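#Requires -Modules ActiveDirectory
# Requires: RSAT (ActiveDirectory module)
#
# Audits user accounts that have a Service Principal Name (SPN) set and reports,
# per account, the password age and whether Kerberos pre-authentication is
# required. Service accounts with old passwords, or with pre-authentication
# disabled, are the ones to prioritise for password rotation and hardening.
#
# Scope notes for the reader of the report:
#   - Only accounts WITH an SPN are queried. Accounts that have pre-authentication
#     disabled but no SPN are not covered by this script.
#   - No Enabled filter is applied, so disabled accounts appear in the results too.

# Define password age threshold (in days)
$MaxPasswordAgeDays = 365
$Now = Get-Date

# Get all users with an SPN set.
# A string filter is used rather than a script block, which is the form the
# ActiveDirectory module documentation recommends for -Filter.
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet, DoesNotRequirePreAuth

$results = foreach ($acct in $spnAccounts) {
    # PasswordLastSet can be empty (for example when a password was never set or
    # must be changed at next logon). Subtracting an empty value from a date
    # fails, which would leave the age wrong or blank and the account reported
    # as "not stale". Such accounts are flagged for review instead.
    $passwordNeverSet = $null -eq $acct.PasswordLastSet
    $passwordAge = if ($passwordNeverSet) {
        $null
    } else {
        ($Now - $acct.PasswordLastSet).Days
    }

    [PSCustomObject]@{
        Name            = $acct.SamAccountName
        SPNs            = ($acct.ServicePrincipalName -join ", ")
        PasswordLastSet = $acct.PasswordLastSet
        PasswordAgeDays = $passwordAge
        RequiresPreAuth = -not $acct.DoesNotRequirePreAuth
        PasswordStale   = $passwordNeverSet -or ($passwordAge -gt $MaxPasswordAgeDays)
        Risky_NoPreAuth = $acct.DoesNotRequirePreAuth
    }
}

# Output as table.
# Stale accounts first, oldest password first; accounts with no PasswordLastSet
# have no age and are listed at the end of the stale group.
$results | Sort-Object PasswordStale, PasswordAgeDays -Descending | Format-Table -AutoSize

# Optional: Export to CSV for further review.
# The report is written to the current directory and lists the service accounts
# most in need of remediation, so keep it somewhere with restricted access.
$results | Export-Csv -Path ".\SPN_Audit_Report.csv" -NoTypeInformation

Write-Host "`nAudit complete. Results saved to SPN_Audit_Report.csv." -ForegroundColor Green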