Skip to content
Testimo is PowerShell module for running health checks for Active Directory (and later on any other server type) against a bunch of different tests
PowerShell
Branch: master
Clone or download
This branch is 28 commits behind EvotecIT:master.

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Example
Private
Public
Publish
LICENSE
README.MD
Testimo.psd1
Testimo.psm1

README.MD

Testimo - PowerShell Module

Testimo is a PowerShell Module to help with basic/more advanced testing of Active Directory and maybe in future other types of servers. Testimo is an alpha product and as such things do change. It's goal is to be fully automated solution where one can run the command and get results without executing 50 little functions.

If you're new to Testimo you should read this blog post!

Things to know:

  • Configuration hash is not written in stone and can change rapidly as Testimo gets tested
  • Ideas are VERY welcome
  • There's a big mess in files/function names - I'm still testing things out creating some random names, will be cleaned up later on
  • There are lots of details missing for tests, and some things may not work as you want - please report issues or if you know how, fix them
  • I don't know EVERYTHING - I'm very open to help with making Testimo more robust, detailed and easy to use

ChangeLog

  • 0.0.37 - Unreleased

    • Engine
      • Update to DomainSecurityUsers to exclude DomainGuests
      • Fix for ExpectedOutput $false
    • Tests
      • Fix for DomainSecurityUsers - tnx itpro-tips #89
      • Added DomainSecurityKRBGT
      • Improved DCNetworkSettings - DNS: DNS servers on Ethernet should include the loopback address, but not as the first entry - #90 - tnx itpro-tips
      • Improved DCNetworkSettings - DNS: Ethernet should have static IPv4 settings (disabled by default) - #90 - tnx itpro-tips
  • 0.0.36 - 2020.03.04

    • Engine
      • Fix for broken tests
  • 0.0.35 - 2020.03.04

    • Engine
      • Added MustExists (True/False) for Parameters
      • Fixes for In/NotIn
      • Fixes for Inclusion/Exclusion DC/Domain
      • Fixes for ExpectedCount 0 not working
    • Tests
      • DCServices Improvement with XBOX Service
      • Added DCSMBSharesPermissions
      • Added DomainSecurityUsers
      • Added DCUNCHardenedPaths - read potential issues of implementing UNC Hardened Paths. If you enable and things go south GPOs won't work.
  • 0.0.34 - 2020.01.29

    • Tests
      • Modify repadmin (ForestReplicationStatus) for non-english OS #86 - tnx Fiyorden
  • 0.0.33 - 2020.01.28

    • Tests
      • Fixing legacy ADM files check - #84 - tnx PMORMR
  • 0.0.32 - 2020.01.27

    • Tests
      • Fix for DCGroupPolicySYSVOL - #83 - tnx PMORMR
  • 0.0.31 - 2020.01.23

    • Engine
      • Fix for loading configuration
  • 0.0.30 - 2020.01.19

    • Engine
      • Fix for version checks
  • 0.0.29 - 2020.01.19

    • Engine
      • Added IncludeDomain, IncludeDomainControllers (when used skips Exclusions)
        • This requires heavy improvements - soon enough
      • Fixes issue when first running single source and then running all tests (it would use the "old source" instead of using defaults)
    • Tests
      • Fix for Windows Roles and Feature for other language (non-english) #79 - tnx Fiyorden
      • Added LDAPInsecureBindings
  • 0.0.28 - 2019.12.29

    • Engine
      • Fix for not running tests for DC if no Forest/Domain tests are present
      • Added -SkipRODC parameter to skip DCs that are RODC
  • 0.0.27 - 2019.12.26

    • Engine
      • Better support for Portable Testimo
  • 0.0.26 - 2019.12.26

    • Engine
      • Improvments to some error handling
      • Added Version/Date Published (#72)
      • Do not run Tests for Domain/DomainControllers if not enabled
    • Updated modules
      • ADEssentials to 0.0.27 (Get-WinADDFSHealth fixed)
      • Other dependencies also updated
    • Tests
      • Fix for DNSForwaders
      • Added DomainComputersUnsupported (older than 2008)
      • Added DomainComputersUnsupportedMainstream (2008 computers with support from Microsoft)
  • 0.0.25 - 2019.11.18

    • Engine
      • Small configuration saving fixes
      • Added version
    • Tests
      • ForestObjectsWithConflict - Added
      • DCRDPSecurity - Added
        • Minimum Encryption Level
      • DCServiceWINRM - Added
        • DisableRunAS
      • DCSMBProtocols - added BPA findings - Added
        • AutoDisconnectTimeout
        • CachedOpenLimit
        • DurableHandleV2TimeoutInSeconds
        • EnableSMB1Protocol
        • EnableSMB2Protocol
        • MaxThreadsPerQueue
        • Smb2CreditsMin
        • Smb2CreditsMax
        • RequireSecuritySignature
      • DCNetSessionEnumaration (Net Cease) - Added
        • Hardening Net Session Enumeration
      • DCLanManServer - Added
        • Microsoft network server: Digitally sign communications (if client agrees)
        • Microsoft network server: Digitally sign communications (always)
        • Users are not forcibly disconnected when logon hours expire.
  • 0.0.23 - 2019.10.08

    • Tests
      • DCDiagnostics - Added
        • Basically wrapper over DcDiag
          • Checks Connectivity
          • Checks Advertising
          • Checks CheckSecurityError
          • Checks CutoffServers
          • Checks FrsEvent
          • Checks DFSREvent
          • Checks SysVolCheck
          • Checks FrsSysVol
          • Checks KccEvent
          • Checks KnowsOfRoleHolders
          • Checks MachineAccount
          • Checks NCSecDesc
          • Checks NetLogons
          • Checks ObjectsReplicated
          • Checks Replications
          • Checks RidManager
          • Checks Services
          • Checks SystemLog
          • Checks Topology
          • Checks VerifyEnterpriseReferences
          • Checks VerifyReferences
          • Checks VerifyReplicas
          • Checks DNS
          • Checks ForestDnsZonesCheckSDRefDom
          • Checks ForestDnsZonesCrossRefValidation
          • Checks DomainDnsZonesCheckSDRefDom
          • Checks DomainDnsZonesCrossRefValidation
          • Checks SchemaCheckSDRefDom
          • Checks SchemaCrossRefValidation
          • Checks ConfigurationCheckSDRefDom
          • Checks ConfigurationCrossRefValidation
          • Checks NetbiosCheckSDRefDom
          • Checks NetbiosCrossRefValidation
          • Checks DNSDomain
          • Checks LocatorCheck
          • Checks FsmoCheck
          • Checks Intersite
      • DCEventLog - Added
        • Check for Application Log - LogMode/LogFull
        • Check for System Log - LogMode/LogFull
        • Check for PowerShell Log - LogMode/LogFull
        • Check for Security Log - Size/SizeMax/LogMode/LogFull
        • Check for Security Log - Default Security Permissions
      • DCTimeSynchronizationExternal
      • DCDFS - Added
        • DFS should be Healthy
        • Central Repository for GPO for Domain should be available
        • Central Repository for GPO for DC should be available
        • GPO Count should match folder count
        • MemberReference should return TRUE
        • DFSErrors should be 0
        • DFSLocalSetting should be TRUE
        • DomainSystemVolume should be TRUE
        • SYSVOLSubscription should be TRUE
        • DFSR AutoRecovery should be enabled (not stopped)
      • DCDFSRAutoRecovery - DELETED
        • Moved to DCDFS
      • DomainDHCPAuthorized - Added but DISABLED
        • Check added, by default disabled.
      • DCTimeSettings
      • DomainGroupPolicyADM - Added
        • Added check for legacy ADM files
      • DCGroupPolicySYSVOL - Added
        • Added check if all GPO's have their folder on SYSVOL
      • DCLanManagerSettings - Added
        • Added checks for Lan Manager Settings
      • DCTimeSynchronizationInternal
        • Added check for LastBootUpTime be less than X (60) days
    • Engine
      • Added checks for potential NULL after Where-Object (fails tests now, while before it would ignore it)
      • Added parameters for SourceParameters for use within Sources #41 - tnx James Rudd
      • Changed export / import configuration to support SourceParameters/ExpectedOutput. #41 - tnx James Rudd
      • Support for Requirements/CommandAvailable
  • 0.0.22 - 2019.09.10

    • Tests
      • DCPorts - typo fix OPEN vs CLOSED
  • 0.0.21 - 2019.09.10

    • Tests
      • DCPorts - Checking for port 139 - Require PORT CLOSED (#29 - tnx SP3269)
      • DCNetworkSettings - Netbios TCPIP settings on network card - Require DISABLED (#29 - tnx SP3269)
      • DCWindowsFirewall - was renamed to DCNetworkSettings
      • DomainEmptyOrganizationalUnits - fix for lacking Contacts (#32 - tnx JasonCook599)
      • DNSScavengingForPrimaryDNSServer - fix LT should be GT (#33 - tnx JasonCook599)
      • DomainDNSZonesForest0ADEL - Added new test
      • DomainDNSZonesDomain0ADEL - Added new test
    • Engine
      • Support for match/notmatch/notcontains
  • 0.0.20 - 2019.09.09

    • Fix for configuration loading from JSON file (#30 - tnx Alex)
  • 0.0.19 - 2019.09.08

    • First public release - More information in blog post!

Comments

Keep in mind not all tests apply to each environment. I'm adding those to be flexible and be able to test things as needed. Each of those tests will need additional description and recommendation, most likely with links and steps to fix. Some of the tests are very basic and will need feedback, work on making it a robust test. Nothing is written in stone for now. Things can change day by day.

Things to consider

  • Criticality of Tests - some tests are critical, some are less critical, some are informative only
  • Recommended, Default, Sane - not all tests are equal or make sense in all conditions

Tests are based on:

