
function Compare-MultipleObjects { 
        [System.Collections.IList] $Objects,
        [Array] $ObjectsName = @(),
        [switch] $CompareSorted,
        [switch] $FormatOutput,
        [switch] $FormatDifferences,
        [switch] $Summary,
        [string] $Splitter = ', ',
        [string[]] $Property,
        [string[]] $ExcludeProperty,
        [switch] $AllProperties,
        [switch] $SkipProperties,
        [int] $First,
        [int] $Last,
        [Array] $Replace,
        [switch] $FlattenObject
    if ($null -eq $Objects -or $Objects.Count -eq 1) {
        Write-Warning "Compare-MultipleObjects - Unable to compare objects. Not enough objects to compare ($($Objects.Count))."
    if (-not $ObjectsName) {
        $ObjectsName = @()
    if ($ObjectsName.Count -gt 0 -and $Objects.Count -gt $ObjectsName.Count) {

        Write-Warning -Message "Compare-MultipleObjects - Unable to rename objects. ObjectsName small then amount of Objects ($($Objects.Count))."

    function Compare-TwoArrays {
            [string] $FieldName,
            [Array] $Object1,
            [Array] $Object2,
            [Array] $Replace
        $Result = [ordered] @{
            Status = $false
            Same   = [System.Collections.Generic.List[string]]::new()
            Add    = [System.Collections.Generic.List[string]]::new()
            Remove = [System.Collections.Generic.List[string]]::new()

        if ($Replace) {
            foreach ($R in $Replace) {

                if (($($R.Keys[0]) -eq '') -or ($($R.Keys[0]) -eq $FieldName)) {
                    if ($null -ne $Object1) {
                        $Object1 = $Object1 -replace $($R.Values)[0], $($R.Values)[1]
                    if ($null -ne $Object2) {
                        $Object2 = $Object2 -replace $($R.Values)[0], $($R.Values)[1]

        if ($null -eq $Object1 -and $null -eq $Object2) {
            $Result['Status'] = $true
        elseif (($null -eq $Object1) -or ($null -eq $Object2)) {
            $Result['Status'] = $false
            foreach ($O in $Object1) {
            foreach ($O in $Object2) {
        else {
            $ComparedObject = Compare-Object -ReferenceObject $Object1 -DifferenceObject $Object2 -IncludeEqual
            foreach ($_ in $ComparedObject) {
                if ($_.SideIndicator -eq '==') {
                elseif (($_.SideIndicator -eq '<=')) {
                elseif (($_.SideIndicator -eq '=>')) {
            IF ($Result['Add'].Count -eq 0 -and $Result['Remove'].Count -eq 0) {
                $Result['Status'] = $true
            else {
                $Result['Status'] = $false

    if ($ObjectsName[0]) {
        $ValueSourceName = $ObjectsName[0]
    else {
        $ValueSourceName = "Source"

    [Array] $Objects = foreach ($Object in $Objects) {
        if ($null -eq $Object) {
            [PSCustomObject] @{}
        else {

    if ($FlattenObject) {
        try {
            [Array] $Objects = ConvertTo-FlatObject -Objects $Objects -ExcludeProperty $ExcludeProperty
        catch {
            Write-Warning "Compare-MultipleObjects - Unable to flatten objects. ($($_.Exception.Message))"

    if ($First -or $Last) {
        [int] $TotalCount = $First + $Last
        if ($TotalCount -gt 1) {
            $Objects = $Objects | Select-Object -First $First -Last $Last
        else {
            Write-Warning "Compare-MultipleObjects - Unable to compare objects. Not enough objects to compare ($TotalCount)."
    $ReturnValues = @(
        $FirstElement = [ordered] @{ }
        $FirstElement['Name'] = 'Properties'
        if ($Summary) {
            $FirstElement['Same'] = $null
            $FirstElement['Different'] = $null
        $FirstElement['Status'] = $false

        $FirstObjectProperties = Select-Properties -Objects $Objects -Property $Property -ExcludeProperty $ExcludeProperty -AllProperties:$AllProperties
        if (-not $SkipProperties) {
            if ($FormatOutput) {
                $FirstElement[$ValueSourceName] = $FirstObjectProperties -join $Splitter
            else {
                $FirstElement[$ValueSourceName] = $FirstObjectProperties
            [Array] $IsSame = for ($i = 1; $i -lt $Objects.Count; $i++) {
                if ($ObjectsName[$i]) {
                    $ValueToUse = $ObjectsName[$i]
                else {
                    $ValueToUse = $i
                if ($Objects[0] -is [System.Collections.IDictionary]) {
                    [string[]] $CompareObjectProperties = $Objects[$i].Keys
                else {
                    [string[]] $CompareObjectProperties = $Objects[$i].PSObject.Properties.Name
                    [string[]] $CompareObjectProperties = Select-Properties -Objects $Objects[$i] -Property $Property -ExcludeProperty $ExcludeProperty -AllProperties:$AllProperties

                if ($FormatOutput) {
                    $FirstElement["$ValueToUse"] = $CompareObjectProperties -join $Splitter
                else {
                    $FirstElement["$ValueToUse"] = $CompareObjectProperties
                if ($CompareSorted) {
                    $Value1 = $FirstObjectProperties | Sort-Object
                    $Value2 = $CompareObjectProperties | Sort-Object
                else {
                    $Value1 = $FirstObjectProperties
                    $Value2 = $CompareObjectProperties

                $Status = Compare-TwoArrays -FieldName 'Properties' -Object1 $Value1 -Object2 $Value2 -Replace $Replace
                if ($FormatDifferences) {
                    $FirstElement["$ValueToUse-Add"] = $Status['Add'] -join $Splitter
                    $FirstElement["$ValueToUse-Remove"] = $Status['Remove'] -join $Splitter
                    $FirstElement["$ValueToUse-Same"] = $Status['Same'] -join $Splitter
                else {
                    $FirstElement["$ValueToUse-Add"] = $Status['Add']
                    $FirstElement["$ValueToUse-Remove"] = $Status['Remove']
                    $FirstElement["$ValueToUse-Same"] = $Status['Same']
            if ($IsSame.Status -notcontains $false) {
                $FirstElement['Status'] = $true
            else {
                $FirstElement['Status'] = $false
            if ($Summary) {
                [Array] $Collection = (0..($IsSame.Count - 1)).Where( { $IsSame[$_].Status -eq $true }, 'Split')
                if ($FormatDifferences) {
                    $FirstElement['Same'] = ($Collection[0] | ForEach-Object {
                            $Count = $_ + 1
                            if ($ObjectsName[$Count]) {
                            else {
                    ) -join $Splitter
                    $FirstElement['Different'] = ($Collection[1] | ForEach-Object {
                            $Count = $_ + 1
                            if ($ObjectsName[$Count]) {
                            else {
                    ) -join $Splitter
                else {
                    $FirstElement['Same'] = $Collection[0] | ForEach-Object {
                        $Count = $_ + 1
                        if ($ObjectsName[$Count]) {
                        else {
                    $FirstElement['Different'] = $Collection[1] | ForEach-Object {
                        $Count = $_ + 1
                        if ($ObjectsName[$Count]) {
                        else {
            [PSCustomObject] $FirstElement

        foreach ($NameProperty in $FirstObjectProperties) {
            $EveryOtherElement = [ordered] @{ }
            $EveryOtherElement['Name'] = $NameProperty
            if ($Summary) {
                $EveryOtherElement['Same'] = $null
                $EveryOtherElement['Different'] = $null
            $EveryOtherElement.Status = $false

            if ($FormatOutput) {
                $EveryOtherElement[$ValueSourceName] = $Objects[0].$NameProperty -join $Splitter
            else {
                $EveryOtherElement[$ValueSourceName] = $Objects[0].$NameProperty

            [Array] $IsSame = for ($i = 1; $i -lt $Objects.Count; $i++) {
                $Skip = $false

                if ($ObjectsName[$i]) {
                    $ValueToUse = $ObjectsName[$i]
                else {
                    $ValueToUse = $i

                if ($Objects[$i] -is [System.Collections.IDictionary]) {
                    if ($Objects[$i].Keys -notcontains $NameProperty) {
                        $Status = [ordered] @{
                            Status = $false
                            Same   = @()
                            Add    = @()
                            Remove = @()
                        $Skip = $true
                elseif ($Objects[$i].PSObject.Properties.Name -notcontains $NameProperty) {
                    $Status = [ordered] @{
                        Status = $false;
                        Same   = @()
                        Add    = @()
                        Remove = @()
                    $Skip = $true

                if ($FormatOutput) {
                    $EveryOtherElement["$ValueToUse"] = $Objects[$i].$NameProperty -join $Splitter
                else {
                    $EveryOtherElement["$ValueToUse"] = $Objects[$i].$NameProperty

                if ($CompareSorted) {
                    $Value1 = $Objects[0].$NameProperty | Sort-Object
                    $Value2 = $Objects[$i].$NameProperty | Sort-Object
                else {
                    $Value1 = $Objects[0].$NameProperty
                    $Value2 = $Objects[$i].$NameProperty

                if ($Value1 -is [PSCustomObject]) {
                    [ordered] @{ Status = $null; Same = @(); Add = @(); Remove = @() }
                elseif ($Value1 -is [System.Collections.IDictionary]) {
                    [ordered] @{ Status = $null; Same = @(); Add = @(); Remove = @() }
                elseif ($Value1 -is [Array] -and $Value1.Count -ne 0 -and $Value1[0] -isnot [string]) {
                    [ordered] @{ Status = $null; Same = @(); Add = @(); Remove = @() }
                if (-not $Skip) {
                    $Status = Compare-TwoArrays -FieldName $NameProperty -Object1 $Value1 -Object2 $Value2 -Replace $Replace
                else {
                    $Status['Add'] = $Value1
                if ($FormatDifferences) {
                    $EveryOtherElement["$ValueToUse-Add"] = $Status['Add'] -join $Splitter
                    $EveryOtherElement["$ValueToUse-Remove"] = $Status['Remove'] -join $Splitter
                    $EveryOtherElement["$ValueToUse-Same"] = $Status['Same'] -join $Splitter
                else {
                    $EveryOtherElement["$ValueToUse-Add"] = $Status['Add']
                    $EveryOtherElement["$ValueToUse-Remove"] = $Status['Remove']
                    $EveryOtherElement["$ValueToUse-Same"] = $Status['Same']
            if ($null -eq $IsSame.Status) {
                $EveryOtherElement['Status'] = $null
            elseif ($IsSame.Status -notcontains $false) {
                $EveryOtherElement['Status'] = $true
            else {
                $EveryOtherElement['Status'] = $false

            if ($Summary) {
                [Array] $Collection = (0..($IsSame.Count - 1)).Where( { $IsSame[$_].Status -eq $true }, 'Split')
                if ($FormatDifferences) {
                    $EveryOtherElement['Same'] = ($Collection[0] | ForEach-Object {
                            $Count = $_ + 1
                            if ($ObjectsName[$Count]) {
                            else {
                    ) -join $Splitter
                    $EveryOtherElement['Different'] = ($Collection[1] | ForEach-Object {
                            $Count = $_ + 1
                            if ($ObjectsName[$Count]) {
                            else {
                    ) -join $Splitter
                else {
                    $EveryOtherElement['Same'] = $Collection[0] | ForEach-Object {
                        $Count = $_ + 1
                        if ($ObjectsName[$Count]) {
                        else {
                    $EveryOtherElement['Different'] = $Collection[1] | ForEach-Object {
                        $Count = $_ + 1
                        if ($ObjectsName[$Count]) {
                        else {
            [PSCuStomObject] $EveryOtherElement
    if ($ReturnValues.Count -eq 1) {
        return , $ReturnValues
    else {
        return $ReturnValues
function ConvertTo-FlatObject { 
    Flattends a nested object into a single level object.
    Flattends a nested object into a single level object.
    .PARAMETER Objects
    The object (or objects) to be flatten.
    .PARAMETER Separator
    The separator used between the recursive property names
    The first index name of an embedded array:
    - 1, arrays will be 1 based: <Parent>.1, <Parent>.2, <Parent>.3, …
    - 0, arrays will be 0 based: <Parent>.0, <Parent>.1, <Parent>.2, …
    - "", the first item in an array will be unnamed and than followed with 1: <Parent>, <Parent>.1, <Parent>.2, …
    .PARAMETER Depth
    The maximal depth of flattening a recursive property. Any negative value will result in an unlimited depth and could cause a infinitive loop.
    .PARAMETER Uncut
    The maximal depth of flattening a recursive property. Any negative value will result in an unlimited depth and could cause a infinitive loop.
    .PARAMETER ExcludeProperty
    The propertys to be excluded from the output.
    $Object3 = [PSCustomObject] @{
        "Name" = "Przemyslaw Klys"
        "Age" = "30"
        "Address" = @{
            "Street" = "Kwiatowa"
            "City" = "Warszawa"
            "Country" = [ordered] @{
                "Name" = "Poland"
            List = @(
                [PSCustomObject] @{
                    "Name" = "Adam Klys"
                    "Age" = "32"
                [PSCustomObject] @{
                    "Name" = "Justyna Klys"
                    "Age" = "33"
                [PSCustomObject] @{
                    "Name" = "Justyna Klys"
                    "Age" = 30
                [PSCustomObject] @{
                    "Name" = "Justyna Klys"
                    "Age" = $null
        ListTest = @(
            [PSCustomObject] @{
                "Name" = "SÅ‚awa Klys"
                "Age" = "33"
    $Object3 | ConvertTo-FlatObject
    Based on https://powersnippets.com/convertto-flatobject/

    Param (
        [String]$Separator = ".",
        [ValidateSet("", 0, 1)]$Base = 1,
        [int]$Depth = 5,
        [string[]] $ExcludeProperty,
        [Parameter(DontShow)][System.Collections.IDictionary] $OutputObject
    Begin {
        $InputObjects = [System.Collections.Generic.List[Object]]::new()
    Process {
        foreach ($O in $Objects) {
            if ($null -ne $O) {
    End {
        If ($PSBoundParameters.ContainsKey("OutputObject")) {
            $Object = $InputObjects[0]
            $Iterate = [ordered] @{}
            if ($null -eq $Object) {
            elseif ($Object.GetType().Name -in 'String', 'DateTime', 'TimeSpan', 'Version', 'Enum') {
                $Object = $Object.ToString()
            elseif ($Depth) {
                If ($Object -is [System.Collections.IDictionary]) {
                    $Iterate = $Object
                elseif ($Object -is [Array] -or $Object -is [System.Collections.IEnumerable]) {
                    $i = $Base
                    foreach ($Item in $Object.GetEnumerator()) {
                        $NewObject = [ordered] @{}
                        If ($Item -is [System.Collections.IDictionary]) {
                            foreach ($Key in $Item.Keys) {
                                if ($Key -notin $ExcludeProperty) {
                                    $NewObject[$Key] = $Item[$Key]
                        elseif ($Item -isnot [Array] -and $Item -isnot [System.Collections.IEnumerable]) {
                            foreach ($Prop in $Item.PSObject.Properties) {
                                if ($Prop.IsGettable -and $Prop.Name -notin $ExcludeProperty) {
                                    $NewObject["$($Prop.Name)"] = $Item.$($Prop.Name)
                        else {
                            $NewObject = $Item
                        $Iterate["$i"] = $NewObject
                        $i += 1
                else {
                    foreach ($Prop in $Object.PSObject.Properties) {
                        if ($Prop.IsGettable -and $Prop.Name -notin $ExcludeProperty) {
                            $Iterate["$($Prop.Name)"] = $Object.$($Prop.Name)
            If ($Iterate.Keys.Count) {
                foreach ($Key in $Iterate.Keys) {
                    if ($Key -notin $ExcludeProperty) {
                        ConvertTo-FlatObject -Objects @(, $Iterate["$Key"]) -Separator $Separator -Base $Base -Depth $Depth -Path ($Path + $Key) -OutputObject $OutputObject -ExcludeProperty $ExcludeProperty
            else {
                $Property = $Path -Join $Separator
                if ($Property) {

                    if ($Object -is [System.Collections.IDictionary] -and $Object.Keys.Count -eq 0) {
                        $OutputObject[$Property] = $null
                    else {
                        $OutputObject[$Property] = $Object
        elseif ($InputObjects.Count -gt 0) {
            foreach ($ItemObject in $InputObjects) {
                $OutputObject = [ordered]@{}
                ConvertTo-FlatObject -Objects @(, $ItemObject) -Separator $Separator -Base $Base -Depth $Depth -Path $Path -OutputObject $OutputObject -ExcludeProperty $ExcludeProperty
                [PSCustomObject] $OutputObject
function Get-ComputerDiskLogical { 
    Getting drive space
    Long description
    .PARAMETER ComputerName
    Parameter description
    .PARAMETER Protocol
    Parameter description
    .PARAMETER RoundingPlaceRoundingPlace
    .PARAMETER RoundingPlace
    .PARAMETER OnlyLocalDisk
    Parameter description
    Parameter description
    Get-ComputerDiskLogical -ComputerName AD1, AD2, EVOWIN -OnlyLocalDisk | ft -AutoSize
    ComputerName DeviceID DriveType ProviderName FreeSpace UsedSpace TotalSpace FreePercent UsedPercent VolumeName
    ------------ -------- --------- ------------ --------- --------- ---------- ----------- ----------- ----------
    AD2 C: Local Disk 96,96 29,49 126,45 76,68 23,32
    AD1 C: Local Disk 103,17 23,28 126,45 81,59 18,41
    EVOWIN C: Local Disk 133,31 343,03 476,34 27,99 72,01
    EVOWIN D: Local Disk 2433 361,4 2794,39 87,07 12,93 Media
    EVOWIN E: Local Disk 66,05 399,7 465,75 14,18 85,82 Testing Environment
    General notes

        [string[]] $ComputerName = $Env:COMPUTERNAME,
        [ValidateSet('Default', 'Dcom', 'Wsman')][string] $Protocol = 'Default',
        [string][ValidateSet('GB', 'TB', 'MB')] $Size = 'GB',
        [int] $RoundingPlace = 2,
        [int] $RoundingPlacePercent = 2,
        [switch] $OnlyLocalDisk,
        [switch] $All
    [string] $Class = 'win32_logicalDisk'
    if ($All) {
        [string] $Properties = '*'
    else {
        [string[]] $Properties = 'DeviceID', 'DriveType', 'ProviderName', 'FreeSpace', 'Size', 'VolumeName', 'PSComputerName'

    $DriveType = @{
        '0' = 'Unknown'
        '1' = 'No Root Directory'
        '2' = 'Removable Disk'
        '3' = 'Local Disk'
        '4' = 'Network Drive'
        '5' = 'Compact Disc'
        '6' = 'RAM Disk'

    $Divider = "1$Size"

    $Information = Get-CimData -ComputerName $ComputerName -Protocol $Protocol -Class $Class -Properties $Properties
    if ($All) {
    else {
        $Output = foreach ($Info in $Information) {
            foreach ($Data in $Info) {

                [PSCustomObject] @{
                    ComputerName = if ($Data.PSComputerName) {
                    else {
                    DeviceID     = $Data.DeviceID
                    DriveType    = $DriveType["$($Data.DriveType)"]
                    ProviderName = $Data.ProviderName

                    FreeSpace    = [Math]::Round($Data.FreeSpace / $Divider, $RoundingPlace)
                    UsedSpace    = [Math]::Round(($Data.Size - $Data.FreeSpace) / $Divider, $RoundingPlace)
                    TotalSpace   = [Math]::Round($Data.Size / $Divider, $RoundingPlace)

                    FreePercent  = if ($Data.Size -gt 0 ) {
                        [Math]::round(($Data.FreeSpace / $Data.Size) * 100, $RoundingPlacePercent) 
                    else {
                    UsedPercent  = if ($Data.Size -gt 0 ) {
                        [Math]::round((($Data.Size - $Data.FreeSpace) / $Data.Size) * 100, $RoundingPlacePercent) 
                    else {
                    VolumeName   = $Data.VolumeName
        if ($OnlyLocalDisk) {
            $Output | Where-Object { $_.DriveType -eq 'Local Disk' }
        else {
function Get-ComputerNetwork { 
    Long description
    .PARAMETER ComputerName
    Parameter description
    .PARAMETER NetworkFirewallOnly
    Parameter description
    .PARAMETER NetworkFirewallSummaryOnly
    Parameter description
    Get-ComputerNetworkCard -ComputerName AD1, AD2, AD3
    Name NetworkCardName NetworkCardIndex FirewallProfile FirewallStatus IPv4Connectivity IPv6Connectivity Caption Description ElementName DefaultInboundAction DefaultOutboundAction AllowInboundRules AllowLocalFirewallRules AllowLocalIPsecRules AllowUserApps AllowUserPorts AllowUnicastResponseToMulticast NotifyOnListen EnableStealthModeForIPsec LogFileName LogMaxSizeKilobytes LogAllowed LogBlo
    ---- --------------- ---------------- --------------- -------------- ---------------- ---------------- ------- ----------- ----------- -------------------- --------------------- ----------------- ----------------------- -------------------- ------------- -------------- ------------------------------- -------------- ------------------------- ----------- ------------------- ---------- ------
    ad.evotec.xyz vEthernet (External Switch) 13 DomainAuthenticated True Internet NoTraffic NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured True NotConfigured %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 False False
    Network 2 Ethernet 2 2 Private True Internet NoTraffic Block Allow NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured False NotConfigured %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 False False
    Network Ethernet 2 Private True LocalNetwork NoTraffic NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured False NotConfigured %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 False False
    ad.evotec.xyz Ethernet 5 3 DomainAuthenticated False Internet NoTraffic NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured False NotConfigured %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 False False
    Network 2 Ethernet 4 12 Private False LocalNetwork NoTraffic NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured False NotConfigured %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 False False
    Get-ComputerNetworkCard -ComputerName EVOWIN -NetworkFirewallOnly
    PSComputerName Profile Enabled DefaultInboundAction DefaultOutboundAction AllowInboundRules AllowLocalFirewallRules AllowLocalIPsecRules AllowUserApps AllowUserPorts AllowUnicastResponseToMulticast NotifyOnListen EnableStealthModeForIPsec LogMaxSizeKilobytes LogAllowed LogBlocked LogIgnored Caption Description ElementName InstanceID DisabledInterfaceAliases LogFileName Name CimClass
    -------------- ------- ------- -------------------- --------------------- ----------------- ----------------------- -------------------- ------------- -------------- ------------------------------- -------------- ------------------------- ------------------- ---------- ---------- ---------- ------- ----------- ----------- ---------- ------------------------ ----------- ---- --------
    EVOWIN Domain True NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured True NotConfigured 4096 False False NotConfigured MSFT|FW|FirewallProfile|Domain {NotConfigured} %systemroot%\system32\LogFiles\Firewall\pfirewall.log Domain root/stand...
    EVOWIN Private True NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured True NotConfigured 4096 False False NotConfigured MSFT|FW|FirewallProfile|Private {NotConfigured} %systemroot%\system32\LogFiles\Firewall\pfirewall.log Private root/stand...
    EVOWIN Public True NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured NotConfigured True NotConfigured 4096 False False NotConfigured MSFT|FW|FirewallProfile|Public {NotConfigured} %systemroot%\system32\LogFiles\Firewall\pfirewall.log Public root/stand...
    General notes

