Get-VulnerableUserAccounts.ps1
# PowerShell script authored by Sean Metcalf (@PyroTek3)
# 2025-09-12
# Script provided as-is
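# Counts enabled Active Directory user accounts whose settings commonly weaken account
# security, and prints one summary line per category.
# Needs the ActiveDirectory PowerShell module and read access to the target domain.
Param
(
    # DNS name of the domain to review; defaults to the domain of the current user.
    $Domain = $env:userdnsdomain
)

# Send every query to one discovered domain controller so all counts come from the same replica.
$DomainDC = (Get-ADDomainController -Discover -DomainName $Domain).Name
# NOTE: $DomainInfo is not read again below; the lookup is kept as the script originally had it.
$DomainInfo = Get-ADDomain -Server $DomainDC

# An enabled account counts as inactive when both its last logon and its last password change
# are at least this old.
$LastLoggedOnDate = (Get-Date).AddDays(-180)
$PasswordStaleDate = (Get-Date).AddDays(-180)

# Request only the attributes this review needs instead of every property.
$ADLimitedProperties = @(
    "Name","Enabled","SAMAccountname","DisplayName","LastLogonDate","PasswordLastSet",
    "PasswordNeverExpires","PasswordNotRequired","PasswordExpired","SmartcardLogonRequired","AccountExpirationDate",
    "AdminCount","Created","Modified","LastBadPasswordAttempt","badpwdcount","mail","CanonicalName","DistinguishedName",
    "ServicePrincipalName","SIDHistory","PrimaryGroupID","UserAccountControl","DoesNotRequirePreAuth"
)

[array]$DomainUsers = Get-ADUser -Filter * -Property $ADLimitedProperties -Server $DomainDC
[array]$DomainEnabledUsers = $DomainUsers | Where-Object { $_.Enabled -eq $True }

# Every category below is reported as "Enabled Users ...", so each one is filtered from the
# enabled set. The original filtered from all users, which folded disabled accounts into
# counts labelled as enabled.

# A null LastLogonDate or PasswordLastSet compares as older than the cutoff, so accounts that
# never logged on are included. LastLogonDate is replicated with a delay, so treat the cutoff
# as approximate.
[array]$DomainEnabledInactiveUsers = $DomainEnabledUsers |
    Where-Object { ($_.LastLogonDate -le $LastLoggedOnDate) -and ($_.PasswordLastSet -le $PasswordStaleDate) }

# userAccountControl 0x0080 = ENCRYPTED_TEXT_PWD_ALLOWED: the password is stored with reversible encryption.
[array]$DomainUsersWithReversibleEncryptionPasswordArray = $DomainEnabledUsers |
    Where-Object { $_.UserAccountControl -band 0x0080 }

# The account is allowed to have an empty password regardless of domain password policy.
[array]$DomainUserPasswordNotRequiredArray = $DomainEnabledUsers |
    Where-Object { $_.PasswordNotRequired -eq $True }

# The password is exempt from maximum-age policy, so it may be very old.
[array]$DomainUserPasswordNeverExpiresArray = $DomainEnabledUsers |
    Where-Object { $_.PasswordNeverExpires -eq $True }

# userAccountControl 0x200000 = USE_DES_KEY_ONLY: Kerberos is restricted to DES encryption types.
[array]$DomainKerberosDESUsersArray = $DomainEnabledUsers |
    Where-Object { $_.UserAccountControl -band 0x200000 }

# Without Kerberos pre-authentication, password-derived material for the account can be
# requested without first proving knowledge of the password.
[array]$DomainUserDoesNotRequirePreAuthArray = $DomainEnabledUsers |
    Where-Object { $_.DoesNotRequirePreAuth -eq $True }

# SID history entries can carry access rights from other or former security principals.
[array]$DomainUsersWithSIDHistoryArray = $DomainEnabledUsers |
    Where-Object { $_.SIDHistory -like "*" }

Write-Host "Total Users: $($DomainUsers.Count)"
Write-Host "Enabled Users: $($DomainEnabledUsers.Count)"
Write-Host "`nEnabled Users Identified as Inactive: $($DomainEnabledInactiveUsers.Count)"
Write-Host "Enabled Users With Reversible Encryption Password: $($DomainUsersWithReversibleEncryptionPasswordArray.Count)"
Write-Host "Enabled Users With Password Not Required: $($DomainUserPasswordNotRequiredArray.Count)"
Write-Host "Enabled Users With Password Never Expires: $($DomainUserPasswordNeverExpiresArray.Count)"
Write-Host "Enabled Users With Kerberos DES: $($DomainKerberosDESUsersArray.Count)"
Write-Host "Enabled Users That Do Not Require Kerberos Pre-Authentication: $($DomainUserDoesNotRequirePreAuthArray.Count)"
Write-Host "Enabled Users With SID History: $($DomainUsersWithSIDHistoryArray.Count)"
Write-Host "`nReview & clean up as appropriate"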