Hi wanted to check if you can help me to get extension attribute 12 details in this script along with all the details

Howdy there!

Might be worth a cycle to add to -GenExcel to see if the installed version of excel is activated. An unactivated excel breaks the command.

My domain uses Last, First format for the accounts. When the script parses the ManagedByValue it returns only the Last Name. The DN is a follow:

CN=Ramos, Carlos,OU=Technology_HQ,OU=Users,DC=Domain,DC=local

Script result is Ramos\

I thought I could fix with the follow code replacement but not sure why it is not wording.
Your Code: ManagedBy = (ManagedByValue.Split(',')[0]).Split('=')[1];
Replacement: ManagedBy = (ManagedByValue.Split(',OU=')[0]).Replace(',',',').Replace('CN=','');

I see your code uses a Class. Never used them so wondering it the syntax of it is not acceptable in a class.

I would think it would be advantages for your script to be able to handle such a situation. I have worked with several large companies and they all used Last, First for accounts. Only ran into one merge where the other company use first last.

Any help is appreciated.

Thanks,

Carlos

PS Beautiful work on the script. Thanks for sharing it.

First, great software. It has been a lifesaver for me and my company. The 3 times I have run it, when I go to the User Stats, the code says =CountA(Users!A301:A301)-1. and I always end up with a total of 0 in Red, and the percentages are always throwing a divide by zero error. is that correct?

thanks

Hi,

I'd like to see an option for PDF in the -OutputType parameter. I think it could be really helpful for those that just want a quick read only file (point in time) to throw into their documentation and for audits.

I am getting this error on a system that has Excel installed as part of the Microsoft 365 Aps for enterprise suit.

I am receiving an issue where when I run the command:

.\ADRecon.ps1 -Protocol LDAP -DomainController -Credential -Collect Forest,Domain,PasswordPolicy,FineGrainedPasswordPolicy,DomainControllers,Users,UserSPNs,Groups,GroupMembers,OUs,GPOs,GPOReport,DNSZones,Printers,Computers,ComputerSPNs,LAPS,Bitlocker -OutputType Excel

A parameter cannot be found that matches parameter name 'Protocol'.
At line:1 char:15

• .\ADRecon.ps1 -Protocol LDAP -DomainController IP -Credential ...

•           ~~~~~~~~~
  

  • CategoryInfo : InvalidArgument: (:) [ADRecon.ps1], ParameterBindingException
  • FullyQualifiedErrorId : NamedParameterNotFound,ADRecon.ps1

The older version worked fine. This only started after I upgraded to the newer version of the powershell script.
Please advise. Thank you.

For Example:
I'm trying to generate a report by overriding the DormantTimeSpan parameter in the adrecon.ps1 script. I'm using the following command:
./adrecon.ps1 -DormantTimeSpan 180 -GenExcel "..path\to\report"

The script executes without any errors, but the generated report still contains the default results. I have tried various combinations, but I have been unsuccessful in getting the desired output.

Operating System: Windows 10 Ver 22H2
PowerShell Version: 5.1.19041.3

Choosing options to export to JSON gives XML output.

The JSON object is a string which does not have a .Save() method, it looks like this line was copied from the XML option where the XML object does have a .Save() method, so I just copied this from the HTML function and it works correctly.

Replace line 4159 in Function Export-ADRJSON, originally:

(ConvertTo-JSON -InputObject $ADRObj).Save($ADFileName)

with:

ConvertTo-JSON -InputObject $ADRObj | Out-File -FilePath $ADFileName

This looks like it was just an oversight while copying and pasting the XML function, but the Export-ADRJSON function was actually never called from anywhere in the script.

Replace line 4316 in Function Export-ADR, originally:

Export-ADRXML -ADRObj $ADRObj -ADFileName $ADFileName

with:

Export-ADRJSON -ADRObj $ADRObj -ADFileName $ADFileName

Would love to be able to run this and get a password quality report on each user as well.

