Krishna has a security assessment script that pulls important security facts from Active Directory and generates nicely viewable reports in HTML format by highlighting the spots that require attention.
The powershell script covers:
- User account issues and Inactive accounts
- Users with ReversibleEncryptionPasswordArray
- Use Kerberos DES encryption types for this account
- Do not require Kerberos pre-authentication
- Review the domain password policy
- Tombstone lifetime and backups
- Unconstrained Kerberos delegation
- Scan SYSVOL for Group Policy Preference passwords
- Review KRBTGT account information
- Audit privileged AD groups
Security assessment helps to identify settings that do not meet the security standards. And remediation guidelines and best practices can be defined based on the assessment outcome.
Links: