Skip to content

Testimo is PowerShell module for running health checks for Active Directory (and later on any other server type) against a bunch of different tests

License

Notifications You must be signed in to change notification settings

freefox20000/Testimo

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Testimo - PowerShell Module

Testimo is a PowerShell Module to help with basic/more advanced testing of Active Directory and maybe in future other types of servers. Testimo is an alpha product and as such things do change. It's goal is to be fully automated solution where one can run the command and get results without executing 50 little functions.

If you're new to Testimo you should read this blog post!

Note: At present this module is not supported in PowerShell Core/PowerShell 7. This is because the Testimo module depends on other Microsoft moodules that are also not supported in PowerShell 7, including GroupPolicy and ServerManager. There is an issue tracking this compatibiity which you can follow: EvotecIT#110.

Things to know:

  • ✅ Configuration hash is not written in stone and can change rapidly as Testimo gets tested
  • ✅ Ideas are VERY welcome
  • ✅ There's a big mess in files/function names - I'm still testing things out creating some random names, will be cleaned up later on
  • ✅ There are lots of details missing for tests, and some things may not work as you want - please report issues or if you know how, fix them
  • ✅ I don't know EVERYTHING - I'm very open to help with making Testimo more robust, detailed and easy to use
  • ✅ This module works great in Windows PowerShell!

Known Issues / By Design

  • Requirements for Sources work differently then for Tests
    • For Sources when Requirements are not met Testimo skips it totally from output
    • For Tests when Requirements are not met Testimo marks it as skipped

Installation

Install-Module -Name Testimo -AllowClobber -Force

Force and AllowClobber aren't really nessecary but they do skip errors in case some appear.

Updates

Update-Module -Name Testimo

Alternatively, rerunnng Install-Module with force will trigger reinstallation or update

Install-Module -Name Testimo -AllowClobber -Force

That's it. Whenever there's new version you simply run the command and you can enjoy it. Remember, that you may need to close, reopen PowerShell session if you have already used module before updating it.

The important thing is if something works for you on production, keep using it till you test the new version on a test computer. I do changes that may not be big, but big enough that auto-update will break your code. For example, small rename to a parameter and your code stops working! Be responsible!

Usage

With output to screen and HTML

Invoke-Testimo

Generate all tests but display content only in PowerShell

Invoke-Testimo -HideHTML

Image Image Image

Please keep in mind that there is currently known issue that running all tests while works correctly generated HTML is very very slow when switching Tabs. It's advised to run seperate tests which will generate smaller file which will be more responsive

Invoke-Testimo -Source 'ForestOptionalFeatures','DomainWellKnownFolders','ForestSubnets' -Online -ReportPath $PSScriptRoot\Reports\TestimoSummary.html -AlwaysShowSteps

There are also other parameters available With option to be able to process output - for example to email

Invoke-Testimo -ReturnResults

Using Invoke-Testimo with non-default configuration

Following configuration allows you to:

  • Edit default TestImo configuration with some other values
  • Exclude one of the domains
  • Return Results for future processing
  • Limit sources to only 4 types (you could also limit that via Hashtable but this way is quicker for Adhoc enabling/disabling)
Import-Module Testimo

$OutputOrderedDictionary = Get-TestimoConfiguration
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.RecycleBinEnabled.Enable = $false
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.LapsAvailable.Enable = $true
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.LapsAvailable.Parameters.ExpectedValue = $false

$Sources = @(
    'ForestFSMORoles'
    'ForestOptionalFeatures'
    'ForestBackup'
    'ForestOrphanedAdmins'
    'DomainPasswordComplexity'
    'DomainKerberosAccountAge'
    'DomainDNSScavengingForPrimaryDNSServer'
    'DCWindowsUpdates'
)

$TestResults = Invoke-Testimo -PassThru -ExcludeDomains 'ad.evotec.pl' -Sources $Sources -Configuration $OutputOrderedDictionary
$TestResults | Format-Table -AutoSize *

Be sure to checkout Examples section for more How-To.

Changing default configuration

Testimo comes with preset rules that may not apply to your environment. You may want to change some things like disabling some tests or changing some values (to an extent). There are 3 ways to do it. Depending on how you want to save/edit/pass configuration to TestIMO - I leave it up to you.

