• Microsoft Active Directory Health Check PowerShell Script Version 2.0

    In July 2014, Jeff Wouters (PowerShell MVP) released his Active Directory Health Check script. A little while ago, a user emailed me asking for help as they were trying to run the script using Microsoft Word 2016. Jeff had left my email address in the error message so I reached out to Jeff for permission to update his script. Jeff stated he would no longer be updating his script and I could maintain it on my site. Along with the help of Michael B. Smith (Exchange MVP) and a hard-working, dedicated group of testers, the script will now be maintained and housed on my site.

    #Version 2.0 9-May-2016

    • Added alias for AddDateTime of ADT
    • Added alias for CompanyName of CN
    • Added -Dev parameter to create a text file of script errors
    • Added more script information to the console output when script starts
    • Added -ScriptInfo (SI) parameter to create a text file of script information
    • Added support for emailing output report
    • Added support for output folder
    • Added Word 2016 support
    • Fixed numerous issues discovered with the latest update to PowerShell V5
    • Fixed several incorrect variable names that kept PDFs from saving in Windows 10 and Office 2013
    • General code cleanup by Michael B. Smith
    • Output to CSV rewritten by Michael B. Smith
    • Removed the 10 second pauses waiting for Word to save and close
    • Removed unused parameters Text, HTML, ComputerName, Hardware
    • Significant Active Directory changes have been implemented by Michael B. Smith
    • Updated help text

    What the Script Checks

    • Sites and Services
      • Sites
      • Sites – Without a description
      • Sites – Without one or more subnet(s)
      • Sites – No server(s)
      • Sites – Without a connection
    • Organisational Units
      • OU – GPO inheritance blocked
    • Domain Controllers
      • Domain Controllers – No contact in the last 3 months
    • Member Servers
      • Member Servers – Password never expires
      • Member Servers – Password more than 6 months old
      • Member Servers – Account never expires
      • Member Servers – Account disabled
    • Users
      • Users – Direct member of a Domain Local Group
      • Users – Password never expires
      • Users – Password not required
      • Users – Change password at next logon
      • Users – Password not changed in last 12 months
      • Users – Account without expiration date
      • Users – Do not require Kerberos preauthentication
      • Users – Disabled
    • Groups
      • Groups – Privileged groups
      • Groups – Privileged – More than 5 members
      • Groups – Privileged – No members
      • Groups – Primary – Empty (no members)
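
    The Users checks listed above map onto a handful of raw directory attributes. The following is an added example, not code from the Health Check script: a hypothetical `Test-UserHealth` function that evaluates those checks from `userAccountControl`, `pwdLastSet` and `accountExpires`, run here on constructed sample records. The "Direct member of a Domain Local Group" check is not covered.

```powershell
# Added example: evaluates the page's "Users" checks from raw AD attributes.
# Flag values are the documented userAccountControl bits.
$UacFlags = [ordered]@{
    'Disabled'                                  = 0x0002    # ACCOUNTDISABLE
    'Password not required'                     = 0x0020    # PASSWD_NOTREQD
    'Password never expires'                    = 0x10000   # DONT_EXPIRE_PASSWORD
    'Do not require Kerberos preauthentication' = 0x400000  # DONT_REQ_PREAUTH
}
$NeverExpires = 9223372036854775807   # accountExpires "never" (0 means the same)

function Test-UserHealth {   # hypothetical name, not a function of the script
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        $findings = @()
        foreach ($name in $UacFlags.Keys) {
            if ([int64]$User.userAccountControl -band $UacFlags[$name]) { $findings += $name }
        }
        # pwdLastSet is a FILETIME; 0 means the password must be changed at next logon
        $pwdLastSet = [int64]$User.pwdLastSet
        if ($pwdLastSet -eq 0) {
            $findings += 'Change password at next logon'
        } elseif ([datetime]::FromFileTimeUtc($pwdLastSet) -lt $Now.AddMonths(-12)) {
            $findings += 'Password not changed in last 12 months'
        }
        $expires = [int64]$User.accountExpires
        if ($expires -eq 0 -or $expires -eq $NeverExpires) {
            $findings += 'Account without expiration date'
        }
        [pscustomobject]@{ SamAccountName = $User.SamAccountName; Findings = $findings }
    }
}

# Constructed sample records (not real accounts). Against a live domain, pipe in:
#   Get-ADUser -Filter * -Properties userAccountControl, pwdLastSet, accountExpires
$old = (Get-Date).ToUniversalTime().AddMonths(-18).ToFileTimeUtc()
$new = (Get-Date).ToUniversalTime().AddDays(-10).ToFileTimeUtc()
$sample = @(
    [pscustomobject]@{ SamAccountName='svc-legacy'; userAccountControl=0x410200; pwdLastSet=$old; accountExpires=$NeverExpires }
    [pscustomobject]@{ SamAccountName='jdoe';       userAccountControl=0x200;    pwdLastSet=$new; accountExpires=(Get-Date).AddDays(90).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName='temp01';     userAccountControl=0x222;    pwdLastSet=0;    accountExpires=0 }
)
$sample | Test-UserHealth | Format-Table -AutoSize -Wrap
```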

    Michael B. Smith put a LOT of time and effort into optimizing the code and writing new AD functions to make sure the data returned met our OCD standards.

    Chris M. put a lot of time into trying to get the CSV output working but it turned out to be harder than he or I thought it would be. Michael B. Smith had to write a new CSV output function.

    David M. is a brutal but very patient tester who tested every combination of script parameters. I have received almost 250MB worth of sample reports and log files from David.

    If there are other AD Health Checks you would like to see included or you see errors in the data, please email me at webster@carlwebster.com.

    You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

    Thanks

    Webster

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    36 Responses to “Microsoft Active Directory Health Check PowerShell Script Version 2.0”

    1. sathish kumar Says:

      Hi Sir,

      Since I’m running this script on a server which has no MS suite installed … is it possible to get the output in some other way? In PDF format?

      And what changes should I make in the script to get a .pdf format?


    2. Kev Says:

      Hi Carl. Thank you for the great work keeping this script updated!

      I’m a n00b at scripting, and I was trying to modify this to output using our company fonts and colors. Especially the alternating shade colors on the tables it creates.

      I tried modifying the $BackgroundColor variable with RGB values instead of $null, but I don’t think I did it right. I tried changing the $FontName variable to ‘Verdana’ and did get that changed, but the Automatic Table 2 selected seems to like its font and shading colors, and the CoverPage kept its default fonts. As a last ditch effort, I created a new Cover Page and saved it as XYZ in Word 2016 (based on Whisp, which DOES work) but when I name it as the -CoverPage XYZ parameter, it says it’s not a valid cover page option.

      Any advice would be very much appreciated, and even more so if you built those parameters into the next version of the script! Thanks in advance!


      • Carl Webster Says:

        I have never figured out how to get the script to work with custom templates. I spent a week a couple of years ago working on it and never got it working.

        Webster


        • Kev Says:

          Well if YOU couldn’t get that working, then I don’t feel bad! 🙂 Thx for replying.

          Any advice on how to manually change those shade colors? It seems to be handled between lines 1500 and 1700, but I’m not even sure if you can change settings like that on Automatic Table 2 or any such thing.

          It’s obviously not the end of the world; I’ll copy and paste into our template but I’d like to learn if you were inclined. Thanks again!


          • Carl Webster Says:

            IIRC, there are 255 Table formats to select from. I used to have a Word doc with all of them listed but I can’t find it. When I do find it, I will email it to you.

            Webster


          • Carl Webster Says:

            I sent you the info and how to make the necessary changes in the scripts but you supplied me with a fake email address so looks like you can’t get the information you requested.

            Webster


            • Kev Says:

              Hi not sure what happened. It was supposed to forward to my email. Normally I use an alias that forwards like this when posting to avoid trolls. I’ve keyed in my direct email now so please try again. Thank you for your help!

            • Carl Webster Says:

              Second email attempt on its way.

              Webster

    3. Edward McAuley Says:

      Dear Carl,

      Great job. Thank you for making all of your work, and the work of those others who have contributed, available for open access. I am finding these scripts very useful professionally. Thank you again.

      – E


    4. Chad Says:

      Where is the script to download please?


    5. Matias Says:

      Excellent work. I need to run it without Office, in HTML or TXT. Can you tell me which is the correct syntax so that it does not use Office?
      Thank you very much in advance.


    6. Podo Says:

      Hi Carl,
      please what am I missing ?

      PS C:\tmp\ad> .\ADDS_Inventory_V2_Signed.ps1

      Do you want to run software from this untrusted publisher?
      File C:\tmp\ad\ADDS_Inventory_V2_Signed.ps1 is published by CN=”Carl Webster Consulting, LLC”, O=”Carl Webster
      Consulting, LLC”, L=Tullahoma, S=TN, C=US and is not trusted on your system. Only run scripts from trusted publishers.
      [V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is “D”): R
      Cannot process the “#requires” statement at line 2 because it is not in the correct format.
      The “#requires” statement must be in one of the following formats:
      “#requires -shellid ”
      “#requires -version ”
      “#requires -pssnapin [-version ]”
      At line:1 char:31
      + .\ADDS_Inventory_V2_Signed.ps1 <<<<
      + CategoryInfo : ObjectNotFound: (:String) [], CommandNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException


      • Carl Webster Says:

        You must be running PowerShell V2? You need to be running PowerShell V3.

        The first line of the script is “#Requires -Version 3.0”.

        The ReadMe file states: “NOTE: This script requires PowerShell V3 or later.”

        Thanks

        Webster


    7. Kevin Eyer Says:

      Is this script not compatible with Word 2016? The script aborts and claims that the version of Word is untested or unsupported. Any suggestions??

      Script Output:

      VERBOSE: 08/16/2016 14:36:02: Testing output parameters
      VERBOSE: 08/16/2016 14:36:02: MSWord is set
      VERBOSE: 08/16/2016 14:36:02: CoName is jeffwouters.nl
      VERBOSE: 08/16/2016 14:36:02: Setting up Word
      VERBOSE: 08/16/2016 14:36:02: Create Word comObject. If you are not running Word 2007, ignore the next message.
      VERBOSE: The object written to the pipeline is an instance of the type “Microsoft.Office.Interop.Word.ApplicationClass” from the component’s primary interoperability assembly. If this type exposes different members
      than the IDispatch members, scripts that are written to work with this object might not work if the primary interoperability assembly is not installed.
      VERBOSE: 08/16/2016 14:36:05: Determine Word language value
      VERBOSE: 08/16/2016 14:36:05: Word language value is 1033
      SetupWord :
      You are running an untested or unsupported version of Microsoft Word.
      Script will end.
      Please send info on your version of Word to webster@carlwebster.com
      At C:\Users\keyer\OneDrive – Lps Integration, Inc\Carl Webster Scripts\AD-Health-Check-v1.0-ALL\AD Health Check v1.0 (signed).ps1:2096 char:3
      + SetupWord
      + ~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
      + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,SetupWord

      VERBOSE: 08/16/2016 14:36:05: System Cleanup
      VERBOSE: Performing the operation “Remove variable” on target “Name: Word”.
      VERBOSE: 08/16/2016 14:36:05: Script has been aborted


    8. Rob Says:

      Hi,

      Great script but can I use it only against a child domain?

      Thanks


      • Carl Webster Says:

        I don’t believe so. The original author, Jeff Wouters, uses ( [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() ).Domains to retrieve a list of all domains in a forest. Since you have the code, you could alter the script to process only a specified domain.

        Webster


      • Carl Webster Says:

        I will do my best to add that capability in version 2.1.

        Webster


    9. Tim Says:

      When trying to use ADHCv2, I keep getting a “Microsoft.PowerShell.Commands.WriteErrorException,ProcessDocumentOutput”, regardless of output type, etc, that I choose. Thoughts?


      • Carl Webster Says:

        Run the script with the -dev and -si parameters and email me the two log files generated.

        webster@carlwebster.com

        Webster


      • Tim Says:

        Issue appears to be the way in which Word 2013 is saving. Rather than simply saving the doc, it’s popping a dialog box. I can choose my format to save there, and that works. However, if I run the script to save in PDF, the dialog pops up for the first save (the docx) then appears to error out on the second save (to pdf).


        • Carl Webster Says:

          I only see that in click-to-run versions of Word. I never see that with full installs of Word.

          Webster


    10. Gert Nielsen Says:

      I need to run the documentation script against a large XenApp 7.8 farm. Could you please tell me what will not work, if I remove the validation for XenApp ver. < 7.8? I will gladly test a beta of the script for XenApp 7.8?

      Gert Nielsen


      • Carl Webster Says:

        The AD Health Check script can be run from any domain joined computer that has Microsoft Word installed. This script doesn’t check for any specific Citrix product or version.

        If you are asking about the XenDesktop 7.x documentation script, just run the prior version before I added checking for 7.8 or later. Send me an email and I will add you to the 7.8+ script testers.

        Webster


    11. Irwin Strachan Says:

      Hi Carl,

      I think you should look into PScribo for documentation. It’s real easy and lets you concentrate on what’s important. I have something similar for documenting Active Directory. Here’s a link to the gist to help you get started:

      https://gist.github.com/irwins/498bc3c24262cc39f051139c070f0850

      The idea is to gather all necessary information first and then use PScribo for documentation purposes… I started the Active Directory because I already had it… You can use the same concept for GPOs Users & Groups!

      HTH.

      Rg./Irwin


    12. Wojciech Sciesinski Says:

      Hi,
      I analyzed the last version of the script ADDS_Inventory_V1_2.ps1 using PSScriptAnalyzer module v. 1.5.0

      PS ADDSV1.2> Invoke-ScriptAnalyzer -Path .\ADDS_Inventory_V1_2.ps1 | group -Property RuleName | select Name,Count

      Name                                  Count
      ----                                  -----
      PSAvoidUsingWMICmdlet                     9
      PSUseBOMForUnicodeEncodedFile             1
      PSUseDeclaredVarsMoreThanAssigments       1
      PSAvoidGlobalVars                         5
      PSAvoidUsingCmdletAliases                79
      PSAvoidUsingWriteHost                     2
      PSPossibleIncorrectComparisonWithNull    26

      Is there any repository where I can contribute updates?


    13. Gael Says:

      I’d even add, if you publish the code on github the whole community could contribute to make it better, while keeping you in control of what contribution is merged to your project.


    14. Jeffrey Snover Says:

      1) Cool stuff!
      2) This is the sort of function that we are encouraging the community to use Pester and the OperationValidation Framework (https://www.powershellgallery.com/packages/OperationValidation/1.0.1 ) for – have you considered that?
      3) I bet you’d get a ton more downloads if you posted your scripts to the PowerShell Gallery

      Jeffrey Snover [MSFT]


      • Carl Webster Says:

        Mr. Snover it is an honor to have you visit my site. You have made my week.

        1. Thanks.
        2. I have no idea what Pester is and I will look at the OperationValidation stuff. I am neither a programmer nor a developer. I am just a bulldog who sees a need and works until it is taken care of.
        3. Had never thought of that. Didn’t think my scripts were quality enough for any gallery. Are you sure scripts as large as mine would be welcome there?

        Again, thanks for honoring me with a visit.

        Webster

