Background

The article below collects reliable and up-to-date guidelines and a checklist for performing an Active Directory health check.

This is a "living" article, so please feel free to update and extend it.

Use at your own risk

Neither Microsoft nor the authors provide any guarantee.

Although I have been working with the cmdlets and scripts in this checklist, please use them with caution and at your own risk!

1. Clean up domain groups

Clean up the following domain groups by removing orphaned accounts and accounts that no longer need the permissions:

  1. Domain Admins
  2. Enterprise Admins (in German "Organisations-Admins")
  3. Schema Admins
  4. all other built-in administrative groups of the domain

Custom security groups you have created must be cleaned up in the same way.
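The following script is an added example (it is not part of the original article) that produces the membership report you need for this clean-up. It resolves the groups by their well-known RIDs so that it also works with localized group names, flattens nested membership, and marks disabled or long-unused accounts for review. It assumes the ActiveDirectory RSAT module on a domain-joined host and a single-domain forest (in a multi-domain forest, query Schema Admins and Enterprise Admins in the forest root with -Server); the 90-day threshold is an assumption.

```powershell
# Added example: report members of the privileged domain groups (nested members included)
# and flag accounts that should be reviewed before they are removed.
# Assumes: ActiveDirectory module, domain-joined host, single-domain forest.
Import-Module ActiveDirectory

# Well-known RIDs instead of names, so the script works on localized domains
# (e.g. "Organisations-Admins" on a German domain).
$domainSid = (Get-ADDomain).DomainSID.Value
$privilegedGroups = @(
    "$domainSid-512"      # Domain Admins
    "$domainSid-518"      # Schema Admins (lives in the forest root domain)
    "$domainSid-519"      # Enterprise Admins (lives in the forest root domain)
    'S-1-5-32-544'        # BUILTIN\Administrators
    'S-1-5-32-548'        # Account Operators
    'S-1-5-32-549'        # Server Operators
    'S-1-5-32-550'        # Print Operators
    'S-1-5-32-551'        # Backup Operators
)
$staleDays = 90   # assumption: accounts without a logon for 90 days deserve a review

$report = foreach ($sid in $privilegedGroups) {
    $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    # -Recursive flattens nested groups down to the user/computer objects
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $group.Name
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                # Disabled accounts and accounts without a recent logon are review candidates
                Review          = (-not $u.Enabled) -or
                                  ($null -eq $u.LastLogonDate) -or
                                  ($u.LastLogonDate -lt (Get-Date).AddDays(-$staleDays))
            }
        }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
# Keep the list with the health-check documentation and review it with the account owners
$report | Export-Csv -Path .\PrivilegedGroupMembers.csv -NoTypeInformation
```

Run it with an account that can read group membership; removals are done deliberately afterwards, not by the script.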

2. Check existing Service Accounts

While reviewing user accounts, also check your service accounts. You can list all accounts that have a Service Principal Name registered with the following cmdlet:

Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties PasswordLastSet,LastLogonDate,TrustedForDelegation,ServicePrincipalName

In this context, also have a look at gMSAs (group managed service accounts):

https://docs.microsoft.com/de-de/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview

3. List all Service Principal Names (SPN) in your domain

https://gallery.technet.microsoft.com/List-all-SPNs-Used-in-your-e0c6267a
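As an added example for points 2 and 3 (not part of the original article or of the linked gallery script), the following script builds on the cmdlet above: it lists user-based service accounts with stale passwords or unconstrained delegation, and it enumerates every SPN in the domain to detect duplicates, which break Kerberos authentication for the affected service. It assumes the ActiveDirectory module on a domain-joined host; the one-year password age threshold is an assumption.

```powershell
# Added example: inventory service accounts and all SPNs, flag stale passwords,
# unconstrained delegation and duplicate SPNs.
# Assumes: ActiveDirectory module, domain-joined host.
Import-Module ActiveDirectory

$passwordAgeDays = 365   # assumption: review service-account passwords older than a year

# --- Point 2: user accounts that carry an SPN ---
$serviceAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, TrustedForDelegation |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName          = $_.SamAccountName
            Enabled                 = $_.Enabled
            PasswordLastSet         = $_.PasswordLastSet
            LastLogonDate           = $_.LastLogonDate
            # TrustedForDelegation = unconstrained delegation: the service may impersonate
            # every user that authenticates to it, so it needs an explicit justification
            UnconstrainedDelegation = $_.TrustedForDelegation
            SpnCount                = @($_.ServicePrincipalName).Count
            OldPassword             = ($null -eq $_.PasswordLastSet) -or
                                      ($_.PasswordLastSet -lt (Get-Date).AddDays(-$passwordAgeDays))
        }
    }
$serviceAccounts | Sort-Object OldPassword, UnconstrainedDelegation -Descending | Format-Table -AutoSize

# --- Point 3: every SPN in the domain (user and computer objects), one row per SPN ---
$allSpns = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        $owner = $_.DistinguishedName
        $class = $_.ObjectClass
        foreach ($spn in $_.servicePrincipalName) {
            [pscustomobject]@{ SPN = $spn; Owner = $owner; ObjectClass = $class }
        }
    }

# An SPN must map to exactly one account; the KDC cannot pick between two owners.
# Group-Object compares case-insensitively by default, which matches SPN semantics.
$duplicates = $allSpns | Group-Object SPN | Where-Object Count -gt 1
if ($duplicates) {
    Write-Warning 'Duplicate SPNs found:'
    $duplicates | ForEach-Object { $_.Group } | Format-Table SPN, Owner -AutoSize
} else {
    Write-Host 'No duplicate SPNs found.'
}
$allSpns | Export-Csv -Path .\AllSPNs.csv -NoTypeInformation
```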

4. Clean up the SYSVOL share

Make sure the SYSVOL share only contains data that is really needed. So far I have seen SYSVOL shares containing and replicating many unnecessary files, e.g. expired certificates, various zipped files, multiple installer files of the same application, etc.
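The following script is an added example (not part of the original article) that inventories the SYSVOL share and points out exactly the kind of content mentioned above: a size overview per file type, large files, archives and installers, and certificate files that have already expired. It assumes a domain-joined host with read access to \\<domain>\SYSVOL and the ActiveDirectory module; the 10 MB threshold and the extension list are assumptions.

```powershell
# Added example: find content that usually does not belong in SYSVOL.
# Assumes: ActiveDirectory module, read access to the SYSVOL share.
Import-Module ActiveDirectory

$domain      = (Get-ADDomain).DNSRoot
$sysvol      = "\\$domain\SYSVOL\$domain"
$sizeLimitMB = 10                                           # assumption
$suspectExt  = '.zip', '.7z', '.rar', '.msi', '.exe', '.iso', '.cab'   # assumption

$files = Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue

# Overview per file type: SYSVOL normally holds .pol, .ini, .inf, .adm/.admx and scripts
$files | Group-Object Extension |
    Select-Object Name, Count,
        @{n = 'TotalMB'; e = { [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 2) }} |
    Sort-Object TotalMB -Descending | Format-Table -AutoSize

# Large files, archives and installers
$files | Where-Object { $_.Length -gt $sizeLimitMB * 1MB -or $suspectExt -contains $_.Extension } |
    Select-Object FullName, @{n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 2) }}, LastWriteTime |
    Format-Table -AutoSize

# Expired certificate files (.cer/.crt load without a password; .pfx would need one)
$files | Where-Object { $_.Extension -in '.cer', '.crt' } | ForEach-Object {
    $file = $_
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        if ($cert.NotAfter -lt (Get-Date)) {
            [pscustomobject]@{ File = $file.FullName; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
        }
    } catch {
        Write-Warning "Could not parse certificate $($file.FullName): $($_.Exception.Message)"
    }
}
```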

5. Check the SYSVOL replication health state

In typical infrastructures with Windows Server 2012 or newer domain controllers you should already be using DFS-R for SYSVOL replication.

To check its health, use the DFS Management console and run a propagation test, a propagation report and a general health report.

In addition, check the DFS Replication log in Event Viewer on the domain controllers!

If you still run older operating systems and use FRS for SYSVOL replication, check the File Replication Service log in Event Viewer instead.
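As an added example (not part of the original article), the following script automates the event log part of this check: it determines whether SYSVOL is replicated by DFS-R or FRS, collects critical, error and warning events from the matching log on every domain controller for the last seven days, and, for DFS-R, reports the replication backlog between the DCs. It assumes it is run on a domain controller (for dfsrmig), remote Event Log access to all DCs, and the ActiveDirectory and DFSR RSAT modules; the seven-day window is an assumption.

```powershell
# Added example: SYSVOL replication health from the event logs and the DFS-R backlog.
# Assumes: run on a DC, remote event log access, ActiveDirectory + DFSR modules.
Import-Module ActiveDirectory

$days = 7   # assumption
$dcs  = (Get-ADDomainController -Filter *).HostName

# dfsrmig /getglobalstate reports the SYSVOL migration state:
# 'Eliminated' = DFS-R is in use, 'Start' = FRS is still in use.
$migState = dfsrmig /getglobalstate
$migState
$usesDfsr = ($migState -join ' ') -match 'Eliminated'
$logName  = if ($usesDfsr) { 'DFS Replication' } else { 'File Replication Service' }

$events = foreach ($dc in $dcs) {
    try {
        # Level 1 = Critical, 2 = Error, 3 = Warning
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = $logName
            Level     = 1, 2, 3
            StartTime = (Get-Date).AddDays(-$days)
        } -ErrorAction Stop |
            Select-Object @{n = 'DC'; e = { $dc }}, TimeCreated, Id, LevelDisplayName,
                          @{n = 'Message'; e = { $_.Message -replace '\s+', ' ' }}
    } catch {
        # Get-WinEvent throws "No events were found" when nothing matches; that is the good case
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}
$events | Sort-Object TimeCreated -Descending | Format-Table DC, TimeCreated, Id, LevelDisplayName -AutoSize

# DFS-R event 4012: the DC stopped replicating SYSVOL because it was disconnected longer than MaxOfflineTimeInDays
$events | Where-Object Id -eq 4012 | Format-List DC, TimeCreated, Message

if ($usesDfsr -and (Get-Module -ListAvailable DFSR)) {
    Import-Module DFSR
    # Backlog from the first DC to every other DC; a persistent backlog means replication is stuck
    $source = $dcs[0]
    foreach ($dest in ($dcs | Where-Object { $_ -ne $source })) {
        $backlog = @(Get-DfsrBacklog -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' `
                        -SourceComputerName $source -DestinationComputerName $dest -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Source = $source; Destination = $dest; BacklogFiles = $backlog.Count }
    }
}
```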

6. Check the Domain / Forest Functional Level

Many current technologies require a raised domain / forest functional level, so check which functional levels your domain and forest are at.

https://docs.microsoft.com/de-de/windows-server/identity/ad-ds/active-directory-functional-levels

7. Password Policy in Default Domain Policy / Domain Controllers Policy

https://activedirectorypro.com/how-to-configure-a-domain-password-policy/

8. OU permissions

Many infrastructures use delegated rights on OUs. In this case, make sure that:

  1. the delegated rights on the OU structure are still needed
  2. delegated rights are granted only to groups, never to individual user accounts
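The following script is an added example (not part of the original article) for both points: it lists every explicit (non-inherited) access control entry on every OU, so the list can be compared against the documented delegations, and it flags entries granted directly to a user object instead of a group. It assumes the ActiveDirectory module (which provides the AD: drive) on a domain-joined host; the list of default principals to ignore is an assumption and can be extended.

```powershell
# Added example: audit delegated rights on OUs and find delegations to single users.
# Assumes: ActiveDirectory module (AD: drive), domain-joined host.
Import-Module ActiveDirectory

# Principals that appear on OUs by default and are not "delegations" (assumption, extend as needed)
$ignore = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
          'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
          'BUILTIN\Pre-Windows 2000 Compatible Access', 'CREATOR OWNER', 'Everyone'
$netbios = (Get-ADDomain).NetBIOSName
$cache   = @{}   # identity -> objectClass, so each principal is resolved only once

function Get-PrincipalClass([string]$identity) {
    if ($cache.ContainsKey($identity)) { return $cache[$identity] }
    $class = 'unknown'
    if ($identity -like "$netbios\*") {
        $sam = $identity.Split('\')[1]
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -ErrorAction SilentlyContinue
        if ($obj) { $class = $obj.ObjectClass }
    }
    $cache[$identity] = $class
    return $class
}

$delegations = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # Inherited ACEs come from a parent and were already reported there
        if ($ace.IsInherited -or $ignore -contains $id) { continue }
        [pscustomobject]@{
            OU            = $ou.DistinguishedName
            Identity      = $id
            PrincipalType = Get-PrincipalClass $id
            Rights        = $ace.ActiveDirectoryRights
            Type          = $ace.AccessControlType
            Inheritance   = $ace.InheritanceType
            ObjectType    = $ace.ObjectType   # GUID of the attribute/class the ACE is limited to
        }
    }
}

# Point 1: compare the full list with the documented, still-needed delegations
$delegations | Sort-Object OU, Identity | Export-Csv -Path .\OUDelegations.csv -NoTypeInformation

# Point 2: delegations to individual user accounts should be replaced by a group
$delegations | Where-Object PrincipalType -eq 'user' | Format-Table OU, Identity, Rights -AutoSize
```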

9. Windows Security Baseline for Windows Server

To improve OS security, review the Microsoft-recommended Windows security baseline for Windows Server systems and enable the settings that fit your configuration!

https://docs.microsoft.com/de-de/windows/security/threat-protection/windows-security-baselines

10. Active Directory Recycle Bin

Check whether the Active Directory Recycle Bin is enabled; it is recommended when using Office 365.
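The following script is an added example (not part of the original article) that covers points 6, 7 and 10 in one report: the domain and forest functional levels, the password policy from the Default Domain Policy together with any fine-grained password policies that override it, and the state of the Active Directory Recycle Bin. It assumes the ActiveDirectory module on a domain-joined host; the threshold values used for the findings are assumptions and should be replaced by your own policy.

```powershell
# Added example: domain-wide settings report (functional levels, password policy, recycle bin).
# Assumes: ActiveDirectory module, domain-joined host.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$findings = @()

# 6. Functional levels
[pscustomobject]@{
    Domain            = $domain.DNSRoot
    DomainMode        = $domain.DomainMode
    Forest            = $forest.Name
    ForestMode        = $forest.ForestMode
    DomainControllers = ($domain.ReplicaDirectoryServers | Measure-Object).Count
} | Format-List

# 7. Password policy of the Default Domain Policy (the one applied at the domain head)
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Format-List MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                      MaxPasswordAge, MinPasswordAge, LockoutThreshold,
                      LockoutDuration, LockoutObservationWindow, ReversibleEncryptionEnabled

# Thresholds below are assumptions; adjust them to your own policy
if ($policy.MinPasswordLength -lt 14)    { $findings += "MinPasswordLength is $($policy.MinPasswordLength) (< 14)" }
if (-not $policy.ComplexityEnabled)      { $findings += 'Password complexity is disabled' }
if ($policy.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount) (< 24)" }
if ($policy.LockoutThreshold -eq 0)      { $findings += 'Account lockout is disabled (LockoutThreshold = 0)' }
if ($policy.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is enabled' }

# Fine-grained password policies (PSOs) override the default policy for their members
$psos = Get-ADFineGrainedPasswordPolicy -Filter *
if ($psos) {
    $psos | Format-Table Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo -AutoSize
} else {
    Write-Host 'No fine-grained password policies defined.'
}

# 10. Recycle Bin: the feature is enabled when EnabledScopes is not empty
$recycleBin        = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$recycleBinEnabled = ($recycleBin.EnabledScopes | Measure-Object).Count -gt 0
if (-not $recycleBinEnabled) { $findings += 'AD Recycle Bin is not enabled' }
"Recycle Bin enabled: $recycleBinEnabled"

if ($findings) { Write-Warning ("Findings:`n - " + ($findings -join "`n - ")) } else { 'No findings.' }
```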

11. Kerberos MaxTokenSize

Here is a link to a gallery script that checks the Kerberos token size of a user:

https://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5

Here is an article for troubleshooting authentication issues when a user's Kerberos token exceeds MaxTokenSize:

https://support.microsoft.com/en-us/help/327825/problems-with-kerberos-authentication-when-a-user-belongs-to-many-grou
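As an added example (not part of the original article or of the linked gallery script), the following function estimates a user's Kerberos token size with the formula from the linked Microsoft article, TokenSize = 1200 + 40d + 8s, where d is the number of domain local groups, universal groups outside the user's account domain and SIDs in sIDHistory, and s is the number of global groups and universal groups inside the account domain. The estimate is compared with the default MaxTokenSize values (12000 bytes before Windows 8 / Server 2012, 48000 bytes since). It assumes the ActiveDirectory module on a domain-joined host; groups that cannot be resolved (other domains or forests) are counted as d.

```powershell
# Added example: estimate the Kerberos token size of a user from its group memberships.
# Assumes: ActiveDirectory module, domain-joined host.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # tokenGroups is a constructed attribute and is only returned for a base (-Identity) query;
    # it contains every security group of the user, nested groups included
    $user          = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $userDomainSid = $user.SID.AccountDomainSid.Value

    $d = ($user.sIDHistory | Measure-Object).Count   # SID history counts towards d
    $s = 0
    foreach ($sid in $user.tokenGroups) {
        $group = Get-ADGroup -Identity $sid.Value -ErrorAction SilentlyContinue
        if (-not $group) { $d++; continue }           # unresolvable (foreign) groups count as d
        $sameDomain = $sid.AccountDomainSid.Value -eq $userDomainSid
        switch ($group.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
        }
    }

    $estimate = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User           = $user.SamAccountName
        GroupCount     = ($user.tokenGroups | Measure-Object).Count
        d              = $d
        s              = $s
        EstimatedBytes = $estimate
        ExceedsLegacy  = $estimate -gt 12000   # default MaxTokenSize before Windows 8 / Server 2012
        ExceedsCurrent = $estimate -gt 48000   # default MaxTokenSize since Windows 8 / Server 2012
    }
}

# Check the 20 users with the most direct group memberships first
# (assumption: enumerating all users is acceptable; use -SearchBase in large domains)
Get-ADUser -Filter * -Properties memberOf |
    Sort-Object { @($_.memberOf).Count } -Descending |
    Select-Object -First 20 |
    ForEach-Object { Get-EstimatedTokenSize -SamAccountName $_.SamAccountName } |
    Format-Table -AutoSize
```

The value is an estimate: the real token also depends on claims and on the build of the client, so treat users close to the limit as candidates for group clean-up rather than as confirmed failures.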