Straight to FILE/JSON

Get-TestimoConfiguration -FilePath $PSScriptRoot\Configuration\TestimoConfiguration.json

Straight to JSON

Get-TestimoConfiguration -AsJson

Output to Hashtable so you can edit it freely and keep in ps1

$OutputOrderedDictionary = Get-TestimoConfiguration
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.RecycleBinEnabled.Enable = $false
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.LapsAvailable.Enable = $true
$OutputOrderedDictionary.ForestOptionalFeatures.Tests.LapsAvailable.Parameters.ExpectedValue = $false

ChangeLog

  • 0.0.68 - 2021.04.21

    • General
      • 🐛 Small detection of problems with gathering information about Forest
    • Tests
      • 📦 Added DomainSecurityDelegatedObjects
  • 0.0.67 - 2021.04.07

    • Tests
    • 💡 Improved DomainGroupPolicyAssessment
  • 0.0.66 - 2021.04.07

    • Tests
      • 📦 Added DomainSecurityComputers
      • 🔠 Renamed DomainGroupPolicyAssessment due to typo #124 / tnx JasonCook599
      • 🐛 Fixed DomainGroupPolicyAssessment empty and problematic GPOs detection condition #124 / tnx JasonCook599
  • 0.0.65 - 2021.03.23

    • Tests
      • Improvement DomainSecurityUsers
      • Improvement DomainSecurityKRBGT
    • General
      • Improvement of HTML
  • 0.0.64 - 2021.03.23

    • Tests
      • Improvement DomainSecurityUsers
      • Improvement DomainSecurityKRBGT
    • General
      • Improvement of HTML
  • 0.0.63 - 2021.03.23

    • Tests
      • Improvement ForestSubnets
  • 0.0.62 - 2021.03.20

    • Tests
      • Fixed DCDNSResolveExternal reported in #122
      • Improvement ForestTrusts
    • General
      • Improvement of HTML
  • 0.0.61 - 2021.03.17

    • Tests
      • Improved ForestTrusts
      • Improved ForestRoles
    • General
      • Improvement of HTML
  • 0.0.60 - 2021.03.17

    • Tests
      • Improved ForestSubnets
      • Improved ForestSites
      • Improved ForestOptionalFeatures
      • Improved ForestBackup
      • Improved ForestTombstoneLifetime
      • Improved DomainDomainControllers
      • Improved DomainLDAP
      • Improved DomainOrphanedSecurityPrincipals
    • General
      • Added AlwaysShowSteps
      • Improved support for new PSWriteHTML
  • 0.0.59 - 2021.03.01

    • General
      • Misspelled word in report (Extream -> Extreme) #120 - tnx mojomojoman
  • 0.0.58 - 2021.02.25

    • Tests
      • Added ForestSubnets
      • Improved DomainDomainControllers
      • Improved DomainLDAP
      • Improved ForestBackup
      • Improved ForestOrphanedAdmins
      • Improved ForestConfigurationPartitionOwners
      • Improved DomainDuplicateObjects
      • Improved ForestSites
    • General
      • Improved reporting
      • Improved reporting status (assesment)
  • 0.0.57 - 2021.02.21

    • Tests
      • Added DomainLDAP - takes over DCLDAP
      • Disabled DCLDAP by default. Still there just not used.
      • Improved ForestOrphanedAdmins
      • Improved ForestConfigurationPartitionOwners
      • Improved DomainDuplicateObjects
      • Improved DomainDomainControllers
    • General
      • Renamed Parameter ReturnResults to PassThru (left as an alias)
      • Fixed loading configuration from JSON/File/HashTable - Configuration changed so much rebuild will be required
      • Fixed saving configuration to JSON/File/HashTable - Configuration changed so much rebuild will be required
      • Parameter for Invoke-Testimo ShowReport is deprecated and doesn't do anything
      • Parameter for Invoke-Testimo HideHTML was added and prevents auto-opening of HTML
      • Parameter for Invoke-Testimo HideSteps/HideSolution was added to hide solution/steps in case it's not needed
      • Added additional information about HTML report generating where the file was saved (useful if no FilePath was provided)
      • Parameter ReportPath was renamed to FilePath, ReportPath is still an alias - to get it the same as GPOZaurr
    • Reporting
      • Solution/Steps added to Report when available for display
      • Reporting is still getting more and more changes
  • 0.0.56 - 2021.02.07