Thanks!

Hi, is there a way to add the Users City to the export?

Hey,

it is asking me for credentials, why can it uses existing credentials.

Hi,
great job and thank you for sharing.
It would be nice to have HTML reports with home page and hyperlinks to all detailed reports (like Excel) and graphs, to be able to publish the results on internal webserver.
Regards.

Red.

It would be awesome if the output for users, computers, groups, and group members could be generated in bloodhound compatible format as well.

I randomly keep getting this error when running the program.

Command
C:\Users\<nope>\Desktop\AD-Recon-Logs\ADRecon.ps1 -DomainController <FQDN> -Credential domain\user -OutputDir C:\Users\<Nope>\Desktop\AD-Recon-Logs\Test\

Error
[*] ADRecon v180429 by Prashant Mahajan (@prashant3535) from Sense of Security. [*] Running on <Domain>\Computer - Member Workstation [EXCEPTION] A parameter cannot be found that matches parameter name 'Server'.

Whenever I try to run the script I get a message that it was detected as a virus by Microsoft defender and many other anti-viruses.
Is there a fix/explanation for this?

PS C: \ ADRecon-master>. \ ADRecon.ps1-LDAP protocol -DomainController server01.sidkron.local -Credential sidkron \ administ
ractor
C: \ ADRecon-master \ ADRecon.ps1: It is not possible to process the transformation of the argument into a parameter 'Credential'. It is not
It is possible to convert the value "sidkron \ administrator" of type "System.String" into type "System.Management.Automation.PSCred
ential ".
In line: 1 character: 82
+. \ ADRecon.ps1-LDAP protocol -DomainController server01.sidkron.local -Credential <<<< sidkron \ administrator
+ CategoryInfo: InvalidData: (:) [ADRecon.ps1], ParameterBindin ... mationException
+ FullyQualifiedErrorId: ParameterArgumentTransformationError, ADRecon.ps1

Is there any way to limit the numbers of requests/querys made to AD? e.g. no more than 500 object requests per minute?

thanks!

Hi,
non-ascii characters are not displayed correctly in excel report.

Getting this error from a different system with Excel 2016 installed. Excel is activated Version 16.0.4549.1000

Export-ADRExcel : [EXCEPTION] Unable to get the SaveAs property of the Workbook class
At C:\users<username>\Downloads\ADRecon.ps1:12646 char:13

•         Export-ADRExcel $ADROutputDir
  

•         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
  • FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Export-ADRExcel

While running ADRecon on windows 7 + powershell 2.0 I saw this error

Multiple ambiguous overloads found for "Split" and the argument count: "2".
At C:\123\ADRecon-master\ADRecon.ps1:4879 char:117
+                 $Obj | Add-Member -MemberType NoteProperty -Name Name -Value
([System.String]::Join(" ", $name.Split <<<< ([System.String[]]$null, [System.S
tringSplitOptions]::RemoveEmptyEntries)))
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

Multiple ambiguous overloads found for "Split" and the argument count: "2".
At C:\123\ADRecon-master\ADRecon.ps1:4879 char:117
+                 $Obj | Add-Member -MemberType NoteProperty -Name Name -Value
([System.String]::Join(" ", $name.Split <<<< ([System.String[]]$null, [System.S
tringSplitOptions]::RemoveEmptyEntries)))
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

Hi, first, thanks so much for making this code available!

Secondly, I’ve been struggling to add other attributes like user accounts’ “info”, the pivot tables don’t seem to like that... would it be possible to understand which lines would have to be modified to include other attributes for computer, group, and user objects without affecting any other part of the script?

Thanks again!

Hi,

Would you have any idea why the following errors occurs ?
I am not proficient in Powershell unfortunately.