        [string[]] $ComputerName = $Env:COMPUTERNAME,
        [switch] $NetworkFirewallOnly,
        [switch] $NetworkFirewallSummaryOnly,
        [alias('Joiner')][string] $Splitter
    [Array] $CollectionComputers = $ComputerName.Where( { $_ -eq $Env:COMPUTERNAME }, 'Split')

    $Firewall = @{ }
    $NetworkFirewall = @(
        if ($CollectionComputers[0].Count -gt 0) {
            $Firewall[$Env:COMPUTERNAME] = @{ }
            $Output = Get-NetFirewallProfile
            foreach ($_ in $Output) {
                Add-Member -InputObject $_ -Name 'PSComputerName' -Value $Env:COMPUTERNAME -Type NoteProperty -Force
                if ($_.Name -eq 'Domain') {
                    $Firewall[$Env:COMPUTERNAME]['DomainAuthenticated'] = $_
                else {
                    $Firewall[$Env:COMPUTERNAME][$($_.Name)] = $_
        if ($CollectionComputers[1].Count -gt 0) {
            foreach ($_ in $CollectionComputers[1]) {
                $Firewall[$_] = @{ }
            $Output = Get-NetFirewallProfile -CimSession $CollectionComputers[1]
            foreach ($_ in $Output) {
                if ($_.Name -eq 'Domain') {
                    $Firewall[$_.PSComputerName]['DomainAuthenticated'] = $_
                else {
                    $Firewall[$_.PSComputerName][$($_.Name)] = $_
    if ($NetworkFirewallOnly) {
        return $NetworkFirewall
    if ($NetworkFirewallSummaryOnly) {

        return $Firewall
    $NetworkCards = @(
        if ($CollectionComputers[0].Count -gt 0) {
            $Output = Get-NetConnectionProfile
            foreach ($_ in $Output) {
                Add-Member -InputObject $_ -Name 'PSComputerName' -Value $Env:COMPUTERNAME -Type NoteProperty -Force
        if ($CollectionComputers[1].Count -gt 0) {
            Get-NetConnectionProfile -CimSession $CollectionComputers[1]
    foreach ($_ in $NetworkCards) {

        $NetworkCardsConfiguration = Get-CimData -ComputerName $ComputerName -Class 'Win32_NetworkAdapterConfiguration'
        $CurrentCard = foreach ($Configuration in $NetworkCardsConfiguration) {
            if ($_.PSComputerName -eq $Configuration.PSComputerName) {
                if ($Configuration.InterfaceIndex -eq $_.InterfaceIndex) {

        $NetbiosTCPIP = @{
            '0' = 'Default'
            '1' = 'Enabled'
            '2' = 'Disabled'

        [PSCustomObject] @{
            Name                            = $_.Name
            NetworkCardName                 = $_.InterfaceAlias
            NetworkCardIndex                = $_.InterfaceIndex
            FirewallProfile                 = $_.NetworkCategory
            FirewallStatus                  = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].'Enabled'

            IPAddress                       = $CurrentCard.IPAddress
            IPGateway                       = $CurrentCard.DefaultIPGateway
            IPSubnet                        = $CurrentCard.IPSubnet
            IPv4Connectivity                = $_.IPv4Connectivity
            IPv6Connectivity                = $_.IPv6Connectivity
            DNSServerSearchOrder            = $CurrentCard.DNSServerSearchOrder
            DNSDomainSuffixSearchOrder      = $CurrentCard.DNSDomainSuffixSearchOrder
            FullDNSRegistrationEnabled      = $CurrentCard.FullDNSRegistrationEnabled
            DHCPEnabled                     = $CurrentCard.DHCPEnabled
            DHCPServer                      = $CurrentCard.DHCPServer
            DHCPLeaseObtained               = $CurrentCard.DHCPLeaseObtained
            NetBIOSOverTCPIP                = $NetBiosTCPIP["$($CurrentCard.TcpipNetbiosOptions)"]
            Caption                         = $_.Caption
            Description                     = $_.Description
            ElementName                     = $_.ElementName

            DefaultInboundAction            = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].DefaultInboundAction
            DefaultOutboundAction           = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].DefaultOutboundAction
            AllowInboundRules               = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].AllowInboundRules
            AllowLocalFirewallRules         = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].AllowLocalFirewallRules
            AllowLocalIPsecRules            = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].AllowLocalIPsecRules
            AllowUserApps                   = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].AllowUserApps
            AllowUserPorts                  = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].AllowUserPorts
            AllowUnicastResponseToMulticast = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].AllowUnicastResponseToMulticast
            NotifyOnListen                  = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].NotifyOnListen
            EnableStealthModeForIPsec       = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].EnableStealthModeForIPsec
            LogFileName                     = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].LogFileName
            LogMaxSizeKilobytes             = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].LogMaxSizeKilobytes
            LogAllowed                      = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].LogAllowed
            LogBlocked                      = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].LogBlocked
            LogIgnored                      = $Firewall[$_.PSComputerName]["$($_.NetworkCategory)"].LogIgnored
            ComputerName                    = $_.PSComputerName
function Get-ComputerOperatingSystem { 
        [string[]] $ComputerName = $Env:COMPUTERNAME,
        [ValidateSet('Default', 'Dcom', 'Wsman')][string] $Protocol = 'Default',
        [switch] $All
    [string] $Class = 'win32_operatingsystem'
    if ($All) {
        [string] $Properties = '*'
    else {
        [string[]] $Properties = 'Caption', 'Manufacturer', 'InstallDate', 'OSArchitecture', 'Version', 'SerialNumber', 'BootDevice', 'WindowsDirectory', 'CountryCode', 'OSLanguage', 'OSProductSuite', 'PSComputerName', 'LastBootUpTime', 'LocalDateTime'
    $Information = Get-CimData -ComputerName $ComputerName -Protocol $Protocol -Class $Class -Properties $Properties
    if ($All) {
    else {
        foreach ($Info in $Information) {
            foreach ($Data in $Info) {

                [PSCustomObject] @{
                    ComputerName           = if ($Data.PSComputerName) {
                    else {
                    OperatingSystem        = $Data.Caption
                    OperatingSystemVersion = ConvertTo-OperatingSystem -OperatingSystem $Data.Caption -OperatingSystemVersion $Data.Version
                    OperatingSystemBuild   = $Data.Version
                    Manufacturer           = $Data.Manufacturer
                    OSArchitecture         = $Data.OSArchitecture
                    OSLanguage             = ConvertFrom-LanguageCode -LanguageCode $Data.OSLanguage
                    OSProductSuite         = [Microsoft.PowerShell.Commands.OSProductSuite] $($Data.OSProductSuite)
                    InstallDate            = $Data.InstallDate
                    LastBootUpTime         = $Data.LastBootUpTime
                    LocalDateTime          = $Data.LocalDateTime
                    SerialNumber           = $Data.SerialNumber
                    BootDevice             = $Data.BootDevice
                    WindowsDirectory       = $Data.WindowsDirectory
                    CountryCode            = $Data.CountryCode
function Get-ComputerRDP { 
        [string[]] $ComputerName

    $Output = Get-CimData -Class 'Win32_TSGeneralSetting' -NameSpace 'root\cimv2\terminalservices' -ComputerName $ComputerName
    foreach ($_ in $Output) {

        $EncryptionLevels = @{
            '1' = 'Low'
            '2' = 'Medium / Client Compatible'
            '3' = 'High'
            '4' = 'FIPS Compliant'

        $PolicyConfiguredBy = @{
            '0' = 'Server'
            '1' = 'Group policy'
            '2' = 'Default'

        $SecurityLayers = @{
            '1' = 'RDP Security Layer' 
            '2' = 'Negotiate' 
            '3' = 'SSL' 
            '4' = 'NEWTBD' 

        $HashType = @{
            '0' = 'Not valid'
            '1' = 'Self-signed'
            '2' = 'Custom'

        $Connectivity = Test-ComputerPort -ComputerName $_.PSComputerName -PortTCP 3389 -WarningAction SilentlyContinue

        [PSCustomObject] @{
            ComputerName                           = $_.PSComputerName
            Name                                   = $_.TerminalName
            Connectivity                           = $Connectivity.Status
            ConnectivitySummary                    = $Connectivity.Summary
            SecurityLayer                          = $SecurityLayers["$($_.SecurityLayer)"]
            MinimalEncryptionLevel                 = $EncryptionLevels["$($_.MinEncryptionLevel)"]
            MinimalEncryptionLevelValue            = $_.MinEncryptionLevel
            PolicySourceUserAuthenticationRequired = $PolicyConfiguredBy["$($_.PolicySourceUserAuthenticationRequired)"]
            PolicySourceMinimalEncryptionLevel     = $PolicyConfiguredBy["$($_.PolicySourceMinEncryptionLevel)"]
            PolicySourceSecurityLayer              = $PolicyConfiguredBy["$($_.PolicySourceSecurityLayer)"]
            CertificateName                        = $_.CertificateName
            CertificateThumbprint                  = $_.SSLCertificateSHA1Hash
            CertificateType                        = $HashType["$($_.SSLCertificateSHA1HashType)"]
            Transport                              = $_.Transport
            Protocol                               = $_.TerminalProtocol

            UserAuthenticationRequired             = [bool] $_.UserAuthenticationRequired

            WindowsAuthentication                  = [bool] $_.WindowsAuthentication
function Get-ComputerSMB { 
    Short description
    Long description
    .PARAMETER ComputerName
    Parameter description
    Get-ComputerSMB -ComputerName $ENV:COMPUTERNAME
    General notes

        [string[]] $ComputerName

    [Array] $CollectionComputers = $ComputerName.Where( { $_ -eq $Env:COMPUTERNAME }, 'Split')
    $SMB = @(
        if ($CollectionComputers[0].Count -gt 0) {
            $Output = Get-SmbServerConfiguration
            foreach ($_ in $Output) {
                [PSCustomObject] @{
                    ComputerName                    = $Env:COMPUTERNAME
                    AnnounceComment                 = $_.AnnounceComment
                    AnnounceServer                  = $_.AnnounceServer
                    AsynchronousCredits             = $_.AsynchronousCredits
                    AuditSmb1Access                 = $_.AuditSmb1Access
                    AutoDisconnectTimeout           = $_.AutoDisconnectTimeout
                    AutoShareServer                 = $_.AutoShareServer
                    AutoShareWorkstation            = $_.AutoShareWorkstation
                    CachedOpenLimit                 = $_.CachedOpenLimit
                    DurableHandleV2TimeoutInSeconds = $_.DurableHandleV2TimeoutInSeconds
                    EnableAuthenticateUserSharing   = $_.EnableAuthenticateUserSharing
                    EnableDownlevelTimewarp         = $_.EnableDownlevelTimewarp
                    EnableForcedLogoff              = $_.EnableForcedLogoff
                    EnableLeasing                   = $_.EnableLeasing
                    EnableMultiChannel              = $_.EnableMultiChannel
                    EnableOplocks                   = $_.EnableOplocks
                    EnableSecuritySignature         = $_.EnableSecuritySignature
                    EnableSMB1Protocol              = $_.EnableSMB1Protocol
                    EnableSMB2Protocol              = $_.EnableSMB2Protocol
                    EnableStrictNameChecking        = $_.EnableStrictNameChecking
                    EncryptData                     = $_.EncryptData
                    IrpStackSize                    = $_.IrpStackSize
                    KeepAliveTime                   = $_.KeepAliveTime
                    MaxChannelPerSession            = $_.MaxChannelPerSession
                    MaxMpxCount                     = $_.MaxMpxCount
                    MaxSessionPerConnection         = $_.MaxSessionPerConnection
                    MaxThreadsPerQueue              = $_.MaxThreadsPerQueue
                    MaxWorkItems                    = $_.MaxWorkItems
                    NullSessionPipes                = $_.NullSessionPipes
                    NullSessionShares               = $_.NullSessionShares
                    OplockBreakWait                 = $_.OplockBreakWait
                    PendingClientTimeoutInSeconds   = $_.PendingClientTimeoutInSeconds
                    RejectUnencryptedAccess         = $_.RejectUnencryptedAccess
                    RequireSecuritySignature        = $_.RequireSecuritySignature
                    ServerHidden                    = $_.ServerHidden
                    Smb2CreditsMax                  = $_.Smb2CreditsMax
                    Smb2CreditsMin                  = $_.Smb2CreditsMin
                    SmbServerNameHardeningLevel     = $_.SmbServerNameHardeningLevel
                    TreatHostAsStableStorage        = $_.TreatHostAsStableStorage
                    ValidateAliasNotCircular        = $_.ValidateAliasNotCircular
                    ValidateShareScope              = $_.ValidateShareScope
                    ValidateShareScopeNotAliased    = $_.ValidateShareScopeNotAliased
                    ValidateTargetName              = $_.ValidateTargetName
        if ($CollectionComputers[1].Count -gt 0) {
            $Output = Get-SmbServerConfiguration -CimSession $CollectionComputers[1]
            foreach ($_ in $Output) {
                [PSCustomObject] @{
                    ComputerName                    = $_.PSComputerName
                    AnnounceComment                 = $_.AnnounceComment
                    AnnounceServer                  = $_.AnnounceServer
                    AsynchronousCredits             = $_.AsynchronousCredits
                    AuditSmb1Access                 = $_.AuditSmb1Access
                    AutoDisconnectTimeout           = $_.AutoDisconnectTimeout
                    AutoShareServer                 = $_.AutoShareServer
                    AutoShareWorkstation            = $_.AutoShareWorkstation
                    CachedOpenLimit                 = $_.CachedOpenLimit
                    DurableHandleV2TimeoutInSeconds = $_.DurableHandleV2TimeoutInSeconds
                    EnableAuthenticateUserSharing   = $_.EnableAuthenticateUserSharing
                    EnableDownlevelTimewarp         = $_.EnableDownlevelTimewarp
                    EnableForcedLogoff              = $_.EnableForcedLogoff
                    EnableLeasing                   = $_.EnableLeasing
                    EnableMultiChannel              = $_.EnableMultiChannel
                    EnableOplocks                   = $_.EnableOplocks
                    EnableSecuritySignature         = $_.EnableSecuritySignature
                    EnableSMB1Protocol              = $_.EnableSMB1Protocol
                    EnableSMB2Protocol              = $_.EnableSMB2Protocol
                    EnableStrictNameChecking        = $_.EnableStrictNameChecking
                    EncryptData                     = $_.EncryptData
                    IrpStackSize                    = $_.IrpStackSize
                    KeepAliveTime                   = $_.KeepAliveTime
                    MaxChannelPerSession            = $_.MaxChannelPerSession
                    MaxMpxCount                     = $_.MaxMpxCount
                    MaxSessionPerConnection         = $_.MaxSessionPerConnection
                    MaxThreadsPerQueue              = $_.MaxThreadsPerQueue
                    MaxWorkItems                    = $_.MaxWorkItems
                    NullSessionPipes                = $_.NullSessionPipes
                    NullSessionShares               = $_.NullSessionShares
                    OplockBreakWait                 = $_.OplockBreakWait
                    PendingClientTimeoutInSeconds   = $_.PendingClientTimeoutInSeconds
                    RejectUnencryptedAccess         = $_.RejectUnencryptedAccess
                    RequireSecuritySignature        = $_.RequireSecuritySignature
                    ServerHidden                    = $_.ServerHidden
                    Smb2CreditsMax                  = $_.Smb2CreditsMax
                    Smb2CreditsMin                  = $_.Smb2CreditsMin
                    SmbServerNameHardeningLevel     = $_.SmbServerNameHardeningLevel
                    TreatHostAsStableStorage        = $_.TreatHostAsStableStorage
                    ValidateAliasNotCircular        = $_.ValidateAliasNotCircular
                    ValidateShareScope              = $_.ValidateShareScope
                    ValidateShareScopeNotAliased    = $_.ValidateShareScopeNotAliased
                    ValidateTargetName              = $_.ValidateTargetName
function Get-ComputerSMBShare { 
        [string[]] $ComputerName,
        [switch] $Translated
    [Array] $CollectionComputers = Get-ComputerSplit -ComputerName $ComputerName

    if ($CollectionComputers[0].Count -gt 0) {
        $Output = Get-SmbShare
        foreach ($O in $Output) {
            if (-not $Translated) {
                Add-Member -InputObject $_ -Name 'PSComputerName' -Value $Env:COMPUTERNAME -MemberType NoteProperty -Force
            else {
                [PSCustomObject] @{
                    Name                  = $O.Name                   
                    ScopeName             = $O.ScopeName              
                    Path                  = $O.Path                   
                    Description           = $O.Description            
                    ComputerName          = $O.PSComputerName         
                    PresetPathAcl         = $O.PresetPathAcl          
                    ShareState            = $O.ShareState.ToString()             
                    AvailabilityType      = $O.AvailabilityType.ToString()       
                    ShareType             = $O.ShareType.ToString()              
                    FolderEnumerationMode = $O.FolderEnumerationMode.ToString()  
                    CachingMode           = $O.CachingMode.ToString()            
                    LeasingMode           = $O.LeasingMode.ToString()            
                    QoSFlowScope          = $O.QoSFlowScope           
                    SmbInstance           = $O.SmbInstance.ToString()            
                    CATimeout             = $O.CATimeout              
                    ConcurrentUserLimit   = $O.ConcurrentUserLimit    
                    ContinuouslyAvailable = $O.ContinuouslyAvailable  
                    CurrentUsers          = $O.CurrentUsers           
                    EncryptData           = $O.EncryptData            
                    Scoped                = $O.Scoped                 
                    SecurityDescriptor    = $O.SecurityDescriptor     
                    ShadowCopy            = $O.ShadowCopy             
                    Special               = $O.Special                
                    Temporary             = $O.Temporary              
                    Volume                = $O.Volume                 
    if ($CollectionComputers[1].Count -gt 0) {
        $Output = Get-SmbShare -CimSession $CollectionComputers[1]
        foreach ($O in $Output) {
            if (-not $Translated) {
            else {
                [PSCustomObject] @{
                    Name                  = $O.Name                   
                    ScopeName             = $O.ScopeName              
                    Path                  = $O.Path                   
                    Description           = $O.Description            
                    ComputerName          = $O.PSComputerName         
                    PresetPathAcl         = $O.PresetPathAcl          
                    ShareState            = $O.ShareState.ToString()             
                    AvailabilityType      = $O.AvailabilityType.ToString()       
                    ShareType             = $O.ShareType.ToString()              
                    FolderEnumerationMode = $O.FolderEnumerationMode.ToString()  
                    CachingMode           = $O.CachingMode.ToString()            
                    LeasingMode           = $O.LeasingMode 
                    QoSFlowScope          = $O.QoSFlowScope           
                    SmbInstance           = $O.SmbInstance.ToString()            
                    CATimeout             = $O.CATimeout              
                    ConcurrentUserLimit   = $O.ConcurrentUserLimit    
                    ContinuouslyAvailable = $O.ContinuouslyAvailable  
                    CurrentUsers          = $O.CurrentUsers           
                    EncryptData           = $O.EncryptData            
                    Scoped                = $O.Scoped                 
                    SecurityDescriptor    = $O.SecurityDescriptor     
                    ShadowCopy            = $O.ShadowCopy             
                    Special               = $O.Special                
                    Temporary             = $O.Temporary              
                    Volume                = $O.Volume                 
function Get-ComputerSMBSharePermissions { 
        [string[]] $ComputerName,
        [Parameter(Mandatory = $true)][alias('Name')][string[]] $ShareName,
        [switch] $Translated
    [Array] $Computers = Get-ComputerSplit -ComputerName $ComputerName
    if ($Computers[0].Count -gt 0) {
        foreach ($Share in $ShareName) {
            try {
                $Output = Get-SmbShareAccess -Name $Share -ErrorAction Stop
            catch {
                $ErrorMessage = $_.Exception.Message
                Write-Warning -Message "Get-ComputerSMBSharePermissions - Computer $Env:COMPUTERNAME, Share $Share, Error: $ErrorMessage"
            foreach ($O in $Output) {
                if (-not $Translated) {
                    $O | Add-Member -Name 'PSComputerName' -Value $Env:COMPUTERNAME -MemberType NoteProperty -Force
                else {
                    [PSCustomObject] @{
                        Name              = $O.Name              
                        ScopeName         = $O.ScopeName         
                        AccountName       = $O.AccountName.ToString()       
                        AccessControlType = $O.AccessControlType.ToString() 
                        AccessRight       = $O.AccessRight.ToString()       
                        ComputerName      = $Env:COMPUTERNAME    
    if ($Computers[1].Count -gt 0) {
        foreach ($Share in $ShareName) {
            try {
                $Output = Get-SmbShareAccess -CimSession $Computers[1] -Name $Share -ErrorAction Stop
            catch {
                $ErrorMessage = $_.Exception.Message
                Write-Warning -Message "Get-ComputerSMBSharePermissions - Computer $($Computers[1]), Share $Share, Error: $ErrorMessage"
            foreach ($O in $Output) {
                if (-not $Translated) {
                else {
                    [PSCustomObject] @{
                        Name              = $O.Name              
                        ScopeName         = $O.ScopeName         
                        AccountName       = $O.AccountName.ToString()       
                        AccessControlType = $O.AccessControlType.ToString() 
                        AccessRight       = $O.AccessRight.ToString()       
                        ComputerName      = $O.PSComputerName    
function Get-ComputerTime { 
    Gets time difference between computers and time source including boot time
    Gets time difference between computers and time source including boot time
    .PARAMETER TimeSource
    Parameter description
    .PARAMETER Domain
    Parameter description
    .PARAMETER TimeTarget
    Specifies computer on which you want to run the CIM operation. You can specify a fully qualified domain name (FQDN), a NetBIOS name, or an IP address. If you do not specify this parameter, the cmdlet performs the operation on the local computer using Component Object Model (COM).
    .PARAMETER Credential
    Specifies a user account that has permission to perform this action. The default is the current user.
    .PARAMETER ToLocal
    Get-ComputerTime -TimeTarget AD2, AD3, EVOWin | Format-Table -AutoSize
    Name LocalDateTime RemoteDateTime InstallTime LastBootUpTime TimeDifferenceMinutes TimeDifferenceSeconds TimeDifferenceMilliseconds TimeSourceName
    ---- ------------- -------------- ----------- -------------- --------------------- --------------------- -------------------------- --------------
    AD2 13.08.2019 23:40:26 13.08.2019 23:40:26 30.05.2018 18:30:48 09.08.2019 18:40:31 8,33333333333333E-05 0,005 5 AD1.ad.evotec.xyz
    AD3 13.08.2019 23:40:26 13.08.2019 17:40:26 26.05.2019 17:30:17 09.08.2019 18:40:30 0,000266666666666667 0,016 16 AD1.ad.evotec.xyz
    EVOWin 13.08.2019 23:40:26 13.08.2019 23:40:26 24.05.2019 22:46:45 09.08.2019 18:40:06 6,66666666666667E-05 0,004 4 AD1.ad.evotec.xyz
    Get-ComputerTime -TimeSource AD1 -TimeTarget AD2, AD3, EVOWin | Format-Table -AutoSize
    Get-ComputerTime -TimeSource 'pool.ntp.org' -TimeTarget AD2, AD3, EVOWin | Format-Table -AutoSize
    General notes

