Merge pull request #198 from AsBuiltReport/dev

v0.9.3 public release

Author: rebelinux

AsBuiltReport.Microsoft.AD.psd1

@@ -12,7 +12,7 @@
     RootModule = 'AsBuiltReport.Microsoft.AD.psm1'
 
     # Version number of this module.
-    ModuleVersion = '0.9.2'
+    ModuleVersion = '0.9.3'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()
@@ -27,7 +27,7 @@
     # CompanyName = 'Unknown'
 
     # Copyright statement for this module
-    Copyright = '(c) 2024 Jonathan Colon. All rights reserved.'
+    Copyright = '(c) 2025 Jonathan Colon. All rights reserved.'
 
     # Description of the functionality provided by this module
     Description = 'A PowerShell module to generate an as built report on the configuration of Microsoft AD.'
@@ -54,7 +54,7 @@
     RequiredModules = @(
         @{
             ModuleName = 'AsBuiltReport.Core';
-            ModuleVersion = '1.4.1'
+            ModuleVersion = '1.4.2'
         },
         @{
             ModuleName = 'PSPKI';
@@ -66,11 +66,11 @@
         },
         @{
             ModuleName = 'Diagrammer.Microsoft.AD';
-            ModuleVersion = '0.2.7'
+            ModuleVersion = '0.2.8'
         },
         @{
             ModuleName = 'Diagrammer.Core';
-            ModuleVersion = '0.2.13'
+            ModuleVersion = '0.2.15'
         }
 
     )

CHANGELOG.md

@@ -7,6 +7,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ##### This project is community maintained and has no sponsorship from Microsoft, its employees or any of its affiliates.
 
+## [0.9.3] - 2025-02-21
+
+### Added
+
+- Add Site Inventory diagram to the Replication section
+- Add Certificate Authority diagram
+
+
+### Changed
+
+- Move Circular Group Membership section to $InfoLevel.Domain level 4
+- Increase AsBuiltReport.Core to v1.4.2
+- Increase Diagrammer.Core minimum requirement
+- Increase Diagrammer.Microsoft.AD minumum requirement
+
+### Fixed
+
+- Fix error message during DC discovery and WinRM connection
+- Fix Get-WinADLastBackup cmdlet not returning AD partitions when the report generation machine is not part of the same domain or forest as the target domain controller
+- Fix Certificate Authority section displaying content when no data is available
+- Fix DHCP Infrastructure section not identifying if the server is a Domain Controller
+- Fix Enterprise Root Certificate Authority section not displaying table descriptions
+
 ## [0.9.2] - 2025-01-14
 
 ### Added

Src/Private/Get-AbrADCARoot.ps1

@@ -5,7 +5,7 @@ function Get-AbrADCARoot {
     .DESCRIPTION
 
     .NOTES
-        Version:        0.9.1
+        Version:        0.9.3
         Author:         Jonathan Colon
         Twitter:        @jcolonfzenpr
         Github:         rebelinux
@@ -42,23 +42,23 @@ function Get-AbrADCARoot {
                             }
                             'Status' = $CA.ServiceStatus
                         }
-                        $OutObj += [pscustomobject](ConvertTo-HashToYN $inObj)
-                    }
+                        $OutObj = [pscustomobject](ConvertTo-HashToYN $inObj)
 
-                    if ($HealthCheck.CA.Status) {
-                        $OutObj | Where-Object { $_.'Service Status' -notlike 'Running' } | Set-Style -Style Critical -Property 'Service Status'
-                        $OutObj | Where-Object { $_.'Auditing' -notlike 'Running' } | Set-Style -Style Critical -Property 'Auditing'
-                    }
+                        if ($HealthCheck.CA.Status) {
+                            $OutObj | Where-Object { $_.'Service Status' -notlike 'Running' } | Set-Style -Style Critical -Property 'Service Status'
+                            $OutObj | Where-Object { $_.'Auditing' -notlike 'Running' } | Set-Style -Style Critical -Property 'Auditing'
+                        }
 
-                    $TableParams = @{
-                        Name = "Enterprise Root CA - $($ForestInfo.ToString().ToUpper())"
-                        List = $true
-                        ColumnWidths = 40, 60
-                    }
-                    if ($Report.ShowTableCaptions) {
-                        $TableParams['Caption'] = "- $($TableParams.Name)"
+                        $TableParams = @{
+                            Name = "Enterprise Root CA - $($ForestInfo.ToString().ToUpper())"
+                            List = $true
+                            ColumnWidths = 40, 60
+                        }
+                        if ($Report.ShowTableCaptions) {
+                            $TableParams['Caption'] = "- $($TableParams.Name)"
+                        }
+                        $OutObj | Table @TableParams
                     }
-                    $OutObj | Table @TableParams
                 }
             }
         } catch {

