• Microsoft Active Directory Documentation Script V3.03

    February 22, 2021

    Active Directory, PowerShell

    Version 3.03 22-Feb-2021

    • Added a Try/Catch and -LDAPFilter when checking for the Exchange schema attributes to suppress the error if Exchange is not installed
    • Added Domain SID to the Domain Information section
    • Added SYSVOL State to Function OutputADFileLocations
      • If SYSVOL State is not 4, highlight in red
    • Added updates from Michael B. Smith for MaxPasswordAge
      • Update Function getDSUsers
      • Update Function GetMaximumPasswordAge
    • Changed from using Test-Connection to Test-NetConnection -Port 88
      • Port 88 is the KDC and is unique to DCs (thanks to Matthew Woolnough for the suggestion)
    • Cleaned up console output
    • In Function BuildMultiColumnTable:
      • Prevent a division by 0 error if $MaxLength was 0
      • Fixed OutOfBounds array error (appears to be a corner case when there are 11 subnets assigned to a Site)
    • Fixed bug to now catch empty Site Subnet arrays
      • Added text “No Subnets linked to this site”
    • Updated Function GetComputerServices to add “***” in the Text output when the service type is Automatic and Status is Stopped
    • Updated Function getDSUsers to handle processing accounts in the Foreign Security Principals container
      • Find all orphaned SIDs
      • Get a count of orphaned SIDs
      • Added Function OutputFSPUserInfo to output the Orphaned SIDs and the groups those SIDs are members of
    • Updated Function ProcessGroupInformation to put HTML output in Red when:
      • Password Last Change is null or not set
      • Password Never Expires is True
      • Account is Disabled
    • Updated the help text
    • Updated the ReadMe file
    • When processing Groups that have attribute adminCount -eq 1, fixed the case where the group name doesn’t match the samAccountName or the distinguishedName
    • When processing Groups that have attribute adminCount -eq 1, check if there was an error retrieving members of the group
      • If there was an error, add the text “Unable to retrieve group members. Check for orphaned SIDs.” in place of the group members

    After running this script update, I recommend you search the output file for “sysvol state” and “foreign security”.

    If you see any Domain Controllers where the SYSVOL state is not 4, then read this article.

    If you have any orphaned SIDs in the Foreign Security Principals container, determine whether there are any trusts in the domain (trusts are included in the output). If there are no trusts, you may have orphans. If there are trusts, compare the Domain SID of each trusted domain with the Domain SIDs of the orphaned SIDs. If any match, name resolution for those SIDs is slow, the orphans are not really orphans, and you can safely ignore them.
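
    The comparison described above, as an added PowerShell example that is not part of the documentation script: it takes the orphaned SIDs and the trusted-domain Domain SIDs read from the report and flags which orphans share a Domain SID with a trust. The function name Get-FspSidTriage and all sample SIDs and domain names are hypothetical.

    ```powershell
    # Constructed sample input. In practice, copy these values from the report:
    # the Domain SID of each trusted domain and the orphaned SIDs listed for the
    # Foreign Security Principals container. Names and SIDs are hypothetical.
    $TrustedDomains = @{
        'S-1-5-21-1111111111-2222222222-3333333333' = 'partner.example'
    }
    $OrphanedSids = @(
        'S-1-5-21-1111111111-2222222222-3333333333-1105'   # domain part matches the trust
        'S-1-5-21-4444444444-5555555555-6666666666-2310'   # no trust has this Domain SID
        'S-1-5-11'                                         # no domain part at all
        'not-a-sid'                                        # malformed entry
    )

    function Get-FspSidTriage {
        param(
            [string[]]  $Sid,
            [hashtable] $TrustedDomainSid = @{}   # empty when the domain has no trusts
        )
        foreach ($s in $Sid) {
            $domainSid = $null; $trust = $null
            try {
                $parsed = [System.Security.Principal.SecurityIdentifier]::new($s)
                # AccountDomainSid is $null unless the SID is an S-1-5-21-... account SID
                if ($parsed.AccountDomainSid) { $domainSid = $parsed.AccountDomainSid.Value }
                if (-not $domainSid) {
                    $verdict = 'No domain SID to compare'
                } elseif ($TrustedDomainSid.ContainsKey($domainSid)) {
                    $trust   = $TrustedDomainSid[$domainSid]
                    $verdict = 'Matches a trusted domain: slow name resolution, not an orphan'
                } else {
                    $verdict = 'No matching trust: possible orphan'
                }
            } catch {
                $verdict = 'Malformed SID'   # the SecurityIdentifier constructor rejected it
            }
            [pscustomobject]@{
                Sid = $s; DomainSid = $domainSid; TrustedDomain = $trust; Verdict = $verdict
            }
        }
    }

    Get-FspSidTriage -Sid $OrphanedSids -TrustedDomainSid $TrustedDomains |
        Format-List Sid, DomainSid, TrustedDomain, Verdict
    ```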

    You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/



    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see CarlWebster.com) and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.


    2 Responses to “Microsoft Active Directory Documentation Script V3.03”

    1. Jorge Eduardo Cavallin Says:

      Hi Carl. I hope you are very well. Usually, I use “Microsoft Active Directory Documentation Script V3.0” script.
      On Windows 7/8/10 client computers. To determine its health status I use several independent PowerShell commands. Do you have any scripting that includes diagnostic tests that should be executed in Windows 7/8/10 to determine their integrity together in the Active Directory? Thank you

