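#Requires -Modules ActiveDirectory
# Requires: RSAT (ActiveDirectory module)
#
# Audits user accounts that have a ServicePrincipalName (SPN) set and reports
# password age and Kerberos pre-authentication status for each one.
# Output: a table on the console and SPN_Audit_Report.csv in the current
# directory. The report names the accounts with the weakest settings, so keep
# it somewhere with restricted access.

# Define password age threshold (in days)
$MaxPasswordAgeDays = 365
$Now = Get-Date

# Get all users with an SPN set.
# A string filter is used instead of a script block; the AD module converts
# script-block filters to strings anyway.
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, DoesNotRequirePreAuth

$results = foreach ($acct in $spnAccounts) {
    # PasswordLastSet is empty when the directory holds no password-set time
    # for the account. Subtracting $null from a date fails, which would leave
    # the age empty and report the account as "not stale". Keep the age empty
    # but flag the account, so it is reviewed instead of silently passing.
    $passwordAge = if ($acct.PasswordLastSet) {
        ($Now - $acct.PasswordLastSet).Days
    } else {
        $null
    }

    [PSCustomObject]@{
        Name            = $acct.SamAccountName
        SPNs            = ($acct.ServicePrincipalName -join ", ")
        PasswordLastSet = $acct.PasswordLastSet
        PasswordAgeDays = $passwordAge
        RequiresPreAuth = -not $acct.DoesNotRequirePreAuth
        # Stale when older than the threshold, or when the age is unknown.
        PasswordStale   = ($null -eq $passwordAge) -or ($passwordAge -gt $MaxPasswordAgeDays)
        # True when Kerberos pre-authentication is disabled on the account.
        Risky_NoPreAuth = $acct.DoesNotRequirePreAuth
    }
}

# Output as table (oldest passwords first)
$results | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# Optional: Export to CSV for further review
$results | Export-Csv -Path ".\SPN_Audit_Report.csv" -NoTypeInformation

Write-Host "`nAudit complete. Results saved to SPN_Audit_Report.csv." -ForegroundColor Green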