Microsoft Active Directory Health Check PowerShell Script Version 2.0

In July 2014, Jeff Wouters (PowerShell MVP) released his Active Directory Health Check script. A little while ago, a user emailed me asking for help as they were trying to run the script using Microsoft Word 2016. Jeff had left my email address in the error message so I reached out to Jeff for permission to update his script. Jeff stated he would no longer be updating his script and I could maintain it on my site. Along with the help of Michael B. Smith (Exchange MVP) and a hard-working, dedicated group of testers, the script will now be maintained and housed on my site.

#Version 2.0 9-May-2016

  • Added alias for AddDateTime of ADT
  • Added alias for CompanyName of CN
  • Added -Dev parameter to create a text file of script errors
  • Added more script information to the console output when script starts
  • Added -ScriptInfo (SI) parameter to create a text file of script information
  • Added support for emailing output report
  • Added support for output folder
  • Added Word 2016 support
  • Fixed numerous issues discovered with the latest update to PowerShell V5
  • Fixed several incorrect variable names that kept PDFs from saving in Windows 10 and Office 2013
  • General code cleanup by Michael B. Smith
  • Output to CSV rewritten by Michael B. Smith
  • Removed the 10 second pauses waiting for Word to save and close
  • Removed unused parameters Text, HTML, ComputerName, Hardware
  • Significant Active Directory changes have been implemented by Michael B. Smith
  • Updated help text

What the Script Checks

  • Sites and Services
    • Sites
    • Sites – Without a description
    • Sites – Without one or more subnet(s)
    • Sites – No server(s)
    • Sites – Without a connection
  • Organisational Units
    • OU – GPO inheritance blocked
  • Domain Controllers
    • Domain Controllers – No contact in the last 3 months
  • Member Servers
    • Member Servers – Password never expires
    • Member Servers – Password more than 6 months old
    • Member Servers – Account never expires
    • Member Servers – Account disabled
  • Users
    • Users – Direct member of a Domain Local Group
    • Users – Password never expires
    • Users – Password not required
    • Users – Change password at next logon
    • Users – Password not changed in last 12 months
    • Users – Account without expiration date
    • Users – Do not require Kerberos preauthentication
    • Users – Disabled
  • Groups
    • Groups – Privileged groups
    • Groups – Privileged – More than 5 members
    • Groups – Privileged – No members
    • Groups – Primary – Empty (no members)
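
How the Users checks listed above map to raw directory attributes, as an added example that is not code from the health check script. The helper name `Test-UserHealth` is hypothetical and the sample accounts are constructed; the properties are the LDAP attributes `userAccountControl`, `pwdLastSet` and `accountExpires`.

```powershell
# Added example, not the health check script's own code.
# userAccountControl bit flags (values documented by Microsoft)
$UAC = @{
    Disabled             = 0x000002   # ACCOUNTDISABLE
    PasswordNotRequired  = 0x000020   # PASSWD_NOTREQD
    PasswordNeverExpires = 0x010000   # DONT_EXPIRE_PASSWORD
    NoKerberosPreauth    = 0x400000   # DONT_REQ_PREAUTH
}
# accountExpires values that mean "never expires"
[long[]] $NeverExpires = 0, 9223372036854775807

function Test-UserHealth {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        foreach ($name in $UAC.Keys) {
            if ($User.userAccountControl -band $UAC[$name]) { $findings += $name }
        }
        if ($User.pwdLastSet -eq 0) {
            # pwdLastSet = 0 forces a password change at next logon
            $findings += 'ChangePasswordAtNextLogon'
        }
        elseif ([datetime]::FromFileTimeUtc($User.pwdLastSet) -lt $Now.ToUniversalTime().AddMonths(-12)) {
            $findings += 'PasswordOlderThan12Months'
        }
        if ($NeverExpires -contains $User.accountExpires) { $findings += 'NoAccountExpiration' }
        [pscustomobject]@{
            SamAccountName = $User.sAMAccountName
            Findings       = ($findings | Sort-Object) -join ', '
        }
    }
}

# Constructed sample accounts (not real directory data)
$old = (Get-Date '2014-11-03').ToFileTimeUtc()
$new = (Get-Date '2016-04-20').ToFileTimeUtc()
$exp = (Get-Date '2017-01-01').ToFileTimeUtc()
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'svc-backup'; userAccountControl = 0x10200;  pwdLastSet = $old; accountExpires = 0 }
    [pscustomobject]@{ sAMAccountName = 'jdoe';       userAccountControl = 0x400200; pwdLastSet = $new; accountExpires = $exp }
    [pscustomobject]@{ sAMAccountName = 'newhire';    userAccountControl = 0x222;    pwdLastSet = 0;    accountExpires = 9223372036854775807 }
)
$sample | Test-UserHealth -Now (Get-Date '2016-05-09') | Format-Table -AutoSize -Wrap
```

Against a live domain, the output of `Get-ADUser -Filter * -Properties userAccountControl,pwdLastSet,accountExpires` can be piped to the same function.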

Michael B. Smith put a LOT of time and effort into optimizing the code and writing new AD functions to make sure the data returned met our OCD standards.

Chris M. put a lot of time into trying to get the CSV output working but it turned out to be harder than he or I thought it would be. Michael B. Smith had to write a new CSV output function.

David M. is a brutal but very patient tester who tested every combination of script parameters. I have received almost 250MB worth of sample reports and log files from David.

If there are other AD Health Checks you would like to see included or you see errors in the data, please email me. [email protected]

You can always find the most current script by going to http://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

About Carl Webster

Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


27 Responses to “Microsoft Active Directory Health Check PowerShell Script Version 2.0”

  1. Edward McAuley Says:

    Dear Carl,

    Great job. Thank you for making all of your work, and the work of those others who have contributed, available for open access. I am finding these scripts very useful professionally. Thank you again.

    – E


  2. Chad Says:

    Where is the script to download please?


  3. Matias Says:

    Excellent work. I need to run it without Office, in HTML or TXT. Can you tell me the correct syntax so that it does not use Office?
    Thank you very much in advance.


  4. Podo Says:

    Hi Carl,
    Please, what am I missing?

    PS C:\tmp\ad> .\ADDS_Inventory_V2_Signed.ps1

    Do you want to run software from this untrusted publisher?
    File C:\tmp\ad\ADDS_Inventory_V2_Signed.ps1 is published by CN=”Carl Webster Consulting, LLC”, O=”Carl Webster
    Consulting, LLC”, L=Tullahoma, S=TN, C=US and is not trusted on your system. Only run scripts from trusted publishers.
    [V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is “D”): R
    Cannot process the “#requires” statement at line 2 because it is not in the correct format.
    The “#requires” statement must be in one of the following formats:
    “#requires -shellid ”
    “#requires -version ”
    “#requires -pssnapin [-version ]”
    At line:1 char:31
    + .\ADDS_Inventory_V2_Signed.ps1 <<<<
    + CategoryInfo : ObjectNotFound: (:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException


    • Carl Webster Says:

      You must be running PowerShell V2? You need to be running PowerShell V3.

      The first line of the script is “#Requires -Version 3.0”.

      The ReadMe file states: “NOTE: This script requires PowerShell V3 or later.”

      Thanks

      Webster


  5. Kevin Eyer Says:

    Is this script not compatible with Word 2016? The script aborts and claims that the version of Word is untested or unsupported. Any suggestions??

    Script Output:

    VERBOSE: 08/16/2016 14:36:02: Testing output parameters
    VERBOSE: 08/16/2016 14:36:02: MSWord is set
    VERBOSE: 08/16/2016 14:36:02: CoName is jeffwouters.nl
    VERBOSE: 08/16/2016 14:36:02: Setting up Word
    VERBOSE: 08/16/2016 14:36:02: Create Word comObject. If you are not running Word 2007, ignore the next message.
    VERBOSE: The object written to the pipeline is an instance of the type “Microsoft.Office.Interop.Word.ApplicationClass” from the component’s primary interoperability assembly. If this type exposes different members
    than the IDispatch members, scripts that are written to work with this object might not work if the primary interoperability assembly is not installed.
    VERBOSE: 08/16/2016 14:36:05: Determine Word language value
    VERBOSE: 08/16/2016 14:36:05: Word language value is 1033
    SetupWord :
    You are running an untested or unsupported version of Microsoft Word.
    Script will end.
    Please send info on your version of Word to [email protected]
    At C:\Users\keyer\OneDrive – Lps Integration, Inc\Carl Webster Scripts\AD-Health-Check-v1.0-ALL\AD Health Check v1.0 (signed).ps1:2096 char:3
    + SetupWord
    + ~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,SetupWord

    VERBOSE: 08/16/2016 14:36:05: System Cleanup
    VERBOSE: Performing the operation “Remove variable” on target “Name: Word”.
    VERBOSE: 08/16/2016 14:36:05: Script has been aborted


  6. Rob Says:

    Hi,

    Great script but can I use it only against a child domain?

    Thanks


    • Carl Webster Says:

      I don’t believe so. The original author, Jeff Wouters, uses ( [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() ).Domains to retrieve a list of all domains in a forest. Since you have the code, you could alter the script to process only a specified domain.

      Webster


    • Carl Webster Says:

      I will do my best to add that capability in version 2.1.

      Webster


  7. Tim Says:

    When trying to use ADHCv2, I keep getting a “Microsoft.PowerShell.Commands.WriteErrorException,ProcessDocumentOutput”, regardless of output type, etc, that I choose. Thoughts?


    • Carl Webster Says:

      Run the script with the -dev and -si parameters and email me the two log files generated.

      [email protected]

      Webster


    • Tim Says:

      Issue appears to be the way in which Word 2013 is saving. Rather than simply saving the doc, it’s popping a dialog box. I can choose my format to save there, and that works. However, if I run the script to save in PDF, the dialog pops up for the first save (the docx) then appears to error out on the second save (to pdf).


      • Carl Webster Says:

        I only see that in click-to-run versions of Word. I never see that with full installs of Word.

        Webster

  8. Gert Nielsen Says:

    I need to run the documentation script against a large XenApp 7.8 farm. Could you please tell me what will not work, if I remove the validation for XenApp ver. < 7.8? I will gladly test a beta of the script for XenApp 7.8?

    Gert Nielsen


    • Carl Webster Says:

      The AD Health Check script can be run from any domain joined computer that has Microsoft Word installed. This script doesn’t check for any specific Citrix product or version.

      If you are asking about the XenDesktop 7.x documentation script, just run the prior version before I added checking for 7.8 or later. Send me an email and I will add you to the 7.8+ script testers.

      Webster


  9. Irwin Strachan Says:

    Hi Carl,

    I think you should look into PScribo for documentation. It’s real easy and lets you concentrate on what’s important. I have something similar for documenting Active Directory. Here’s a link to the gist to help you get started:

    https://gist.github.com/irwins/498bc3c24262cc39f051139c070f0850

    The idea is to gather all necessary information first and then use PScribo for documentation purposes… I started the Active Directory because I already had it… You can use the same concept for GPOs Users & Groups!

    HTH.

    Rg./Irwin


  10. Wojciech Sciesinski Says:

    Hi,
    I analyzed the last version of the script ADDS_Inventory_V1_2.ps1 using PSScriptAnalyzer module v. 1.5.0

    PS ADDSV1.2> Invoke-ScriptAnalyzer -Path .\ADDS_Inventory_V1_2.ps1 | group -Property RuleName | select Name,Count

    Name                                   Count
    ----                                   -----
    PSAvoidUsingWMICmdlet                      9
    PSUseBOMForUnicodeEncodedFile              1
    PSUseDeclaredVarsMoreThanAssigments        1
    PSAvoidGlobalVars                          5
    PSAvoidUsingCmdletAliases                 79
    PSAvoidUsingWriteHost                      2
    PSPossibleIncorrectComparisonWithNull     26

    Is there any repository where I can contribute updates?


  11. Gael Says:

    I’d even add, if you publish the code on github the whole community could contribute to make it better, while keeping you in control of what contribution is merged to your project.


  12. Jeffrey Snover Says:

    1) Cool stuff!
    2) This is the sort of function that we are encouraging the community to use Pester and the OperationValidation Framework (https://www.powershellgallery.com/packages/OperationValidation/1.0.1 ) for – have you considered that?
    3) I bet you’d get a ton more downloads if you posted your scripts to the PowerShell Gallery

    Jeffrey Snover [MSFT]


    • Carl Webster Says:

      Mr. Snover it is an honor to have you visit my site. You have made my week.

      1. Thanks.
      2. I have no idea what Pester is and I will look at the OperationValidation stuff. I am neither a programmer nor a developer. I am just a bulldog who sees a need and works until it is taken care of.
      3. Had never thought of that. Didn’t think my scripts were quality enough for any gallery. Are you sure scripts as large as mine would be welcome there?

      Again, thanks for honoring me with a visit.

      Webster