        [string] $TimeSource,
        [string] $Domain = $Env:USERDNSDOMAIN,
        [alias('ComputerName')][string[]] $TimeTarget = $ENV:COMPUTERNAME,
        [pscredential] $Credential,
        [switch] $ForceCIM
    if (-not $TimeSource) {
        $TimeSource = (Get-ADDomainController -Discover -Service PrimaryDC -DomainName $Domain).HostName

    if ($ForceCIM) {
        $TimeSourceInformation = Get-CimData -ComputerName $TimeSource -Class 'win32_operatingsystem' -Credential $Credential
        if ($TimeSourceInformation.LocalDateTime) {
            $TimeSourceInformation = $TimeSourceInformation.LocalDateTime
        else {
            $TimeSourceInformation = $null
    else {
        $TimeSourceInformation = Get-ComputerTimeNtp -Server $TimeSource -ToLocal

    $TimeTargetInformationCache = @{ }
    $TimeTargetInformation = Get-CimData -ComputerName $TimeTarget -Class 'win32_operatingsystem' -Credential $Credential
    foreach ($_ in $TimeTargetInformation) {
        $TimeTargetInformationCache[$_.PSComputerName] = $_
    $TimeLocalCache = @{ }
    $TimeLocal = Get-CimData -ComputerName $TimeTarget -Class 'Win32_LocalTime' -Credential $Credential
    foreach ($_ in $TimeLocal) {
        $TimeLocalCache[$_.PSComputerName] = $_

    $AllResults = foreach ($Computer in $TimeTarget) {
        $WMIComputerTime = $TimeLocalCache[$Computer]
        $WMIComputerTarget = $TimeTargetInformationCache[$Computer]

        if ($WMIComputerTime -and $WMIComputerTime.Year -and $WMIComputerTime.Month) {
            $RemoteDateTime = Get-Date -Year $WMIComputerTime.Year -Month $WMIComputerTime.Month -Day $WMIComputerTime.Day -Hour $WMIComputerTime.Hour -Minute $WMIComputerTime.Minute -Second $WMIComputerTime.Second
        else {
            $RemoteDateTIme = ''

        if ($WMIComputerTarget.LocalDateTime -and $TimeSourceInformation) {
            $Result = New-TimeSpan -Start $TimeSourceInformation -End $WMIComputerTarget.LocalDateTime
            $ResultFromBoot = New-TimeSpan -Start $WMIComputerTarget.LastBootUpTime -End $WMIComputerTarget.LocalDateTime

            [PSCustomObject] @{
                Name                       = $Computer
                LocalDateTime              = $WMIComputerTarget.LocalDateTime
                RemoteDateTime             = $RemoteDateTime
                InstallTime                = $WMIComputerTarget.InstallDate
                LastBootUpTime             = $WMIComputerTarget.LastBootUpTime
                LastBootUpTimeInDays       = [math]::Round($ResultFromBoot.TotalDays, 2)
                TimeDifferenceMinutes      = if ($Result.TotalMinutes -lt 0) {
 ($Result.TotalMinutes * -1) 
                else {
                TimeDifferenceSeconds      = if ($Result.TotalSeconds -lt 0) {
 ($Result.TotalSeconds * -1) 
                else {
                TimeDifferenceMilliseconds = if ($Result.TotalMilliseconds -lt 0) {
 ($Result.TotalMilliseconds * -1) 
                else {
                TimeSourceName             = $TimeSource
                Status                     = ''
        else {
            if ($WMIComputerTarget.LastBootUpTime) {
                $ResultFromBoot = New-TimeSpan -Start $WMIComputerTarget.LastBootUpTime -End $WMIComputerTarget.LocalDateTime
            else {
                $ResultFromBoot = ''
            [PSCustomObject] @{
                Name                       = $Computer
                LocalDateTime              = $WMIComputerTarget.LocalDateTime
                RemoteDateTime             = $RemoteDateTime
                InstallTime                = $WMIComputerTarget.InstallDate
                LastBootUpTime             = $WMIComputerTarget.LastBootUpTime
                LastBootUpTimeInDays       = [math]::Round($ResultFromBoot.TotalDays, 2)
                TimeDifferenceMinutes      = $null
                TimeDifferenceSeconds      = $null
                TimeDifferenceMilliseconds = $null
                TimeSourceName             = $TimeSource
                Status                     = 'Unable to get time difference.'
function Get-FileName { 
    Short description
    Long description
    .PARAMETER Extension
    Parameter description
    .PARAMETER Temporary
    Parameter description
    .PARAMETER TemporaryFileOnly
    Parameter description
    Get-FileName -Temporary
    Output: 3ymsxvav.tmp
    Get-FileName -Temporary
    Output: C:\Users\pklys\AppData\Local\Temp\tmpD74C.tmp
    Get-FileName -Temporary -Extension 'xlsx'
    Output: C:\Users\pklys\AppData\Local\Temp\tmp45B6.xlsx
    General notes

        [string] $Extension = 'tmp',
        [switch] $Temporary,
        [switch] $TemporaryFileOnly

    if ($Temporary) {

        return [io.path]::Combine([System.IO.Path]::GetTempPath(), "$($([System.IO.Path]::GetRandomFileName()).Split('.')[0]).$Extension")
    if ($TemporaryFileOnly) {

        return "$($([System.IO.Path]::GetRandomFileName()).Split('.')[0]).$Extension"
function Get-GitHubLatestRelease { 
    Gets one or more releases from GitHub repository
    Gets one or more releases from GitHub repository
    Url to github repository
    Get-GitHubLatestRelease -Url "https://api.github.com/repos/evotecit/Testimo/releases" | Format-Table
    General notes

        [parameter(Mandatory)][alias('ReleasesUrl')][uri] $Url
    $ProgressPreference = 'SilentlyContinue'

    $Responds = Test-Connection -ComputerName $URl.Host -Quiet -Count 1
    if ($Responds) {
        Try {
            [Array] $JsonOutput = (Invoke-WebRequest -Uri $Url -ErrorAction Stop | ConvertFrom-Json)
            foreach ($JsonContent in $JsonOutput) {
                [PSCustomObject] @{
                    PublishDate = [DateTime]  $JsonContent.published_at
                    CreatedDate = [DateTime] $JsonContent.created_at
                    PreRelease  = [bool] $JsonContent.prerelease
                    Version     = [version] ($JsonContent.name -replace 'v', '')
                    Tag         = $JsonContent.tag_name
                    Branch      = $JsonContent.target_commitish
                    Errors      = ''
        catch {
            [PSCustomObject] @{
                PublishDate = $null
                CreatedDate = $null
                PreRelease  = $null
                Version     = $null
                Tag         = $null
                Branch      = $null
                Errors      = $_.Exception.Message
    else {
        [PSCustomObject] @{
            PublishDate = $null
            CreatedDate = $null
            PreRelease  = $null
            Version     = $null
            Tag         = $null
            Branch      = $null
            Errors      = "No connection (ping) to $($Url.Host)"
    $ProgressPreference = 'Continue'
function Get-OperatingSystem { 
        [string] $Version

    $ListOperatingSystems = [ordered] @{
        '10.0 (19043)' = [PSCustomObject] @{ Name = 'Windows 10 21H1'; Version = '10.0 (19043)'; CodeName = '21H1'; MarketingName = 'May 2021 Update'; BuildNumber = '19043';
            ReleaseDate = (Get-Date -Year 2021 -Month 5 -Day 18 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2022 -Month 12 -Day 13 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2022 -Month 12 -Day 13 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = $null
        '10.0 (19042)' = [PSCustomObject] @{ Name = 'Windows 10 20H2'; Version = '10.0 (19042)'; CodeName = '20H2'; MarketingName = 'October 2020 Update'; BuildNumber = '19042';
            ReleaseDate = (Get-Date -Year 2020 -Month 9 -Day 20 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2022 -Month 5 -Day 10 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2023 -Month 5 -Day 9 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = $null
        '10.0 (19041)' = [PSCustomObject] @{ Name = 'Windows 10 2004'; Version = '10.0 (19041)'; CodeName = '20H1'; MarketingName = 'May 2020 Update'; BuildNumber = '19041';
            ReleaseDate = (Get-Date -Year 2020 -Month 5 -Day 27 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2021 -Month 12 -Day 14 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2021 -Month 12 -Day 14 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = $null
        '10.0 (18363)' = [PSCustomObject] @{ Name = "Windows 10 1909"; Version = '10.0 (18363)'; CodeName = '19H2'; MarketingName = 'November 2019 Update'; BuildNumber = '18363';
            ReleaseDate = (Get-Date -Year 2019 -Month 11 -Day 12 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2021 -Month 5 -Day 11 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2022 -Month 5 -Day 10 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = $null
        '10.0 (18362)' = [PSCustomObject] @{ Name = "Windows 10 1903"; Version = '10.0 (18362)'; CodeName = '19H1'; MarketingName = 'May 2019 Update'; BuildNumber = '18362';
            ReleaseDate = (Get-Date -Year 2019 -Month 5 -Day 21 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2020 -Month 12 -Day 8 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2020 -Month 12 -Day 8 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = $null
        '10.0 (17763)' = [PSCustomObject] @{ Name = "Windows 10 1809"; Version = '10.0 (17763)'; CodeName = 'Redstone 5'; MarketingName = 'October 2018 Update'; BuildNumber = '17763';
            ReleaseDate = (Get-Date -Year 2018 -Month 11 -Day 13 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2020 -Month 11 -Day 10 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2021 -Month 5 -Day 11 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = (Get-Date -Year 2029 -Month 1 -Day 9 -Second 1 -Minute 1 -Hour 1 -Millisecond 1)
        '10.0 (17134)' = [PSCustomObject] @{ Name = "Windows 10 1803"; Version = '10.0 (17134)'; CodeName = 'Redstone 4'; MarketingName = 'April 2018 Update'; BuildNumber = '17134';
            ReleaseDate = (Get-Date -Year 2018 -Month 4 -Day 30 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2020 -Month 11 -Day 12 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2021 -Month 5 -Day 11 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = $null
        '10.0 (16299)' = [PSCustomObject] @{ Name = "Windows 10 1709"; Version = '10.0 (16299)'; CodeName = 'Redstone 3'; MarketingName = 'Fall Creators Update'; BuildNumber = '16299';
            ReleaseDate = (Get-Date -Year 2017 -Month 9 -Day 17 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2019 -Month 4 -Day 9 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2020 -Month 10 -Day 13 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); ; LTSC = $null
        '10.0 (15063)' = [PSCustomObject] @{ Name = "Windows 10 1703"; Version = '10.0 (15063)'; CodeName = 'Redstone 2'; MarketingName = 'Creators Update'; BuildNumber = '15063';
            ReleaseDate = (Get-Date -Year 2017 -Month 4 -Day 5 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2018 -Month 10 -Day 9 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2019 -Month 10 -Day 8 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); ; LTSC = $null
        '10.0 (14393)' = [PSCustomObject] @{ Name = "Windows 10 1607"; Version = '10.0 (14393)'; CodeName = 'Redstone 1'; MarketingName = 'Anniversary Update'; BuildNumber = '14393';
            ReleaseDate = (Get-Date -Year 2016 -Month 8 -Day 2 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2018 -Month 4 -Day 10 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2019 -Month 4 -Day 9 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = (Get-Date -Year 2026 -Month 10 -Day 13 -Second 1 -Minute 1 -Hour 1 -Millisecond 1)
        '10.0 (10586)' = [PSCustomObject] @{ Name = "Windows 10 1511"; Version = '10.0 (10586)'; CodeName = 'Threshold 2'; MarketingName = 'November Update'; BuildNumber = '10586';
            ReleaseDate = (Get-Date -Year 2015 -Month 11 -Day 10 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2017 -Month 10 -Day 10 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2018 -Month 4 -Day 10 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = $null
        '10.0 (10240)' = [PSCustomObject] @{ Name = "Windows 10 1507"; Version = '10.0 (10240)' ; CodeName = 'Threshold 1'; MarketingName = 'N/A'; BuildNumber = '10240';
            ReleaseDate = (Get-Date -Year 2015 -Month 7 -Day 29 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndPro = (Get-Date -Year 2017 -Month 5 -Day 9 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); SupportEndEnterprise = (Get-Date -Year 2017 -Month 5 -Day 9 -Second 1 -Minute 1 -Hour 1 -Millisecond 1); LTSC = (Get-Date -Year 2025 -Month 10 -Day 14 -Second 1 -Minute 1 -Hour 1 -Millisecond 1)
    if ($Version) {
    else {
function Get-PSRegistry { 
    Get registry key values.
    Get registry key values.
    .PARAMETER RegistryPath
    The registry path to get the values from.
    .PARAMETER ComputerName
    The computer to get the values from. If not specified, the local computer is used.
    .PARAMETER ExpandEnvironmentNames
    Expand environment names in the registry value.
    By default it doesn't do that. If you want to expand environment names, use this parameter.
    Get-PSRegistry -RegistryPath 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ComputerName AD1
    Get-PSRegistry -RegistryPath 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Get-PSRegistry -RegistryPath "HKLM\SYSTEM\CurrentControlSet\Services\DFSR\Parameters" -ComputerName AD1,AD2,AD3 | ft -AutoSize
    Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service'
    Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell' | Format-Table -AutoSize
    Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service' -ComputerName AD1 -Advanced
    Get-PSRegistry -RegistryPath "HKLM:\Software\Microsoft\Powershell\1\Shellids\Microsoft.Powershell\"
    # Get default key and it's value
    Get-PSRegistry -RegistryPath "HKEY_CURRENT_USER\Tests" -Key ""
    # Get default key and it's value (alternative)
    Get-PSRegistry -RegistryPath "HKEY_CURRENT_USER\Tests" -DefaultKey
    General notes

        [alias('Path')][string[]] $RegistryPath,
        [string[]] $ComputerName = $Env:COMPUTERNAME,
        [string] $Key,
        [switch] $Advanced,
        [switch] $DefaultKey,
        [switch] $ExpandEnvironmentNames,
        [Parameter(DontShow)][switch] $DoNotUnmount

    $RegistryPath = Resolve-PrivateRegistry -RegistryPath $RegistryPath

    [Array] $Computers = Get-ComputerSplit -ComputerName $ComputerName

    [Array] $RegistryTranslated = Get-PSConvertSpecialRegistry -RegistryPath $RegistryPath -Computers $ComputerName -HiveDictionary $Script:HiveDictionary -ExpandEnvironmentNames:$ExpandEnvironmentNames.IsPresent

    if ($PSBoundParameters.ContainsKey("Key") -or $DefaultKey) {
        [Array] $RegistryValues = Get-PSSubRegistryTranslated -RegistryPath $RegistryTranslated -HiveDictionary $Script:HiveDictionary -Key $Key
        foreach ($Computer in $Computers[0]) {
            foreach ($R in $RegistryValues) {
                Get-PSSubRegistry -Registry $R -ComputerName $Computer -ExpandEnvironmentNames:$ExpandEnvironmentNames.IsPresent
        foreach ($Computer in $Computers[1]) {
            foreach ($R in $RegistryValues) {
                Get-PSSubRegistry -Registry $R -ComputerName $Computer -Remote -ExpandEnvironmentNames:$ExpandEnvironmentNames.IsPresent
    else {
        [Array] $RegistryValues = Get-PSSubRegistryTranslated -RegistryPath $RegistryTranslated -HiveDictionary $Script:HiveDictionary
        foreach ($Computer in $Computers[0]) {
            foreach ($R in $RegistryValues) {

                Get-PSSubRegistryComplete -Registry $R -ComputerName $Computer -Advanced:$Advanced -ExpandEnvironmentNames:$ExpandEnvironmentNames.IsPresent
        foreach ($Computer in $Computers[1]) {
            foreach ($R in $RegistryValues) {
                Get-PSSubRegistryComplete -Registry $R -ComputerName $Computer -Remote -Advanced:$Advanced -ExpandEnvironmentNames:$ExpandEnvironmentNames.IsPresent
    if ($Script:CurrentGetCount -eq 0) {
        if (-not $DoNotUnmount) {
function Get-PSService { 
    Alternative way to Get-Service
    Alternative way to Get-Service which works using CIM queries
    .PARAMETER ComputerName
    ComputerName(s) to query for services
    .PARAMETER Protocol
    Protocol to use to gather services
    .PARAMETER Service
    Limit output to just few services
    Return all data without filtering
    .PARAMETER Extended
    Return more data
    Get-PSService -ComputerName AD1, AD2, AD3, AD4 -Service 'Dnscache', 'DNS', 'PeerDistSvc', 'WebClient', 'Netlogon'
    Get-PSService -ComputerName AD1, AD2 -Extended
    Get-PSService -Extended
    General notes

        [alias('Computer', 'Computers')][string[]] $ComputerName = $Env:COMPUTERNAME,
        [ValidateSet('Default', 'Dcom', 'Wsman')][string] $Protocol = 'Default',
        [alias('Services')][string[]] $Service,
        [switch] $All,
        [switch] $Extended
    [string] $Class = 'win32_service'
    [string] $Properties = '*'

    if ($Service) {
        $CachedServices = @{}
        foreach ($S in $Service) {
            $CachedServices[$S] = $true
    $Information = Get-CimData -ComputerName $ComputerName -Protocol $Protocol -Class $Class -Properties $Properties
    if ($All) {
        if ($Service) {
            foreach ($Entry in $Information) {
                if ($CachedServices[$Entry.Name]) {
        else {
    else {
        foreach ($Data in $Information) {

            if ($Service) {
                if (-not $CachedServices[$Data.Name]) {
            $OutputService = [ordered] @{
                ComputerName = if ($Data.PSComputerName) {
                else {
                Status       = $Data.State
                Name         = $Data.Name
                ServiceType  = $Data.ServiceType
                StartType    = $Data.StartMode
                DisplayName  = $Data.DisplayName
            if ($Extended) {
                $OutputServiceExtended = [ordered] @{
                    StatusOther             = $Data.Status
                    ExitCode                = $Data.ExitCode
                    DesktopInteract         = $Data.DesktopInteract
                    ErrorControl            = $Data.ErrorControl
                    PathName                = $Data.PathName
                    Caption                 = $Data.Caption
                    Description             = $Data.Description

                    Started                 = $Data.Started
                    SystemName              = $Data.SystemName
                    AcceptPause             = $Data.AcceptPause
                    AcceptStop              = $Data.AcceptStop
                    ServiceSpecificExitCode = $Data.ServiceSpecificExitCode
                    StartName               = $Data.StartName

                    TagId                   = $Data.TagId
                    CheckPoint              = $Data.CheckPoint
                    DelayedAutoStart        = $Data.DelayedAutoStart
                    ProcessId               = $Data.ProcessId
                    WaitHint                = $Data.WaitHint
                [PSCustomObject] ($OutputService + $OutputServiceExtended)
            else {
                [PSCustomObject] $OutputService
function Get-TimeSettings { 
        [string[]] $ComputerName,
        # [string] $Domain,
        [switch] $Formatted,
        [string] $Splitter

