Microsoft Active Directory Health Check PowerShell Script Version 2.0
May 9, 2016
In July 2014, Jeff Wouters (PowerShell MVP) released his Active Directory Health Check script. A little while ago, a user emailed me asking for help as they were trying to run the script using Microsoft Word 2016. Jeff had left my email address in the error message so I reached out to Jeff for permission to update his script. Jeff stated he would no longer be updating his script and I could maintain it on my site. Along with the help of Michael B. Smith (Exchange MVP) and a hard-working, dedicated group of testers, the script will now be maintained and housed on my site.
#Version 2.0 9-May-2016
- Added alias for AddDateTime of ADT
- Added alias for CompanyName of CN
- Added -Dev parameter to create a text file of script errors
- Added more script information to the console output when script starts
- Added -ScriptInfo (SI) parameter to create a text file of script information
- Added support for emailing output report
- Added support for output folder
- Added Word 2016 support
- Fixed numerous issues discovered with the latest update to PowerShell V5
- Fixed several incorrect variable names that kept PDFs from saving in Windows 10 and Office 2013
- General code cleanup by Michael B. Smith
- Output to CSV rewritten by Michael B. Smith
- Removed the 10 second pauses waiting for Word to save and close
- Removed unused parameters Text, HTML, ComputerName, Hardware
- Significant Active Directory changes have been implemented by Michael B. Smith
- Updated help text
What the Script Checks
- Sites and Services
  - Sites
  - Sites – Without a description
  - Sites – Without one or more subnet(s)
  - Sites – No server(s)
  - Sites – Without a connection
- Organisational Units
  - OU – GPO inheritance blocked
- Domain Controllers
  - Domain Controllers – No contact in the last 3 months
- Member Servers
  - Member Servers – Password never expires
  - Member Servers – Password more than 6 months old
  - Member Servers – Account never expires
  - Member Servers – Account disabled
- Users
  - Users – Direct member of a Domain Local Group
  - Users – Password never expires
  - Users – Password not required
  - Users – Change password at next logon
  - Users – Password not changed in last 12 months
  - Users – Account without expiration date
  - Users – Do not require Kerberos preauthentication
  - Users – Disabled
- Groups
  - Groups – Privileged groups
  - Groups – Privileged – More than 5 members
  - Groups – Privileged – No members
  - Groups – Primary – Empty (no members)
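Most of the Users checks in the list above can be evaluated from three raw directory attributes: userAccountControl, pwdLastSet and accountExpires. The following is an added example, not code from the Health Check script, showing one way to decode them; the function name Get-UserFinding and the sample accounts are hypothetical.

```powershell
# Added example; not taken from the Health Check script.
# userAccountControl bits, per Microsoft's documented flag values.
$UacFlags = [ordered]@{
    'Disabled'                                  = 0x000002  # ACCOUNTDISABLE
    'Password not required'                     = 0x000020  # PASSWD_NOTREQD
    'Password never expires'                    = 0x010000  # DONT_EXPIRE_PASSWORD
    'Do not require Kerberos preauthentication' = 0x400000  # DONT_REQ_PREAUTH
}
# accountExpires holds 0 or Int64 max when no expiration date is set.
$NeverExpires = @([Int64]0, [Int64]::MaxValue)

function Get-UserFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $User,
        [datetime] $NowUtc = [datetime]::UtcNow
    )
    process {
        $found = @()
        foreach ($flag in $UacFlags.GetEnumerator()) {
            if ($User.userAccountControl -band $flag.Value) { $found += $flag.Key }
        }
        if ($User.pwdLastSet -eq 0) {
            # pwdLastSet = 0 means the password must be changed at next logon
            $found += 'Change password at next logon'
        }
        elseif ([datetime]::FromFileTimeUtc($User.pwdLastSet) -lt $NowUtc.AddMonths(-12)) {
            $found += 'Password not changed in last 12 months'
        }
        if ($NeverExpires -contains $User.accountExpires) {
            $found += 'Account without expiration date'
        }
        [pscustomobject]@{ SamAccountName = $User.SamAccountName; Findings = $found -join '; ' }
    }
}

# Constructed sample records (not real accounts); property names match the LDAP attributes.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; userAccountControl = 0x410200
        pwdLastSet = [datetime]::UtcNow.AddMonths(-30).ToFileTimeUtc()
        accountExpires = [Int64]::MaxValue }
    [pscustomobject]@{ SamAccountName = 'j.doe'; userAccountControl = 0x000222
        pwdLastSet = [Int64]0
        accountExpires = [datetime]::UtcNow.AddMonths(6).ToFileTimeUtc() }
)
$sample | Get-UserFinding | Format-List

# Live data (needs the ActiveDirectory module):
# Get-ADUser -Filter * -Properties userAccountControl,pwdLastSet,accountExpires | Get-UserFinding
```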
Michael B. Smith put a LOT of time and effort into optimizing the code and writing new AD functions to make sure the data returned met our OCD standards.
Chris M. put a lot of time into trying to get the CSV output working but it turned out to be harder than he or I thought it would be. Michael B. Smith had to write a new CSV output function.
David M. is a brutal but very patient tester who tested every combination of script parameters. I have received almost 250MB worth of sample reports and log files from David.
If there are other AD Health Checks you would like to see included or you see errors in the data, please email me at webster@carlwebster.com.
You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/
Thanks
Webster
36 Responses to “Microsoft Active Directory Health Check PowerShell Script Version 2.0”
October 4, 2018 at 3:59 am
Hi Sir,
Since I’m running this script on a server which has no MS suite installed … is it possible to get the output in some other way? In PDF format?
And what changes should I make in the script to get a .pdf format?
October 19, 2018 at 8:07 pm
No. The original author only did Word/PDF output.
Sorry
Webster
May 31, 2018 at 10:04 pm
Hi Carl. Thank you for the great work keeping this script updated!
I’m a n00b at scripting, and I was trying to modify this to output using our company fonts and colors. Especially the alternating shade colors on the tables it creates.
I tried modifying the $BackgroundColor variable with RGB values instead of $null, but I don’t think I did it right. I tried changing the $FontName variable to ‘Verdana’ and did get that changed, but the Automatic Table 2 selected seems to like its font and shading colors, and the CoverPage kept its default fonts. As a last-ditch effort, I created a new Cover Page and saved it as XYZ in Word 2016 (based on Whisp, which DOES work) but when I name it as the -CoverPage XYZ parameter, it says it’s not a valid cover page option.
Any advice would be very much appreciated, and even more so if you built those parameters into the next version of the script! Thanks in advance!
June 1, 2018 at 12:22 am
I have never figured out how to get the script to work with custom templates. I spent a week a couple of years ago working on it and never got it working.
Webster
June 1, 2018 at 2:15 pm
Well if YOU couldn’t get that working, then I don’t feel bad! 🙂 Thx for replying.
Any advice on how to manually change those shade colors? It seems to be handled between lines 1500 and 1700, but I’m not even sure if you can change settings like that on Automatic Table 2 or any such thing.
It’s obviously not the end of the world; I’ll copy and paste into our template but I’d like to learn if you were inclined. Thanks again!
June 1, 2018 at 2:19 pm
IIRC, there are 255 Table formats to select from. I used to have a Word doc with all of them listed but I can’t find it. When I do find it, I will email it to you.
Webster
June 1, 2018 at 3:09 pm
I sent you the info and how to make the necessary changes in the scripts but you supplied me with a fake email address so looks like you can’t get the information you requested.
Webster
June 4, 2018 at 6:29 pm
Hi not sure what happened. It was supposed to forward to my email. Normally I use an alias that forwards like this when posting to avoid trolls. I’ve keyed in my direct email now so please try again. Thank you for your help!
June 4, 2018 at 6:41 pm
Second email attempt on its way.
Webster
July 20, 2017 at 7:52 am
Dear Carl,
Great job. Thank you for making all of your work, and the work of those others who have contributed, available for open access. I am finding these scripts very useful professionally. Thank you again.
– E
January 24, 2017 at 2:35 pm
Where is the script to download please?
January 24, 2017 at 2:37 pm
At the bottom of the article is this:
You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/
Webster
January 22, 2017 at 10:39 am
Excellent work. I need to run it without Office, in HTML or TXT. Can you tell me the correct syntax so that it does not use Office?
Thank you very much in advance.
January 22, 2017 at 10:42 am
That script’s original author only did Word output.
Webster
December 6, 2016 at 1:38 pm
Hi Carl,
Please, what am I missing?
PS C:\tmp\ad> .\ADDS_Inventory_V2_Signed.ps1
Do you want to run software from this untrusted publisher?
File C:\tmp\ad\ADDS_Inventory_V2_Signed.ps1 is published by CN=”Carl Webster Consulting, LLC”, O=”Carl Webster
Consulting, LLC”, L=Tullahoma, S=TN, C=US and is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is “D”): R
Cannot process the “#requires” statement at line 2 because it is not in the correct format.
The “#requires” statement must be in one of the following formats:
“#requires -shellid ”
“#requires -version ”
“#requires -pssnapin [-version ]”
At line:1 char:31
+ .\ADDS_Inventory_V2_Signed.ps1 <<<<
+ CategoryInfo : ObjectNotFound: (:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
December 6, 2016 at 2:58 pm
You must be running PowerShell V2? You need to be running PowerShell V3.
The first line of the script is “#Requires -Version 3.0”.
The ReadMe file states: “NOTE: This script requires PowerShell V3 or later.”
Thanks
Webster
December 17, 2016 at 8:21 am
Thanks!
August 16, 2016 at 2:38 pm
Is this script not compatible with Word 2016? The script aborts and claims that the version of Word is untested or unsupported. Any suggestions??
Script Output:
VERBOSE: 08/16/2016 14:36:02: Testing output parameters
VERBOSE: 08/16/2016 14:36:02: MSWord is set
VERBOSE: 08/16/2016 14:36:02: CoName is jeffwouters.nl
VERBOSE: 08/16/2016 14:36:02: Setting up Word
VERBOSE: 08/16/2016 14:36:02: Create Word comObject. If you are not running Word 2007, ignore the next message.
VERBOSE: The object written to the pipeline is an instance of the type “Microsoft.Office.Interop.Word.ApplicationClass” from the component’s primary interoperability assembly. If this type exposes different members
than the IDispatch members, scripts that are written to work with this object might not work if the primary interoperability assembly is not installed.
VERBOSE: 08/16/2016 14:36:05: Determine Word language value
VERBOSE: 08/16/2016 14:36:05: Word language value is 1033
SetupWord :
You are running an untested or unsupported version of Microsoft Word.
Script will end.
Please send info on your version of Word to webster@carlwebster.com
At C:UserskeyerOneDrive – Lps Integration, IncCarl Webster ScriptsAD-Health-Check-v1.0-ALLAD Health Check v1.0 (signed).ps1:2096 char:3
+ SetupWord
+ ~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,SetupWord
VERBOSE: 08/16/2016 14:36:05: System Cleanup
VERBOSE: Performing the operation “Remove variable” on target “Name: Word”.
VERBOSE: 08/16/2016 14:36:05: Script has been aborted
August 16, 2016 at 2:41 pm
You need the 2.0 script.
https://carlwebster.com/downloads/download-info/active-directory-health-check/
Webster
August 11, 2016 at 2:48 am
Hi,
Great script but can I use it only against a child domain?
Thanks
August 11, 2016 at 6:20 am
I don’t believe so. The original author, Jeff Wouters, uses ( [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() ).Domains to retrieve a list of all domains in a forest. Since you have the code, you could alter the script to process only a specified domain.
Webster
August 19, 2016 at 9:28 am
I will do my best to add that capability in version 2.1.
Webster
August 5, 2016 at 10:35 am
When trying to use ADHCv2, I keep getting a “Microsoft.PowerShell.Commands.WriteErrorException,ProcessDocumentOutput”, regardless of output type, etc, that I choose. Thoughts?
August 5, 2016 at 11:01 am
Run the script with the -dev and -si parameters and email me the two log files generated.
webster@carlwebster.com
Webster
August 5, 2016 at 11:15 am
On their way. Thanks.
August 5, 2016 at 11:11 am
Issue appears to be the way in which Word 2013 is saving. Rather than simply saving the doc, it’s popping a dialog box. I can choose my format to save there, and that works. However, if I run the script to save in PDF, the dialog pops up for the first save (the docx) then appears to error out on the second save (to pdf).
August 5, 2016 at 11:15 am
I only see that in click-to-run versions of Word. I never see that with full installs of Word.
Webster
June 15, 2016 at 4:03 am
I need to run the documentation script against a large Xenapp 7.8 farm. Could you please tell me what will not work, if I remove the validation for XenApp ver. < 7.8? I will gladly test a beta of the script for XenApp 7.8?
Gert Nielsen
June 15, 2016 at 7:03 am
The AD Health Check script can be run from any domain joined computer that has Microsoft Word installed. This script doesn’t check for any specific Citrix product or version.
If you are asking about the XenDesktop 7.x documentation script, just run the prior version before I added checking for 7.8 or later. Send me an email and I will add you to the 7.8+ script testers.
Webster
May 17, 2016 at 7:10 am
Hi Carl,
I think you should look into PSCribo for documentation. It’s real easy and lets you concentrate on what’s important. I have something similar for documenting Active Directory. Here’s a link to the gist to help you get started:
https://gist.github.com/irwins/498bc3c24262cc39f051139c070f0850
The idea is to gather all necessary information first and then use PSCribo for documentation purposes… I started the Active Directory because I already had it… You can use the same concept for GPOs Users & Groups!
HTH.
Rg./Irwin
June 8, 2016 at 12:19 pm
As soon as Iain completes PSCribo, then I will take a look at it.
Thanks
Webster
May 13, 2016 at 1:57 am
Hi,
I analyzed the last version of the script ADDS_Inventory_V1_2.ps1 using PSScriptAnalyzer module v. 1.5.0
PS ADDSV1.2> Invoke-ScriptAnalyzer -Path .\ADDS_Inventory_V1_2.ps1 | group -Property RuleName | select Name,Count
Name Count
---- -----
PSAvoidUsingWMICmdlet 9
PSUseBOMForUnicodeEncodedFile 1
PSUseDeclaredVarsMoreThanAssigments 1
PSAvoidGlobalVars 5
PSAvoidUsingCmdletAliases 79
PSAvoidUsingWriteHost 2
PSPossibleIncorrectComparisonWithNull 26
Is there any repository where I can contribute updates?
June 8, 2016 at 12:20 pm
No thanks. I disagree with a lot of what that analyzer analyzes.
Thanks
Webster
May 12, 2016 at 2:12 pm
I’d even add, if you publish the code on github the whole community could contribute to make it better, while keeping you in control of what contribution is merged to your project.
May 10, 2016 at 7:39 am
1) Cool stuff!
2) This is the sort of function that we are encouraging the community to use Pester and the OperationValidation Framework for – have you considered that?
3) I bet you’d get a ton more downloads if you posted your scripts to the PowerShell Gallery
Jeffrey Snover [MSFT]
May 10, 2016 at 10:08 am
Mr. Snover it is an honor to have you visit my site. You have made my week.
1. Thanks.
2. I have no idea what Pester is and I will look at the OperationValidation stuff. I am neither a programmer nor a developer. I am just a bulldog who sees a need and works until it is taken care of.
3. Had never thought of that. Didn’t think my scripts were quality enough for any gallery. Are you sure scripts as large as mine would be welcome there?
Again, thanks for honoring me with a visit.
Webster