-
Notifications
You must be signed in to change notification settings - Fork 0
/
ADDSPAMReport.ps1
107 lines (90 loc) · 2.91 KB
/
ADDSPAMReport.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
$Date = get-date
Import-Module activedirectory
$HTMLHead=@"
<title>PAM Report</title>
<Head>
<STYLE>
BODY{background-color :#FFFFF}
TABLE{Border-width:thin;border-style: solid;border-color:Black;border-collapse: collapse;}
TH{border-width: 1px;padding: 1px;border-style: solid;border-color: black;background-color: ThreeDShadow}
TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color: Transparent}
</STYLE>
</HEAD>
"@
$DomainAdmins = Get-ADGroupMember "Domain Admins" -Recursive | Get-AdUser -Property LastLogonDate | select name,distinguishedName,Enabled,LastLogonDate | ConvertTo-HTML
[array]$DAUsers = (Get-ADGroupmember -Identity "Domain Admins" -Recursive)
$DACount = $DAUsers.count
$EnterpriseAdmins = Get-ADGroupMember "Enterprise Admins" -Recursive | Get-AdUser -Property LastLogonDate | select name,distinguishedName,Enabled,LastLogonDate | ConvertTo-HTML
[array]$EAUsers = (Get-ADGroupmember -Identity "Enterprise Admins" -Recursive)
$EACount = $EAUsers.count
$Administrators = Get-ADGroupMember "Administrators" -Recursive | Get-AdUser -Property LastLogonDate | select name,distinguishedName,Enabled,LastLogonDate | ConvertTo-HTML
[array]$AUsers = (Get-ADGroupmember -Identity "Administrators" -Recursive)
$ACount = $AUsers.count
$BackupOps = Get-ADGroupMember "Backup Operators" -Recursive | Get-AdUser -Property LastLogonDate | select name,distinguishedName,Enabled,LastLogonDate | ConvertTo-HTML
[array]$BOUsers = (Get-ADGroupmember -Identity "Backup Operators" -Recursive)
$BOCount = $BOUsers.count
$SchemaAdmins = Get-ADGroupMember "Schema Admins" -Recursive | Get-AdUser -Property LastLogonDate | select name,distinguishedName,Enabled,LastLogonDate | ConvertTo-HTML
[array]$SAUsers = (Get-ADGroupmember -Identity "Schema Admins" -Recursive)
$SACount = $SAUsers.count
#HTML Body Content
$HTMLBody = @"
<CENTER>
<Font size=4><B>Privileged Access Management Report</B></font></BR>
<I>Script last run:$date</I><BR />
Objective: Show user accounts that have escalated privileges. Service Accounts should be an exception.</BR>
<B>Domain Admins</B><BR />
<TABLE>
<TR>
<TD>$DomainAdmins</TD>
</TR>
</TABLE>
</BR>
<B>Enterprise Admins</B><BR />
<TABLE>
<TR>
<TD>$EnterpriseAdmins</TD>
</TR>
</TABLE>
</BR>
<B>Administrators</B><BR />
<TABLE>
<TR>
<TD>$Administrators</TD>
</TR>
</TABLE>
</BR>
<B>Backup Operators</B><BR />
<TABLE>
<TR>
<TD>$BackupOps</TD>
</TR>
</TABLE>
</BR>
<B>Schema Admins</B><BR />
<TABLE>
<TR>
<TD>$SchemaAdmins</TD>
</TR>
</TABLE>
</BR>
<B>Active Directory Admin Count</B><BR />
<TABLE>
<TR>
<TD>Domain Admins</TD>
<TD>Enterprise Admins</TD>
<TD>Administrators</TD>
<TD>Backup Operators</TD>
<TD>Schema Admins</TD>
</TR>
<TR>
<TD>$DACount</TD>
<TD>$EACount</TD>
<TD>$ACount</TD>
<TD>$BOCount</TD>
<TD>$SACount</TD>
</TR>
</TABLE>
</CENTER></BR>
"@
#Export to HTML
$StatusUpdate | ConvertTo-HTML -head $HTMLHead -body $HTMLBody | out-file "c:\temp\pamreport.html" -Append