    $Types = @{
        NT5DS   = 'The time service synchronizes from the domain hierarchy.' 
        NTP     = 'The time service synchronizes from the servers specified in the NtpServer registry entry.'  
        ALLSync = 'The time service uses all the available synchronization mechanisms.'
        NoSync  = 'The time service does not synchronize with other sources.'

    enum NtpServerFlags {
        None = 0
        SpecialInterval = 0x1 
        UseAsFallbackOnly = 0x2 
        SymmetricActive = 0x4 
        Client = 0x8 

    $CrossSiteSyncFlags = @{
        '0' = 'None'
        '1' = 'PdcOnly'
        '2' = 'All'

    $AnnounceFlags = @{
        '0'  = 'Not a time server'
        '1'  = 'Always time server'
        '2'  = 'Automatic time server'
        '4'  = 'Always reliable time server'
        '8'  = 'Automatic reliable time server'
        '10' = 'The default value for domain members is 10. The default value for stand-alone clients and servers is 10.'

    foreach ($_ in $ComputerName) {
        [bool] $AppliedGPO = $false
        $TimeParameters = Get-PSRegistry -ComputerName $_ -RegistryPath "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\Parameters"
        if ($null -eq $TimeParameters.NtpServer) {
            $TimeParameters = Get-PSRegistry -ComputerName $_ -RegistryPath "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
            $AppliedGPO = $true

        $TimeConfig = Get-PSRegistry -ComputerName $_ -RegistryPath "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config"

        $TimeNTPClient = Get-PSRegistry -ComputerName $_ -RegistryPath "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient"
        if ($null -eq $TimeNTPClient.CrossSiteSyncFlags) {
            $TimeNTPClient = Get-PSRegistry -ComputerName $_ -RegistryPath "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPClient"
        $TimeNTPServer = Get-PSRegistry -ComputerName $_ -RegistryPath "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer"

        $TimeVMProvider = Get-PSRegistry -ComputerName $ComputerName -RegistryPath "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider"

        $NtpServers = $TimeParameters.NtpServer -split ' '
        $Ntp = foreach ($NtpServer in $NtpServers) {
            $SplitNTP = $NtpServer -split ','

            if ($SplitNTP.Count -eq 2) {

                if ($flagVal = $SplitNTP[1] -as [int]) {

                    if ($flags = $flagVal -as [NtpServerFlags]) {
                        $Intervals = $flags.ToString().Replace(', ', '+')
                    else {
                        Write-Warning -Message "Get-TimeSettings - NtpServer flag value `"$flagVal`" could not be converted to NtpServerFlags enum"
                        $Intervals = 'Incorrect'
                else {
                    Write-Warning -Message "Get-TimeSettings - NtpServer flag value `"$($SplitNTP[1])`" could not be parsed as an integer"
                    $Intervals = 'Incorrect'
            else {
                $Intervals = 'Missing'

            [PSCustomObject] @{
                NtpServer = $SplitNTP[0]
                Intervals = $Intervals

        [PSCustomObject] @{
            ComputerName                = $_

            NtpServer                   = if ($Splitter) {
                $Ntp.NtpServer -join $Splitter 
            else {
            NtpServerIntervals          = if ($Splitter) {
                $Ntp.Intervals -join $Splitter 
            else {
            NtpType                     = $TimeParameters.Type
            NtpTypeComment              = $Types["$($TimeParameters.Type)"]
            AppliedGPO                  = $AppliedGPO
            VMTimeProvider              = [bool] $TimeVMProvider.Enabled
            AnnounceFlags               = $TimeConfig.AnnounceFlags
            AnnounceFlagsComment        = $AnnounceFlags["$($TimeConfig.AnnounceFlags)"]
            NtpServerEnabled            = [bool]$TimeNTPServer.Enabled
            NtpServerInputProvider      = [bool]$TimeNTPServer.InputProvider
            MaxPosPhaseCorrection       = $TimeConfig.MaxPosPhaseCorrection
            MaxnegPhaseCorrection       = $TimeConfig.MaxnegPhaseCorrection
            MaxAllowedPhaseOffset       = $TimeConfig.MaxAllowedPhaseOffset
            MaxPollInterval             = $TimeConfig.MaxPollInterval
            MinPollInterval             = $TimeConfig.MinPollInterval
            UpdateInterval              = $TimeConfig.UpdateInterval
            ResolvePeerBackoffMinutes   = $TimeNTPClient.ResolvePeerBackoffMinutes
            ResolvePeerBackoffMaxTimes  = $TimeNTPClient.ResolvePeerBackoffMaxTimes
            SpecialPollInterval         = $TimeNTPClient.SpecialPollInterval
            EventLogFlags               = $TimeConfig.EventLogFlags
            NtpClientEnabled            = [bool] $TimeNTPClient.Enabled
            NtpClientCrossSiteSyncFlags = $CrossSiteSyncFlags["$($TimeNTPClient.CrossSiteSyncFlags)"]
            NtpClientInputProvider      = [bool] $TimeNTPClient.InputProvider
            TimeNTPClient               = $TimeNTPClient.SpecialPollInterval
function Get-WinADForestDetails { 
        [alias('ForestName')][string] $Forest,
        [string[]] $ExcludeDomains,
        [string[]] $ExcludeDomainControllers,
        [alias('Domain', 'Domains')][string[]] $IncludeDomains,
        [alias('DomainControllers', 'ComputerName')][string[]] $IncludeDomainControllers,
        [switch] $SkipRODC,
        [string] $Filter = '*',
        [switch] $TestAvailability,
        [ValidateSet('All', 'Ping', 'WinRM', 'PortOpen', 'Ping+WinRM', 'Ping+PortOpen', 'WinRM+PortOpen')] $Test = 'All',
        [int[]] $Ports = 135,
        [int] $PortsTimeout = 100,
        [int] $PingCount = 1,
        [switch] $PreferWritable,
        [switch] $Extended,
        [System.Collections.IDictionary] $ExtendedForestInformation
    if ($Global:ProgressPreference -ne 'SilentlyContinue') {
        $TemporaryProgress = $Global:ProgressPreference
        $Global:ProgressPreference = 'SilentlyContinue'

    if (-not $ExtendedForestInformation) {

        $Findings = [ordered] @{ }
        try {
            if ($Forest) {
                $ForestInformation = Get-ADForest -ErrorAction Stop -Identity $Forest
            else {
                $ForestInformation = Get-ADForest -ErrorAction Stop
        catch {
            Write-Warning "Get-WinADForestDetails - Error discovering DC for Forest - $($_.Exception.Message)"
        if (-not $ForestInformation) {
        $Findings['Forest'] = $ForestInformation
        $Findings['ForestDomainControllers'] = @()
        $Findings['QueryServers'] = @{ }
        $Findings['DomainDomainControllers'] = @{ }
        [Array] $Findings['Domains'] = foreach ($Domain in $ForestInformation.Domains) {
            if ($IncludeDomains) {
                if ($Domain -in $IncludeDomains) {

            if ($Domain -notin $ExcludeDomains) {

        [Array] $DomainsActive = foreach ($Domain in $Findings['Forest'].Domains) {
            try {
                $DC = Get-ADDomainController -DomainName $Domain -Discover -ErrorAction Stop -Writable:$PreferWritable.IsPresent

                $OrderedDC = [ordered] @{
                    Domain      = $DC.Domain
                    Forest      = $DC.Forest
                    HostName    = [Array] $DC.HostName
                    IPv4Address = $DC.IPv4Address
                    IPv6Address = $DC.IPv6Address
                    Name        = $DC.Name
                    Site        = $DC.Site
            catch {
                Write-Warning "Get-WinADForestDetails - Error discovering DC for domain $Domain - $($_.Exception.Message)"
            if ($Domain -eq $Findings['Forest']['Name']) {
                $Findings['QueryServers']['Forest'] = $OrderedDC
            $Findings['QueryServers']["$Domain"] = $OrderedDC


        [Array] $Findings['Domains'] = foreach ($Domain in $Findings['Domains']) {
            if ($Domain -notin $DomainsActive) {
                Write-Warning "Get-WinADForestDetails - Domain $Domain doesn't seem to be active (no DCs). Skipping."

        [Array] $Findings['ForestDomainControllers'] = foreach ($Domain in $Findings.Domains) {
            $QueryServer = $Findings['QueryServers'][$Domain]['HostName'][0]

            [Array] $AllDC = try {
                try {
                    $DomainControllers = Get-ADDomainController -Filter $Filter -Server $QueryServer -ErrorAction Stop
                catch {
                    Write-Warning "Get-WinADForestDetails - Error listing DCs for domain $Domain - $($_.Exception.Message)"
                foreach ($S in $DomainControllers) {
                    if ($IncludeDomainControllers.Count -gt 0) {
                        If (-not $IncludeDomainControllers[0].Contains('.')) {
                            if ($S.Name -notin $IncludeDomainControllers) {
                        else {
                            if ($S.HostName -notin $IncludeDomainControllers) {
                    if ($ExcludeDomainControllers.Count -gt 0) {
                        If (-not $ExcludeDomainControllers[0].Contains('.')) {
                            if ($S.Name -in $ExcludeDomainControllers) {
                        else {
                            if ($S.HostName -in $ExcludeDomainControllers) {
                    $Server = [ordered] @{
                        Domain                 = $Domain
                        HostName               = $S.HostName
                        Name                   = $S.Name
                        Forest                 = $ForestInformation.RootDomain
                        Site                   = $S.Site
                        IPV4Address            = $S.IPV4Address
                        IPV6Address            = $S.IPV6Address
                        IsGlobalCatalog        = $S.IsGlobalCatalog
                        IsReadOnly             = $S.IsReadOnly
                        IsSchemaMaster         = ($S.OperationMasterRoles -contains 'SchemaMaster')
                        IsDomainNamingMaster   = ($S.OperationMasterRoles -contains 'DomainNamingMaster')
                        IsPDC                  = ($S.OperationMasterRoles -contains 'PDCEmulator')
                        IsRIDMaster            = ($S.OperationMasterRoles -contains 'RIDMaster')
                        IsInfrastructureMaster = ($S.OperationMasterRoles -contains 'InfrastructureMaster')
                        OperatingSystem        = $S.OperatingSystem
                        OperatingSystemVersion = $S.OperatingSystemVersion
                        OperatingSystemLong    = ConvertTo-OperatingSystem -OperatingSystem $S.OperatingSystem -OperatingSystemVersion $S.OperatingSystemVersion
                        LdapPort               = $S.LdapPort
                        SslPort                = $S.SslPort
                        DistinguishedName      = $S.ComputerObjectDN
                        Pingable               = $null
                        WinRM                  = $null
                        PortOpen               = $null
                        Comment                = ''
                    if ($TestAvailability) {
                        if ($Test -eq 'All' -or $Test -like 'Ping*') {
                            $Server.Pingable = Test-Connection -ComputerName $Server.IPV4Address -Quiet -Count $PingCount
                        if ($Test -eq 'All' -or $Test -like '*WinRM*') {
                            $Server.WinRM = (Test-WinRM -ComputerName $Server.HostName).Status
                        if ($Test -eq 'All' -or '*PortOpen*') {
                            $Server.PortOpen = (Test-ComputerPort -Server $Server.HostName -PortTCP $Ports -Timeout $PortsTimeout).Status
                    [PSCustomObject] $Server
            catch {
                    Domain                   = $Domain
                    HostName                 = ''
                    Name                     = ''
                    Forest                   = $ForestInformation.RootDomain
                    IPV4Address              = ''
                    IPV6Address              = ''
                    IsGlobalCatalog          = ''
                    IsReadOnly               = ''
                    Site                     = ''
                    SchemaMaster             = $false
                    DomainNamingMasterMaster = $false
                    PDCEmulator              = $false
                    RIDMaster                = $false
                    InfrastructureMaster     = $false
                    LdapPort                 = ''
                    SslPort                  = ''
                    DistinguishedName        = ''
                    Pingable                 = $null
                    WinRM                    = $null
                    PortOpen                 = $null
                    Comment                  = $_.Exception.Message -replace "`n", " " -replace "`r", " "
            if ($SkipRODC) {
                [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false }
            else {
                [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC

            if ($null -ne $Findings['DomainDomainControllers'][$Domain]) {
                [Array] $Findings['DomainDomainControllers'][$Domain]
        if ($Extended) {
            $Findings['DomainsExtended'] = @{ }
            $Findings['DomainsExtendedNetBIOS'] = @{ }
            foreach ($DomainEx in $Findings['Domains']) {
                try {

                    $Findings['DomainsExtended'][$DomainEx] = Get-ADDomain -Server $Findings['QueryServers'][$DomainEx].HostName[0] | ForEach-Object {

                        [ordered] @{
                            AllowedDNSSuffixes                 = $_.AllowedDNSSuffixes | ForEach-Object -Process { $_ }                
                            ChildDomains                       = $_.ChildDomains | ForEach-Object -Process { $_ }                      
                            ComputersContainer                 = $_.ComputersContainer                 
                            DeletedObjectsContainer            = $_.DeletedObjectsContainer            
                            DistinguishedName                  = $_.DistinguishedName                  
                            DNSRoot                            = $_.DNSRoot                            
                            DomainControllersContainer         = $_.DomainControllersContainer         
                            DomainMode                         = $_.DomainMode                         
                            DomainSID                          = $_.DomainSID.Value                        
                            ForeignSecurityPrincipalsContainer = $_.ForeignSecurityPrincipalsContainer 
                            Forest                             = $_.Forest                             
                            InfrastructureMaster               = $_.InfrastructureMaster               
                            LastLogonReplicationInterval       = $_.LastLogonReplicationInterval       
                            LinkedGroupPolicyObjects           = $_.LinkedGroupPolicyObjects | ForEach-Object -Process { $_ }           
                            LostAndFoundContainer              = $_.LostAndFoundContainer              
                            ManagedBy                          = $_.ManagedBy                          
                            Name                               = $_.Name                               
                            NetBIOSName                        = $_.NetBIOSName                        
                            ObjectClass                        = $_.ObjectClass                        
                            ObjectGUID                         = $_.ObjectGUID                         
                            ParentDomain                       = $_.ParentDomain                       
                            PDCEmulator                        = $_.PDCEmulator                        
                            PublicKeyRequiredPasswordRolling   = $_.PublicKeyRequiredPasswordRolling | ForEach-Object -Process { $_ }   
                            QuotasContainer                    = $_.QuotasContainer                    
                            ReadOnlyReplicaDirectoryServers    = $_.ReadOnlyReplicaDirectoryServers | ForEach-Object -Process { $_ }    
                            ReplicaDirectoryServers            = $_.ReplicaDirectoryServers | ForEach-Object -Process { $_ }           
                            RIDMaster                          = $_.RIDMaster                          
                            SubordinateReferences              = $_.SubordinateReferences | ForEach-Object -Process { $_ }            
                            SystemsContainer                   = $_.SystemsContainer                   
                            UsersContainer                     = $_.UsersContainer                     

                    $NetBios = $Findings['DomainsExtended'][$DomainEx]['NetBIOSName']
                    $Findings['DomainsExtendedNetBIOS'][$NetBios] = $Findings['DomainsExtended'][$DomainEx]
                catch {
                    Write-Warning "Get-WinADForestDetails - Error gathering Domain Information for domain $DomainEx - $($_.Exception.Message)"

        if ($TemporaryProgress) {
            $Global:ProgressPreference = $TemporaryProgress

    else {

        $Findings = Copy-DictionaryManual -Dictionary $ExtendedForestInformation
        [Array] $Findings['Domains'] = foreach ($_ in $Findings.Domains) {
            if ($IncludeDomains) {
                if ($_ -in $IncludeDomains) {

            if ($_ -notin $ExcludeDomains) {

        foreach ($_ in [string[]] $Findings.DomainDomainControllers.Keys) {
            if ($_ -notin $Findings.Domains) {

        foreach ($_ in [string[]] $Findings.DomainsExtended.Keys) {
            if ($_ -notin $Findings.Domains) {
                $NetBiosName = $Findings.DomainsExtended.$_.'NetBIOSName'
                if ($NetBiosName) {
        [Array] $Findings['ForestDomainControllers'] = foreach ($Domain in $Findings.Domains) {
            [Array] $AllDC = foreach ($S in $Findings.DomainDomainControllers["$Domain"]) {
                if ($IncludeDomainControllers.Count -gt 0) {
                    If (-not $IncludeDomainControllers[0].Contains('.')) {
                        if ($S.Name -notin $IncludeDomainControllers) {
                    else {
                        if ($S.HostName -notin $IncludeDomainControllers) {
                if ($ExcludeDomainControllers.Count -gt 0) {
                    If (-not $ExcludeDomainControllers[0].Contains('.')) {
                        if ($S.Name -in $ExcludeDomainControllers) {
                    else {
                        if ($S.HostName -in $ExcludeDomainControllers) {
            if ($SkipRODC) {
                [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false }
            else {
                [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC

            [Array] $Findings['DomainDomainControllers'][$Domain]
function Invoke-CommandCustom { 
        [scriptblock] $ScriptBlock,
        [System.Collections.IDictionary] $Parameter,
        [array] $Argument,
        [switch] $ReturnVerbose,
        [switch] $ReturnError,
        [switch] $ReturnWarning,
        [switch] $AddParameter
    $Output = [ordered]@{}
    $ps = [PowerShell]::Create()
    if ($ReturnVerbose) {
        $null = $ps.AddScript('$VerbosePreference = "Continue"').AddStatement()
    if ($ScriptBlock) {
        if ($Parameter -and $AddParameter) {
            $Count = 0
            [string] $ScriptBlockParams = @(
                foreach ($Key in $Parameter.Keys) {
                    if ($Count -eq $Parameter.Keys.Count) {
                    else {
            $ScriptBlockScript = [scriptblock]::Create($ScriptBlockParams)
            $null = $ps.AddScript($ScriptBlockScript)
        else {
            $null = $ps.AddScript($ScriptBlock)
    if ($Parameter) {
        foreach ($Key in $Parameter.Keys) {
            $null = $ps.AddParameter($Key, $Parameter[$Key])
    if ($Argument) {
        foreach ($Arg in $Argument) {
            $null = $ps.AddArgument($Arg)
    $ErrorCaught = $null
    try {
        $InvokedCommand = $ps.Invoke()
    catch {
        $ErrorCaught = $_
    if ($InvokedCommand) {
        $Output['Output'] = $InvokedCommand
    if ($ReturnVerbose) {
        if ($Ps.Streams.Verbose) {
            $Output['Verbose'] = $ps.Streams.Verbose
    if ($ReturnWarning) {
        if ($ps.Streams.Warning) {
            $Output['Warning'] = $ps.Streams.Warning
    if ($ReturnError) {
        if ($ErrorCaught) {
            $Output['Error'] = $ErrorCaught
        else {
            if ($Ps.Streams.Error) {
                $Output['Error'] = $ps.Streams.Error
    if ($ReturnError -or $ReturnVerbose -or $ReturnWarning) {
    else {
function Start-TimeLog { 
function Stop-TimeLog { 
    param (
        [Parameter(ValueFromPipeline = $true)][System.Diagnostics.Stopwatch] $Time,
        [ValidateSet('OneLiner', 'Array')][string] $Option = 'OneLiner',
        [switch] $Continue
    Begin {
    Process {
        if ($Option -eq 'Array') {
            $TimeToExecute = "$($Time.Elapsed.Days) days", "$($Time.Elapsed.Hours) hours", "$($Time.Elapsed.Minutes) minutes", "$($Time.Elapsed.Seconds) seconds", "$($Time.Elapsed.Milliseconds) milliseconds"
        else {
            $TimeToExecute = "$($Time.Elapsed.Days) days, $($Time.Elapsed.Hours) hours, $($Time.Elapsed.Minutes) minutes, $($Time.Elapsed.Seconds) seconds, $($Time.Elapsed.Milliseconds) milliseconds"
    End {
        if (-not $Continue) {
        return $TimeToExecute
function Test-ComputerPort { 
    param (
        [alias('Server')][string[]] $ComputerName,
        [int[]] $PortTCP,
        [int[]] $PortUDP,
        [int]$Timeout = 5000
    begin {
        if ($Global:ProgressPreference -ne 'SilentlyContinue') {
            $TemporaryProgress = $Global:ProgressPreference
            $Global:ProgressPreference = 'SilentlyContinue'
    process {
        foreach ($Computer in $ComputerName) {
            foreach ($P in $PortTCP) {
                $Output = [ordered] @{
                    'ComputerName' = $Computer
                    'Port'         = $P
                    'Protocol'     = 'TCP'
                    'Status'       = $null
                    'Summary'      = $null
                    'Response'     = $null

                $TcpClient = Test-NetConnection -ComputerName $Computer -Port $P -InformationLevel Detailed -WarningAction SilentlyContinue
                if ($TcpClient.TcpTestSucceeded) {
                    $Output['Status'] = $TcpClient.TcpTestSucceeded
                    $Output['Summary'] = "TCP $P Successful"
                else {
                    $Output['Status'] = $false
                    $Output['Summary'] = "TCP $P Failed"
                    $Output['Response'] = $Warnings
            foreach ($P in $PortUDP) {
                $Output = [ordered] @{
                    'ComputerName' = $Computer
                    'Port'         = $P
                    'Protocol'     = 'UDP'
                    'Status'       = $null
                    'Summary'      = $null
                $UdpClient = [System.Net.Sockets.UdpClient]::new($Computer, $P)
                $UdpClient.Client.ReceiveTimeout = $Timeout