Src/Private/Get-AbrADDCDiag.ps1

@@ -5,7 +5,7 @@ function Get-AbrADDCDiag {
     .DESCRIPTION
 
     .NOTES
-        Version:        0.9.1
+        Version:        0.9.3
         Author:         Jonathan Colon
         Twitter:        @jcolonfzenpr
         Github:         rebelinux
@@ -39,9 +39,9 @@ function Get-AbrADDCDiag {
                         $Description = @{
                             "Advertising" = "Validates this Domain Controller can be correctly located through the KDC service. It does not validate the Kerberos tickets answer or the communication through the TCP and UDP port 88.", 'High'
                             "Connectivity" = "Initial connection validation, checks if the DC can be located in the DNS, validates the ICMP ping (1 hop), checks LDAP binding and also the RPC connection. This initial test requires ICMP, LDAP, DNS and RPC connectivity to work properly.", 'Medium'
-                            'VerifyReferences' = 'Validates that several attributes are present for the domain in the countainer and subcontainers in the DC objetcs. This test will fail if any attribute is missing.', 'High'
-                            'FrsEvent' = 'Checks if theres any errors in the event logs regarding FRS replication. If running Windows Server 2008 R2 or newer on all Domain Controllers is possible SYSVOL were already migrated to DFSR, in this case errors found here can be ignored.', 'Medium'
-                            'DFSREvent' = 'Checks if theres any errors in the event logs regarding DFSR replication. If running Windows Server 2008 or older on all Domain Controllers is possible SYSVOL is still using FRS, and in this case errors found here can be ignored. Obs. is highly recommended to migrate SYSVOL to DFSR.', 'Medium'
+                            'VerifyReferences' = 'Validates that several attributes are present for the domain in the container and subcontainers in the DC objects. This test will fail if any attribute is missing.', 'High'
+                            'FrsEvent' = 'Checks if there any errors in the event logs regarding FRS replication. If running Windows Server 2008 R2 or newer on all Domain Controllers is possible SYSVOL were already migrated to DFSR, in this case errors found here can be ignored.', 'Medium'
+                            'DFSREvent' = 'Checks if there any errors in the event logs regarding DFSR replication. If running Windows Server 2008 or older on all Domain Controllers is possible SYSVOL is still using FRS, and in this case errors found here can be ignored. Obs. is highly recommended to migrate SYSVOL to DFSR.', 'Medium'
                             'SysVolCheck' = 'Validates if the registry key HKEY_Local_Machine\System\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady=1 exist. This registry has to exist with value 1 for the DCs SYSVOL to be advertised.', 'High'
                             'KccEvent' = 'Validates through KCC there were no errors in the Event Viewer > Applications and Services Logs > Directory Services event log in the past 15 minutes (default time).', 'High'
                             'KnowsOfRoleHolders' = 'Checks if this Domain Controller is aware of which DC (or DCs) hold the FSMOs.', 'High'
@@ -52,7 +52,7 @@ function Get-AbrADDCDiag {
                             'Replications' = 'Makes a deep validation to check the main replication for all naming contexts in this Domain Controller.', 'High'
                             'RidManager' = 'Validates this Domain Controller can locate and contact the RID Master FSMO role holder. This test is skipped in RODCs.', 'High'
                             'Services' = 'Validates if the core Active Directory services are running in this Domain Controller. The services verified are: RPCSS, EVENTSYSTEM, DNSCACHE, ISMSERV, KDC, SAMSS, WORKSTATION, W32TIME, NETLOGON, NTDS (in case Windows Server 2008 or newer) and DFSR (if SYSVOL is using DFSR).', 'High'
-                            'SystemLog' = 'Checks if there is any erros in the Event Viewer > System event log in the past 60 minutes. Since the System event log records data from many places, errors reported here may lead to false positive and must be investigated further. The impact of this validation is marked as Low.', 'Low'
+                            'SystemLog' = 'Checks if there is any errors in the Event Viewer > System event log in the past 60 minutes. Since the System event log records data from many places, errors reported here may lead to false positive and must be investigated further. The impact of this validation is marked as Low.', 'Low'
                             'Topology' = 'Topology Checks that the KCC has generated a fully connected topology for all domain controllers.', 'Medium'
                             'VerifyReplicas' = 'Checks that all application directory partitions are fully instantiated on all replica servers.', 'High'
                             'CutoffServers' = 'Checks for any server that is not receiving replications because its partners are not running', 'Medium'

Src/Private/Get-AbrADDFSHealth.ps1

@@ -5,7 +5,7 @@ function Get-AbrADDFSHealth {
     .DESCRIPTION
 
     .NOTES
-        Version:        0.9.2
+        Version:        0.9.3
         Author:         Jonathan Colon
         Twitter:        @jcolonfzenpr
         Github:         rebelinux
@@ -139,7 +139,7 @@ function Get-AbrADDFSHealth {
                         }
 
