pshtml-ad-report's People

Contributors

average-bear, bwya77


pshtml-ad-report's Issues

Feature Request: Progress Bars

function cross_check_domain($member_list)
{
    # Snapshot the user count to make things a bit quicker with larger loop lengths
    $count = $member_list.member.count
    $current = 0

    # Enumerate users in the group
    foreach ( $m in $member_list.member )
    {
        # Display some information that we are progressing:
        [int]$percent = $current/$count * 100
        Write-Progress -Activity "Processing $($count) objects for users from $($localdomain) against $($remotedomain) - object: $($m)" -PercentComplete $percent
        $current = $current+1

        # Loop code
    }
}

ccsrpsw

Get-HTMLContentDataTable Cannot bind .. empty collection during compiling report

Hi,
The report looks great. I ran into issues during the compiling report phase. Can you look into this issue?:

Working on Dashboard Report...
Done!
Working on Groups Report...
Done!
Working on Organizational Units Report...
Done!
Working on Users Report...
Done!
Working on Group Policy Report...
Done!
Working on Computers Report...
Done!
Compiling Report...
Get-HTMLContentDataTable : Cannot bind argument to parameter 'ArrayOfObjects' because it is an empty collection.
At C:\Users\adminaspect\Documents\AD-reportMdG.ps1:1401 char:45
+ ... alReport.Add($(Get-HTMLContentDataTable $NewCreatedUsersTable -HideFo ...
+                                         ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Get-HTMLContentDataTable], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyCollectionNotAllowed,Get-HTMLContentDataTable

Get-HTMLContentDataTable : Cannot bind argument to parameter 'ArrayOfObjects' because it is an empty collection.
At C:\Users\adminaspect\Documents\AD-reportMdG.ps1:1498 char:45
+ ... alReport.Add($(Get-HTMLContentDataTable $NewCreatedUsersTable -HideFo ...
+                                         ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Get-HTMLContentDataTable], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyCollectionNotAllowed,Get-HTMLContentDataTable

Save-HTMLReport : Cannot bind argument to parameter 'ReportContent' because it is null.
At C:\Users\adminaspect\Documents\AD-reportMdG.ps1:1545 char:32
+ Save-HTMLReport -ReportContent $FinalReport -ShowReport -ReportName $ ...
+                            ~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Save-HTMLReport], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Save-HTMLReport

PSHTML-AD.ps1:1180 char:10

Cannot convert value "System.Management.Automation.PSCustomObject" to type "System.Management.Automation.SwitchParameter". Boolean parameters accept only Boolean values and numbers, such as $True,
$False, 1 or 0.
At C:\Users\xxxx\Downloads\PSHTML-AD-Report\PSHTML-AD-Report-master\PSHTML-AD.ps1:1180 char:10

Local Logos don't show in report

First of all, thank you very much for this great report. It is very useful to me.

I want to use local resources for the logos, but when I put the path in the variable, the logo doesn't show.

I tried with
$CompanyLogo = "C:\Users\Matt\Pictures\leftlogo.jpg"
and with
$CompanyLogo = "\localhost\c$\Users\Matt\Pictures\leftlogo.jpg"

Any idea how to solve this ?

list.add

Getting the following error. New download, first run, no changes made. It did install the needed module.

At C:\Users\myname\Desktop\PSHTML-AD.ps1:876 char:3
+         $userphaventloggedonrecentlytable.Add($obj)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Add:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Performance Improvements

New to this project and came across with a google search when tasked internally with creating some reports for security people. Awesome work and so helpful for people like me who have a short time frame but large remit! :)

Some performance observations from a quick glance:

$OwnerDN = Get-ADGroup -Filter { name -eq $Group.Name } -Properties managedBy | Select-Object -ExpandProperty ManagedBy
Try{
$Manager = Get-ADUser -Filter { distinguishedname -like $OwnerDN } -t | Select-Object -ExpandProperty Name
}Catch{
	write-host -ForegroundColor Yellow "Cannot resolve the manager, " $Manager " on the group " $group.name
}

So:

  1. Why not use Get-AdGroup with the DN to avoid an AD Search? Much quicker.
  2. If we add each successful lookup of the manager to a hashtable we can look it up there and avoid the call to Get-ADGroup. Much quicker!:)

I have never used GitHub or powershell so I will learn how to get involved and make a code submission over next day or two.

Cannot convert argument "value", with value: "", for "AddDays" to type "System.Double":

Cannot convert argument "value", with value: "10675199.02:48:05.4775807", for "AddDays" to type "System.Double":
"Cannot convert the "10675199.02:48:05.4775807" value of type "System.TimeSpan" to type "System.Double"."
At C:\PSScripts\PSHTML-AD.ps1:946 char:4
+             $expireson = $passwordsetdate.AddDays($maxPasswordAge)
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument

Include Last Logon Date in Computers tab

When looking for old computers and active directory has been restored at some point, all old computers that haven't logged in since the restore happened show the same Modified Date (ie, the day the restore happened)

When I run get-adcomputers looking for LastLogonDate per computer, it is different from what's listed for Modified date.

It would be great to include the computer last logon date or replace Modified date with this since it is a better indicator of when the computer was last used.

Thanks

Illegal character during run

On line 83 had to manually change the "-" character as it was coming up as illegal. Not sure if this was an issue with VScode, GitHub corrupting the code, or some other odd issue.

	"Pre–Windows 2000 Compatible Access"

Feature Request: Run without Elevated Privilege

This report is mostly functional without elevated privileges with a few exceptions. The SecurityLogs section requires elevated privileges. This is started on line 443.

At the very least, it would be useful if this script could detect whether it has the necessary privileges before running given commands. It helps to eliminate errors on the screen.


Feature Request: Detailed OS Pie Graph

Any chance we can get Windows 2019 versions and identify Windows 10 Pro/Enterprise and LTSC in the pie charts? It would also be helpful on the pie charts to put the number of devices rather than hover over them.

Other than that, looks great. Wishlist: export to Word format for a document to deliver to management.

  • dsobrero

Working on Users Report - Method invocation failed because....

Running the script and encountering this error

Working on Users Report...
Method invocation failed because [System.Management.Automation.PSCustomObject] does not contain a method named 'Add'.
At C:\temp\adreport.ps1:630 char:1

+ $userphaventloggedonrecentlytable.Add($obj)
    + CategoryInfo          : InvalidOperation: (Add:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound
    

Saving HTML issue

I seem to be having this issue below:

Save-HTMLReport : Cannot bind argument to parameter 'ReportContent' because it is null.
At line:1 char:32

+ Save-HTMLReport -ReportContent $FinalReport -ShowReport -ReportName $ ...
+                            ~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Save-HTMLReport], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Save-HTMLReport

Run report against different AD domain

Thank you very much for this great report. I really appreciate it.

I tried to run the script from my PC against a different AD domain using PSDrive and I almost succeeded (for Users, OUs, Groups and Computers) but I got Group Policy from my local domain...
Do you think it would be possible to fully run the report against a different AD domain?

Cheers
frank

Feature Request: ISO 8601 Date Format

Using the ISO 8601 date format allows the file listing to sort more naturally.

Currently, the script outputs file with the DD-MM-YYYY format, which is horrible. ISO 8601 uses a YYYY-MM-DD (big->little).

UserPrincipalName field is not wrapping content

On the Dashboard and Users Pages, under Accounts, the "Users Haven't Logged on in X Days" table is not wrapping the UserPrincipalName field. This is making the table underlap with the "Accounts Created in X Days or Less" table.

Feature Request: Multiple Domains same Forest

Hello,
great script and great work.
It would be nice (and useful) to have the possibility to work on ALL child domains inside a Forest or, at least, to specify the "working domain" as parameter.
Regards.

Red.

PSHTML

Hi, quick question:

According to the name of this module, I had the impression you were using PSHTML for the HTML rendering part. Seems I was wrong. I wanted to ask: Have you considered using PSHTML for the HTML & Chart generation?

Save-HTMLReport error

Save-HTMLReport : Cannot bind argument to parameter 'ReportContent' because it is null.
At line:1 char:32
+ Save-HTMLReport -ReportContent $FinalReport -ShowReport -ReportName $ ...
+                            ~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Save-HTMLReport], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Save-HTMLReport

Get-HTMLContentDataTable : Cannot bind argument to parameter 'ArrayOfObjects' because it is an empty collection.
At line:1 char:45
+ ... eport.Add($(Get-HTMLContentDataTable $PasswordExpireSoonTable -HideFo ...
+                                      ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Get-HTMLContentDataTable], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyCollectionNotAllowed,Get-HTMLContentDataTable

Code Re-use: $AttVar and $AllUsers should have same Objs. No need to do another lookup

For example, there is another bit, in the section where you loop through all the user accounts and do a "get-aduser [name] -properties *" on a per account basis. But... you already have the information in the $Allusers variables, and in fact on the 'foreach' $User variable you have, so you could pull that information out too without looking anything up. Look around line 685ish:

Foreach ($User in $AllUsers)
{

$AttVar = get-aduser -filter {name -eq $User.Name} -Properties * | Select-Object Enabled,PasswordExpired, PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, Name, SamAccountName, EmailAddress, AccountExpirationDate, @{ Name = 'lastlogon'; Expression = { LastLogonConvert $_.lastlogon } }, DistinguishedName

If you think about it, $User already has the result of this so you should be able to do something like this:
$AttVar = $User | Select-Object Enabled,PasswordExpired, PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, Name, SamAccountName, EmailAddress, AccountExpirationDate, @{ Name = 'lastlogon'; Expression = { LastLogonConvert $_.lastlogon } }, DistinguishedName

Several errors

At C:\Users\administrator.DEGROOT\Downloads\PSHTML-AD.ps1:245 char:22

The '<' operator is reserved for future use.
At C:\Users\administrator.DEGROOT\Downloads\PSHTML-AD.ps1:263 char:79

+ ...

Missing file specification after redirection operator.
At C:\Users\administrator.DEGROOT\Downloads\PSHTML-AD.ps1:379 char:10

The '<' operator is reserved for future use.
At C:\Users\administrator.DEGROOT\Downloads\PSHTML-AD.ps1:384 char:210

+ ... ck="(Logged out) Header, clicked Sign in, text:sign-in">Sign in< ...

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.

Reuse of Get-ADUSER cmdlet

On line 575, there is another call to the Domain Controller with Get-ADUser when all of the users are already stored in the $AllUsers variable.

I think that it would be more efficient to swap:
$Manager = Get-ADUser -Filter { distinguishedname -like $OwnerDN } | Select-Object -ExpandProperty Name
to
$allusers.where{$_.DistinguishedName -like $OwnerDN} | Select-Object -ExpandProperty Name

Report File Name Should Match Locale, or be ISO standard

If the file name of the report generated has the date in it, it should be created in the same date style as the user's locale, or set to an ISO standard.

Currently we get mismatches like this.

Not a huge deal, but a little annoyance.

2018-12-05_12-17-48

Feature Request: Identify Non-Windows OSes

The report currently does a decent job of reporting on the joined Windows systems and displaying the breakdown by OS version. It does completely lack identification of non-Windows in the "Computer Overview" section. It does identify those in the "Computers" section. This data is also lacking in the "Computers Operating System Breakdown" section. For the latter, I'd suggest two charts, the one you already have, and another for a breakdown of Windows vs Non-Windows categories.

In our organization we have 902 joined systems. 412 CentOS, 408 Windows, 14 Darwin, 14 Hyper-V Server, 1 Solaris, and 53 blank/unknown entries.


Feature Request: Security Section

I was looking at something like this recently called PingCastle, which does a few similar things. I would run PingCastle in your lab and see what you could nab from its report for this.

A security section would be awesome, so something like:

Check for accounts that don't have password expiry set

Get-ADUser -Filter 'useraccountcontrol -band 65536' -Properties useraccountcontrol

Check for accounts that have no password requirement

Get-ADUser -Filter 'useraccountcontrol -band 32' -Properties useraccountcontrol

Accounts that have the password stored in a reversibly encrypted format

Get-ADUser -Filter 'useraccountcontrol -band 128' -Properties useraccountcontrol

List users that are trusted for Kerberos delegation (Accounts can make Kerberos tickets for everyone)

Get-ADUser -Filter 'useraccountcontrol -band 524288' -Properties useraccountcontrol

List accounts that don't require pre-authentication (Attackers can request a TGT without a password/timestamp)

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol

List accounts that have credentials encrypted with DES (Insecure)

Get-ADUser -Filter 'useraccountcontrol -band 2097152' -Properties useraccountcontrol

Check ANONYMOUS LOGON is not a member of Pre-Windows 2000 Compatible Access
https://blogs.technet.microsoft.com/poshchap/2015/06/12/security-focus-check-active-directory-for-anonymous-access/

$Pre_Windows_2000_Compatible_Access = "S-1-5-32-554"
$Anonymous_Logon = "S-1-5-7"
Get-ADGroupMember -Identity $Pre_Windows_2000_Compatible_Access | Where-Object {$_.SID -eq $Anonymous_Logon}

List all privileged users for review

Get-ADUser -Filter {AdminCount -eq 1}

Check for stale accounts


bopsbt
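
The userAccountControl bit tests listed in the request above, decoded offline into one findings table. This is an added example, not code from the issue or from PSHTML-AD; the helper name Get-RiskyUacFlag and the sample accounts are constructed for illustration.

```powershell
# Bit values are the ones used in the Get-ADUser filters above; the names are
# the standard userAccountControl flag names.
$RiskyUacFlags = [ordered]@{
    PASSWD_NOTREQD             = 32        # no password required
    ENCRYPTED_TEXT_PWD_ALLOWED = 128       # password stored reversibly encrypted
    DONT_EXPIRE_PASSWORD       = 65536     # password never expires
    TRUSTED_FOR_DELEGATION     = 524288    # trusted for Kerberos delegation
    USE_DES_KEY_ONLY           = 2097152   # DES-only Kerberos keys
    DONT_REQ_PREAUTH           = 4194304   # Kerberos pre-authentication not required
}
$AccountDisabled = 2                       # ACCOUNTDISABLE bit

function Get-RiskyUacFlag {
    # Hypothetical helper (not part of PSHTML-AD): names of the risky flags set in a value.
    param([Parameter(Mandatory)][int]$UserAccountControl)
    foreach ($flag in $RiskyUacFlags.GetEnumerator()) {
        if ($UserAccountControl -band $flag.Value) { $flag.Key }
    }
}

# Constructed sample accounts, standing in for the output of
#   Get-ADUser -Filter * -Properties userAccountControl
$SampleUsers = @(
    [PSCustomObject]@{ SamAccountName = 'alice';        userAccountControl = 512 }      # normal account
    [PSCustomObject]@{ SamAccountName = 'svc-backup';   userAccountControl = 66048 }    # 512 + 65536
    [PSCustomObject]@{ SamAccountName = 'legacy-app';   userAccountControl = 4260352 }  # 512 + 65536 + 4194304
    [PSCustomObject]@{ SamAccountName = 'kiosk';        userAccountControl = 544 }      # 512 + 32
    [PSCustomObject]@{ SamAccountName = 'old-disabled'; userAccountControl = 66050 }    # 512 + 2 + 65536
)

# One row per account that has at least one risky flag. Disabled accounts are
# kept but marked, so reviewers can triage enabled accounts first.
$Findings = foreach ($u in $SampleUsers) {
    $flags = @(Get-RiskyUacFlag -UserAccountControl $u.userAccountControl)
    if ($flags.Count -eq 0) { continue }
    [PSCustomObject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = -not ($u.userAccountControl -band $AccountDisabled)
        Flags          = $flags -join ', '
    }
}
$Findings | Sort-Object Enabled -Descending | Format-Table -AutoSize

# Per-flag totals, the kind of count a dashboard panel would show
$SampleUsers |
    ForEach-Object { Get-RiskyUacFlag -UserAccountControl $_.userAccountControl } |
    Group-Object -NoElement | Sort-Object Count -Descending | Format-Table -AutoSize
```

Against a live domain, replace $SampleUsers with the Get-ADUser call named in the comment; a single query then covers all six checks instead of one filtered query per flag.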

Method invocation failed because [System.Management.Automation.PSCustomObject] does not contain a method named 'add'.

During execution, I get the following error for every user in the domain. This happens regardless of privilege level.

Method invocation failed because [System.Management.Automation.PSCustomObject] does not contain a method named 'add'.
At C:\Users\ecrist\Desktop\PSHTML-AD.ps1:720 char:3
+         $userphaventloggedonrecentlytable.add($obj)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (add:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

The block of code responsible is the following:

        #Get users that haven't logged on in X amount of days, var is set at start of script
        If (($User.Enabled -eq $True) -and ($User.LastLogonDate -lt (Get-Date).AddDays(-$Days)) -and ($User.LastLogonDate -ne $NULL))
        {
                $obj = [PSCustomObject]@{
                        'Name'                                          = $User.Name
                        'UserPrincipalName'                     = $User.UserPrincipalName
                        'Enabled'                                               = $AttVar.Enabled
                        'Protected from Deletion'               = $User.ProtectedFromAccidentalDeletion
                        'Last Logon'                                    = $AttVar.lastlogon
                        'Password Never Expires'                = $AttVar.PasswordNeverExpires
                        'Days Until Password Expires'   = $daystoexpire
                }
                $userphaventloggedonrecentlytable.add($obj)
        }

Need help : many errors :-)

Hello and sorry for my English,

I use a Win 2019 controller in French.

When I launch the script I have these errors:


Lots of errors like this with different groups:

Cannot resolve the manager, on the group Accès DCOM service de certificats


Errors for users:
`Working on Users Report ...
Unable to convert the "value" argument (value "180.00: 00: 00") from "AddDays" to type "System.Double": "Unable to convert the value" 180.00: 00: 00 "of type" System.TimeSpan "In type" System.Double ". "
To the character Line: 946: 4

+ $ expireson = $ passwordsetdate.AddDays ($ maxPasswordAge)
    + CategoryInfo: NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId: MethodArgumentConversionInvalidCastArgument

New-TimeSpan: Unable to link the "End" parameter to the target. Exception when setting "End": "Unable to convert null to type" System.DateTime ". "
To the character Line: 950: 53

+ ... $ daystoexpire = (New-TimeSpan -Start $ today -End $ Expireson) .Days
    + CategoryInfo: WriteError: (:) [New-TimeSpan], ParameterBindingException
    + FullyQualifiedErrorId: ParameterBindingFailed, Microsoft.PowerShell.Commands.NewTimeSpanCommand`

and for computers
`Working on Computers Report ...
Get-ADComputer: The server returned the following error: Invalid enumeration context.
To the character Line: 1211: 14

+ $ Computers = Get-ADComputer -Filter * -Properties *
    + CategoryInfo: NotSpecified: (:) [Get-ADComputer], ADException
    + FullyQualifiedErrorId: ActiveDirectoryServer: 0, Microsoft.ActiveDirectory.Management.Commands.GetADComputer`