                $Encoding = [System.Text.ASCIIEncoding]::new()
                $byte = $Encoding.GetBytes("Evotec")
                [void]$UdpClient.Send($byte, $byte.length)
                $RemoteEndpoint = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
                try {
                    $Bytes = $UdpClient.Receive([ref]$RemoteEndpoint)
                    [string]$Data = $Encoding.GetString($Bytes)
                    If ($Data) {
                        $Output['Status'] = $true
                        $Output['Summary'] = "UDP $P Successful"
                        $Output['Response'] = $Data
                catch {
                    $Output['Status'] = $false
                    $Output['Summary'] = "UDP $P Failed"
                    $Output['Response'] = $_.Exception.Message
    end {

        if ($TemporaryProgress) {
            $Global:ProgressPreference = $TemporaryProgress
function Test-WinRM { 
    param (
        [alias('Server')][string[]] $ComputerName
    $Output = foreach ($Computer in $ComputerName) {
        $Test = [PSCustomObject] @{
            Output       = $null
            Status       = $null
            ComputerName = $Computer
        try {
            $Test.Output = Test-WSMan -ComputerName $Computer -ErrorAction Stop
            $Test.Status = $true
        catch {
            $Test.Status = $false
function Write-Color { 
    Write-Color is a wrapper around Write-Host delivering a lot of additional features for easier color options.
    Write-Color is a wrapper around Write-Host delivering a lot of additional features for easier color options.
    It provides:
    - Easy manipulation of colors,
    - Logging output to file (log)
    - Nice formatting options out of the box.
    - Ability to use aliases for parameters
    Text to display on screen and write to log file if specified.
    Accepts an array of strings.
    .PARAMETER Color
    Color of the text. Accepts an array of colors. If more than one color is specified it will loop through colors for each string.
    If there are more strings than colors it will start from the beginning.
    Available colors are: Black, DarkBlue, DarkGreen, DarkCyan, DarkRed, DarkMagenta, DarkYellow, Gray, DarkGray, Blue, Green, Cyan, Red, Magenta, Yellow, White
    .PARAMETER BackGroundColor
    Color of the background. Accepts an array of colors. If more than one color is specified it will loop through colors for each string.
    If there are more strings than colors it will start from the beginning.
    Available colors are: Black, DarkBlue, DarkGreen, DarkCyan, DarkRed, DarkMagenta, DarkYellow, Gray, DarkGray, Blue, Green, Cyan, Red, Magenta, Yellow, White
    .PARAMETER StartTab
    Number of tabs to add before text. Default is 0.
    .PARAMETER LinesBefore
    Number of empty lines before text. Default is 0.
    .PARAMETER LinesAfter
    Number of empty lines after text. Default is 0.
    .PARAMETER StartSpaces
    Number of spaces to add before text. Default is 0.
    .PARAMETER LogFile
    Path to log file. If not specified no log file will be created.
    .PARAMETER DateTimeFormat
    Custom date and time format string. Default is yyyy-MM-dd HH:mm:ss
    .PARAMETER LogTime
    If set to $true it will add time to log file. Default is $true.
    .PARAMETER LogRetry
    Number of retries to write to log file, in case it can't write to it for some reason, before skipping. Default is 2.
    .PARAMETER Encoding
    Encoding of the log file. Default is Unicode.
    .PARAMETER ShowTime
    Switch to add time to console output. Default is not set.
    .PARAMETER NoNewLine
    Switch to not add new line at the end of the output. Default is not set.
    .PARAMETER NoConsoleOutput
    Switch to not output to console. Default all output goes to console.
    Write-Color -Text "Red ", "Green ", "Yellow " -Color Red,Green,Yellow
    Write-Color -Text "This is text in Green ",
                      "followed by red ",
                      "and then we have Magenta... ",
                      "isn't it fun? ",
                      "Here goes DarkCyan" -Color Green,Red,Magenta,White,DarkCyan
    Write-Color -Text "This is text in Green ",
                      "followed by red ",
                      "and then we have Magenta... ",
                      "isn't it fun? ",
                      "Here goes DarkCyan" -Color Green,Red,Magenta,White,DarkCyan -StartTab 3 -LinesBefore 1 -LinesAfter 1
    Write-Color "1. ", "Option 1" -Color Yellow, Green
    Write-Color "2. ", "Option 2" -Color Yellow, Green
    Write-Color "3. ", "Option 3" -Color Yellow, Green
    Write-Color "4. ", "Option 4" -Color Yellow, Green
    Write-Color "9. ", "Press 9 to exit" -Color Yellow, Gray -LinesBefore 1
    Write-Color -LinesBefore 2 -Text "This little ","message is ", "written to log ", "file as well." `
                -Color Yellow, White, Green, Red, Red -LogFile "C:\testing.txt" -TimeFormat "yyyy-MM-dd HH:mm:ss"
    Write-Color -Text "This can get ","handy if ", "want to display things, and log actions to file ", "at the same time." `
                -Color Yellow, White, Green, Red, Red -LogFile "C:\testing.txt"
    Write-Color -T "My text", " is ", "all colorful" -C Yellow, Red, Green -B Green, Green, Yellow
    Write-Color -t "my text" -c yellow -b green
    Write-Color -text "my text" -c red
    Write-Color -Text "TestujÄ™ czy siÄ™ Å‚adnie zapisze, czy bÄ™dÄ… problemy" -Encoding unicode -LogFile 'C:\temp\testinggg.txt' -Color Red -NoConsoleOutput
    Understanding Custom date and time format strings: https://learn.microsoft.com/en-us/dotnet/standard/base-types/custom-date-and-time-format-strings
    Project support: https://github.com/EvotecIT/PSWriteColor
    Original idea: Josh (https://stackoverflow.com/users/81769/josh)

    param (
        [alias ('T')] [String[]]$Text,
        [alias ('C', 'ForegroundColor', 'FGC')] [ConsoleColor[]]$Color = [ConsoleColor]::White,
        [alias ('B', 'BGC')] [ConsoleColor[]]$BackGroundColor = $null,
        [alias ('Indent')][int] $StartTab = 0,
        [int] $LinesBefore = 0,
        [int] $LinesAfter = 0,
        [int] $StartSpaces = 0,
        [alias ('L')] [string] $LogFile = '',
        [Alias('DateFormat', 'TimeFormat')][string] $DateTimeFormat = 'yyyy-MM-dd HH:mm:ss',
        [alias ('LogTimeStamp')][bool] $LogTime = $true,
        [int] $LogRetry = 2,
        [ValidateSet('unknown', 'string', 'unicode', 'bigendianunicode', 'utf8', 'utf7', 'utf32', 'ascii', 'default', 'oem')][string]$Encoding = 'Unicode',
        [switch] $ShowTime,
        [switch] $NoNewLine,
        [alias('HideConsole')][switch] $NoConsoleOutput
    if (-not $NoConsoleOutput) {
        $DefaultColor = $Color[0]
        if ($null -ne $BackGroundColor -and $BackGroundColor.Count -ne $Color.Count) {
            Write-Error "Colors, BackGroundColors parameters count doesn't match. Terminated."
        if ($LinesBefore -ne 0) {
            for ($i = 0; $i -lt $LinesBefore; $i++) {
                Write-Host -Object "`n" -NoNewline 
        } # Add empty line before
        if ($StartTab -ne 0) {
            for ($i = 0; $i -lt $StartTab; $i++) {
                Write-Host -Object "`t" -NoNewline 
        }  # Add TABS before text
        if ($StartSpaces -ne 0) {
            for ($i = 0; $i -lt $StartSpaces; $i++) {
                Write-Host -Object ' ' -NoNewline 
        }  # Add SPACES before text
        if ($ShowTime) {
            Write-Host -Object "[$([datetime]::Now.ToString($DateTimeFormat))] " -NoNewline 
        } # Add Time before output
        if ($Text.Count -ne 0) {
            if ($Color.Count -ge $Text.Count) {
                # the real deal coloring
                if ($null -eq $BackGroundColor) {
                    for ($i = 0; $i -lt $Text.Length; $i++) {
                        Write-Host -Object $Text[$i] -ForegroundColor $Color[$i] -NoNewline 
                else {
                    for ($i = 0; $i -lt $Text.Length; $i++) {
                        Write-Host -Object $Text[$i] -ForegroundColor $Color[$i] -BackgroundColor $BackGroundColor[$i] -NoNewline 
            else {
                if ($null -eq $BackGroundColor) {
                    for ($i = 0; $i -lt $Color.Length ; $i++) {
                        Write-Host -Object $Text[$i] -ForegroundColor $Color[$i] -NoNewline 
                    for ($i = $Color.Length; $i -lt $Text.Length; $i++) {
                        Write-Host -Object $Text[$i] -ForegroundColor $DefaultColor -NoNewline 
                else {
                    for ($i = 0; $i -lt $Color.Length ; $i++) {
                        Write-Host -Object $Text[$i] -ForegroundColor $Color[$i] -BackgroundColor $BackGroundColor[$i] -NoNewline 
                    for ($i = $Color.Length; $i -lt $Text.Length; $i++) {
                        Write-Host -Object $Text[$i] -ForegroundColor $DefaultColor -BackgroundColor $BackGroundColor[0] -NoNewline 
        if ($NoNewLine -eq $true) {
            Write-Host -NoNewline 
        else {
        } # Support for no new line
        if ($LinesAfter -ne 0) {
            for ($i = 0; $i -lt $LinesAfter; $i++) {
                Write-Host -Object "`n" -NoNewline 
        }  # Add empty line after
    if ($Text.Count -and $LogFile) {
        # Save to file
        $TextToFile = ""
        for ($i = 0; $i -lt $Text.Length; $i++) {
            $TextToFile += $Text[$i]
        $Saved = $false
        $Retry = 0
        Do {
            try {
                if ($LogTime) {
                    "[$([datetime]::Now.ToString($DateTimeFormat))] $TextToFile" | Out-File -FilePath $LogFile -Encoding $Encoding -Append -ErrorAction Stop -WhatIf:$false
                else {
                    "$TextToFile" | Out-File -FilePath $LogFile -Encoding $Encoding -Append -ErrorAction Stop -WhatIf:$false
                $Saved = $true
            catch {
                if ($Saved -eq $false -and $Retry -eq $LogRetry) {
                    Write-Warning "Write-Color - Couldn't write to log file $($_.Exception.Message). Tried ($Retry/$LogRetry))"
                else {
                    Write-Warning "Write-Color - Couldn't write to log file $($_.Exception.Message). Retrying... ($Retry/$LogRetry)"
        } Until ($Saved -eq $true -or $Retry -ge $LogRetry)
function ConvertFrom-LanguageCode { 
        [string] $LanguageCode
    $LanguageCodeDictionary = @{
        '1'     = "Arabic"
        '4'     = "Chinese (Simplified)?? China"
        '9'     = "English"
        '1025'  = "Arabic (Saudi Arabia)"
        '1026'  = "Bulgarian"
        '1027'  = "Catalan"
        '1028'  = "Chinese (Traditional) Taiwan"
        '1029'  = "Czech"
        '1030'  = "Danish"
        '1031'  = "German (Germany)"
        '1032'  = "Greek"
        '1033'  = "English (United States)"
        '1034'  = "Spanish (Traditional Sort)"
        '1035'  = "Finnish"
        '1036'  = "French (France)"
        '1037'  = "Hebrew"
        '1038'  = "Hungarian"
        '1039'  = "Icelandic"
        '1040'  = "Italian (Italy)"
        '1041'  = "Japanese"
        '1042'  = "Korean"
        '1043'  = "Dutch (Netherlands)"
        '1044'  = "Norwegian (Bokmal)"
        '1045'  = "Polish"
        '1046'  = "Portuguese (Brazil)"
        '1047'  = "Rhaeto-Romanic"
        '1048'  = "Romanian"
        '1049'  = "Russian"
        '1050'  = "Croatian"
        '1051'  = "Slovak"
        '1052'  = "Albanian"
        '1053'  = "Swedish"
        '1054'  = "Thai"
        '1055'  = "Turkish"
        '1056'  = "Urdu"
        '1057'  = "Indonesian"
        '1058'  = "Ukrainian"
        '1059'  = "Belarusian"
        '1060'  = "Slovenian"
        '1061'  = "Estonian"
        '1062'  = "Latvian"
        '1063'  = "Lithuanian"
        '1065'  = "Persian"
        '1066'  = "Vietnamese"
        '1069'  = "Basque (Basque)"
        '1070'  = "Serbian"
        '1071'  = "Macedonian (FYROM)"
        '1072'  = "Sutu"
        '1073'  = "Tsonga"
        '1074'  = "Tswana"
        '1076'  = "Xhosa"
        '1077'  = "Zulu"
        '1078'  = "Afrikaans"
        '1080'  = "Faeroese"
        '1081'  = "Hindi"
        '1082'  = "Maltese"
        '1084'  = "Scottish Gaelic (United Kingdom)"
        '1085'  = "Yiddish"
        '1086'  = "Malay (Malaysia)"
        '2049'  = "Arabic (Iraq)"
        '2052'  = "Chinese (Simplified) PRC"
        '2055'  = "German (Switzerland)"
        '2057'  = "English (United Kingdom)"
        '2058'  = "Spanish (Mexico)"
        '2060'  = "French (Belgium)"
        '2064'  = "Italian (Switzerland)"
        '2067'  = "Dutch (Belgium)"
        '2068'  = "Norwegian (Nynorsk)"
        '2070'  = "Portuguese (Portugal)"
        '2072'  = "Romanian (Moldova)"
        '2073'  = "Russian (Moldova)"
        '2074'  = "Serbian (Latin)"
        '2077'  = "Swedish (Finland)"
        '3073'  = "Arabic (Egypt)"
        '3076'  = "Chinese Traditional (Hong Kong SAR)"
        '3079'  = "German (Austria)"
        '3081'  = "English (Australia)"
        '3082'  = "Spanish (International Sort)"
        '3084'  = "French (Canada)"
        '3098'  = "Serbian (Cyrillic)"
        '4097'  = "Arabic (Libya)"
        '4100'  = "Chinese Simplified (Singapore)"
        '4103'  = "German (Luxembourg)"
        '4105'  = "English (Canada)"
        '4106'  = "Spanish (Guatemala)"
        '4108'  = "French (Switzerland)"
        '5121'  = "Arabic (Algeria)"
        '5127'  = "German (Liechtenstein)"
        '5129'  = "English (New Zealand)"
        '5130'  = "Spanish (Costa Rica)"
        '5132'  = "French (Luxembourg)"
        '6145'  = "Arabic (Morocco)"
        '6153'  = "English (Ireland)"
        '6154'  = "Spanish (Panama)"
        '7169'  = "Arabic (Tunisia)"
        '7177'  = "English (South Africa)"
        '7178'  = "Spanish (Dominican Republic)"
        '8193'  = "Arabic (Oman)"
        '8201'  = "English (Jamaica)"
        '8202'  = "Spanish (Venezuela)"
        '9217'  = "Arabic (Yemen)"
        '9226'  = "Spanish (Colombia)"
        '10241' = "Arabic (Syria)"
        '10249' = "English (Belize)"
        '10250' = "Spanish (Peru)"
        '11265' = "Arabic (Jordan)"
        '11273' = "English (Trinidad)"
        '11274' = "Spanish (Argentina)"
        '12289' = "Arabic (Lebanon)"
        '12298' = "Spanish (Ecuador)"
        '13313' = "Arabic (Kuwait)"
        '13322' = "Spanish (Chile)"
        '14337' = "Arabic (U.A.E.)"
        '14346' = "Spanish (Uruguay)"
        '15361' = "Arabic (Bahrain)"
        '15370' = "Spanish (Paraguay)"
        '16385' = "Arabic (Qatar)"
        '16394' = "Spanish (Bolivia)"
        '17418' = "Spanish (El Salvador)"
        '18442' = "Spanish (Honduras)"
        '19466' = "Spanish (Nicaragua)"
        '20490' = "Spanish (Puerto Rico)"
    $Output = $LanguageCodeDictionary[$LanguageCode]
    if ($Output) {
    else {
        "Unknown (Undocumented)"
function ConvertTo-OperatingSystem { 
    Allows easy conversion of OperatingSystem, Operating System Version to proper Windows 10 naming based on WMI or AD
    Allows easy conversion of OperatingSystem, Operating System Version to proper Windows 10 naming based on WMI or AD
    .PARAMETER OperatingSystem
    Operating System as returned by Active Directory
    .PARAMETER OperatingSystemVersion
    Operating System Version as returned by Active Directory
    $Computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion | ForEach-Object {
        $OPS = ConvertTo-OperatingSystem -OperatingSystem $_.OperatingSystem -OperatingSystemVersion $_.OperatingSystemVersion
        Add-Member -MemberType NoteProperty -Name 'OperatingSystemTranslated' -Value $OPS -InputObject $_ -Force
    $Computers | Select-Object DNS*, Name, SamAccountName, Enabled, OperatingSystem*, DistinguishedName | Format-Table
    $Registry = Get-PSRegistry -ComputerName 'AD1' -RegistryPath 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    ConvertTo-OperatingSystem -OperatingSystem $Registry.ProductName -OperatingSystemVersion $Registry.CurrentBuildNumber
    General notes

        [string] $OperatingSystem,
        [string] $OperatingSystemVersion

    if ($OperatingSystem -like 'Windows 10*' -or $OperatingSystem -like 'Windows 11*') {
        $Systems = @{

            '10.0 (22621)' = 'Windows 11 22H2'
            '10.0 (22000)' = 'Windows 11 21H2'
            '10.0 (19045)' = 'Windows 10 22H2'
            '10.0 (19044)' = 'Windows 10 21H2'
            '10.0 (19043)' = 'Windows 10 21H1'
            '10.0 (19042)' = 'Windows 10 20H2'
            '10.0 (19041)' = 'Windows 10 2004'
            '10.0 (18898)' = 'Windows 10 Insider Preview'
            '10.0 (18363)' = "Windows 10 1909"
            '10.0 (18362)' = "Windows 10 1903"
            '10.0 (17763)' = "Windows 10 1809"
            '10.0 (17134)' = "Windows 10 1803"
            '10.0 (16299)' = "Windows 10 1709"
            '10.0 (15063)' = "Windows 10 1703"
            '10.0 (14393)' = "Windows 10 1607"
            '10.0 (10586)' = "Windows 10 1511"
            '10.0 (10240)' = "Windows 10 1507"

            '10.0.22621'   = 'Windows 11 22H2'
            '10.0.22000'   = 'Windows 11 21H2'
            '10.0.19045'   = 'Windows 10 22H2'
            '10.0.19044'   = 'Windows 10 21H2'
            '10.0.19043'   = 'Windows 10 21H1'
            '10.0.19042'   = 'Windows 10 20H2'
            '10.0.19041'   = 'Windows 10 2004'
            '10.0.18898'   = 'Windows 10 Insider Preview'
            '10.0.18363'   = "Windows 10 1909"
            '10.0.18362'   = "Windows 10 1903"
            '10.0.17763'   = "Windows 10 1809"
            '10.0.17134'   = "Windows 10 1803"
            '10.0.16299'   = "Windows 10 1709"
            '10.0.15063'   = "Windows 10 1703"
            '10.0.14393'   = "Windows 10 1607"
            '10.0.10586'   = "Windows 10 1511"
            '10.0.10240'   = "Windows 10 1507"

            '22621'        = 'Windows 11 22H2'
            '22000'        = 'Windows 11 21H2'
            '19045'        = 'Windows 10 22H2'
            '19044'        = 'Windows 10 21H2'
            '19043'        = 'Windows 10 21H1'
            '19042'        = 'Windows 10 20H2'
            '19041'        = 'Windows 10 2004'
            '18898'        = 'Windows 10 Insider Preview'
            '18363'        = "Windows 10 1909"
            '18362'        = "Windows 10 1903"
            '17763'        = "Windows 10 1809"
            '17134'        = "Windows 10 1803"
            '16299'        = "Windows 10 1709"
            '15063'        = "Windows 10 1703"
            '14393'        = "Windows 10 1607"
            '10586'        = "Windows 10 1511"
            '10240'        = "Windows 10 1507"
        $System = $Systems[$OperatingSystemVersion]
        if (-not $System) {
            $System = $OperatingSystemVersion
    elseif ($OperatingSystem -like 'Windows Server*') {

        $Systems = @{

            '10.0 (20348)' = 'Windows Server 2022'
            '10.0 (19042)' = 'Windows Server 2019 20H2'
            '10.0 (19041)' = 'Windows Server 2019 2004'
            '10.0 (18363)' = 'Windows Server 2019 1909'
            '10.0 (18362)' = "Windows Server 2019 1903" 
            '10.0 (17763)' = "Windows Server 2019 1809" 
            '10.0 (17134)' = "Windows Server 2016 1803" 
            '10.0 (14393)' = "Windows Server 2016 1607"
            '6.3 (9600)'   = 'Windows Server 2012 R2'
            '6.1 (7601)'   = 'Windows Server 2008 R2'
            '5.2 (3790)'   = 'Windows Server 2003'

            '10.0.20348'   = 'Windows Server 2022'
            '10.0.19042'   = 'Windows Server 2019 20H2'
            '10.0.19041'   = 'Windows Server 2019 2004'
            '10.0.18363'   = 'Windows Server 2019 1909'
            '10.0.18362'   = "Windows Server 2019 1903" 
            '10.0.17763'   = "Windows Server 2019 1809"  
            '10.0.17134'   = "Windows Server 2016 1803" 
            '10.0.14393'   = "Windows Server 2016 1607"
            '6.3.9600'     = 'Windows Server 2012 R2'
            '6.1.7601'     = 'Windows Server 2008 R2' 
            '5.2.3790'     = 'Windows Server 2003' 

            '20348'        = 'Windows Server 2022'
            '19042'        = 'Windows Server 2019 20H2'
            '19041'        = 'Windows Server 2019 2004'
            '18363'        = 'Windows Server 2019 1909'
            '18362'        = "Windows Server 2019 1903" 
            '17763'        = "Windows Server 2019 1809" 
            '17134'        = "Windows Server 2016 1803" 
            '14393'        = "Windows Server 2016 1607"
            '9600'         = 'Windows Server 2012 R2'
            '7601'         = 'Windows Server 2008 R2'
            '3790'         = 'Windows Server 2003'
        $System = $Systems[$OperatingSystemVersion]
        if (-not $System) {
            $System = $OperatingSystemVersion
    else {
        $System = $OperatingSystem
    if ($System) {
    else {
function Copy-DictionaryManual { 
        [System.Collections.IDictionary] $Dictionary