    • Tests
      • Improved ForestOrphanedAdmins
      • Added ForestConfigurationPartitionOwners
      • Improved DomainDuplicateObjects
      • Improved DomainDomainControllers
      • Improved DCTimeSynchronizationExternal
    • Reporting
      • HTML report updated with new format, still not final
      • Added Importance/Category visibility in HTML -> if only those were updated in all tests 🤣
      • Added Description visibility in HTML -> if only those were updated in all tests 🤣
      • Added Resources visibility in HTML -> if only those were updated in all tests 🤣
  • 0.0.55 - 2021.02.02

    • Improvement to report (domain section)
    • Improvement to DomainDuplicateObjects
    • Improvement to OrphanedForeignSecurityPrincipals
    • Removed ForestDuplicateObjects - duplicate of DomainDuplicateObjects
  • 0.0.54 - 2021.01.29

    • Fixes report to work with IE 11 (not great, not bad either)
  • 0.0.53 - 2021.01.28

    • Improved DomainDomainControllers
  • 0.0.52 - 2021.01.27

    • Improved DCUNCHardenedPaths to check for multiple values
  • 0.0.51 - 2021.01.26

    • Fix for Invoke-Testimo crashing on dead/non-responding/no-access DC #117
  • 0.0.50 - 2021.01.25

    • Fix for Invoke-Testimo returning more than one line of error which would stop Testimo #116
  • 0.0.49 - 2021.01.25

    • Fix for Invoke-Testimo not working correctly with some tests #116
    • Improved some tests
    • Reporting
      • HTML report improved a bit for Domain based checks
  • 0.0.48 - 2021.01.21

    • Fix for Invoke-Testimo not working when no tests are defined
    • Tests
      • Added DomainDomainControllers - covers DC ACL owner, DC Manager, DC Password Last Set, DC Last Logon, Enabled
  • 0.0.47 - 2021.01.19

    • Improvements
      • Added warning & errors to HTML
      • Removed dependency on PSWinDocumentation.AD temporary (no tests for now)
    • Tests
      • Removed DomainGroupPolicyPermissionUnknown
      • Removed GroupPolicyMissingPermissions
      • Added DomainGroupPolicyPermissions - covers unknown, adminitrative, authenticated users and system (both removed + some)
      • Removed DomainGroupPolicyEmptyUnlinked
      • Added DomainGroupPolicyAssesment - covers empty, unlinked, disabled, with problem, optimized, no apply permission
      • Added DomainNetLogonOwner
      • Improved ForestSiteLinksConnections #92
      • Improved ForestTombstoneLifetime - support for forest
  • 0.0.46 - 2020.10.29

    • Improvement to HTML
      • DataStore is now set to JavaStore which allows handling of more data within single HTML file
      • Should have less errors on tab switching
      • Known issue: with lots of tables/charts switching between tabs can take time, be patient
    • Improvement to DomainSecurityKRBGT
    • Improvement to DCWindowsUpdates
    • Removed DomainKerberosAccountAge as it's identical to DomainSecurityKRBGT
    • Removed DomainTrusts as it wasn't really working great
    • Added ForestTrusts with improvements
    • ForestObjectsWithConflict renamed to ForestDuplicateObjects
    • ForestDuplicateObjects disabled by default (same thing as DomainDuplicateObjects just done forest wide)
    • DomainDuplicateObjects enabled by default (same thing as forest just done per domain)
    • DCTimeSettings updated with proper NTP recommendation #65 - tnx SolidKnight, SUBnet192, itpro-tips
  • 0.0.45 - 2020.10.20

    • Reversed on HTML change due to issues
  • 0.0.44 - 2020.10.19

    • HTML
      • HTML report should now be much faster to work with even with larger datasets
    • Tests
      • DomainWellKnownFolders - removed duplicate code
      • Added some additional descriptions to tests, still long way to go
      • Small name fix for DomainGroupPolicySysvol
      • DomainGroupPolicyEmptyUnlinked - added new test
      • Silent GitHub version check
      • Fixes working with lowercase source names
      • Fixes issue Service Status fails on value "Auto" #106 due to change in PSSharedGoods
  • 0.0.43 - 2020.06.17

    • Tests
      • Small name update to OrganizationalUnitsEmpty and OrganizationalUnitsProtected fixing #103
  • 0.0.42 - 2020.06.08

    • Tests
      • Fix for DCNetSessionEnumeration not run against target #102
    • Engine
      • Better Sources handling during typing
  • 0.0.41 - 2020.06.06

