Introduction
During an Active Directory (AD) assessment, I found myself struggling with a collection of individual PowerShell scripts and their formatting—or rather, the lack thereof. The various PowerShell scripts included public, as well as proprietary, scripts that were used for retrieving Active Directory objects and their attributes. Faced with resource and time constraints within the team, I proposed to try to come up with a better, more efficient way to conduct some of the checks that we do during an AD assessment. Inspired in part by the excellent work of Sean Metcalf, the author of Invoke-TrimarcADChecks, my colleague Justin (Justin–P) and I (N1ck3nd) set out to develop what would ultimately become the InvokeADCheck PowerShell module.
InvokeADCheck is a PowerShell module designed to streamline the assessment of Active Directory environments. It performs various checks to identify potential security misconfigurations, weaknesses, and adherence to best practices. By running targeted checks through the PowerShell CLI, this module provides detailed results and actionable insights. It equips IT administrators and security professionals with the means to proactively identify and address potential security risks in AD environments.
Getting Started with InvokeADCheck
After downloading the PowerShell module and importing it into your session (or using our helpful installer), you can run comprehensive checks on your Active Directory domain. The module is flexible, allowing you to perform a single check, run multiple checks, or execute all available checks at once.
For a more detailed overview of the available checks, please visit: https://github.com/sensepost/InvokeADCheck/tree/main#featured-checks.

Execution of various InvokeADCheck checks after importing the PowerShell module.
Once the InvokeADCheck module completes its execution, it highlights various unsafe or default settings and configurations in red for easy identification. The results are displayed in the CLI by default, but you can also redirect the output to various file types, allowing you to save your findings or further process the data as needed.
As an example, you can gather information about user account health and export the results to Excel. To accomplish this, we utilised the ImportExcel PowerShell module.

Export user account health check results to XLSX and display them in the CLI.
The exported file will contain detailed information, including individual accounts and their corresponding attribute values, providing a comprehensive overview for further analysis.

View detailed user account health check results in the exported Excel file.
As you can see, the module provides actionable insights to help identify potential security risks, such as inactive accounts, or accounts with improper configurations. This detailed breakdown makes it easy to spot any inconsistencies and address them quickly. This will help secure your Active Directory environment and align it with industry best practices.
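The kind of user account health check and Excel export described above, as an added example that is not InvokeADCheck's own code. The function name `Test-UserAccountHealth`, the 90-day inactivity threshold and the sample accounts are assumptions; the property names are those returned by `Get-ADUser` from the ActiveDirectory module, and `Export-Excel` comes from ImportExcel.

```powershell
# Added example, not InvokeADCheck code. Test-UserAccountHealth is a hypothetical helper.
function Test-UserAccountHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $User,
        [int] $InactiveDays = 90   # assumed threshold; set it to match your policy
    )
    begin { $cutoff = (Get-Date).AddDays(-$InactiveDays) }
    process {
        $findings = @()
        if ($User.Enabled) {
            # LastLogonDate derives from lastLogonTimestamp, which replicates lazily,
            # so treat it as approximate.
            if (-not $User.LastLogonDate) {
                $findings += 'NeverLoggedOn'
            } elseif ($User.LastLogonDate -lt $cutoff) {
                $findings += 'Inactive'
            }
        }
        if ($User.PasswordNeverExpires)  { $findings += 'PasswordNeverExpires' }
        if ($User.PasswordNotRequired)   { $findings += 'PasswordNotRequired' }
        if ($User.DoesNotRequirePreAuth) { $findings += 'NoKerberosPreAuth' }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Enabled        = [bool]$User.Enabled
            LastLogonDate  = $User.LastLogonDate
            Findings       = $findings -join ', '
        }
    }
}

# Constructed sample accounts so the example runs without a domain. On a live domain use:
#   Get-ADUser -Filter * -Properties LastLogonDate, PasswordNeverExpires,
#       PasswordNotRequired, DoesNotRequirePreAuth | Test-UserAccountHealth
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true; LastLogonDate = $now.AddDays(-3) }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true; LastLogonDate = $now.AddDays(-400); PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'temp01'; Enabled = $true; LastLogonDate = $null; PasswordNotRequired = $true }
    [pscustomobject]@{ SamAccountName = 'old-admin'; Enabled = $false; LastLogonDate = $now.AddDays(-900); DoesNotRequirePreAuth = $true }
)

# Keep only accounts with at least one finding, show them, then export if ImportExcel is present.
$report = $sample | Test-UserAccountHealth | Where-Object Findings
$report | Format-Table -AutoSize
if (Get-Command Export-Excel -ErrorAction SilentlyContinue) {
    $report | Export-Excel -Path .\UserAccountHealth.xlsx -WorksheetName 'AccountHealth' -AutoSize
}
```

With the sample data, `alice` is filtered out and the other three accounts are reported; the disabled `old-admin` is not marked inactive but is still flagged for missing Kerberos pre-authentication.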
Creating the InvokeADCheck Module
The development of InvokeADCheck began with the use of a scaffolding framework, ModuleBuild, which helped organise the existing collection of scripts into individual private functions. Gradually, we started taking functions from the original collection and refactoring them to transform them into private functions for the module. Additionally, we wrote new private functions to handle tasks such as importing and installing dependencies, as well as formatting and printing output.
PS C:\InvokeADCheck\src\private> Get-ChildItem | Select-Object Name | Sort-Object -Property Name
Name
----
Enable-IADVirtualTerminal.ps1
Export-IADExcel.ps1
Get-CallerPreference.ps1
Get-IADADBackupStatus.ps1
Get-IADBuiltInGroupMembership.ps1
Get-IADDefaultAdministrator.ps1
Get-IADDefaultDomainPasswordPolicy.ps1
Get-IADDomainController.ps1
Get-IADDomainTrust.ps1
Get-IADFunctionalLevel.ps1
Get-IADGPO.ps1
Get-IADGPOPermission.ps1
Get-IADGPPPassword.ps1
Get-IADGuestAccount.ps1
Get-IADKerberosDelegation.ps1
Get-IADKerberosEncryptionType.ps1
Get-IADKerberosServiceAccount.ps1
Get-IADMSDSMachineQuota.ps1
Get-IADProtectedUsersGroup.ps1
Get-IADRootACL.ps1
Get-IADTombstoneLifetime.ps1
Get-IADUserAccountHealth.ps1
Import-IADADModule.ps1
Import-IADExcelModule.ps1
Import-IADGPOModule.ps1
Invoke-IADCheck.ps1
Update-IADOutputObjectColor.ps1
Write-IADAccountHealth.ps1
Write-IADChecksToCLI.ps1
Write-IADColor.ps1
Write-IADOutput.ps1
Listing of the private functions within the InvokeADCheck module, organised using the ModuleBuild framework.
In addition to the private functions, we developed a public function named ‘Invoke-ADCheck’ to handle parsing command-line arguments, performing prerequisite checks, executing the selected AD checks, and returning the results to the user in file format, directly in the command-line interface (CLI), or both. The module supports several different output types, allowing users to choose the format that best suits their needs.
We’ve tried to carefully acknowledge where we’ve used code from other projects in the NOTES section of each private module.
Final Considerations
Please note that InvokeADCheck is primarily intended for use in smaller Active Directory domains within a single AD forest. While it offers a streamlined and effective solution for basic assessments, it is important to keep in mind that it may not cover every scenario or configuration in more complex setups. The module is provided as-is, without any support or guarantees.
While the InvokeADCheck module is still a work in progress, feel free to try it out and contribute! The source code is available on GitHub at https://github.com/sensepost/InvokeADCheck.