    $clone = [ordered] @{}
    foreach ($Key in $Dictionary.Keys) {
        $value = $Dictionary.$Key

        $clonedValue = switch ($Dictionary.$Key) {
            { $null -eq $_ } {
            { $_ -is [System.Collections.IDictionary] } {
                Copy-DictionaryManual -Dictionary $_
                $type = $_.GetType()
                $type.IsPrimitive -or $type.IsValueType -or $_ -is [string]
            } {
            default {
                $_ | Select-Object -Property *

        if ($value -is [System.Collections.IList]) {
            $clone[$Key] = @($clonedValue)
        else {
            $clone[$Key] = $clonedValue

function Get-CimData { 
    Helper function for retreiving CIM data from local and remote computers
    Helper function for retreiving CIM data from local and remote computers
    .PARAMETER ComputerName
    Specifies computer on which you want to run the CIM operation. You can specify a fully qualified domain name (FQDN), a NetBIOS name, or an IP address. If you do not specify this parameter, the cmdlet performs the operation on the local computer using Component Object Model (COM).
    .PARAMETER Protocol
    Specifies the protocol to use. The acceptable values for this parametDer are: DCOM, Default, or Wsman.
    .PARAMETER Class
    Specifies the name of the CIM class for which to retrieve the CIM instances. You can use tab completion to browse the list of classes, because PowerShell gets a list of classes from the local WMI server to provide a list of class names.
    .PARAMETER Properties
    Specifies a set of instance properties to retrieve. Use this parameter when you need to reduce the size of the object returned, either in memory or over the network. The object returned also contains the key properties even if you have not listed them using the Property parameter. Other properties of the class are present but they are not populated.
    .PARAMETER NameSpace
    Specifies the namespace for the CIM operation. The default namespace is root\cimv2. You can use tab completion to browse the list of namespaces, because PowerShell gets a list of namespaces from the local WMI server to provide a list of namespaces.
    .PARAMETER Credential
    Specifies a user account that has permission to perform this action. The default is the current user.
    Get-CimData -Class 'win32_bios' -ComputerName AD1,EVOWIN
    Get-CimData -Class 'win32_bios'
    Get-CimClass to get all classes
    General notes

        [parameter(Mandatory)][string] $Class,
        [string] $NameSpace = 'root\cimv2',
        [string[]] $ComputerName = $Env:COMPUTERNAME,
        [ValidateSet('Default', 'Dcom', 'Wsman')][string] $Protocol = 'Default',
        [pscredential] $Credential,
        [string[]] $Properties = '*'
    $ExcludeProperties = 'CimClass', 'CimInstanceProperties', 'CimSystemProperties', 'SystemCreationClassName', 'CreationClassName'

    [Array] $ComputersSplit = Get-ComputerSplit -ComputerName $ComputerName

    $CimObject = @(

        [string[]] $PropertiesOnly = $Properties | Where-Object { $_ -ne 'PSComputerName' }

        $Computers = $ComputersSplit[1]
        if ($Computers.Count -gt 0) {
            if ($Protocol -eq 'Default' -and $null -eq $Credential) {
                Get-CimInstance -ClassName $Class -ComputerName $Computers -ErrorAction SilentlyContinue -Property $PropertiesOnly -Namespace $NameSpace -Verbose:$false -ErrorVariable ErrorsToProcess | Select-Object -Property $Properties -ExcludeProperty $ExcludeProperties
            else {
                $Option = New-CimSessionOption -Protocol $Protocol
                $newCimSessionSplat = @{
                    ComputerName  = $Computers
                    SessionOption = $Option
                    ErrorAction   = 'SilentlyContinue'
                if ($Credential) {
                    $newCimSessionSplat['Credential'] = $Credential
                $Session = New-CimSession @newCimSessionSplat -Verbose:$false
                if ($Session) {
                    Try {
                        $Info = Get-CimInstance -ClassName $Class -CimSession $Session -ErrorAction Stop -Property $PropertiesOnly -Namespace $NameSpace -Verbose:$false -ErrorVariable ErrorsToProcess | Select-Object -Property $Properties -ExcludeProperty $ExcludeProperties
                    catch {
                        Write-Warning -Message "Get-CimData - No data for computer $($E.OriginInfo.PSComputerName). Failed with errror: $($E.Exception.Message)"
                    try {
                        $null = Remove-CimSession -CimSession $Session -ErrorAction SilentlyContinue
                    catch {
                        Write-Warning -Message "Get-CimData - Failed to remove CimSession $($Session). Failed with errror: $($E.Exception.Message)"
                else {
                    Write-Warning -Message "Get-CimData - Failed to create CimSession for $($Computers). Problem with credentials?"
            foreach ($E in $ErrorsToProcess) {
                Write-Warning -Message "Get-CimData - No data for computer $($E.OriginInfo.PSComputerName). Failed with errror: $($E.Exception.Message)"
        else {

            $Computers = $ComputersSplit[0]
            if ($Computers.Count -gt 0) {
                $Info = Get-CimInstance -ClassName $Class -ErrorAction SilentlyContinue -Property $PropertiesOnly -Namespace $NameSpace -Verbose:$false -ErrorVariable ErrorsLocal | Select-Object -Property $Properties -ExcludeProperty $ExcludeProperties
                $Info | Add-Member -Name 'PSComputerName' -Value $Computers -MemberType NoteProperty -Force
            foreach ($E in $ErrorsLocal) {
                Write-Warning -Message "Get-CimData - No data for computer $($Env:COMPUTERNAME). Failed with errror: $($E.Exception.Message)"
function Get-ComputerSplit { 
        [string[]] $ComputerName
    if ($null -eq $ComputerName) {
        $ComputerName = $Env:COMPUTERNAME
    try {
        $LocalComputerDNSName = [System.Net.Dns]::GetHostByName($Env:COMPUTERNAME).HostName
    catch {
        $LocalComputerDNSName = $Env:COMPUTERNAME
    $ComputersLocal = $null
    [Array] $Computers = foreach ($Computer in $ComputerName) {
        if ($Computer -eq '' -or $null -eq $Computer) {
            $Computer = $Env:COMPUTERNAME
        if ($Computer -ne $Env:COMPUTERNAME -and $Computer -ne $LocalComputerDNSName) {
        else {
            $ComputersLocal = $Computer
    , @($ComputersLocal, $Computers)
function Get-ComputerTimeNtp { 
        Gets (Simple) Network Time Protocol time (SNTP/NTP, rfc-1305, rfc-2030) from a specified server
        This function connects to an NTP server on UDP port 123 and retrieves the current NTP time.
        Selected components of the returned time information are decoded and returned in a PSObject.
        .PARAMETER Server
        The NTP Server to contact. Uses pool.ntp.org by default.
        Get-NtpTime uk.pool.ntp.org
        Gets time from the specified server.
        Get-NtpTime | fl *
        Get time from default server (pool.ntp.org) and displays all output object attributes.
        Gets NTP time from a specified server.
        Author https://github.com/ChrisWarwick/PowerShell-NTP-Time
        Slightly simplified for different usage scenarios

    Param (
        [String]$Server = 'pool.ntp.org',

    $StartOfEpoch = New-Object DateTime(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

    [Byte[]]$NtpData = , 0 * 48
    $NtpData[0] = 0x1B    

    $Socket = [Net.Sockets.Socket]::new([Net.Sockets.AddressFamily]::InterNetwork, [Net.Sockets.SocketType]::Dgram, [Net.Sockets.ProtocolType]::Udp)
    $Socket.SendTimeOut = 2000  
    $Socket.ReceiveTimeOut = 2000   

    Try {
        $Socket.Connect($Server, 123)
    Catch {
        Write-Warning "Get-ComputerTimeNtp - Failed to connect to server $Server"

    $t1 = Get-Date    

    Try {
    Catch {
        Write-Warning "Get-ComputerTimeNtp - Failed to communicate with server $Server"

    $t4 = Get-Date    


    $LI = ($NtpData[0] -band 0xC0) -shr 6    
    If ($LI -eq 3) {
        Write-Warning 'Get-ComputerTimeNtp - Alarm condition from server (clock not synchronized)'

    $IntPart = [BitConverter]::ToUInt32($NtpData[43..40], 0)
    $FracPart = [BitConverter]::ToUInt32($NtpData[47..44], 0)

    $t3ms = $IntPart * 1000 + ($FracPart * 1000 / 0x100000000)

    $IntPart = [BitConverter]::ToUInt32($NtpData[35..32], 0)
    $FracPart = [BitConverter]::ToUInt32($NtpData[39..36], 0)
    $t2ms = $IntPart * 1000 + ($FracPart * 1000 / 0x100000000)

    $t1ms = ([TimeZoneInfo]::ConvertTimeToUtc($t1) - $StartOfEpoch).TotalMilliseconds
    $t4ms = ([TimeZoneInfo]::ConvertTimeToUtc($t4) - $StartOfEpoch).TotalMilliseconds

    $Offset = (($t2ms - $t1ms) + ($t3ms - $t4ms)) / 2

    [DateTime] $NTPDateTime = $StartOfEpoch.AddMilliseconds($t4ms + $Offset)

    if ($ToLocal) {
    else {
function Get-PSConvertSpecialRegistry { 
        [Array] $RegistryPath,
        [Array] $Computers,
        [System.Collections.IDictionary] $HiveDictionary,
        [switch] $ExpandEnvironmentNames
    $FixedPath = foreach ($R in $RegistryPath) {
        foreach ($DictionaryKey in $HiveDictionary.Keys) {
            $SplitParts = $R.Split("\")
            $FirstPart = $SplitParts[0]
            if ($FirstPart -eq $DictionaryKey) {

                if ($HiveDictionary[$DictionaryKey] -in 'All', 'All+Default', 'Default', 'AllDomain+Default', 'AllDomain', 'AllDomain+Other', 'AllDomain+Other+Default') {
                    foreach ($Computer in $Computers) {
                        $SubKeys = Get-PSRegistry -RegistryPath "HKEY_USERS" -ComputerName $Computer -ExpandEnvironmentNames:$ExpandEnvironmentNames.IsPresent -DoNotUnmount
                        if ($SubKeys.PSSubKeys) {
                            $RegistryKeys = ConvertTo-HKeyUser -SubKeys ($SubKeys.PSSubKeys | Sort-Object) -HiveDictionary $HiveDictionary -DictionaryKey $DictionaryKey -RegistryPath $R
                            foreach ($S in $RegistryKeys) {
                                [PSCustomObject] @{
                                    ComputerName = $Computer
                                    RegistryPath = $S
                                    Error        = $null
                                    ErrorMessage = $null
                        else {
                            [PSCustomObject] @{
                                ComputerName = $Computer
                                RegistryPath = $R
                                Error        = $true
                                ErrorMessage = "Couldn't connect to $Computer to list HKEY_USERS"
                elseif ($FirstPart -in 'Users', 'HKEY_USERS', 'HKU' -and $SplitParts[1] -and $SplitParts[1] -like "Offline_*") {

                    foreach ($Computer in $Computers) {
                        $SubKeys = Get-PSRegistry -RegistryPath "HKEY_USERS" -ComputerName $Computer -ExpandEnvironmentNames:$ExpandEnvironmentNames.IsPresent -DoNotUnmount
                        if ($SubKeys.PSSubKeys) {
                            $RegistryKeys = ConvertTo-HKeyUser -SubKeys ($SubKeys.PSSubKeys + $SplitParts[1] | Sort-Object) -HiveDictionary $HiveDictionary -DictionaryKey $DictionaryKey -RegistryPath $R
                            foreach ($S in $RegistryKeys) {
                                [PSCustomObject] @{
                                    ComputerName = $Computer
                                    RegistryPath = $S
                                    Error        = $null
                                    ErrorMessage = $null
                        else {
                            [PSCustomObject] @{
                                ComputerName = $Computer
                                RegistryPath = $R
                                Error        = $true
                                ErrorMessage = "Couldn't connect to $Computer to list HKEY_USERS"
                else {
function Get-PSRegistryDictionaries { 
    if ($Script:Dictionary) {
    $Script:Dictionary = @{

        'HKUA:'    = 'HKEY_ALL_USERS' 
        'HKUD:'    = 'HKEY_DEFAULT_USER' 




        'HKCR:'    = 'HKEY_CLASSES_ROOT'
        'HKCU:'    = 'HKEY_CURRENT_USER'
        'HKLM:'    = 'HKEY_LOCAL_MACHINE'
        'HKU:'     = 'HKEY_USERS'
        'HKCC:'    = 'HKEY_CURRENT_CONFIG'
        'HKDD:'    = 'HKEY_DYN_DATA'

    $Script:HiveDictionary = [ordered] @{

        'HKEY_ALL_USERS_DEFAULT'              = 'All+Default'
        'HKUAD'                               = 'All+Default'
        'HKEY_ALL_USERS'                      = 'All'
        'HKUA'                                = 'All'
        'HKEY_ALL_DOMAIN_USERS_DEFAULT'       = 'AllDomain+Default'
        'HKUDUD'                              = 'AllDomain+Default'
        'HKEY_ALL_DOMAIN_USERS'               = 'AllDomain'
        'HKUDU'                               = 'AllDomain'
        'HKEY_DEFAULT_USER'                   = 'Default'
        'HKUD'                                = 'Default'
        'HKEY_ALL_DOMAIN_USERS_OTHER'         = 'AllDomain+Other'
        'HKUDUO'                              = 'AllDomain+Other'
        'HKUDUDO'                             = 'AllDomain+Other+Default'
        'HKEY_ALL_DOMAIN_USERS_OTHER_DEFAULT' = 'AllDomain+Other+Default'

        'HKEY_CLASSES_ROOT'                   = 'ClassesRoot'
        'HKCR'                                = 'ClassesRoot'
        'ClassesRoot'                         = 'ClassesRoot'
        'HKCU'                                = 'CurrentUser'
        'HKEY_CURRENT_USER'                   = 'CurrentUser'
        'CurrentUser'                         = 'CurrentUser'
        'HKLM'                                = 'LocalMachine'
        'HKEY_LOCAL_MACHINE'                  = 'LocalMachine'
        'LocalMachine'                        = 'LocalMachine'
        'HKU'                                 = 'Users'
        'HKEY_USERS'                          = 'Users'
        'Users'                               = 'Users'
        'HKCC'                                = 'CurrentConfig'
        'HKEY_CURRENT_CONFIG'                 = 'CurrentConfig'
        'CurrentConfig'                       = 'CurrentConfig'
        'HKDD'                                = 'DynData'
        'HKEY_DYN_DATA'                       = 'DynData'
        'DynData'                             = 'DynData'
        'HKPD'                                = 'PerformanceData'
        'HKEY_PERFORMANCE_DATA '              = 'PerformanceData'
        'PerformanceData'                     = 'PerformanceData'

    $Script:ReverseTypesDictionary = [ordered] @{
        'REG_SZ'        = 'string'
        'REG_NONE'      = 'none'
        'REG_EXPAND_SZ' = 'expandstring'
        'REG_BINARY'    = 'binary'
        'REG_DWORD'     = 'dword'
        'REG_MULTI_SZ'  = 'multistring'
        'REG_QWORD'     = 'qword'
        'string'        = 'string'
        'expandstring'  = 'expandstring'
        'binary'        = 'binary'
        'dword'         = 'dword'
        'multistring'   = 'multistring'
        'qword'         = 'qword'
        'none'          = 'none'
function Get-PSSubRegistry { 
        [System.Collections.IDictionary] $Registry,
        [string] $ComputerName,
        [switch] $Remote,
        [switch] $ExpandEnvironmentNames
    if ($Registry.ComputerName) {
        if ($Registry.ComputerName -ne $ComputerName) {
    if (-not $Registry.Error) {
        try {
            if ($Remote) {
                $BaseHive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Registry.HiveKey, $ComputerName, 0 )
            else {
                $BaseHive = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Registry.HiveKey, 0 )
            $PSConnection = $true
            $PSError = $null
        catch {
            $PSConnection = $false
            $PSError = $($_.Exception.Message)
    else {

        $PSConnection = $false
        $PSError = $($Registry.ErrorMessage)
    if ($PSError) {
        [PSCustomObject] @{
            PSComputerName = $ComputerName
            PSConnection   = $PSConnection
            PSError        = $true
            PSErrorMessage = $PSError
            PSPath         = $Registry.Registry
            PSKey          = $Registry.Key
            PSValue        = $null
            PSType         = $null
    else {
        try {
            $SubKey = $BaseHive.OpenSubKey($Registry.SubKeyName, $false)
            if ($null -ne $SubKey) {
                [PSCustomObject] @{
                    PSComputerName = $ComputerName
                    PSConnection   = $PSConnection
                    PSError        = $false
                    PSErrorMessage = $null
                    PSPath         = $Registry.Registry
                    PSKey          = $Registry.Key
                    PSValue        = if (-not $ExpandEnvironmentNames) {
                        $SubKey.GetValue($Registry.Key, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                    else {
                    PSType         = $SubKey.GetValueKind($Registry.Key)
            else {
                [PSCustomObject] @{
                    PSComputerName = $ComputerName
                    PSConnection   = $PSConnection
                    PSError        = $true
                    PSErrorMessage = "Registry path $($Registry.Registry) doesn't exists."
                    PSPath         = $Registry.Registry
                    PSKey          = $Registry.Key
                    PSValue        = $null
                    PSType         = $null
        catch {
            [PSCustomObject] @{
                PSComputerName = $ComputerName
                PSConnection   = $PSConnection
                PSError        = $true
                PSErrorMessage = $_.Exception.Message
                PSPath         = $Registry.Registry
                PSKey          = $Registry.Key
                PSValue        = $null
                PSType         = $null
    if ($null -ne $SubKey) {
    if ($null -ne $BaseHive) {
function Get-PSSubRegistryComplete { 
        [System.Collections.IDictionary] $Registry,
        [string] $ComputerName,
        [switch] $Remote,
        [switch] $Advanced,
        [switch] $ExpandEnvironmentNames
    if ($Registry.ComputerName) {
        if ($Registry.ComputerName -ne $ComputerName) {
    if (-not $Registry.Error) {
        try {
            if ($Remote) {
                $BaseHive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Registry.HiveKey, $ComputerName, 0 )
            else {
                $BaseHive = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Registry.HiveKey, 0 )
            $PSConnection = $true
            $PSError = $null
        catch {
            $PSConnection = $false
            $PSError = $($_.Exception.Message)
    else {

        $PSConnection = $false
        $PSError = $($Registry.ErrorMessage)
    if ($PSError) {
        [PSCustomObject] @{
            PSComputerName = $ComputerName
            PSConnection   = $PSConnection
            PSError        = $true
            PSErrorMessage = $PSError
            PSSubKeys      = $null
            PSPath         = $Registry.Registry
            PSKey          = $Registry.Key
    else {
        try {
            $SubKey = $BaseHive.OpenSubKey($Registry.SubKeyName, $false)
            if ($null -ne $SubKey) {
                $Object = [ordered] @{
                    PSComputerName = $ComputerName
                    PSConnection   = $PSConnection
                    PSError        = $false
                    PSErrorMessage = $null
                    PSSubKeys      = $SubKey.GetSubKeyNames()
                    PSPath         = $Registry.Registry
                $Keys = $SubKey.GetValueNames()
                foreach ($K in $Keys) {
                    if ($K -eq "") {
                        if ($Advanced) {
                            $Object['DefaultKey'] = [ordered] @{
                                Value = if (-not $ExpandEnvironmentNames) {
                                    $SubKey.GetValue($K, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                                else {
                                Type  = $SubKey.GetValueKind($K)
                        else {
                            $Object['DefaultKey'] = $SubKey.GetValue($K)
                    else {
                        if ($Advanced) {
                            $Object[$K] = [ordered] @{
                                Value = if (-not $ExpandEnvironmentNames) {
                                    $SubKey.GetValue($K, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                                else {
                                Type  = $SubKey.GetValueKind($K)
                        else {
                            $Object[$K] = if (-not $ExpandEnvironmentNames) {
                                $SubKey.GetValue($K, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                            else {
                [PSCustomObject] $Object
            else {
                [PSCustomObject] @{
                    PSComputerName = $ComputerName
                    PSConnection   = $PSConnection
                    PSError        = $true
                    PSErrorMessage = "Registry path $($Registry.Registry) doesn't exists."
                    PSSubKeys      = $null
                    PSPath         = $Registry.Registry
        catch {
            [PSCustomObject] @{
                PSComputerName = $ComputerName
                PSConnection   = $PSConnection
                PSError        = $true
                PSErrorMessage = $_.Exception.Message
                PSSubKeys      = $null
                PSPath         = $Registry.Registry
    if ($null -ne $SubKey) {
    if ($null -ne $BaseHive) {
function Get-PSSubRegistryTranslated { 
        [Array] $RegistryPath,
        [System.Collections.IDictionary] $HiveDictionary,
        [string] $Key
    foreach ($Registry in $RegistryPath) {

        if ($Registry -is [string]) {
            $Registry = $Registry.Replace("\\", "\").Replace("\\", "\").TrimStart("\").TrimEnd("\")
            $FirstPartSplit = $Registry -split "\\"
            $FirstPart = $FirstPartSplit[0]
        else {
            $Registry.RegistryPath = $Registry.RegistryPath.Replace("\\", "\").Replace("\\", "\").TrimStart("\").TrimEnd("\")
            $FirstPartSplit = $Registry.RegistryPath -split "\\"
            $FirstPart = $FirstPartSplit[0]

        foreach ($Hive in $HiveDictionary.Keys) {
            if ($Registry -is [string] -and $FirstPart -eq $Hive) {

                if ($Hive.Length -eq $Registry.Length) {
                    [ordered] @{
                        Registry     = $Registry
                        HiveKey      = $HiveDictionary[$Hive]
                        SubKeyName   = $null
                        Key          = if ($Key -eq "") {
                        else {
                        Error        = $null
                        ErrorMessage = $null
                else {
                    [ordered] @{
                        Registry     = $Registry
                        HiveKey      = $HiveDictionary[$Hive]
                        SubKeyName   = $Registry.substring($Hive.Length + 1)
                        Key          = if ($Key -eq "") {
                        else {
                        Error        = $null
                        ErrorMessage = $null
            elseif ($Registry -isnot [string] -and $FirstPart -eq $Hive) {

                if ($Hive.Length -eq $Registry.RegistryPath.Length) {
                    [ordered] @{
                        ComputerName = $Registry.ComputerName
                        Registry     = $Registry.RegistryPath
                        HiveKey      = $HiveDictionary[$Hive]
                        SubKeyName   = $null
                        Key          = if ($Key -eq "") {
                        else {
                        Error        = $Registry.Error
                        ErrorMessage = $Registry.ErrorMessage
                else {
                    [ordered] @{
                        ComputerName = $Registry.ComputerName
                        Registry     = $Registry.RegistryPath
                        HiveKey      = $HiveDictionary[$Hive]
                        SubKeyName   = $Registry.RegistryPath.substring($Hive.Length + 1)
                        Key          = if ($Key -eq "") {
                        else {
                        Error        = $Registry.Error
                        ErrorMessage = $Registry.ErrorMessage
function Resolve-PrivateRegistry { 
        [alias('Path')][string[]] $RegistryPath
    foreach ($R in $RegistryPath) {