                         if ($HealthCheck.Domain.DFS) {
-                            $OutObj | Where-Object { $_.'Extension' -notin ('.bat', '.exe', '.nix', '.vbs', '.pol', '.reg', '.xml', '.admx', '.adml', '.inf', '.ini', '.adm', '.kix', '.msi', '.ps1', '.cmd', '.ico') } | Set-Style -Style Warning -Property 'Extension'
+                            $OutObj | Where-Object { $_.'Extension' -notin ('.bat', '.exe', '.nix', '.vbs', '.pol', '.reg', '.xml', '.admx', '.adml', '.inf', '.ini', '.adm', '.kix', '.msi', '.ps1', '.cmd', '.ico', '.cmtx') } | Set-Style -Style Warning -Property 'Extension'
                         }
 
                         $TableParams = @{
@@ -206,7 +206,7 @@ function Get-AbrADDFSHealth {
                         }
 
                         if ($HealthCheck.Domain.DFS) {
-                            $OutObj | Where-Object { $_.'Extension' -notin ('.bat', '.exe', '.nix', '.vbs', '.pol', '.reg', '.xml', '.admx', '.adml', '.inf', '.ini', '.adm', '.kix', '.msi', '.ps1', '.cmd', '.ico') } | Set-Style -Style Warning -Property 'Extension'
+                            $OutObj | Where-Object { $_.'Extension' -notin ('.bat', '.exe', '.nix', '.vbs', '.pol', '.reg', '.xml', '.admx', '.adml', '.inf', '.ini', '.adm', '.kix', '.msi', '.ps1', '.cmd', '.ico', '.cmtx') } | Set-Style -Style Warning -Property 'Extension'
                         }
 
                         $TableParams = @{

Src/Private/Get-AbrADDomainController.ps1

@@ -5,7 +5,7 @@ function Get-AbrADDomainController {
     .DESCRIPTION
 
     .NOTES
-        Version:        0.9.2
+        Version:        0.9.3
         Author:         Jonathan Colon
         Twitter:        @jcolonfzenpr
         Github:         rebelinux
@@ -261,7 +261,7 @@ function Get-AbrADDomainController {
                                                 BlankLine
                                                 Paragraph {
                                                     Text "Best Practice:" -Bold
-                                                    Text "Disable SMB v1: SMB v1 is an outdated protocol that is vulnerable to several security issues. It is recommended to disable SMBv1 on all systems to enhance security and reduce the risk of exploitation. SMB v1 has been deprecated and replaced by SMB v2 and SMB v3, which offer improved performance and security features."
+                                                    Text "Disable SMBv1: SMBv1 is an outdated protocol that is vulnerable to several security issues. It is recommended to disable SMBv1 on all systems to enhance security and reduce the risk of exploitation. SMB v1 has been deprecated and replaced by SMB v2 and SMB v3, which offer improved performance and security features."
                                                 }
                                             }
                                         }

Src/Private/Get-AbrADDomainObject.ps1

@@ -5,7 +5,7 @@ function Get-AbrADDomainObject {
     .DESCRIPTION
 
     .NOTES
-        Version:        0.9.2
+        Version:        0.9.3
         Author:         Jonathan Colon
         Twitter:        @jcolonfzenpr
         Github:         rebelinux
@@ -606,7 +606,7 @@ function Get-AbrADDomainObject {
                             Write-PScriboMessage -IsWarning "$($_.Exception.Message) (Empty Groups Objects Section)"
                         }
                     }
-                    if ($HealthCheck.Domain.BestPractice) {
+                    if ($HealthCheck.Domain.BestPractice -and $InfoLevel.Domain -ge 4) {
                         try {
                             $OutObj = @()
                             # Loop through each parent group
@@ -937,9 +937,9 @@ function Get-AbrADDomainObject {
                                     'Lockout Duration' = $PasswordPolicy.LockoutDuration.toString("mm' minutes'")
                                     'Lockout Threshold' = $PasswordPolicy.LockoutThreshold
                                     'Lockout Observation Window' = $PasswordPolicy.LockoutObservationWindow.toString("mm' minutes'")
-                                    'Maximun Password Age' = $PasswordPolicy.MaxPasswordAge.toString("dd' days'")
-                                    'Minimun Password Age' = $PasswordPolicy.MinPasswordAge.toString("dd' days'")
-                                    'Minimun Password Length' = $PasswordPolicy.MinPasswordLength
+                                    'Maximum Password Age' = $PasswordPolicy.MaxPasswordAge.toString("dd' days'")
+                                    'Minimum Password Age' = $PasswordPolicy.MinPasswordAge.toString("dd' days'")
+                                    'Minimum Password Length' = $PasswordPolicy.MinPasswordLength
                                     'Enforce Password History' = $PasswordPolicy.PasswordHistoryCount
                                     'Store Password using Reversible Encryption' = $PasswordPolicy.ReversibleEncryptionEnabled
                                 }