Type Name Area Description
Forest Backup Backup Verify last backup time should be [less than X days]
Forest Replication Connectivity Verify each DC in replication site can [reach other replication members]
Forest Replication using Repadmin Connectivity Verify each DC in replication site can [reach other replication members]
Forest Optional Features Features Verify Optional Feature Recycle Bin should be [Enabled]
Forest Optional Features Features Verify Optional Feature Privileged Access Management Feature should be [Enabled]
Forest Optional Features Features Verify Optional Feature Laps should be enabled [Configured]
Forest Sites Verification Sites Verify each site has at least [one subnet configured]
Forest Sites Verification Sites Verify each site has at least [one domain controller configured]
Forest Site Links Site Links Verify each site link is automatic
Forest Site Links Site Links Verify each site link uses notifications
Forest Site Links Site Links Verify each site link does not use notifications
Forest Roles Connectivity Verify each FSMO holder is [reachable]
Forest Orphaned/Empty Admins Security Verify there are no Orphaned Admins (users/groups/computers)
Forest Tombstone Lifetime Features Verify Tombstone lifetime is greater or equal 180 days
Domain Roles Connectivity Verify each FSMO holder is [reachable]
Domain Password Complexity Requirements Password Verify Password Complexity Policy should be [Enabled]
Domain Password Complexity Requirements Password Verify Password Length should be [greater than X]
Domain Password Complexity Requirements Password Verify Password Threshold should be [greater than X]
Domain Password Complexity Requirements Password Verify Password Lockout Duration should be [greater than X minutes]
Domain Password Complexity Requirements Password Verify Password Lockout Observation Window should be [greater than X minutes]
Domain Password Complexity Requirements Password Verify Password Minimum Age should be [greater than X]
Domain Password Complexity Requirements Password Verify Password History Count should be [greater than X]
Domain Password Complexity Requirements Password Verify Password Reversible Encryption should be [Disabled]
Domain Trust Availability Connectivity Verify each Trust status is OK
Domain Trust Unconstrained TGTDelegation Security Verify each Trust TGTDelegation is set to True
Domain Kerberos Account Age Security Verify Kerberos Last Password Change Should be less than 180 days
Domain Groups: Account Operators Security Verify Group is empty
Domain Groups: Schema Admins Security Verify Group is empty
Domain User: Administrator Security Verify Last Password Change should be less than 360 days or account disabled
Domain DNS Forwarders DNS Verify DNS Forwarders are identical on all DNS nodes
Domain DNS Scavenging - Primary DNS Server DNS Verify DNS Scavenging is set to [X days]
Domain DNS Scavenging - Primary DNS Server DNS Verify DNS Scavenging State is set to True
Domain DNS Scavenging - Primary DNS Server DNS Verify DNS Scavenging Time is less than [X days]
Domain DNS Zone Aging DNS Verify DNS Zone Aging is set
Domain DNS Zones Forest 0ADEL Configuration/DNS Verify owner is not 0ADEL
Domain DNS Zones Domain 0ADEL Configuration/DNS Verify owner is not 0ADEL
Domain Well known folder - UsersContainer WellKnownFolders Verify folder is not at it's defaults.
Domain Well known folder - ComputersContainer WellKnownFolders Verify folder is not at it's defaults.
Domain Well known folder - DomainControllersContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - DeletedObjectsContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - SystemsContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - LostAndFoundContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - QuotasContainer WellKnownFolders Verify folder is at it's defaults.
Domain Well known folder - ForeignSecurityPrincipalsContainer WellKnownFolders Verify folder is at it's defaults.
Domain Orphaned Foreign Security Principals Cleanup Verify there are no orphaned FSP objects.
Domain Orphaned/Empty Organizational Units Cleanup Verify there are no orphaned Organizational Units
Domain Group Policy Missing Permissions Configuration Verify Authenticated Users/Domain Computers are on each and every Group Policy
Domain DFSR Sysvol Configuration Verify SYSVOL is DFSR
Domain NTDS Parameters Configuration Verify Domain Controller is writable (DSA Not Writable)
Domain Controller Information Configuration Verify Is enabled
Domain Controller Information Configuration Verify Is global catalog
Domain Controller Service Status Services Verify all {Services} are [running]
Domain Controller Service Status Services Verify all {Services} are set to [automatic startup]
Domain Controller Service Status (Print Spooler) Security Verify Print Spooler Service is set to disabled
Domain Controller Service Status (Print Spooler) Security Verify Print Spooler Service is stopped
Domain Controller Ping Connectivity Connectivity Verify DC is [reachable]
Domain Controller Ports Connectivity Verify Following ports 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389 are open
Domain Controller RDP Ports Connectivity Verify Following ports 3389 (RDP) is open
Domain Controller RDP Security Connectivity Verify NLA is enabled
Domain Controller LDAP Connectivity Connectivity Verify all {LDAP Ports} are open]
Domain Controller LDAP Connectivity Connectivity Verify all {LDAP SSL Ports} are open]
Domain Controller Windows Firewall Connectivity Verify windows firewall is enabled for all network cards
Domain Controller Windows Remote Management Connectivity Verify Windows Remote Management identification requests are managed
Domain Controller Resolves internal DNS queries DNS Verify DNS on DC [resolves Internal DNS]
Domain Controller Resolves external DNS queries DNS Verify DNS on DC [resolves External DNS]
Domain Controller Name servers for primary domain zone DNS Verify DNS Name servers for primary zone are identical
Domain Controller Responds to PowerShell Queries PowerShell Verify DC responds to PowerShell queries
Domain Controller TimeSettings Time Verify PDC should [sync time to external source]
Domain Controller TimeSettings Time Verify Non-PDC should [sync time to PDC emulator]
Domain Controller TimeSettings Time Verify Virtualized DCs should [sync to hypervisor during boot time only]
Domain Controller Time Synchronization Internal Time Verify Time Synchronization Difference to PDC [less than X seconds]
Domain Controller Time Synchronization External Time Verify Time Synchronization Difference to pool.ntp.org [less than X seconds]
Domain Controller Disk Free Computer Verify OS partition Free space is [at least X %]
Domain Controller Disk Free Computer Verify NTDS partition Free space is [at least X %]
Domain Controller Operating System Computer Verify Windows Operating system is Windows 2012 or higher
Domain Controller Windows Updates Computer Verify Last patch was installed less than 60 days ago
Domain Controller SMB Protocols Security Verify SMB v1 protocol is disabled
Domain Controller SMB Protocols Security Verify SMB v2 protocol is enabled
Domain Controller SMB Shares Security Verify default SMB shares NETLOGON/SYSVOL are visible
Domain Controller DFSR AutoRecovery Security Verify DFSR AutoRecovery is enabled
Domain Controller Windows Roles and Features Security Verify Windows Features for AD/DNS/File Services are enabled