        $R = $R.Replace("\\", "\").Replace("\\", "\")

        If ($R.StartsWith("Users\.DEFAULT_USER") -or $R.StartsWith('HKEY_USERS\.DEFAULT_USER')) {
            $R = $R.Replace("Users\.DEFAULT_USER", "HKUD")
            $R.Replace('HKEY_USERS\.DEFAULT_USER', "HKUD")
        elseif ($R -like '*:*') {
            $Found = $false

            foreach ($DictionaryKey in $Script:Dictionary.Keys) {
                $SplitParts = $R.Split("\")
                $FirstPart = $SplitParts[0]
                if ($FirstPart -eq $DictionaryKey) {
                    $R -replace $DictionaryKey, $Script:Dictionary[$DictionaryKey]
                    $Found = $true

            if (-not $Found) {
                $R.Replace(":", "")
        else {

function Select-Properties { 
    Allows for easy selecting property names from one or multiple objects
    Allows for easy selecting property names from one or multiple objects. This is especially useful with using AllProperties parameter where we want to make sure to get all properties from all objects.
    .PARAMETER Objects
    One or more objects
    .PARAMETER Property
    Properties to include
    .PARAMETER ExcludeProperty
    Properties to exclude
    .PARAMETER AllProperties
    All unique properties from all objects
    .PARAMETER PropertyNameReplacement
    Default property name when object has no properties
    $Object1 = [PSCustomobject] @{
        Name1 = '1'
        Name2 = '3'
        Name3 = '5'
    $Object2 = [PSCustomobject] @{
        Name4 = '2'
        Name5 = '6'
        Name6 = '7'
    Select-Properties -Objects $Object1, $Object2 -AllProperties
    $Object1, $Object2 | Select-Properties -AllProperties -ExcludeProperty Name6 -Property Name3
    $Object3 = [Ordered] @{
        Name1 = '1'
        Name2 = '3'
        Name3 = '5'
    $Object4 = [Ordered] @{
        Name4 = '2'
        Name5 = '6'
        Name6 = '7'
    Select-Properties -Objects $Object3, $Object4 -AllProperties
    $Object3, $Object4 | Select-Properties -AllProperties
    General notes

        [Array][Parameter(Position = 0, ValueFromPipeline, ValueFromPipelineByPropertyName)] $Objects,
        [string[]] $Property,
        [string[]] $ExcludeProperty,
        [switch] $AllProperties,
        [string] $PropertyNameReplacement = '*'
    Begin {
        function Select-Unique {
                [System.Collections.IList] $Object
            [Array] $CleanedList = foreach ($O in $Object) {
                if ($null -ne $O) {
            $New = $CleanedList.ToLower() | Select-Object -Unique
            $Selected = foreach ($_ in $New) {
                $Index = $Object.ToLower().IndexOf($_)
                if ($Index -ne -1) {
        $ObjectsList = [System.Collections.Generic.List[Object]]::new()
    Process {
        foreach ($Object in $Objects) {
    End {
        if ($ObjectsList.Count -eq 0) {
            Write-Warning 'Select-Properties - Unable to process. Objects count equals 0.'
        if ($ObjectsList[0] -is [System.Collections.IDictionary]) {
            if ($AllProperties) {
                [Array] $All = foreach ($_ in $ObjectsList) {

                $FirstObjectProperties = Select-Unique -Object $All
            else {
                $FirstObjectProperties = $ObjectsList[0].Keys
            if ($Property.Count -gt 0 -and $ExcludeProperty.Count -gt 0) {

                $FirstObjectProperties = foreach ($_ in $FirstObjectProperties) {
                    if ($Property -contains $_ -and $ExcludeProperty -notcontains $_) {
            elseif ($Property.Count -gt 0) {

                $FirstObjectProperties = foreach ($_ in $FirstObjectProperties) {
                    if ($Property -contains $_) {
            elseif ($ExcludeProperty.Count -gt 0) {

                $FirstObjectProperties = foreach ($_ in $FirstObjectProperties) {
                    if ($ExcludeProperty -notcontains $_) {
        elseif ($ObjectsList[0].GetType().Name -match 'bool|byte|char|datetime|decimal|double|ExcelHyperLink|float|int|long|sbyte|short|string|timespan|uint|ulong|URI|ushort') {
            $FirstObjectProperties = $PropertyNameReplacement
        else {
            if ($Property.Count -gt 0 -and $ExcludeProperty.Count -gt 0) {
                $ObjectsList = $ObjectsList | Select-Object -Property $Property -ExcludeProperty $ExcludeProperty
            elseif ($Property.Count -gt 0) {
                $ObjectsList = $ObjectsList | Select-Object -Property $Property 
            elseif ($ExcludeProperty.Count -gt 0) {
                $ObjectsList = $ObjectsList | Select-Object -Property '*' -ExcludeProperty $ExcludeProperty
            if ($AllProperties) {
                [Array] $All = foreach ($_ in $ObjectsList) {
                    $ListProperties = $_.PSObject.Properties.Name
                    if ($null -ne $ListProperties) {

                $FirstObjectProperties = Select-Unique -Object $All
            else {
                $FirstObjectProperties = $ObjectsList[0].PSObject.Properties.Name
function Unregister-MountedRegistry { 

    if ($null -ne $Script:DefaultRegistryMounted) {
        Write-Verbose -Message "Unregister-MountedRegistry - Dismounting HKEY_USERS\.DEFAULT_USER"
        $null = Dismount-PSRegistryPath -MountPoint "HKEY_USERS\.DEFAULT_USER"
        $Script:DefaultRegistryMounted = $null
    if ($null -ne $Script:OfflineRegistryMounted) {
        foreach ($Key in $Script:OfflineRegistryMounted.Keys) {
            if ($Script:OfflineRegistryMounted[$Key].Status -eq $true) {
                Write-Verbose -Message "Unregister-MountedRegistry - Dismounting HKEY_USERS\$Key"
                $null = Dismount-PSRegistryPath -MountPoint "HKEY_USERS\$Key"
        $Script:OfflineRegistryMounted = $null
function ConvertTo-HkeyUser { 
        [System.Collections.IDictionary] $HiveDictionary,
        [Array] $SubKeys,
        [string] $DictionaryKey,
        [string] $RegistryPath
    $OutputRegistryKeys = foreach ($Sub in $Subkeys) {
        if ($HiveDictionary[$DictionaryKey] -eq 'All') {
            if ($Sub -notlike "*_Classes*" -and $Sub -ne '.DEFAULT') {
                $RegistryPath.Replace($DictionaryKey, "Users\$Sub")
        elseif ($HiveDictionary[$DictionaryKey] -eq 'All+Default') {
            if ($Sub -notlike "*_Classes*") {
                if (-not $Script:DefaultRegistryMounted) {
                    $Script:DefaultRegistryMounted = Mount-DefaultRegistryPath
                if ($Sub -eq '.DEFAULT') {
                    $RegistryPath.Replace($DictionaryKey, "Users\.DEFAULT_USER")
                else {
                    $RegistryPath.Replace($DictionaryKey, "Users\$Sub")
        elseif ($HiveDictionary[$DictionaryKey] -eq 'Default') {
            if ($Sub -eq '.DEFAULT') {
                if (-not $Script:DefaultRegistryMounted) {
                    $Script:DefaultRegistryMounted = Mount-DefaultRegistryPath
                $RegistryPath.Replace($DictionaryKey, "Users\.DEFAULT_USER")
        elseif ($HiveDictionary[$DictionaryKey] -eq 'AllDomain+Default') {
            if (($Sub.StartsWith("S-1-5-21") -and $Sub -notlike "*_Classes*") -or $Sub -eq '.DEFAULT') {
                if (-not $Script:DefaultRegistryMounted) {
                    $Script:DefaultRegistryMounted = Mount-DefaultRegistryPath
                if ($Sub -eq '.DEFAULT') {
                    $RegistryPath.Replace($DictionaryKey, "Users\.DEFAULT_USER")
                else {
                    $RegistryPath.Replace($DictionaryKey, "Users\$Sub")
        elseif ($HiveDictionary[$DictionaryKey] -eq 'AllDomain+Other') {
            if (($Sub.StartsWith("S-1-5-21") -and $Sub -notlike "*_Classes*")) {
                if (-not $Script:OfflineRegistryMounted) {
                    $Script:OfflineRegistryMounted = Mount-AllRegistryPath
                    foreach ($Key in $Script:OfflineRegistryMounted.Keys) {
                        $RegistryPath.Replace($DictionaryKey, "Users\$Key")
                $RegistryPath.Replace($DictionaryKey, "Users\$Sub")
        elseif ($HiveDictionary[$DictionaryKey] -eq 'AllDomain+Other+Default') {
            if (($Sub.StartsWith("S-1-5-21") -and $Sub -notlike "*_Classes*") -or $Sub -eq '.DEFAULT') {
                if (-not $Script:DefaultRegistryMounted) {
                    $Script:DefaultRegistryMounted = Mount-DefaultRegistryPath
                if (-not $Script:OfflineRegistryMounted) {
                    $Script:OfflineRegistryMounted = Mount-AllRegistryPath
                    foreach ($Key in $Script:OfflineRegistryMounted.Keys) {
                        $RegistryPath.Replace($DictionaryKey, "Users\$Key")
                if ($Sub -eq '.DEFAULT') {
                    $RegistryPath.Replace($DictionaryKey, "Users\.DEFAULT_USER")
                else {
                    $RegistryPath.Replace($DictionaryKey, "Users\$Sub")
        elseif ($HiveDictionary[$DictionaryKey] -eq 'AllDomain') {
            if ($Sub.StartsWith("S-1-5-21") -and $Sub -notlike "*_Classes*") {
                $RegistryPath.Replace($DictionaryKey, "Users\$Sub")
        elseif ($HiveDictionary[$DictionaryKey] -eq 'Users') {
            if ($Sub -like "Offline_*") {
                $Script:OfflineRegistryMounted = Mount-AllRegistryPath -MountUsers $Sub
                foreach ($Key in $Script:OfflineRegistryMounted.Keys) {
                    if ($Script:OfflineRegistryMounted[$Key].Status -eq $true) {
    $OutputRegistryKeys | Sort-Object -Unique
function Dismount-PSRegistryPath { 
        [Parameter(Mandatory)][string] $MountPoint,
        [switch] $Suppress


    $pinfo = [System.Diagnostics.ProcessStartInfo]::new()
    $pinfo.FileName = "reg.exe"
    $pinfo.RedirectStandardError = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.UseShellExecute = $false
    $pinfo.Arguments = " unload $MountPoint"
    $pinfo.CreateNoWindow = $true
    $pinfo.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden
    $p = [System.Diagnostics.Process]::new()
    $p.StartInfo = $pinfo
    $p.Start() | Out-Null
    $Output = $p.StandardOutput.ReadToEnd()
    $Errors = $p.StandardError.ReadToEnd()

    if ($Errors) {
        if ($PSBoundParameters.ErrorAction -eq 'Stop') {
            throw $Errors
        else {
            Write-Warning -Message "Dismount-PSRegistryPath - Couldn't unmount $MountPoint. $Errors"
    else {
        if ($Output -like "*operation completed*") {
            if (-not $Suppress) {
                return $true
    if (-not $Suppress) {
        return $false
function Mount-AllRegistryPath { 
        [string] $MountPoint = "HKEY_USERS\",
        [string] $MountUsers
    $AllProfiles = Get-OfflineRegistryProfilesPath
    foreach ($Profile in $AllProfiles.Keys) {
        if ($MountUsers) {
            if ($MountUsers -ne $Profile) {
        $WhereMount = "$MountPoint\$Profile".Replace("\\", "\")
        Write-Verbose -Message "Mount-OfflineRegistryPath - Mounting $WhereMount to $($AllProfiles[$Profile].FilePath)"
        $AllProfiles[$Profile].Status = Mount-PSRegistryPath -MountPoint $WhereMount -FilePath $AllProfiles[$Profile].FilePath
function Mount-DefaultRegistryPath { 
        [string] $MountPoint = "HKEY_USERS\.DEFAULT_USER"
    $DefaultRegistryPath = Get-PSRegistry -RegistryPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' -Key 'Default' -ExpandEnvironmentNames -DoNotUnmount
    if ($PSError -ne $true) {
        $PathToNTUser = [io.path]::Combine($DefaultRegistryPath.PSValue, 'NTUSER.DAT')
        Write-Verbose -Message "Mount-DefaultRegistryPath - Mounting $MountPoint to $PathToNTUser"
        Mount-PSRegistryPath -MountPoint $MountPoint -FilePath $PathToNTUser
    else {
        if ($PSBoundParameters.ErrorAction -eq 'Stop') {
            throw $PSErrorMessage
        else {
            Write-Warning -Message "Mount-DefaultRegistryPath - Couldn't execute. Error: $PSErrorMessage"
function Get-OfflineRegistryProfilesPath { 
    Short description
    Long description
    Name Value
    ---- -----
    Przemek {[FilePath, C:\Users\Przemek\NTUSER.DAT], [Status, ]}
    test.1 {[FilePath, C:\Users\test.1\NTUSER.DAT], [Status, ]}


    $Profiles = [ordered] @{}
    $CurrentMapping = (Get-PSRegistry -RegistryPath 'HKEY_USERS' -ExpandEnvironmentNames -DoNotUnmount).PSSubKeys
    $UsersInSystem = (Get-PSRegistry -RegistryPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' -ExpandEnvironmentNames -DoNotUnmount).PSSubKeys
    $MissingProfiles = foreach ($Profile in $UsersInSystem) {
        if ($Profile.StartsWith("S-1-5-21") -and $CurrentMapping -notcontains $Profile) {
            Get-PSRegistry -RegistryPath "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Profile" -ExpandEnvironmentNames -DoNotUnmount
    foreach ($Profile in $MissingProfiles) {
        $PathToNTUser = [io.path]::Combine($Profile.ProfileImagePath, 'NTUSER.DAT')
        $ProfileName = [io.path]::GetFileName($Profile.ProfileImagePath)
        $StartPath = "Offline_$ProfileName"
        try {
            $PathExists = Test-Path -LiteralPath $PathToNTUser -ErrorAction Stop
            if ($PathExists) {
                $Profiles[$StartPath] = [ordered] @{
                    FilePath = $PathToNTUser
                    Status   = $null
        catch {
            Write-Warning -Message "Mount-OfflineRegistryPath - Couldn't execute. Error: $($_.Exception.Message)"
function Mount-PSRegistryPath { 
    Short description
    Long description
    .PARAMETER MountPoint
    Parameter description
    .PARAMETER FilePath
    Parameter description
    Mount-PSRegistryPath -MountPoint 'HKEY_USERS\.DEFAULT_USER111' -FilePath 'C:\Users\Default\NTUSER.DAT'
    General notes

        [Parameter(Mandatory)][string] $MountPoint,
        [Parameter(Mandatory)][string] $FilePath

    $pinfo = [System.Diagnostics.ProcessStartInfo]::new()
    $pinfo.FileName = "reg.exe"
    $pinfo.RedirectStandardError = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.UseShellExecute = $false
    $pinfo.Arguments = " load $MountPoint $FilePath"
    $pinfo.CreateNoWindow = $true
    $pinfo.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden
    $p = [System.Diagnostics.Process]::new()
    $p.StartInfo = $pinfo
    $p.Start() | Out-Null
    $Output = $p.StandardOutput.ReadToEnd()
    $Errors = $p.StandardError.ReadToEnd()
    if ($Errors) {
        if ($PSBoundParameters.ErrorAction -eq 'Stop') {
            throw $Errors
        else {
            Write-Warning -Message "Mount-PSRegistryPath - Couldn't mount $MountPoint. $Errors"
    else {
        if ($Output -like "*operation completed*") {
            if (-not $Suppress) {
                return $true
    if (-not $Suppress) {
        return $false
$ComputersUnsupported = @{
    Name   = 'DomainComputersUnsupported'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "Computers Unsupported"
        Data           = {
            $Computers = Get-ADComputer -Filter { (Get-operatingsystem -like "*xp*") -or (Get-operatingsystem -like "*vista*") -or (Get-operatingsystem -like "*Windows NT*") -or (Get-operatingsystem -like "*2000*") -or (Get-operatingsystem -like "*2003*") } -Property Name, OperatingSystem, OperatingSystemServicePack, lastlogontimestamp -Server $Domain
            $Computers | Select-Object Name, OperatingSystem, OperatingSystemServicePack, @{name = "lastlogontimestamp"; expression = { [datetime]::fromfiletime($_.lastlogontimestamp) } }
        Details        = [ordered] @{
            Area        = 'Cleanup'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = 'Computers running an unsupported operating system.'
            Resolution  = 'Upgrade or remove computers from Domain.'
            Resources   = @(

        ExpectedOutput = $false
$ComputersUnsupportedMainstream = @{
    Name   = 'DomainComputersUnsupportedMainstream'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "Computers Unsupported Mainstream Only"
        Data           = {
            $Computers = Get-ADComputer -Filter { (Get-operatingsystem -like "*2008*") } -Property Name, OperatingSystem, OperatingSystemServicePack, lastlogontimestamp -Server $Domain
            $Computers | Select-Object Name, OperatingSystem, OperatingSystemServicePack, @{name = "lastlogontimestamp"; expression = { [datetime]::fromfiletime($_.lastlogontimestamp) } }
        Details        = [ordered] @{
            Area        = 'Cleanup'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = 'Computers running an unsupported operating system, but with possibly Microsoft support.'
            Resolution  = 'Consider upgrading computers running Windows Server 2008 or Windows Server 2008 R2 to a version that still offers mainstream support from Microsoft.'
            Resources   = @(

        ExpectedOutput = $false
$DHCPAuthorized = @{
    Name   = 'DomainDHCPAuthorized'
    Enable = $false
    Scope  = 'Domain'
    Source = @{
        Name           = "DHCP authorized in domain"
        Data           = {
            #$DomainInformation = Get-ADDomain -Identity 'ad.evotec.pl'
            $SearchBase = 'cn=configuration,{0}' -f $DomainInformation.DistinguishedName
            Get-ADObject -SearchBase $searchBase -Filter "objectclass -eq 'dhcpclass' -AND Name -ne 'dhcproot'" #| select name
        Requirements   = @{
           IsDomainRoot = $true
        Details        = [ordered] @{
            Area        = 'Configuration'
            Category    = 'DHCP'
            Severity    = ''
            Importance  = 0
            Description = ""
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        DHCPAuthorized = @{
            Enable     = $true
            Name       = 'At least 1 DHCP Server Authorized'
            Parameters = @{
                ExpectedCount = '1'
                OperationType = 'ge'

