The PowerShell command targets the Administrators group (or any privileged group you define) and extracts critical security-related properties for each member.
1. Account Identification and Verification
| Audit Check | Script Output Relevance | Interpretation & Action |
|---|---|---|
| Associated with expected people? | SamAccountName | Cross-reference this list against the current roster of authorized administrators; the script cannot do this for you. Every member you cannot tie to a named, authorized person is a finding. Action: remove unexpected accounts and record who approved the remaining ones. |
| Service accounts that shouldn't require AD admin rights? | SamAccountName | Look for names like VMware, Exchange, LDAP, VPN, SharePoint, or anything prefixed svc. These are application service accounts; a compromise of the application (or of the server that caches its credential) becomes a compromise of the domain. They should hold only the specific delegated rights their function needs, not full AD admin rights. Action: remove them from the Administrators group and replace the membership with targeted delegation (or a gMSA where the application supports it). |
2. Password and Logon Hygiene
| Audit Check | Script Output Relevance | Interpretation & Action |
|---|---|---|
| Passwords current? Expected/outliers? | PasswordLastSet | Examine this date column. Outliers (one password set 10 years ago while the rest are within two years) are a major red flag: a credential that old has almost certainly been exposed through backups, scripts or former staff. Action: force an immediate password change on non-compliant accounts and find out why the rotation was missed. |
| Default Administrator account logged on recently? | LastLogonDate for the account named Administrator (more reliably, the account whose SID ends in -500, since the built-in account keeps that RID even when renamed) | A recent LastLogonDate on the built-in account is a significant concern, because its use is rarely attributable to an individual. Note that LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only refreshed when the stored value is more than roughly 9-14 days old, so it tells you the account was used around that time, not the exact last logon. The built-in Administrator should be renamed (a speed bump, not a control, given the RID), its use strictly limited to break-glass recovery, and it should be disabled where policy allows. Action: investigate the activity immediately and review the security policy for this account. |
| Are there passwords in user attributes? | (Manual Check) | Not visible in the provided script output, but a crucial check: plaintext passwords are routinely left in free-text fields such as Description, info, comment and the extensionAttribute1-15 range, all of which are readable by every authenticated user. Run a separate query (for example `Get-ADUser -Filter * -Properties Description,info,comment` plus any extensionAttribute fields your organization populates) and search the results for password-like strings. Action: remove the secret from the attribute and rotate that password, since anyone in the domain may already have read it. |
3. Kerberos and Account Settings
| Audit Check | Script Output Relevance | Interpretation & Action |
|---|---|---|
| Are all accounts enabled? | Enabled | Every account that remains in the group should be True. A False (disabled) account cannot log on, but it is still a member of a highly privileged group and can be re-enabled by anyone with write access to it. Action: remove disabled accounts from the group rather than leaving the membership to accumulate. |
| Do all accounts require Kerberos preauthentication? | DoesNotRequirePreAuth | The value for an admin account must be False. If it is True, the KDC will hand an AS-REP encrypted with the account's password-derived key to anyone who asks, which is the AS-REP Roasting credential-theft attack. Action: clear the "Do not require Kerberos preauthentication" option (`Set-ADAccountControl -Identity <account> -DoesNotRequirePreAuth $false`) on any admin account where this is True. |
| Do any use Kerberos DES? | UseDESKeyOnly | The value must be False. DES is an outdated and weak encryption standard, and a DES-only account forces the KDC to issue tickets an attacker can brute-force offline. Action: clear the "Use Kerberos DES encryption types for this account" option (`Set-ADAccountControl -Identity <account> -UseDESKeyOnly $false`) on any admin account where this is True. |
| Are any set to never expire their password? | PasswordNeverExpires | The value must be False. A password that never expires gives a stolen or leaked admin credential an unlimited useful life. Action: clear the flag (`Set-ADUser -Identity <account> -PasswordNeverExpires $false`), then force a password change so the next expiry is actually enforced. |
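The following script is an added example that applies all three tables in one pass; it is not the page's own script. It assumes the ActiveDirectory RSAT module, read access to the domain, and the values of `$GroupName`, `$Authorized`, `$ServicePattern`, `$MaxPwdAgeDays` and the attribute list, which are placeholders to adapt to your environment. It goes slightly beyond the tables by resolving nested membership, identifying the built-in Administrator by its RID rather than its name, and including the attribute-password scan that the original output lacks.

```powershell
# Added example (not the page's own script): audit a privileged AD group against
# the checks in the tables above. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$GroupName      = 'Administrators'                        # assumed; any privileged group works
$Authorized     = @('alice.adm', 'bob.adm')               # assumed roster of approved admin SamAccountNames
$ServicePattern = 'vmware|exchange|ldap|vpn|sharepoint|svc' # assumed name hints for service accounts
$MaxPwdAgeDays  = 365                                     # assumed password-age ceiling for admins

# Free-text attributes where plaintext passwords are commonly left; extend with the
# extensionAttribute1-15 fields your organization actually populates.
$TextAttrs = 'Description', 'info', 'comment', 'extensionAttribute1', 'extensionAttribute2'

$Props = @('SamAccountName', 'Enabled', 'PasswordLastSet', 'PasswordNeverExpires', 'LastLogonDate',
           'DoesNotRequirePreAuth', 'UseDESKeyOnly') + $TextAttrs

# Resolve nested groups so indirect members are audited too; keep only user objects.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$findings = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties $Props
    $issues = New-Object System.Collections.Generic.List[string]

    # 1. Account identification and verification
    if ($u.SamAccountName -notin $Authorized)     { $issues.Add('NotOnAuthorizedList') }
    if ($u.SamAccountName -match $ServicePattern) { $issues.Add('LooksLikeServiceAccount') }

    # 2. Password and logon hygiene
    if (-not $u.PasswordLastSet) {
        $issues.Add('PasswordNeverSet')
    } elseif ((New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days -gt $MaxPwdAgeDays) {
        $issues.Add('PasswordOlderThanPolicy')
    }
    # RID 500 is the built-in Administrator regardless of its current name.
    # LastLogonDate comes from lastLogonTimestamp, so treat it as accurate to ~14 days.
    if ($u.SID.Value -match '-500$' -and $u.LastLogonDate -and
        $u.LastLogonDate -gt (Get-Date).AddDays(-30)) {
        $issues.Add('BuiltinAdminUsedRecently')
    }
    # Crude plaintext-secret scan over free-text attributes (pattern is an assumption; tune it).
    foreach ($attr in $TextAttrs) {
        if ($u.$attr -and $u.$attr -match '(pass(word|wd)?|pwd|pw)\s*[:=]') {
            $issues.Add("PossiblePasswordIn:$attr")
        }
    }

    # 3. Kerberos and account settings
    if (-not $u.Enabled)          { $issues.Add('DisabledButStillMember') }
    if ($u.DoesNotRequirePreAuth) { $issues.Add('ASREPRoastable') }
    if ($u.UseDESKeyOnly)         { $issues.Add('DESOnly') }
    if ($u.PasswordNeverExpires)  { $issues.Add('PasswordNeverExpires') }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        Issues          = ($issues -join ';')
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize
$findings | Export-Csv -Path ".\$GroupName-audit.csv" -NoTypeInformation
```

Run it from a workstation used for administration, not from a domain controller, and keep the CSV: the Issues column is the evidence for the Action steps in the tables, and a copy from the previous audit lets you diff membership and flag changes rather than re-reviewing every row. Remediation cmdlets (`Set-ADAccountControl`, `Set-ADUser`, `Remove-ADGroupMember`) are deliberately not run automatically; each finding should be confirmed against the roster first.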