Select which hardening categories to include in the audit. Each category contains specific security checks aligned with CIS Benchmarks, NIST 800-53, and Microsoft security baselines.

Password Policy

Critical

Analyze domain password policies, fine-grained password policies (PSOs), and password complexity settings.

Default Domain Password Policy

Fine-Grained Password Policies (PSOs)

Accounts with non-expiring passwords

Accounts storing reversible encryption

Accounts with old passwords (threshold-based)

Privileged Access

Critical

Audit membership of high-privilege groups, nested group chains, and AdminSDHolder-protected accounts.

Domain Admins members

Enterprise Admins members

Schema Admins members

Builtin Administrators members

AdminSDHolder-protected objects

Service accounts in privileged groups

Kerberos Security

High

Detect Kerberoastable SPNs, AS-REP roastable accounts, unconstrained delegation, and weak encryption types.

Kerberoastable accounts (user SPNs)

AS-REP roastable accounts (no pre-auth)

Unconstrained delegation

Constrained delegation (protocol transition)

Accounts using DES encryption

Stale & Inactive Objects

Medium

Find inactive user and computer accounts, stale service accounts, and orphaned objects.

Inactive user accounts

Inactive computer accounts

Disabled accounts still in groups

Accounts that never logged on

Trust Relationships

High

Enumerate domain and forest trusts, SID filtering status, and selective authentication settings.

All trust relationships

SID filtering / quarantine status

Selective authentication analysis

Group Policy Security

Medium

Audit GPOs for security settings, unlinked policies, and potentially dangerous configurations.

All GPOs with link status

Unlinked / orphan GPOs

GPOs with broad write permissions

LDAP & Protocol Security

High

Check LDAP signing requirements, channel binding, SMB signing, and NTLMv1 usage indicators.

LDAP signing enforcement

LDAP channel binding

Anonymous / null LDAP bind

Domain Controller Security

Critical

Audit DC OS versions, functional levels, SYSVOL replication, and KRBTGT account status.

Domain Controller inventory & OS versions

Domain & forest functional levels

KRBTGT account password age

Tombstone lifetime & AD Recycle Bin

Account Security Hygiene

Medium

Check locked-out accounts, accounts without manager, accounts with delegation allowed, and more.

Currently locked-out accounts

Accounts with no expiration date

Accounts with SID History

Accounts with "password not required" flag

DNS Security

Low

Enumerate AD-integrated DNS zones, check dynamic update settings, and aging/scavenging configuration.

AD-integrated DNS zones

DNS aging & scavenging status

AD Hardening Audit Generator

Configuration

Audit Categories

Invoke-ADHardeningAudit.ps1

Continuous AD hardening monitoring with OnePAM