    • Engine
      • Renamed MustExists to ExpectedOutput for Parameters in Tests for unified experience
      • Added ExpectedResult for Parameters in Tests
        • This works in a way where if we use WhereObject filtering on Array you can check if output is given or not and fail/pass right away
        • This brings 3 ways to test ExpectedCount, ExpectedValue or ExpectedResult
        • ExpectedResult ignores all other settings in parameters except for WhereObject
    • Tests
      • Added DomainGroupPolicyPermissionConsistency (requires GPOZaurr PowerShell module)
      • Added DomainGroupPolicyOwner (requires GPOZaurr PowerShell module)
        • Test for: GPO: Owner Consistent
        • Test for: GPO: Owner Administrative
      • Added DomainGroupPolicyPermissionUnknown (requires GPOZaurr PowerShell module)
      • Added DomainGroupPolicySysvol (requires GPOZaurr PowerShell module)
      • Renamed DCGroupPolicySYSVOL to DCGroupPolicySYSVOLDC to prevent conflict with per Domain checks
      • Replaced DomainGroupPolicyADM with GPOZaurr command
  • 0.0.40 - 2020.05.09

    • Engine
      • ExpectedOutput is now required for Source
    • Tests
      • ExpectedOutput (true/false/null) added for all tests
      • Fix regression ForestReplicationStatus if multiple DC
      • Fix regression ForestReplication if multiple DC
      • Added DomainDuplicateObjects test - finds CNF objects
  • 0.0.39 - 2020.04.11

    • Engine
      • Add requirements (IsInternalForest = $true) for tests that do not support external forest (such as repadmin)
      • Fixed ExpectedCount not working correctly for some values (no sure why it worked at all)
    • Reporting
      • Improved output to not include empty tabs
    • Tests
      • Improved ForestReplicationStatus if only 1 DC, disabled if asking for external forest
      • Improved ForestReplication if only 1 DC
      • Renamed DomainEmptyOrganizationalUnits to DomainOrganizationalUnitsEmpty
      • Added DomainOrganizationalUnitsProtected
      • Improved DCServices for non-existing spooler service
      • Changed DomainPasswordComplexity Lockout Treshold changed to 5+
      • Renamed DCNetSessionEnumaration to DCNetSessionEnumeration - tnx subnet192 #99
      • Added DCDNSForwarders - DNS: More than one forwarding server should be configured
      • Added DomainExchangeUsers - Exchange Users: Missing MailNickName monitors for issue described on blog
      • Improved DNSScavengingForPrimaryDNSServer
    • Other
      • Fix typos - tnx subnet192 #99
  • 0.0.38 - 2020.03.14

    • Added GroupPolicy and ActiveDirectory to RequiredModules and ExternalModuleDependencies preventing error reported in #91
  • 0.0.37 - 2020.03.13

    • Engine
      • Update to DomainSecurityUsers to exclude DomainGuests
      • Fix for ExpectedOutput $false
    • Tests
      • Fix for DomainSecurityUsers - tnx itpro-tips #89
      • Added DomainSecurityKRBGT
      • Improved DCNetworkSettings - DNS: DNS servers on Ethernet should include the loopback address, but not as the first entry - #90 - tnx itpro-tips
      • Improved DCNetworkSettings - DNS: Ethernet should have static IPv4 settings (disabled by default) - #90 - tnx itpro-tips
      • Improved DCLanManServer - ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression - Disabled by default, as patch is available
  • 0.0.36 - 2020.03.04

    • Engine
      • Fix for broken tests
  • 0.0.35 - 2020.03.04

    • Engine
      • Added MustExists (True/False) for Parameters
      • Fixes for In/NotIn
      • Fixes for Inclusion/Exclusion DC/Domain
      • Fixes for ExpectedCount 0 not working
    • Tests
      • DCServices Improvement with XBOX Service
      • Added DCSMBSharesPermissions
      • Added DomainSecurityUsers
      • Added DCUNCHardenedPaths - read potential issues of implementing UNC Hardened Paths. If you enable and things go south GPOs won't work.
  • 0.0.34 - 2020.01.29

    • Tests
      • Modify repadmin (ForestReplicationStatus) for non-english OS #86 - tnx Fiyorden
  • 0.0.33 - 2020.01.28

    • Tests
      • Fixing legacy ADM files check - #84 - tnx PMORMR
  • 0.0.32 - 2020.01.27

