bwya77 / pshtml-ad-report
Create a high level interactive HTML report for your Active Directory environment using PowerShell
License: MIT License
The script is awesome, however I noticed that Last Log on Date not populating in the users Tab.
function cross_check_domain($member_list)
{
    # Snapshot the user count to make things a bit quicker with larger loop lengths
    $count = $member_list.member.count
    $current = 0
    # Enumerate users in the group
    foreach ( $m in $member_list.member )
    {
        # Display some information that we are progressing:
        [int]$percent = $current/$count * 100
        Write-Progress -Activity "Processing $($count) objects for users from $($localdomain) against $($remotedomain) - object: $($m)" -PercentComplete $percent
        $current = $current+1
        # Loop code
    }
}
ccsrpsw
Hi,
The report looks great. I ran into issues during the compiling report phase. Can you look into this issue?:
Working on Dashboard Report...
Done!
Working on Groups Report...
Done!
Working on Organizational Units Report...
Done!
Working on Users Report...
Done!
Working on Group Policy Report...
Done!
Working on Computers Report...
Done!
Compiling Report...
Get-HTMLContentDataTable : Cannot bind argument to parameter 'ArrayOfObjects' because it is an empty collection.
At C:\Users\adminaspect\Documents\AD-reportMdG.ps1:1401 char:45
~~~~~~~~~~~~~~~~~~~~~
Get-HTMLContentDataTable : Cannot bind argument to parameter 'ArrayOfObjects' because it is an empty collection.
At C:\Users\adminaspect\Documents\AD-reportMdG.ps1:1498 char:45
~~~~~~~~~~~~~~~~~~~~~
Save-HTMLReport : Cannot bind argument to parameter 'ReportContent' because it is null.
At C:\Users\adminaspect\Documents\AD-reportMdG.ps1:1545 char:32
~~~~~~~~~~~~
The groups should be identified by their default SIDs, as the names are region-specific.
You can find the groups at
https://support.microsoft.com/de-de/help/243330/well-known-security-identifiers-in-windows-operating-systems as suggested at https://www.reddit.com/r/sysadmin/comments/a31c5v/powershell_create_an_interactive_active_directory/eb4jq0u/
Cannot convert value "System.Management.Automation.PSCustomObject" to type "System.Management.Automation.SwitchParameter". Boolean parameters accept only Boolean values and numbers, such as $True,
$False, 1 or 0.
At C:\Users\xxxx\Downloads\PSHTML-AD-Report\PSHTML-AD-Report-master\PSHTML-AD.ps1:1180 char:10
First of all, thank you very much for this great report. It is very useful to me.
I want to use local resources for the logos, but when I put the path in the variable, the logo doesn't show.
I tried with
$CompanyLogo = "C:\Users\Matt\Pictures\leftlogo.jpg"
and with
Any idea how to solve this ?
Getting the following error. New download, first run, no changes made. It did install the needed module.
At C:\Users\myname\Desktop\PSHTML-AD.ps1:876 char:3
+ $userphaventloggedonrecentlytable.Add($obj)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Add:String) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
New to this project and came across with a google search when tasked internally with creating some reports for security people. Awesome work and so helpful for people like me who have a short time frame but large remit! :)
Some performance observations from a quick glance:
$OwnerDN = Get-ADGroup -Filter { name -eq $Group.Name } -Properties managedBy | Select-Object -ExpandProperty ManagedBy
Try{
    $Manager = Get-ADUser -Filter { distinguishedname -like $OwnerDN } | Select-Object -ExpandProperty Name
}Catch{
    write-host -ForegroundColor Yellow "Cannot resolve the manager, " $Manager " on the group " $group.name
}
So:
I have never used GitHub or powershell so I will learn how to get involved and make a code submission over next day or two.
Cannot convert argument "value", with value: "10675199.02:48:05.4775807", for "AddDays" to type "System.Double":
"Cannot convert the "10675199.02:48:05.4775807" value of type "System.TimeSpan" to type "System.Double"."
At C:\PSScripts\PSHTML-AD.ps1:946 char:4
+ $expireson = $passwordsetdate.AddDays($maxPasswordAge)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodException
+ FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
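The value in the error above, 10675199.02:48:05.4775807, is `[timespan]::MaxValue`, and `AddDays` expects a number of days rather than a TimeSpan. The following is an added example, not the project's own code, of computing the expiry date from a TimeSpan while handling that sentinel; the function name `Get-PasswordExpiry` is hypothetical, the dates are constructed, and treating a zero maximum age as "never expires" is an assumption.

```powershell
function Get-PasswordExpiry {   # hypothetical helper name
    param(
        [Nullable[datetime]]$PasswordLastSet,
        [timespan]$MaxPasswordAge,
        [datetime]$Today = (Get-Date)
    )
    $result = [ordered]@{ ExpiresOn = $null; DaysToExpire = $null; Note = '' }

    # MaxValue (seen in the error above) or zero (assumption) means no expiry;
    # adding MaxValue to a date would overflow, so stop before any arithmetic.
    if ($MaxPasswordAge -eq [timespan]::MaxValue -or $MaxPasswordAge -le [timespan]::Zero) {
        $result.Note = 'Policy does not expire passwords'
    }
    elseif ($null -eq $PasswordLastSet) {
        # Avoids passing a null end date to New-TimeSpan.
        $result.Note = 'No password set date'
    }
    else {
        # DateTime.Add takes the TimeSpan directly, no conversion to days needed.
        $result.ExpiresOn    = $PasswordLastSet.Add($MaxPasswordAge)
        $result.DaysToExpire = (New-TimeSpan -Start $Today -End $result.ExpiresOn).Days
    }
    [PSCustomObject]$result
}

# Constructed sample values so the function runs without a domain.
$today = [datetime]'2024-01-10'
$set   = [datetime]'2023-09-01'
Get-PasswordExpiry -PasswordLastSet $set  -MaxPasswordAge (New-TimeSpan -Days 180) -Today $today
Get-PasswordExpiry -PasswordLastSet $set  -MaxPasswordAge ([timespan]::MaxValue)   -Today $today
Get-PasswordExpiry -PasswordLastSet $null -MaxPasswordAge (New-TimeSpan -Days 180) -Today $today
```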
When looking for old computers and active directory has been restored at some point, all old computers that haven't logged in since the restore happened show the same Modified Date (ie, the day the restore happened)
When I run get-adcomputers looking for LastLogonDate per computer, it is different from what's listed for Modified date.
It would be great to include the computer last logon date or replace Modified date with this since it is a better indicator of when the computer was last used.
Thanks
On line 83 had to manually change the "-" character as it was coming up as illegal. Not sure if this was an issue with VScode, GitHub corrupting the code, or some other odd issue.
"Pre–Windows 2000 Compatible Access"
This report is mostly functional without elevated privileges with a few exceptions. The SecurityLogs section requires elevated privileges. This is started on line 443.
At the very least, it would be useful if this script could detect whether it has the necessary privileges before running given commands. It helps to eliminate errors on the screen.
Any chance we can get Windows 2019 versions and identify Windows 10 Pro/Enterprise and LTSC in the pie charts? It would also be helpful on the pie charts to put the number of devices rather than hover over them.
Other than that looks great. Wishlist: export to Word format for a document to deliver management.
Running the script and encountering this error
Working on Users Report...
Method invocation failed because [System.Management.Automation.PSCustomObject] does not contain a method named 'Add'.
At C:\temp\adreport.ps1:630 char:1
+ CategoryInfo : InvalidOperation: (Add:String) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
I seem to be having this issue below:
Save-HTMLReport : Cannot bind argument to parameter 'ReportContent' because it is null.
At line:1 char:32
~~~~~~~~~~~~
Thank you very much for this great report. I really appreciate it.
I tried to run the script from my PC against a different AD domain using PSDrive and I almost succeeded (for Users, OUs, Groups and Computers) but I got Group Policy from my local domain...
Do you think it would be possible to fully run the report against a different AD domain?
Cheers
frank
Using the ISO 8601 date format allows the file listing to sort more naturally.
Currently, the script outputs file with the DD-MM-YYYY format, which is horrible. ISO 8601 uses a YYYY-MM-DD (big->little).
On the Dashboard and Users Pages, under Accounts, the "Users Haven't Logged on in X Days" table is not wrapping the UserPrincipalName field. This is making the table underlap with the "Accounts Created in X Days or Less" table.
Hello,
great script and great work.
It would be nice (and useful) to have the possibility to work on ALL child domains inside a Forest or, at least, to specify the "working domain" as parameter.
Regards.
Red.
I was wondering if it would be possible to include the settings for the GPO's in the group policy tab using "Get-GPOReport -All".
Hi, quick question:
According to the name of this module, I had the impression you were using PSHTML for the HTML rendering part. Seems I was wrong. I wanted to ask: Have you considered using PSHTML for the HTML & Chart generation?
Save-HTMLReport : Cannot bind argument to parameter 'ReportContent' because it is null.
At line:1 char:32
~~~~~~~~~~~~
Get-HTMLContentDataTable : Cannot bind argument to parameter 'ArrayOfObjects' because it is an empty collection.
At line:1 char:45
~~~~~~~~~~~~~~~~~~~~~~~~
For example, there is another bit, in the section where you loop through all the user accounts and do an "get-aduser [name] -properties *" on a per account basis. But... you already have the information in the $Allusers variables, and in fact on the 'foreach' $User variable you have, so you could pull that information out too without looking anything up. Look around line 685ish:
Foreach ($User in $AllUsers)
{
    $AttVar = get-aduser -filter {name -eq $User.Name} -Properties * | Select-Object Enabled,PasswordExpired, PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, Name, SamAccountName, EmailAddress, AccountExpirationDate, @{ Name = 'lastlogon'; Expression = { LastLogonConvert $_.lastlogon } }, DistinguishedName
    # ... (rest of the loop body)
}
If you think about it, $User already has the result of this so you should be able to do something like this:
$AttVar = $User | Select-Object Enabled,PasswordExpired, PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, Name, SamAccountName, EmailAddress, AccountExpirationDate, @{ Name = 'lastlogon'; Expression = { LastLogonConvert $_.lastlogon } }, DistinguishedName
At C:\Users\administrator.DEGROOT\Downloads\PSHTML-AD.ps1:245 char:22
The '<' operator is reserved for future use.
At C:\Users\administrator.DEGROOT\Downloads\PSHTML-AD.ps1:263 char:79
Missing file specification after redirection operator.
At C:\Users\administrator.DEGROOT\Downloads\PSHTML-AD.ps1:379 char:10
The '<' operator is reserved for future use.
At C:\Users\administrator.DEGROOT\Downloads\PSHTML-AD.ps1:384 char:210
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
On line 575, there is another call to the Domain Controller with Get-ADUser when all of the users are already stored in the $AllUsers variable.
I think that it would be more efficient to swap:
$Manager = Get-ADUser -Filter { distinguishedname -like $OwnerDN } | Select-Object -ExpandProperty Name
to
$Manager = $allusers.where{$_.DistinguishedName -like $OwnerDN} | Select-Object -ExpandProperty Name
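The in-memory lookup suggested above can go one step further by indexing `$AllUsers` by distinguished name once, so each group's manager is a hashtable lookup instead of a scan or a Domain Controller query. This is an added example, not the project's own code; the function name `Resolve-GroupManager`, the `$UserByDn` index and the sample users and groups are constructed for illustration, and it assumes `ManagedBy` holds an exact DN.

```powershell
# Constructed sample data standing in for $AllUsers and the groups (no domain needed).
$AllUsers = @(
    [PSCustomObject]@{ Name = 'Alice Admin'; DistinguishedName = 'CN=Alice Admin,OU=Staff,DC=example,DC=test' }
    [PSCustomObject]@{ Name = 'Bob Builder'; DistinguishedName = 'CN=Bob Builder,OU=Staff,DC=example,DC=test' }
)
$Groups = @(
    [PSCustomObject]@{ Name = 'Helpdesk'; ManagedBy = 'CN=Alice Admin,OU=Staff,DC=example,DC=test' }
    [PSCustomObject]@{ Name = 'Printers'; ManagedBy = $null }
    [PSCustomObject]@{ Name = 'Legacy';   ManagedBy = 'CN=Gone User,OU=Staff,DC=example,DC=test' }
)

# Build the index once. Hashtable literals compare string keys case-insensitively.
$UserByDn = @{}
foreach ($u in $AllUsers) { $UserByDn[$u.DistinguishedName] = $u }

function Resolve-GroupManager {   # hypothetical helper name
    param([object]$Group, [hashtable]$Index)

    # Groups without managedBy are reported as such instead of raising an error.
    if ([string]::IsNullOrEmpty($Group.ManagedBy)) { return 'No manager set' }

    $owner = $Index[$Group.ManagedBy]
    if ($owner) { $owner.Name } else { 'Unresolved' }
}

# One row per group; no directory query happens inside the loop.
$Groups | ForEach-Object {
    [PSCustomObject]@{
        Group   = $_.Name
        Manager = Resolve-GroupManager -Group $_ -Index $UserByDn
    }
}
```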
The report currently does a decent job of reporting on the joined Windows systems and displaying the breakdown by OS version. It does completely lack identification of non-Windows in the "Computer Overview" section. It does identify those in the "Computers" section. This data is also lacking in the "Computers Operating System Breakdown" section. For the latter, I'd suggest two charts, the one you already have, and another for a breakdown of Windows vs Non-Windows categories.
In our organization we have 902 joined systems. 412 CentOS, 408 Windows, 14 Darwin, 14 Hyper-V Server, 1 Solaris, and 53 blank/unknown entries.
I was looking at something like this recently called pingcastle, which does a few similar things. I would run ping castle in your lab and see what you could nab from its report for this.
A security section would be awesome, so something like:
Check for accounts that don't have password expiry set
Get-ADUser -Filter 'useraccountcontrol -band 65536' -Properties useraccountcontrol
Check for accounts that have no password requirement
Get-ADUser -Filter 'useraccountcontrol -band 32' -Properties useraccountcontrol
Accounts that have the password stored in a reversibly encrypted format
Get-ADUser -Filter 'useraccountcontrol -band 128' -Properties useraccountcontrol
List users that are trusted for Kerberos delegation (Accounts can make Kerberos tickets for everyone)
Get-ADUser -Filter 'useraccountcontrol -band 524288' -Properties useraccountcontrol
List accounts that don't require pre-authentication (Attackers can request a TGT without a password/timestamp)
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol
List accounts that have credentials encrypted with DES (Insecure)
Get-ADUser -Filter 'useraccountcontrol -band 2097152' -Properties useraccountcontrol
Check ANONYMOUS LOGON is not a member of Pre-Windows 2000 Compatible Access
https://blogs.technet.microsoft.com/poshchap/2015/06/12/security-focus-check-active-directory-for-anonymous-access/
$PreWindows_2000_Compatible_Access = "S-1-5-32-554"
$Anonymous_Logon = "S-1-5-7"
Get-ADGroupMember -Identity
Check for stale accounts
bopsbt
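The userAccountControl checks listed in the post above can be answered from a single query by testing each bit client-side, which also gives one row per account with all of its findings. This is an added example, not part of the original post or the project's code; the function name `Get-RiskyUacFinding`, the flag labels and the sample accounts are constructed for illustration, while the bit values are the ones from the post.

```powershell
# Bit values are the ones used in the post above; the labels are this example's own.
$RiskyUacFlags = [ordered]@{
    'Password not required'           = 32
    'Reversible encryption allowed'   = 128
    'Password never expires'          = 65536
    'Trusted for delegation'          = 524288
    'DES-only Kerberos keys'          = 2097152
    'Pre-authentication not required' = 4194304
}

function Get-RiskyUacFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Account          # needs SamAccountName and userAccountControl
    )
    process {
        $uac  = [int]$Account.userAccountControl
        # Collect the label of every flagged bit that is set on this account.
        $hits = @(foreach ($flag in $RiskyUacFlags.GetEnumerator()) {
            if ($uac -band $flag.Value) { $flag.Key }
        })
        # Accounts with none of the flags produce no output row.
        if ($hits.Count -gt 0) {
            [PSCustomObject]@{
                SamAccountName     = $Account.SamAccountName
                UserAccountControl = $uac
                Findings           = $hits -join '; '
            }
        }
    }
}

# Constructed sample accounts (not real data) so the function runs without a domain.
$sample = @(
    [PSCustomObject]@{ SamAccountName = 'alice';      userAccountControl = 512 }      # normal account only
    [PSCustomObject]@{ SamAccountName = 'svc-backup'; userAccountControl = 66048 }    # 512 + 65536
    [PSCustomObject]@{ SamAccountName = 'legacyapp';  userAccountControl = 4260384 }  # 512 + 32 + 65536 + 4194304
)
$sample | Get-RiskyUacFinding | Format-Table -AutoSize

# Against a domain, one query replaces the six separate filters:
# Get-ADUser -Filter * -Properties userAccountControl | Get-RiskyUacFinding
```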
During execution, I get the following error for every user in the domain. This happens regardless of privilege level.
Method invocation failed because [System.Management.Automation.PSCustomObject] does not contain a method named 'add'.
At C:\Users\ecrist\Desktop\PSHTML-AD.ps1:720 char:3
+ $userphaventloggedonrecentlytable.add($obj)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (add:String) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
The block of code responsible is the following:
#Get users that haven't logged on in X amount of days, var is set at start of script
If (($User.Enabled -eq $True) -and ($User.LastLogonDate -lt (Get-Date).AddDays(-$Days)) -and ($User.LastLogonDate -ne $NULL))
{
$obj = [PSCustomObject]@{
'Name' = $User.Name
'UserPrincipalName' = $User.UserPrincipalName
'Enabled' = $AttVar.Enabled
'Protected from Deletion' = $User.ProtectedFromAccidentalDeletion
'Last Logon' = $AttVar.lastlogon
'Password Never Expires' = $AttVar.PasswordNeverExpires
'Days Until Password Expires' = $daystoexpire
}
$userphaventloggedonrecentlytable.add($obj)
}
Hello and sorry for my English,
I use win 2019 controller in French.
When I launch the script I have these errors:
Lot of errors like this with different groups:
Cannot resolve the manager, on the group Accès DCOM service de certificats
errors for users :
`Working on Users Report ...
Unable to convert the "value" argument (value "180.00: 00: 00") from "AddDays" to type "System.Double": "Unable to convert the value" 180.00: 00: 00 "of type" System.TimeSpan "In type" System.Double ". "
To the character Line: 946: 4
$ expireson = $ passwordsetdate.AddDays ($ maxPasswordAge)
New-TimeSpan: Unable to link the "End" parameter to the target. Exception when setting "End": "Unable to convert null to type" System.DateTime ". "
To the character Line: 950: 53
... $ daystoexpire = (New-TimeSpan -Start $ today -End $ Expireson) .Days
and for computers
`Working on Computers Report ...
Get-ADComputer: The server returned the following error: Invalid enumeration context.
To the character Line: 1211: 14
$ Computers = Get-ADComputer -Filter * -Properties *