A comprehensive PowerShell-based Active Directory security assessment platform that combines multiple audit modules into a single, powerful tool for security professionals, system administrators, and penetration testers.
- Core AD Enumeration: Users, groups, computers, organizational units
- LDAP Domain Intelligence: Complete directory dump with JSON/HTML output
- Security Analysis: Kerberoasting, ASREPRoast, delegation vulnerabilities
- Kerberos Assessment: Ticket policies, encryption weaknesses
- Certificate Services Audit: PKI vulnerabilities, ESC attack vectors
- Trust Relationship Analysis: Domain/forest trusts, SID history abuse
- Delegation Security Review: Unconstrained, constrained, and resource-based delegation
- Compliance Reporting: Security baseline assessment and scoring
- Interactive HTML Dashboards: Executive and technical views
- JSON Export: Machine-readable data (ldapdomaindump-style)
- CSV Reports: Spreadsheet-compatible data exports
- XML Reports: Structured technical documentation
- Executive Summaries: Business-focused findings and recommendations
- Multi-threaded execution for improved performance
- Automated remediation guides with PowerShell scripts
- Risk scoring and prioritization framework
- Interactive and non-interactive modes
- Comprehensive logging and error handling
- Evidence collection and documentation
- Installation
- Quick Start
- Usage Examples
- Detailed Walkthroughs
- Module Documentation
- Output Structure
- Prerequisites
- Security Considerations
- Contributing
- License
# Download the script
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/javalogicuser/remy-AD/refs/heads/main/remy-ad-audit.ps1" -OutFile "remy-ad-audit.ps1"
# Set execution policy (if needed)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

git clone https://github.com/javalogicuser/remy-AD.git
cd remy-AD

Install-Module -Name RemyADAudit

# Navigate to script directory
cd C:\path\to\remy-ad-audit
# Run with interactive prompts
.\remy-ad-audit.ps1

# Run with minimal parameters
.\remy-ad-audit.ps1 -DomainController "dc01.corp.local" -DomainName "corp.local" -SkipPrompts

# Focus on security vulnerabilities
.\remy-ad-audit.ps1 -DomainController "192.168.1.10" -DomainName "corp.local" -Modules @('security','kerberos','certificates') -SkipPrompts

.\remy-ad-audit.ps1 `
-DomainController "dc01.corp.local" `
-DomainName "corp.local" `
-Modules @('all') `
-Format "All" `
-IncludeRemediation `
-SkipPrompts

Output: Complete security assessment with all modules, full reporting suite, and remediation guides.

.\remy-ad-audit.ps1 `
-DomainController "10.0.0.100" `
-DomainName "internal.company.com" `
-Modules @('kerberos','security') `
-Format "HTML" `
-Threads 20 `
-SkipPrompts

Output: Focused analysis on Kerberos vulnerabilities with HTML dashboard.

$creds = Get-Credential
.\remy-ad-audit.ps1 `
-DomainController "dc.enterprise.local" `
-DomainName "enterprise.local" `
-Credential $creds `
-Modules @('compliance','core') `
-ComplianceReport `
-OutputPath "C:\Audit_Reports" `
-SkipPrompts

Output: Compliance-focused assessment with custom credentials and specified output location.

.\remy-ad-audit.ps1 `
-DomainController "pki-dc.corp.local" `
-DomainName "corp.local" `
-Modules @('certificates','security') `
-Format "JSON" `
-Verbose `
-SkipPrompts

Output: PKI security assessment with detailed JSON output and verbose logging.

# Ensure you have appropriate permissions
whoami /groups | Select-String -Pattern "Domain Admins|Enterprise Admins"
# Check PowerShell version
$PSVersionTable.PSVersion

# Start with interactive mode for first run
.\remy-ad-audit.ps1
# Follow prompts:
# Enter Domain Controller: dc01.corp.local
# Enter Domain Name: corp.local
# Use alternate credentials? N
# Enter modules: all
# Output Directory: [Enter for default]

# HTML dashboard opens automatically
# Navigate to: $env:TEMP\AD_Audit_Reports_[timestamp]\Reports\HTML\AD_Audit_Dashboard.html
# Review executive summary
Get-Content "$env:TEMP\AD_Audit_Reports_*\Executive_Summary.txt"

# Create dedicated audit user (recommended)
New-ADUser -Name "AuditUser" -SamAccountName "audituser" -UserPrincipalName "audituser@corp.local"
Add-ADGroupMember -Identity "Domain Admins" -Members "audituser"
# Store credentials securely
$securePassword = Read-Host "Enter audit user password" -AsSecureString
$auditCreds = New-Object System.Management.Automation.PSCredential("corp\audituser", $securePassword)

.\remy-ad-audit.ps1 `
-DomainController "dc01.corp.local" `
-DomainName "corp.local" `
-Credential $auditCreds `
-Modules @('core','security','kerberos','certificates','trusts','delegation','compliance') `
-Format "All" `
-OutputPath "C:\SecurityAudits\$(Get-Date -Format 'yyyyMMdd')" `
-IncludeRemediation `
-ComplianceReport `
-Threads 15 `
-Verbose `
-SkipPrompts

# Review high-risk findings
$jsonReport = Get-Content "C:\SecurityAudits\*\Reports\JSON\AD_Audit_Complete.json" -Raw | ConvertFrom-Json
$jsonReport.Statistics
# Generate custom report
$highRiskFindings = $jsonReport.Findings | Where-Object {$_.Risk -eq "High"}
$highRiskFindings | Export-Csv "C:\SecurityAudits\HighRisk_Summary.csv" -NoTypeInformation

# Start with LDAP domain dump
.\remy-ad-audit.ps1 `
-DomainController "192.168.1.10" `
-DomainName "target.local" `
-Modules @('ldap','core') `
-Format "JSON" `
-OutputPath "C:\PenTest\Recon" `
-SkipPrompts

# Focus on attack vectors
.\remy-ad-audit.ps1 `
-DomainController "192.168.1.10" `
-DomainName "target.local" `
-Modules @('security','kerberos','delegation') `
-Format "JSON" `
-OutputPath "C:\PenTest\Vulns" `
-SkipPrompts

# Combine results for reporting
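# Parse each JSON file separately; piping several files into one ConvertFrom-Json call fails
$reconData = Get-ChildItem "C:\PenTest\Recon\Reports\JSON\*.json" | ForEach-Object { Get-Content $_.FullName -Raw | ConvertFrom-Json }
$vulnData = Get-ChildItem "C:\PenTest\Vulns\Reports\JSON\*.json" | ForEach-Object { Get-Content $_.FullName -Raw | ConvertFrom-Json }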
# Create evidence package
Compress-Archive -Path "C:\PenTest\*" -DestinationPath "C:\Evidence\AD_Assessment_$(Get-Date -Format 'yyyyMMdd').zip"

Purpose: Fundamental AD enumeration and baseline data collection
Capabilities:
- Domain information gathering
- User account enumeration
- Computer account discovery
- Group membership analysis
- Organizational unit structure
- Domain controller identification
Output: User lists, computer inventories, group hierarchies
Purpose: Comprehensive directory intelligence gathering
Capabilities:
- Complete LDAP tree enumeration
- Schema analysis
- Attribute extraction
- Permission mapping
- ldapdomaindump-style output
Output: JSON domain dump, LDAP tree structure, schema documentation
Purpose: Core security vulnerability identification
Capabilities:
- Privileged account analysis
- Password policy assessment
- Account lockout configuration
- Stale account identification
- Permission auditing
- Security group analysis
Output: Security findings, privileged user lists, policy compliance reports
Purpose: Kerberos protocol security assessment
Capabilities:
- Kerberoastable account identification
- ASREPRoast vulnerability detection
- Encryption algorithm analysis
- Ticket lifetime evaluation
- SPN enumeration
Output: Kerberoastable users, weak encryption findings, ticket policy analysis
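The kind of check this module describes, written as an added example that is not code from remy-ad-audit: it lists enabled accounts that carry an SPN or have pre-authentication disabled and flags missing AES configuration and old passwords so they can be remediated. The function name, the issue labels and the 365-day threshold are assumptions; it requires the ActiveDirectory module.

```powershell
# Added example, not remy-ad-audit code. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-KerberosExposure {
    param(
        [string]$Server,                # optional domain controller to query
        [int]$MaxPasswordAgeDays = 365  # constructed threshold; align with your policy
    )
    # Enabled users that have an SPN or have Kerberos pre-authentication disabled.
    # UAC bits: 0x2 = ACCOUNTDISABLE, 0x400000 (4194304) = DONT_REQ_PREAUTH.
    $adArgs = @{
        LDAPFilter = '(&(objectCategory=person)(objectClass=user)' +
                     '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
                     '(|(servicePrincipalName=*)' +
                     '(userAccountControl:1.2.840.113556.1.4.803:=4194304)))'
        Properties = 'ServicePrincipalNames','DoesNotRequirePreAuth','PasswordLastSet',
                     'msDS-SupportedEncryptionTypes','adminCount'
    }
    if ($Server) { $adArgs.Server = $Server }

    $now = Get-Date
    Get-ADUser @adArgs | ForEach-Object {
        $enc    = [int]$_.'msDS-SupportedEncryptionTypes'   # $null (attribute unset) casts to 0
        $issues = @()
        if ($_.DoesNotRequirePreAuth)       { $issues += 'PreAuthDisabled' }
        if ($_.ServicePrincipalNames.Count) { $issues += 'HasSPN' }
        # Encryption type bits: 0x1/0x2 = DES, 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256
        if (($enc -band 0x18) -eq 0) { $issues += 'AESNotConfigured' }
        elseif ($enc -band 0x4)      { $issues += 'RC4StillAllowed' }
        if ($enc -band 0x3)          { $issues += 'DESAllowed' }

        $age = $null
        if ($_.PasswordLastSet) { $age = [int](($now - $_.PasswordLastSet).TotalDays) }
        if ($null -eq $age -or $age -gt $MaxPasswordAgeDays) { $issues += 'StalePassword' }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Privileged      = ($_.adminCount -eq 1)
            PasswordAgeDays = $age
            EncTypes        = '0x{0:X}' -f $enc
            Issues          = $issues -join ','
        }
    }
}

# Privileged accounts first, then the oldest passwords
Get-KerberosExposure | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize
```

Accounts reported with `PreAuthDisabled` should have pre-authentication re-enabled unless a documented dependency exists; SPN accounts with `AESNotConfigured` or `StalePassword` are candidates for AES enforcement and a long random password, or migration to a group managed service account.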
Purpose: PKI infrastructure security review
Capabilities:
- Certificate Authority enumeration
- Certificate template analysis
- ESC vulnerability detection (ESC1-ESC8)
- Certificate permission auditing
- Expired certificate identification
Output: PKI security findings, vulnerable templates, certificate inventories
Purpose: Trust relationship security analysis
Capabilities:
- Domain trust enumeration
- Forest trust analysis
- External trust review
- SID history detection
- Trust security assessment
Output: Trust relationship maps, SID history findings, trust security recommendations
Purpose: Delegation configuration security review
Capabilities:
- Unconstrained delegation detection
- Constrained delegation analysis
- Resource-based constrained delegation review
- Delegation vulnerability assessment
Output: Delegation findings, security recommendations, configuration analysis
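A sketch of the three delegation checks listed above, as an added example that is not code from remy-ad-audit. The function name and finding labels are assumptions; it requires the ActiveDirectory module.

```powershell
# Added example, not remy-ad-audit code. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-DelegationExposure {
    param([string]$Server)   # optional domain controller to query

    # UAC bits: 0x80000 (524288)     = TRUSTED_FOR_DELEGATION (unconstrained)
    #           0x1000000 (16777216) = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)
    $adArgs = @{
        LDAPFilter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
                     '(msDS-AllowedToDelegateTo=*)' +
                     '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
        Properties = 'sAMAccountName','userAccountControl','primaryGroupID',
                     'msDS-AllowedToDelegateTo','msDS-AllowedToActOnBehalfOfOtherIdentity'
    }
    if ($Server) { $adArgs.Server = $Server }

    Get-ADObject @adArgs | ForEach-Object {
        $uac     = [int]$_.userAccountControl
        $isDC    = $_.primaryGroupID -in 516, 521   # Domain Controllers, Read-only DCs
        $targets = $_.'msDS-AllowedToDelegateTo'
        $rbcd    = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'

        $findings = @()
        if ($uac -band 0x80000) {
            # DCs are trusted for delegation by design; any other host needs justification
            if ($isDC) { $findings += 'Unconstrained (DC, expected)' }
            else       { $findings += 'Unconstrained' }
        }
        if ($targets) {
            if ($uac -band 0x1000000) { $findings += 'Constrained+ProtocolTransition' }
            else                      { $findings += 'Constrained' }
        }
        if ($rbcd) { $findings += 'ResourceBased' }

        # Principals permitted to delegate to this account (resource-based delegation)
        $allowedFrom = ''
        if ($rbcd -and $rbcd.Access) { $allowedFrom = $rbcd.Access.IdentityReference -join '; ' }

        [pscustomobject]@{
            Account     = $_.sAMAccountName
            ObjectClass = $_.ObjectClass
            Findings    = $findings -join ','
            DelegatesTo = $targets -join '; '
            AllowedFrom = $allowedFrom
        }
    }
}

Get-DelegationExposure | Sort-Object Findings | Format-Table -AutoSize -Wrap
```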
Purpose: Security baseline and compliance assessment
Capabilities:
- Password policy compliance
- Account lockout policy review
- Audit policy assessment
- Security setting evaluation
- Compliance scoring
Output: Compliance scorecards, policy gap analysis, remediation recommendations
AD_Audit_Reports_YYYYMMDD_HHMMSS/
├── Reports/
│   ├── HTML/
│   │   ├── AD_Audit_Dashboard.html          # Interactive security dashboard
│   │   ├── Executive_Summary.html           # High-level findings
│   │   ├── Technical_Details.html           # Detailed technical analysis
│   │   └── Compliance_Report.html           # Compliance assessment
│   ├── JSON/
│   │   ├── AD_Audit_Complete.json           # Complete audit data
│   │   ├── ldapdomaindump_style.json        # LDAP domain dump
│   │   ├── Security_Findings.json           # Security vulnerabilities
│   │   └── Compliance_Results.json          # Compliance assessment
│   ├── CSV/
│   │   ├── Users.csv                        # User account data
│   │   ├── Computers.csv                    # Computer account data
│   │   ├── Groups.csv                       # Group information
│   │   ├── Security_Issues.csv              # Security findings
│   │   └── Kerberoastable_Users.csv         # Kerberoastable accounts
│   └── XML/
│       └── AD_Audit_Report.xml              # Structured XML report
├── Data/
│   ├── Core/
│   │   ├── domain_info.json                 # Domain metadata
│   │   ├── users_raw.json                   # Raw user data
│   │   └── computers_raw.json               # Raw computer data
│   ├── Security/
│   │   ├── vulnerabilities.json             # Security vulnerabilities
│   │   ├── privileged_users.json            # Privileged accounts
│   │   └── security_policies.json           # Security configuration
│   ├── Kerberos/
│   │   ├── kerberoastable.json              # Kerberoastable accounts
│   │   ├── asreproastable.json              # ASREPRoastable accounts
│   │   └── kerberos_policy.json             # Kerberos settings
│   ├── Certificates/
│   │   ├── certificate_authorities.json     # CA information
│   │   ├── certificate_templates.json       # Template analysis
│   │   └── esc_vulnerabilities.json         # ESC findings
│   └── Trusts/
│       ├── domain_trusts.json               # Trust relationships
│       └── sid_history.json                 # SID history findings
├── Remediation/
│   ├── Scripts/
│   │   ├── AD_Security_Remediation.ps1      # Automated fixes
│   │   ├── Disable_Inactive_Users.ps1       # User cleanup
│   │   ├── Fix_Kerberos_Issues.ps1          # Kerberos hardening
│   │   └── Certificate_Cleanup.ps1          # PKI security fixes
│   └── Guides/
│       ├── Security_Remediation_Guide.md    # Step-by-step fixes
│       ├── Kerberos_Hardening_Guide.md      # Kerberos security
│       ├── PKI_Security_Guide.md            # Certificate services
│       └── Compliance_Implementation.md     # Compliance guidance
├── Evidence/
│   ├── Screenshots/                         # Visual evidence
│   ├── Logs/
│   │   ├── audit.log                        # Detailed audit log
│   │   ├── errors.log                       # Error tracking
│   │   └── performance.log                  # Performance metrics
│   └── Archives/
│       └── raw_data_backup.zip              # Complete data backup
├── Executive_Summary.txt                    # Business summary
├── Configuration.json                       # Audit configuration
└── Statistics.json                          # Audit statistics
- Operating System: Windows 10/11, Windows Server 2016+
- PowerShell: Version 5.1 or higher
- Memory: Minimum 4GB RAM (8GB+ recommended for large environments)
- Disk Space: 1GB+ free space for reports and logs
- Network: Access to domain controllers on ports 389 (LDAP) and 636 (LDAPS)
- Domain User: Minimum for basic enumeration
- Domain Admin: Recommended for comprehensive assessment
- Enterprise Admin: Required for forest-level analysis
- Local Admin: For advanced certificate and delegation analysis
- Active Directory PowerShell Module: Enhanced functionality
- RSAT Tools: Additional administrative capabilities
- Certificate Services Tools: PKI analysis features
# Check for required modules
Get-Module -ListAvailable ActiveDirectory
Get-WindowsFeature -Name RSAT-AD-PowerShell

- Use dedicated audit accounts with minimal required privileges
- Implement service accounts for automated assessments
- Rotate credentials regularly after assessments
- Log all audit activities for compliance tracking
- Encrypt output files containing sensitive information
- Secure transfer methods for audit reports
- Implement data retention policies for audit artifacts
- Access controls on audit results and logs
- Use encrypted connections (LDAPS) when available
- Monitor network traffic during assessments
- Implement network segmentation for audit activities
- Rate limiting to avoid overwhelming domain controllers
# Example: Secure credential handling
$securePassword = Read-Host "Enter password" -AsSecureString
$credential = New-Object System.Management.Automation.PSCredential("domain\user", $securePassword)
# Example: Encrypted output
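# ConvertFrom-SecureString without -Key uses DPAPI: only the same user on the same machine can decrypt the file
$auditData | ConvertTo-Json | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Set-Content "encrypted_audit.txt"

- Document authorization before conducting assessments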
- Maintain audit trails of all activities
- Follow data handling procedures per organizational policies
- Report findings through established security channels
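One way to apply the access-control and audit-trail items above to a finished report directory, as an added example that is not part of remy-ad-audit. The function names, the manifest file name and the default allow list are assumptions.

```powershell
# Added example, not remy-ad-audit code.
function Protect-AuditOutput {
    param(
        [Parameter(Mandatory)][string]$ReportRoot,
        [string[]]$AllowedPrincipals = @("$env:USERDOMAIN\$env:USERNAME", 'BUILTIN\Administrators')
    )
    if (-not (Test-Path -LiteralPath $ReportRoot -PathType Container)) {
        throw "Report directory not found: $ReportRoot"
    }

    # 1. Replace inherited permissions with an explicit allow list.
    $acl = Get-Acl -LiteralPath $ReportRoot
    $acl.SetAccessRuleProtection($true, $false)   # block inheritance, discard inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($principal in $AllowedPrincipals) {
        $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -LiteralPath $ReportRoot -AclObject $acl

    # 2. Write a SHA-256 manifest so later tampering with reports or logs is detectable.
    $manifest = Join-Path $ReportRoot 'SHA256SUMS.csv'
    Get-ChildItem -LiteralPath $ReportRoot -Recurse -File |
        Where-Object { $_.FullName -ne $manifest } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -LiteralPath $manifest -NoTypeInformation
    return $manifest
}

function Test-AuditOutput {
    # Returns one object per file that is missing or whose hash no longer matches.
    param([Parameter(Mandatory)][string]$ReportRoot)
    Import-Csv -LiteralPath (Join-Path $ReportRoot 'SHA256SUMS.csv') | ForEach-Object {
        $actual = 'MISSING'
        if (Test-Path -LiteralPath $_.Path) {
            $actual = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
        }
        if ($actual -ne $_.Hash) {
            [pscustomobject]@{ Path = $_.Path; Expected = $_.Hash; Actual = $actual }
        }
    }
}

# Usage (constructed path):
# Protect-AuditOutput -ReportRoot 'C:\Audit_Reports\AD_Audit_Reports_20240101_020000'
# Test-AuditOutput    -ReportRoot 'C:\Audit_Reports\AD_Audit_Reports_20240101_020000'
```

Keep a copy of the manifest outside the report directory, since anyone who can modify the reports can also rewrite a manifest stored next to them.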
# Example: Custom security check module
function Invoke-CustomSecurityCheck {
    Write-Log "Running custom security checks..." -Level Info
    $customResults = @{
        CustomFindings = @()
        RiskScore = 0
    }
    # Your custom logic here
    $Global:Config.Results.Custom = $customResults
    Write-Log "Custom security check completed" -Level Success
}
# Add to main execution flow
$Global:Config.Modules += 'custom'

# Example: Send results to SIEM
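$auditResults = Get-Content "Reports\JSON\AD_Audit_Complete.json" -Raw | ConvertFrom-Json
# Send to Splunk (the HTTP Event Collector expects the payload under an "event" key)
$splunkUri = "https://splunk.company.com:8088/services/collector"
$splunkToken = "your-hec-token"
$headers = @{"Authorization" = "Splunk $splunkToken"}
# -Depth keeps nested findings from being truncated at the default depth of 2
$body = @{ event = $auditResults } | ConvertTo-Json -Depth 10
Invoke-RestMethod -Uri $splunkUri -Method Post -Headers $headers -Body $body
# Send to Microsoft Sentinel
# Send-LogAnalyticsData is not a built-in cmdlet; it is assumed to be a helper function you define elsewhere
$workspaceId = "your-workspace-id"
$sharedKey = "your-shared-key"
Send-LogAnalyticsData -WorkspaceId $workspaceId -SharedKey $sharedKey -Body ($auditResults | ConvertTo-Json -Depth 10) -LogType "ADSecurityAudit"

# Example: Scheduled task for weekly audits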
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\remy-ad-audit.ps1 -SkipPrompts"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 2AM
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "Weekly AD Security Audit" -Action $action -Trigger $trigger -Settings $settings

# Solution: Check permissions and use appropriate credentials
# Test-ADAuthentication is not part of the ActiveDirectory module; it is assumed to be a helper defined elsewhere
$testAccess = Test-ADAuthentication -Credential $credential
if (-not $testAccess) {
    Write-Warning "Insufficient permissions. Ensure audit account has required privileges."
}

# Solution: Set execution policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Or bypass for single execution
PowerShell.exe -ExecutionPolicy Bypass -File .\remy-ad-audit.ps1

# Solution: Install required modules
Install-WindowsFeature -Name RSAT-AD-PowerShell
Import-Module ActiveDirectory -Force

# Solution: Test connectivity and firewall rules
Test-NetConnection -ComputerName "dc01.corp.local" -Port 389
Test-NetConnection -ComputerName "dc01.corp.local" -Port 636

# Enable verbose logging and debug output
.\remy-ad-audit.ps1 -Verbose -Debug -DomainController "dc01.corp.local" -DomainName "corp.local"
# Check log files for detailed error information
Get-Content "$env:TEMP\AD_Audit_Reports_*\audit.log" | Select-String "ERROR"

# Optimize for large environments
# (a comment cannot follow a line-continuation backtick, so the options are annotated here)
#   -Threads 25                     Increase thread count
#   -Modules @('core','security')   Run fewer modules
#   -Format "JSON"                  Use faster output format
.\remy-ad-audit.ps1 `
-DomainController "dc01.corp.local" `
-DomainName "corp.local" `
-Threads 25 `
-Modules @('core','security') `
-Format "JSON" `
-SkipPrompts

We welcome contributions from the security community! Here's how you can help:
- Bug Reports: Report issues and provide reproduction steps
- Feature Requests: Suggest new modules or capabilities
- Code Contributions: Submit pull requests with improvements
- Documentation: Improve guides and examples
- Testing: Test in different environments and provide feedback
# Fork the repository
git clone https://github.com/javalogicuser/remy-AD.git
cd remy-AD
# Create feature branch
git checkout -b feature/new-security-module
# Make changes and test
.\remy-ad-audit.ps1 -DomainController "testdc.lab.local" -DomainName "lab.local" -SkipPrompts
# Commit and push
git add .
git commit -m "Add new security module for XYZ analysis"
git push origin feature/new-security-module
# Create pull request

- Follow PowerShell best practices and style guidelines
- Include comprehensive error handling
- Add detailed comments and documentation
- Include parameter validation and help text
- Test thoroughly in lab environments
For security vulnerabilities in the tool itself:
- Email: ethicalsoup@gmail.com
- Include detailed reproduction steps
- Allow 90 days for responsible disclosure
This project is licensed under the MIT License - see the LICENSE file for details.
MIT License
Copyright (c) 2024 Unified AD Audit Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
- Microsoft Active Directory Team - For comprehensive AD documentation
- PowerShell Community - For excellent modules and best practices
- Security Research Community - For attack techniques and defense strategies
- Open Source Contributors - For inspiration and code examples
- Email: ethicalsoup@gmail.com
- Star this repository to stay notified of updates
- Watch releases for new versions and security updates
- Follow on Twitter: @ethicalsoup