    • Tests
      • Fix for DCGroupPolicySYSVOL - #83 - tnx PMORMR
  • 0.0.31 - 2020.01.23

    • Engine
      • Fix for loading configuration
  • 0.0.30 - 2020.01.19

    • Engine
      • Fix for version checks
  • 0.0.29 - 2020.01.19

    • Engine
      • Added IncludeDomain, IncludeDomainControllers (when used skips Exclusions)
        • This requires heavy improvements - soon enough
      • Fixes issue when first running single source and then running all tests (it would use the "old source" instead of using defaults)
    • Tests
      • Fix for Windows Roles and Feature for other language (non-english) #79 - tnx Fiyorden
      • Added LDAPInsecureBindings
  • 0.0.28 - 2019.12.29

    • Engine
      • Fix for not running tests for DC if no Forest/Domain tests are present
      • Added -SkipRODC parameter to skip DCs that are RODC
  • 0.0.27 - 2019.12.26

    • Engine
      • Better support for Portable Testimo
  • 0.0.26 - 2019.12.26

    • Engine
      • Improvments to some error handling
      • Added Version/Date Published (#72)
      • Do not run Tests for Domain/DomainControllers if not enabled
    • Updated modules
      • ADEssentials to 0.0.27 (Get-WinADDFSHealth fixed)
      • Other dependencies also updated
    • Tests
      • Fix for DNSForwaders
      • Added DomainComputersUnsupported (older than 2008)
      • Added DomainComputersUnsupportedMainstream (2008 computers with support from Microsoft)
  • 0.0.25 - 2019.11.18

    • Engine
      • Small configuration saving fixes
      • Added version
    • Tests
      • ForestObjectsWithConflict - Added
      • DCRDPSecurity - Added
        • Minimum Encryption Level
      • DCServiceWINRM - Added
        • DisableRunAS
      • DCSMBProtocols - added BPA findings - Added
        • AutoDisconnectTimeout
        • CachedOpenLimit
        • DurableHandleV2TimeoutInSeconds
        • EnableSMB1Protocol
        • EnableSMB2Protocol
        • MaxThreadsPerQueue
        • Smb2CreditsMin
        • Smb2CreditsMax
        • RequireSecuritySignature
      • DCNetSessionEnumeration (Net Cease) - Added
        • Hardening Net Session Enumeration
      • DCLanManServer - Added
        • Microsoft network server: Digitally sign communications (if client agrees)
        • Microsoft network server: Digitally sign communications (always)
        • Users are not forcibly disconnected when logon hours expire.
  • 0.0.23 - 2019.10.08

    • Tests
      • DCDiagnostics - Added
        • Basically wrapper over DcDiag
          • Checks Connectivity
          • Checks Advertising
          • Checks CheckSecurityError
          • Checks CutoffServers
          • Checks FrsEvent
          • Checks DFSREvent
          • Checks SysVolCheck
          • Checks FrsSysVol
          • Checks KccEvent
          • Checks KnowsOfRoleHolders
          • Checks MachineAccount
          • Checks NCSecDesc
          • Checks NetLogons
          • Checks ObjectsReplicated
          • Checks Replications
          • Checks RidManager
          • Checks Services
          • Checks SystemLog
          • Checks Topology
          • Checks VerifyEnterpriseReferences
          • Checks VerifyReferences
          • Checks VerifyReplicas
          • Checks DNS
          • Checks ForestDnsZonesCheckSDRefDom
          • Checks ForestDnsZonesCrossRefValidation
          • Checks DomainDnsZonesCheckSDRefDom
          • Checks DomainDnsZonesCrossRefValidation
          • Checks SchemaCheckSDRefDom
          • Checks SchemaCrossRefValidation
          • Checks ConfigurationCheckSDRefDom
          • Checks ConfigurationCrossRefValidation
          • Checks NetbiosCheckSDRefDom
          • Checks NetbiosCrossRefValidation
          • Checks DNSDomain
          • Checks LocatorCheck
          • Checks FsmoCheck
          • Checks Intersite
      • DCEventLog - Added
        • Check for Application Log - LogMode/LogFull
        • Check for System Log - LogMode/LogFull
        • Check for PowerShell Log - LogMode/LogFull
        • Check for Security Log - Size/SizeMax/LogMode/LogFull
        • Check for Security Log - Default Security Permissions
      • DCTimeSynchronizationExternal
      • DCDFS - Added
        • DFS should be Healthy
        • Central Repository for GPO for Domain should be available
        • Central Repository for GPO for DC should be available
        • GPO Count should match folder count
        • MemberReference should return TRUE
        • DFSErrors should be 0
        • DFSLocalSetting should be TRUE
        • DomainSystemVolume should be TRUE
        • SYSVOLSubscription should be TRUE
        • DFSR AutoRecovery should be enabled (not stopped)
      • DCDFSRAutoRecovery - DELETED
        • Moved to DCDFS
      • DomainDHCPAuthorized - Added but DISABLED
        • Check added, by default disabled.
      • DCTimeSettings
      • DomainGroupPolicyADM - Added
        • Added check for legacy ADM files
      • DCGroupPolicySYSVOL - Added
        • Added check if all GPO's have their folder on SYSVOL
      • DCLanManagerSettings - Added
        • Added checks for Lan Manager Settings
      • DCTimeSynchronizationInternal
        • Added check for LastBootUpTime be less than X (60) days
    • Engine
      • Added checks for potential NULL after Where-Object (fails tests now, while before it would ignore it)
      • Added parameters for SourceParameters for use within Sources #41 - tnx James Rudd
      • Changed export / import configuration to support SourceParameters/ExpectedOutput. #41 - tnx James Rudd
      • Support for Requirements/CommandAvailable
  • 0.0.22 - 2019.09.10