"
At D:\powershell\activedirectory\ADRecon.ps1:121 char:86

• ... "Header header-logged-out position-relative f4 py-3" role="banner" >

•                                                                      ~
  

Missing file specification after redirection operator.
At D:\powershell\activedirectory\ADRecon.ps1:136 char:21

•                 ~
  

The '<' operator is reserved for future use.
At D:\powershell\activedirectory\ADRecon.ps1:140 char:21

•                 ~
  

The '<' operator is reserved for future use.
At D:\powershell\activedirectory\ADRecon.ps1:145 char:21

•                 ~
  

The '<' operator is reserved for future use.
At D:\powershell\activedirectory\ADRecon.ps1:150 char:21

•                 ~
  

The '<' operator is reserved for future use.
At D:\powershell\activedirectory\ADRecon.ps1:154 char:21

•                 ~
  

The '<' operator is reserved for future use.
At D:\powershell\activedirectory\ADRecon.ps1:388 char:185

• ... TF-8" method="post"><input name="utf8" type="hidden" value="✓" ...

•                                                             ~
  

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At D:\powershell\activedirectory\ADRecon.ps1:392 char:18

• Join GitHub today

•              ~
  

The '<' operator is reserved for future use.
At D:\powershell\activedirectory\ADRecon.ps1:501 char:53

•                                                 ~
  

Missing file specification after redirection operator.
At D:\powershell\activedirectory\ADRecon.ps1:518 char:17

•             ~
  

The '<' operator is reserved for future use.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : MissingFileSpecification
"
I have tried with many set of parameters without any change in errors

Thanks

Zoltan

In some environments where the Active Directory Recycle Bin is enabled, it is reported as disabled in the CSV and Excel reports when using the LDAP method from a Stand Alone workstation. There are two primary possible reasons why this occurs:

1. AD Recycle Bin is available via Server 2008 R2 and later forest levels (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-). According to the scripts own FLAD variable, the forest functional level integer value for 2008R2 is 4, but in both the ADWS and LDAP Recycle Bin Feature Status Enumeration code, there is a check to see if Forest Mode is 6 or greater (Windows 2012R2 or later) before it will even enumerate the feature. This should be 4 to include Windows Server 2008R2 and later - correct?

2. For the LDAP method from a standalone workstation, some AD environments have been observed returning the "msDS-EnabledFeatureBL" property in all lower case. While powershell is mostly case indifferent, it appears that this Active Directory property is case sensitive.

• https://social.technet.microsoft.com/Forums/windowsserver/en-US/b95eb187-16fe-41d0-bd8e-2f22b1e5f140/query-userprincipalname-usign-powershell?forum=winserverpowershell
• https://social.technet.microsoft.com/Forums/windowsserver/en-US/78e10a25-deca-4378-bc45-5c5d2ee5734c/powershell-case-sensitivity

For environments where the property is returned in all lower case "msds-enabledfeaturebl" (see example below on a manual step through of the ADRecon script)

the check "$ADRecycleBin.Properties.'msDS-EnabledFeatureBL'.Count -gt 0" fails (even when Recycle Bin is enabled) and the report shows the Recycle Bin Feature as disabled. This is all despite the script enumerating the $ADRecycleBin variable correctly on a manual step through; the output of the variable shows the Recycle Bin Feature option is enabled and the proper applied scope when the affected property is called using all lower case, I am not certain that this property is always returned in lower case - but have found two different AD environments where it is.

Hi all,

Very silly question here, but I keep getting an invalid path error everytime I try to use the -GenExcel flag.
Is this wrong:
-GenExcel C:/ADRecon-Report/

Hi, While running the script just by typing /AdRecon.ps1 gives me following warnings & error.
I am not sure how to even begin to debug. Can you help?

WARNING: Error initializing default drive: 'The server has rejected the client credentials.'.
WARNING: [Invoke-ADRecon] Error importing ActiveDirectory Module from RSAT (Remote Server Administration Tools) ... Co
ntinuing with LDAP
[*] Running on heiway.net\HSTSHEA19097 - Member Server
[Invoke-ADRecon] LDAP bind Unsuccessful
*