Assessing new domain environment
Active Directory

I had a free day yesterday, and I always love to spend my free time on the Xbox or PlayStation, depending on the mood. So while I'm rushing and jumping all over Australia with my Lamborghini, I got a phone call. My first instinct was to mute it and continue with my race, but it was a good friend.. so I muted it anyway 😶. When I finished the race, I called him back (yes, I'm a good friend😜). After a quick chit-chat, he told me that he needs help to assess a new domain environment he needs to work on.

Can you blame me for not answering the phone?

He told me that he needs to get some basic information about those topics:

  • Forest information
  • Domain information
  • GPO information
  • DHCP authorized server information
  • Users information
  • Group information

I asked him to prepare a computer in the domain with Remote Server Administration Tools (RSAT) and to get user credentials in the domain (no special privileges) while I'm writing him a guide.

Forest information:

When we install RSAT, we get a lot of new PowerShell cmdlets. One of them is the Get-ADForest cmdlet. Using this command we can get information about the Active Directory forest (surprised?).

$ForestInformation = Get-ADForest

Each cmdlet can give us a lot of information, and we don't want to get lost, so for each cmdlet we will focus on the information I think is most relevant. I encourage you to investigate every cmdlet you see here if you are not familiar with it.

We would like to get information about the forest functional level, the domains in the forest, the root domain and the schema master DC:

$ForestInformation | Select-Object ForestMode,Domains,RootDomain,SchemaMaster | Format-List
ForestMode   : Windows2008R2Forest
Domains      : {}
RootDomain   :
SchemaMaster :

* The reason we put it into a variable first is that we will use it later.

Domain information:

In this part we will use two cmdlets, Get-ADDomain and Get-ADDomainController. We will use them to find the functional level of the domains, the PDC and RID masters, and information about the domain controllers.

First we will use Get-ADDomain to get the following information: Name, Child Domains, Domain functional level, Infrastructure Master, PDC Emulator, RID Master.

# Single Domain Forest
Get-ADDomain | Select-Object Name,DomainMode,InfrastructureMaster,PDCEmulator,RIDMaster | Format-List
# Multi Domain Forest
($ForestInformation).Domains | Get-ADDomain | Select-Object Name,ChildDomains,DomainMode,InfrastructureMaster,PDCEmulator,RIDMaster | Format-List

Now we will use Get-ADDomainController to get information about the domain controllers in each domain. It will be useful to get: Hostname, IPv4Address, Operating System, the LDAP and SSL ports, and which site each DC belongs to:

# Single Domain Forest (no -Server needed: the cmdlet queries the current domain)
Get-ADDomainController -Filter * | Select-Object Hostname,IPv4Address,OperatingSystem,LDAPport,SSLport,Site | Format-List
# Multi Domain Forest: -Server does not take pipeline input, so loop over the domains with ForEach-Object
($ForestInformation).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } | Select-Object Domain,Hostname,IPv4Address,OperatingSystem,LDAPport,SSLport,Site | Format-List

This will give us a nice list:

Hostname    :
IPv4Address :
OperatingSystem : Windows Server 2012 R2 Standard
LDAPport    : 389
sslport     : 636
site        : Lab
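As an added example (not code from the original post), here is the same forest-wide DC inventory wrapped in a function, extended with the FSMO role holders and the global catalog / RODC flags that the post queries separately. It assumes RSAT's ActiveDirectory module and reads the forest with the same Get-ADForest call used above.

```powershell
# Added example, not from the original post: one forest-wide DC inventory
# that also shows which DC holds which FSMO role and which are GCs or RODCs.
Import-Module ActiveDirectory

function Get-ForestDcInventory {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # -Server targets a DC of that domain, so every domain is enumerated in turn
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                Domain          = $_.Domain
                HostName        = $_.HostName
                IPv4Address     = $_.IPv4Address
                OperatingSystem = $_.OperatingSystem
                Site            = $_.Site
                IsGlobalCatalog = $_.IsGlobalCatalog
                IsReadOnly      = $_.IsReadOnly   # RODCs deserve a second look
                # Empty for DCs holding no role; the two forest-wide roles
                # (SchemaMaster, DomainNamingMaster) show up on root-domain DCs
                FsmoRoles       = ($_.OperationMasterRoles -join ', ')
            }
        }
    }
}

Get-ForestDcInventory | Sort-Object Domain, HostName | Format-Table -AutoSize
```

A DC running an operating system older than the rest, or a role holder nobody remembers, is exactly the kind of thing this table surfaces on a first pass.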

GPO information

Now, GPO is super important, and every Domain Services guy will tell you it can make or break your environment. When we start working on a new environment, we would like to know how many GPOs we have and how many of them are not in use.

To get the number of GPOs, we can just run:

$GPOs = Get-GPO -All

To get the unlinked GPOs we can use the following script:

Import-Module GroupPolicy
$unlinkedGPOs = @()
$GPOs = Get-GPO -All
ForEach ($gpo in $GPOs) {
    # The XML report lists every link under GPO.LinksTo;
    # when that element is missing, the GPO is not linked anywhere
    [xml]$GPOXMLReport = $gpo | Get-GPOReport -ReportType Xml
    if ($null -eq $GPOXMLReport.GPO.LinksTo) {
        $unlinkedGPOs += $gpo
    }
}

When it's done, we can get the information from the $unlinkedGPOs variable:

DisplayName      : Test GPO
DomainName       :
Owner            : saggiehaim\Domain Admins
Id               : eb9bf117-81c1-40f9-813a-ce211796189d
GpoStatus        : AllSettingsEnabled
Description      : 
CreationTime     : 9/23/2018 12:38:02 PM
ModificationTime : 9/23/2018 12:40:56 PM
UserVersion      : AD Version: 3, SysVol Version: 3
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        : 

DHCP authorised server information

DHCP can be a vulnerability, and it's something we want to control. We don't want rogue DHCP servers that will serve wrong IPs or, worse, won't be in sync with the rest and will serve duplicate IPs.

To get the list of the authorised DHCP Servers we can use the cmdlet:


That easy!

Users information

It's all about the users, the most critical resource we have in our environment. There are so many things we want to know about them, but we will limit it to the most important ones in my opinion:

  • Number of users:
$users = Get-ADUser -Filter *
$users.Count
  • Number of active (enabled) users:
($users | Where-Object { $_.Enabled -eq $true }).Count
  • Number of locked out users:
(Search-ADAccount -LockedOut).Count

Group information

Groups can often be a pain, and it is easy to lose control over them; these cmdlets will help us get some control back:

  • Number of groups:
(Get-ADGroup -Filter *).count
  • Getting all empty groups:
Get-ADGroup -Properties Members -Filter * | Where-Object {$_.Members.Count -eq 0 } | Select-Object Name,DistinguishedName | Format-List

Today security is everywhere, and we all share the responsibility to keep our environment secure. We also like to get all the members of the Domain Admins and Enterprise Admins groups, and we will ask questions about every member.

# Get Domain Admins members
(Get-ADGroup -Properties Members -Identity 'Domain Admins').Members
# Get Enterprise Admins members
(Get-ADGroup -Properties Members -Identity 'Enterprise Admins').Members

Don’t take it lightly. I once saw a company with Domain Users in the Domain Admins group…
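The questions we ask about each member can be automated. The following is an added example (not code from the original post) that audits the two groups listed above: it reports any group nested directly inside them (the "Domain Users in Domain Admins" mistake), then resolves the effective membership recursively and flags disabled accounts, passwords that never expire, and passwords older than an assumed 365-day threshold.

```powershell
# Added example, not from the original post: audit the privileged groups the
# post lists and flag what a reviewer would ask about for every member.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$GroupNames = @('Domain Admins', 'Enterprise Admins'),
        [int]$StalePasswordDays = 365   # assumed threshold, adjust to your policy
    )
    $cutoff = (Get-Date).AddDays(-$StalePasswordDays)
    foreach ($groupName in $GroupNames) {
        $group = Get-ADGroup -Identity $groupName -Properties Members
        # Direct members first: a group nested here grants every one of its
        # members admin rights, which is how "Domain Users" ends up privileged
        foreach ($dn in $group.Members) {
            $obj = Get-ADObject -Identity $dn -Properties objectClass
            if ($obj.ObjectClass -eq 'group') {
                [pscustomobject]@{
                    Group = $groupName; Member = $obj.Name; Type = 'NestedGroup'
                    Enabled = $null; PasswordLastSet = $null; LastLogonDate = $null
                    Finding = 'Group nested in privileged group; review its membership'
                }
            }
        }
        # Then the effective membership: -Recursive expands nested groups
        foreach ($m in Get-ADGroupMember -Identity $groupName -Recursive) {
            if ($m.objectClass -ne 'user') { continue }
            $u = Get-ADUser -Identity $m.DistinguishedName `
                 -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate
            $findings = @()
            if (-not $u.Enabled) { $findings += 'Disabled account still privileged' }
            if ($u.PasswordNeverExpires) { $findings += 'Password never expires' }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $cutoff) {
                $findings += "Password older than $StalePasswordDays days"
            }
            $finding = if ($findings) { $findings -join '; ' } else { 'None' }
            [pscustomobject]@{
                Group = $groupName; Member = $u.SamAccountName; Type = 'User'
                Enabled = $u.Enabled; PasswordLastSet = $u.PasswordLastSet
                LastLogonDate = $u.LastLogonDate; Finding = $finding
            }
        }
    }
}

Get-PrivilegedGroupReport | Sort-Object Group, Type, Member | Format-Table -AutoSize
```

Run it as the ordinary domain user from the setup above; reading group membership and these user attributes needs no special privileges, so the report works before you have any admin access yourself.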

One of the most challenging tasks in my job is taking over a domain environment. It can be very complicated, and it can take so much time just to understand what's going on. There is a lot more information to look for, and a lot more topics to investigate, but I think I gave you a nice head start and something to begin with.

How would you tackle this task? I would love to hear about it!