    • Tests
      • DCPorts - typo fix OPEN vs CLOSED
  • 0.0.21 - 2019.09.10

    • Tests
      • DCPorts - Checking for port 139 - Require PORT CLOSED (#29 - tnx SP3269)
      • DCNetworkSettings - Netbios TCPIP settings on network card - Require DISABLED (#29 - tnx SP3269)
      • DCWindowsFirewall - was renamed to DCNetworkSettings
      • DomainEmptyOrganizationalUnits - fix for lacking Contacts (#32 - tnx JasonCook599)
      • DNSScavengingForPrimaryDNSServer - fix LT should be GT (#33 - tnx JasonCook599)
      • DomainDNSZonesForest0ADEL - Added new test
      • DomainDNSZonesDomain0ADEL - Added new test
    • Engine
      • Support for match/notmatch/notcontains
  • 0.0.20 - 2019.09.09

    • Fix for configuration loading from JSON file (#30 - tnx Alex)
  • 0.0.19 - 2019.09.08

    • First public release - More information in blog post!

Comments

Keep in mind not all tests apply to each environment. I'm adding those to be flexible and be able to test things as needed. Each of those tests will need additional description and recommendation, most likely with links and steps to fix. Some of the tests are very basic and will need feedback, work on making it a robust test. Nothing is written in stone for now. Things can change day by day.

Things to consider

  • Criticality of Tests - some tests are critical, some are less critical, some are informative only
  • Recommended, Default, Sane - not all tests are equal or make sense in all conditions

Tests are based on:

Type Name Area Description
Forest Backup Backup Verify last backup time should be [less than X days]
Forest Replication Connectivity Verify each DC in replication site can [reach other replication members]
Forest Replication using Repadmin Connectivity Verify each DC in replication site can [reach other replication members]
Forest Optional Features Features Verify Optional Feature Recycle Bin should be [Enabled]
Forest Optional Features Features Verify Optional Feature Privileged Access Management Feature should be [Enabled]
Forest Optional Features Features Verify Optional Feature Laps should be enabled [Configured]
Forest Sites Verification Sites Verify each site has at least [one subnet configured]
Forest Sites Verification Sites Verify each site has at least [one domain controller configured]
Forest Site Links Site Links Verify each site link is automatic
Forest Site Links Site Links Verify each site link uses notifications
Forest Site Links Site Links Verify each site link does not use notifications
Forest Roles Connectivity Verify each FSMO holder is [reachable]
Forest Orphaned/Empty Admins Security Verify there are no Orphaned Admins (users/groups/computers)
Forest Tombstone Lifetime Features Verify Tombstone lifetime is greater or equal 180 days
Domain Roles Connectivity Verify each FSMO holder is [reachable]
Domain Password Complexity Requirements Password Verify Password Complexity Policy should be [Enabled]
Domain Password Complexity Requirements Password Verify Password Length should be [greater than X]
Domain Password Complexity Requirements Password Verify Password Threshold should be [greater than X]
Domain Password Complexity Requirements Password Verify Password Lockout Duration should be [greater than X minutes]
Domain Password Complexity Requirements Password Verify Password Lockout Observation Window should be [greater than X minutes]
Domain Password Complexity Requirements Password Verify Password Minimum Age should be [greater than X]
Domain Password Complexity Requirements Password Verify Password History Count should be [greater than X]
Domain Password Complexity Requirements Password Verify Password Reversible Encryption should be [Disabled]
Domain Trust Availability Connectivity Verify each Trust status is OK
Domain Trust Unconstrained TGTDelegation Security Verify each Trust TGTDelegation is set to True
Domain Kerberos Account Age Security Verify Kerberos Last Password Change Should be less than 180 days
Domain Groups: Account Operators Security Verify Group is empty
Domain Groups: Schema Admins Security Verify Group is empty
Domain User: Administrator Security Verify Last Password Change should be less than 360 days or account disabled
Domain DNS Forwarders DNS Verify DNS Forwarders are identical on all DNS nodes
Domain DNS Scavenging - Primary DNS Server DNS Verify DNS Scavenging is set to [X days]
Domain DNS Scavenging - Primary DNS Server DNS Verify DNS Scavenging State is set to True
Domain DNS Scavenging - Primary DNS Server DNS Verify DNS Scavenging Time is less than [X days]
Domain DNS Zone Aging DNS Verify DNS Zone Aging is set
Domain DNS Zones Forest 0ADEL Configuration/DNS Verify owner is not 0ADEL
Domain DNS Zones Domain 0ADEL Configuration/DNS Verify owner is not 0ADEL
Domain Well known folder - UsersContainer WellKnownFolders Verify folder is not at it's defaults.
Domain Well known folder - ComputersContainer WellKnownFolders Verify folder is not at it's defaults.
Domain Well known folder - DomainControllersContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - DeletedObjectsContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - SystemsContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - LostAndFoundContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - QuotasContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - ForeignSecurityPrincipalsContainer WellKnownFolders Verify folder is at it's defaults.
Domain Orphaned Foreign Security Principals Cleanup Verify there are no orphaned FSP objects.
Domain Orphaned/Empty Organizational Units Cleanup Verify there are no orphaned Organizational Units
Domain Group Policy Missing Permissions Configuration Verify Authenticated Users/Domain Computers are on each and every Group Policy
Domain DFSR Sysvol Configuration Verify SYSVOL is DFSR
Domain NTDS Parameters Configuration Verify Domain Controller is writable (DSA Not Writable)
Domain Controller Information Configuration Verify Is enabled
Domain Controller Information Configuration Verify Is global catalog
Domain Controller Service Status Services Verify all {Services} are [running]
Domain Controller Service Status Services Verify all {Services} are set to [automatic startup]
Domain Controller Service Status (Print Spooler) Security Verify Print Spooler Service is set to disabled
Domain Controller Service Status (Print Spooler) Security Verify Print Spooler Service is stopped
Domain Controller Ping Connectivity Connectivity Verify DC is [reachable]
Domain Controller Ports Connectivity Verify Following ports 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389 are open
Domain Controller RDP Ports Connectivity Verify Following ports 3389 (RDP) is open
Domain Controller RDP Security Connectivity Verify NLA is enabled
Domain Controller LDAP Connectivity Connectivity Verify all {LDAP Ports} are open]
Domain Controller LDAP Connectivity Connectivity Verify all {LDAP SSL Ports} are open]
Domain Controller Windows Firewall Connectivity Verify windows firewall is enabled for all network cards
Domain Controller Windows Remote Management Connectivity Verify Windows Remote Management identification requests are managed
Domain Controller Resolves internal DNS queries DNS Verify DNS on DC [resolves Internal DNS]
Domain Controller Resolves external DNS queries DNS Verify DNS on DC [resolves External DNS]
Domain Controller Name servers for primary domain zone DNS Verify DNS Name servers for primary zone are identical
Domain Controller Responds to PowerShell Queries PowerShell Verify DC responds to PowerShell queries
Domain Controller TimeSettings Time Verify PDC should [sync time to external source]
Domain Controller TimeSettings Time Verify Non-PDC should [sync time to PDC emulator]
Domain Controller TimeSettings Time Verify Virtualized DCs should [sync to hypervisor during boot time only]
Domain Controller Time Synchronization Internal Time Verify Time Synchronization Difference to PDC [less than X seconds]
Domain Controller Time Synchronization External Time Verify Time Synchronization Difference to pool.ntp.org [less than X seconds]
Domain Controller Disk Free Computer Verify OS partition Free space is [at least X %]
Domain Controller Disk Free Computer Verify NTDS partition Free space is [at least X %]
Domain Controller Operating System Computer Verify Windows Operating system is Windows 2012 or higher
Domain Controller Windows Updates Computer Verify Last patch was installed less than 60 days ago
Domain Controller SMB Protocols Security Verify SMB v1 protocol is disabled
Domain Controller SMB Protocols Security Verify SMB v2 protocol is enabled
Domain Controller SMB Shares Security Verify default SMB shares NETLOGON/SYSVOL are visible
Domain Controller DFSR AutoRecovery Security Verify DFSR AutoRecovery is enabled
Domain Controller Windows Roles and Features Security Verify Windows Features for AD/DNS/File Services are enabled

