Active Directory vCheck

When I was a Systems Administrator, one of the things we wanted to know was if there were issues with our Active Directory environment.  Things like directory health, stale computers, and if someone had modified the domain admins group were at the top of that list.

The scripts below were built in an attempt to give a quick overview of the Active Directory.  These plugins were built on top of Alan Renouf’s vCheck (@alanrenouf) which provides a great framework for the building of your own scripts.  Check out his site if you haven’t already!

To install the vCheck, simply extract the contents of the zip file to a directory on your computer.  If you are running this against a Server 2008 R2 server you’ll need to enable WinRM and install  the AD Web Services.  I ran my tests against a Server 2012 domain controller with no issues.

If you haven’t modified your signing settings, you may need to change your powershell options to “RemoteSigned.  http://technet.microsoft.com/library/hh847748.aspx

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Once you’ve extracted the components, simple run the vcheck.ps1 script which will ask you some questions to customize the script for your own environment.

The following items will be checked and give you a report:

• The Current Flexible Single Master Operators Role locations
• Any user accounts that are currently locked out
• A quick count of Users and Computers
• The list of users in the Domain Admins group
• User accounts that are set with “Account does not expire”
• Stale Computers
• DCDiag

That’s it!  You can then sit back and run your report anytime you want need an update, or schedule the script and run it daily!  Here is an example report.

Download the Active Directory vCheck Plugin here:  ADvCheck.zip

It’s pretty easy to add additional plugins to suit your own needs as well, just write your PowerShell scripts and throw them in the plugins directory.

Thanks to Alan Renouf as well as PowerCLI man (@PowerCliMan) for the tool!