Known Issues / By Design

  • Requirements for Sources work differently then for Tests
    • For Sources when Requirements are not met Testimo skips it totally from output
    • For Tests when Requirements are not met Testimo marks it as skipped

To install

Install-Module -Name Testimo -AllowClobber -Force

Force and AllowClobber aren't really nessecary but they do skip errors in case some appear.

And to update

Update-Module -Name Testimo

That's it. Whenever there's new version you simply run the command and you can enjoy it. Remember, that you may need to close, reopen PowerShell session if you have already used module before updating it.

The important thing is if something works for you on production, keep using it till you test the new version on a test computer. I do changes that may not be big, but big enough that auto-update will break your code. For example, small rename to a parameter and your code stops working! Be responsible!

To use after installation

With output to screen only

Invoke-Testimo

Image Image Image

With option to be able to process output - for example to email

Invoke-Testimo -ReturnResults

Changing default configuration

Testimo comes with a preset rules that may not apply to your enrivovment. You may want to change some things like disabling some tests or changing some values (to an extent). There are 3 ways to do it. Depending on how you want to save/edit/pass configuration to TestIMO - I leave it up to you.

Straight to FILE/JSON

Get-TestimoConfiguration -FilePath $PSScriptRoot\Configuration\TestimoConfiguration.json

Straight to JSON

Get-TestimoConfiguration -AsJson

Output to Hashtable so you can edit it freely and keep in ps1

$OutputOrderedDictionary = Get-TestimoConfiguration
$OutputOrderedDictionary.Forest.OptionalFeatures.Tests.RecycleBinEnabled.Enable = $false
$OutputOrderedDictionary.Forest.OptionalFeatures.Tests.LapsAvailable.Enable = $true
$OutputOrderedDictionary.Forest.OptionalFeatures.Tests.LapsAvailable.Parameters.ExpectedValue = $false

Using Invoke-Testimo with non-default configuration

Following configuration allows you to:

  • Edit default TestImo configuration with some other values
  • Exclude one of the domains
  • Return Results for future processing
  • Limit sources to only 4 types (you could also limit that via Hashtable but this way is quicker for adhoc enabling/disabling)
Import-Module Testimo

$OutputOrderedDictionary = Get-TestimoConfiguration
$OutputOrderedDictionary.Forest.OptionalFeatures.Tests.RecycleBinEnabled.Enable = $false
$OutputOrderedDictionary.Forest.OptionalFeatures.Tests.LapsAvailable.Enable = $true
$OutputOrderedDictionary.Forest.OptionalFeatures.Tests.LapsAvailable.Parameters.ExpectedValue = $false

