AD account Audit - find privilege user accounts

This script will help you to find all types of privileged accounts in your Active Directory and generate a report of them. Privileged accounts across the domain are determined based on user group membership. 1. High Privilege Accounts - Users whose account is a member of Domain Admin, A

5 Star
11,542 times
Active Directory
  • Forest with multiple Domains
    1 Posts | Last post March 10, 2020
    • Hi, could you help with the sentence to include all domains in the Forest?
  • account disabled messages
    1 Posts | Last post December 13, 2018
    • Hi, 
      When I ran the script in a test environment, I immediately got a list of accounts as disabled and then I terminated the script.
      Is this the right behavior?
  • Localization issues
    1 Posts | Last post December 04, 2018
    • This script only works on english domains.
      It checks for membership using the CN of the administrative groups, which will differ in non-english versions, such as the german "Domänen-Admins" instead of "Domain Admins", etc.
      As a result, the script tells me, that there are no privileged users at all.
      Instead it might be possible to use the SID to check membership of administrative groups.
  • wrongly pulling high priv accounts
    1 Posts | Last post June 09, 2018
    • The script works fine; however, it listed multiple users which are not part of the Domain Admins, Enterprise Admins, Schema Admins or Administrators groups.
      The script is simple, so I got confused about how it listed multiple accounts which don't have any direct or indirect membership :(
  • Privilege Designation Issue (High, Limited or "Non-")
    1 Posts | Last post June 07, 2018
    • The user privilege designation seems to work well as long as the accounts are *direct* members of a built-in security group. If they are members of a second-level security group that belongs to a built-in group, this is not recognized by the script. For example, if an admin user is a member of "CompanyAdmins" and THAT group is a member of "Domain Admins" (a built-in group), the script does not recognize them as a "High Privilege User". This is an issue. How can this be corrected?
  • I confirm this script still works on 2008R2 server
    1 Posts | Last post May 17, 2018
    • Just wanted to say, I used this script and it works really nicely. Want to run it on a specific OU? Add '-domain' or whatever matches your OU and tree. Thx.
  • Add Parameter for specific OU
    1 Posts | Last post December 14, 2017
    • What could be the parameter to run this script on a specific OU in the AD, please?
  • Script throws error
    1 Posts | Last post August 22, 2017
    • Dear Arun Sabale,
      This script is not working!
      I ran this script as it is while enabling the execution policy; however, this script failed on two domain controllers, the first DC is a windows Server 2008 R2 Std & the second one is Windows Server 2012 R2.
      Following are the errors that I got on both operating systems.
      Windows Server 2008 R2 Standard:---
      PS C:\Users\y.shiva.venkidachala\Desktop> .\ADPrivilegeAccounts-Audit-v3.ps1
      Missing closing ')' in expression.
      At C:\Users\y.shiva.venkidachala\Desktop\ADPrivilegeAccounts-Audit-v3.ps1:19 ch
      +      <<<< [String] $Domain
          + CategoryInfo          : ParserError: (CloseParenToken:TokenId) [], Parse
          + FullyQualifiedErrorId : MissingEndParenthesisInExpression
      Windows Server 2012 R2:--
      PS C:\Users\y.shiva.venkidachala\Desktop> .\ADPrivilegeAccounts-Audit-v3.ps1
      At C:\Users\y.shiva.venkidachala\Desktop\ADPrivilegeAccounts-Audit-v3.ps1:15
      + [CmdletBinding(DefaultParametersetName="CurrentForest")]
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Unexpected attribute 'CmdletBinding'.
      At C:\Users\y.shiva.venkidachala\Desktop\ADPrivilegeAccounts-Audit-v3.ps1:16
      + param
      + ~~~~~
      Unexpected token 'param' in expression or statement.
          + CategoryInfo          : ParserError: (:) [], ParseException
          + FullyQualifiedErrorId : UnexpectedAttribute
      Where is the script failing?
  • execution policy
    2 Posts | Last post March 01, 2017
    • Hello, I downloaded this script and attempted to run it.  I get the message that the script is not remote signed.  Would it be possible to add in a remote sign?  Or which execution policy must this script be run under?  
    • You can set the execution policy to be unrestricted.
      Set-ExecutionPolicy unrestricted
  • Accounts only show once.
    1 Posts | Last post March 01, 2017
    • I have an issue where, if a user is listed in one area of the report, they will not show up in another. I had to split Domain Admins vs Enterprise Admins to separate it further. Here is an example:
      admin.joe is a member of Domain Admins and Enterprise Admins. He will only show in one category, and should be reported in both.
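The three recurring problems in the comments above (localized group names, nested group membership not being expanded, and a user appearing under only one group) plus the multi-domain and per-OU questions can all be handled by one approach: look the privileged groups up by well-known SID instead of by CN, walk the member attribute recursively, and emit one row per user per group. The script below is an added example written for this page; it is not the original ADPrivilegeAccounts-Audit-v3.ps1 and does not reproduce its report layout. It assumes the ActiveDirectory RSAT module, PowerShell 3.0 or later, read access to every domain in the forest, and the group-to-level mapping in `$targets` (Domain Admins, Enterprise Admins, Schema Admins and Administrators as "High", the Operators groups as "Limited") is this example's own choice, not something the original script defines.

```powershell
# Added example, not the original ADPrivilegeAccounts-Audit-v3.ps1.
# Resolves privileged groups by well-known SID (works on non-English domains),
# expands nested groups across all domains of the forest, and emits one row per
# (user, group), so a user in both Domain Admins and Enterprise Admins is listed twice.
# Assumes the ActiveDirectory module, PowerShell 3.0+, and read access to every domain.
[CmdletBinding()]
param(
    # Optional OU that reported users must live under, e.g. "OU=Admins,DC=corp,DC=example" (assumed name).
    [string]$SearchBase,
    [string]$OutFile = ".\PrivilegedAccounts.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$forest = Get-ADForest
$gc     = "$($forest.Name):3268"   # global catalog, used to resolve SIDs from any domain

function Split-DN {
    # Split a DN on unescaped commas only, so "CN=Smith\, John,OU=..." stays intact.
    param([string]$DN)
    $DN -split '(?<!\\),'
}

function Get-DomainOfDN {
    # "CN=x,OU=y,DC=corp,DC=example" -> "corp.example", so each object is read from its own domain.
    param([string]$DN)
    ((Split-DN $DN) | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Expand-GroupMembers {
    # Yields the user objects that are direct or nested members of $GroupDN.
    param([string]$GroupDN, [System.Collections.Generic.HashSet[string]]$Visited)
    if (-not $Visited.Add($GroupDN)) { return }   # already expanded; also breaks membership cycles
    $group = Get-ADGroup -Identity $GroupDN -Server (Get-DomainOfDN $GroupDN) -Properties member
    foreach ($memberDN in $group.member) {
        $obj = Get-ADObject -Identity $memberDN -Server (Get-DomainOfDN $memberDN) `
                            -Properties objectClass, sAMAccountName, userAccountControl
        if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
            # A principal from another domain (e.g. root-domain Enterprise Admins inside a
            # child domain's Administrators). Its CN is the SID; resolve it via the global catalog.
            $obj = Get-ADObject -Filter "objectSid -eq '$($obj.Name)'" -Server $gc `
                                -Properties objectClass, sAMAccountName, userAccountControl
            if (-not $obj) { continue }   # well-known SIDs such as Authenticated Users have no object
        }
        switch ($obj.ObjectClass) {
            'group' { Expand-GroupMembers -GroupDN $obj.DistinguishedName -Visited $Visited }
            'user'  { $obj }
            default { }   # computers, gMSAs, contacts are not user accounts; skipped
        }
    }
}

$rows = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $sid    = $domain.DomainSID.Value
    # Well-known RIDs / SIDs, so the lookup never depends on the group's localized CN.
    # The High/Limited mapping is this example's assumption.
    $targets = @(
        @{ Name = 'Domain Admins';     Sid = "$sid-512";     Level = 'High' }
        @{ Name = 'Administrators';    Sid = 'S-1-5-32-544'; Level = 'High' }
        @{ Name = 'Account Operators'; Sid = 'S-1-5-32-548'; Level = 'Limited' }
        @{ Name = 'Server Operators';  Sid = 'S-1-5-32-549'; Level = 'Limited' }
        @{ Name = 'Backup Operators';  Sid = 'S-1-5-32-551'; Level = 'Limited' }
    )
    if ($domainName -eq $forest.RootDomain) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $targets += @{ Name = 'Enterprise Admins'; Sid = "$sid-519"; Level = 'High' }
        $targets += @{ Name = 'Schema Admins';     Sid = "$sid-518"; Level = 'High' }
    }
    foreach ($t in $targets) {
        $group = Get-ADGroup -Identity $t.Sid -Server $domainName
        $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
        Expand-GroupMembers -GroupDN $group.DistinguishedName -Visited $seen |
            Sort-Object DistinguishedName -Unique |   # one row even if reached via two nested paths
            Where-Object { -not $SearchBase -or $_.DistinguishedName -like "*,$SearchBase" } |
            ForEach-Object {
                [pscustomobject]@{
                    Domain         = $domainName
                    Group          = $t.Name               # canonical name; the real CN may be localized
                    GroupDN        = $group.DistinguishedName
                    Level          = $t.Level
                    SamAccountName = $_.sAMAccountName
                    UserDN         = $_.DistinguishedName
                    Enabled        = -not ($_.userAccountControl -band 0x2)   # ACCOUNTDISABLE bit
                }
            }
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
$rows | Format-Table Domain, Group, Level, SamAccountName, Enabled -AutoSize
```

Run it from a domain-joined host with RSAT, e.g. `.\Get-PrivilegedAccounts.ps1 -SearchBase "OU=Admins,DC=corp,DC=example"` (the file and OU names are assumptions). Because the walk starts from the group object's member attribute rather than from each user's memberOf, nested membership is followed no matter how deep, and a member that is a foreign security principal is resolved through the global catalog so cross-domain nesting in the builtin Administrators group is also expanded; well-known SIDs that have no object in the directory are skipped rather than reported.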