691200-
-
Table 203 - IPv4 Scopes Options - 10.10.35.0

-
1.4.2.2.7.5 192.168.2.0
+
Table 223 - IPv4 Scopes Options - 10.10.35.0

+
1.4.2.2.7.5 192.168.2.0
NameOption IdValuePolicy Name
Router3192.168.2.254-
DNS Domain Name15pharmax.local-
Lease51691200-
-
Table 204 - IPv4 Scopes Options - 192.168.2.0

-
1.4.2.2.7.6 192.168.4.0
+
Table 224 - IPv4 Scopes Options - 192.168.2.0

+
1.4.2.2.7.6 192.168.4.0
NameOption IdValuePolicy Name
Router3192.168.4.254-
DNS Domain Name15pharmax.local-
Lease51691200-
-
Table 205 - IPv4 Scopes Options - 192.168.4.0

-
1.4.2.2.7.7 192.168.6.0
+
Table 225 - IPv4 Scopes Options - 192.168.4.0

+
1.4.2.2.7.7 192.168.6.0
NameOption IdValuePolicy Name
DNS Domain Name15pharmax.local-
Lease51691200-
-
Table 206 - IPv4 Scopes Options - 192.168.6.0

-
1.4.2.2.7.8 192.168.7.0
+
Table 226 - IPv4 Scopes Options - 192.168.6.0

+
1.4.2.2.7.8 192.168.7.0
@@ -2688,61 +3181,61 @@
NameOption IdValuePolicy Name
Router3192.168.7.254-
DNS Domain Name15pharmax.local-
Bootfile Name67snponly64.efi.vmw-hardwired-
 8123-
-
Table 207 - IPv4 Scopes Options - 192.168.7.0

-
1.4.2.2.7.9 192.168.12.0
+
Table 227 - IPv4 Scopes Options - 192.168.7.0

+
1.4.2.2.7.9 192.168.12.0
NameOption IdValuePolicy Name
DNS Domain Name15pharmax.local-
Lease51691200-
-
Table 208 - IPv4 Scopes Options - 192.168.12.0

-

1.4.2.3 IPv6 Scope Configuration

The following section provides a IPv6 configuration summary of the Dynamic Host Configuration Protocol.

1.4.2.3.1 IPv6 Service Statistics
+
Table 228 - IPv4 Scopes Options - 192.168.12.0

+

1.4.2.3 IPv6 Scope Configuration

The following section provides a IPv6 configuration summary of the Dynamic Host Configuration Protocol.

1.4.2.3.1 IPv6 Service Statistics
DC NameTotal ScopesTotal AddressesAddresses In UseAddresses AvailablePercentage In UsePercentage Available
cayey-dc-01v000000
server-dc-01v000000
-
Table 209 - DHCP Server IPv6 Statistics - PHARMAX.LOCAL

-

1.4.3 ACAD.PHARMAX.LOCAL Domain DHCP Configuration

The following section provides a summary of the Dynamic Host Configuration Protocol.

1.4.3.1 DHCP Servers In Active Directory

The following section provides a summary of the DHCP servers information on ACAD.PHARMAX.LOCAL.

+
Table 229 - DHCP Server IPv6 Statistics - PHARMAX.LOCAL

+

1.4.3 ACAD.PHARMAX.LOCAL Domain DHCP Configuration

The following section provides a summary of the Dynamic Host Configuration Protocol.

1.4.3.1 DHCP Servers In Active Directory

The following section provides a summary of the DHCP servers information on ACAD.PHARMAX.LOCAL.

DC NameIP AddressDomain NameDomain JoinedAuthorizedConflict Detection Attempts
acade-dc-01v172.23.4.1acad.pharmax.localYesYes0
-
Table 210 - DHCP Servers In Active Directory - ACAD.PHARMAX.LOCAL

-
1.4.3.1.1 Service Database
+
Table 230 - DHCP Servers In Active Directory - ACAD.PHARMAX.LOCAL

+
1.4.3.1.1 Service Database
DC NameFile PathBackup PathBackup IntervalLogging Enabled
acade-dc-01vC:\Windows\system32\dhcp\dhcp.mdbC:\Windows\system32\dhcp\backup60 minYes
-
Table 211 - DHCP Servers Database - ACAD.PHARMAX.LOCAL

-
1.4.3.1.2 Dynamic DNS credentials
+
Table 231 - DHCP Servers Database - ACAD.PHARMAX.LOCAL

+
1.4.3.1.2 Dynamic DNS credentials
DC NameUser NameDomain Name
acade-dc-01v--
-
Table 212 - DHCP Servers Dynamic DNS Credentials - ACAD.PHARMAX.LOCAL

-
Health Check:
Best Practice: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

1.4.3.2 IPv4 Scope Configuration

The following section provides a IPv4 configuration summary of the Dynamic Host Configuration Protocol.

1.4.3.2.1 IPv4 Service Statistics
+
Table 232 - DHCP Servers Dynamic DNS Credentials - ACAD.PHARMAX.LOCAL

+
Health Check:
Best Practice: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

1.4.3.2 IPv4 Scope Configuration

The following section provides a IPv4 configuration summary of the Dynamic Host Configuration Protocol.

1.4.3.2.1 IPv4 Service Statistics
DC NameTotal ScopesTotal AddressesAddresses In UseAddresses AvailablePercentage In UsePercentage Available
acade-dc-01v123302330100
-
Table 213 - DHCP Server IPv4 Statistics - ACAD.PHARMAX.LOCAL

-
1.4.3.2.2 ACADE-DC-01V IPv4 Scopes
The following section provides detailed information of the IPv4 Scope configuration.

+
Table 233 - DHCP Server IPv4 Statistics - ACAD.PHARMAX.LOCAL

+
1.4.3.2.2 ACADE-DC-01V IPv4 Scopes
The following section provides detailed information of the IPv4 Scope configuration.

Scope IdScope NameScope RangeLease DurationState
172.23.5.0/24Dept-B Clients172.23.5.10 - 172.23.5.2531.00:00:00Active
-
Table 214 - IPv4 Scopes - ACADE-DC-01V

-
1.4.3.2.2.1 IPv4 Scope Statistics
+
Table 234 - IPv4 Scopes - ACADE-DC-01V

+
1.4.3.2.2.1 IPv4 Scope Statistics
Scope IdFree IPIn Use IPPercentage In UseReserved IP
172.23.5.0233000
-
Table 215 - IPv4 Scope Statistics - ACADE-DC-01V

-
1.4.3.2.2.2 IPv4 Network Interface Binding
+
Table 235 - IPv4 Scope Statistics - ACADE-DC-01V

+
1.4.3.2.2.2 IPv4 Network Interface Binding
Interface AliasIP AddressSubnet MaskState
Ethernet0172.23.4.1255.255.255.0Enabled
-
Table 216 - IPv4 Network Interface binding - ACADE-DC-01V

-
1.4.3.2.3 ACADE-DC-01V IPv4 Scope Server Options
+
Table 236 - IPv4 Network Interface binding - ACADE-DC-01V

+
1.4.3.2.3 ACADE-DC-01V IPv4 Scope Server Options
NameOption IdValuePolicy Name
DNS Servers6172.23.4.1
192.168.5.1
10.10.33.1
-
DNS Domain Name15acad.pharmax.local-
-
Table 217 - IPv4 Scopes Server Options - ACADE-DC-01V

-
1.4.3.2.3.1 Scope DNS Setting
The following section provides a summary of the DHCP servers IPv4 Scope DNS Setting information.

+
Table 237 - IPv4 Scopes Server Options - ACADE-DC-01V

+
1.4.3.2.3.1 Scope DNS Setting
The following section provides a summary of the DHCP servers IPv4 Scope DNS Setting information.

@@ -2751,64 +3244,64 @@
Dynamic UpdatesOnClientRequest
Dns Suffix-
Disable Dns Ptr RR UpdateNo
Delete Dns RR On Lease ExpiryYes
-
Table 218 - IPv4 Scopes DNS Setting - acade-dc-01v

-
Health Check:
Best Practice: 'Always dynamically update dns records' should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.
1.4.3.2.4 Scope Options
The following section provides a summary of the DHCP servers IPv4 Scope Server Options information.
1.4.3.2.4.1 172.23.5.0
+
Table 238 - IPv4 Scopes DNS Setting - acade-dc-01v

+
Health Check:
Best Practice: 'Always dynamically update dns records' should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.
1.4.3.2.4 Scope Options
The following section provides a summary of the DHCP servers IPv4 Scope Server Options information.
1.4.3.2.4.1 172.23.5.0
NameOption IdValuePolicy Name
Router3172.23.5.254-
Lease5186400-
-
Table 219 - IPv4 Scopes Options - 172.23.5.0

-

1.4.3.3 IPv6 Scope Configuration

The following section provides a IPv6 configuration summary of the Dynamic Host Configuration Protocol.

1.4.3.3.1 IPv6 Service Statistics
+
Table 239 - IPv4 Scopes Options - 172.23.5.0

+

1.4.3.3 IPv6 Scope Configuration

The following section provides a IPv6 configuration summary of the Dynamic Host Configuration Protocol.

1.4.3.3.1 IPv6 Service Statistics
DC NameTotal ScopesTotal AddressesAddresses In UseAddresses AvailablePercentage In UsePercentage Available
acade-dc-01v1184467440737095516140184467440737095516140100
-
Table 220 - DHCP Server IPv6 Statistics - ACAD.PHARMAX.LOCAL

-
1.4.3.3.2 ACADE-DC-01V IPv6 Scopes
The following section provides a summary of the DHCP servers IPv6 Scope Configuration.

+
Table 240 - DHCP Server IPv6 Statistics - ACAD.PHARMAX.LOCAL

+
1.4.3.3.2 ACADE-DC-01V IPv6 Scopes
The following section provides a summary of the DHCP servers IPv6 Scope Configuration.

Scope IdScope NameLease DurationState
fd99:9971::/64Dept-C Clients8.00:00:00Active
-
Table 221 - IPv6 Scopes - ACADE-DC-01V

-
1.4.3.3.2.1 IPv6 Scope Statistics
+
Table 241 - IPv6 Scopes - ACADE-DC-01V

+
1.4.3.3.2.1 IPv6 Scope Statistics
Scope IdFree IPIn Use IPPercentage In UseReserved IP
fd99:9971::18446744073709551614000
-
Table 222 - IPv6 Scope Statistics - ACADE-DC-01V

-
1.4.3.3.3 ACADE-DC-01V IPv6 Scope Server Options
The following section provides a summary of the DHCP servers IPv6 Scope Server Options information.

+
Table 242 - IPv6 Scope Statistics - ACADE-DC-01V

+
1.4.3.3.3 ACADE-DC-01V IPv6 Scope Server Options
The following section provides a summary of the DHCP servers IPv6 Scope Server Options information.

NameOption IdTypeValue
Domain Search List 24Stringfd99:9971::1
-
Table 223 - IPv6 Scopes Server Options - ACADE-DC-01V

-
1.4.3.3.3.1 Scope DNS Settings
+
Table 243 - IPv6 Scopes Server Options - ACADE-DC-01V

+
1.4.3.3.3.1 Scope DNS Settings
Dynamic UpdatesOnClientRequest
Name ProtectionNo
Delete Dns RR On Lease ExpiryYes
-
Table 224 - IPv6 Scopes DNS Setting - acade-dc-01v

-
1.4.3.3.4 Scope Options
The following section provides a summary 6 Scope Server Options information.

1.4.3.3.4.1 fd99:9971::
The following section provides a summary of the DHCP servers IPv6 Scope Server Options information.

+
Table 244 - IPv6 Scopes DNS Setting - acade-dc-01v

+
1.4.3.3.4 Scope Options
The following section provides a summary 6 Scope Server Options information.

1.4.3.3.4.1 fd99:9971::
The following section provides a summary of the DHCP servers IPv6 Scope Server Options information.

NameOption IdTypeValue
DNS Recursive Name Server IPv6 Address List 23IPv6Addressfd99:9971::1
-
Table 225 - IPv6 Scopes Options - fd99:9971::

-

1.5 Certificate Authority Summary

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

+
Table 245 - IPv6 Scopes Options - fd99:9971::

+

1.5 Certificate Authority Summary

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

CA NameServer NameTypeStatus
acad-ACADE-DC-01V-CAACADE-DC-01VEnterprise Subordinate CARunning
pharmax-CAYEY-DC-01V-CACAYEY-DC-01VEnterprise Subordinate CARunning
pharmax-SERVER-DC-01V-CASERVER-DC-01VEnterprise Root CARunning
-
Table 226 - Certification Authority Summary - PHARMAX.LOCAL

-

1.5.1 Enterprise Root Certificate Authority

The following section provides the Enterprise Root CA information.

+
Table 246 - Certification Authority Summary - PHARMAX.LOCAL

+

1.5.1 Enterprise Root Certificate Authority

The following section provides the Enterprise Root CA information.

- +
CA Namepharmax-SERVER-DC-01V-CA
Server NameSERVER-DC-01V
TypeEnterprise Root CA
Config StringServer-DC-01V.pharmax.local\pharmax-SERVER-DC-01V-CA
Operating SystemMicrosoft Windows Server 2019 Standard Evaluation
Operating SystemMicrosoft Windows Server 2019 Standard
Certificate[Subject]
CN=pharmax-SERVER-DC-01V-CA, DC=pharmax, DC=local

[Issuer]
CN=pharmax-SERVER-DC-01V-CA, DC=pharmax, DC=local

[Serial Number]
5D2E25D9AFFDE4904A05D70BEB7ACBD2

[Not Before]
1/25/2020 7:35:16 PM

[Not After]
1/25/2025 7:45:15 PM

[Thumbprint]
0F6D4D3B8C71290E76B6B6C0661275F6F37B9CE0
StatusRunning
-
Table 227 - Enterprise Root CA - PHARMAX.LOCAL

-

1.5.2 Enterprise Subordinate Certificate Authority

The following section provides the Enterprise Subordinate CA information.

+
Table 247 - Enterprise Root CA - PHARMAX.LOCAL

+

1.5.2 Enterprise Subordinate Certificate Authority

The following section provides the Enterprise Subordinate CA information.

@@ -2818,7 +3311,7 @@
CA Nameacad-ACADE-DC-01V-CA
Server NameACADE-DC-01V
Certificate[Subject]
CN=acad-ACADE-DC-01V-CA, DC=acad, DC=pharmax, DC=local

[Issuer]
CN=pharmax-SERVER-DC-01V-CA, DC=pharmax, DC=local

[Serial Number]
61000000F5B20F8367F4837C6A0000000000F5

[Not Before]
9/22/2021 8:59:36 PM

[Not After]
9/22/2023 9:09:36 PM

[Thumbprint]
89532761827821E1B102CC8B86C529A6D2E92AC6
StatusRunning
-
Table 228 - Enterprise Subordinate CA - acad-ACADE-DC-01V-CA

+
Table 248 - Enterprise Subordinate CA - acad-ACADE-DC-01V-CA

@@ -2829,22 +3322,22 @@
CA Namepharmax-CAYEY-DC-01V-CA
Certificate[Subject]
CN=pharmax-CAYEY-DC-01V-CA, DC=pharmax, DC=local

[Issuer]
CN=pharmax-SERVER-DC-01V-CA, DC=pharmax, DC=local

[Serial Number]
61000000F60DE0C8AB312FB51E0000000000F6

[Not Before]
10/4/2021 10:33:08 AM

[Not After]
10/4/2023 10:43:08 AM

[Thumbprint]
CB2AC03DDA5A793DACAFC1EDC048CB1123D94B4B
StatusRunning
-
Table 229 - Enterprise Subordinate CA - pharmax-CAYEY-DC-01V-CA

-

1.5.3 Certificate Validity Period

The following section provides the Certification Authority Certificate Validity Period information.

+
Table 249 - Enterprise Subordinate CA - pharmax-CAYEY-DC-01V-CA

+

1.5.3 Certificate Validity Period

The following section provides the Certification Authority Certificate Validity Period information.

CA NameServer NameValidity Period
acad-ACADE-DC-01V-CAACADE-DC-01V2 Years
pharmax-CAYEY-DC-01V-CACAYEY-DC-01V2 Years
pharmax-SERVER-DC-01V-CASERVER-DC-01V2 Years
-
Table 230 - Certificate Validity Period - PHARMAX.LOCAL

-

1.5.3.1 Access Control List (ACL) Summary

+
Table 250 - Certificate Validity Period - PHARMAX.LOCAL

+

1.5.3.1 Access Control List (ACL) Summary

DC NameOwnerGroup
acad-ACADE-DC-01V-CABUILTIN\AdministratorsBUILTIN\Administrators
pharmax-CAYEY-DC-01V-CABUILTIN\AdministratorsBUILTIN\Administrators
pharmax-SERVER-DC-01V-CABUILTIN\AdministratorsBUILTIN\Administrators
-
Table 231 - Access Control List - PHARMAX.LOCAL

-
1.5.3.1.1 pharmax-SERVER-DC-01V-CA Rights
+
Table 251 - Access Control List - PHARMAX.LOCAL

+
1.5.3.1.1 pharmax-SERVER-DC-01V-CA Rights
@@ -2852,24 +3345,24 @@
IdentityAccess Control TypeRights
BUILTIN\AdministratorsAllowManageCA, ManageCertificates
NT AUTHORITY\Authenticated UsersAllowEnroll
PHARMAX\Enterprise AdminsAllowManageCA, ManageCertificates
PHARMAX\jocolonAllowManageCA, ManageCertificates, Read, Enroll
-
Table 232 - ACL Rights - pharmax-SERVER-DC-01V-CA

-
1.5.3.1.2 acad-ACADE-DC-01V-CA Rights
+
Table 252 - ACL Rights - pharmax-SERVER-DC-01V-CA

+
1.5.3.1.2 acad-ACADE-DC-01V-CA Rights
IdentityAccess Control TypeRights
ACAD\Domain AdminsAllowManageCA, ManageCertificates
BUILTIN\AdministratorsAllowManageCA, ManageCertificates
NT AUTHORITY\Authenticated UsersAllowEnroll
PHARMAX\Enterprise AdminsAllowManageCA, ManageCertificates
-
Table 233 - ACL Rights - acad-ACADE-DC-01V-CA

-
1.5.3.1.3 pharmax-CAYEY-DC-01V-CA Rights
+
Table 253 - ACL Rights - acad-ACADE-DC-01V-CA

+
1.5.3.1.3 pharmax-CAYEY-DC-01V-CA Rights
IdentityAccess Control TypeRights
BUILTIN\AdministratorsAllowManageCA, ManageCertificates
NT AUTHORITY\Authenticated UsersAllowEnroll
PHARMAX\Domain AdminsAllowManageCA, ManageCertificates
PHARMAX\Enterprise AdminsAllowManageCA, ManageCertificates
-
Table 234 - ACL Rights - pharmax-CAYEY-DC-01V-CA

-

1.5.4 Cryptography Configuration

The following section provides the Certification Authority Cryptography Configuration information.

+
Table 254 - ACL Rights - pharmax-CAYEY-DC-01V-CA

+

1.5.4 Cryptography Configuration

The following section provides the Certification Authority Cryptography Configuration information.

@@ -2879,7 +3372,7 @@
CA Namepharmax-SERVER-DC-01V-CA
Server NameSERVER-DC-01V
Alternate Signature AlgorithmNo
Provider Is CNGYes
-
Table 235 - Cryptography Configuration - PHARMAX.LOCAL

+
Table 255 - Cryptography Configuration - PHARMAX.LOCAL

@@ -2890,7 +3383,7 @@
CA Nameacad-ACADE-DC-01V-CA
Alternate Signature AlgorithmNo
Provider Is CNGYes
-
Table 236 - Cryptography Configuration - PHARMAX.LOCAL

+
Table 256 - Cryptography Configuration - PHARMAX.LOCAL

@@ -2901,8 +3394,8 @@
CA Namepharmax-CAYEY-DC-01V-CA
Alternate Signature AlgorithmNo
Provider Is CNGYes
-
Table 237 - Cryptography Configuration - PHARMAX.LOCAL

-

1.5.5 Authority Information Access (AIA) Summary

The following section provides the Certification Authority Authority Information Access information.

1.5.5.1 pharmax-SERVER-DC-01V-CA

+
Table 257 - Cryptography Configuration - PHARMAX.LOCAL

+

1.5.5 Authority Information Access (AIA) Summary

The following section provides the Certification Authority Authority Information Access information.

1.5.5.1 pharmax-SERVER-DC-01V-CA

@@ -2911,7 +3404,7 @@
Reg URI1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
Config URI1:C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
Include To ExtensionNo
OCSPNo
-
Table 238 - Authority Information Access - pharmax-SERVER-DC-01V-CA

+
Table 258 - Authority Information Access - pharmax-SERVER-DC-01V-CA

@@ -2921,7 +3414,7 @@
Reg URI3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
Include To ExtensionYes
OCSPNo
-
Table 239 - Authority Information Access - pharmax-SERVER-DC-01V-CA

+
Table 259 - Authority Information Access - pharmax-SERVER-DC-01V-CA

@@ -2931,7 +3424,7 @@
Reg URI0:http://%1/CertEnroll/%1_%3%4.crt
Include To ExtensionNo
OCSPNo
-
Table 240 - Authority Information Access - pharmax-SERVER-DC-01V-CA

+
Table 260 - Authority Information Access - pharmax-SERVER-DC-01V-CA

@@ -2941,7 +3434,7 @@
Reg URI0:file://%1/CertEnroll/%1_%3%4.crt
Include To ExtensionNo
OCSPNo
-
Table 241 - Authority Information Access - pharmax-SERVER-DC-01V-CA

+
Table 261 - Authority Information Access - pharmax-SERVER-DC-01V-CA

@@ -2951,8 +3444,8 @@
Reg URI2:http://acade-dc-01v.acad.pharmax.local/CertData/%1_%3%4.crt
Include To ExtensionYes
OCSPNo
-
Table 242 - Authority Information Access - pharmax-SERVER-DC-01V-CA

-

1.5.5.2 acad-ACADE-DC-01V-CA

+
Table 262 - Authority Information Access - pharmax-SERVER-DC-01V-CA

+

1.5.5.2 acad-ACADE-DC-01V-CA

@@ -2961,7 +3454,7 @@
Reg URI1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
Config URI1:C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
Include To ExtensionNo
OCSPNo
-
Table 243 - Authority Information Access - acad-ACADE-DC-01V-CA

+
Table 263 - Authority Information Access - acad-ACADE-DC-01V-CA

@@ -2971,7 +3464,7 @@
Reg URI3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
Include To ExtensionYes
OCSPNo
-
Table 244 - Authority Information Access - acad-ACADE-DC-01V-CA

+
Table 264 - Authority Information Access - acad-ACADE-DC-01V-CA

@@ -2981,7 +3474,7 @@
Reg URI0:http://%1/CertEnroll/%1_%3%4.crt
Include To ExtensionNo
OCSPNo
-
Table 245 - Authority Information Access - acad-ACADE-DC-01V-CA

+
Table 265 - Authority Information Access - acad-ACADE-DC-01V-CA

@@ -2991,7 +3484,7 @@
Reg URI0:file://%1/CertEnroll/%1_%3%4.crt
Include To ExtensionNo
OCSPNo
-
Table 246 - Authority Information Access - acad-ACADE-DC-01V-CA

+
Table 266 - Authority Information Access - acad-ACADE-DC-01V-CA

@@ -3001,7 +3494,7 @@
Reg URI2:http://acade-dc-01v.acad.pharmax.local/CertEnroll/%1_%3%4.crt
Include To ExtensionYes
OCSPNo
-
Table 247 - Authority Information Access - acad-ACADE-DC-01V-CA

+
Table 267 - Authority Information Access - acad-ACADE-DC-01V-CA

@@ -3011,8 +3504,8 @@
Reg URI32:http://acade-dc-01v.acad.pharmax.local/ocsp
Include To ExtensionNo
OCSPYes
-
Table 248 - Authority Information Access - acad-ACADE-DC-01V-CA

-

1.5.5.3 pharmax-CAYEY-DC-01V-CA

+
Table 268 - Authority Information Access - acad-ACADE-DC-01V-CA

+

1.5.5.3 pharmax-CAYEY-DC-01V-CA

@@ -3021,7 +3514,7 @@
Reg URI1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
Config URI1:C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
Include To ExtensionNo
OCSPNo
-
Table 249 - Authority Information Access - pharmax-CAYEY-DC-01V-CA

+
Table 269 - Authority Information Access - pharmax-CAYEY-DC-01V-CA

@@ -3031,7 +3524,7 @@
Reg URI3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
Include To ExtensionYes
OCSPNo
-
Table 250 - Authority Information Access - pharmax-CAYEY-DC-01V-CA

+
Table 270 - Authority Information Access - pharmax-CAYEY-DC-01V-CA

@@ -3041,7 +3534,7 @@
Reg URI0:http://%1/CertEnroll/%1_%3%4.crt
Include To ExtensionNo
OCSPNo
-
Table 251 - Authority Information Access - pharmax-CAYEY-DC-01V-CA

+
Table 271 - Authority Information Access - pharmax-CAYEY-DC-01V-CA

@@ -3051,22 +3544,22 @@
Reg URI0:file://%1/CertEnroll/%1_%3%4.crt
Include To ExtensionNo
OCSPNo
-
Table 252 - Authority Information Access - pharmax-CAYEY-DC-01V-CA

-

1.5.6 Certificate Revocation List (CRL) Configuration

The following section provides the Certification Authority CRL Distribution Point information.

1.5.6.1 CRL Validity Period

+
Table 272 - Authority Information Access - pharmax-CAYEY-DC-01V-CA

+

1.5.6 Certificate Revocation List (CRL) Configuration

The following section provides the Certification Authority CRL Distribution Point information.

1.5.6.1 CRL Validity Period

CA NameBase CRLBase CRL OverlapDelta CRLDelta CRL Overlap
acad-ACADE-DC-01V-CA1 Weeks0 Hours1 Days0 Minutes
pharmax-CAYEY-DC-01V-CA1 Weeks0 Hours1 Days0 Minutes
pharmax-SERVER-DC-01V-CA50 Weeks0 Hours0 Days0 Minutes
-
Table 253 - CRL Validity Preriod - PHARMAX.LOCAL

-

1.5.6.2 CRL Flags Settings

+
Table 273 - CRL Validity Preriod - PHARMAX.LOCAL

+

1.5.6.2 CRL Flags Settings

CA NameServer NameCRL Flags
acad-ACADE-DC-01V-CAACADE-DC-01VDeleteExpiredCRLs
pharmax-CAYEY-DC-01V-CACAYEY-DC-01VDeleteExpiredCRLs
pharmax-SERVER-DC-01V-CASERVER-DC-01VDeleteExpiredCRLs
-
Table 254 - CRL Flags - PHARMAX.LOCAL

-

1.5.6.3 CRL Distribution Point

The following section provides the Certification Authority CRL Distribution Point information.

1.5.6.3.1 pharmax-SERVER-DC-01V-CA
+
Table 274 - CRL Flags - PHARMAX.LOCAL

+

1.5.6.3 CRL Distribution Point

The following section provides the Certification Authority CRL Distribution Point information.

1.5.6.3.1 pharmax-SERVER-DC-01V-CA
@@ -3079,7 +3572,7 @@
Reg URI65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
Config URI65:C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Add To Fresh est CRLNo
Add To Crl cdpNo
-
Table 255 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

+
Table 275 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

@@ -3093,7 +3586,7 @@
Reg URI79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
Add To Fresh est CRLYes
Add To Crl cdpYes
-
Table 256 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

+
Table 276 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

@@ -3107,7 +3600,7 @@
Reg URI0:http://%1/CertEnroll/%3%8%9.crl
Add To Fresh est CRLNo
Add To Crl cdpNo
-
Table 257 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

+
Table 277 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

@@ -3121,7 +3614,7 @@
Reg URI0:file://%1/CertEnroll/%3%8%9.crl
Add To Fresh est CRLNo
Add To Crl cdpNo
-
Table 258 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

+
Table 278 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

@@ -3135,8 +3628,8 @@
Reg URI6:http://acade-dc-01v.acad.pharmax.local/CertData/%3%8%9.crl
Add To Fresh est CRLYes
Add To Crl cdpNo
-
Table 259 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

-
1.5.6.3.2 acad-ACADE-DC-01V-CA
+
Table 279 - CRL Distribution Point - pharmax-SERVER-DC-01V-CA

+
1.5.6.3.2 acad-ACADE-DC-01V-CA
@@ -3149,7 +3642,7 @@
Reg URI65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
Config URI65:C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Add To Fresh est CRLNo
Add To Crl cdpNo
-
Table 260 - CRL Distribution Point - acad-ACADE-DC-01V-CA

+
Table 280 - CRL Distribution Point - acad-ACADE-DC-01V-CA

@@ -3163,7 +3656,7 @@
Reg URI79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
Add To Fresh est CRLYes
Add To Crl cdpYes
-
Table 261 - CRL Distribution Point - acad-ACADE-DC-01V-CA

+
Table 281 - CRL Distribution Point - acad-ACADE-DC-01V-CA

@@ -3177,7 +3670,7 @@
Reg URI0:http://%1/CertEnroll/%3%8%9.crl
Add To Fresh est CRLNo
Add To Crl cdpNo
-
Table 262 - CRL Distribution Point - acad-ACADE-DC-01V-CA

+
Table 282 - CRL Distribution Point - acad-ACADE-DC-01V-CA

@@ -3191,7 +3684,7 @@
Reg URI0:file://%1/CertEnroll/%3%8%9.crl
Add To Fresh est CRLNo
Add To Crl cdpNo
-
Table 263 - CRL Distribution Point - acad-ACADE-DC-01V-CA

+
Table 283 - CRL Distribution Point - acad-ACADE-DC-01V-CA

@@ -3205,8 +3698,8 @@
Reg URI6:http://acade-dc-01v.acad.pharmax.local/CertEnroll/%3%8%9.crl
Add To Fresh est CRLYes
Add To Crl cdpNo
-
Table 264 - CRL Distribution Point - acad-ACADE-DC-01V-CA

-
1.5.6.3.3 pharmax-CAYEY-DC-01V-CA
+
Table 284 - CRL Distribution Point - acad-ACADE-DC-01V-CA

+
1.5.6.3.3 pharmax-CAYEY-DC-01V-CA
@@ -3219,7 +3712,7 @@
Reg URI65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
Config URI65:C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Add To Fresh est CRLNo
Add To Crl cdpNo
-
Table 265 - CRL Distribution Point - pharmax-CAYEY-DC-01V-CA

+
Table 285 - CRL Distribution Point - pharmax-CAYEY-DC-01V-CA

@@ -3233,7 +3726,7 @@
Reg URI79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
Add To Fresh est CRLYes
Add To Crl cdpYes
-
Table 266 - CRL Distribution Point - pharmax-CAYEY-DC-01V-CA

+
Table 286 - CRL Distribution Point - pharmax-CAYEY-DC-01V-CA

@@ -3247,7 +3740,7 @@
Reg URI0:http://%1/CertEnroll/%3%8%9.crl
Add To Fresh est CRLNo
Add To Crl cdpNo
-
Table 267 - CRL Distribution Point - pharmax-CAYEY-DC-01V-CA

+
Table 287 - CRL Distribution Point - pharmax-CAYEY-DC-01V-CA

@@ -3261,15 +3754,15 @@
Reg URI0:file://%1/CertEnroll/%3%8%9.crl
Add To Fresh est CRLNo
Add To Crl cdpNo
-
Table 268 - CRL Distribution Point - pharmax-CAYEY-DC-01V-CA

-

1.5.7 AIA and CDP Health Status

The following section is intended to perform Certification Authority health status checking by CA certificate chain status and validating all CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs for each certificate in the chain.

+
Table 288 - CRL Distribution Point - pharmax-CAYEY-DC-01V-CA

+

1.5.7 AIA and CDP Health Status

The following section is intended to perform Certification Authority health status checking by CA certificate chain status and validating all CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs for each certificate in the chain.

- - + +
CA NameChildsHealth
acad-ACADE-DC-01V-CAacad-ACADE-DC-01V-CA
pharmax-SERVER-DC-01V-CA
Error
pharmax-CAYEY-DC-01V-CApharmax-CAYEY-DC-01V-CA
pharmax-SERVER-DC-01V-CA
Ok
pharmax-SERVER-DC-01V-CApharmax-SERVER-DC-01V-CAOk
pharmax-CAYEY-DC-01V-CApharmax-CAYEY-DC-01V-CA
pharmax-SERVER-DC-01V-CA
Warning
pharmax-SERVER-DC-01V-CApharmax-SERVER-DC-01V-CAWarning
-
Table 269 - Certification Authority Health - PHARMAX.LOCAL

-

1.5.8 Certificate Template Summary

The following section provides the certificate templates that are assigned to a specified Certification Authority (CA). CA server can issue certificates only based on assigned templates.

1.5.8.1 pharmax-SERVER-DC-01V-CA Certificate Template

+
Table 289 - Certification Authority Health - PHARMAX.LOCAL

+

1.5.8 Certificate Template Summary

The following section provides the certificate templates that are assigned to a specified Certification Authority (CA). CA server can issue certificates only based on assigned templates.

1.5.8.1 pharmax-SERVER-DC-01V-CA Certificate Template

@@ -3292,8 +3785,8 @@
Template NameSchema VersionSupported CAAutoenrollment
Administrator1Windows 2000 ServerNo
Basic EFS1Windows 2000 ServerNo
Web Server - Parallel2Windows Server 2003 Enterprise EditionNo
Web Server - WSUS SSL2Windows Server 2003 Enterprise EditionNo
-
Table 270 - Issued Certificate Template - pharmax-SERVER-DC-01V-CA

-

1.5.8.2 Certificate Template In Active Directory

The following section provides registered certificate templates from Active Directory.

+
Table 290 - Issued Certificate Template - pharmax-SERVER-DC-01V-CA

+

1.5.8.2 Certificate Template In Active Directory

The following section provides registered certificate templates from Active Directory.

@@ -3338,8 +3831,8 @@
Template NameSchema VersionSupported CAAutoenrollment
Administrator1Windows 2000 ServerNo
Authenticated Session1Windows 2000 ServerNo
Web Server - WSUS SSL2Windows Server 2003 Enterprise EditionNo
Workstation Authentication2Windows Server 2003 Enterprise EditionYes
-
Table 271 - Certificate Template in AD - PHARMAX.LOCAL

-

1.5.9 Certificate Template Summary

The following section provides the certificate templates that are assigned to a specified Certification Authority (CA). CA server can issue certificates only based on assigned templates.

1.5.9.1 acad-ACADE-DC-01V-CA Certificate Template

+
Table 291 - Certificate Template in AD - PHARMAX.LOCAL

+

1.5.9 Certificate Template Summary

The following section provides the certificate templates that are assigned to a specified Certification Authority (CA). CA server can issue certificates only based on assigned templates.

1.5.9.1 acad-ACADE-DC-01V-CA Certificate Template

@@ -3354,8 +3847,8 @@
Template NameSchema VersionSupported CAAutoenrollment
Administrator1Windows 2000 ServerNo
Basic EFS1Windows 2000 ServerNo
User1Windows 2000 ServerNo
Web Server1Windows 2000 ServerNo
-
Table 272 - Issued Certificate Template - acad-ACADE-DC-01V-CA

-

1.5.9.2 Certificate Template In Active Directory

The following section provides registered certificate templates from Active Directory.

+
Table 292 - Issued Certificate Template - acad-ACADE-DC-01V-CA

+

1.5.9.2 Certificate Template In Active Directory

The following section provides registered certificate templates from Active Directory.

@@ -3400,8 +3893,8 @@
Template NameSchema VersionSupported CAAutoenrollment
Administrator1Windows 2000 ServerNo
Authenticated Session1Windows 2000 ServerNo
Web Server - WSUS SSL2Windows Server 2003 Enterprise EditionNo
Workstation Authentication2Windows Server 2003 Enterprise EditionYes
-
Table 273 - Certificate Template in AD - PHARMAX.LOCAL

-

1.5.10 Certificate Template Summary

The following section provides the certificate templates that are assigned to a specified Certification Authority (CA). CA server can issue certificates only based on assigned templates.

1.5.10.1 pharmax-CAYEY-DC-01V-CA Certificate Template

+
Table 293 - Certificate Template in AD - PHARMAX.LOCAL

+

1.5.10 Certificate Template Summary

The following section provides the certificate templates that are assigned to a specified Certification Authority (CA). CA server can issue certificates only based on assigned templates.

1.5.10.1 pharmax-CAYEY-DC-01V-CA Certificate Template

@@ -3415,8 +3908,8 @@
Template NameSchema VersionSupported CAAutoenrollment
Administrator1Windows 2000 ServerNo
Basic EFS1Windows 2000 ServerNo
User1Windows 2000 ServerNo
Web Server1Windows 2000 ServerNo
-
Table 274 - Issued Certificate Template - pharmax-CAYEY-DC-01V-CA

-

1.5.10.2 Certificate Template In Active Directory

The following section provides registered certificate templates from Active Directory.

+
Table 294 - Issued Certificate Template - pharmax-CAYEY-DC-01V-CA

+

1.5.10.2 Certificate Template In Active Directory

The following section provides registered certificate templates from Active Directory.

@@ -3461,20 +3954,20 @@
Template NameSchema VersionSupported CAAutoenrollment
Administrator1Windows 2000 ServerNo
Authenticated Session1Windows 2000 ServerNo
Web Server - WSUS SSL2Windows Server 2003 Enterprise EditionNo
Workstation Authentication2Windows Server 2003 Enterprise EditionYes
-
Table 275 - Certificate Template in AD - PHARMAX.LOCAL

-

1.5.11 Key Recovery Agent Certificate

The following section provides the Key Recovery Agent certificate used to encrypt user's certificate private key and store it in CA database. In the case when user cannot access his or her certificate private key it is possible to recover it by Key Recovery Agent if Key Archival procedure was taken against particular certificate.

+
Table 295 - Certificate Template in AD - PHARMAX.LOCAL

+

1.5.11 Key Recovery Agent Certificate

The following section provides the Key Recovery Agent certificate used to encrypt user's certificate private key and store it in CA database. In the case when user cannot access his or her certificate private key it is possible to recover it by Key Recovery Agent if Key Archival procedure was taken against particular certificate.

CA Namepharmax-SERVER-DC-01V-CA
Server NameSERVER-DC-01V
Certificate[Subject]
CN=Administrator, CN=Users, DC=pharmax, DC=local

[Issuer]
CN=pharmax-SERVER-DC-01V-CA, DC=pharmax, DC=local

[Serial Number]
61000001068FABBB1D8B7B986A000000000106

[Not Before]
11/16/2021 8:11:55 PM

[Not After]
11/16/2023 8:11:55 PM

[Thumbprint]
0C65947128A94A0209907127D13F81AD5840CA37
-
Table 276 - Key Recovery Agent Certificate - pharmax-SERVER-DC-01V-CA

+
Table 296 - Key Recovery Agent Certificate - pharmax-SERVER-DC-01V-CA

CA Nameacad-ACADE-DC-01V-CA
Server NameACADE-DC-01V
Certificate[Subject]
CN=Administrator, CN=Users, DC=pharmax, DC=local

[Issuer]
CN=pharmax-SERVER-DC-01V-CA, DC=pharmax, DC=local

[Serial Number]
610000011FC4B5F75727EEAB0800000000011F

[Not Before]
1/23/2022 10:30:44 PM

[Not After]
1/23/2024 10:30:44 PM

[Thumbprint]
4883ED66CAB909725F89D7483E97DBF69C4CDA9B
-
Table 277 - Key Recovery Agent Certificate - acad-ACADE-DC-01V-CA

+
Table 297 - Key Recovery Agent Certificate - acad-ACADE-DC-01V-CA


From cc9938e803c91bceebb149973be263bda840bf08 Mon Sep 17 00:00:00 2001 From: Jonathan Colon Date: Fri, 29 Jul 2022 17:01:54 -0400 Subject: [PATCH 7/7] Final modification for v0.7.4 release --- Src/Private/SharedUtilsFunctions.ps1 | 25 ++++++++++++++++--- .../Invoke-AsBuiltReport.Microsoft.AD.ps1 | 3 ++- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/Src/Private/SharedUtilsFunctions.ps1 b/Src/Private/SharedUtilsFunctions.ps1 index fdc50ec..1a68bfe 100644 --- a/Src/Private/SharedUtilsFunctions.ps1 +++ b/Src/Private/SharedUtilsFunctions.ps1 @@ -587,7 +587,8 @@ function ConvertTo-OperatingSystem { ConvertTo-OperatingSystem -OperatingSystem $Registry.ProductName -OperatingSystemVersion $Registry.CurrentBuildNumber .NOTES - General notes + Version: 0.1.0 + Author: Przemysław Kłys #> [CmdletBinding()] param( @@ -909,6 +910,20 @@ Function Get-WinADDuplicateObject { } function Get-ComputerSplit { + <# + .SYNOPSIS + + .DESCRIPTION + + .NOTES + Version: 0.1.0 + Author: Przemysław Kłys + + .EXAMPLE + + .LINK + + #> [CmdletBinding()] param( [string[]] $ComputerName @@ -1330,7 +1345,9 @@ function Get-CimData { # Get-CimClass to get all classes .NOTES - General notes + Version: 0.1.0 + Author: Przemysław Kłys + #> [CmdletBinding()] @@ -1445,7 +1462,9 @@ function ConvertFrom-DistinguishedName { Microsoft Exchange Security Groups .NOTES - General notes + Version: 0.1.0 + Author: Przemysław Kłys + #> [CmdletBinding(DefaultParameterSetName = 'Default')] param( diff --git a/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 b/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 index 32717db..767c57e 100644 --- a/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 +++ b/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 @@ -5,7 +5,7 @@ function Invoke-AsBuiltReport.Microsoft.AD { .DESCRIPTION Documents the configuration of Microsoft AD in Word/HTML/Text formats using PScribo. .NOTES - Version: 0.7.3 + Version: 0.7.4 Author: Jonathan Colon Twitter: @jcolonfzenpr Github: rebelinux 
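Review bot: The comment-based help added to Get-ComputerSplit in hunk `@@ -909,6 +910,20 @@` leaves `.SYNOPSIS`, `.DESCRIPTION`, `.EXAMPLE` and `.LINK` empty, so Get-Help renders blank sections and the function only looks documented; the function body is outside the hunk, so the text has to come from its author. Either fill in the synopsis and description (at minimum what the `$ComputerName` list is split into and what is returned) or drop the empty keywords and keep only `.NOTES`, which is what the other three hunks in this patch do. The new `Author:` attribution suggests these helpers are vendored copies from an external module rather than code written for this project, in which case `.NOTES` is also the right place to record their origin so upstream fixes can be tracked and the original license terms carried along, e.g. `Source: vendored from <UPSTREAM-MODULE> <UPSTREAM-VERSION>; license as upstream`.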
@@ -22,6 +22,7 @@ function Invoke-AsBuiltReport.Microsoft.AD { ) Write-PScriboMessage -IsWarning "Please refer to the AsBuiltReport.Microsoft.AD github website for more detailed information about this project." + Write-PScriboMessage -IsWarning "Do not forget to update your report configuration file after each new release." Write-PScriboMessage -IsWarning "Documentation: https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD" Write-PScriboMessage -IsWarning "Issues or bug reporting: https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD/issues"