Active Directory PowerShell Scripts

Purpose of these PowerShell Scripts, is to get Notable Active Directory Accounts or high value objects:

1. Potential weak accounts target by malicious actors with weak passwords
2. Notable AD User Accounts that have not change their passwords and did not logon since given date. - Dormant
3. List all possible accounts with SPN values kerberoastable from Active Directory.
4. High value AD Computers
5. Get the current user running permissions for all objects ACL
6. Password Spray single password against list of usernames.

---

Potential Weak Targets

PowerShell active directory script to Identify accounts targeted by malicious actors that gain internal network access:

• Enabled accounts
• Account created over 2 years ago
• password last set older than 1 year
• password never expires flag enabled

Remediation:

• change to use strong complex passwords
• AD user Account with no recent logon history for last 6 months must be disabled
• Cleanup by removing all group membership and permissions

Potential-weak-target-accounts.ps1

---

Notable Dormant AD Users

PowerShell Script: GET_ADUsers-Password_last_set_sinceDate1.ps1

Provide number of days to calculate a date since password for user accounts in Active Directory was last changed and when last account logged on.

Obtain the search base Distinguished name field "distinguishedName", value from active directory, using attribute editor in Active Directory Users and Computers MMC.

Output from the PowerShell Script with random user account last logon date and last password set date to verify.

This can be used during redteam or penetration test security assessment.

---

Status of AD Group Members

Get the status of group members in group for their last logon, enabled, description, password last set dates:

# Define the Active Directory group name
$GroupName = "Group Finance Users SG"

# Define the output CSV file path
$OutputCSV = "D:\Temp\FinanceSG_Members.csv"

# Import the Active Directory module (ensure RSAT is installed)
Import-Module ActiveDirectory

# Get members of the AD group
$Members = Get-ADGroupMember -Identity $GroupName -Recursive | Where-Object { $_.objectClass -eq "user" }

# Retrieve user properties
$UserDetails = $Members | ForEach-Object {
    $User = Get-ADUser -Identity $_.SamAccountName -Properties SamAccountName, Description, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires, LastLogon, LastLogonTimestamp
    
    # Convert LastLogon and LastLogonTimestamp to readable date format
    $LastLogonReadable = if ($User.LastLogon -gt 0) { [datetime]::FromFileTime($User.LastLogon) } else { $null }
    $LastLogonTimestampReadable = if ($User.LastLogonTimestamp -gt 0) { [datetime]::FromFileTime($User.LastLogonTimestamp) } else { $null }

    # Construct output object
    [PSCustomObject]@{
        SamAccountName      = $User.SamAccountName
        Description         = $User.Description
        Enabled             = $User.Enabled
        LastLogonDate       = $User.LastLogonDate
        PasswordLastSet     = $User.PasswordLastSet
        PasswordNeverExpires= $User.PasswordNeverExpires
        LastLogon           = $LastLogonReadable
        LastLogonTimestamp  = $LastLogonTimestampReadable
    }
}

# Export to CSV
$UserDetails | Export-Csv -Path $OutputCSV -NoTypeInformation

Write-Output "Export completed: $OutputCSV"

---

Kerberoasting

PowerShell Script: get-kerberoastable-user-info.ps1

Get AD user accounts with SPN set and as result vulnerable to Kerberoasting attacks offline password cracking.

get-kerberoastable-user-info.ps1
Get-Content C:\temp\KerberoastingVulnerableAccounts.csv

---

High Value Computes

Get list of AD computers where name contain string of possible crown jewels high value targets:

Get-ADComputer -Filter * -Properties LastLogonDate | 
    Where-Object { $_.Name -like "*hr*" } | 
    Select-Object Name, LastLogonDate | 
    Export-Csv -Path "D:\Support\servers\pay-servers-list-2025.csv" -NoTypeInformation -Force

List the results from CSV output: Get-Content D:\Support\servers\pay-servers-list-2025.csv

---

AD Account Activity

PowerShell Script: AD-account-activity-status.ps1

Providing an input file of user accounts to report on their, LastLogonTimestamp, if Account Enabled, When Password Last Set, If Password is set to Never Expires and value of Description field.

---

Current user AD permissions on Objects

PowerShell Script: Get-user-permissions-objects-ACL.ps1

List the Active Directory objects that the currently logged-on user has write, modify, or full access permissions to edit.

---

Password Policy & Spray

AD accounts with weak or old passwords are a security risk to an organization,
as their passwords may not comply to latest domain password policy and has been dormant.
Malicious actors finding these accounts can use it to gain read access to Active Directory.

Get the AD Password Policy:

# Specify the trusted domain name
$trustedDomain = "target.int"

# Get password policy details for the trusted domain
$passwordPolicy = Get-ADDefaultDomainPasswordPolicy -Server $trustedDomain

# Display the password policy details
$passwordPolicy | Select-Object *

Attack using a password spray attack using nxc.

nxc -t 1 smb domaincontroller.domain.internal -u userlist.txt -p password --continue-on-success

Above is nxc command to spray the password of password using list of possible Active Directory user accounts.