Advanced Active Directory Monitoring Tool
# Advanced Active Directory Monitoring Tool
# Import required modules
Import-Module ActiveDirectory
Import-Module GroupPolicy
function Show-Menu {
    # Clears the console and prints the banner followed by the eleven numbered
    # menu entries. Purely presentational: reads no input and returns nothing.
    Clear-Host
    Write-Host "=== Advanced Active Directory Monitoring Tool ===" -ForegroundColor Cyan

    $menuEntries = @(
        "1. Check Domain Controllers Health",
        "2. Analyze User Accounts",
        "3. Monitor Group Policy Changes",
        "4. Audit Active Directory Replication",
        "5. Check DNS Health",
        "6. Monitor FSMO Roles",
        "7. Analyze Active Directory Structure",
        "8. Check Trust Relationships",
        "9. Monitor Active Directory Services",
        "10. Generate Comprehensive Report",
        "11. Exit"
    )

    foreach ($entry in $menuEntries) {
        Write-Host $entry
    }
}
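function Check-DomainControllersHealth {
    # Pings every domain controller once and runs three dcdiag tests
    # (services, advertising, fsmocheck) on it through PowerShell remoting,
    # then prints one table row per DC.
    #
    # Each test column is "Passed" when dcdiag printed "passed test <name>",
    # "Failed" when dcdiag ran but did not print it, and "Unknown" when dcdiag
    # could not be run at all. Without that third state an unreachable or
    # remoting-disabled DC is indistinguishable from one that failed its tests.
    Write-Host "`nChecking Domain Controllers Health..." -ForegroundColor Yellow

    $dcs = Get-ADDomainController -Filter *

    # Collect the loop's output directly instead of growing an array with +=.
    $results = foreach ($dc in $dcs) {
        $status = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet

        $dcdiag = $null
        try {
            $dcdiag = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                dcdiag /test:services /test:advertising /test:fsmocheck
            }
        } catch {
            # Report the reason instead of silently discarding it.
            Write-Warning "Could not run dcdiag on $($dc.HostName): $($_.Exception.Message)"
        }

        # Maps the captured dcdiag text to a verdict for one test name.
        # NOTE(review): the match relies on dcdiag's English wording - confirm
        # on systems with a different display language.
        $verdictFor = {
            param($testName)
            if ($null -eq $dcdiag) { "Unknown" }
            elseif ($dcdiag -match "passed test $testName") { "Passed" }
            else { "Failed" }
        }

        [PSCustomObject]@{
            Name        = $dc.HostName
            Online      = if ($status) { "Yes" } else { "No" }
            Services    = & $verdictFor "Services"
            Advertising = & $verdictFor "Advertising"
            FSMORoles   = & $verdictFor "FsmoCheck"
        }
    }

    $results | Format-Table -AutoSize
}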
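function Analyze-UserAccounts {
    # Prints summary counts over all user accounts in the domain: total,
    # enabled, not logged on for 90+ days, password-never-expires, and created
    # within the last 30 days.
    Write-Host "`nAnalyzing User Accounts..." -ForegroundColor Yellow

    $now = Get-Date
    $inactiveThreshold = $now.AddDays(-90)
    $recentThreshold = $now.AddDays(-30)

    # Created must be requested explicitly; without it the property is empty on
    # every object and the RecentlyCreated count is always 0.
    # @(...) keeps .Count reliable when a query yields zero or one object.
    $users = @(Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled, Created)

    $userAnalysis = @{
        TotalUsers           = $users.Count
        ActiveUsers          = @($users | Where-Object { $_.Enabled -eq $true }).Count
        # Accounts that have never logged on have no LastLogonDate and compare
        # as older than the threshold, so they are counted here as well, as are
        # disabled accounts.
        # NOTE(review): LastLogonDate is derived from a replicated timestamp
        # that is only updated periodically, so treat the 90-day cut-off as
        # approximate.
        InactiveUsers        = @($users | Where-Object { $_.LastLogonDate -lt $inactiveThreshold }).Count
        PasswordNeverExpires = @($users | Where-Object { $_.PasswordNeverExpires -eq $true }).Count
        RecentlyCreated      = @($users | Where-Object { $_.Created -gt $recentThreshold }).Count
    }

    $userAnalysis | Format-Table -AutoSize
}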
function Monitor-GroupPolicyChanges {
    # Lists the GPOs of the current domain whose ModificationTime falls within
    # the last seven days, showing DisplayName, ModificationTime and Owner.
    #
    # The table shows when a GPO last changed, not what changed or who changed
    # it: Owner is the GPO's owner, which is not necessarily the account that
    # made the edit.
    Write-Host "`nMonitoring Group Policy Changes..." -ForegroundColor Yellow

    $dnsRoot = (Get-ADDomain).DNSRoot

    Get-GPO -All -Domain $dnsRoot |
        Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-7) } |
        Select-Object DisplayName, ModificationTime, Owner |
        Format-Table -AutoSize
}
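function Audit-ADReplication {
    # Runs "repadmin /showrepl * /csv", parses the CSV and lists every
    # replication link whose "Number of Failures" is not 0.
    #
    # Two fixes over the naive version:
    #  - If repadmin returns no rows (tool missing, access denied, no DC
    #    reachable) the result is reported as unknown instead of printing
    #    "No replication failures detected".
    #  - The CSV header names the partners "Source DSA" and "Destination DSA";
    #    selecting "Source DC"/"Destination DC" produces empty columns.
    Write-Host "`nAuditing Active Directory Replication..." -ForegroundColor Yellow

    $results = @(repadmin /showrepl * /csv | ConvertFrom-Csv)

    if ($results.Count -eq 0) {
        Write-Host "No replication data was returned by repadmin; replication status is unknown." -ForegroundColor Red
        return
    }

    # Rows without a numeric failure count (for example repadmin's own error
    # rows) are not equal to "0" and are therefore listed too.
    $failedReplications = @($results | Where-Object { $_."Number of Failures" -ne "0" })

    if ($failedReplications.Count -gt 0) {
        $failedReplications |
            Select-Object "Source DSA", "Destination DSA", "Number of Failures", "Last Failure Time" |
            Format-Table -AutoSize
    } else {
        Write-Host "No replication failures detected." -ForegroundColor Green
    }
}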
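function Check-DNSHealth {
    # Reports, for every domain controller, whether its DNS service is running.
    #
    # Fixes over the original:
    #  - "$server: ..." inside a double-quoted string is parsed as a
    #    scope-qualified variable reference and is a parse error; the name is
    #    written as ${server} instead.
    #  - The service state is read with Get-Service (the same way
    #    Monitor-ADServices does it) rather than by matching dnscmd console
    #    text.
    #  - A DC that cannot be queried is reported as undetermined instead of
    #    "not running".
    # NOTE(review): assumes every domain controller also hosts the DNS role -
    # confirm for this environment.
    Write-Host "`nChecking DNS Health..." -ForegroundColor Yellow

    $dnsServers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($server in $dnsServers) {
        try {
            # Return the status as a plain string so the comparison below does
            # not depend on how the remote object is deserialized.
            $dnsStatus = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                (Get-Service -Name "DNS" -ErrorAction Stop).Status.ToString()
            }
        } catch {
            Write-Host "${server}: DNS Service status could not be determined ($($_.Exception.Message))" -ForegroundColor Red
            continue
        }

        if ($dnsStatus -eq "Running") {
            Write-Host "${server}: DNS Service is running" -ForegroundColor Green
        } else {
            Write-Host "${server}: DNS Service is not running" -ForegroundColor Red
        }
    }
}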
function Monitor-FSMORoles {
    # Shows the current holders of the five FSMO roles as a list: the three
    # domain-level roles read from Get-ADDomain and the two forest-level roles
    # read from Get-ADForest.
    Write-Host "`nMonitoring FSMO Roles..." -ForegroundColor Yellow

    $forest = Get-ADForest
    $fsmoHolders = Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

    # Attach the forest-wide roles to the same object so all five print together.
    Add-Member -InputObject $fsmoHolders -MemberType NoteProperty -Name "SchemaMaster" -Value $forest.SchemaMaster
    Add-Member -InputObject $fsmoHolders -MemberType NoteProperty -Name "DomainNamingMaster" -Value $forest.DomainNamingMaster

    $fsmoHolders | Format-List
}
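function Analyze-ADStructure {
    # Prints the domain and forest names followed by object counts for domain
    # controllers, OUs, groups, users and computers.
    Write-Host "`nAnalyzing Active Directory Structure..." -ForegroundColor Yellow

    $domainInfo = Get-ADDomain
    $forestInfo = Get-ADForest

    Write-Host "Domain: $($domainInfo.DNSRoot)"
    Write-Host "Forest: $($forestInfo.Name)"

    # @(...) forces an array so .Count is a number even when a query returns
    # exactly one object (for example a single-DC domain) or nothing at all;
    # a bare single object may not expose a usable Count.
    Write-Host "Domain Controllers: $(@(Get-ADDomainController -Filter *).Count)"
    Write-Host "OUs: $(@(Get-ADOrganizationalUnit -Filter *).Count)"
    Write-Host "Groups: $(@(Get-ADGroup -Filter *).Count)"
    Write-Host "Users: $(@(Get-ADUser -Filter *).Count)"
    Write-Host "Computers: $(@(Get-ADComputer -Filter *).Count)"
}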
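function Check-TrustRelationships {
    # Enumerates the domain's trusts and prints a health verdict for each.
    #
    # A check that throws (name not resolvable, access denied, ...) is reported
    # as "Unknown" with the reason, rather than being folded into "Unhealthy"
    # with an unhandled error on the console.
    #
    # NOTE(review): Test-ComputerSecureChannel tests the secure channel between
    # the local computer and its own domain, and -Server selects the domain
    # controller used for that test. Passing the trust partner's name here may
    # therefore not validate the trust itself - confirm, and consider a
    # dedicated trust verification before relying on "Healthy".
    Write-Host "`nChecking Trust Relationships..." -ForegroundColor Yellow

    $trusts = Get-ADTrust -Filter *

    foreach ($trust in $trusts) {
        try {
            $status = Test-ComputerSecureChannel -Server $trust.Name -ErrorAction Stop
            $verdict = if ($status) { 'Healthy' } else { 'Unhealthy' }
        } catch {
            $verdict = "Unknown (check failed: $($_.Exception.Message))"
        }

        Write-Host "Trust with $($trust.Name): $verdict"
    }
}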
function Monitor-ADServices {
    # For each domain controller, queries the NTDS, DNS, Netlogon and KDC
    # services through PowerShell remoting and prints their name and status.
    # Remoting errors are not handled here; a DC that cannot be reached
    # produces an error and an empty table.
    Write-Host "`nMonitoring Active Directory Services..." -ForegroundColor Yellow

    # The same query is sent to every DC, so build it once.
    $serviceQuery = {
        Get-Service -Name "NTDS", "DNS", "Netlogon", "KDC" | Select-Object Name, Status
    }

    foreach ($controller in (Get-ADDomainController -Filter *)) {
        $dcHost = $controller.HostName
        $serviceStates = Invoke-Command -ComputerName $dcHost -ScriptBlock $serviceQuery

        Write-Host "Services on $($dcHost):"
        $serviceStates | Format-Table -AutoSize
    }
}
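function Generate-ComprehensiveReport {
    # Builds a plain-text report (DC reachability, user account summary, GPOs
    # modified in the last 7 days, FSMO role holders, trust checks) and saves
    # it as AD_Report_<timestamp>.txt on the current user's Desktop.
    #
    # Changes over the original:
    #  - User counts are wrapped in @(...) so they are numbers even when a
    #    filter matches zero or one account.
    #  - The Desktop folder is resolved through the shell folder API, so a
    #    redirected Desktop is honoured; the literal USERPROFILE\Desktop path
    #    is only a fallback.
    #  - The success message is printed only if the file was actually written.
    #  - A trust check that throws is recorded as "Unknown" with the reason.
    #
    # The report names domain controllers, FSMO role holders and trust
    # partners. Treat the file as sensitive and keep it out of shared or
    # synchronised locations.
    Write-Host "`nGenerating Comprehensive Report..." -ForegroundColor Yellow

    $report = @"
===== Active Directory Comprehensive Report =====
Generated on: $(Get-Date)
"@

    $report += "`n--- Domain Controllers Health ---`n"
    $dcs = Get-ADDomainController -Filter *
    foreach ($dc in $dcs) {
        $status = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
        $report += "$($dc.HostName): $(if ($status) { 'Online' } else { 'Offline' })`n"
    }

    $report += "`n--- User Account Summary ---`n"
    $inactiveThreshold = (Get-Date).AddDays(-90)
    $users = @(Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled)
    $report += "Total Users: $($users.Count)`n"
    $report += "Active Users: $(@($users | Where-Object { $_.Enabled -eq $true }).Count)`n"
    # Accounts with no LastLogonDate compare as older than the threshold and
    # are included in this count.
    $report += "Inactive Users (90+ days): $(@($users | Where-Object { $_.LastLogonDate -lt $inactiveThreshold }).Count)`n"

    $report += "`n--- Recent Group Policy Changes (Last 7 Days) ---`n"
    $gpoCutoff = (Get-Date).AddDays(-7)
    $recentChanges = Get-GPO -All | Where-Object { $_.ModificationTime -gt $gpoCutoff }
    foreach ($gpo in $recentChanges) {
        $report += "$($gpo.DisplayName) - Modified: $($gpo.ModificationTime)`n"
    }

    $report += "`n--- FSMO Roles ---`n"
    $forest = Get-ADForest
    $roles = Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
    $roles | Add-Member -MemberType NoteProperty -Name "SchemaMaster" -Value $forest.SchemaMaster
    $roles | Add-Member -MemberType NoteProperty -Name "DomainNamingMaster" -Value $forest.DomainNamingMaster
    $report += $roles | Out-String

    $report += "`n--- Trust Relationships ---`n"
    $trusts = Get-ADTrust -Filter *
    foreach ($trust in $trusts) {
        # NOTE(review): Test-ComputerSecureChannel checks the local computer's
        # secure channel to its own domain; -Server picks the DC to use. The
        # result may not reflect the health of the trust itself - confirm.
        try {
            $status = Test-ComputerSecureChannel -Server $trust.Name -ErrorAction Stop
            $verdict = if ($status) { 'Healthy' } else { 'Unhealthy' }
        } catch {
            $verdict = "Unknown (check failed: $($_.Exception.Message))"
        }
        $report += "Trust with $($trust.Name): $verdict`n"
    }

    $desktop = [Environment]::GetFolderPath('Desktop')
    if ([string]::IsNullOrEmpty($desktop)) {
        $desktop = "$env:USERPROFILE\Desktop"
    }
    $reportPath = Join-Path $desktop "AD_Report_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"

    try {
        $report | Out-File -FilePath $reportPath -ErrorAction Stop
    } catch {
        Write-Host "Report could not be saved to ${reportPath}: $($_.Exception.Message)" -ForegroundColor Red
        return
    }

    Write-Host "Report generated and saved to: $reportPath" -ForegroundColor Green
}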
# Main loop: show the menu, run the selected check, pause, and repeat until
# the operator enters 11.
do {
    Show-Menu
    $choice = Read-Host "`nEnter your choice (1-11)"

    switch ($choice) {
        "1"  { Check-DomainControllersHealth }
        "2"  { Analyze-UserAccounts }
        "3"  { Monitor-GroupPolicyChanges }
        "4"  { Audit-ADReplication }
        "5"  { Check-DNSHealth }
        "6"  { Monitor-FSMORoles }
        "7"  { Analyze-ADStructure }
        "8"  { Check-TrustRelationships }
        "9"  { Monitor-ADServices }
        "10" { Generate-ComprehensiveReport }
        "11" {
            Write-Host "Exiting program..." -ForegroundColor Yellow
            # Leaves the switch only; the loop ends through its own condition.
            break
        }
        default { Write-Host "Invalid choice. Please try again." -ForegroundColor Red }
    }

    # Give the operator time to read the output before the menu clears the
    # screen again; skipped when exiting.
    if ($choice -eq "11") {
        continue
    }
    Read-Host "`nPress Enter to continue..."
} until ($choice -eq "11")
This Advanced Active Directory Monitoring Tool includes:
- A comprehensive menu with 11 options
- Advanced functions for various AD monitoring and analysis tasks:
- Detailed Domain Controller health check
- User account analysis
- Group Policy change monitoring
- AD replication auditing
- DNS health check
- FSMO roles monitoring
- AD structure analysis
- Trust relationship verification
- AD services monitoring
- Comprehensive report generation
- Use of advanced Active Directory PowerShell cmdlets and system tools
- Detailed output and reporting capabilities
Key features:
- Comprehensive DC Health Check: Includes service status and DCDIAG tests
- User Account Analysis: Provides statistics on active, inactive, and recently created accounts
- Group Policy Monitoring: Tracks recent changes to Group Policies
- Replication Audit: Checks for replication failures across the domain
- DNS Health: Verifies DNS service status on all DCs
- FSMO Roles: Displays the current holders of all FSMO roles
- AD Structure Analysis: Gives an overview of the AD structure including counts of OUs, groups, users, and computers
- Trust Relationships: Checks the health of trust relationships
- Service Monitoring: Checks critical AD services across all DCs
- Comprehensive Report: Generates a detailed report covering multiple aspects of AD health
This tool provides an in-depth analysis of an Active Directory environment. It’s particularly useful for:
- Proactive monitoring of AD health
- Troubleshooting complex AD issues
- Regular AD maintenance and health checks
- Generating reports for audits or management review
Note: To use this script effectively, you need to:
- Run PowerShell as an administrator
- Have the Active Directory and Group Policy PowerShell modules installed
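- Have appropriate permissions in the AD environment (Domain Admin or equivalent). The script runs commands on every Domain Controller through Invoke-Command, so use a dedicated administrative account on a trusted management workstation rather than a day-to-day account.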
- Be aware that some functions may require running on a Domain Controller
This script is suitable for experienced AD administrators who need comprehensive monitoring and analysis capabilities for managing complex Active Directory environments.