$Sources = @(
    'ForestFSMORoles'
    'ForestOptionalFeatures'
    'ForestBackup'
    'ForestOrphanedAdmins'
    'DomainPasswordComplexity'
    'DomainKerberosAccountAge'
    'DomainDNSScavengingForPrimaryDNSServer'
    'DCWindowsUpdates'
)

$TestResults = Invoke-Testimo -ReturnResults -ExcludeDomains 'ad.evotec.pl' -Sources $Sources -Configuration $OutputOrderedDictionary
$TestResults | Format-Table -AutoSize *

Be sure to checkout Examples section for more How-To.

Dependencies

  • PowerShell 5.1 - I know, bummer right?
  • RSAT if run externally from Windows 10 machine

When you use Install-Module option what happens in the backgrouns is that Windows will use PowershellGallery (hosted by Microsoft) to download Testimo and any dependencies this module needs. As it stands all dependencies except one (DSInternals) are my other PowerShell Modules. Why I am using it this way? Because I don't want to write multiple times same code over and over.

  • Testimo - this module
    • PSWinDocumentation.AD - PowerShell Module that's main purpose is deliver formmated/compressive Active Directory data for documentation purposes. It's read only.
      • DSInternals - Directory Services Internals PowerShell Module and Framework by Michael Grafnetter - it's main purpose is to verify Active Directory Passwords
    • PSWinDocumentation.DNS - PowerShell Module that's main purpose is deliver formmated/compressive DNS data for documentation purposes (it's a bit unfinished product but it works as far Testimo is concerned). It's read only.
    • ADEssentials - PowerShell Module that's supposed to hold a bunch of useful Get/Set tools for Active Directory.
    • PSSharedGoods - PowerShell Module with lots of different, helpfull functions that I have gathered over the years
      • PSWriteColor - PowerShell Module responsible for Console Colors
      • Connectimo - PowerShell Module responsible for Connecting to O365 - while it's not in use in this project PSSharedGoods depends on it, so it's here. No function is used from it.
    • PSWriteHTML - PowerShell Module that creates nice looking reports. Responsible for visual HTML reporting.
    • Emailimo - PowerShell Module that creates nice looking emails. Responsible for emails in Testimo.

In Testimo I'm using internal functions from some of the modules, without any real documentation.

Portability

There are times where you may want to use Testimo in Portable way. Following function when executed will download all modules to given path and load them for you. Following blog post shows the way. It was written specifically for Testimo.

Initialize-ModulePortable -Name 'Testimo' -Path "$PSScriptRoot\TestimoPortable" -Download

After that you can use Invoke-Testimo as you normally would. You can also skip Download parameter if you already downloaded all the modules before. This function is also available as part of PSSharedGoods module.

Removal

In case you decide that Testimo is not for you, you can easily clean it up. Unfortunetly since Testimo uses all those dependencies as mentioned above you will have to remove all those modules one by one. Additionally if you have been using Testimo and you update it using Update-Module command and other modules got updated as well, it's possible there will be more then 1 version of said modules. Keep in mind that if you already use some of my modules some of the stuff may be already there and needed for different modules. Be careful when removing PowerShellModules.

Option 1

  • Finding where modules are stored (Get-Module -ListAvailable Testimo).ModuleBase
  • Manually deleting all folders Testimo, and other dependant modules

Option 2

  • Run Uninstall-Module
$Modules = @('Testimo', 'PSWinDocumentation.AD','PSWinDocumentation.DNS','ADEssentials', 'PSSharedGoods','PSWriteColor', 'Connectimo', 'DSInternals','Emailimo','PSWriteHTML' )
foreach ($Module in $Modules) {
    Uninstall-Module $Module -Force -AllVersions
}

Due to multiple versions per each module you may need to rerun this couple of times to remove all those mdoules in case there are some problems.

You can’t perform that action at this time.