commit 66fd27211f6799dae181d2ba5492e05948605c9e
Author: shaun
Date: Thu Jul 3 07:31:03 2025 +0000
Add Audit-SPNAccounts.ps1
diff --git a/Audit-SPNAccounts.ps1 b/Audit-SPNAccounts.ps1
new file mode 100644
index 0000000..22572f3
--- /dev/null
+++ b/Audit-SPNAccounts.ps1
@@ -0,0 +1,31 @@
+# Requires: RSAT (ActiveDirectory module)
+
+# Define password age threshold (in days)
+$MaxPasswordAgeDays = 365
+$Now = Get-Date
+
+# Get all users with an SPN set
+$spnAccounts = Get-ADUser -Filter {ServicePrincipalName -like "*"} `
+ -Properties ServicePrincipalName, PasswordLastSet, DoesNotRequirePreAuth
+
+$results = foreach ($acct in $spnAccounts) {
+ $passwordAge = ($Now - $acct.PasswordLastSet).Days
+
+ [PSCustomObject]@{
+ Name = $acct.SamAccountName
+ SPNs = ($acct.ServicePrincipalName -join ", ")
+ PasswordLastSet = $acct.PasswordLastSet
+ PasswordAgeDays = $passwordAge
+ RequiresPreAuth = -not $acct.DoesNotRequirePreAuth
+ PasswordStale = $passwordAge -gt $MaxPasswordAgeDays
+ Risky_NoPreAuth = $acct.DoesNotRequirePreAuth
+ }
+}
+
+# Output as table
+$results | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
+
+# Optional: Export to CSV for further review
+$results | Export-Csv -Path ".\SPN_Audit_Report.csv" -NoTypeInformation
+
+Write-Host "`nAudit complete. Results saved to SPN_Audit_Report.csv." -ForegroundColor Green
\ No newline at end of file
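Review bot: `$acct.PasswordLastSet` is subtracted from `$Now` in the `foreach` body without a null check, and an account whose password was never set (or is flagged to change at next logon) typically returns a null value there. The subtraction then errors for that account, so its `PasswordAgeDays` is likely empty or left over from the previous iteration, and `PasswordStale` cannot be trusted for exactly the accounts this audit should surface. Guard it with `$passwordAge = if ($acct.PasswordLastSet) { ($Now - $acct.PasswordLastSet).Days } else { $null }` and `PasswordStale = (-not $acct.PasswordLastSet) -or ($passwordAge -gt $MaxPasswordAgeDays)`. Separately, the CSV is an inventory of SPN-bearing accounts with old passwords written to the working directory, so the export line deserves a comment such as `# Report lists weakly protected service accounts; store it in an access-restricted location`.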