Testimo is a PowerShell module to help with basic and more advanced testing of Active Directory, and maybe in the future other types of servers. Testimo is an alpha product and as such things do change. Its goal is to be a fully automated solution where one can run a single command and get results without executing 50 little functions.
If you're new to Testimo you should read the introductory blog post!
Note: At present this module is not supported in PowerShell Core/PowerShell 7. This is because Testimo depends on other Microsoft modules that are also not supported in PowerShell 7, including GroupPolicy and ServerManager. There is an issue tracking this compatibility which you can follow: EvotecIT#110.
Things to know:
- ✅ Configuration hash is not written in stone and can change rapidly as Testimo gets tested
- ✅ Ideas are VERY welcome
- ✅ There's a big mess in files/function names - I'm still testing things out, creating some random names; it will be cleaned up later on
- ✅ There are lots of details missing for tests, and some things may not work as you want - please report issues or, if you know how, fix them
- ✅ I don't know EVERYTHING - I'm very open to help with making Testimo more robust, detailed and easy to use
- ✅ This module works great in Windows PowerShell!
- Requirements for Sources work differently than for Tests:
  - For Sources, when Requirements are not met Testimo skips the whole Source, so it does not appear in the output at all
  - For Tests, when Requirements are not met Testimo marks the Test as skipped, so it is still listed
Install-Module -Name Testimo -AllowClobber -Force
Force and AllowClobber aren't strictly necessary, but they skip the errors that may otherwise appear: AllowClobber lets the install proceed even when a command name clashes with a module you already have installed, and Force reinstalls over an existing version without prompting.
To update an already installed Testimo:
Update-Module -Name Testimo
Alternatively, rerunning Install-Module with -Force will trigger a reinstallation or update:
Install-Module -Name Testimo -AllowClobber -Force
That's it. Whenever there's a new version you simply run the command and you can enjoy it. Remember that you may need to close and reopen the PowerShell session if you have already used the module before updating it.
The important thing: if something works for you in production, keep using that version until you have tested the new one on a test computer. I make changes that may not be big, but are big enough that an auto-update will break your code. For example, a small rename of a parameter and your code stops working! Be responsible!
With output to screen and HTML:
Invoke-Testimo
Generate all tests but display content only in PowerShell:
Invoke-Testimo -HideHTML
Please keep in mind that there is currently a known issue: running all tests works correctly, but the generated HTML is very slow when switching tabs. It's advised to run separate tests, which generates a smaller file that is more responsive:
Invoke-Testimo -Sources 'ForestOptionalFeatures','DomainWellKnownFolders','ForestSubnets' -Online -FilePath $PSScriptRoot\Reports\TestimoSummary.html -AlwaysShowSteps
There are also other parameters available. With -PassThru (the older name -ReturnResults is kept as an alias) Invoke-Testimo returns the results as objects, so you can process the output further - for example to email it:
Invoke-Testimo -PassThru
The following configuration allows you to:
- Edit the default Testimo configuration with some other values
- Exclude one of the domains
- Return results for further processing
- Limit sources to a chosen set (you could also limit that via the configuration hashtable, but this way is quicker for ad hoc enabling/disabling)
Import-Module Testimo
$OutputOrderedDictionary = Get-TestimoConfiguration
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.RecycleBinEnabled.Enable = $false
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.LapsAvailable.Enable = $true
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.LapsAvailable.Parameters.ExpectedValue = $false
$Sources = @(
    'ForestFSMORoles'
    'ForestOptionalFeatures'
    'ForestBackup'
    'ForestOrphanedAdmins'
    'DomainPasswordComplexity'
    'DomainSecurityKRBGT'   # replaces DomainKerberosAccountAge, which was removed in 0.0.46 as identical
    'DomainDNSScavengingForPrimaryDNSServer'
    'DCWindowsUpdates'
)
$TestResults = Invoke-Testimo -PassThru -ExcludeDomains 'ad.evotec.pl' -Sources $Sources -Configuration $OutputOrderedDictionary
$TestResults | Format-Table -AutoSize *
Be sure to check out the Examples section for more how-tos.
Testimo comes with preset rules that may not apply to your environment. You may want to change some things, like disabling some tests or changing some values (to an extent). There are 3 ways to do it, depending on how you want to save/edit/pass the configuration to Testimo - I leave it up to you.
Write the default configuration to a JSON file on disk:
Get-TestimoConfiguration -FilePath $PSScriptRoot\Configuration\TestimoConfiguration.json
Get the default configuration as a JSON string:
Get-TestimoConfiguration -AsJson
Get the default configuration as an ordered dictionary and edit it in place before passing it to Invoke-Testimo -Configuration:
$OutputOrderedDictionary = Get-TestimoConfiguration
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.RecycleBinEnabled.Enable = $false
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.LapsAvailable.Enable = $true
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.LapsAvailable.Parameters.ExpectedValue = $false
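The usage example and the configuration section above both edit individual `Enable` flags by hand. The following script is an added example, not code from the Testimo project: it walks the ordered dictionary returned by `Get-TestimoConfiguration` and disables every test whose name matches a pattern, then runs Testimo with the tuned configuration using the `-Configuration`, `-HideHTML` and `-PassThru` parameters shown above. The helper function name `Disable-TestimoTestsByPattern`, the `'Laps'` pattern, and the assumption that every Source entry is a dictionary carrying a `Tests` dictionary of entries with an `Enable` flag (the shape shown in the examples above) are mine.

```powershell
# Added example (not from the Testimo project). It assumes the configuration
# returned by Get-TestimoConfiguration has the shape shown in the README:
#   $Config.<SourceName>.Tests.<TestName>.Enable
#   $Config.<SourceName>.Tests.<TestName>.Parameters.ExpectedValue
Import-Module Testimo

function Disable-TestimoTestsByPattern {
    <#
    .SYNOPSIS
    Hypothetical helper: sets Enable = $false on every Test whose name matches
    -Pattern, in every Source, and emits one object per test it changed.
    #>
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Configuration,
        [Parameter(Mandatory)] [string] $Pattern
    )
    # Copy the key collections to arrays so nested values can be modified
    # safely while enumerating.
    foreach ($SourceName in @($Configuration.Keys)) {
        $Source = $Configuration[$SourceName]
        # Skip top-level entries that are not a Source carrying a Tests dictionary
        if (-not ($Source -is [System.Collections.IDictionary])) { continue }
        if (-not $Source.Contains('Tests')) { continue }
        foreach ($TestName in @($Source.Tests.Keys)) {
            $Test = $Source.Tests[$TestName]
            if ($TestName -match $Pattern -and $Test.Enable -eq $true) {
                $Test.Enable = $false
                [PSCustomObject]@{ Source = $SourceName; Test = $TestName }
            }
        }
    }
}

$Config = Get-TestimoConfiguration

# Example: an environment without LAPS - switch off every test whose name
# mentions it (the pattern is an assumption; LapsAvailable is the test shown above)
$Disabled = Disable-TestimoTestsByPattern -Configuration $Config -Pattern 'Laps'
$Disabled | Format-Table -AutoSize

# Run with the tuned configuration; -HideHTML keeps output in the console and
# -PassThru returns the results as objects for further processing
$Results = Invoke-Testimo -Configuration $Config -HideHTML -PassThru
$Results | Format-Table -AutoSize *
```

Because the helper returns what it changed, you can review the list before running, and the same pattern can be kept in a script so the tuning survives the next Testimo update instead of living in a hand-edited dictionary.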
- 0.0.68 - 2021.04.21
  - General
    - 🐛 Small detection of problems with gathering information about Forest
  - Tests
    - 📦 Added `DomainSecurityDelegatedObjects`
- 0.0.67 - 2021.04.07
  - Tests
    - 💡 Improved `DomainGroupPolicyAssessment`
- 0.0.66 - 2021.04.07
- 0.0.65 - 2021.03.23
  - Tests
    - Improvement `DomainSecurityUsers`
    - Improvement `DomainSecurityKRBGT`
  - General
    - Improvement of HTML
- 0.0.64 - 2021.03.23
  - Tests
    - Improvement `DomainSecurityUsers`
    - Improvement `DomainSecurityKRBGT`
  - General
    - Improvement of HTML
- 0.0.63 - 2021.03.23
  - Tests
    - Improvement `ForestSubnets`
- 0.0.62 - 2021.03.20
  - Tests
    - Fixed `DCDNSResolveExternal` reported in #122
    - Improvement `ForestTrusts`
  - General
    - Improvement of HTML
- 0.0.61 - 2021.03.17
  - Tests
    - Improved `ForestTrusts`
    - Improved `ForestRoles`
  - General
    - Improvement of HTML
- 0.0.60 - 2021.03.17
  - Tests
    - Improved `ForestSubnets`
    - Improved `ForestSites`
    - Improved `ForestOptionalFeatures`
    - Improved `ForestBackup`
    - Improved `ForestTombstoneLifetime`
    - Improved `DomainDomainControllers`
    - Improved `DomainLDAP`
    - Improved `DomainOrphanedSecurityPrincipals`
  - General
    - Added `AlwaysShowSteps`
    - Improved support for new PSWriteHTML
- 0.0.59 - 2021.03.01
  - General
    - Misspelled word in report (Extream -> Extreme) #120 - tnx mojomojoman
- 0.0.58 - 2021.02.25
  - Tests
    - Added `ForestSubnets`
    - Improved `DomainDomainControllers`
    - Improved `DomainLDAP`
    - Improved `ForestBackup`
    - Improved `ForestOrphanedAdmins`
    - Improved `ForestConfigurationPartitionOwners`
    - Improved `DomainDuplicateObjects`
    - Improved `ForestSites`
  - General
    - Improved reporting
    - Improved reporting status (assessment)
- 0.0.57 - 2021.02.21
  - Tests
    - Added `DomainLDAP` - takes over `DCLDAP`
    - Disabled `DCLDAP` by default. Still there, just not used.
    - Improved `ForestOrphanedAdmins`
    - Improved `ForestConfigurationPartitionOwners`
    - Improved `DomainDuplicateObjects`
    - Improved `DomainDomainControllers`
  - General
    - Renamed parameter `ReturnResults` to `PassThru` (left as an alias)
    - Fixed loading configuration from JSON/File/HashTable - configuration changed so much that a rebuild will be required
    - Fixed saving configuration to JSON/File/HashTable - configuration changed so much that a rebuild will be required
    - Parameter `ShowReport` for `Invoke-Testimo` is deprecated and doesn't do anything
    - Parameter `HideHTML` for `Invoke-Testimo` was added and prevents auto-opening of the HTML report
    - Parameters `HideSteps`/`HideSolution` for `Invoke-Testimo` were added to hide solution/steps in case they're not needed
    - Added additional information about HTML report generation: where the file was saved (useful if no FilePath was provided)
    - Parameter `ReportPath` was renamed to `FilePath`; `ReportPath` is still an alias - to get it the same as GPOZaurr
  - Reporting
    - Solution/Steps added to report when available for display
    - Reporting is still getting more and more changes
- 0.0.56 - 2021.02.07
  - Tests
    - Improved `ForestOrphanedAdmins`
    - Added `ForestConfigurationPartitionOwners`
    - Improved `DomainDuplicateObjects`
    - Improved `DomainDomainControllers`
    - Improved `DCTimeSynchronizationExternal`
  - Reporting
    - HTML report updated with new format, still not final
    - Added Importance/Category visibility in HTML -> if only those were updated in all tests 🤣
    - Added Description visibility in HTML -> if only those were updated in all tests 🤣
    - Added Resources visibility in HTML -> if only those were updated in all tests 🤣
- 0.0.55 - 2021.02.02
  - Improvement to report (domain section)
  - Improvement to `DomainDuplicateObjects`
  - Improvement to `OrphanedForeignSecurityPrincipals`
  - Removed `ForestDuplicateObjects` - duplicate of `DomainDuplicateObjects`
- 0.0.54 - 2021.01.29
  - Fixes report to work with IE 11 (not great, not bad either)
- 0.0.53 - 2021.01.28
  - Improved `DomainDomainControllers`
- 0.0.52 - 2021.01.27
  - Improved `DCUNCHardenedPaths` to check for multiple values
- 0.0.51 - 2021.01.26
  - Fix for Invoke-Testimo crashing on dead/non-responding/no-access DC #117
- 0.0.50 - 2021.01.25
  - Fix for Invoke-Testimo returning more than one line of error, which would stop Testimo #116
- 0.0.49 - 2021.01.25
  - Fix for Invoke-Testimo not working correctly with some tests #116
  - Improved some tests
  - Reporting
    - HTML report improved a bit for Domain based checks
- 0.0.48 - 2021.01.21
  - Fix for Invoke-Testimo not working when no tests are defined
  - Tests
    - Added `DomainDomainControllers` - covers DC ACL owner, DC Manager, DC Password Last Set, DC Last Logon, Enabled
- 0.0.47 - 2021.01.19
  - Improvements
    - Added warnings & errors to HTML
    - Removed dependency on `PSWinDocumentation.AD` temporarily (no tests for now)
  - Tests
    - Removed `DomainGroupPolicyPermissionUnknown`
    - Removed `GroupPolicyMissingPermissions`
    - Added `DomainGroupPolicyPermissions` - covers unknown, administrative, authenticated users and system (both removed + some)
    - Removed `DomainGroupPolicyEmptyUnlinked`
    - Added `DomainGroupPolicyAssesment` - covers empty, unlinked, disabled, with problem, optimized, no apply permission
    - Added `DomainNetLogonOwner`
    - Improved `ForestSiteLinksConnections` #92
    - Improved `ForestTombstoneLifetime` - support for forest
- 0.0.46 - 2020.10.29
  - Improvement to `HTML`
    - DataStore is now set to `JavaStore`, which allows handling of more data within a single HTML file
      - Should have fewer errors on tab switching
      - Known issue: with lots of tables/charts switching between tabs can take time, be patient
  - Improvement to `DomainSecurityKRBGT`
  - Improvement to `DCWindowsUpdates`
  - Removed `DomainKerberosAccountAge` as it's identical to `DomainSecurityKRBGT`
  - Removed `DomainTrusts` as it wasn't really working great
  - Added `ForestTrusts` with improvements
  - `ForestObjectsWithConflict` renamed to `ForestDuplicateObjects`
  - `ForestDuplicateObjects` disabled by default (same thing as `DomainDuplicateObjects`, just done forest wide)
  - `DomainDuplicateObjects` enabled by default (same thing as forest, just done per domain)
  - `DCTimeSettings` updated with proper NTP recommendation #65 - tnx SolidKnight, SUBnet192, itpro-tips
- 0.0.45 - 2020.10.20
  - Reverted the HTML change due to issues
- 0.0.44 - 2020.10.19
  - HTML
    - HTML report should now be much faster to work with even with larger datasets
  - Tests
    - `DomainWellKnownFolders` - removed duplicate code
    - Added some additional descriptions to tests, still a long way to go
    - Small name fix for `DomainGroupPolicySysvol`
    - `DomainGroupPolicyEmptyUnlinked` - added new test
    - Silent `GitHub` version check
    - Fixes working with lowercase source names
    - Fixes issue `Service Status fails on value "Auto"` #106 due to change in `PSSharedGoods`
- 0.0.43 - 2020.06.17
  - Tests
    - Small name update to `OrganizationalUnitsEmpty` and `OrganizationalUnitsProtected` fixing #103
- 0.0.42 - 2020.06.08
  - Tests
    - Fix for `DCNetSessionEnumeration` not run against target #102
  - Engine
    - Better `Sources` handling during typing
- 0.0.41 - 2020.06.06
  - Engine
    - Renamed `MustExists` to `ExpectedOutput` for Parameters in Tests for a unified experience
    - Added `ExpectedResult` for Parameters in Tests
      - This works in a way where, if we use WhereObject filtering on an array, you can check whether output is given or not and fail/pass right away
      - This brings 3 ways to test: `ExpectedCount`, `ExpectedValue` or `ExpectedResult`
      - `ExpectedResult` ignores all other settings in parameters except for `WhereObject`
  - Tests
    - Added `DomainGroupPolicyPermissionConsistency` (requires `GPOZaurr` PowerShell module)
    - Added `DomainGroupPolicyOwner` (requires `GPOZaurr` PowerShell module)
      - Test for: `GPO: Owner Consistent`
      - Test for: `GPO: Owner Administrative`
    - Added `DomainGroupPolicyPermissionUnknown` (requires `GPOZaurr` PowerShell module)
    - Added `DomainGroupPolicySysvol` (requires `GPOZaurr` PowerShell module)
    - Renamed `DCGroupPolicySYSVOL` to `DCGroupPolicySYSVOLDC` to prevent conflict with per Domain checks
    - Replaced `DomainGroupPolicyADM` with `GPOZaurr` command
- 0.0.40 - 2020.05.09
  - Engine
    - ExpectedOutput is now required for Source
  - Tests
    - ExpectedOutput (true/false/null) added for all tests
    - Fix regression `ForestReplicationStatus` if multiple DC
    - Fix regression `ForestReplication` if multiple DC
    - Added `DomainDuplicateObjects` test - finds CNF objects
- 0.0.39 - 2020.04.11
  - Engine
    - Add requirements (IsInternalForest = $true) for tests that do not support external forest (such as repadmin)
    - Fixed `ExpectedCount` not working correctly for some values (not sure why it worked at all)
  - Reporting
    - Improved output to not include empty tabs
  - Tests
    - Improved `ForestReplicationStatus` if only 1 DC, disabled if asking for external forest
    - Improved `ForestReplication` if only 1 DC
    - Renamed `DomainEmptyOrganizationalUnits` to `DomainOrganizationalUnitsEmpty`
    - Added `DomainOrganizationalUnitsProtected`
    - Improved `DCServices` for non-existing spooler service
    - Changed `DomainPasswordComplexity` - Lockout Threshold changed to 5+
    - Renamed `DCNetSessionEnumaration` to `DCNetSessionEnumeration` - tnx subnet192 #99
    - Added `DCDNSForwarders` - DNS: More than one forwarding server should be configured
    - Added `DomainExchangeUsers` - Exchange Users: Missing MailNickName monitors for issue described on blog
    - Improved `DNSScavengingForPrimaryDNSServer`
  - Other
    - Fix typos - tnx subnet192 #99
- 0.0.38 - 2020.03.14
  - Added GroupPolicy and ActiveDirectory to RequiredModules and ExternalModuleDependencies, preventing error reported in #91
- 0.0.37 - 2020.03.13
  - Engine
    - Update to `DomainSecurityUsers` to exclude DomainGuests
    - Fix for ExpectedOutput $false
  - Tests
    - Fix for `DomainSecurityUsers` - tnx itpro-tips #89
    - Added `DomainSecurityKRBGT`
    - Improved `DCNetworkSettings` - DNS: DNS servers on Ethernet should include the loopback address, but not as the first entry - #90 - tnx itpro-tips
    - Improved `DCNetworkSettings` - DNS: Ethernet should have static IPv4 settings (disabled by default) - #90 - tnx itpro-tips
    - Improved `DCLanManServer` - ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression - Disabled by default, as patch is available
- 0.0.36 - 2020.03.04
  - Engine
    - Fix for broken tests
- 0.0.35 - 2020.03.04
  - Engine
    - Added MustExists (True/False) for Parameters
    - Fixes for In/NotIn
    - Fixes for Inclusion/Exclusion DC/Domain
    - Fixes for ExpectedCount 0 not working
  - Tests
    - DCServices improvement with XBOX service
    - Added DCSMBSharesPermissions
    - Added DomainSecurityUsers
    - Added DCUNCHardenedPaths - read up on the potential issues of implementing UNC Hardened Paths. If you enable it and things go south, GPOs won't work.
- 0.0.34 - 2020.01.29
  - Tests
    - Modify repadmin (ForestReplicationStatus) for non-English OS #86 - tnx Fiyorden
- 0.0.33 - 2020.01.28
  - Tests
    - Fixing legacy ADM files check - #84 - tnx PMORMR
- 0.0.32 - 2020.01.27
  - Tests
    - Fix for DCGroupPolicySYSVOL - #83 - tnx PMORMR
- 0.0.31 - 2020.01.23
  - Engine
    - Fix for loading configuration
- 0.0.30 - 2020.01.19
  - Engine
    - Fix for version checks
- 0.0.29 - 2020.01.19
  - Engine
    - Added IncludeDomain, IncludeDomainControllers (when used, skips Exclusions)
      - This requires heavy improvements - soon enough
    - Fixes issue when first running a single source and then running all tests (it would use the "old source" instead of using defaults)
  - Tests
    - Fix for Windows Roles and Features for other language (non-English) #79 - tnx Fiyorden
    - Added LDAPInsecureBindings
- 0.0.28 - 2019.12.29
  - Engine
    - Fix for not running tests for DC if no Forest/Domain tests are present
    - Added -SkipRODC parameter to skip DCs that are RODC
- 0.0.27 - 2019.12.26
  - Engine
    - Better support for Portable Testimo
- 0.0.26 - 2019.12.26
  - Engine
    - Improvements to some error handling
    - Added Version/Date Published (#72)
    - Do not run Tests for Domain/DomainControllers if not enabled
    - Updated modules
      - ADEssentials to 0.0.27 (Get-WinADDFSHealth fixed)
      - Other dependencies also updated
  - Tests
    - Fix for DNSForwarders
    - Added DomainComputersUnsupported (older than 2008)
    - Added DomainComputersUnsupportedMainstream (2008 computers with support from Microsoft)
- 0.0.25 - 2019.11.18
  - Engine
    - Small configuration saving fixes
    - Added version
  - Tests
    - ForestObjectsWithConflict - Added
    - DCRDPSecurity - Added
      - Minimum Encryption Level
    - DCServiceWINRM - Added
      - DisableRunAS
    - DCSMBProtocols - added BPA findings
      - AutoDisconnectTimeout
      - CachedOpenLimit
      - DurableHandleV2TimeoutInSeconds
      - EnableSMB1Protocol
      - EnableSMB2Protocol
      - MaxThreadsPerQueue
      - Smb2CreditsMin
      - Smb2CreditsMax
      - RequireSecuritySignature
    - DCNetSessionEnumeration (Net Cease) - Added
      - Hardening Net Session Enumeration
    - DCLanManServer - Added
      - Microsoft network server: Digitally sign communications (if client agrees)
      - Microsoft network server: Digitally sign communications (always)
      - Users are not forcibly disconnected when logon hours expire.
- 0.0.23 - 2019.10.08
  - Tests
    - DCDiagnostics - Added
      - Basically a wrapper over DcDiag
      - Checks Connectivity
      - Checks Advertising
      - Checks CheckSecurityError
      - Checks CutoffServers
      - Checks FrsEvent
      - Checks DFSREvent
      - Checks SysVolCheck
      - Checks FrsSysVol
      - Checks KccEvent
      - Checks KnowsOfRoleHolders
      - Checks MachineAccount
      - Checks NCSecDesc
      - Checks NetLogons
      - Checks ObjectsReplicated
      - Checks Replications
      - Checks RidManager
      - Checks Services
      - Checks SystemLog
      - Checks Topology
      - Checks VerifyEnterpriseReferences
      - Checks VerifyReferences
      - Checks VerifyReplicas
      - Checks DNS
      - Checks ForestDnsZonesCheckSDRefDom
      - Checks ForestDnsZonesCrossRefValidation
      - Checks DomainDnsZonesCheckSDRefDom
      - Checks DomainDnsZonesCrossRefValidation
      - Checks SchemaCheckSDRefDom
      - Checks SchemaCrossRefValidation
      - Checks ConfigurationCheckSDRefDom
      - Checks ConfigurationCrossRefValidation
      - Checks NetbiosCheckSDRefDom
      - Checks NetbiosCrossRefValidation
      - Checks DNSDomain
      - Checks LocatorCheck
      - Checks FsmoCheck
      - Checks Intersite
    - DCEventLog - Added
      - Check for Application Log - LogMode/LogFull
      - Check for System Log - LogMode/LogFull
      - Check for PowerShell Log - LogMode/LogFull
      - Check for Security Log - Size/SizeMax/LogMode/LogFull
      - Check for Security Log - Default Security Permissions
    - DCTimeSynchronizationExternal
      - Supports parameters #41 - tnx James Rudd
    - DCDFS - Added
      - DFS should be Healthy
      - Central Repository for GPO for Domain should be available
      - Central Repository for GPO for DC should be available
      - GPO Count should match folder count
      - MemberReference should return TRUE
      - DFSErrors should be 0
      - DFSLocalSetting should be TRUE
      - DomainSystemVolume should be TRUE
      - SYSVOLSubscription should be TRUE
      - DFSR AutoRecovery should be enabled (not stopped)
    - DCDFSRAutoRecovery - DELETED
      - Moved to DCDFS
    - DomainDHCPAuthorized - Added but DISABLED
      - Check added, by default disabled.
    - DCTimeSettings
      - Fix for Incorrect NTP Interval #42 - tnx Jakob West
      - Added test for checking NTP Incorrect Interval #42 - tnx Jakob West
      - Should properly read settings via Policy (GPO) - change in PSSharedGoods #41 - tnx James Rudd
    - DomainGroupPolicyADM - Added
      - Added check for legacy ADM files
    - DCGroupPolicySYSVOL - Added
      - Added check if all GPOs have their folder on SYSVOL
    - DCLanManagerSettings - Added
      - Added checks for Lan Manager Settings
    - DCTimeSynchronizationInternal
      - Added check for LastBootUpTime being less than X (60) days
  - Engine
    - Added checks for potential NULL after Where-Object (fails tests now, while before it would ignore it)
    - Added parameters for SourceParameters for use within Sources #41 - tnx James Rudd
    - Changed export / import configuration to support SourceParameters/ExpectedOutput. #41 - tnx James Rudd
    - Support for Requirements/CommandAvailable
- 0.0.22 - 2019.09.10
  - Tests
    - DCPorts - typo fix OPEN vs CLOSED
- 0.0.21 - 2019.09.10
  - Tests
    - DCPorts - Checking for port 139 - Require PORT CLOSED (#29 - tnx SP3269)
    - DCNetworkSettings - NetBIOS over TCP/IP settings on network card - Require DISABLED (#29 - tnx SP3269)
    - DCWindowsFirewall - was renamed to DCNetworkSettings
    - DomainEmptyOrganizationalUnits - fix for lacking Contacts (#32 - tnx JasonCook599)
    - DNSScavengingForPrimaryDNSServer - fix LT should be GT (#33 - tnx JasonCook599)
    - DomainDNSZonesForest0ADEL - Added new test
    - DomainDNSZonesDomain0ADEL - Added new test
  - Engine
    - Support for match/notmatch/notcontains
- 0.0.20 - 2019.09.09
  - Fix for configuration loading from JSON file (#30 - tnx Alex)
- 0.0.19 - 2019.09.08
  - First public release - More information in blog post!
Keep in mind not all tests apply to each environment. I'm adding those to be flexible and be able to test things as needed. Each of those tests will need additional description and recommendation, most likely with links and steps to fix. Some of the tests are very basic and will need feedback, work on making it a robust test. Nothing is written in stone for now. Things can change day by day.
- Criticality of Tests - some tests are critical, some are less critical, some are informative only
- Recommended, Default, Sane - not all tests are equal or make sense in all conditions
Tests are based on:
- Active Directory CheckList
- AD Health & Checkup
- Some tests I've defined myself
- Feel free to submit your own ideas either via Issues or direct PR.
Type | Name | Area | Description |
---|---|---|---|
Forest | Backup | Backup | Verify last backup time should be [less than X days] |
Forest | Replication | Connectivity | Verify each DC in replication site can [reach other replication members] |
Forest | Replication using Repadmin | Connectivity | Verify each DC in replication site can [reach other replication members] |
Forest | Optional Features | Features | Verify Optional Feature Recycle Bin should be [Enabled] |
Forest | Optional Features | Features | Verify Optional Feature Privileged Access Management Feature should be [Enabled] |
Forest | Optional Features | Features | Verify Optional Feature Laps should be enabled [Configured] |
Forest | Sites Verification | Sites | Verify each site has at least [one subnet configured] |
Forest | Sites Verification | Sites | Verify each site has at least [one domain controller configured] |
Forest | Site Links | Site Links | Verify each site link is automatic |
Forest | Site Links | Site Links | Verify each site link uses notifications |
Forest | Site Links | Site Links | Verify each site link does not use notifications |
Forest | Roles | Connectivity | Verify each FSMO holder is [reachable] |
Forest | Orphaned/Empty Admins | Security | Verify there are no Orphaned Admins (users/groups/computers) |
Forest | Tombstone Lifetime | Features | Verify Tombstone lifetime is greater or equal 180 days |
Domain | Roles | Connectivity | Verify each FSMO holder is [reachable] |
Domain | Password Complexity Requirements | Password | Verify Password Complexity Policy should be [Enabled] |
Domain | Password Complexity Requirements | Password | Verify Password Length should be [greater than X] |
Domain | Password Complexity Requirements | Password | Verify Password Threshold should be [greater than X] |
Domain | Password Complexity Requirements | Password | Verify Password Lockout Duration should be [greater than X minutes] |
Domain | Password Complexity Requirements | Password | Verify Password Lockout Observation Window should be [greater than X minutes] |
Domain | Password Complexity Requirements | Password | Verify Password Minimum Age should be [greater than X] |
Domain | Password Complexity Requirements | Password | Verify Password History Count should be [greater than X] |
Domain | Password Complexity Requirements | Password | Verify Password Reversible Encryption should be [Disabled] |
Domain | Trust Availability | Connectivity | Verify each Trust status is OK |
Domain | Trust Unconstrained TGTDelegation | Security | Verify each Trust TGTDelegation is set to True |
Domain | Kerberos Account Age | Security | Verify Kerberos Last Password Change Should be less than 180 days |
Domain | Groups: Account Operators | Security | Verify Group is empty |
Domain | Groups: Schema Admins | Security | Verify Group is empty |
Domain | User: Administrator | Security | Verify Last Password Change should be less than 360 days or account disabled |
Domain | DNS Forwarders | DNS | Verify DNS Forwarders are identical on all DNS nodes |
Domain | DNS Scavenging - Primary DNS Server | DNS | Verify DNS Scavenging is set to [X days] |
Domain | DNS Scavenging - Primary DNS Server | DNS | Verify DNS Scavenging State is set to True |
Domain | DNS Scavenging - Primary DNS Server | DNS | Verify DNS Scavenging Time is less than [X days] |
Domain | DNS Zone Aging | DNS | Verify DNS Zone Aging is set |
Domain | DNS Zones Forest 0ADEL | Configuration/DNS | Verify owner is not 0ADEL |
Domain | DNS Zones Domain 0ADEL | Configuration/DNS | Verify owner is not 0ADEL |
Domain | Well known folder - UsersContainer | WellKnownFolders | Verify folder is not at its defaults. |
Domain | Well known folder - ComputersContainer | WellKnownFolders | Verify folder is not at its defaults. |
Domain | Well known folder - DomainControllersContainer | WellKnownFolders | Verify folder is at its defaults. |
Domain | Well known folder - DeletedObjectsContainer | WellKnownFolders | Verify folder is at its defaults. |
Domain | Well known folder - SystemsContainer | WellKnownFolders | Verify folder is at its defaults. |
Domain | Well known folder - LostAndFoundContainer | WellKnownFolders | Verify folder is at its defaults. |
Domain | Well known folder - QuotasContainer | WellKnownFolders | Verify folder is at its defaults. |
Domain | Well known folder - ForeignSecurityPrincipalsContainer | WellKnownFolders | Verify folder is at its defaults. |
Domain | Orphaned Foreign Security Principals | Cleanup | Verify there are no orphaned FSP objects. |
Domain | Orphaned/Empty Organizational Units | Cleanup | Verify there are no orphaned Organizational Units |
Domain | Group Policy Missing Permissions | Configuration | Verify Authenticated Users/Domain Computers are on each and every Group Policy |
Domain | DFSR Sysvol | Configuration | Verify SYSVOL is DFSR |
Domain | NTDS Parameters | Configuration | Verify Domain Controller is writable (DSA Not Writable) |
Domain Controller | Information | Configuration | Verify Is enabled |
Domain Controller | Information | Configuration | Verify Is global catalog |
Domain Controller | Service Status | Services | Verify all {Services} are [running] |
Domain Controller | Service Status | Services | Verify all {Services} are set to [automatic startup] |
Domain Controller | Service Status (Print Spooler) | Security | Verify Print Spooler Service is set to disabled |
Domain Controller | Service Status (Print Spooler) | Security | Verify Print Spooler Service is stopped |
Domain Controller | Ping Connectivity | Connectivity | Verify DC is [reachable] |
Domain Controller | Ports | Connectivity | Verify Following ports 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389 are open |
Domain Controller | RDP Ports | Connectivity | Verify Following ports 3389 (RDP) is open |
Domain Controller | RDP Security | Connectivity | Verify NLA is enabled |
Domain Controller | LDAP Connectivity | Connectivity | Verify all {LDAP Ports} are [open] |
Domain Controller | LDAP Connectivity | Connectivity | Verify all {LDAP SSL Ports} are [open] |
Domain Controller | Windows Firewall | Connectivity | Verify windows firewall is enabled for all network cards |
Domain Controller | Windows Remote Management | Connectivity | Verify Windows Remote Management identification requests are managed |
Domain Controller | Resolves internal DNS queries | DNS | Verify DNS on DC [resolves Internal DNS] |
Domain Controller | Resolves external DNS queries | DNS | Verify DNS on DC [resolves External DNS] |
Domain Controller | Name servers for primary domain zone | DNS | Verify DNS Name servers for primary zone are identical |
Domain Controller | Responds to PowerShell Queries | PowerShell | Verify DC responds to PowerShell queries |
Domain Controller | TimeSettings | Time | Verify PDC should [sync time to external source] |
Domain Controller | TimeSettings | Time | Verify Non-PDC should [sync time to PDC emulator] |
Domain Controller | TimeSettings | Time | Verify Virtualized DCs should [sync to hypervisor during boot time only] |
Domain Controller | Time Synchronization Internal | Time | Verify Time Synchronization Difference to PDC [less than X seconds] |
Domain Controller | Time Synchronization External | Time | Verify Time Synchronization Difference to pool.ntp.org [less than X seconds] |
Domain Controller | Disk Free | Computer | Verify OS partition Free space is [at least X %] |
Domain Controller | Disk Free | Computer | Verify NTDS partition Free space is [at least X %] |
Domain Controller | Operating System | Computer | Verify Windows Operating system is Windows 2012 or higher |
Domain Controller | Windows Updates | Computer | Verify Last patch was installed less than 60 days ago |
Domain Controller | SMB Protocols | Security | Verify SMB v1 protocol is disabled |
Domain Controller | SMB Protocols | Security | Verify SMB v2 protocol is enabled |
Domain Controller | SMB Shares | Security | Verify default SMB shares NETLOGON/SYSVOL are visible |
Domain Controller | DFSR AutoRecovery | Security | Verify DFSR AutoRecovery is enabled |
Domain Controller | Windows Roles and Features | Security | Verify Windows Features for AD/DNS/File Services are enabled |
- PowerShell 5.1 - I know, bummer right?
- RSAT (which provides the ActiveDirectory and GroupPolicy modules) if run from a Windows 10 machine rather than on a server
When you use the Install-Module option, what happens in the background is that Windows uses the PowerShell Gallery (hosted by Microsoft) to download Testimo and any dependencies this module needs.
As it stands, all dependencies except one (DSInternals) are my other PowerShell modules.
Why am I using it this way? Because I don't want to write the same code over and over multiple times.
- Testimo - this module
- PSWinDocumentation.AD - PowerShell module whose main purpose is to deliver formatted/comprehensive Active Directory data for documentation purposes. It's read only.
- DSInternals - Directory Services Internals PowerShell Module and Framework by Michael Grafnetter - its main purpose here is to verify Active Directory passwords
- PSWinDocumentation.DNS - PowerShell module whose main purpose is to deliver formatted/comprehensive DNS data for documentation purposes (it's a bit of an unfinished product, but it works as far as Testimo is concerned). It's read only.
- ADEssentials - PowerShell module that's supposed to hold a bunch of useful Get/Set tools for Active Directory.
- PSSharedGoods - PowerShell module with lots of different, helpful functions that I have gathered over the years
- PSWriteColor - PowerShell module responsible for console colors
- Connectimo - PowerShell module responsible for connecting to O365 - while it's not in use in this project, PSSharedGoods depends on it, so it's here. No function is used from it.
- PSWriteHTML - PowerShell module that creates nice looking reports. Responsible for visual HTML reporting.
- Emailimo - PowerShell module that creates nice looking emails. Responsible for emails in Testimo.
In Testimo I'm using internal functions from some of these modules without any real documentation.
There are times when you may want to use Testimo in a portable way. The following function, when executed, will download all modules to the given path and load them for you. A separate blog post shows the way; it was written specifically for Testimo.
Initialize-ModulePortable -Name 'Testimo' -Path "$PSScriptRoot\TestimoPortable" -Download
After that, you can use Invoke-Testimo as you normally would.
You can also skip the -Download parameter if you already downloaded all the modules before.
This function is also available as part of the PSSharedGoods module.
In case you decide that Testimo is not for you, you can easily clean it up.
Unfortunately, since Testimo uses all those dependencies mentioned above, you will have to remove all those modules one by one.
Additionally, if you have been using Testimo and you update it using the Update-Module command and other modules got updated as well, it's possible there will be more than one version of said modules.
Keep in mind that if you already use some of my modules, some of this stuff may already be there and needed by different modules. Be careful when removing PowerShell modules.
- Find where the modules are stored:
(Get-Module -ListAvailable Testimo).ModuleBase
- Manually delete the Testimo folder and the folders of the dependent modules, or
- Run Uninstall-Module for each of them:
$Modules = @('Testimo', 'PSWinDocumentation.AD','PSWinDocumentation.DNS','ADEssentials', 'PSSharedGoods','PSWriteColor', 'Connectimo', 'DSInternals','Emailimo','PSWriteHTML' )
foreach ($Module in $Modules) {
    Uninstall-Module $Module -Force -AllVersions
}
Due to multiple versions of each module you may need to rerun this a couple of times to remove all those modules in case there are some problems.