From 9f13a8412f3bfb2b7e4fd6d47acc7ee881d84ec0 Mon Sep 17 00:00:00 2001
From: Jonathan Colon
Date: Thu, 26 May 2022 10:23:19 -0400
Subject: [PATCH 1/7] Removed PSSharedGoods/PSWriteColor module dependency
---
AsBuiltReport.Microsoft.AD.psd1 | 8 -
README.md | 6 -
Src/Private/Get-AbrADSiteReplication.ps1 | 1 +
Src/Private/SharedUtilsFunctions.ps1 | 874 +++++++++++++++++-
.../Invoke-AsBuiltReport.Microsoft.AD.ps1 | 2 -
5 files changed, 874 insertions(+), 17 deletions(-)
diff --git a/AsBuiltReport.Microsoft.AD.psd1 b/AsBuiltReport.Microsoft.AD.psd1
index be23f6a..a32cf12 100644
--- a/AsBuiltReport.Microsoft.AD.psd1
+++ b/AsBuiltReport.Microsoft.AD.psd1
@@ -59,14 +59,6 @@ RequiredModules = @(
@{
ModuleName = 'PSPKI';
ModuleVersion = '3.7.2'
- },
- @{
- ModuleName = 'PSSharedGoods';
- ModuleVersion = '0.0.224'
- },
- @{
- ModuleName = 'PSWriteColor';
- ModuleVersion = '0.87.3'
}
)
diff --git a/README.md b/README.md
index d0c4c34..369e128 100644
--- a/README.md
+++ b/README.md
@@ -68,8 +68,6 @@ PowerShell 5.1 or PowerShell 7, and the following PowerShell modules are require
- [GroupPolicy Module](https://docs.microsoft.com/en-us/powershell/module/grouppolicy/?view=windowsserver2019-ps)
- [DhcpServer Module](https://docs.microsoft.com/en-us/powershell/module/dhcpserver/?view=windowsserver2019-ps)
- [DnsServer Module](https://docs.microsoft.com/en-us/powershell/module/dnsserver/?view=windowsserver2019-ps)
-- [PSSharedGoods Module](https://www.powershellgallery.com/packages/PSSharedGoods/)
-- [PSWriteColor Module](https://www.powershellgallery.com/packages/PSWriteColor/0.87.3)
### Linux & macOS
@@ -88,8 +86,6 @@ Due to a limitation of the WinRM component, a domain-joined machine is needed, a
```powershell
Install-Module -Name PSPKI
-Install-Module -Name PSWriteColor
-Install-Module -Name PSSharedGoods
Install-Module -Name AsBuiltReport.Microsoft.AD
Install-WindowsFeature -Name RSAT-AD-PowerShell
Install-WindowsFeature -Name RSAT-DNS-Server
@@ -101,8 +97,6 @@ Install-WindowsFeature -Name GPMC
```powershell
Install-Module -Name PSPKI
-Install-Module -Name PSWriteColor
-Install-Module -Name PSSharedGoods
Install-Module -Name AsBuiltReport.Microsoft.AD
Add-WindowsCapability -online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
Add-WindowsCapability -online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'
diff --git a/Src/Private/Get-AbrADSiteReplication.ps1 b/Src/Private/Get-AbrADSiteReplication.ps1
index 5ac1137..f233322 100644
--- a/Src/Private/Get-AbrADSiteReplication.ps1
+++ b/Src/Private/Get-AbrADSiteReplication.ps1
@@ -133,6 +133,7 @@ function Get-AbrADSiteReplication {
if ($HealthCheck.Site.Replication -and ($OutObj | Where-Object {$NULL -notlike $_.'Last Error'})) {
Paragraph "Health Check:" -Italic -Bold -Underline
Paragraph "Best Practices: Failing SYSVOL replication may cause Group Policy problems." -Italic -Bold
+ BlankLine
}
}
catch {
diff --git a/Src/Private/SharedUtilsFunctions.ps1 b/Src/Private/SharedUtilsFunctions.ps1
index be7dcdd..fdc50ec 100644
--- a/Src/Private/SharedUtilsFunctions.ps1
+++ b/Src/Private/SharedUtilsFunctions.ps1
@@ -416,7 +416,7 @@ function Get-WinADDFSHealth {
}
foreach ($DC in $DomainControllersFull) {
- Write-Verbose "Get-WinADDFSHealth - Processing $($DC.HostName) for $Domain"
+ Write-Verbose "Get-WinADDFSHealth - Processing $($DC.Name) $($DC.HostName) for $Domain"
$DCName = $DC.Name
$Hostname = $DC.Hostname
$DN = $DC.DistinguishedName
@@ -560,6 +560,152 @@ function Get-WinADDFSHealth {
$Table
}
+function ConvertTo-OperatingSystem {
+ <#
+ .SYNOPSIS
+ Allows easy conversion of OperatingSystem, Operating System Version to proper Windows 10 naming based on WMI or AD
+
+ .DESCRIPTION
+ Allows easy conversion of OperatingSystem, Operating System Version to proper Windows 10 naming based on WMI or AD
+
+ .PARAMETER OperatingSystem
+ Operating System as returned by Active Directory
+
+ .PARAMETER OperatingSystemVersion
+ Operating System Version as returned by Active Directory
+
+ .EXAMPLE
+ $Computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion | ForEach-Object {
+ $OPS = ConvertTo-OperatingSystem -OperatingSystem $_.OperatingSystem -OperatingSystemVersion $_.OperatingSystemVersion
+ Add-Member -MemberType NoteProperty -Name 'OperatingSystemTranslated' -Value $OPS -InputObject $_ -Force
+ $_
+ }
+ $Computers | Select-Object DNS*, Name, SamAccountName, Enabled, OperatingSystem*, DistinguishedName | Format-Table
+
+ .EXAMPLE
+ $Registry = Get-PSRegistry -ComputerName 'AD1' -RegistryPath 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+ ConvertTo-OperatingSystem -OperatingSystem $Registry.ProductName -OperatingSystemVersion $Registry.CurrentBuildNumber
+
+ .NOTES
+ General notes
+ #>
+ [CmdletBinding()]
+ param(
+ [string] $OperatingSystem,
+ [string] $OperatingSystemVersion
+ )
+
+ if ($OperatingSystem -like 'Windows 10*' -or $OperatingSystem -like 'Windows 11*') {
+ $Systems = @{
+ # This is how it's written in AD
+ '10.0 (22000)' = 'Windows 11 21H2'
+ '10.0 (19043)' = 'Windows 10 21H1'
+ '10.0 (19042)' = 'Windows 10 20H2'
+ '10.0 (19041)' = 'Windows 10 2004'
+ '10.0 (18898)' = 'Windows 10 Insider Preview'
+ '10.0 (18363)' = "Windows 10 1909"
+ '10.0 (18362)' = "Windows 10 1903"
+ '10.0 (17763)' = "Windows 10 1809"
+ '10.0 (17134)' = "Windows 10 1803"
+ '10.0 (16299)' = "Windows 10 1709"
+ '10.0 (15063)' = "Windows 10 1703"
+ '10.0 (14393)' = "Windows 10 1607"
+ '10.0 (10586)' = "Windows 10 1511"
+ '10.0 (10240)' = "Windows 10 1507"
+
+ # This is how WMI/CIM stores it
+ '10.0.22000' = 'Windows 11 21H2'
+ '10.0.19043' = 'Windows 10 21H1'
+ '10.0.19042' = 'Windows 10 20H2'
+ '10.0.19041' = 'Windows 10 2004'
+ '10.0.18898' = 'Windows 10 Insider Preview'
+ '10.0.18363' = "Windows 10 1909"
+ '10.0.18362' = "Windows 10 1903"
+ '10.0.17763' = "Windows 10 1809"
+ '10.0.17134' = "Windows 10 1803"
+ '10.0.16299' = "Windows 10 1709"
+ '10.0.15063' = "Windows 10 1703"
+ '10.0.14393' = "Windows 10 1607"
+ '10.0.10586' = "Windows 10 1511"
+ '10.0.10240' = "Windows 10 1507"
+
+ # This is how it's written in registry
+ '22000' = 'Windows 11 21H2'
+ '19043' = 'Windows 10 21H1'
+ '19042' = 'Windows 10 20H2'
+ '19041' = 'Windows 10 2004'
+ '18898' = 'Windows 10 Insider Preview'
+ '18363' = "Windows 10 1909"
+ '18362' = "Windows 10 1903"
+ '17763' = "Windows 10 1809"
+ '17134' = "Windows 10 1803"
+ '16299' = "Windows 10 1709"
+ '15063' = "Windows 10 1703"
+ '14393' = "Windows 10 1607"
+ '10586' = "Windows 10 1511"
+ '10240' = "Windows 10 1507"
+ }
+ $System = $Systems[$OperatingSystemVersion]
+ if (-not $System) {
+ $System = $OperatingSystem
+ }
+ } elseif ($OperatingSystem -like 'Windows Server*') {
+ # May need updates https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-release-info
+ # to detect Core
+
+ $Systems = @{
+ # This is how it's written in AD
+ '10.0 (20348)' = 'Windows Server 2022'
+ '10.0 (19042)' = 'Windows Server 2019 20H2'
+ '10.0 (19041)' = 'Windows Server 2019 2004'
+ '10.0 (18363)' = 'Windows Server 2019 1909'
+ '10.0 (18362)' = "Windows Server 2019 1903" # (Datacenter Core, Standard Core)
+ '10.0 (17763)' = "Windows Server 2019 1809" # (Datacenter, Essentials, Standard)
+ '10.0 (17134)' = "Windows Server 2016 1803" # (Datacenter, Standard)
+ '10.0 (14393)' = "Windows Server 2016 1607"
+ '6.3 (9600)' = 'Windows Server 2012 R2'
+ '6.1 (7601)' = 'Windows Server 2008 R2'
+ '5.2 (3790)' = 'Windows Server 2003'
+
+ # This is how WMI/CIM stores it
+ '10.0.20348' = 'Windows Server 2022'
+ '10.0.19042' = 'Windows Server 2019 20H2'
+ '10.0.19041' = 'Windows Server 2019 2004'
+ '10.0.18363' = 'Windows Server 2019 1909'
+ '10.0.18362' = "Windows Server 2019 1903" # (Datacenter Core, Standard Core)
+ '10.0.17763' = "Windows Server 2019 1809" # (Datacenter, Essentials, Standard)
+ '10.0.17134' = "Windows Server 2016 1803" ## (Datacenter, Standard)
+ '10.0.14393' = "Windows Server 2016 1607"
+ '6.3.9600' = 'Windows Server 2012 R2'
+ '6.1.7601' = 'Windows Server 2008 R2' # i think
+ '5.2.3790' = 'Windows Server 2003' # i think
+
+ # This is how it's written in registry
+ '20348' = 'Windows Server 2022'
+ '19042' = 'Windows Server 2019 20H2'
+ '19041' = 'Windows Server 2019 2004'
+ '18363' = 'Windows Server 2019 1909'
+ '18362' = "Windows Server 2019 1903" # (Datacenter Core, Standard Core)
+ '17763' = "Windows Server 2019 1809" # (Datacenter, Essentials, Standard)
+ '17134' = "Windows Server 2016 1803" # (Datacenter, Standard)
+ '14393' = "Windows Server 2016 1607"
+ '9600' = 'Windows Server 2012 R2'
+ '7601' = 'Windows Server 2008 R2'
+ '3790' = 'Windows Server 2003'
+ }
+ $System = $Systems[$OperatingSystemVersion]
+ if (-not $System) {
+ $System = $OperatingSystem
+ }
+ } else {
+ $System = $OperatingSystem
+ }
+ if ($System) {
+ $System
+ } else {
+ 'Unknown'
+ }
+}
function Get-WinADDuplicateSPN {
<#
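Review bot: ConvertTo-OperatingSystem repeats the same build-to-name mapping three times per branch (AD, WMI/CIM and registry spellings), so every new release has to be added in three places and the copies can drift. Reducing the input to its build number first, for example `$Build = if ($OperatingSystemVersion -match '(\d+)\)?$') { $Matches[1] }`, would leave one table per branch keyed by build. Now that the function is vendored, the table no longer picks up upstream additions; build 19044, for instance, has no entry here, so such hosts fall back to the raw `$OperatingSystem` string. A short comment above the tables saying that unmapped builds fall back to the AD value, and where the list was copied from, would help whoever maintains it, and the `.NOTES` placeholder `General notes` could be replaced or dropped.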
@@ -760,4 +906,730 @@ Function Get-WinADDuplicateObject {
[PSCustomObject] $ConflictObject
}
}
+}
+
+function Get-ComputerSplit {
+ [CmdletBinding()]
+ param(
+ [string[]] $ComputerName
+ )
+ if ($null -eq $ComputerName) {
+ $ComputerName = $Env:COMPUTERNAME
+ }
+ try {
+ $LocalComputerDNSName = [System.Net.Dns]::GetHostByName($Env:COMPUTERNAME).HostName
+ } catch {
+ $LocalComputerDNSName = $Env:COMPUTERNAME
+ }
+ $ComputersLocal = $null
+ [Array] $Computers = foreach ($Computer in $ComputerName) {
+ if ($Computer -eq '' -or $null -eq $Computer) {
+ $Computer = $Env:COMPUTERNAME
+ }
+ if ($Computer -ne $Env:COMPUTERNAME -and $Computer -ne $LocalComputerDNSName) {
+ $Computer
+ } else {
+ $ComputersLocal = $Computer
+ }
+ }
+ , @($ComputersLocal, $Computers)
+}
+
+
+function Get-WinADForestDetails {
+
+ <#
+ .SYNOPSIS
+ Used by As Built Report to get AD duplicate object info.
+ .DESCRIPTION
+
+ .NOTES
+ Version: 0.1.0
+ Author: Przemysław Kłys
+
+ .EXAMPLE
+
+ .LINK
+
+ #>
+ [CmdletBinding()]
+ param(
+ [alias('ForestName')][string] $Forest,
+ [string[]] $ExcludeDomains,
+ [string[]] $ExcludeDomainControllers,
+ [alias('Domain', 'Domains')][string[]] $IncludeDomains,
+ [alias('DomainControllers', 'ComputerName')][string[]] $IncludeDomainControllers,
+ [switch] $SkipRODC,
+ [string] $Filter = '*',
+ [switch] $TestAvailability,
+ [ValidateSet('All', 'Ping', 'WinRM', 'PortOpen', 'Ping+WinRM', 'Ping+PortOpen', 'WinRM+PortOpen')] $Test = 'All',
+ [int[]] $Ports = 135,
+ [int] $PortsTimeout = 100,
+ [int] $PingCount = 1,
+ [switch] $Extended,
+ [System.Collections.IDictionary] $ExtendedForestInformation
+ )
+ if ($Global:ProgressPreference -ne 'SilentlyContinue') {
+ $TemporaryProgress = $Global:ProgressPreference
+ $Global:ProgressPreference = 'SilentlyContinue'
+ }
+
+ if (-not $ExtendedForestInformation) {
+ # standard situation, building data from AD
+ $Findings = [ordered] @{ }
+ try {
+ if ($Forest) {
+ $ForestInformation = Get-ADForest -ErrorAction Stop -Identity $Forest
+ } else {
+ $ForestInformation = Get-ADForest -ErrorAction Stop
+ }
+ <#
+ $ForestInformation = [ordered] @{
+ ApplicationPartitions = $ForestInf.ApplicationPartitions | ForEach-Object -Process { $_ } # : {DC=DomainDnsZones,DC=ad,DC=evotec,DC=xyz, DC=DomainDnsZones,DC=ad,DC=evotec,DC=pl, DC=ForestDnsZones,DC=ad,DC=evotec,DC=xyz}
+ CrossForestReferences = $ForestInf.CrossForestReferences | ForEach-Object -Process { $_ } # : {}
+ DomainNamingMaster = $ForestInf.DomainNamingMaster # : AD1.ad.evotec.xyz
+ Domains = $ForestInf.Domains | ForEach-Object -Process { $_ } # : {ad.evotec.xyz, ad.evotec.pl}
+ ForestMode = $ForestInf.ForestMode # : Windows2012R2Forest
+ GlobalCatalogs = $ForestInf.GlobalCatalogs | ForEach-Object -Process { $_ } # : {AD1.ad.evotec.xyz, AD2.ad.evotec.xyz, ADRODC.ad.evotec.pl, AD3.ad.evotec.xyz...}
+ Name = $ForestInf.Name # : ad.evotec.xyz
+ PartitionsContainer = $ForestInf.PartitionsContainer # : CN=Partitions,CN=Configuration,DC=ad,DC=evotec,DC=xyz
+ RootDomain = $ForestInf.RootDomain # : ad.evotec.xyz
+ SchemaMaster = $ForestInf.SchemaMaster # : AD1.ad.evotec.xyz
+ Sites = $ForestInf.Sites | ForEach-Object -Process { $_ } # : {KATOWICE-1, KATOWICE-2}
+ SPNSuffixes = $ForestInf.SPNSuffixes | ForEach-Object -Process { $_ } # : {}
+ UPNSuffixes = $ForestInf.UPNSuffixes | ForEach-Object -Process { $_ } # : {myneva.eu, single.evotec.xyz, newUPN@com, evotec.xyz...}
+ }
+ #>
+ } catch {
+ Write-Warning "Get-WinADForestDetails - Error discovering DC for Forest - $($_.Exception.Message)"
+ return
+ }
+ if (-not $ForestInformation) {
+ return
+ }
+ $Findings['Forest'] = $ForestInformation
+ $Findings['ForestDomainControllers'] = @()
+ $Findings['QueryServers'] = @{ }
+ $Findings['DomainDomainControllers'] = @{ }
+ [Array] $Findings['Domains'] = foreach ($Domain in $ForestInformation.Domains) {
+ if ($IncludeDomains) {
+ if ($Domain -in $IncludeDomains) {
+ $Domain.ToLower()
+ }
+ # We skip checking for exclusions
+ continue
+ }
+ if ($Domain -notin $ExcludeDomains) {
+ $Domain.ToLower()
+ }
+ }
+ # We want to have QueryServers always available for all domains
+ [Array] $DomainsActive = foreach ($Domain in $Findings['Forest'].Domains) {
+ try {
+ $DC = Get-ADDomainController -DomainName $Domain -Discover -ErrorAction Stop
+
+ $OrderedDC = [ordered] @{
+ Domain = $DC.Domain
+ Forest = $DC.Forest
+ HostName = [Array] $DC.HostName
+ IPv4Address = $DC.IPv4Address
+ IPv6Address = $DC.IPv6Address
+ Name = $DC.Name
+ Site = $DC.Site
+ }
+
+ } catch {
+ Write-Warning "Get-WinADForestDetails - Error discovering DC for domain $Domain - $($_.Exception.Message)"
+ continue
+ }
+ if ($Domain -eq $Findings['Forest']['Name']) {
+ $Findings['QueryServers']['Forest'] = $OrderedDC
+ }
+ $Findings['QueryServers']["$Domain"] = $OrderedDC
+ # lets return domain as something that wroks
+ $Domain
+ }
+
+ # we need to make sure to remove domains that don't have DCs for some reason
+ [Array] $Findings['Domains'] = foreach ($Domain in $Findings['Domains']) {
+ if ($Domain -notin $DomainsActive) {
+ Write-Warning "Get-WinADForestDetails - Domain $Domain doesn't seem to be active (no DCs). Skipping."
+ continue
+ }
+ $Domain
+ }
+
+ [Array] $Findings['ForestDomainControllers'] = foreach ($Domain in $Findings.Domains) {
+ $QueryServer = $Findings['QueryServers'][$Domain]['HostName'][0]
+
+ [Array] $AllDC = try {
+ try {
+ $DomainControllers = Get-ADDomainController -Filter $Filter -Server $QueryServer -ErrorAction Stop
+ } catch {
+ Write-Warning "Get-WinADForestDetails - Error listing DCs for domain $Domain - $($_.Exception.Message)"
+ continue
+ }
+ foreach ($S in $DomainControllers) {
+ if ($IncludeDomainControllers.Count -gt 0) {
+ If (-not $IncludeDomainControllers[0].Contains('.')) {
+ if ($S.Name -notin $IncludeDomainControllers) {
+ continue
+ }
+ } else {
+ if ($S.HostName -notin $IncludeDomainControllers) {
+ continue
+ }
+ }
+ }
+ if ($ExcludeDomainControllers.Count -gt 0) {
+ If (-not $ExcludeDomainControllers[0].Contains('.')) {
+ if ($S.Name -in $ExcludeDomainControllers) {
+ continue
+ }
+ } else {
+ if ($S.HostName -in $ExcludeDomainControllers) {
+ continue
+ }
+ }
+ }
+ $Server = [ordered] @{
+ Domain = $Domain
+ HostName = $S.HostName
+ Name = $S.Name
+ Forest = $ForestInformation.RootDomain
+ Site = $S.Site
+ IPV4Address = $S.IPV4Address
+ IPV6Address = $S.IPV6Address
+ IsGlobalCatalog = $S.IsGlobalCatalog
+ IsReadOnly = $S.IsReadOnly
+ IsSchemaMaster = ($S.OperationMasterRoles -contains 'SchemaMaster')
+ IsDomainNamingMaster = ($S.OperationMasterRoles -contains 'DomainNamingMaster')
+ IsPDC = ($S.OperationMasterRoles -contains 'PDCEmulator')
+ IsRIDMaster = ($S.OperationMasterRoles -contains 'RIDMaster')
+ IsInfrastructureMaster = ($S.OperationMasterRoles -contains 'InfrastructureMaster')
+ OperatingSystem = $S.OperatingSystem
+ OperatingSystemVersion = $S.OperatingSystemVersion
+ OperatingSystemLong = ConvertTo-OperatingSystem -OperatingSystem $S.OperatingSystem -OperatingSystemVersion $S.OperatingSystemVersion
+ LdapPort = $S.LdapPort
+ SslPort = $S.SslPort
+ DistinguishedName = $S.ComputerObjectDN
+ Pingable = $null
+ WinRM = $null
+ PortOpen = $null
+ Comment = ''
+ }
+ if ($TestAvailability) {
+ if ($Test -eq 'All' -or $Test -like 'Ping*') {
+ $Server.Pingable = Test-Connection -ComputerName $Server.IPV4Address -Quiet -Count $PingCount
+ }
+ if ($Test -eq 'All' -or $Test -like '*WinRM*') {
+ $Server.WinRM = (Test-WinRM -ComputerName $Server.HostName).Status
+ }
+ if ($Test -eq 'All' -or '*PortOpen*') {
+ $Server.PortOpen = (Test-ComputerPort -Server $Server.HostName -PortTCP $Ports -Timeout $PortsTimeout).Status
+ }
+ }
+ [PSCustomObject] $Server
+ }
+ } catch {
+ [PSCustomObject]@{
+ Domain = $Domain
+ HostName = ''
+ Name = ''
+ Forest = $ForestInformation.RootDomain
+ IPV4Address = ''
+ IPV6Address = ''
+ IsGlobalCatalog = ''
+ IsReadOnly = ''
+ Site = ''
+ SchemaMaster = $false
+ DomainNamingMasterMaster = $false
+ PDCEmulator = $false
+ RIDMaster = $false
+ InfrastructureMaster = $false
+ LdapPort = ''
+ SslPort = ''
+ DistinguishedName = ''
+ Pingable = $null
+ WinRM = $null
+ PortOpen = $null
+ Comment = $_.Exception.Message -replace "`n", " " -replace "`r", " "
+ }
+ }
+ if ($SkipRODC) {
+ [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false }
+ #$Findings[$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false }
+ } else {
+ [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC
+ #$Findings[$Domain] = $AllDC
+ }
+ # Building all DCs for whole Forest
+ [Array] $Findings['DomainDomainControllers'][$Domain]
+ }
+ if ($Extended) {
+ $Findings['DomainsExtended'] = @{ }
+ $Findings['DomainsExtendedNetBIOS'] = @{ }
+ foreach ($DomainEx in $Findings['Domains']) {
+ try {
+ #$Findings['DomainsExtended'][$DomainEx] = Get-ADDomain -Server $Findings['QueryServers'][$DomainEx].HostName[0]
+
+ $Findings['DomainsExtended'][$DomainEx] = Get-ADDomain -Server $Findings['QueryServers'][$DomainEx].HostName[0] | ForEach-Object {
+ # We need to use ForEach-Object to convert ADPropertyValueCollection to normal strings. Otherwise Copy-Dictionary fails
+ #True False ADPropertyValueCollection System.Collections.CollectionBase
+
+ [ordered] @{
+ AllowedDNSSuffixes = $_.AllowedDNSSuffixes | ForEach-Object -Process { $_ } #: { }
+ ChildDomains = $_.ChildDomains | ForEach-Object -Process { $_ } #: { }
+ ComputersContainer = $_.ComputersContainer #: CN = Computers, DC = ad, DC = evotec, DC = xyz
+ DeletedObjectsContainer = $_.DeletedObjectsContainer #: CN = Deleted Objects, DC = ad, DC = evotec, DC = xyz
+ DistinguishedName = $_.DistinguishedName #: DC = ad, DC = evotec, DC = xyz
+ DNSRoot = $_.DNSRoot #: ad.evotec.xyz
+ DomainControllersContainer = $_.DomainControllersContainer #: OU = Domain Controllers, DC = ad, DC = evotec, DC = xyz
+ DomainMode = $_.DomainMode #: Windows2012R2Domain
+ DomainSID = $_.DomainSID.Value #: S - 1 - 5 - 21 - 853615985 - 2870445339 - 3163598659
+ ForeignSecurityPrincipalsContainer = $_.ForeignSecurityPrincipalsContainer #: CN = ForeignSecurityPrincipals, DC = ad, DC = evotec, DC = xyz
+ Forest = $_.Forest #: ad.evotec.xyz
+ InfrastructureMaster = $_.InfrastructureMaster #: AD1.ad.evotec.xyz
+ LastLogonReplicationInterval = $_.LastLogonReplicationInterval #:
+ LinkedGroupPolicyObjects = $_.LinkedGroupPolicyObjects | ForEach-Object -Process { $_ } #:
+ LostAndFoundContainer = $_.LostAndFoundContainer #: CN = LostAndFound, DC = ad, DC = evotec, DC = xyz
+ ManagedBy = $_.ManagedBy #:
+ Name = $_.Name #: ad
+ NetBIOSName = $_.NetBIOSName #: EVOTEC
+ ObjectClass = $_.ObjectClass #: domainDNS
+ ObjectGUID = $_.ObjectGUID #: bc875580 - 4c70-41ad-a487-c57337e26024
+ ParentDomain = $_.ParentDomain #:
+ PDCEmulator = $_.PDCEmulator #: AD1.ad.evotec.xyz
+ PublicKeyRequiredPasswordRolling = $_.PublicKeyRequiredPasswordRolling | ForEach-Object -Process { $_ } #:
+ QuotasContainer = $_.QuotasContainer #: CN = NTDS Quotas, DC = ad, DC = evotec, DC = xyz
+ ReadOnlyReplicaDirectoryServers = $_.ReadOnlyReplicaDirectoryServers | ForEach-Object -Process { $_ } #: { }
+ ReplicaDirectoryServers = $_.ReplicaDirectoryServers | ForEach-Object -Process { $_ } #: { AD1.ad.evotec.xyz, AD2.ad.evotec.xyz, AD3.ad.evotec.xyz }
+ RIDMaster = $_.RIDMaster #: AD1.ad.evotec.xyz
+ SubordinateReferences = $_.SubordinateReferences | ForEach-Object -Process { $_ } #: { DC = ForestDnsZones, DC = ad, DC = evotec, DC = xyz, DC = DomainDnsZones, DC = ad, DC = evotec, DC = xyz, CN = Configuration, DC = ad, DC = evotec, DC = xyz }
+ SystemsContainer = $_.SystemsContainer #: CN = System, DC = ad, DC = evotec, DC = xyz
+ UsersContainer = $_.UsersContainer #: CN = Users, DC = ad, DC = evotec, DC = xyz
+ }
+ }
+
+ $NetBios = $Findings['DomainsExtended'][$DomainEx]['NetBIOSName']
+ $Findings['DomainsExtendedNetBIOS'][$NetBios] = $Findings['DomainsExtended'][$DomainEx]
+ } catch {
+ Write-Warning "Get-WinADForestDetails - Error gathering Domain Information for domain $DomainEx - $($_.Exception.Message)"
+ continue
+ }
+ }
+ }
+ # Bring back setting as per default
+ if ($TemporaryProgress) {
+ $Global:ProgressPreference = $TemporaryProgress
+ }
+
+ $Findings
+ } else {
+ # this takes care of limiting output to only what we requested, but based on prior input
+ # this makes sure we ask once for all AD stuff and then subsequent calls just filter out things
+ # this should be much faster then asking again and again for stuff from AD
+ $Findings = Copy-DictionaryManual -Dictionary $ExtendedForestInformation
+ [Array] $Findings['Domains'] = foreach ($_ in $Findings.Domains) {
+ if ($IncludeDomains) {
+ if ($_ -in $IncludeDomains) {
+ $_.ToLower()
+ }
+ # We skip checking for exclusions
+ continue
+ }
+ if ($_ -notin $ExcludeDomains) {
+ $_.ToLower()
+ }
+ }
+ # Now that we have Domains we need to remove all DCs that are not from domains we excluded or included
+ foreach ($_ in [string[]] $Findings.DomainDomainControllers.Keys) {
+ if ($_ -notin $Findings.Domains) {
+ $Findings.DomainDomainControllers.Remove($_)
+ }
+ }
+ # Same as above but for query servers - we don't remove queried servers
+ #foreach ($_ in [string[]] $Findings.QueryServers.Keys) {
+ # if ($_ -notin $Findings.Domains -and $_ -ne 'Forest') {
+ # $Findings.QueryServers.Remove($_)
+ # }
+ #}
+ # Now that we have Domains we need to remove all Domains that are excluded or included
+ foreach ($_ in [string[]] $Findings.DomainsExtended.Keys) {
+ if ($_ -notin $Findings.Domains) {
+ $Findings.DomainsExtended.Remove($_)
+ $NetBiosName = $Findings.DomainsExtended.$_.'NetBIOSName'
+ if ($NetBiosName) {
+ $Findings.DomainsExtendedNetBIOS.Remove($NetBiosName)
+ }
+ }
+ }
+ [Array] $Findings['ForestDomainControllers'] = foreach ($Domain in $Findings.Domains) {
+ [Array] $AllDC = foreach ($S in $Findings.DomainDomainControllers["$Domain"]) {
+ if ($IncludeDomainControllers.Count -gt 0) {
+ If (-not $IncludeDomainControllers[0].Contains('.')) {
+ if ($S.Name -notin $IncludeDomainControllers) {
+ continue
+ }
+ } else {
+ if ($S.HostName -notin $IncludeDomainControllers) {
+ continue
+ }
+ }
+ }
+ if ($ExcludeDomainControllers.Count -gt 0) {
+ If (-not $ExcludeDomainControllers[0].Contains('.')) {
+ if ($S.Name -in $ExcludeDomainControllers) {
+ continue
+ }
+ } else {
+ if ($S.HostName -in $ExcludeDomainControllers) {
+ continue
+ }
+ }
+ }
+ $S
+ }
+ if ($SkipRODC) {
+ [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false }
+ } else {
+ [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC
+ }
+ # Building all DCs for whole Forest
+ [Array] $Findings['DomainDomainControllers'][$Domain]
+ }
+ $Findings
+ }
+}
+
+function Get-CimData {
+ <#
+ .SYNOPSIS
+ Helper function for retreiving CIM data from local and remote computers
+
+ .DESCRIPTION
+ Helper function for retreiving CIM data from local and remote computers
+
+ .PARAMETER ComputerName
+ Specifies computer on which you want to run the CIM operation. You can specify a fully qualified domain name (FQDN), a NetBIOS name, or an IP address. If you do not specify this parameter, the cmdlet performs the operation on the local computer using Component Object Model (COM).
+
+ .PARAMETER Protocol
+ Specifies the protocol to use. The acceptable values for this parameter are: DCOM, Default, or Wsman.
+
+ .PARAMETER Class
+ Specifies the name of the CIM class for which to retrieve the CIM instances. You can use tab completion to browse the list of classes, because PowerShell gets a list of classes from the local WMI server to provide a list of class names.
+
+ .PARAMETER Properties
+ Specifies a set of instance properties to retrieve. Use this parameter when you need to reduce the size of the object returned, either in memory or over the network. The object returned also contains the key properties even if you have not listed them using the Property parameter. Other properties of the class are present but they are not populated.
+
+ .EXAMPLE
+ Get-CimData -Class 'win32_bios' -ComputerName AD1,EVOWIN
+
+ Get-CimData -Class 'win32_bios'
+
+ # Get-CimClass to get all classes
+
+ .NOTES
+ General notes
+ #>
+
+ [CmdletBinding()]
+ param(
+ [parameter(Mandatory)][string] $Class,
+ [string] $NameSpace = 'root\cimv2',
+ [string[]] $ComputerName = $Env:COMPUTERNAME,
+ [ValidateSet('Default', 'Dcom', 'Wsman')][string] $Protocol = 'Default',
+ [string[]] $Properties = '*'
+ )
+ $ExcludeProperties = 'CimClass', 'CimInstanceProperties', 'CimSystemProperties', 'SystemCreationClassName', 'CreationClassName'
+
+ # Querying CIM locally usually doesn't work. This means if you're querying same computer you neeed to skip CimSession/ComputerName if it's local query
+ [Array] $ComputersSplit = Get-ComputerSplit -ComputerName $ComputerName
+
+ $CimObject = @(
+ # requires removal of this property for query
+ [string[]] $PropertiesOnly = $Properties | Where-Object { $_ -ne 'PSComputerName' }
+ # Process all remote computers
+ $Computers = $ComputersSplit[1]
+ if ($Computers.Count -gt 0) {
+ if ($Protocol = 'Default') {
+ Get-CimInstance -ClassName $Class -ComputerName $Computers -ErrorAction SilentlyContinue -Property $PropertiesOnly -Namespace $NameSpace -Verbose:$false -ErrorVariable ErrorsToProcess | Select-Object -Property $Properties -ExcludeProperty $ExcludeProperties
+ } else {
+ $Option = New-CimSessionOption -Protocol $Protocol
+ $Session = New-CimSession -ComputerName $Computers -SessionOption $Option -ErrorAction SilentlyContinue
+ $Info = Get-CimInstance -ClassName $Class -CimSession $Session -ErrorAction SilentlyContinue -Property $PropertiesOnly -Namespace $NameSpace -Verbose:$false -ErrorVariable ErrorsToProcess | Select-Object -Property $Properties -ExcludeProperty $ExcludeProperties
+ $null = Remove-CimSession -CimSession $Session -ErrorAction SilentlyContinue
+ $Info
+ }
+ }
+ foreach ($E in $ErrorsToProcess) {
+ Write-Warning -Message "Get-CimData - No data for computer $($E.OriginInfo.PSComputerName). Failed with errror: $($E.Exception.Message)"
+ }
+ # Process local computer
+ $Computers = $ComputersSplit[0]
+ if ($Computers.Count -gt 0) {
+ $Info = Get-CimInstance -ClassName $Class -ErrorAction SilentlyContinue -Property $PropertiesOnly -Namespace $NameSpace -Verbose:$false -ErrorVariable ErrorsLocal | Select-Object -Property $Properties -ExcludeProperty $ExcludeProperties
+ $Info | Add-Member -Name 'PSComputerName' -Value $Computers -MemberType NoteProperty -Force
+ $Info
+ }
+ foreach ($E in $ErrorsLocal) {
+ Write-Warning -Message "Get-CimData - No data for computer $($Env:COMPUTERNAME). Failed with errror: $($E.Exception.Message)"
+ }
+ )
+ $CimObject
+}
+
+function ConvertFrom-DistinguishedName {
+ <#
+ .SYNOPSIS
+ Converts a Distinguished Name to CN, OU, Multiple OUs or DC
+
+ .DESCRIPTION
+ Converts a Distinguished Name to CN, OU, Multiple OUs or DC
+
+ .PARAMETER DistinguishedName
+ Distinguished Name to convert
+
+ .PARAMETER ToOrganizationalUnit
+ Converts DistinguishedName to Organizational Unit
+
+ .PARAMETER ToDC
+ Converts DistinguishedName to DC
+
+ .PARAMETER ToDomainCN
+ Converts DistinguishedName to Domain CN
+
+ .EXAMPLE
+ $DistinguishedName = 'CN=Przemyslaw Klys,OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz'
+ ConvertFrom-DistinguishedName -DistinguishedName $DistinguishedName -ToOrganizationalUnit
+
+ Output:
+ OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz
+
+ .EXAMPLE
+ $DistinguishedName = 'CN=Przemyslaw Klys,OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz'
+ ConvertFrom-DistinguishedName -DistinguishedName $DistinguishedName
+
+ Output:
+ Przemyslaw Klys
+
+ .EXAMPLE
+ ConvertFrom-DistinguishedName -DistinguishedName 'OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' -ToMultipleOrganizationalUnit -IncludeParent
+
+ Output:
+ OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz
+ OU=Production,DC=ad,DC=evotec,DC=xyz
+
+ .EXAMPLE
+ ConvertFrom-DistinguishedName -DistinguishedName 'OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' -ToMultipleOrganizationalUnit
+
+ Output:
+ OU=Production,DC=ad,DC=evotec,DC=xyz
+
+ .EXAMPLE
+ $Con = @(
+ 'CN=Windows Authorization Access Group,CN=Builtin,DC=ad,DC=evotec,DC=xyz'
+ 'CN=Mmm,DC=elo,CN=nee,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=ad,DC=evotec,DC=xyz'
+ 'CN=e6d5fd00-385d-4e65-b02d-9da3493ed850,CN=Operations,CN=DomainUpdates,CN=System,DC=ad,DC=evotec,DC=xyz'
+ 'OU=Domain Controllers,DC=ad,DC=evotec,DC=pl'
+ 'OU=Microsoft Exchange Security Groups,DC=ad,DC=evotec,DC=xyz'
+ )
+
+ ConvertFrom-DistinguishedName -DistinguishedName $Con -ToLastName
+
+ Output:
+ Windows Authorization Access Group
+ Mmm
+ e6d5fd00-385d-4e65-b02d-9da3493ed850
+ Domain Controllers
+ Microsoft Exchange Security Groups
+
+ .NOTES
+ General notes
+ #>
+ [CmdletBinding(DefaultParameterSetName = 'Default')]
+ param(
+ [Parameter(ParameterSetName = 'ToOrganizationalUnit')]
+ [Parameter(ParameterSetName = 'ToMultipleOrganizationalUnit')]
+ [Parameter(ParameterSetName = 'ToDC')]
+ [Parameter(ParameterSetName = 'ToDomainCN')]
+ [Parameter(ParameterSetName = 'Default')]
+ [Parameter(ParameterSetName = 'ToLastName')]
+ [alias('Identity', 'DN')][Parameter(ValueFromPipeline, ValueFromPipelineByPropertyName, Position = 0)][string[]] $DistinguishedName,
+ [Parameter(ParameterSetName = 'ToOrganizationalUnit')][switch] $ToOrganizationalUnit,
+ [Parameter(ParameterSetName = 'ToMultipleOrganizationalUnit')][alias('ToMultipleOU')][switch] $ToMultipleOrganizationalUnit,
+ [Parameter(ParameterSetName = 'ToMultipleOrganizationalUnit')][switch] $IncludeParent,
+ [Parameter(ParameterSetName = 'ToDC')][switch] $ToDC,
+ [Parameter(ParameterSetName = 'ToDomainCN')][switch] $ToDomainCN,
+ [Parameter(ParameterSetName = 'ToLastName')][switch] $ToLastName
+ )
+ Process {
+ foreach ($Distinguished in $DistinguishedName) {
+ if ($ToDomainCN) {
+ $DN = $Distinguished -replace '.*?((DC=[^=]+,)+DC=[^=]+)$', '$1'
+ $CN = $DN -replace ',DC=', '.' -replace "DC="
+ if ($CN) {
+ $CN
+ }
+ } elseif ($ToOrganizationalUnit) {
+ $Value = [Regex]::Match($Distinguished, '(?=OU=)(.*\n?)(?<=.)').Value
+ if ($Value) {
+ $Value
+ }
+ } elseif ($ToMultipleOrganizationalUnit) {
+ if ($IncludeParent) {
+ $Distinguished
+ }
+ while ($true) {
+ #$dn = $dn -replace '^.+?,(?=CN|OU|DC)'
+ $Distinguished = $Distinguished -replace '^.+?,(?=..=)'
+ if ($Distinguished -match '^DC=') {
+ break
+ }
+ $Distinguished
+ }
+ } elseif ($ToDC) {
+ #return [Regex]::Match($DistinguishedName, '(?=DC=)(.*\n?)(?<=.)').Value
+ # return [Regex]::Match($DistinguishedName, '.*?(DC=.*)').Value
+ $Value = $Distinguished -replace '.*?((DC=[^=]+,)+DC=[^=]+)$', '$1'
+ if ($Value) {
+ $Value
+ }
+ #return [Regex]::Match($DistinguishedName, 'CN=.*?(DC=.*)').Groups[1].Value
+ } elseif ($ToLastName) {
+ # Would be best if it worked, but there is too many edge cases so hand splits seems to be the best solution
+ # Feel free to change it back to regex if you know how ;)
+ <# https://stackoverflow.com/questions/51761894/regex-extract-ou-from-distinguished-name
+ $Regex = "^(?:(?CN=(?.*?)),)?(?(?:(?(?:CN|OU).*?),)?(?(?:DC=.*)+))$"
+ $Found = $Distinguished -match $Regex
+ if ($Found) {
+ $Matches.name
+ }
+ #>
+ $NewDN = $Distinguished -split ",DC="
+ if ($NewDN[0].Contains(",OU=")) {
+ [Array] $ChangedDN = $NewDN[0] -split ",OU="
+ } elseif ($NewDN[0].Contains(",CN=")) {
+ [Array] $ChangedDN = $NewDN[0] -split ",CN="
+ } else {
+ [Array] $ChangedDN = $NewDN[0]
+ }
+ if ($ChangedDN[0].StartsWith('CN=')) {
+ $ChangedDN[0] -replace 'CN=', ''
+ } else {
+ $ChangedDN[0] -replace 'OU=', ''
+ }
+ } else {
+ $Regex = '^CN=(?.+?)(?(?:(?:OU|CN).+?(?DC.+?))$'
+ #$Output = foreach ($_ in $Distinguished) {
+ $Found = $Distinguished -match $Regex
+ if ($Found) {
+ $Matches.cn
+ }
+ #}
+ #$Output.cn
+ }
+ }
+ }
+}
+function Test-WinRM {
+ [CmdletBinding()]
+ param (
+ [alias('Server')][string[]] $ComputerName
+ )
+ $Output = foreach ($Computer in $ComputerName) {
+ $Test = [PSCustomObject] @{
+ Output = $null
+ Status = $null
+ ComputerName = $Computer
+ }
+ try {
+ $Test.Output = Test-WSMan -ComputerName $Computer -ErrorAction Stop
+ $Test.Status = $true
+ } catch {
+ $Test.Status = $false
+ }
+ $Test
+ }
+ $Output
+}
+
+function Test-ComputerPort {
+ [CmdletBinding()]
+ param (
+ [alias('Server')][string[]] $ComputerName,
+ [int[]] $PortTCP,
+ [int[]] $PortUDP,
+ [int]$Timeout = 5000
+ )
+ begin {
+ if ($Global:ProgressPreference -ne 'SilentlyContinue') {
+ $TemporaryProgress = $Global:ProgressPreference
+ $Global:ProgressPreference = 'SilentlyContinue'
+ }
+ }
+ process {
+ foreach ($Computer in $ComputerName) {
+ foreach ($P in $PortTCP) {
+ $Output = [ordered] @{
+ 'ComputerName' = $Computer
+ 'Port' = $P
+ 'Protocol' = 'TCP'
+ 'Status' = $null
+ 'Summary' = $null
+ 'Response' = $null
+ }
+
+ $TcpClient = Test-NetConnection -ComputerName $Computer -Port $P -InformationLevel Detailed -WarningAction SilentlyContinue
+ if ($TcpClient.TcpTestSucceeded) {
+ $Output['Status'] = $TcpClient.TcpTestSucceeded
+ $Output['Summary'] = "TCP $P Successful"
+ } else {
+ $Output['Status'] = $false
+ $Output['Summary'] = "TCP $P Failed"
+ $Output['Response'] = $Warnings
+ }
+ [PSCustomObject]$Output
+ }
+ foreach ($P in $PortUDP) {
+ $Output = [ordered] @{
+ 'ComputerName' = $Computer
+ 'Port' = $P
+ 'Protocol' = 'UDP'
+ 'Status' = $null
+ 'Summary' = $null
+ }
+ $UdpClient = [System.Net.Sockets.UdpClient]::new($Computer, $P)
+ $UdpClient.Client.ReceiveTimeout = $Timeout
+ # $UdpClient.Connect($Computer, $P)
+ $Encoding = [System.Text.ASCIIEncoding]::new()
+ $byte = $Encoding.GetBytes("Evotec")
+ [void]$UdpClient.Send($byte, $byte.length)
+ $RemoteEndpoint = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
+ try {
+ $Bytes = $UdpClient.Receive([ref]$RemoteEndpoint)
+ [string]$Data = $Encoding.GetString($Bytes)
+ If ($Data) {
+ $Output['Status'] = $true
+ $Output['Summary'] = "UDP $P Successful"
+ $Output['Response'] = $Data
+ }
+ } catch {
+ $Output['Status'] = $false
+ $Output['Summary'] = "UDP $P Failed"
+ $Output['Response'] = $_.Exception.Message
+ }
+ $UdpClient.Close()
+ $UdpClient.Dispose()
+ [PSCustomObject]$Output
+ }
+
+ }
+ }
+ end {
+ # Bring back setting as per default
+ if ($TemporaryProgress) {
+ $Global:ProgressPreference = $TemporaryProgress
+ }
+ }
}
\ No newline at end of file
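Review bot: Two conditions in the vendored helpers are always true, so the caller's choice is silently ignored. In Get-WinADForestDetails, `if ($Test -eq 'All' -or '*PortOpen*')` tests a non-empty string literal, so the port probe runs for every `-Test` value whenever `-TestAvailability` is set; it should read `if ($Test -eq 'All' -or $Test -like '*PortOpen*')`. In Get-CimData, `if ($Protocol = 'Default')` assigns instead of comparing, so the `Dcom`/`Wsman` session branch is never reached; use `if ($Protocol -eq 'Default')`. In the `-ExtendedForestInformation` branch, `$Findings.DomainsExtended.Remove($_)` runs before the NetBIOS name is read from that same entry, so the matching `DomainsExtendedNetBIOS` key is never removed; read the name first, then remove both. In Test-ComputerPort, `$Output['Response'] = $Warnings` reads a variable that nothing in the hunk assigns, and the TCP path never uses `$Timeout`, so the `-PortsTimeout` value passed by Get-WinADForestDetails has no effect there.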
diff --git a/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 b/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1
index 1fd5dfc..32717db 100644
--- a/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1
+++ b/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1
@@ -42,8 +42,6 @@ function Invoke-AsBuiltReport.Microsoft.AD {
}
Get-RequiredModule -Name PSPKI -Version '3.7.2'
- Get-RequiredModule -Name PSWriteColor -Version '0.87.3'
- Get-RequiredModule -Name PSSharedGoods -Version '0.0.224'
# Import Report Configuration
From 6731cd95aa39e962f6c6519d714346161f8b58e6 Mon Sep 17 00:00:00 2001
From: Jonathan Colon
Date: Fri, 24 Jun 2022 11:35:28 -0400
Subject: [PATCH 2/7] Update README.md
---
README.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index d0c4c34..aae8ebb 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,10 @@
+
+
+
+
# Microsoft AD As Built Report
From f8aa3f95246aeab0cb24f1f86351f9475d454635 Mon Sep 17 00:00:00 2001
From: Jonathan Colon
Date: Fri, 24 Jun 2022 11:36:04 -0400
Subject: [PATCH 3/7] Update README.md
---
README.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index aae8ebb..2e20dd1 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,6 @@
-
From a263c0dc1f2ae798cb5e2ad5e396ccb700b2e907 Mon Sep 17 00:00:00 2001
From: Jonathan Colon
Date: Fri, 22 Jul 2022 16:59:02 -0400
Subject: [PATCH 4/7] fix Group report for well-known groups without support
for international domains #42
---
AsBuiltReport.Microsoft.AD.psd1 | 2 +-
CHANGELOG.md | 10 ++++++
Src/Private/Get-AbrADDomainObject.ps1 | 44 +++++++++++++++++++--------
3 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/AsBuiltReport.Microsoft.AD.psd1 b/AsBuiltReport.Microsoft.AD.psd1
index a32cf12..a34eb46 100644
--- a/AsBuiltReport.Microsoft.AD.psd1
+++ b/AsBuiltReport.Microsoft.AD.psd1
@@ -12,7 +12,7 @@
RootModule = 'AsBuiltReport.Microsoft.AD.psm1'
# Version number of this module.
-ModuleVersion = '0.7.3'
+ModuleVersion = '0.7.4'
# Supported PSEditions
# CompatiblePSEditions = @()
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e01cce..031d9f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
# :arrows_clockwise: Microsoft AD As Built Report Changelog
+## [0.7.4] - 2022-xx-xx
+### Changed
+
+- Access well known groups via SID to include international names and expand them to localized group names.
+
+### Fixed
+
+- Fixes [#42](https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD/issues/42)
+
+-
## [0.7.3] - 2022-05-13
### Added
diff --git a/Src/Private/Get-AbrADDomainObject.ps1 b/Src/Private/Get-AbrADDomainObject.ps1
index 6872397..49245b2 100644
--- a/Src/Private/Get-AbrADDomainObject.ps1
+++ b/Src/Private/Get-AbrADDomainObject.ps1
@@ -5,7 +5,7 @@ function Get-AbrADDomainObject {
.DESCRIPTION
.NOTES
- Version: 0.7.2
+ Version: 0.7.4
Author: Jonathan Colon
Twitter: @jcolonfzenpr
Github: rebelinux
@@ -213,21 +213,37 @@ function Get-AbrADDomainObject {
if ($Domain) {
Write-PscriboMessage "Collecting Privileged Group in Active Directory."
try {
+ $DomainSID = Invoke-Command -Session $TempPssSession {(Get-ADDomain -Identity $using:Domain).domainsid.Value}
$DC = Invoke-Command -Session $TempPssSession {Get-ADDomain -Identity $using:Domain | Select-Object -ExpandProperty ReplicaDirectoryServers | Select-Object -First 1}
- if ($Domain -eq (Get-ADForest).Name) {
- $Groups = 'Domain Admins','Enterprise Admins','Administrators','Server Operators','DnsAdmins','Remote Desktop Users','Incoming Forest Trust Builders','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators','Schema Admins'
+ if ($Domain -eq $ADSystem.Name) {
+ #$Groups = 'Domain Admins','Enterprise Admins','Administrators','Server Operators','DnsAdmins','Remote Desktop Users','Incoming Forest Trust Builders','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators','Schema Admins'
+ $GroupsSID = "$DomainSID-512","$DomainSID-519",'S-1-5-32-544','S-1-5-32-549',"$DomainSID-1101",'S-1-5-32-555','S-1-5-32-557',"$DomainSID-526",'S-1-5-32-551',"$DomainSID-517",'S-1-5-32-550','S-1-5-32-548',"$DomainSID-518"
}
else {
- $Groups = 'Domain Admins','Server Operators','DnsAdmins','Remote Desktop Users','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators'
+ #$Groups = 'Domain Admins','Server Operators','DnsAdmins','Remote Desktop Users','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators'
+ $GroupsSID = "$DomainSID-512",'S-1-5-32-544','S-1-5-32-549',"$DomainSID-1101",'S-1-5-32-555','S-1-5-32-557',"$DomainSID-526",'S-1-5-32-551',"$DomainSID-517",'S-1-5-32-550','S-1-5-32-548'
}
- if ($Groups) {
- foreach ($Group in $Groups) {
- $GroupObject = Invoke-Command -Session $TempPssSession {Get-ADGroupMember -Server $using:DC -Identity $using:Group -Recursive -ErrorAction SilentlyContinue}
- $inObj = [ordered] @{
- 'Group Name' = $Group
- 'Count' = ($GroupObject | Measure-Object).Count
+ if ($GroupsSID) {
+ foreach ($GroupSID in $GroupsSID) {
+ try {
+ $Group = Invoke-Command -Session $TempPssSession {Get-ADGroup -Server $using:DC -Filter * | Select-Object -Property SID,Name | Where-Object {$_.SID -like $using:GroupSID}}
+ if ($Group) {
+ Write-PscriboMessage "Collecting Privileged Group $($Group.Name) with SID $($Group.SID)"
+ $GroupObject = Invoke-Command -Session $TempPssSession {Get-ADGroupMember -Server $using:DC -Identity ($using:Group).Name -Recursive -ErrorAction SilentlyContinue}
+ $inObj = [ordered] @{
+ 'Group Name' = $Group.Name
+ 'Count' = ($GroupObject | Measure-Object).Count
+ }
+ $OutObj += [pscustomobject]$inobj
+ }
}
- $OutObj += [pscustomobject]$inobj
+ catch {
+ Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Privileged Group in Active Directory item)"
+ }
+ }
+
+ if ($HealthCheck.Domain.Security) {
+ $OutObj | Where-Object { $_.'Group Name' -eq 'Schema Admins' -and $_.Count -gt 1 } | Set-Style -Style Warning
}
$TableParams = @{
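Review bot: The group resolution inside the `foreach ($GroupSID in $GroupsSID)` loop is still name-based, which undercuts the switch to SIDs. `Get-ADGroup -Filter *` pulls every group in the domain once per SID, and `Get-ADGroupMember` is then called with `($using:Group).Name`, which is not guaranteed to be an identity the cmdlet accepts; both cmdlets take a SID, so `Get-ADGroup -Server $using:DC -Identity $using:GroupSID` and `Get-ADGroupMember -Server $using:DC -Identity $using:GroupSID -Recursive` would be direct. The health check in the last added lines compares `'Group Name'` with the English string 'Schema Admins' (the same test is repeated in the following hunk), so it will not fire on a localized forest root; keeping the SID in `$inObj` and matching on `"$DomainSID-518"` avoids that. `"$DomainSID-1101"` for DnsAdmins is worth confirming, since that RID appears to be assigned when the DNS role is installed rather than fixed, and with `-ErrorAction SilentlyContinue` a failed member lookup is reported as a count of 0 for a privileged group. The enclosing function starts and ends outside this hunk.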
@@ -238,7 +254,11 @@ function Get-AbrADDomainObject {
if ($Report.ShowTableCaptions) {
$TableParams['Caption'] = "- $($TableParams.Name)"
}
- $OutObj | Sort-Object -Property 'Group Name' | Table @TableParams
+ $OutObj | Sort-Object -Property 'Group Name' | Table @TableParams
+ if ($HealthCheck.Domain.Security -and ($OutObj | Where-Object { $_.'Group Name' -eq 'Schema Admins' -and $_.Count -gt 1 })) {
+ Paragraph "Health Check:" -Italic -Bold -Underline
+ Paragraph "Secutiry Best Practice: The Schema Admins group is a privileged group in a forest root domain. Members of the Schema Admins group can make changes to the schema, which is the framework for the Active Directory forest. Changes to the schema are not frequently required. This group only contains the Built-in Administrator account by default. Additional accounts must only be added when changes to the schema are necessary and then must be removed." -Italic -Bold
+ }
}
}
catch {
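Review bot: The report text added in the second `Paragraph` call reads "Secutiry Best Practice", which will appear verbatim in every generated report that triggers this check; it should start `"Security Best Practice: The Schema Admins group ..."`. The `Where-Object` filter on 'Schema Admins' is also evaluated a second time here after the `Set-Style` call in the previous hunk, so computing the match once into a variable and reusing it for both would keep the two conditions from drifting apart. The surrounding `try` block begins outside this hunk.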
From 58838faa3f09b971c268a6f87b63a9fc11d94bfa Mon Sep 17 00:00:00 2001
From: Jonathan Colon
Date: Fri, 22 Jul 2022 17:00:57 -0400
Subject: [PATCH 5/7] Update to Changelog
---
CHANGELOG.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 031d9f4..4af33bb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,12 +4,11 @@
### Changed
- Access well known groups via SID to include international names and expand them to localized group names.
+- Removed PSSharedGoods/PSWriteColor module dependency
### Fixed
- Fixes [#42](https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD/issues/42)
-
--
## [0.7.3] - 2022-05-13
### Added
From 54ece322691eb069405f45b86f58f2b21a52e7ff Mon Sep 17 00:00:00 2001
From: Jonathan Colon
Date: Fri, 22 Jul 2022 21:39:04 -0400
Subject: [PATCH 6/7] Update Sample Microsoft AD As Built Report.html
---
.../Sample Microsoft AD As Built Report.html | 2373 ++++++++++-------
1 file changed, 1433 insertions(+), 940 deletions(-)
diff --git a/Samples/Sample Microsoft AD As Built Report.html b/Samples/Sample Microsoft AD As Built Report.html
index 828eaee..3029590 100644
--- a/Samples/Sample Microsoft AD As Built Report.html
+++ b/Samples/Sample Microsoft AD As Built Report.html
@@ -45,302 +45,302 @@
-
Microsoft AD As Built Report
Zen Pr Solutions
+
Microsoft AD As Built Report
Zen Pr Solutions
Author: | Jonathan Colon |
-Date: | Wednesday, May 11, 2022 |
+Date: | Friday, July 22, 2022 |
Version: | 1.0 |
-
1 PHARMAX.LOCAL Active Directory Report
The following section provides a summary of the Active Directory Infrastructure configuration for PHARMAX.LOCAL.
1.1 Forest Information.
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
+
1 PHARMAX.LOCAL Active Directory Report
The following section provides a summary of the Active Directory Infrastructure configuration for PHARMAX.LOCAL.
1.1 Forest Information.
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
Forest Name | pharmax.local |
Forest Functional Level | Windows2016Forest |
@@ -357,13 +357,13 @@
UPN Suffixes | - |
Table 1 - Forest Summary - PHARMAX.LOCAL
-
1.1.1 Optional Features
+1.1.1 Optional Features
Name | Required Forest Mode | Enabled |
Privileged Access Management Feature | Windows2016Forest | No |
Recycle Bin Feature | Windows2008R2Forest | Yes |
Table 2 - Optional Features - PHARMAX.LOCAL
-1.1.2 Domain Sites
+1.1.2 Domain Sites
Site Name | Description | Subnets | Creation Date |
ACAD | - | 172.23.4.0/24 | 9/5/2021 |
Cayey-Branch | Site of Cayey, PR Branch | 10.10.0.0/16 | 9/3/2021 |
@@ -372,7 +372,7 @@
UIA | - | 172.23.7.0/24 | 5/11/2022 |
Table 3 - Sites - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure Sites have an associated subnet. If subnets are not associated with AD Sites users in the AD Sites might choose a remote domain controller for authentication which in turn might result in excessive use of a remote domain controller.
Best Practices: Ensure Sites have a defined description.
1.1.2.1 Site Subnets
+Health Check:
Corrective Actions: Ensure Sites have an associated subnet. If subnets are not associated with AD Sites users in the AD Sites might choose a remote domain controller for authentication which in turn might result in excessive use of a remote domain controller.
Best Practices: Ensure Sites have a defined description.
1.1.2.1 Site Subnets
Subnet | Description | Sites | Creation Date |
10.10.0.0/16 | Cayey-Networks | Cayey-Branch | 9/12/2020 |
10.9.1.0/24 | - | Pharmax-HQ | 9/14/2021 |
@@ -381,13 +381,13 @@
192.168.0.0/16 | - | Pharmax-HQ | 9/12/2020 |
Table 4 - Site Subnets - PHARMAX.LOCAL
-Health Check:
Best Practices: Ensure that subnets has a defined description.
1.1.2.2 Site Links
+Health Check:
Best Practices: Ensure that subnets has a defined description.
1.1.2.2 Site Links
Site Link Name | Cost | Replication Frequency | Transport Protocol | Sites |
PHARMAX-to-ACAD | 100 | 15 min | IP | ACAD Pharmax-HQ |
Pharmax-to-All | 100 | 15 min | IP | UIA Dead-Site ACAD Cayey-Branch Pharmax-HQ |
Table 5 - Site Links - PHARMAX.LOCAL
-1.2 Active Directory Domain Information
An Active Directory domain is a collection of objects within a Microsoft Active Directory network. An object can be a single user or a group or it can be a hardware component, such as a computer or printer.Each domain holds a database containing object identity information. Active Directory domains can be identified using a DNS name, which can be the same as an organization's public domain name, a sub-domain or an alternate version (which may end in .local).
1.2.1 UIA.LOCAL Domain Configuration
The following section provides a summary of the Active Directory Domain Information.
+1.2 Active Directory Domain Information
An Active Directory domain is a collection of objects within a Microsoft Active Directory network. An object can be a single user or a group or it can be a hardware component, such as a computer or printer.Each domain holds a database containing object identity information. Active Directory domains can be identified using a DNS name, which can be the same as an organization's public domain name, a sub-domain or an alternate version (which may end in .local).
1.2.1 UIA.LOCAL Domain Configuration
The following section provides a summary of the Active Directory Domain Information.
Domain Name | uia |
NetBIOS Name | UIA |
@@ -405,16 +405,25 @@
Users Container | uia.local/Users |
ReadOnly Replica Directory Servers | - |
ms-DS-MachineAccountQuota | 10 |
-RID Issued | 1600 |
-RID Available | 1073740223 |
+RID Issued | 4600 |
+RID Available | 1073737223 |
Table 6 - Domain Summary - UIA.LOCAL
-1.2.1.1 Health Check - DFS Health
The following section details Distributed File System health status for Domain UIA.LOCAL.
+1.2.1.1 Health Check - Naming Context Last Backup
The following section details naming context last backup time for Domain UIA.LOCAL.
+Naming Context | Last Backup | Last Backup in Days |
+CN=Configuration,DC=pharmax,DC=local | 2022:05:13 | 70 |
+CN=Schema,CN=Configuration,DC=pharmax,DC=local | 2022:05:13 | 70 |
+DC=DomainDnsZones,DC=uia,DC=local | 2022:05:13 | 70 |
+DC=ForestDnsZones,DC=pharmax,DC=local | 2022:05:13 | 70 |
+DC=uia,DC=local | 2022:05:13 | 70 |
+
+
Table 7 - Naming Context Last Backup - UIA.LOCAL
+Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.
1.2.1.2 Health Check - DFS Health
The following section details Distributed File System health status for Domain UIA.LOCAL.
DC Name | Replication State | GPO Count | Sysvol Count | Identical Count | Stop Replication On AutoRecovery |
DC-UIA-01V | Normal | 2 | 2 | Yes | No |
-
Table 7 - Domain Last Backup - UIA.LOCAL
-Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.
1.2.1.2 Flexible Single Master Operations (FSMO)
The following section provides a summary of the Active Directory FSMO for Domain UIA.LOCAL.
+Table 8 - Domain Last Backup - UIA.LOCAL
+Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.
1.2.1.3 Flexible Single Master Operations (FSMO)
The following section provides a summary of the Active Directory FSMO for Domain UIA.LOCAL.
Infrastructure Master Server | DC-UIA-01V.uia.local |
RID Master Server | DC-UIA-01V.uia.local |
@@ -422,8 +431,8 @@
Domain Naming Master Server | Server-DC-01V.pharmax.local |
Schema Master Server | Server-DC-01V.pharmax.local |
-
Table 8 - FSMO Server - uia.local
-1.2.1.3 Domain and Trusts
The following section provides a summary of Active Directory Trust information on UIA.LOCAL.
+Table 9 - FSMO Server - uia.local
+1.2.1.4 Domain and Trusts
The following section provides a summary of Active Directory Trust information on UIA.LOCAL.
Name | pharmax.local |
Path | uia.local/System/pharmax.local |
@@ -437,71 +446,73 @@
Trust Type | Uplevel |
Uplevel Only | No |
-
Table 9 - Trusts - UIA.LOCAL
-1.2.1.4 Domain Object Count
The following section provides a summary of the Active Directory Object Count on UIA.LOCAL.
+Table 10 - Trusts - UIA.LOCAL
+1.2.1.5 Domain Object Count
The following section provides a summary of the Active Directory Object Count on UIA.LOCAL.
-Computers | 1 |
+Computers | 100 |
Servers | 1 |
Domain Controller | 1 |
Global Catalog | 1 |
-Users | 4 |
-Privileged Users | 2 |
-Groups | 45 |
+Users | 2494 |
+Privileged Users | 25 |
+Groups | 543 |
-
Table 10 - Object Count - UIA.LOCAL
-1.2.1.5 User Accounts in Active Directory
The following table provide a summary of the User Accounts from UIA.LOCAL.
+Table 11 - Object Count - UIA.LOCAL
+1.2.1.6 User Accounts in Active Directory
The following table provide a summary of the User Accounts from UIA.LOCAL.
Status | Count | Percentage |
-Enabled | 2 | 50% |
-Disabled | 2 | 50% |
+Enabled | 2492 | 100% |
+Disabled | 2 | 0% |
-
Table 11 - User Accounts in Active Directory - UIA.LOCAL
-1.2.1.6 Status of Users Accounts
The following table provide a summary of the User Accounts from UIA.LOCAL.
+Table 12 - User Accounts in Active Directory - UIA.LOCAL
+1.2.1.7 Status of Users Accounts
The following table provide a summary of the User Accounts from UIA.LOCAL.
Category | Enabled Count | Enabled % | Disabled Count | Disabled % | Total Count | Total % |
-Cannot Change Password | 13 | 325 | 1 | 25 | 14 | 350 |
-Password Never Expires | 1 | 25 | 1 | 25 | 2 | 50 |
-Must Change Password at Logon | 1 | 25 | 1 | 25 | 1 | 25 |
-Password Age (> 42 days) | 1 | 25 | 1 | 25 | 0 | 0 |
-SmartcardLogonRequired | 1 | 25 | 1 | 25 | 0 | 0 |
-SidHistory | 1 | 25 | 1 | 25 | 0 | 0 |
-Never Logged in | 1 | 25 | 2 | 50 | 3 | 75 |
-Dormant (> 90 days) | 1 | 25 | 2 | 50 | 3 | 75 |
-Password Not Required | 1 | 25 | 1 | 25 | 2 | 50 |
-Account Expired | 1 | 25 | 1 | 25 | 0 | 0 |
-Account Lockout | 1 | 25 | 1 | 25 | 0 | 0 |
+Cannot Change Password | 13 | 1 | 1 | 0 | 14 | 1 |
+Password Never Expires | 1 | 0 | 1 | 0 | 2 | 0 |
+Must Change Password at Logon | 1 | 0 | 1 | 0 | 2 | 0 |
+Password Age (> 42 days) | 2490 | 100 | 1 | 0 | 2491 | 100 |
+SmartcardLogonRequired | 1 | 0 | 1 | 0 | 0 | 0 |
+SidHistory | 1 | 0 | 1 | 0 | 0 | 0 |
+Never Logged in | 2491 | 100 | 2 | 0 | 2493 | 100 |
+Dormant (> 90 days) | 2491 | 100 | 2 | 0 | 2493 | 100 |
+Password Not Required | 1 | 0 | 1 | 0 | 2 | 0 |
+Account Expired | 1 | 0 | 1 | 0 | 0 | 0 |
+Account Lockout | 1 | 0 | 1 | 0 | 0 | 0 |
-
Table 12 - Status of User Accounts - UIA.LOCAL
-1.2.1.7 Privileged Group Count
The following table provide a summary of the Privileged Group count from UIA.LOCAL.
+Table 13 - Status of User Accounts - UIA.LOCAL
+1.2.1.8 Privileged Group Count
The following table provide a summary of the Privileged Group count from UIA.LOCAL.
Group Name | Count |
-Account Operators | 0 |
-Backup Operators | 0 |
-Cert Publishers | 0 |
-DnsAdmins | 0 |
-Domain Admins | 1 |
-Key Admins | 0 |
-Print Operators | 0 |
-Remote Desktop Users | 0 |
-Server Operators | 0 |
-
-
Table 13 - Privileged Group Count - UIA.LOCAL
-1.2.1.8 Computer Accounts in Active Directory
The following table provide a summary of the Computer Accounts from UIA.LOCAL.
+Account Operators | 1 |
+Administrators | 10 |
+Backup Operators | 2 |
+Cert Publishers | 1 |
+DnsAdmins | 3 |
+Domain Admins | 6 |
+Key Admins | 5 |
+Print Operators | 3 |
+Remote Desktop Users | 2 |
+Server Operators | 2 |
+
+
Table 14 - Privileged Group Count - UIA.LOCAL
+1.2.1.9 Computer Accounts in Active Directory
The following table provide a summary of the Computer Accounts from UIA.LOCAL.
Status | Count | Percentage |
-Enabled | 1 | 0 |
-Disabled | 1 | 0 |
+Enabled | 100 | 100% |
+Disabled | 0 | 0% |
-
Table 14 - Computer Accounts in Active Directory - UIA.LOCAL
-1.2.1.9 Status of Computer Accounts
The following table provide a summary of the Computer Accounts from UIA.LOCAL.
+Table 15 - Computer Accounts in Active Directory - UIA.LOCAL
+1.2.1.10 Status of Computer Accounts
The following table provide a summary of the Computer Accounts from UIA.LOCAL.
Category | Enabled Count | Enabled % | Disabled Count | Disabled % | Total Count | Total % |
-Dormant (> 90 days) | 1 | 0 | 1 | 0 | 0 | 0 |
-Password Age (> 30 days) | 1 | 0 | 1 | 0 | 0 | 0 |
-SidHistory | 1 | 0 | 1 | 0 | 0 | 0 |
+Dormant (> 90 days) | 99 | 99 | 0 | 0 | 99 | 99 |
+Password Age (> 30 days) | 99 | 99 | 0 | 0 | 99 | 99 |
+SidHistory | 1 | 1 | 1 | 1 | 0 | 0 |
-
Table 15 - Status of Computer Accounts - UIA.LOCAL
-1.2.1.10 Operating Systems Count
The following table provide a summary of the Operating System count from UIA.LOCAL.
+Table 16 - Status of Computer Accounts - UIA.LOCAL
+1.2.1.11 Operating Systems Count
The following table provide a summary of the Operating System count from UIA.LOCAL.
Operating System | Count |
+ | 99 |
Windows Server 2022 Datacenter Evaluation | 1 |
-
Table 16 - Operating System Count - UIA.LOCAL
-1.2.1.11 Default Domain Password Policy
The following section provides a summary of the Default Domain Password Policy on UIA.LOCAL.
+Table 17 - Operating System Count - UIA.LOCAL
+1.2.1.12 Default Domain Password Policy
The following section provides a summary of the Default Domain Password Policy on UIA.LOCAL.
Password Must Meet Complexity Requirements | Yes |
Path | uia.local/ |
@@ -514,11 +525,11 @@
Enforce Password History | 24 |
Store Password using Reversible Encryption | No |
-
Table 17 - Default Domain Password Policy - UIA.LOCAL
-1.2.1.12 Health Check - Account Security Assessment
The following section provide a summary of the Account Security Assessment on Domain UIA.LOCAL.
+Table 18 - Default Domain Password Policy - UIA.LOCAL
+1.2.1.13 Health Check - Account Security Assessment
The following section provide a summary of the Account Security Assessment on Domain UIA.LOCAL.
-Total Users | 4 |
-Enabled Users | 2 |
+Total Users | 2494 |
+Enabled Users | 2492 |
Disabled Users | 2 |
Enabled Inactive Users | 1 |
Users With Reversible Encryption Password | 0 |
@@ -528,40 +539,112 @@
User Does Not Require Pre Auth | 0 |
Users With SID History | 0 |
-
Table 18 - Account Security Assessment - UIA.LOCAL
-Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.1.13 Health Check - Privileged Users Assessment
The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain UIA.LOCAL
+Table 19 - Account Security Assessment - UIA.LOCAL
+Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.1.14 Health Check - Privileged Users Assessment
The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain UIA.LOCAL
Username | Created | Password Last Set | Last Logon Date |
-krbtgt | 5/11/2022 | 5/11/2022 | - |
Administrator | 5/11/2022 | 1/26/2022 | 5/11/2022 |
-
-
Table 19 - Privileged User Assessment - UIA.LOCAL
-Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.1.14 Health Check - Service Accounts Assessment
The following section details probable AD Service Accounts (user accounts with SPNs) on Domain UIA.LOCAL
+krbtgt | 5/11/2022 | 5/11/2022 | - |
+ERNEST_WALLACE | 5/14/2022 | 5/14/2022 | - |
+SYBIL_BIRD | 5/14/2022 | 5/14/2022 | - |
+SASHA_PRESTON | 5/14/2022 | 5/14/2022 | - |
+MONA_SYKES | 5/14/2022 | 5/14/2022 | - |
+KENDRICK_RAYMOND | 5/14/2022 | 5/14/2022 | - |
+ADA_MARSHALL | 5/14/2022 | 5/14/2022 | - |
+ELISABETH_GOMEZ | 5/14/2022 | 5/14/2022 | - |
+AVA_MERRILL | 5/14/2022 | 5/14/2022 | - |
+HUGO_MERRITT | 5/14/2022 | 5/14/2022 | - |
+AMELIA_VALENCIA | 5/14/2022 | 5/14/2022 | - |
+CAROLE_COLEMAN | 5/14/2022 | 5/14/2022 | - |
+SARAH_GREER | 5/14/2022 | 5/14/2022 | - |
+ANGEL_MCDANIEL | 5/14/2022 | 5/14/2022 | - |
+THOMAS_CASH | 5/14/2022 | 5/14/2022 | - |
+ALISSA_SHAW | 5/14/2022 | 5/14/2022 | - |
+JESSE_WHEELER | 5/14/2022 | 5/14/2022 | - |
+DARRIN_KLEIN | 5/14/2022 | 5/14/2022 | - |
+JOSIE_WHEELER | 5/14/2022 | 5/14/2022 | - |
+LEONARDO_TALLEY | 5/14/2022 | 5/14/2022 | - |
+RAYMOND_HENDERSON | 5/14/2022 | 5/14/2022 | - |
+LINA_BEASLEY | 5/14/2022 | 5/14/2022 | - |
+RACHELLE_ADAMS | 5/14/2022 | 5/14/2022 | - |
+LENA_HENDRICKS | 5/14/2022 | 5/14/2022 | - |
+
+
Table 20 - Privileged User Assessment - UIA.LOCAL
+Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.1.15 Health Check - Service Accounts Assessment
The following section details probable AD Service Accounts (user accounts with SPNs) on Domain UIA.LOCAL
Username | Enabled | Password Last Set | Last Logon Date | Service Principal Name |
+DEAN_WILEY | Yes | 5/14/2022 | - | CIFS/ESMWWEBS1000001 |
+MICHELE_WILCOX | Yes | 5/14/2022 | - | CIFS/ESMWWKS1000000 |
+ELISABETH_GOMEZ | Yes | 5/14/2022 | - | CIFS/FSRWWKS1000001 |
+VILMA_KEY | Yes | 5/14/2022 | - | CIFS/HREWDBAS1000000 |
+WILLA_CLARKE | Yes | 5/14/2022 | - | CIFS/ITSWVIR1000000 |
+JESSE_WHEELER | Yes | 5/14/2022 | - | CIFS/SECWWEBS1000000 |
+CHRISTINE_HARMON | Yes | 5/14/2022 | - | CIFS/TSTWCTRX1000000 |
+KERMIT_KINNEY | Yes | 5/14/2022 | - | ftp/AWSWLPT1000000 |
+IRMA_RODGERS | Yes | 5/14/2022 | - | ftp/AZRWCTRX1000000 |
+NUMBERS_CHEN | Yes | 5/14/2022 | - | ftp/AZRWSECS1000000 |
+CLAYTON_HEWITT | Yes | 5/14/2022 | - | ftp/BDEWVIR1000000 |
+AMOS_DAUGHERTY | Yes | 5/14/2022 | - | ftp/ESMWLPT1000001 |
+JAIME_DAWSON | Yes | 5/14/2022 | - | ftp/ESMWVIR1000000 |
+TIM_HUMPHREY | Yes | 5/14/2022 | - | ftp/FINWWKS1000001 |
+GLENDA_PATE | Yes | 5/14/2022 | - | ftp/ITSWVIR1000000 |
+ROYCE_BERNARD | Yes | 5/14/2022 | - | ftp/TSTWWKS1000002 |
+BARBARA_SKINNER | Yes | 5/14/2022 | - | https/AWSWAPPS1000000 |
+KATE_CARR | Yes | 5/14/2022 | - | https/AWSWVIR1000000 |
+CHUCK_MANNING | Yes | 5/14/2022 | - | https/BDEWSECS1000001 |
+DEBBIE_FORD | Yes | 5/14/2022 | - | https/DC-UIA-01V |
+ISSAC_BUCK | Yes | 5/14/2022 | - | https/FINWLPT1000002 |
+JOHN_YOUNG | Yes | 5/14/2022 | - | https/GOOWWEBS1000000 |
+RITA_SPARKS | Yes | 5/14/2022 | - | https/HREWWEBS1000000 |
+COLEMAN_KENNEDY | Yes | 5/14/2022 | - | https/TSTWLPT1000001 |
krbtgt | No | 5/11/2022 | - | kadmin/changepw |
-
-
Table 20 - Service Accounts Assessment - UIA.LOCAL
-Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.
1.2.1.15 Health Check - KRBTGT Account Audit
The following section provide a summary of KRBTGT account on Domain UIA.LOCAL.
+NEWTON_PENNINGTON | Yes | 5/14/2022 | - | kafka/AWSWWKS1000000 |
+NANETTE_GARRETT | Yes | 5/14/2022 | - | kafka/AZRWWEBS1000000 |
+TAMI_MULLINS | Yes | 5/14/2022 | - | kafka/ESMWWKS1000001 |
+NIGEL_FARMER | Yes | 5/14/2022 | - | kafka/ESMWWKS1000002 |
+CURT_POOLE | Yes | 5/14/2022 | - | kafka/FINWAPPS1000001 |
+LUCIANO_KINNEY | Yes | 5/14/2022 | - | kafka/FINWCTRX1000000 |
+HARRIS_DAVENPORT | Yes | 5/14/2022 | - | kafka/FSRWWKS1000001 |
+6182398383SA | Yes | 5/14/2022 | - | kafka/SECWSECS1000000 |
+JACQUELINE_MANN | Yes | 5/14/2022 | - | kafka/SECWWKS1000000 |
+FRANKLIN_SMITH | Yes | 5/14/2022 | - | kafka/TSTWCTRX1000000 |
+KITTY_CLARKE | Yes | 5/14/2022 | - | MSSQL/BDEWLPT1000001 POP3/AZRWAPPS1000000 |
+LEONARDO_VAUGHAN | Yes | 5/14/2022 | - | MSSQL/ESMWWEBS1000002 |
+CELIA_MUNOZ | Yes | 5/14/2022 | - | MSSQL/FSRWDBAS1000000 |
+KAREEM_HAHN | Yes | 5/14/2022 | - | MSSQL/HREWVIR1000000 |
+MATILDA_RAMSEY | Yes | 5/14/2022 | - | MSSQL/HREWVIR1000001 |
+GILDA_COOPER | Yes | 5/14/2022 | - | MSSQL/OGCWAPPS1000000 |
+NATALIA_HOUSTON | Yes | 5/14/2022 | - | MSSQL/TSTWLPT1000000 |
+ELIZA_WALTERS | Yes | 5/14/2022 | - | POP3/AWSWAPPS1000000 |
+AMALIA_MCLAUGHLIN | Yes | 5/14/2022 | - | POP3/AWSWLPT1000000 |
+GERRY_HUFF | Yes | 5/14/2022 | - | POP3/AWSWVIR1000000 |
+MIRANDA_KIRKLAND | Yes | 5/14/2022 | - | POP3/BDEWWKS1000000 |
+CORNELIA_WASHINGTON | Yes | 5/14/2022 | - | POP3/ESMWWEBS1000001 |
+ADOLFO_MCNEIL | Yes | 5/14/2022 | - | POP3/FINWCTRX1000000 |
+WINSTON_BAILEY | Yes | 5/14/2022 | - | POP3/FINWLPT1000003 |
+LAMONT_JUAREZ | Yes | 5/14/2022 | - | POP3/HREWWKS1000000 |
+
+
Table 21 - Service Accounts Assessment - UIA.LOCAL
+Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.
1.2.1.16 Health Check - KRBTGT Account Audit
The following section provide a summary of KRBTGT account on Domain UIA.LOCAL.
Name | krbtgt |
Created | 05/11/2022 13:56:07 |
Password Last Set | 05/11/2022 13:56:07 |
Distinguished Name | CN=krbtgt,CN=Users,DC=uia,DC=local |
-
Table 21 - KRBTGT Account Audit - UIA.LOCAL
-Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.
1.2.1.16 Health Check - Administrator Account Audit
The following section provide a summary of Administrator account on Domain UIA.LOCAL.
+Table 22 - KRBTGT Account Audit - UIA.LOCAL
+Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.
1.2.1.17 Health Check - Administrator Account Audit
The following section provide a summary of Administrator account on Domain UIA.LOCAL.
Name | Administrator |
Created | 05/11/2022 13:54:55 |
Password Last Set | 01/26/2022 20:44:53 |
Distinguished Name | CN=Administrator,CN=Users,DC=uia,DC=local |
-
Table 22 - Administrator Account Audit - UIA.LOCAL
-Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.
1.2.1.17 Domain Controller Summary
A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.
+Table 23 - Administrator Account Audit - UIA.LOCAL
+Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.
1.2.1.18 Domain Controller Summary
A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.
DC Name | Domain Name | Site | Global Catalog | Read Only | IP Address |
DC-UIA-01V | uia.local | UIA | Yes | No | 172.23.7.1 |
-
Table 23 - Domain Controller Summary - UIA.LOCAL
-1.2.1.17.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for UIA.LOCAL.
+Table 24 - Domain Controller Summary - UIA.LOCAL
+1.2.1.18.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for UIA.LOCAL.
Name | DC-UIA-01V |
Windows Product Name | Windows Server 2022 Datacenter Evaluation |
@@ -585,26 +668,26 @@
Number of Logical Cores | 2 |
Physical Memory (GB) | 4.00 GB |
-
Table 24 - Domain Controller Hardware - DC-UIA-01V
-1.2.1.17.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on UIA.LOCAL.
+Table 25 - Domain Controller Hardware - DC-UIA-01V
+1.2.1.18.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on UIA.LOCAL.
DC Name | Database File | Database Size | Log Path | SysVol Path |
-DC-UIA-01V | C:\Windows\NTDS\ntds.dit | 52.00 MB | C:\Windows\NTDS | C:\Windows\SYSVOL\sysvol |
+DC-UIA-01V | C:\Windows\NTDS\ntds.dit | 80.00 MB | C:\Windows\NTDS | C:\Windows\SYSVOL\sysvol |
-
Table 25 - NTDS Database File Usage - UIA.LOCAL
-1.2.1.17.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on UIA.LOCAL.
+Table 26 - NTDS Database File Usage - UIA.LOCAL
+1.2.1.18.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on UIA.LOCAL.
Name | Time Server | Type |
DC-UIA-01V | Domain Hierarchy | DOMHIER |
-
Table 26 - Time Source Configuration - UIA.LOCAL
-1.2.1.17.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on UIA.LOCAL.
1.2.1.17.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.1.17.5.1 DC-UIA-01V
+Table 27 - Time Source Configuration - UIA.LOCAL
+1.2.1.18.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on UIA.LOCAL.
1.2.1.18.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.1.18.5.1 DC-UIA-01V
Name | Parent | InstallState |
Active Directory Domain Services | Role | Active Directory Domain Services (AD DS) stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process. |
DHCP Server | Role | Dynamic Host Configuration Protocol (DHCP) Server enables you to centrally configure, manage, and provide temporary IP addresses and related information for client computers. |
DNS Server | Role | Domain Name System (DNS) Server provides name resolution for TCP/IP networks. DNS Server is easier to manage when it is installed on the same server as Active Directory Domain Services. If you select the Active Directory Domain Services role, you can install and configure DNS Server and Active Directory Domain Services to work together. |
File and Storage Services | Role | File and Storage Services includes services that are always installed, as well as functionality that you can install to help manage file servers and storage. |
-
Table 27 - Roles - DC-UIA-01V
-Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.1.17.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.
1.2.1.17.6.1 DC-UIA-01V
+Table 28 - Roles - DC-UIA-01V
+Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.1.18.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.
1.2.1.18.6.1 DC-UIA-01V
Test Name | Result |
Advertising | failed |
CheckSDRefDom | passed |
@@ -633,8 +716,8 @@
SysVolCheck | failed |
VerifyReferences | passed |
-
Table 28 - Domain Controller DCDiag - DC-UIA-01V
-1.2.1.17.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.1.17.7.1 DC-UIA-01V
+Table 29 - Domain Controller DCDiag - DC-UIA-01V
+1.2.1.18.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.1.18.7.1 DC-UIA-01V
Display Name | Short Name | Status |
| | |
Active Directory Domain Services | NTDS | Running |
@@ -647,8 +730,8 @@
NetLogon | Netlogon | Running |
Windows Time | W32Time | Running |
-
Table 29 - Domain Controller Infrastructure Services Status Information.
-1.2.1.17.8 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.
+Table 30 - Domain Controller Infrastructure Services Status Information.
+1.2.1.18.8 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.
DC Name | DC-UIA-01V |
GUID | 26fe30d7-5edb-4acd-8098-f0695eac1e26 |
@@ -661,7 +744,7 @@
Enabled | Yes |
Created | Wed, 11 May 2022 17:57:17 GMT |
-
Table 30 - Site Replication - DC-UIA-01V
+Table 31 - Site Replication - DC-UIA-01V
DC Name | DC-UIA-01V |
@@ -675,34 +758,260 @@
Enabled | Yes |
Created | Wed, 11 May 2022 17:57:17 GMT |
-
Table 31 - Site Replication - DC-UIA-01V
-1.2.1.17.9 Sites Replication Failure
The following section provides a summary of the Active Directory Site Replication Failure information.
+Table 32 - Site Replication - DC-UIA-01V
+1.2.1.18.9 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain UIA.LOCAL.
-Server Name | DC-UIA-01V |
-Partner | SERVER-DC-01V |
-Last Error | 1908 |
-Failure Type | Link |
-Failure Count | 0 |
-First Failure Time | Wed, 11 May 2022 17:54:50 GMT |
+GPO Name | Default Domain Policy |
+GPO Status | All Settings Enabled |
+Created | 05/11/2022 |
+Modified | 05/11/2022 |
+Description | |
+Owner | UIA\Domain Admins |
-
Table 32 - Site Replication Failure - DC-UIA-01V
-Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.
1.2.1.17.10 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain UIA.LOCAL.
-GPO Name | GPO Status | Owner |
-Default Domain Controllers Policy | All Settings Enabled | UIA\Domain Admins |
-Default Domain Policy | All Settings Enabled | UIA\Domain Admins |
+Table 33 - GPO - Default Domain Policy
+
+
+GPO Name | Default Domain Controllers Policy |
+GPO Status | All Settings Enabled |
+Created | 05/11/2022 |
+Modified | 05/11/2022 |
+Description | |
+Owner | UIA\Domain Admins |
-
Table 33 - GPO - UIA.LOCAL
-1.2.1.17.10.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.
+Table 34 - GPO - Default Domain Controllers Policy
+1.2.1.18.9.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.
Domain | Configured | Central Store Path |
UIA.LOCAL | No | \\uia.local\SYSVOL\uia.local\Policies\PolicyDefinitions |
-
Table 34 - GPO Central Store - UIA.LOCAL
-Health Check:
Best Practices: Ensure Central Store is deployed to centralized GPO repository.
1.2.1.17.11 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.
+Table 35 - GPO Central Store - UIA.LOCAL
+Health Check:
Best Practices: Ensure Central Store is deployed to centralized GPO repository.
1.2.1.18.10 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.
Name | Path | Linked GPO |
+.SecFrame.com | uia.local/.SecFrame.com | - |
+Admin | uia.local/Admin | - |
+Staging | uia.local/Admin/Staging | - |
+Tier 0 | uia.local/Admin/Tier 0 | - |
+T0-Accounts | uia.local/Admin/Tier 0/T0-Accounts | - |
+T0-Devices | uia.local/Admin/Tier 0/T0-Devices | - |
+T0-Permissions | uia.local/Admin/Tier 0/T0-Permissions | - |
+T0-Roles | uia.local/Admin/Tier 0/T0-Roles | - |
+T0-Servers | uia.local/Admin/Tier 0/T0-Servers | - |
+Tier 1 | uia.local/Admin/Tier 1 | - |
+T1-Accounts | uia.local/Admin/Tier 1/T1-Accounts | - |
+T1-Devices | uia.local/Admin/Tier 1/T1-Devices | - |
+T1-Permissions | uia.local/Admin/Tier 1/T1-Permissions | - |
+T1-Roles | uia.local/Admin/Tier 1/T1-Roles | - |
+T1-Servers | uia.local/Admin/Tier 1/T1-Servers | - |
+Tier 2 | uia.local/Admin/Tier 2 | - |
+T2-Accounts | uia.local/Admin/Tier 2/T2-Accounts | - |
+T2-Devices | uia.local/Admin/Tier 2/T2-Devices | - |
+T2-Permissions | uia.local/Admin/Tier 2/T2-Permissions | - |
+T2-Roles | uia.local/Admin/Tier 2/T2-Roles | - |
+T2-Servers | uia.local/Admin/Tier 2/T2-Servers | - |
Domain Controllers | uia.local/Domain Controllers | Default Domain Controllers Policy |
-
-
Table 35 - Organizational Unit - UIA.LOCAL
-1.2.2 PHARMAX.LOCAL Domain Configuration
The following section provides a summary of the Active Directory Domain Information.
+Grouper-Groups | uia.local/Grouper-Groups | - |
+People | uia.local/People | - |
+AWS | uia.local/People/AWS | - |
+AZR | uia.local/People/AZR | - |
+BDE | uia.local/People/BDE | - |
+Deprovisioned | uia.local/People/Deprovisioned | - |
+ESM | uia.local/People/ESM | - |
+FIN | uia.local/People/FIN | - |
+FSR | uia.local/People/FSR | - |
+GOO | uia.local/People/GOO | - |
+HRE | uia.local/People/HRE | - |
+ITS | uia.local/People/ITS | - |
+OGC | uia.local/People/OGC | - |
+SEC | uia.local/People/SEC | - |
+TST | uia.local/People/TST | - |
+Unassociated | uia.local/People/Unassociated | - |
+Quarantine | uia.local/Quarantine | - |
+Stage | uia.local/Stage | - |
+AWS | uia.local/Stage/AWS | - |
+Devices | uia.local/Stage/AWS/Devices | - |
+Groups | uia.local/Stage/AWS/Groups | - |
+ServiceAccounts | uia.local/Stage/AWS/ServiceAccounts | - |
+Test | uia.local/Stage/AWS/Test | - |
+AZR | uia.local/Stage/AZR | - |
+Devices | uia.local/Stage/AZR/Devices | - |
+Groups | uia.local/Stage/AZR/Groups | - |
+ServiceAccounts | uia.local/Stage/AZR/ServiceAccounts | - |
+Test | uia.local/Stage/AZR/Test | - |
+BDE | uia.local/Stage/BDE | - |
+Devices | uia.local/Stage/BDE/Devices | - |
+Groups | uia.local/Stage/BDE/Groups | - |
+ServiceAccounts | uia.local/Stage/BDE/ServiceAccounts | - |
+Test | uia.local/Stage/BDE/Test | - |
+ESM | uia.local/Stage/ESM | - |
+Devices | uia.local/Stage/ESM/Devices | - |
+Groups | uia.local/Stage/ESM/Groups | - |
+ServiceAccounts | uia.local/Stage/ESM/ServiceAccounts | - |
+Test | uia.local/Stage/ESM/Test | - |
+FIN | uia.local/Stage/FIN | - |
+Devices | uia.local/Stage/FIN/Devices | - |
+Groups | uia.local/Stage/FIN/Groups | - |
+ServiceAccounts | uia.local/Stage/FIN/ServiceAccounts | - |
+Test | uia.local/Stage/FIN/Test | - |
+FSR | uia.local/Stage/FSR | - |
+Devices | uia.local/Stage/FSR/Devices | - |
+Groups | uia.local/Stage/FSR/Groups | - |
+ServiceAccounts | uia.local/Stage/FSR/ServiceAccounts | - |
+Test | uia.local/Stage/FSR/Test | - |
+GOO | uia.local/Stage/GOO | - |
+Devices | uia.local/Stage/GOO/Devices | - |
+Groups | uia.local/Stage/GOO/Groups | - |
+ServiceAccounts | uia.local/Stage/GOO/ServiceAccounts | - |
+Test | uia.local/Stage/GOO/Test | - |
+HRE | uia.local/Stage/HRE | - |
+Devices | uia.local/Stage/HRE/Devices | - |
+Groups | uia.local/Stage/HRE/Groups | - |
+ServiceAccounts | uia.local/Stage/HRE/ServiceAccounts | - |
+Test | uia.local/Stage/HRE/Test | - |
+ITS | uia.local/Stage/ITS | - |
+Devices | uia.local/Stage/ITS/Devices | - |
+Groups | uia.local/Stage/ITS/Groups | - |
+ServiceAccounts | uia.local/Stage/ITS/ServiceAccounts | - |
+Test | uia.local/Stage/ITS/Test | - |
+OGC | uia.local/Stage/OGC | - |
+Devices | uia.local/Stage/OGC/Devices | - |
+Groups | uia.local/Stage/OGC/Groups | - |
+ServiceAccounts | uia.local/Stage/OGC/ServiceAccounts | - |
+Test | uia.local/Stage/OGC/Test | - |
+SEC | uia.local/Stage/SEC | - |
+Devices | uia.local/Stage/SEC/Devices | - |
+Groups | uia.local/Stage/SEC/Groups | - |
+ServiceAccounts | uia.local/Stage/SEC/ServiceAccounts | - |
+Test | uia.local/Stage/SEC/Test | - |
+TST | uia.local/Stage/TST | - |
+Devices | uia.local/Stage/TST/Devices | - |
+Groups | uia.local/Stage/TST/Groups | - |
+ServiceAccounts | uia.local/Stage/TST/ServiceAccounts | - |
+Test | uia.local/Stage/TST/Test | - |
+Testing | uia.local/Testing | - |
+Tier 1 | uia.local/Tier 1 | - |
+AWS | uia.local/Tier 1/AWS | - |
+Devices | uia.local/Tier 1/AWS/Devices | - |
+Groups | uia.local/Tier 1/AWS/Groups | - |
+ServiceAccounts | uia.local/Tier 1/AWS/ServiceAccounts | - |
+Test | uia.local/Tier 1/AWS/Test | - |
+AZR | uia.local/Tier 1/AZR | - |
+Devices | uia.local/Tier 1/AZR/Devices | - |
+Groups | uia.local/Tier 1/AZR/Groups | - |
+ServiceAccounts | uia.local/Tier 1/AZR/ServiceAccounts | - |
+Test | uia.local/Tier 1/AZR/Test | - |
+BDE | uia.local/Tier 1/BDE | - |
+Devices | uia.local/Tier 1/BDE/Devices | - |
+Groups | uia.local/Tier 1/BDE/Groups | - |
+ServiceAccounts | uia.local/Tier 1/BDE/ServiceAccounts | - |
+Test | uia.local/Tier 1/BDE/Test | - |
+ESM | uia.local/Tier 1/ESM | - |
+Devices | uia.local/Tier 1/ESM/Devices | - |
+Groups | uia.local/Tier 1/ESM/Groups | - |
+ServiceAccounts | uia.local/Tier 1/ESM/ServiceAccounts | - |
+Test | uia.local/Tier 1/ESM/Test | - |
+FIN | uia.local/Tier 1/FIN | - |
+Devices | uia.local/Tier 1/FIN/Devices | - |
+Groups | uia.local/Tier 1/FIN/Groups | - |
+ServiceAccounts | uia.local/Tier 1/FIN/ServiceAccounts | - |
+Test | uia.local/Tier 1/FIN/Test | - |
+FSR | uia.local/Tier 1/FSR | - |
+Devices | uia.local/Tier 1/FSR/Devices | - |
+Groups | uia.local/Tier 1/FSR/Groups | - |
+ServiceAccounts | uia.local/Tier 1/FSR/ServiceAccounts | - |
+Test | uia.local/Tier 1/FSR/Test | - |
+GOO | uia.local/Tier 1/GOO | - |
+Devices | uia.local/Tier 1/GOO/Devices | - |
+Groups | uia.local/Tier 1/GOO/Groups | - |
+ServiceAccounts | uia.local/Tier 1/GOO/ServiceAccounts | - |
+Test | uia.local/Tier 1/GOO/Test | - |
+HRE | uia.local/Tier 1/HRE | - |
+Devices | uia.local/Tier 1/HRE/Devices | - |
+Groups | uia.local/Tier 1/HRE/Groups | - |
+ServiceAccounts | uia.local/Tier 1/HRE/ServiceAccounts | - |
+Test | uia.local/Tier 1/HRE/Test | - |
+ITS | uia.local/Tier 1/ITS | - |
+Devices | uia.local/Tier 1/ITS/Devices | - |
+Groups | uia.local/Tier 1/ITS/Groups | - |
+ServiceAccounts | uia.local/Tier 1/ITS/ServiceAccounts | - |
+Test | uia.local/Tier 1/ITS/Test | - |
+OGC | uia.local/Tier 1/OGC | - |
+Devices | uia.local/Tier 1/OGC/Devices | - |
+Groups | uia.local/Tier 1/OGC/Groups | - |
+ServiceAccounts | uia.local/Tier 1/OGC/ServiceAccounts | - |
+Test | uia.local/Tier 1/OGC/Test | - |
+SEC | uia.local/Tier 1/SEC | - |
+Devices | uia.local/Tier 1/SEC/Devices | - |
+Groups | uia.local/Tier 1/SEC/Groups | - |
+ServiceAccounts | uia.local/Tier 1/SEC/ServiceAccounts | - |
+Test | uia.local/Tier 1/SEC/Test | - |
+TST | uia.local/Tier 1/TST | - |
+Devices | uia.local/Tier 1/TST/Devices | - |
+Groups | uia.local/Tier 1/TST/Groups | - |
+ServiceAccounts | uia.local/Tier 1/TST/ServiceAccounts | - |
+Test | uia.local/Tier 1/TST/Test | - |
+Tier 2 | uia.local/Tier 2 | - |
+AWS | uia.local/Tier 2/AWS | - |
+Devices | uia.local/Tier 2/AWS/Devices | - |
+Groups | uia.local/Tier 2/AWS/Groups | - |
+ServiceAccounts | uia.local/Tier 2/AWS/ServiceAccounts | - |
+Test | uia.local/Tier 2/AWS/Test | - |
+AZR | uia.local/Tier 2/AZR | - |
+Devices | uia.local/Tier 2/AZR/Devices | - |
+Groups | uia.local/Tier 2/AZR/Groups | - |
+ServiceAccounts | uia.local/Tier 2/AZR/ServiceAccounts | - |
+Test | uia.local/Tier 2/AZR/Test | - |
+BDE | uia.local/Tier 2/BDE | - |
+Devices | uia.local/Tier 2/BDE/Devices | - |
+Groups | uia.local/Tier 2/BDE/Groups | - |
+ServiceAccounts | uia.local/Tier 2/BDE/ServiceAccounts | - |
+Test | uia.local/Tier 2/BDE/Test | - |
+ESM | uia.local/Tier 2/ESM | - |
+Devices | uia.local/Tier 2/ESM/Devices | - |
+Groups | uia.local/Tier 2/ESM/Groups | - |
+ServiceAccounts | uia.local/Tier 2/ESM/ServiceAccounts | - |
+Test | uia.local/Tier 2/ESM/Test | - |
+FIN | uia.local/Tier 2/FIN | - |
+Devices | uia.local/Tier 2/FIN/Devices | - |
+Groups | uia.local/Tier 2/FIN/Groups | - |
+ServiceAccounts | uia.local/Tier 2/FIN/ServiceAccounts | - |
+Test | uia.local/Tier 2/FIN/Test | - |
+FSR | uia.local/Tier 2/FSR | - |
+Devices | uia.local/Tier 2/FSR/Devices | - |
+Groups | uia.local/Tier 2/FSR/Groups | - |
+ServiceAccounts | uia.local/Tier 2/FSR/ServiceAccounts | - |
+Test | uia.local/Tier 2/FSR/Test | - |
+GOO | uia.local/Tier 2/GOO | - |
+Devices | uia.local/Tier 2/GOO/Devices | - |
+Groups | uia.local/Tier 2/GOO/Groups | - |
+ServiceAccounts | uia.local/Tier 2/GOO/ServiceAccounts | - |
+Test | uia.local/Tier 2/GOO/Test | - |
+HRE | uia.local/Tier 2/HRE | - |
+Devices | uia.local/Tier 2/HRE/Devices | - |
+Groups | uia.local/Tier 2/HRE/Groups | - |
+ServiceAccounts | uia.local/Tier 2/HRE/ServiceAccounts | - |
+Test | uia.local/Tier 2/HRE/Test | - |
+ITS | uia.local/Tier 2/ITS | - |
+Devices | uia.local/Tier 2/ITS/Devices | - |
+Groups | uia.local/Tier 2/ITS/Groups | - |
+ServiceAccounts | uia.local/Tier 2/ITS/ServiceAccounts | - |
+Test | uia.local/Tier 2/ITS/Test | - |
+OGC | uia.local/Tier 2/OGC | - |
+Devices | uia.local/Tier 2/OGC/Devices | - |
+Groups | uia.local/Tier 2/OGC/Groups | - |
+ServiceAccounts | uia.local/Tier 2/OGC/ServiceAccounts | - |
+Test | uia.local/Tier 2/OGC/Test | - |
+SEC | uia.local/Tier 2/SEC | - |
+Devices | uia.local/Tier 2/SEC/Devices | - |
+Groups | uia.local/Tier 2/SEC/Groups | - |
+ServiceAccounts | uia.local/Tier 2/SEC/ServiceAccounts | - |
+Test | uia.local/Tier 2/SEC/Test | - |
+TST | uia.local/Tier 2/TST | - |
+Devices | uia.local/Tier 2/TST/Devices | - |
+Groups | uia.local/Tier 2/TST/Groups | - |
+ServiceAccounts | uia.local/Tier 2/TST/ServiceAccounts | - |
+Test | uia.local/Tier 2/TST/Test | - |
+
+
Table 36 - Organizational Unit - UIA.LOCAL
+1.2.2 PHARMAX.LOCAL Domain Configuration
The following section provides a summary of the Active Directory Domain Information.
Domain Name | pharmax |
NetBIOS Name | PHARMAX |
@@ -723,23 +1032,23 @@
RID Issued | 8100 |
RID Available | 1073733723 |
-
Table 36 - Domain Summary - PHARMAX.LOCAL
-1.2.2.1 Health Check - Naming Context Last Backup
The following section details naming context last backup time for Domain PHARMAX.LOCAL.
+Table 37 - Domain Summary - PHARMAX.LOCAL
+1.2.2.1 Health Check - Naming Context Last Backup
The following section details naming context last backup time for Domain PHARMAX.LOCAL.
Naming Context | Last Backup | Last Backup in Days |
-CN=Configuration,DC=pharmax,DC=local | 2022:05:11 | 0 |
-CN=Schema,CN=Configuration,DC=pharmax,DC=local | 2022:05:11 | 0 |
-DC=DomainDnsZones,DC=pharmax,DC=local | 2022:05:02 | 8 |
-DC=ForestDnsZones,DC=pharmax,DC=local | 2022:05:11 | 0 |
-DC=pharmax,DC=local | 2022:05:02 | 8 |
-
-
Table 37 - Naming Context Last Backup - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.
1.2.2.2 Health Check - DFS Health
The following section details Distributed File System health status for Domain PHARMAX.LOCAL.
+CN=Configuration,DC=pharmax,DC=local | 2022:05:13 | 70 |
+CN=Schema,CN=Configuration,DC=pharmax,DC=local | 2022:05:13 | 70 |
+DC=DomainDnsZones,DC=pharmax,DC=local | 2022:05:02 | 80 |
+DC=ForestDnsZones,DC=pharmax,DC=local | 2022:05:13 | 70 |
+DC=pharmax,DC=local | 2022:05:02 | 80 |
+
+
Table 38 - Naming Context Last Backup - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.
1.2.2.2 Health Check - DFS Health
The following section details Distributed File System health status for Domain PHARMAX.LOCAL.
DC Name | Replication State | GPO Count | Sysvol Count | Identical Count | Stop Replication On AutoRecovery |
CAYEY-DC-01V | Normal | 14 | 14 | Yes | No |
SERVER-DC-01V | Normal | 14 | 14 | Yes | No |
-
Table 38 - Domain Last Backup - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.
1.2.2.3 Flexible Single Master Operations (FSMO)
The following section provides a summary of the Active Directory FSMO for Domain PHARMAX.LOCAL.
+Table 39 - Domain Last Backup - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.
1.2.2.3 Flexible Single Master Operations (FSMO)
The following section provides a summary of the Active Directory FSMO for Domain PHARMAX.LOCAL.
Infrastructure Master Server | Server-DC-01V.pharmax.local |
RID Master Server | Server-DC-01V.pharmax.local |
@@ -747,8 +1056,8 @@
Domain Naming Master Server | Server-DC-01V.pharmax.local |
Schema Master Server | Server-DC-01V.pharmax.local |
-
Table 39 - FSMO Server - pharmax.local
-1.2.2.4 Domain and Trusts
The following section provides a summary of Active Directory Trust information on PHARMAX.LOCAL.
+Table 40 - FSMO Server - pharmax.local
+1.2.2.4 Domain and Trusts
The following section provides a summary of Active Directory Trust information on PHARMAX.LOCAL.
Name | acad.pharmax.local |
Path | pharmax.local/System/acad.pharmax.local |
@@ -762,7 +1071,7 @@
Trust Type | Uplevel |
Uplevel Only | No |
-
Table 40 - Trusts - PHARMAX.LOCAL
+Table 41 - Trusts - PHARMAX.LOCAL
Name | uia.local |
@@ -777,40 +1086,40 @@
Trust Type | Uplevel |
Uplevel Only | No |
-
Table 41 - Trusts - PHARMAX.LOCAL
-1.2.2.5 Domain Object Count
The following section provides a summary of the Active Directory Object Count on PHARMAX.LOCAL.
+Table 42 - Trusts - PHARMAX.LOCAL
+1.2.2.5 Domain Object Count
The following section provides a summary of the Active Directory Object Count on PHARMAX.LOCAL.
-Computers | 197 |
-Servers | 59 |
+Computers | 201 |
+Servers | 63 |
Domain Controller | 2 |
Global Catalog | 1 |
Users | 2889 |
Privileged Users | 19 |
Groups | 564 |
-
Table 42 - Object Count - PHARMAX.LOCAL
-1.2.2.6 User Accounts in Active Directory
The following table provide a summary of the User Accounts from PHARMAX.LOCAL.
+Table 43 - Object Count - PHARMAX.LOCAL
+1.2.2.6 User Accounts in Active Directory
The following table provide a summary of the User Accounts from PHARMAX.LOCAL.
Status | Count | Percentage |
Enabled | 2885 | 100% |
Disabled | 4 | 0% |
-
Table 43 - User Accounts in Active Directory - PHARMAX.LOCAL
-1.2.2.7 Status of Users Accounts
The following table provide a summary of the User Accounts from PHARMAX.LOCAL.
+Table 44 - User Accounts in Active Directory - PHARMAX.LOCAL
+1.2.2.7 Status of Users Accounts
The following table provide a summary of the User Accounts from PHARMAX.LOCAL.
Category | Enabled Count | Enabled % | Disabled Count | Disabled % | Total Count | Total % |
Cannot Change Password | 13 | 0 | 1 | 0 | 14 | 0 |
Password Never Expires | 17 | 1 | 3 | 0 | 20 | 1 |
Must Change Password at Logon | 0 | 0 | 2 | 0 | 2 | 0 |
-Password Age (> 42 days) | 4 | 0 | 1 | 0 | 5 | 0 |
+Password Age (> 42 days) | 2866 | 99 | 1 | 0 | 2867 | 99 |
SmartcardLogonRequired | 1 | 0 | 1 | 0 | 2 | 0 |
SidHistory | 1 | 0 | 1 | 0 | 0 | 0 |
Never Logged in | 2869 | 99 | 4 | 0 | 2873 | 99 |
-Dormant (> 90 days) | 2881 | 100 | 4 | 0 | 2885 | 100 |
+Dormant (> 90 days) | 2882 | 100 | 4 | 0 | 2886 | 100 |
Password Not Required | 2 | 0 | 2 | 0 | 4 | 0 |
Account Expired | 1 | 0 | 1 | 0 | 1 | 0 |
Account Lockout | 1 | 0 | 1 | 0 | 0 | 0 |
-
Table 44 - Status of User Accounts - PHARMAX.LOCAL
-1.2.2.8 Privileged Group Count
The following table provide a summary of the Privileged Group count from PHARMAX.LOCAL.
+Table 45 - Status of User Accounts - PHARMAX.LOCAL
+1.2.2.8 Privileged Group Count
The following table provide a summary of the Privileged Group count from PHARMAX.LOCAL.
Group Name | Count |
Account Operators | 1 |
Administrators | 6 |
@@ -823,24 +1132,24 @@
Key Admins | 2 |
Print Operators | 1 |
Remote Desktop Users | 3 |
-Schema Admins | 1 |
+Schema Admins | 25 |
Server Operators | 3 |
-
Table 45 - Privileged Group Count - PHARMAX.LOCAL
-1.2.2.9 Computer Accounts in Active Directory
The following table provide a summary of the Computer Accounts from PHARMAX.LOCAL.
+Table 46 - Privileged Group Count - PHARMAX.LOCAL
+Health Check:
Secutiry Best Practice: The Schema Admins group is a privileged group in a forest root domain. Members of the Schema Admins group can make changes to the schema, which is the framework for the Active Directory forest. Changes to the schema are not frequently required. This group only contains the Built-in Administrator account by default. Additional accounts must only be added when changes to the schema are necessary and then must be removed.
1.2.2.9 Computer Accounts in Active Directory
The following table provide a summary of the Computer Accounts from PHARMAX.LOCAL.
Status | Count | Percentage |
-Enabled | 193 | 98% |
+Enabled | 197 | 98% |
Disabled | 4 | 2% |
-
Table 46 - Computer Accounts in Active Directory - PHARMAX.LOCAL
-1.2.2.10 Status of Computer Accounts
The following table provide a summary of the Computer Accounts from PHARMAX.LOCAL.
+Table 47 - Computer Accounts in Active Directory - PHARMAX.LOCAL
+1.2.2.10 Status of Computer Accounts
The following table provide a summary of the Computer Accounts from PHARMAX.LOCAL.
Category | Enabled Count | Enabled % | Disabled Count | Disabled % | Total Count | Total % |
-Dormant (> 90 days) | 172 | 87 | 4 | 2 | 176 | 89 |
-Password Age (> 30 days) | 178 | 90 | 4 | 2 | 182 | 92 |
-SidHistory | 1 | 1 | 1 | 1 | 0 | 0 |
+Dormant (> 90 days) | 172 | 86 | 4 | 2 | 176 | 88 |
+Password Age (> 30 days) | 182 | 91 | 4 | 2 | 186 | 93 |
+SidHistory | 1 | 0 | 1 | 0 | 0 | 0 |
-
Table 47 - Status of Computer Accounts - PHARMAX.LOCAL
-1.2.2.11 Operating Systems Count
The following table provide a summary of the Operating System count from PHARMAX.LOCAL.
+Table 48 - Status of Computer Accounts - PHARMAX.LOCAL
+1.2.2.11 Operating Systems Count
The following table provide a summary of the Operating System count from PHARMAX.LOCAL.
Operating System | Count |
| 103 |
CentOS | 1 |
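Review bot: The regenerated `SidHistory` row in the Status of Computer Accounts table still reports Enabled Count 1 and Disabled Count 1 against a Total Count of 0, so the three counts cannot all be right. The commit only changed the percentages on that row, which suggests the generator counts an empty result as one object; that code is not visible in this hunk and should be checked before the sample is republished. Separately, the added health-check text after Table 46 reads `Secutiry Best Practice:` and should read `Security Best Practice:`. Because this file is generated output, the typo needs fixing in the string the report function emits rather than here.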
@@ -848,7 +1157,7 @@
EMC File Server | 1 |
NetApp Release 9.5P6 | 1 |
NetApp Release 9.8 | 1 |
-NetApp Release 9.9.1 | 1 |
+NetApp Release 9.8P7 | 1 |
NetApp Release 9.9.1P1 | 3 |
OneFS | 1 |
redhat-linux-gnu | 1 |
@@ -857,12 +1166,13 @@
Windows 10 Enterprise | 1 |
Windows 10 Enterprise Evaluation | 15 |
Windows Server 2016 Standard Evaluation | 10 |
-Windows Server 2019 Standard Evaluation | 40 |
+Windows Server 2019 Standard | 1 |
+Windows Server 2019 Standard Evaluation | 39 |
Windows Server 2022 Datacenter | 3 |
-Windows Server 2022 Datacenter Evaluation | 6 |
+Windows Server 2022 Datacenter Evaluation | 10 |
-
Table 48 - Operating System Count - PHARMAX.LOCAL
-1.2.2.12 Default Domain Password Policy
The following section provides a summary of the Default Domain Password Policy on PHARMAX.LOCAL.
+Table 49 - Operating System Count - PHARMAX.LOCAL
+1.2.2.12 Default Domain Password Policy
The following section provides a summary of the Default Domain Password Policy on PHARMAX.LOCAL.
Password Must Meet Complexity Requirements | Yes |
Path | pharmax.local/ |
@@ -875,8 +1185,8 @@
Enforce Password History | 24 |
Store Password using Reversible Encryption | No |
-
Table 49 - Default Domain Password Policy - PHARMAX.LOCAL
-1.2.2.13 Fined Grained Password Policies
The following section provides a summary of the Fined Grained Password Policies on PHARMAX.LOCAL.
+Table 50 - Default Domain Password Policy - PHARMAX.LOCAL
+1.2.2.13 Fined Grained Password Policies
The following section provides a summary of the Fined Grained Password Policies on PHARMAX.LOCAL.
Password Setting Name | Administrators |
Domain Name | pharmax.local |
@@ -893,7 +1203,7 @@
Precedence | 1 |
Applies To | horizon-ic, dbuser, jocolon |
-
Table 50 - Fined Grained Password Policies - Administrators
+Table 51 - Fined Grained Password Policies - Administrators
Password Setting Name | Test |
@@ -911,8 +1221,8 @@
Precedence | 1 |
Applies To | vmuserro |
-
Table 51 - Fined Grained Password Policies - Test
-1.2.2.14 Group Managed Service Accounts (GMSA)
The following section provides a summary of the Group Managed Service Accounts on PHARMAX.LOCAL.
+Table 52 - Fined Grained Password Policies - Test
+1.2.2.14 Group Managed Service Accounts (GMSA)
The following section provides a summary of the Group Managed Service Accounts on PHARMAX.LOCAL.
Name | SQLServer |
SamAccountName | SQLServer$ |
@@ -928,7 +1238,7 @@
Password Expired | No |
Password Last Set | 09/27/2020 14:14:22 |
-
Table 52 - Group Managed Service Accounts - SQLServer
+Table 53 - Group Managed Service Accounts - SQLServer
Name | adfsgmsa |
@@ -945,8 +1255,8 @@
Password Expired | No |
Password Last Set | 10/07/2020 18:36:16 |
-
Table 53 - Group Managed Service Accounts - adfsgmsa
-1.2.2.15 Health Check - Account Security Assessment
The following section provide a summary of the Account Security Assessment on Domain PHARMAX.LOCAL.
+Table 54 - Group Managed Service Accounts - adfsgmsa
+1.2.2.15 Health Check - Account Security Assessment
The following section provide a summary of the Account Security Assessment on Domain PHARMAX.LOCAL.
Total Users | 2889 |
Enabled Users | 2885 |
@@ -959,12 +1269,12 @@
User Does Not Require Pre Auth | 0 |
Users With SID History | 0 |
-
Table 54 - Account Security Assessment - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.2.16 Health Check - Privileged Users Assessment
The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain PHARMAX.LOCAL
+Table 55 - Account Security Assessment - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.2.16 Health Check - Privileged Users Assessment
The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain PHARMAX.LOCAL
Username | Created | Password Last Set | Last Logon Date |
krbtgt | 6/10/2018 | 6/10/2018 | - |
-Administrator | 6/10/2018 | 6/10/2018 | 5/2/2022 |
-jocolon | 12/4/2019 | 11/30/2021 | 5/7/2022 |
+Administrator | 6/10/2018 | 6/10/2018 | 12/22/2043 |
+jocolon | 12/4/2019 | 11/30/2021 | 12/22/2043 |
svc_SCCM_ClientPush | 9/12/2020 | 9/12/2020 | 9/14/2020 |
DAMIAN_LEVY | 4/5/2022 | 4/5/2022 | - |
JUDSON_BULLOCK | 4/5/2022 | 4/5/2022 | - |
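Review bot: The new Last Logon Date for `Administrator` and `jocolon` in the Privileged Users Assessment table is `12/22/2043`, a future date that is identical on both rows, where the previous sample showed `5/2/2022` and `5/7/2022`. This looks like a regression in how the generator converts the logon timestamp, possibly introduced along with the functions copied in to replace the removed module dependency, though the conversion code is not visible in this hunk. A wrong last-logon value on AdminCount=1 accounts defeats the purpose of this health check, since stale privileged accounts can no longer be told apart from active ones. The conversion should be verified against a known account and the sample regenerated.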
@@ -982,8 +1292,8 @@
LAWANDA_JOSEPH | 4/5/2022 | 4/5/2022 | - |
NICHOLAS_SCHROEDER | 4/5/2022 | 4/5/2022 | - |
-
Table 55 - Privileged User Assessment - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.2.17 Health Check - Service Accounts Assessment
The following section details probable AD Service Accounts (user accounts with SPNs) on Domain PHARMAX.LOCAL
+Table 56 - Privileged User Assessment - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.2.17 Health Check - Service Accounts Assessment
The following section details probable AD Service Accounts (user accounts with SPNs) on Domain PHARMAX.LOCAL
Username | Enabled | Password Last Set | Last Logon Date | Service Principal Name |
vcenter | Yes | 12/13/2019 | 12/13/2019 | CIFS/ACAD-DNS-01V |
7007675057SA | Yes | 4/5/2022 | - | CIFS/DR-DC-01V |
@@ -1082,34 +1392,34 @@
MARICELA_GARDNER | Yes | 4/5/2022 | - | POP3/VEEAM-HV-01 |
CLAUDE_BOYD | Yes | 4/5/2022 | - | POP3/vm-001v |
-
Table 56 - Service Accounts Assessment - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.
1.2.2.18 Health Check - Unconstrained Kerberos Delegation
The following section provide a summary of unconstrained kerberos delegation on Domain PHARMAX.LOCAL.
+Table 57 - Service Accounts Assessment - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.
1.2.2.18 Health Check - Unconstrained Kerberos Delegation
The following section provide a summary of unconstrained kerberos delegation on Domain PHARMAX.LOCAL.
Name | Distinguished Name |
HV-SERVER-01V | CN=HV-SERVER-01V,OU=Member Servers,DC=pharmax,DC=local |
-
Table 57 - Unconstrained Kerberos Delegation - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure there aren't any unconstrained kerberos delegation in Active Directory.
1.2.2.19 Health Check - KRBTGT Account Audit
The following section provide a summary of KRBTGT account on Domain PHARMAX.LOCAL.
+Table 58 - Unconstrained Kerberos Delegation - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure there aren't any unconstrained kerberos delegation in Active Directory.
1.2.2.19 Health Check - KRBTGT Account Audit
The following section provide a summary of KRBTGT account on Domain PHARMAX.LOCAL.
Name | krbtgt |
Created | 06/10/2018 21:00:49 |
Password Last Set | 06/10/2018 21:00:49 |
Distinguished Name | CN=krbtgt,CN=Users,DC=pharmax,DC=local |
-
Table 58 - KRBTGT Account Audit - PHARMAX.LOCAL
-Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.
1.2.2.20 Health Check - Administrator Account Audit
The following section provide a summary of Administrator account on Domain PHARMAX.LOCAL.
+Table 59 - KRBTGT Account Audit - PHARMAX.LOCAL
+Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.
1.2.2.20 Health Check - Administrator Account Audit
The following section provide a summary of Administrator account on Domain PHARMAX.LOCAL.
Name | Administrator |
Created | 06/10/2018 21:00:05 |
Password Last Set | 06/10/2018 04:01:50 |
Distinguished Name | CN=Administrator,CN=Users,DC=pharmax,DC=local |
-
Table 59 - Administrator Account Audit - PHARMAX.LOCAL
-Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.
1.2.2.21 Health Check - Duplicate Objects
The following section details Duplicate Objects discovered on Domain PHARMAX.LOCAL.
+Table 60 - Administrator Account Audit - PHARMAX.LOCAL
+Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.
1.2.2.21 Health Check - Duplicate Objects
The following section details Duplicate Objects discovered on Domain PHARMAX.LOCAL.
Name | Created | Changed | Conflict Changed |
SCCM-DP-01V-Remote-Installation-Services CNF:0b206bf4-6c39-47b2-bd69-3694aa657d76 | 2020:09:13 | 2020:09:13 | 2020:09:13 |
-
Table 60 - Duplicate Object - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure there aren't any duplicate object.
1.2.2.22 Health Check - Duplicate SPN
The following section details Duplicate SPN discovered on Domain PHARMAX.LOCAL.
+Table 61 - Duplicate Object - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure there aren't any duplicate object.
1.2.2.22 Health Check - Duplicate SPN
The following section details Duplicate SPN discovered on Domain PHARMAX.LOCAL.
Name | Count | Distinguished Name |
HOST/ACAD-DNS-01V | 2 | CN=ACAD-DNS-01V,OU=Member Servers,DC=acad,DC=pharmax,DC=local CN=ACAD-DNS-01V,CN=Computers,DC=pharmax,DC=local |
HOST/ACADE-DC-01V | 2 | CN=ACADE-DC-01V,OU=Domain Controllers,DC=acad,DC=pharmax,DC=local CN=ACADE-DC-01V,CN=Computers,DC=pharmax,DC=local |
@@ -1117,25 +1427,25 @@
RestrictedKrbHost/ACADE-DC-01V | 2 | CN=ACADE-DC-01V,OU=Domain Controllers,DC=acad,DC=pharmax,DC=local CN=ACADE-DC-01V,CN=Computers,DC=pharmax,DC=local |
TERMSRV/ACAD-DNS-01V | 2 | CN=ACAD-DNS-01V,OU=Member Servers,DC=acad,DC=pharmax,DC=local CN=ACAD-DNS-01V,CN=Computers,DC=pharmax,DC=local |
-
Table 61 - Duplicate SPN - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure there aren't any duplicate SPNs (other than krbtgt).
1.2.2.23 Domain Controller Summary
A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.
+Table 62 - Duplicate SPN - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure there aren't any duplicate SPNs (other than krbtgt).
1.2.2.23 Domain Controller Summary
A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.
DC Name | Domain Name | Site | Global Catalog | Read Only | IP Address |
CAYEY-DC-01V | pharmax.local | Cayey-Branch | No | No | 10.10.33.1 |
SERVER-DC-01V | pharmax.local | Pharmax-HQ | Yes | No | 192.168.5.1 |
-
Table 62 - Domain Controller Summary - PHARMAX.LOCAL
-1.2.2.23.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for PHARMAX.LOCAL.
+Table 63 - Domain Controller Summary - PHARMAX.LOCAL
+1.2.2.23.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for PHARMAX.LOCAL.
Name | Server-DC-01V |
-Windows Product Name | Windows Server 2019 Standard Evaluation |
+Windows Product Name | Windows Server 2019 Standard |
Windows Current Version | 6.3 |
Windows Build Number | 10.0.17763 |
Windows Install Type | Server |
AD Domain | pharmax.local |
Windows Installation Date | 09/08/2020 21:20:17 |
Time Zone | (UTC-04:00) Georgetown, La Paz, Manaus, San Juan |
-License Type | Retail:TB:Eval |
-Partial Product Key | Y7XRX |
+License Type | Volume:GVLK |
+Partial Product Key | J464C |
Manufacturer | VMware, Inc. |
Model | VMware7,1 |
Serial Number | |
@@ -1148,7 +1458,7 @@
Number of Logical Cores | 2 |
Physical Memory (GB) | 4.00 GB |
-
Table 63 - Domain Controller Hardware - SERVER-DC-01V
+Table 64 - Domain Controller Hardware - SERVER-DC-01V
Name | cayey-dc-01v |
@@ -1173,30 +1483,30 @@
Number of Logical Cores | 2 |
Physical Memory (GB) | 4.00 GB |
-
Table 64 - Domain Controller Hardware - CAYEY-DC-01V
-1.2.2.23.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on PHARMAX.LOCAL.
+Table 65 - Domain Controller Hardware - CAYEY-DC-01V
+1.2.2.23.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on PHARMAX.LOCAL.
DC Name | Database File | Database Size | Log Path | SysVol Path |
-CAYEY-DC-01V | C:\Windows\NTDS\ntds.dit | 74.00 MB | C:\Windows\NTDS | C:\Windows\SYSVOL\sysvol |
-SERVER-DC-01V | C:\Windows\NTDS\ntds.dit | 72.00 MB | C:\Windows\NTDS | C:\Windows\SYSVOL\sysvol |
+CAYEY-DC-01V | C:\Windows\NTDS\ntds.dit | 72.00 MB | C:\Windows\NTDS | C:\Windows\SYSVOL\sysvol |
+SERVER-DC-01V | C:\Windows\NTDS\ntds.dit | 84.00 MB | C:\Windows\NTDS | C:\Windows\SYSVOL\sysvol |
-
Table 65 - NTDS Database File Usage - PHARMAX.LOCAL
-1.2.2.23.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on PHARMAX.LOCAL.
+Table 66 - NTDS Database File Usage - PHARMAX.LOCAL
+1.2.2.23.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on PHARMAX.LOCAL.
Name | Time Server | Type |
CAYEY-DC-01V | Domain Hierarchy | DOMHIER |
SERVER-DC-01V | 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org | MANUAL (NTP) |
-
Table 66 - Time Source Configuration - PHARMAX.LOCAL
-1.2.2.23.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on PHARMAX.LOCAL.
1.2.2.23.4.1 SERVER-DC-01V additional software
+Table 67 - Time Source Configuration - PHARMAX.LOCAL
+1.2.2.23.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on PHARMAX.LOCAL.
1.2.2.23.4.1 SERVER-DC-01V additional software
Name | Publisher | Install Date |
Veeam VSS Hardware Provider | Veeam Software Group GmbH | 20220502 |
-
Table 67 - Installed Software - SERVER-DC-01V
-Health Check:
Best Practices: Do not run other software or services on a Domain Controller.
1.2.2.23.4.2 CAYEY-DC-01V additional software
+Table 68 - Installed Software - SERVER-DC-01V
+Health Check:
Best Practices: Do not run other software or services on a Domain Controller.
1.2.2.23.4.2 CAYEY-DC-01V additional software
Name | Publisher | Install Date |
7-Zip 21.07 (x64 edition) | Igor Pavlov | 20220122 |
-
Table 68 - Installed Software - CAYEY-DC-01V
-Health Check:
Best Practices: Do not run other software or services on a Domain Controller.
1.2.2.23.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.2.23.5.1 SERVER-DC-01V
+Table 69 - Installed Software - CAYEY-DC-01V
+Health Check:
Best Practices: Do not run other software or services on a Domain Controller.
1.2.2.23.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.2.23.5.1 SERVER-DC-01V
Name | Parent | InstallState |
Active Directory Certificate Services | Role | Active Directory Certificate Services (AD CS) is used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications. |
Active Directory Domain Services | Role | Active Directory Domain Services (AD DS) stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process. |
@@ -1206,8 +1516,8 @@
Web Server (IIS) | Role | Web Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure. |
Windows Server Update Services | Role | Windows Server Update Services allows network administrators to specify the Microsoft updates that should be installed, create separate groups of computers for different sets of updates, and get reports on the compliance levels of the computers and the updates that must be installed. |
-
Table 69 - Roles - SERVER-DC-01V
-Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.2.23.5.2 CAYEY-DC-01V
+Table 70 - Roles - SERVER-DC-01V
+Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.2.23.5.2 CAYEY-DC-01V
Name | Parent | InstallState |
Active Directory Certificate Services | Role | Active Directory Certificate Services (AD CS) is used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications. |
Active Directory Domain Services | Role | Active Directory Domain Services (AD DS) stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process. |
@@ -1216,8 +1526,8 @@
File and Storage Services | Role | File and Storage Services includes services that are always installed, as well as functionality that you can install to help manage file servers and storage. |
Web Server (IIS) | Role | Web Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure. |
-
Table 70 - Roles - CAYEY-DC-01V
-Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.2.23.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.
1.2.2.23.6.1 SERVER-DC-01V
+Table 71 - Roles - CAYEY-DC-01V
+Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.2.23.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.
1.2.2.23.6.1 SERVER-DC-01V
Test Name | Result |
Advertising | passed |
CheckSDRefDom | passed |
@@ -1246,8 +1556,8 @@
SysVolCheck | passed |
VerifyReferences | passed |
-
Table 71 - Domain Controller DCDiag - SERVER-DC-01V
-1.2.2.23.6.2 CAYEY-DC-01V
+Table 72 - Domain Controller DCDiag - SERVER-DC-01V
+1.2.2.23.6.2 CAYEY-DC-01V
Test Name | Result |
Advertising | passed |
CheckSDRefDom | passed |
@@ -1276,8 +1586,8 @@
SysVolCheck | passed |
VerifyReferences | passed |
-
Table 72 - Domain Controller DCDiag - CAYEY-DC-01V
-1.2.2.23.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.2.23.7.1 SERVER-DC-01V
+Table 73 - Domain Controller DCDiag - CAYEY-DC-01V
+1.2.2.23.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.2.23.7.1 SERVER-DC-01V
Display Name | Short Name | Status |
Active Directory Certificate Services | CertSvc | Running |
Active Directory Domain Services | NTDS | Running |
@@ -1290,8 +1600,8 @@
NetLogon | Netlogon | Running |
Windows Time | W32Time | Running |
-
Table 73 - Domain Controller Infrastructure Services Status Information.
-1.2.2.23.8 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.2.23.8.1 CAYEY-DC-01V
+Table 74 - Domain Controller Infrastructure Services Status Information.
+1.2.2.23.8 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.2.23.8.1 CAYEY-DC-01V
Display Name | Short Name | Status |
Active Directory Certificate Services | CertSvc | Running |
Active Directory Domain Services | NTDS | Running |
@@ -1304,8 +1614,8 @@
NetLogon | Netlogon | Running |
Windows Time | W32Time | Running |
-
Table 74 - Domain Controller Infrastructure Services Status Information.
-1.2.2.23.9 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.
+Table 75 - Domain Controller Infrastructure Services Status Information.
+1.2.2.23.9 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.
DC Name | SERVER-DC-01V |
GUID | 9dd36d8c-c157-4886-b411-c316fdf19c86 |
@@ -1318,7 +1628,7 @@
Enabled | Yes |
Created | Tue, 07 Dec 2021 15:52:27 GMT |
-
Table 75 - Site Replication - SERVER-DC-01V
+Table 76 - Site Replication - SERVER-DC-01V
DC Name | SERVER-DC-01V |
@@ -1332,7 +1642,7 @@
Enabled | Yes |
Created | Wed, 11 May 2022 17:54:53 GMT |
-
Table 76 - Site Replication - SERVER-DC-01V
+Table 77 - Site Replication - SERVER-DC-01V
DC Name | SERVER-DC-01V |
@@ -1346,7 +1656,7 @@
Enabled | Yes |
Created | Sun, 05 Sep 2021 16:24:39 GMT |
-
Table 77 - Site Replication - SERVER-DC-01V
+Table 78 - Site Replication - SERVER-DC-01V
DC Name | CAYEY-DC-01V |
@@ -1360,79 +1670,211 @@
Enabled | Yes |
Created | Tue, 07 Dec 2021 15:55:03 GMT |
-
Table 78 - Site Replication - CAYEY-DC-01V
-1.2.2.23.10 Sites Replication Failure
The following section provides a summary of the Active Directory Site Replication Failure information.
+Table 79 - Site Replication - CAYEY-DC-01V
+1.2.2.23.10 Sites Replication Failure
The following section provides a summary of the Active Directory Site Replication Failure information.
+
+Server Name | Server-DC-01V |
+Partner | DC-UIA-01V |
+Last Error | 1256 |
+Failure Type | Link |
+Failure Count | 0 |
+First Failure Time | Sun, 10 Jul 2022 16:34:20 GMT |
+
+
Table 80 - Site Replication Failure - SERVER-DC-01V
+Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.
Server Name | Server-DC-01V |
Partner | ACADE-DC-01V |
-Last Error | 8524 |
+Last Error | 1256 |
Failure Type | Link |
Failure Count | 0 |
-First Failure Time | Wed, 11 May 2022 18:10:50 GMT |
+First Failure Time | Sun, 10 Jul 2022 16:34:20 GMT |
-
Table 79 - Site Replication Failure - SERVER-DC-01V
-Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.
+Table 81 - Site Replication Failure - SERVER-DC-01V
+Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.
Server Name | Server-DC-01V |
Partner | CAYEY-DC-01V |
Last Error | 8524 |
Failure Type | Link |
Failure Count | 0 |
-First Failure Time | Wed, 11 May 2022 18:10:50 GMT |
+First Failure Time | Sun, 10 Jul 2022 16:34:20 GMT |
-
Table 80 - Site Replication Failure - SERVER-DC-01V
-Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.
1.2.2.23.11 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain PHARMAX.LOCAL.
-GPO Name | GPO Status | Owner |
-Assign-Applications | All Settings Enabled | PHARMAX\Domain Admins |
-Certificate AutoEnrollment | User Settings Disabled | PHARMAX\Domain Admins |
-Dead Policy | All Settings Disabled | PHARMAX\Domain Admins |
-Default Domain Controllers Policy | All Settings Enabled | PHARMAX\Domain Admins |
-Default Domain Policy | All Settings Enabled | PHARMAX\Domain Admins |
-Horizon-DEM | All Settings Enabled | PHARMAX\Domain Admins |
-LAPS Configuration | All Settings Enabled | PHARMAX\Domain Admins |
-Linux-Settings-GPO | All Settings Disabled | PHARMAX\Domain Admins |
-ProfileUnity | All Settings Enabled | PHARMAX\Domain Admins |
-SCCM - Restricted Group and General Settings | All Settings Enabled | PHARMAX\Domain Admins |
-SCEP Configuration | All Settings Enabled | PHARMAX\Domain Admins |
-VEEAM_Disable_Firewall | All Settings Enabled | PHARMAX\Domain Admins |
-VEEAM_Local_Administrators | All Settings Enabled | PHARMAX\Domain Admins |
-WSUS - Domain Policy | User Settings Disabled | PHARMAX\Domain Admins |
-
-
Table 81 - GPO - PHARMAX.LOCAL
-Health Check:
Best Practices: Ensure 'All Settings Disabled' GPO are removed from Active Directory.
1.2.2.23.11.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.
+Table 82 - Site Replication Failure - SERVER-DC-01V
+Health Check:
Best Practices: Failing SYSVOL replication may cause Group Policy problems.
1.2.2.23.11 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain PHARMAX.LOCAL.
+
+GPO Name | Assign-Applications |
+GPO Status | All Settings Enabled |
+Created | 03/10/2021 |
+Modified | 03/10/2021 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 83 - GPO - Assign-Applications
+
+
+GPO Name | Certificate AutoEnrollment |
+GPO Status | User Settings Disabled |
+Created | 01/25/2020 |
+Modified | 06/30/2021 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 84 - GPO - Certificate AutoEnrollment
+
+
+GPO Name | Default Domain Policy |
+GPO Status | All Settings Enabled |
+Created | 06/10/2018 |
+Modified | 12/19/2021 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 85 - GPO - Default Domain Policy
+
+
+GPO Name | VEEAM_Disable_Firewall |
+GPO Status | All Settings Enabled |
+Created | 12/13/2019 |
+Modified | 09/08/2020 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 86 - GPO - VEEAM_Disable_Firewall
+
+
+GPO Name | Default Domain Controllers Policy |
+GPO Status | All Settings Enabled |
+Created | 06/10/2018 |
+Modified | 11/01/2020 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 87 - GPO - Default Domain Controllers Policy
+
+
+GPO Name | ProfileUnity |
+GPO Status | All Settings Enabled |
+Created | 06/08/2020 |
+Modified | 10/05/2021 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 88 - GPO - ProfileUnity
+
+
+GPO Name | VEEAM_Local_Administrators |
+GPO Status | All Settings Enabled |
+Created | 12/13/2019 |
+Modified | 05/20/2022 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 89 - GPO - VEEAM_Local_Administrators
+
+
+GPO Name | WSUS - Domain Policy |
+GPO Status | User Settings Disabled |
+Created | 02/23/2020 |
+Modified | 03/10/2021 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 90 - GPO - WSUS - Domain Policy
+
+
+GPO Name | SCEP Configuration |
+GPO Status | All Settings Enabled |
+Created | 09/14/2020 |
+Modified | 10/04/2020 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 91 - GPO - SCEP Configuration
+
+
+GPO Name | Dead Policy |
+GPO Status | All Settings Disabled |
+Created | 10/05/2021 |
+Modified | 01/22/2022 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 92 - GPO - Dead Policy
+
+
+GPO Name | Horizon-DEM |
+GPO Status | All Settings Enabled |
+Created | 03/01/2020 |
+Modified | 09/08/2020 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 93 - GPO - Horizon-DEM
+
+
+GPO Name | Linux-Settings-GPO |
+GPO Status | All Settings Disabled |
+Created | 05/22/2021 |
+Modified | 02/04/2022 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 94 - GPO - Linux-Settings-GPO
+
+
+GPO Name | SCCM - Restricted Group and General Settings |
+GPO Status | All Settings Enabled |
+Created | 09/12/2020 |
+Modified | 09/12/2020 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 95 - GPO - SCCM - Restricted Group and General Settings
+
+
+GPO Name | LAPS Configuration |
+GPO Status | All Settings Enabled |
+Created | 11/01/2020 |
+Modified | 11/01/2020 |
+Description | |
+Owner | PHARMAX\Domain Admins |
+
+
Table 96 - GPO - LAPS Configuration
+1.2.2.23.11.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.
Domain | Configured | Central Store Path |
PHARMAX.LOCAL | Yes | \\pharmax.local\SYSVOL\pharmax.local\Policies\PolicyDefinitions |
-
Table 82 - GPO Central Store - PHARMAX.LOCAL
-1.2.2.23.11.2 GPO with User Logon/Logoff Script
The following section provides a summary of Group Policy Objects with Logon/Logoff Script.
+Table 97 - GPO Central Store - PHARMAX.LOCAL
+1.2.2.23.11.2 GPO with User Logon/Logoff Script
The following section provides a summary of Group Policy Objects with Logon/Logoff Script.
GPO Name | GPO Status | Type | Script |
Dead Policy | All Settings Disabled | Logoff | %systemdrive%\Program Files\ProfileUnity\Client.NET\LwL.ProfileUnity.Client.Logoff.exe |
Horizon-DEM | All Settings Enabled | Logoff | C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe |
ProfileUnity | All Settings Enabled | Logoff | %systemdrive%\Program Files\ProfileUnity\Client.NET\LwL.ProfileUnity.Client.Logoff.exe |
-
Table 83 - GPO with Logon/Logoff Script - PHARMAX.LOCAL
-1.2.2.23.11.3 GPO with Computer Startup/Shutdown Script
The following section provides a summary of Group Policy Objects with Startup/Shutdown Script.
+Table 98 - GPO with Logon/Logoff Script - PHARMAX.LOCAL
+1.2.2.23.11.3 GPO with Computer Startup/Shutdown Script
The following section provides a summary of Group Policy Objects with Startup/Shutdown Script.
GPO Name | GPO Status | Type | Script |
Dead Policy | All Settings Disabled | Startup | \\pharmax.local\netlogon\profileunity\LwL.ProfileUnity.Client.Startup.exe |
ProfileUnity | All Settings Enabled | Startup | \\pharmax.local\netlogon\profileunity\LwL.ProfileUnity.Client.Startup.exe |
-
Table 84 - GPO with Startup/Shutdown Script - PHARMAX.LOCAL
-1.2.2.23.11.4 Health Check - Unlinked GPO
The following section provides a summary of the Unlinked Group Policy Objects.
+Table 99 - GPO with Startup/Shutdown Script - PHARMAX.LOCAL
+1.2.2.23.11.4 Health Check - Unlinked GPO
The following section provides a summary of the Unlinked Group Policy Objects.
GPO Name | Created | Modified | Computer Enabled | User Enabled |
Dead Policy | 2021-10-05 | 2022-01-22 | No | No |
-
Table 85 - Unlinked GPO - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Remove Unused GPO from Active Directory.
1.2.2.23.11.5 Health Check - Empty GPOs
The following section provides a summary of the Empty Group Policy Objects.
+Table 100 - Unlinked GPO - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Remove Unused GPO from Active Directory.
1.2.2.23.11.5 Health Check - Empty GPOs
The following section provides a summary of the Empty Group Policy Objects.
GPO Name | Created | Modified | Description |
Linux-Settings-GPO | 2021-05-23 | 2022-02-04 | - |
-
Table 86 - Empty GPO - PHARMAX.LOCAL
-Health Check:
Corrective Actions: No User and Computer parameters are set: Remove Unused GPO in Active Directory.
1.2.2.23.11.6 Health Check - Enforced GPO
The following section provides a summary of the Enforced Group Policy Objects.
+Table 101 - Empty GPO - PHARMAX.LOCAL
+Health Check:
Corrective Actions: No User and Computer parameters are set: Remove Unused GPO in Active Directory.
1.2.2.23.11.6 Health Check - Enforced GPO
The following section provides a summary of the Enforced Group Policy Objects.
GPO Name | Enforced | Order | Target |
Linux-Settings-GPO | Yes | 1 | pharmax.local/LinuxMachines |
-
Table 87 - Enforced GPO - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.2.23.12 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.
+Table 102 - Enforced GPO - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.2.23.12 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.
Name | Path | Linked GPO |
.SecFrame.com | pharmax.local/.SecFrame.com | - |
Admin | pharmax.local/Admin | - |
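Review bot: The regenerated Group Policy Objects summary no longer carries the health-check line `Best Practices: Ensure 'All Settings Disabled' GPO are removed from Active Directory.` that followed the old single GPO table. The new per-GPO tables for Dead Policy and Linux-Settings-GPO still report `All Settings Disabled`, so the finding is shown without its guidance. If the switch to one table per GPO dropped the check in the report code (which is outside this hunk), I would restore it under each table whose GPO Status is `All Settings Disabled`. In this sample the later Unlinked GPO and Empty GPO checks do flag these two objects, but only because they are also unlinked or empty, so they do not replace it.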
@@ -1676,14 +2118,14 @@
VEEAM Servers | pharmax.local/VEEAM Servers | VEEAM_Disable_Firewall, VEEAM_Local_Administrators |
VEEAM WorkStations | pharmax.local/VEEAM WorkStations | VEEAM_Local_Administrators, VEEAM_Disable_Firewall |
-
Table 88 - Organizational Unit - PHARMAX.LOCAL
-1.2.2.23.12.1 Health Check - OU with GPO Blocked Inheritance
The following section provides a summary of the Blocked Inheritance Group Policy Objects.
+Table 103 - Organizational Unit - PHARMAX.LOCAL
+1.2.2.23.12.1 Health Check - OU with GPO Blocked Inheritance
The following section provides a summary of the Blocked Inheritance Group Policy Objects.
OU Name | Container Type | Inheritance Blocked | Path |
fortinet ems | OU | Yes | pharmax.local/Fortinet EMS |
linuxmachines | OU | Yes | pharmax.local/LinuxMachines |
-
Table 89 - Blocked Inheritance GPO - PHARMAX.LOCAL
-Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.3 ACAD.PHARMAX.LOCAL Domain Configuration
The following section provides a summary of the Active Directory Domain Information.
+Table 104 - Blocked Inheritance GPO - PHARMAX.LOCAL
+Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.3 ACAD.PHARMAX.LOCAL Domain Configuration
The following section provides a summary of the Active Directory Domain Information.
Domain Name | acad |
NetBIOS Name | ACAD |
@@ -1704,22 +2146,22 @@
RID Issued | 1600 |
RID Available | 1073740223 |
-
Table 90 - Domain Summary - ACAD.PHARMAX.LOCAL
-1.2.3.1 Health Check - Naming Context Last Backup
The following section details naming context last backup time for Domain ACAD.PHARMAX.LOCAL.
+Table 105 - Domain Summary - ACAD.PHARMAX.LOCAL
+1.2.3.1 Health Check - Naming Context Last Backup
The following section details naming context last backup time for Domain ACAD.PHARMAX.LOCAL.
Naming Context | Last Backup | Last Backup in Days |
-CN=Configuration,DC=pharmax,DC=local | 2022:05:11 | 0 |
-CN=Schema,CN=Configuration,DC=pharmax,DC=local | 2022:05:11 | 0 |
-DC=acad,DC=pharmax,DC=local | 2021:09:05 | 248 |
-DC=DomainDnsZones,DC=acad,DC=pharmax,DC=local | 2021:09:05 | 248 |
-DC=ForestDnsZones,DC=pharmax,DC=local | 2022:05:11 | 0 |
-
-
Table 91 - Naming Context Last Backup - ACAD.PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.
1.2.3.2 Health Check - DFS Health
The following section details Distributed File System health status for Domain ACAD.PHARMAX.LOCAL.
+CN=Configuration,DC=pharmax,DC=local | 2022:05:13 | 70 |
+CN=Schema,CN=Configuration,DC=pharmax,DC=local | 2022:05:13 | 70 |
+DC=acad,DC=pharmax,DC=local | 2021:09:05 | 320 |
+DC=DomainDnsZones,DC=acad,DC=pharmax,DC=local | 2021:09:05 | 320 |
+DC=ForestDnsZones,DC=pharmax,DC=local | 2022:05:13 | 70 |
+
+
Table 106 - Naming Context Last Backup - ACAD.PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure there is a recent (<180 days) Active Directory backup.
1.2.3.2 Health Check - DFS Health
The following section details Distributed File System health status for Domain ACAD.PHARMAX.LOCAL.
DC Name | Replication State | GPO Count | Sysvol Count | Identical Count | Stop Replication On AutoRecovery |
ACADE-DC-01V | Normal | 6 | 6 | Yes | No |
-
Table 92 - Domain Last Backup - ACAD.PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.
1.2.3.3 Flexible Single Master Operations (FSMO)
The following section provides a summary of the Active Directory FSMO for Domain ACAD.PHARMAX.LOCAL.
+Table 107 - Domain Last Backup - ACAD.PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure an identical GPO/SYSVOL content for the domain controller in all Active Directory domains.
1.2.3.3 Flexible Single Master Operations (FSMO)
The following section provides a summary of the Active Directory FSMO for Domain ACAD.PHARMAX.LOCAL.
Infrastructure Master Server | acade-dc-01v.acad.pharmax.local |
RID Master Server | acade-dc-01v.acad.pharmax.local |
@@ -1727,8 +2169,8 @@
Domain Naming Master Server | Server-DC-01V.pharmax.local |
Schema Master Server | Server-DC-01V.pharmax.local |
-
Table 93 - FSMO Server - acad.pharmax.local
-1.2.3.4 Domain and Trusts
The following section provides a summary of Active Directory Trust information on ACAD.PHARMAX.LOCAL.
+Table 108 - FSMO Server - acad.pharmax.local
+1.2.3.4 Domain and Trusts
The following section provides a summary of Active Directory Trust information on ACAD.PHARMAX.LOCAL.
Name | pharmax.local |
Path | acad.pharmax.local/System/pharmax.local |
@@ -1742,8 +2184,8 @@
Trust Type | Uplevel |
Uplevel Only | No |
-
Table 94 - Trusts - ACAD.PHARMAX.LOCAL
-1.2.3.5 Domain Object Count
The following section provides a summary of the Active Directory Object Count on ACAD.PHARMAX.LOCAL.
+Table 109 - Trusts - ACAD.PHARMAX.LOCAL
+1.2.3.5 Domain Object Count
The following section provides a summary of the Active Directory Object Count on ACAD.PHARMAX.LOCAL.
Computers | 2 |
Servers | 2 |
@@ -1753,14 +2195,14 @@
Privileged Users | 2 |
Groups | 46 |
-
Table 95 - Object Count - ACAD.PHARMAX.LOCAL
-1.2.3.6 User Accounts in Active Directory
The following table provide a summary of the User Accounts from ACAD.PHARMAX.LOCAL.
+Table 110 - Object Count - ACAD.PHARMAX.LOCAL
+1.2.3.6 User Accounts in Active Directory
The following table provide a summary of the User Accounts from ACAD.PHARMAX.LOCAL.
Status | Count | Percentage |
Enabled | 2 | 50% |
Disabled | 2 | 50% |
-
Table 96 - User Accounts in Active Directory - ACAD.PHARMAX.LOCAL
-1.2.3.7 Status of Users Accounts
The following table provide a summary of the User Accounts from ACAD.PHARMAX.LOCAL.
+Table 111 - User Accounts in Active Directory - ACAD.PHARMAX.LOCAL
+1.2.3.7 Status of Users Accounts
The following table provide a summary of the User Accounts from ACAD.PHARMAX.LOCAL.
Category | Enabled Count | Enabled % | Disabled Count | Disabled % | Total Count | Total % |
Cannot Change Password | 13 | 325 | 1 | 25 | 14 | 350 |
Password Never Expires | 1 | 25 | 1 | 25 | 1 | 25 |
@@ -1774,10 +2216,11 @@
Account Expired | 1 | 25 | 1 | 25 | 0 | 0 |
Account Lockout | 1 | 25 | 1 | 25 | 0 | 0 |
-
Table 97 - Status of User Accounts - ACAD.PHARMAX.LOCAL
-1.2.3.8 Privileged Group Count
The following table provide a summary of the Privileged Group count from ACAD.PHARMAX.LOCAL.
+Table 112 - Status of User Accounts - ACAD.PHARMAX.LOCAL
+1.2.3.8 Privileged Group Count
The following table provide a summary of the Privileged Group count from ACAD.PHARMAX.LOCAL.
Group Name | Count |
Account Operators | 0 |
+Administrators | 6 |
Backup Operators | 1 |
Cert Publishers | 1 |
DnsAdmins | 0 |
@@ -1787,26 +2230,26 @@
Remote Desktop Users | 0 |
Server Operators | 0 |
-
Table 98 - Privileged Group Count - ACAD.PHARMAX.LOCAL
-1.2.3.9 Computer Accounts in Active Directory
The following table provide a summary of the Computer Accounts from ACAD.PHARMAX.LOCAL.
+Table 113 - Privileged Group Count - ACAD.PHARMAX.LOCAL
+1.2.3.9 Computer Accounts in Active Directory
The following table provide a summary of the Computer Accounts from ACAD.PHARMAX.LOCAL.
Status | Count | Percentage |
Enabled | 2 | 100% |
Disabled | 0 | 0% |
-
Table 99 - Computer Accounts in Active Directory - ACAD.PHARMAX.LOCAL
-1.2.3.10 Status of Computer Accounts
The following table provide a summary of the Computer Accounts from ACAD.PHARMAX.LOCAL.
+Table 114 - Computer Accounts in Active Directory - ACAD.PHARMAX.LOCAL
+1.2.3.10 Status of Computer Accounts
The following table provide a summary of the Computer Accounts from ACAD.PHARMAX.LOCAL.
Category | Enabled Count | Enabled % | Disabled Count | Disabled % | Total Count | Total % |
-Dormant (> 90 days) | 1 | 50 | 1 | 50 | 0 | 0 |
-Password Age (> 30 days) | 1 | 50 | 1 | 50 | 0 | 0 |
+Dormant (> 90 days) | 1 | 50 | 1 | 50 | 1 | 50 |
+Password Age (> 30 days) | 1 | 50 | 1 | 50 | 1 | 50 |
SidHistory | 1 | 50 | 1 | 50 | 0 | 0 |
-
Table 100 - Status of Computer Accounts - ACAD.PHARMAX.LOCAL
-1.2.3.11 Operating Systems Count
The following table provide a summary of the Operating System count from ACAD.PHARMAX.LOCAL.
+Table 115 - Status of Computer Accounts - ACAD.PHARMAX.LOCAL
+1.2.3.11 Operating Systems Count
The following table provide a summary of the Operating System count from ACAD.PHARMAX.LOCAL.
Operating System | Count |
Windows Server 2019 Standard Evaluation | 2 |
-
Table 101 - Operating System Count - ACAD.PHARMAX.LOCAL
-1.2.3.12 Default Domain Password Policy
The following section provides a summary of the Default Domain Password Policy on ACAD.PHARMAX.LOCAL.
+Table 116 - Operating System Count - ACAD.PHARMAX.LOCAL
+1.2.3.12 Default Domain Password Policy
The following section provides a summary of the Default Domain Password Policy on ACAD.PHARMAX.LOCAL.
Password Must Meet Complexity Requirements | Yes |
Path | acad.pharmax.local/ |
@@ -1819,8 +2262,8 @@
Enforce Password History | 24 |
Store Password using Reversible Encryption | No |
-
Table 102 - Default Domain Password Policy - ACAD.PHARMAX.LOCAL
-1.2.3.13 Fined Grained Password Policies
The following section provides a summary of the Fined Grained Password Policies on ACAD.PHARMAX.LOCAL.
+Table 117 - Default Domain Password Policy - ACAD.PHARMAX.LOCAL
+1.2.3.13 Fined Grained Password Policies
The following section provides a summary of the Fined Grained Password Policies on ACAD.PHARMAX.LOCAL.
Password Setting Name | ACADTest |
Domain Name | acad.pharmax.local |
@@ -1837,8 +2280,8 @@
Precedence | 1 |
Applies To | SCCM-GMSA |
-
Table 103 - Fined Grained Password Policies - ACADTest
-1.2.3.14 Group Managed Service Accounts (GMSA)
The following section provides a summary of the Group Managed Service Accounts on ACAD.PHARMAX.LOCAL.
+Table 118 - Fined Grained Password Policies - ACADTest
+1.2.3.14 Group Managed Service Accounts (GMSA)
The following section provides a summary of the Group Managed Service Accounts on ACAD.PHARMAX.LOCAL.
Name | SCCMMSA |
SamAccountName | SCCMMSA$ |
@@ -1854,8 +2297,8 @@
Password Expired | No |
Password Last Set | 09/11/2021 21:01:33 |
-
Table 104 - Group Managed Service Accounts - SCCMMSA
-1.2.3.15 Health Check - Account Security Assessment
The following section provide a summary of the Account Security Assessment on Domain ACAD.PHARMAX.LOCAL.
+Table 119 - Group Managed Service Accounts - SCCMMSA
+1.2.3.15 Health Check - Account Security Assessment
The following section provide a summary of the Account Security Assessment on Domain ACAD.PHARMAX.LOCAL.
Total Users | 4 |
Enabled Users | 2 |
@@ -1868,40 +2311,40 @@
User Does Not Require Pre Auth | 0 |
Users With SID History | 0 |
-
Table 105 - Account Security Assessment - ACAD.PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.3.16 Health Check - Privileged Users Assessment
The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain ACAD.PHARMAX.LOCAL
+Table 120 - Account Security Assessment - ACAD.PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.3.16 Health Check - Privileged Users Assessment
The following section details probable AD Admin accounts (user accounts with AdminCount set to 1) on Domain ACAD.PHARMAX.LOCAL
Username | Created | Password Last Set | Last Logon Date |
Administrator | 9/5/2021 | 9/5/2021 | 9/18/2021 |
krbtgt | 9/5/2021 | 9/5/2021 | - |
-
Table 106 - Privileged User Assessment - ACAD.PHARMAX.LOCAL
-Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.3.17 Health Check - Service Accounts Assessment
The following section details probable AD Service Accounts (user accounts with SPNs) on Domain ACAD.PHARMAX.LOCAL
+Table 121 - Privileged User Assessment - ACAD.PHARMAX.LOCAL
+Health Check:
Corrective Actions: Ensure there aren't any account with weak security posture.
1.2.3.17 Health Check - Service Accounts Assessment
The following section details probable AD Service Accounts (user accounts with SPNs) on Domain ACAD.PHARMAX.LOCAL
Username | Enabled | Password Last Set | Last Logon Date | Service Principal Name |
krbtgt | No | 9/5/2021 | - | kadmin/changepw |
-
Table 107 - Service Accounts Assessment - ACAD.PHARMAX.LOCAL
-Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.
1.2.3.18 Health Check - KRBTGT Account Audit
The following section provide a summary of KRBTGT account on Domain ACAD.PHARMAX.LOCAL.
+Table 122 - Service Accounts Assessment - ACAD.PHARMAX.LOCAL
+Health Check:
Corrective Actions: Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges. Ensure there aren't any account with weak security posture.
1.2.3.18 Health Check - KRBTGT Account Audit
The following section provide a summary of KRBTGT account on Domain ACAD.PHARMAX.LOCAL.
Name | krbtgt |
Created | 09/05/2021 12:25:21 |
Password Last Set | 09/05/2021 12:25:21 |
Distinguished Name | CN=krbtgt,CN=Users,DC=acad,DC=pharmax,DC=local |
-
Table 108 - KRBTGT Account Audit - ACAD.PHARMAX.LOCAL
-Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.
1.2.3.19 Health Check - Administrator Account Audit
The following section provide a summary of Administrator account on Domain ACAD.PHARMAX.LOCAL.
+Table 123 - KRBTGT Account Audit - ACAD.PHARMAX.LOCAL
+Health Check:
Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure.
1.2.3.19 Health Check - Administrator Account Audit
The following section provide a summary of Administrator account on Domain ACAD.PHARMAX.LOCAL.
Name | Administrator |
Created | 09/05/2021 12:24:39 |
Password Last Set | 09/05/2021 10:35:45 |
Distinguished Name | CN=Administrator,CN=Users,DC=acad,DC=pharmax,DC=local |
-
Table 109 - Administrator Account Audit - ACAD.PHARMAX.LOCAL
-Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.
1.2.3.20 Domain Controller Summary
A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.
+Table 124 - Administrator Account Audit - ACAD.PHARMAX.LOCAL
+Health Check:
Best Practice: Microsoft advises changing the administrator account password at regular intervals to keep the environment more secure.
1.2.3.20 Domain Controller Summary
A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain.
DC Name | Domain Name | Site | Global Catalog | Read Only | IP Address |
ACADE-DC-01V | acad.pharmax.local | ACAD | Yes | No | 172.23.4.1 |
-
Table 110 - Domain Controller Summary - ACAD.PHARMAX.LOCAL
-1.2.3.20.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for ACAD.PHARMAX.LOCAL.
+Table 125 - Domain Controller Summary - ACAD.PHARMAX.LOCAL
+1.2.3.20.1 Hardware Inventory
The following section provides a summary of the Domain Controller Hardware for ACAD.PHARMAX.LOCAL.
Name | acade-dc-01v |
Windows Product Name | Windows Server 2019 Standard Evaluation |
@@ -1925,18 +2368,18 @@
Number of Logical Cores | 2 |
Physical Memory (GB) | 4.00 GB |
-
Table 111 - Domain Controller Hardware - ACADE-DC-01V
-1.2.3.20.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on ACAD.PHARMAX.LOCAL.
+Table 126 - Domain Controller Hardware - ACADE-DC-01V
+1.2.3.20.2 NTDS Information
The following section provides a summary of the Domain Controller NTDS file size on ACAD.PHARMAX.LOCAL.
DC Name | Database File | Database Size | Log Path | SysVol Path |
-ACADE-DC-01V | C:\Windows\NTDS\ntds.dit | 54.00 MB | C:\Windows\NTDS | C:\Windows\SYSVOL\sysvol |
+ACADE-DC-01V | C:\Windows\NTDS\ntds.dit | 66.00 MB | C:\Windows\NTDS | C:\Windows\SYSVOL\sysvol |
-
Table 112 - NTDS Database File Usage - ACAD.PHARMAX.LOCAL
-1.2.3.20.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on ACAD.PHARMAX.LOCAL.
+Table 127 - NTDS Database File Usage - ACAD.PHARMAX.LOCAL
+1.2.3.20.3 Time Source Information
The following section provides a summary of the Domain Controller Time Source configuration on ACAD.PHARMAX.LOCAL.
Name | Time Server | Type |
ACADE-DC-01V | Domain Hierarchy | DOMHIER |
-
Table 113 - Time Source Configuration - ACAD.PHARMAX.LOCAL
-1.2.3.20.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on ACAD.PHARMAX.LOCAL.
1.2.3.20.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.3.20.5.1 ACADE-DC-01V
+Table 128 - Time Source Configuration - ACAD.PHARMAX.LOCAL
+1.2.3.20.4 Health Check - Installed Software on DC
The following section provides a summary of additional software running on ACAD.PHARMAX.LOCAL.
1.2.3.20.5 Roles
The following section provides a summary of the Domain Controller Role & Features information.
1.2.3.20.5.1 ACADE-DC-01V
Name | Parent | InstallState |
Active Directory Certificate Services | Role | Active Directory Certificate Services (AD CS) is used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications. |
Active Directory Domain Services | Role | Active Directory Domain Services (AD DS) stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process. |
@@ -1945,8 +2388,8 @@
File and Storage Services | Role | File and Storage Services includes services that are always installed, as well as functionality that you can install to help manage file servers and storage. |
Web Server (IIS) | Role | Web Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure. |
-
Table 114 - Roles - ACADE-DC-01V
-Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.3.20.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.
1.2.3.20.6.1 ACADE-DC-01V
+Table 129 - Roles - ACADE-DC-01V
+Health Check:
Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation
1.2.3.20.6 Health Check - DC Diagnostic
The following section provides a summary of the Active Directory DC Diagnostic.
1.2.3.20.6.1 ACADE-DC-01V
Test Name | Result |
Advertising | failed |
CheckSDRefDom | passed |
@@ -1958,7 +2401,7 @@
CrossRefValidation | passed |
CrossRefValidation | passed |
CrossRefValidation | passed |
-DFSREvent | failed |
+DFSREvent | passed |
FrsEvent | passed |
Intersite | passed |
KccEvent | passed |
@@ -1975,8 +2418,8 @@
SysVolCheck | failed |
VerifyReferences | passed |
-
Table 115 - Domain Controller DCDiag - ACADE-DC-01V
-1.2.3.20.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.3.20.7.1 ACADE-DC-01V
+Table 130 - Domain Controller DCDiag - ACADE-DC-01V
+1.2.3.20.7 Infrastructure Services Status
The following section provides a summary of the Domain Controller Infrastructure services status.
1.2.3.20.7.1 ACADE-DC-01V
Display Name | Short Name | Status |
Active Directory Certificate Services | CertSvc | Running |
Active Directory Domain Services | NTDS | Running |
@@ -1989,8 +2432,8 @@
NetLogon | Netlogon | Running |
Windows Time | W32Time | Running |
-
Table 116 - Domain Controller Infrastructure Services Status Information.
-1.2.3.20.8 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.
+Table 131 - Domain Controller Infrastructure Services Status Information.
+1.2.3.20.8 Sites Replication
The following section provides a summary of the Active Directory Site Replication information.
DC Name | ACADE-DC-01V |
GUID | 739a49db-275b-4d09-81c8-ab9e5f393977 |
@@ -2003,90 +2446,140 @@
Enabled | Yes |
Created | Sun, 05 Sep 2021 16:26:31 GMT |
-
Table 117 - Site Replication - ACADE-DC-01V
-1.2.3.20.9 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain ACAD.PHARMAX.LOCAL.
-GPO Name | GPO Status | Owner |
-ACAD Certificate AutoEnrollment | All Settings Enabled | PHARMAX\Enterprise Admins |
-Default Domain Controllers Policy | All Settings Enabled | ACAD\Domain Admins |
-Default Domain Policy | All Settings Enabled | ACAD\Domain Admins |
-Empty Policy ACAD | All Settings Enabled | PHARMAX\Enterprise Admins |
-Logon Script | All Settings Enabled | PHARMAX\Enterprise Admins |
-Unlinked Policy ACAD | All Settings Disabled | PHARMAX\Enterprise Admins |
-
-
Table 118 - GPO - ACAD.PHARMAX.LOCAL
-Health Check:
Best Practices: Ensure 'All Settings Disabled' GPO are removed from Active Directory.
1.2.3.20.9.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.
+Table 132 - Site Replication - ACADE-DC-01V
+1.2.3.20.9 Group Policy Objects Summary
The following section provides a summary of the Group Policy Objects for domain ACAD.PHARMAX.LOCAL.
+
+GPO Name | Empty Policy ACAD |
+GPO Status | All Settings Enabled |
+Created | 10/05/2021 |
+Modified | 10/05/2021 |
+Description | |
+Owner | PHARMAX\Enterprise Admins |
+
+
Table 133 - GPO - Empty Policy ACAD
+
+
+GPO Name | Default Domain Policy |
+GPO Status | All Settings Enabled |
+Created | 09/05/2021 |
+Modified | 10/19/2021 |
+Description | |
+Owner | ACAD\Domain Admins |
+
+
Table 134 - GPO - Default Domain Policy
+
+
+GPO Name | Unlinked Policy ACAD |
+GPO Status | All Settings Disabled |
+Created | 10/05/2021 |
+Modified | 10/05/2021 |
+Description | |
+Owner | PHARMAX\Enterprise Admins |
+
+
Table 135 - GPO - Unlinked Policy ACAD
+
+
+GPO Name | Default Domain Controllers Policy |
+GPO Status | All Settings Enabled |
+Created | 09/05/2021 |
+Modified | 09/22/2021 |
+Description | |
+Owner | ACAD\Domain Admins |
+
+
Table 136 - GPO - Default Domain Controllers Policy
+
+
+GPO Name | ACAD Certificate AutoEnrollment |
+GPO Status | All Settings Enabled |
+Created | 09/22/2021 |
+Modified | 09/22/2021 |
+Description | |
+Owner | PHARMAX\Enterprise Admins |
+
+
Table 137 - GPO - ACAD Certificate AutoEnrollment
+
+
+GPO Name | Logon Script |
+GPO Status | All Settings Enabled |
+Created | 10/07/2021 |
+Modified | 10/07/2021 |
+Description | |
+Owner | PHARMAX\Enterprise Admins |
+
+
Table 138 - GPO - Logon Script
+1.2.3.20.9.1 GPO Central Store Repository
The following section provides information of the status of Central Store. Corrective Action: Deploy centralized GPO repository.
Domain | Configured | Central Store Path |
ACAD.PHARMAX.LOCAL | No | \\acad.pharmax.local\SYSVOL\acad.pharmax.local\Policies\PolicyDefinitions |
-
Table 119 - GPO Central Store - ACAD.PHARMAX.LOCAL
-Health Check:
Best Practices: Ensure Central Store is deployed to centralized GPO repository.
1.2.3.20.9.2 GPO with User Logon/Logoff Script
The following section provides a summary of Group Policy Objects with Logon/Logoff Script.
+Table 139 - GPO Central Store - ACAD.PHARMAX.LOCAL
+Health Check:
Best Practices: Ensure Central Store is deployed to centralized GPO repository.
1.2.3.20.9.2 GPO with User Logon/Logoff Script
The following section provides a summary of Group Policy Objects with Logon/Logoff Script.
GPO Name | GPO Status | Type | Script |
Logon Script | All Settings Enabled | Logon | \\acad.pharmax.local\NETLOGON\enroll.exe |
-
Table 120 - GPO with Logon/Logoff Script - ACAD.PHARMAX.LOCAL
-1.2.3.20.9.3 Health Check - Unlinked GPO
The following section provides a summary of the Unlinked Group Policy Objects.
+Table 140 - GPO with Logon/Logoff Script - ACAD.PHARMAX.LOCAL
+1.2.3.20.9.3 Health Check - Unlinked GPO
The following section provides a summary of the Unlinked Group Policy Objects.
GPO Name | Created | Modified | Computer Enabled | User Enabled |
Logon Script | 2021-10-07 | 2021-10-07 | Yes | Yes |
Unlinked Policy ACAD | 2021-10-06 | 2021-10-06 | No | No |
-
Table 121 - Unlinked GPO - ACAD.PHARMAX.LOCAL
-Health Check:
Corrective Actions: Remove Unused GPO from Active Directory.
1.2.3.20.9.4 Health Check - Empty GPOs
The following section provides a summary of the Empty Group Policy Objects.
+Table 141 - Unlinked GPO - ACAD.PHARMAX.LOCAL
+Health Check:
Corrective Actions: Remove Unused GPO from Active Directory.
1.2.3.20.9.4 Health Check - Empty GPOs
The following section provides a summary of the Empty Group Policy Objects.
GPO Name | Created | Modified | Description |
Empty Policy ACAD | 2021-10-06 | 2021-10-06 | - |
-
Table 122 - Empty GPO - ACAD.PHARMAX.LOCAL
-Health Check:
Corrective Actions: No User and Computer parameters are set: Remove Unused GPO in Active Directory.
1.2.3.20.9.5 Health Check - Enforced GPO
The following section provides a summary of the Enforced Group Policy Objects.
+Table 142 - Empty GPO - ACAD.PHARMAX.LOCAL
+Health Check:
Corrective Actions: No User and Computer parameters are set: Remove Unused GPO in Active Directory.
1.2.3.20.9.5 Health Check - Enforced GPO
The following section provides a summary of the Enforced Group Policy Objects.
GPO Name | Enforced | Order | Target |
Empty Policy ACAD | Yes | 1 | acad.pharmax.local/Acad Computers/SCCM Computers |
-
Table 123 - Enforced GPO - ACAD.PHARMAX.LOCAL
-Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.3.20.10 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.
+Table 143 - Enforced GPO - ACAD.PHARMAX.LOCAL
+Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.2.3.20.10 Organizational Units
The following section provides a summary of Active Directory Organizational Unit information.
Name | Path | Linked GPO |
Acad Computers | acad.pharmax.local/Acad Computers | - |
SCCM Computers | acad.pharmax.local/Acad Computers/SCCM Computers | Empty Policy ACAD |
Domain Controllers | acad.pharmax.local/Domain Controllers | Default Domain Controllers Policy |
Member Servers | acad.pharmax.local/Member Servers | - |
-
Table 124 - Organizational Unit - ACAD.PHARMAX.LOCAL
-1.2.3.20.10.1 Health Check - OU with GPO Blocked Inheritance
The following section provides a summary of the Blocked Inheritance Group Policy Objects.
+Table 144 - Organizational Unit - ACAD.PHARMAX.LOCAL
+1.2.3.20.10.1 Health Check - OU with GPO Blocked Inheritance
The following section provides a summary of the Blocked Inheritance Group Policy Objects.
OU Name | Container Type | Inheritance Blocked | Path |
sccm computers | OU | Yes | acad.pharmax.local/Acad Computers/SCCM Computers |
-
Table 125 - Blocked Inheritance GPO - ACAD.PHARMAX.LOCAL
-Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.3 Domain Name System Summary
The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.
1.3.1 UIA.LOCAL DNS Configuration
The following section provides a configuration summary of the DNS service.
1.3.1.1 Infrastructure Summary
The following section provides a summary of the DNS Infrastructure configuration.
+Table 145 - Blocked Inheritance GPO - ACAD.PHARMAX.LOCAL
+Health Check:
Corrective Actions: Review use of enforcement and blocked policy inheritance in Active Directory.
1.3 Domain Name System Summary
The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.
1.3.1 UIA.LOCAL DNS Configuration
The following section provides a configuration summary of the DNS service.
1.3.1.1 Infrastructure Summary
The following section provides a summary of the DNS Infrastructure configuration.
DC Name | Build Number | IPv6 | DnsSec | ReadOnly DC | Listening IP |
DC-UIA-01V | 20348 | Yes | Yes | No | fe80::fc0b:52e5:4931:6229 172.23.7.1 |
-
Table 126 - Infrastructure Setting - UIA.LOCAL
-1.3.1.1.1 Domain Controller DNS IP Configuration
+Table 146 - Infrastructure Setting - UIA.LOCAL
+1.3.1.1.1 Domain Controller DNS IP Configuration
DC Name | Interface | DNS IP 1 | DNS IP 2 | DNS IP 3 | DNS IP 4 |
DC-UIA-01V | Ethernet0 | 127.0.0.1 | 192.168.5.1 | - | - |
-
Table 127 - IP Configuration - UIA.LOCAL
-Health Check:
Best Practices: DNS configuration on network adapter should include the loopback address, but not as the first entry.
1.3.1.1.2 Application Directory Partition
The following section provides Directory Partition information.
1.3.1.1.2.1 DC-UIA-01V Directory Partition
+Table 147 - IP Configuration - UIA.LOCAL
+Health Check:
Best Practices: DNS configuration on network adapter should include the loopback address, but not as the first entry.
1.3.1.1.2 Application Directory Partition
The following section provides Directory Partition information.
1.3.1.1.2.1 DC-UIA-01V Directory Partition
Name | State | Flags | Zone Count |
DomainDnsZones.acad.pharmax.local | - | Not-Enlisted | 0 |
DomainDnsZones.pharmax.local | - | Not-Enlisted | 0 |
DomainDnsZones.uia.local | DNS_DP_OKAY | Enlisted Auto Domain | 2 |
ForestDnsZones.pharmax.local | DNS_DP_OKAY | Enlisted Auto Forest | 3 |
-
Table 128 - Directory Partitions - UIA.LOCAL
-1.3.1.1.3 Response Rate Limiting (RRL)
+Table 148 - Directory Partitions - UIA.LOCAL
+1.3.1.1.3 Response Rate Limiting (RRL)
DC Name | Status | Responses Per Sec | Errors Per Sec | Window In Sec | Leak Rate | Truncate Rate |
DC-UIA-01V | Disable | 5 | 5 | 5 | 3 | 2 |
-
Table 129 - Response Rate Limiting - UIA.LOCAL
-1.3.1.1.4 Scavenging Options
+Table 149 - Response Rate Limiting - UIA.LOCAL
+1.3.1.1.4 Scavenging Options
DC Name | NoRefresh Interval | Refresh Interval | Scavenging Interval | Last Scavenge Time | Scavenging State |
DC-UIA-01V | 7.00:00:00 | 7.00:00:00 | 00:00:00 | - | Disabled |
-
Table 130 - Scavenging - UIA.LOCAL
-Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.
1.3.1.1.5 Forwarder Options
+Table 150 - Scavenging - UIA.LOCAL
+Health Check:
Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs.
1.3.1.1.5 Forwarder Options
DC Name | IP Address | Timeout | Use Root Hint | Use Recursion |
DC-UIA-01V | 192.168.5.1 | 3/s | Yes | Yes |
-
Table 131 - Forwarders - UIA.LOCAL
-1.3.1.1.6 Root Hints
The following section provides Root Hints information.
1.3.1.1.6.1 DC-UIA-01V Root Hints