What this script gives you
Auto-discovery: Finds your forest/domain/DCs; detects AAD Connect, PTA, AD FS.
Health checks: FSMO, DC reachability, time snapshots, replication (repadmin), dcdiag per DC, DNS basics, SYSVOL/DFSR, GPO inventory.
Security checks: Privileged groups, adminCount=1, password never expires, DES-only, preauth disabled, unconstrained delegation (users/computers), users with SPNs (Kerberoast exposure), stale users/computers, trusts.
Hybrid: Summarizes ADSync scheduler, service states, PTA, AD FS properties.
Entra ID (optional): If Microsoft.Graph or AzureAD is present and you’re authenticated, it captures the tenant and the Global Administrator count (a high count is a least-privilege red flag). If not, it safely skips.
Reporting: Clean HTML dashboard + CSV for every section, and logs for dcdiag.
(Optional) Azure Log Analytics one-shot upload of the summary.
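As an added illustration (not the article's script), this is how the user and computer security checks listed above can be collected with the RSAT ActiveDirectory module, one CSV per check plus a count summary; $OutDir and the 90-day stale threshold are assumptions.

```powershell
# Added example, not the article's Full-AD-DeepAssessment.ps1: collect the
# security findings listed above and write one CSV per check.
Import-Module ActiveDirectory -ErrorAction Stop

$OutDir      = 'C:\AD-Assessment\Security'   # assumed output path
$staleCutoff = (Get-Date).AddDays(-90)        # assumed "stale" threshold
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$props = 'adminCount','PasswordNeverExpires','DoesNotRequirePreAuth','UseDESKeyOnly',
         'TrustedForDelegation','ServicePrincipalName','LastLogonDate','Enabled'

# Each entry is a scriptblock returning the objects that match one check.
$checks = [ordered]@{
  # adminCount=1: protected by AdminSDHolder now or in the past; review leftovers
  'AdminCount'            = { Get-ADUser -Filter 'adminCount -eq 1' -Properties $props }
  'PasswordNeverExpires'  = { Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties $props }
  # DES-only keys are weak; preauth disabled exposes the account to offline AS-REP cracking
  'DESOnly'               = { Get-ADUser -Filter 'UseDESKeyOnly -eq $true' -Properties $props }
  'PreauthDisabled'       = { Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties $props }
  # unconstrained delegation: the host/account can impersonate anyone who authenticates to it
  'UnconstrainedDelegUsers'     = { Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties $props }
  'UnconstrainedDelegComputers' = { Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties LastLogonDate,OperatingSystem }
  # user accounts carrying SPNs: service tickets for them can be cracked offline (Kerberoast exposure)
  'UsersWithSPN'          = { Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props }
  # stale = enabled but no logon since the cutoff; never-logged-on accounts (null date) count too
  'StaleUsers'            = { Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
                              Where-Object { $_.LastLogonDate -lt $staleCutoff } }
  'StaleComputers'        = { Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate |
                              Where-Object { $_.LastLogonDate -lt $staleCutoff } }
}

function Invoke-SecurityChecks {
  foreach ($name in $checks.Keys) {
    $rows = @(& $checks[$name])
    $rows |
      Select-Object Name, SamAccountName, Enabled, LastLogonDate, adminCount,
                    @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
      Export-Csv -Path (Join-Path $OutDir "$name.csv") -NoTypeInformation
    # One summary row per check; a non-zero count is a finding to review, not a verdict
    [pscustomobject]@{ Check = $name; Count = $rows.Count }
  }
}

Invoke-SecurityChecks | Format-Table -AutoSize
```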
How to use this script
Open PowerShell as Administrator on a management server with RSAT/AD tools.
Save the script below as Full-AD-DeepAssessment.ps1.
Run:
Set-ExecutionPolicy RemoteSigned -Scope Process -Force
.\Full-AD-DeepAssessment.ps1 -OutputRoot "C:\AD-Assessment" -IncludeLogAnalytics:$false
Open the HTML report it generates: C:\AD-Assessment\Report\AD-DeepAssessment.html.