Dependencies

  • PowerShell 5.1 - I know, bummer right?
  • RSAT if run externally from Windows 10 machine

When you use the Install-Module option what happens in the backgrouns is that Windows will use PowershellGallery (hosted by Microsoft) to download Testimo and any dependencies this module needs. As it stands all dependencies except one (DSInternals) are my other PowerShell Modules. Why I am using it this way? Because I don't want to write multiple times the same code over and over.

  • Testimo - this module
    • PSWinDocumentation.AD - PowerShell Module that's main purpose is deliver formmated/compressive Active Directory data for documentation purposes. It's read only.
      • DSInternals - Directory Services Internals PowerShell Module and Framework by Michael Grafnetter - it's main purpose is to verify Active Directory Passwords
    • PSWinDocumentation.DNS - PowerShell Module that's main purpose is deliver formmated/compressive DNS data for documentation purposes (it's a bit unfinished product but it works as far Testimo is concerned). It's read only.
    • ADEssentials - PowerShell Module that's supposed to hold a bunch of useful Get/Set tools for Active Directory.
    • PSSharedGoods - PowerShell Module with lots of different, helpfull functions that I have gathered over the years
      • PSWriteColor - PowerShell Module responsible for Console Colors
      • Connectimo - PowerShell Module responsible for Connecting to O365 - while it's not in use in this project PSSharedGoods depends on it, so it's here. No function is used from it.
    • PSWriteHTML - PowerShell Module that creates nice looking reports. Responsible for visual HTML reporting.
    • Emailimo - PowerShell Module that creates nice looking emails. Responsible for emails in Testimo.

In Testimo I'm using internal functions from some of the modules without any real documentation.

Portability

There are times where you may want to use Testimo in Portable way. Following function when executed will download all modules to given path and load them for you. Following blog post shows the way. It was written specifically for Testimo.

Initialize-ModulePortable -Name 'Testimo' -Path "$PSScriptRoot\TestimoPortable" -Download

After that,, you can use Invoke-Testimo as you normally would. You can also skip Download parameter if you already downloaded all the modules before. This function is also available as part of PSSharedGoods module.

Removal

In case you decide that Testimo is not for you, you can easily clean it up. Unfortunetly since Testimo uses all those dependencies as mentioned above you will have to remove all those modules one by one. Additionally if you have been using Testimo and you update it using Update-Module command and other modules got updated as well, it's possible there will be more then 1 version of said modules. Keep in mind that if you already use some of my modules some of the stuff may be already there and needed for different modules. Be careful when removing PowerShellModules.

Option 1

  • Finding where modules are stored (Get-Module -ListAvailable Testimo).ModuleBase
  • Manually deleting all folders Testimo, and other dependant modules

Option 2

  • Run Uninstall-Module
$Modules = @('Testimo', 'PSWinDocumentation.AD','PSWinDocumentation.DNS','ADEssentials', 'PSSharedGoods','PSWriteColor', 'Connectimo', 'DSInternals','Emailimo','PSWriteHTML' )
foreach ($Module in $Modules) {
    Uninstall-Module $Module -Force -AllVersions
}

Due to multiple versions per each module you may need to rerun this couple of times to remove all those mdoules in case there are some problems.

About

Testimo is PowerShell module for running health checks for Active Directory (and later on any other server type) against a bunch of different tests

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • PowerShell 100.0%