Add Audit-SPNAccounts.ps1

2025-07-03 07:31:03 +00:00
commit 66fd27211f
1 changed files with 31 additions and 0 deletions
--- a/Audit-SPNAccounts.ps1
+++ b/Audit-SPNAccounts.ps1
@ -0,0 +1,31 @@
+# Requires: RSAT (ActiveDirectory module)
+
+# Define password age threshold (in days)
+$MaxPasswordAgeDays = 365
+$Now = Get-Date
+
+# Get all users with an SPN set
+$spnAccounts = Get-ADUser -Filter {ServicePrincipalName -like "*"} `
+    -Properties ServicePrincipalName, PasswordLastSet, DoesNotRequirePreAuth
+
+$results = foreach ($acct in $spnAccounts) {
+    $passwordAge = ($Now - $acct.PasswordLastSet).Days
+
+    [PSCustomObject]@{
+        Name                     = $acct.SamAccountName
+        SPNs                     = ($acct.ServicePrincipalName -join ", ")
+        PasswordLastSet          = $acct.PasswordLastSet
+        PasswordAgeDays          = $passwordAge
+        RequiresPreAuth          = -not $acct.DoesNotRequirePreAuth
+        PasswordStale            = $passwordAge -gt $MaxPasswordAgeDays
+        Risky_NoPreAuth          = $acct.DoesNotRequirePreAuth
+    }
+}
+
+# Output as table
+$results | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
+
+# Optional: Export to CSV for further review
+$results | Export-Csv -Path ".\SPN_Audit_Report.csv" -NoTypeInformation
+
+Write-Host "`nAudit complete. Results saved to SPN_Audit_Report.csv." -ForegroundColor Green