$DNSForwaders = @{
    Name   = 'DomainDNSForwaders'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "DNS Forwarders"
        Data           = {
            [Array] $Forwarders = Get-WinDnsServerForwarder -Forest $ForestName -Domain $Domain -WarningAction SilentlyContinue
            if ($Forwarders.Count -gt 1) {
                $Comparision = Compare-MultipleObjects -Objects $Forwarders -FormatOutput -CompareSorted:$true -ExcludeProperty GatheredFrom -SkipProperties -Property 'IpAddress' -WarningAction SilentlyContinue
                [PSCustomObject] @{
                    Source = $Comparision.Source -join ', '
                    Status = $Comparision.Status
            } elseif ($Forwarders.Count -eq 0) {
                [PSCustomObject] @{
                    # This code takes care of no forwarders
                    Source = 'No forwarders set'
                    Status = $false
            } else {
                # This code takes care of only 1 server within a domain. If there is 1 server available (as others may be dead/unavailable at the time it assumes Pass)
                [PSCustomObject] @{
                    Source = $Forwarders[0].IPAddress -join ', '
                    Status = $true
        Details        = [ordered] @{
            Area        = 'Configuration'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        SameForwarders = @{
            Enable      = $true
            Name        = 'Same DNS Forwarders'
            Parameters  = @{
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Source'
            Description = 'DNS forwarders within one domain should have identical setup'
$DNSScavengingForPrimaryDNSServer = @{
    Name   = 'DomainDNSScavengingForPrimaryDNSServer'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "DNS Scavenging - Primary DNS Server"
        Data           = {
            Get-WinDnsServerScavenging -Forest $ForestName -IncludeDomains $Domain
        Details        = [ordered] @{
            Area        = ''
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        ScavengingCount      = @{
            Enable      = $true
            Name        = 'Scavenging DNS Servers Count'
            Parameters  = @{
                WhereObject   = { $null -ne $_.ScavengingInterval -and $_.ScavengingInterval -ne 0 }
                ExpectedCount = 1
                OperationType = 'eq'
            Description = 'Scavenging Count should be 1. There should be 1 DNS server per domain responsible for scavenging. If this returns false, every other test fails.'
        ScavengingInterval   = @{
            Enable     = $true
            Name       = 'Scavenging Interval'
            Parameters = @{
                WhereObject   = { $null -ne $_.ScavengingInterval -and $_.ScavengingInterval -ne 0 }
                Property      = 'ScavengingInterval', 'Days'
                ExpectedValue = 7
                OperationType = 'le'
        'Scavenging State'   = @{
            Enable                 = $true
            Name                   = 'Scavenging State'
            Parameters             = @{
                WhereObject   = { $null -ne $_.ScavengingInterval -and $_.ScavengingInterval -ne 0 }
                Property      = 'ScavengingState'
                ExpectedValue = $true
                OperationType = 'eq'
            Description            = 'Scavenging State is responsible for enablement of scavenging for all new zones created.'
            RecommendedValue       = $true
            DescriptionRecommended = 'It should be enabled so all new zones are subject to scavanging.'
            DefaultValue           = $false
        'Last Scavenge Time' = @{
            Enable     = $true
            Name       = 'Last Scavenge Time'
            Parameters = @{
                WhereObject   = { $null -ne $_.ScavengingInterval -and $_.ScavengingInterval -ne 0 }
                # this date should be the same as in Scavending Interval
                Property      = 'LastScavengeTime'
                # we need to use string which will be converted to ScriptBlock later on due to configuration export to JSON
                ExpectedValue = '(Get-Date).AddDays(-7)'
                OperationType = 'gt'
$DnsZonesAging = @{
    Name   = 'DomainDnsZonesAging'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "Aging primary DNS Zone"
        Data           = {
            Get-WinDnsServerZones -Forest $ForestName -ZoneName $Domain -IncludeDomains $Domain
        Details        = [ordered] @{
            Area        = ''
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        EnabledAgingEnabledAndIdentical = @{
            Enable      = $true
            Name        = 'Zone DNS aging should be identical on all DCs'
            Parameters  = @{
                WhereObject   = { $_.AgingEnabled -eq $false }
                ExpectedCount = 0
            Description = 'Primary DNS zone should have aging enabled, on all DNS servers.'
$DNSZonesDomain0ADEL = @{
    Name   = 'DomainDNSZonesDomain0ADEL'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "DomainDNSZones should have proper FSMO Owner (0ADEL)"
        Data           = {
            #$DomainController = 'ad.evotec.pl'
            #$DomainInformation = Get-ADDomain -Server $DomainController
            $IdentityDomain = "CN=Infrastructure,DC=DomainDnsZones,$(($DomainInformation).DistinguishedName)"
            $FSMORoleOwner = (Get-ADObject -Identity $IdentityDomain -Properties fSMORoleOwner -Server $Domain)
        Details        = [ordered] @{
            Area        = 'Configuration'
            Category    = 'DNS'
            Severity    = ''
            Importance  = 0
            Description = ""
            Resolution  = ''
            Resources   = @(
        ExpectedOutput = $true
    Tests  = [ordered] @{
        DNSZonesDomain0ADEL = @{
            Enable     = $true
            Name       = 'DomainDNSZones should have proper FSMO Owner (0ADEL)'
            Parameters = @{
                ExpectedValue = '0ADEL:'
                Property      = 'fSMORoleOwner'
                OperationType = 'notmatch'
$DNSZonesForest0ADEL = @{
    Name   = 'DomainDNSZonesForest0ADEL'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "ForestDNSZones should have proper FSMO Owner (0ADEL)"
        Data           = {
            #$DomainController = 'ad.evotec.xyz'
            #$DomainInformation = Get-ADDomain -Server $DomainController
            $IdentityForest = "CN=Infrastructure,DC=ForestDnsZones,$(($DomainInformation).DistinguishedName)"
            $FSMORoleOwner = (Get-ADObject -Identity $IdentityForest -Properties fSMORoleOwner -Server $Domain)
        Requirements   = @{
            IsDomainRoot = $true
        Details        = [ordered] @{
            Area        = 'Configuration'
            Category    = 'DNS'
            Severity    = ''
            Importance  = 0
            Description = ""
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        DNSZonesForest0ADEL = @{
            Enable     = $true
            Name       = 'ForestDNSZones should have proper FSMO Owner (0ADEL)'
            Parameters = @{
                ExpectedValue = '0ADEL:'
                Property      = 'fSMORoleOwner'
                OperationType = 'notmatch'

$DomainDomainControllers = @{
    Name            = 'DomainDomainControllers'
    Enable          = $true
    Scope           = 'Domain'
    Source          = @{
        Name           = "Domain Controller Objects"
        Data           = {
            Get-WinADForestControllerInformation -Forest $ForestName -Domain $Domain
        Requirements   = @{}
        Details        = [ordered] @{
            Category    = 'Cleanup', 'Security'
            Importance  = 0
            ActionType  = 0
            Description = "Following test verifies Domain Controller status in Active Directory. It verifies critical aspects of Domain Controler such as Domain Controller Owner and Domain Controller Manager. It also checks if Domain Controller is enabled, ip address matches dns ip address, verifies whether LastLogonDate and LastPasswordDate are within thresholds. Those additional checks are there to find dead or offline DCs that could potentially impact Active Directory functionality. "
            Resources   = @(
                '[Domain member: Maximum machine account password age](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age)'
                '[Machine Account Password Process](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/machine-account-password-process/ba-p/396026)'
                '[How to Configure DNS on a Domain Controller with Two IP Addresses](https://petri.com/configure-dns-on-domain-controller-two-ip-addresses)'
                '[USN rollback](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/detect-and-recover-from-usn-rollback)'
                '[Active Directory Replication Overview & USN Rollback: What It Is & How It Happens](https://adsecurity.org/?p=515)'
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests           = [ordered] @{
        Enabled              = @{
            Enable     = $true
            Name       = 'DC object should be enabled'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.Enabled -ne $true }
            Details    = [ordered] @{
                Category    = 'Cleanup'
                Importance  = 0
                ActionType  = 0
                StatusTrue  = 1
                StatusFalse = 3

        OwnerType            = @{
            Enable     = $true
            Name       = 'DC OwnerType should be Administrative'
            Parameters = @{
                #ExpectedValue = 'Administrative'
                #Property = 'OwnerType'
                #OperationType = 'eq'
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.OwnerType -ne 'Administrative' }
            Details    = [ordered] @{
                Category    = 'Security'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
        ManagedBy            = @{
            Enable     = $true
            Name       = 'DC field ManagedBy should be empty'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.ManagerNotSet -ne $true }
            Details    = [ordered] @{
                Category    = 'Security'
                Importance  = 3
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 2
        DNSStatus            = @{
            Enable     = $true
            Name       = 'DNS should return IP Address for DC'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.DNSStatus -ne $true }
            Details    = [ordered] @{
                Category    = 'Cleanup'
                Importance  = 0
                ActionType  = 0
                StatusTrue  = 1
                StatusFalse = 2
        IPAddressStatusV4    = @{
            Enable     = $true
            Name       = 'DNS returned IPAddressV4 should match AD'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.IPAddressStatusV4 -ne $true }
            Details    = [ordered] @{
                Category    = 'Cleanup'
                Importance  = 0
                ActionType  = 0
                StatusTrue  = 1
                StatusFalse = 2
        IPAddressStatusV6    = @{
            Enable     = $true
            Name       = 'DNS returned IPAddressV6 should match AD'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.IPAddressStatusV6 -ne $true }
            Details    = [ordered] @{
                Category    = 'Cleanup'
                Importance  = 0
                ActionType  = 0
                StatusTrue  = 1
                StatusFalse = 2
        IPAddressSingleV4    = @{
            Enable     = $true
            Name       = 'There should be single IPv4 address set'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.IPAddressHasOneIpV4 -ne $true }
            Details    = [ordered] @{
                Category    = 'Cleanup'
                Importance  = 0
                ActionType  = 1
                StatusTrue  = 1
                StatusFalse = 2
        IPAddressSingleV6    = @{
            Enable     = $true
            Name       = 'There should be single IPv6 address set'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.IPAddressHasOneipV6 -ne $true }
            Details    = [ordered] @{
                Category    = 'Cleanup'
                Importance  = 0
                ActionType  = 1
                StatusTrue  = 1
                StatusFalse = 2
        PasswordNotRequired  = @{
            Enable     = $true
            Name       = "PasswordNotRequired shouldn't be set"
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.PasswordNotRequired -ne $false }
            Details    = [ordered] @{
                Category    = 'Security', 'Cleanup'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
        PasswordNeverExpires = @{
            Enable     = $true
            Name       = "PasswordNeverExpires shouldn't be set"
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.PasswordNeverExpires -ne $false }
            Details    = [ordered] @{
                Category    = 'Security', 'Cleanup'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
        PasswordLastChange   = @{
            Enable     = $true
            Name       = 'DC Password Change Less Than X days'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.PasswordLastChangedDays -ge 60 }
            Details    = [ordered] @{
                Category    = 'Cleanup'
                Importance  = 1
                ActionType  = 1
                StatusTrue  = 1
                StatusFalse = 4
        LastLogonDays        = @{
            Enable     = $true
            Name       = 'DC Last Logon Less Than X days'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.LastLogonDays -ge 15 }
            Details    = [ordered] @{
                Category    = 'Cleanup'
                Importance  = 1
                ActionType  = 1
                StatusTrue  = 1
                StatusFalse = 4
    DataInformation = {
        New-HTMLText -Text 'Explanation to table columns:' -FontSize 10pt
        New-HTMLList {
            New-HTMLListItem -FontWeight bold, normal -Text "Enabled", " - means Domain Controller is enabled. If it's disabled it should be removed using proper cleanup method and according to company operation procedures. "
            New-HTMLListItem -FontWeight bold, normal -Text "DNSStatus", " - means Domain Controller IP address is available in DNS. If it's not registrered this means DC may not be functioning properly. "
            New-HTMLListItem -FontWeight bold, normal -Text "IPAddressStatusV4", " - means Domain Controller IP matches the one returned by DNS for IPV4. "
            New-HTMLListItem -FontWeight bold, normal -Text "IPAddressStatusV6", " - means Domain Controller IP matches the one returned by DNS for IPV6. "
            New-HTMLListItem -FontWeight bold, normal -Text "IPAddressHasOneIpV4", " - means Domain Controller has only one 1 IPV4 ipaddress (or not set at all). If it has more than 1 it's bad. "
            New-HTMLListItem -FontWeight bold, normal -Text "IPAddressHasOneipV6", " - means Domain Controller has only one 1 IPV6 ipaddress (or not set at all). If it has more than 1 it's bad. "
            New-HTMLListItem -FontWeight bold, normal -Text "ManagerNotSet", " - means ManagedBy property is not set (as required). If it's set it's bad. "
            New-HTMLListItem -FontWeight bold, normal -Text "OwnerType", " - means Domain Controller Owner is of certain type. Required type is Administrative. If it's different that means there's security risk involved. "
            New-HTMLListItem -FontWeight bold, normal -Text "PasswordNotRequired", " - should not be set. If it's set it can affect replication and security of Domain Controller. "
            New-HTMLListItem -FontWeight bold, normal -Text "PasswordLastChangedDays", " - displays last password change by Domain Controller. If it's more than 60 days it usually means DC is down or otherwise affected. "
            New-HTMLListItem -FontWeight bold, normal -Text "LastLogonDays", " - display last logon days of DC. If it's more than 15 days it usually means DC is down or otherwise affected. "
        } -FontSize 10pt
    DataHighlights  = {
        New-HTMLTableCondition -Name 'Enabled' -ComparisonType string -BackgroundColor Salmon -Value $false
        New-HTMLTableCondition -Name 'Enabled' -ComparisonType string -BackgroundColor PaleGreen -Value $true
        New-HTMLTableCondition -Name 'DNSStatus' -ComparisonType string -BackgroundColor Salmon -Value $false
        New-HTMLTableCondition -Name 'DNSStatus' -ComparisonType string -BackgroundColor PaleGreen -Value $true
        New-HTMLTableCondition -Name 'ManagerNotSet' -ComparisonType string -BackgroundColor Salmon -Value $false
        New-HTMLTableCondition -Name 'ManagerNotSet' -ComparisonType string -BackgroundColor PaleGreen -Value $true
        New-HTMLTableCondition -Name 'IPAddressStatusV4' -ComparisonType string -BackgroundColor Salmon -Value $false
        New-HTMLTableCondition -Name 'IPAddressStatusV4' -ComparisonType string -BackgroundColor PaleGreen -Value $true
        New-HTMLTableCondition -Name 'IPAddressStatusV6' -ComparisonType string -BackgroundColor Salmon -Value $false
        New-HTMLTableCondition -Name 'IPAddressStatusV6' -ComparisonType string -BackgroundColor PaleGreen -Value $true
        New-HTMLTableCondition -Name 'IPAddressHasOneIpV4' -ComparisonType string -BackgroundColor Salmon -Value $false
        New-HTMLTableCondition -Name 'IPAddressHasOneIpV4' -ComparisonType string -BackgroundColor PaleGreen -Value $true
        New-HTMLTableCondition -Name 'IPAddressHasOneipV6' -ComparisonType string -BackgroundColor Salmon -Value $false
        New-HTMLTableCondition -Name 'IPAddressHasOneipV6' -ComparisonType string -BackgroundColor PaleGreen -Value $true
        New-HTMLTableCondition -Name 'OwnerType' -ComparisonType string -BackgroundColor Salmon -Value 'Administrative' -Operator ne
        New-HTMLTableCondition -Name 'OwnerType' -ComparisonType string -BackgroundColor PaleGreen -Value 'Administrative' -Operator eq
        New-HTMLTableCondition -Name 'ManagedBy' -ComparisonType string -Color Salmon -Value '' -Operator ne
        New-HTMLTableCondition -Name 'PasswordNotRequired' -ComparisonType string -BackgroundColor PaleGreen -Value $false -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'PasswordNeverExpires' -ComparisonType string -BackgroundColor PaleGreen -Value $false -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'PasswordLastChangedDays' -ComparisonType number -BackgroundColor PaleGreen -Value 40 -Operator le
        New-HTMLTableCondition -Name 'PasswordLastChangedDays' -ComparisonType number -BackgroundColor OrangePeel -Value 41 -Operator ge
        New-HTMLTableCondition -Name 'PasswordLastChangedDays' -ComparisonType number -BackgroundColor Crimson -Value 60 -Operator ge
        New-HTMLTableCondition -Name 'LastLogonDays' -ComparisonType number -BackgroundColor PaleGreen -Value 15 -Operator lt
        New-HTMLTableCondition -Name 'LastLogonDays' -ComparisonType number -BackgroundColor OrangePeel -Value 15 -Operator ge
        New-HTMLTableCondition -Name 'LastLogonDays' -ComparisonType number -BackgroundColor Crimson -Value 30 -Operator ge
    Solution        = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                #New-HTMLText -Text 'Following steps will guide you how to fix permissions consistency'
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Prepare environment' {
                        New-HTMLText -Text "To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery."
                        New-HTMLCodeBlock -Code {
                            Install-Module ADEssentials -Force
                            Import-Module ADEssentials -Force
                        } -Style powershell
                        New-HTMLText -Text "Using force makes sure newest version is downloaded from PowerShellGallery regardless of what is currently installed. Once installed you're ready for next step."
                    New-HTMLWizardStep -Name 'Prepare report' {
                        New-HTMLText -Text "Depending when this report was run you may want to prepare new report before proceeding fixing permissions inconsistencies. To generate new report please use:"
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoBefore.DomainDomainControllers.html -Type DomainDomainControllers
                        New-HTMLText -Text @(
                            "When executed it will take a while to generate all data and provide you with new report depending on size of environment."
                            "Once confirmed that data is still showing issues and requires fixing please proceed with next step."
                        New-HTMLText -Text "Alternatively if you prefer working with console you can run: "
                        New-HTMLCodeBlock -Code {
                            $Output = Get-WinADForestControllerInformation -IncludeDomains 'TargetDomain'
                            $Output | Format-Table # do your actions as desired
                        New-HTMLText -Text "It provides same data as you see in table above just doesn't prettify it for you."
                    New-HTMLWizardStep -Name 'Fix Domain Controller Owner' {
                        New-HTMLText -Text @(
                            "Domain Controller Owner should always be set to Domain Admins. "
                            "When non Domain Admin adds computer to domain that later on gets promoted to Domain Controller that person becomes the owner of the AD object. "
                            "This is very dangerous and requires fixing. "
                            "Following command when executed fixes domain controller owner. "
                            "It makes sure each DC is owned by Domain Admins. "
                            "If it's owned by Domain Admins already it will be skipped. "
                            "Make sure when running it for the first time to run it with ", "WhatIf", " parameter as shown below to prevent accidental overwrite."
                        ) -FontWeight normal, normal, normal, normal, normal, normal, normal, bold, normal -Color Black, Black, Black, Black, Black, Black, Black, Red, Black
                        New-HTMLText -Text "Make sure to fill in TargetDomain to match your Domain Admin permission account"

                        New-HTMLCodeBlock -Code {
                            Repair-WinADForestControllerInformation -Verbose -LimitProcessing 3 -Type Owner -IncludeDomains "TargetDomain" -WhatIf
                        New-HTMLText -TextBlock {
                            "After execution please make sure there are no errors, make sure to review provided output, and confirm that what is about to be fixed matches expected data. Once happy with results please follow with command: "
                        New-HTMLCodeBlock -Code {
                            Repair-WinADForestControllerInformation -Verbose -LimitProcessing 3 -Type Owner -IncludeDomains "TargetDomain"
                        New-HTMLText -TextBlock {
                            "This command when executed repairs only first X domain controller owners. Use LimitProcessing parameter to prevent mass fixing and increase the counter when no errors occur. "
                            "Repeat step above as much as needed increasing LimitProcessing count till there's nothing left. In case of any issues please review and action accordingly. "
                    New-HTMLWizardStep -Name 'Fix Domain Controller Manager' {
                        New-HTMLText -Text @(
                            "Domain Controller Manager should not be set. "
                            "There's no reason for anyone outside of Domain Admins group to be manager of Domain Controller object. "
                            "Since Domain Admins are by design Owners of Domain Controller object ManagedBy field should not be set. "
                            "Following command fixes this by clearing ManagedBy field. "
                        New-HTMLCodeBlock -Code {
                            Repair-WinADForestControllerInformation -Verbose -LimitProcessing 3 -Type Manager -IncludeDomains "TargetDomain" -WhatIf
                        New-HTMLText -TextBlock {
                            "After execution please make sure there are no errors, make sure to review provided output, and confirm that what is about to be fixed matches expected data. Once happy with results please follow with command: "
                        New-HTMLCodeBlock -Code {
                            Repair-WinADForestControllerInformation -Verbose -LimitProcessing 3 -Type Manager -IncludeDomains "TargetDomain"
                        New-HTMLText -TextBlock {
                            "This command when executed repairs only first X domain controller managers. Use LimitProcessing parameter to prevent mass fixing and increase the counter when no errors occur. "
                            "Repeat step above as much as needed increasing LimitProcessing count till there's nothing left. In case of any issues please review and action accordingly. "
                    New-HTMLWizardStep -Name 'Remaining Problems' {
                        New-HTMLText -Text @(
                            "If there are any Domain Controllers that are disabled, or last logon date or last password set are above thresholds those should be investigated if those are still up and running. "
                            "In Active Directory based domains, each device has an account and password. "
                            "By default, the domain members submit a password change every 30 days. "
                            "If last password change is above threshold that means DC may already be offline. "
                            "If last logon date is above threshold that also means DC may already be offline. "
                            "Bringing back DC to life after longer downtime period can cause serious issues when done improperly. "
                            "Please investigate and decide with other Domain Admins how to deal with dead/offline DC. "
                        New-HTMLText -LineBreak
                        New-HTMLText -Text @(
                            "Additionally DNS should return IP Address of DC when asked, and it should be the same IP Address as the one stored in Active Directory. "
                            "If those do not match or IP Address is not set/returned it needs investigation why is it so. "
                            "It's possible the DC is down/dead and should be safely removed from Active Directory to prevent potential issues. "
                            "Alternatively it's possible there are some network issues with it. "
                    New-HTMLWizardStep -Name 'Verification report' {
                        New-HTMLText -TextBlock {
                            "Once cleanup task was executed properly, we need to verify that report now shows no problems."
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoAfter.DomainDomainControllers.html -Type DomainDomainControllers
                        New-HTMLText -Text "If everything is healthy in the report you're done! Enjoy rest of the day!" -Color BlueDiamond
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$DomainFSMORoles = @{
    Name   = 'DomainRoles'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = 'Domain Roles Availability'
        Data           = {
            Test-ADRolesAvailability -Domain $Domain
        Details        = [ordered] @{
            Area        = ''
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        PDCEmulator          = @{
            Enable     = $true
            Name       = 'PDC Emulator Availability'
            Parameters = @{
                ExpectedValue         = $true
                Property              = 'PDCEmulatorAvailability'
                OperationType         = 'eq'
                PropertyExtendedValue = 'PDCEmulator'
        RIDMaster            = @{
            Enable     = $true
            Name       = 'RID Master Availability'
            Parameters = @{
                ExpectedValue         = $true
                Property              = 'RIDMasterAvailability'
                OperationType         = 'eq'
                PropertyExtendedValue = 'RIDMaster'
        InfrastructureMaster = @{
            Enable     = $true
            Name       = 'Infrastructure Master Availability'
            Parameters = @{
                ExpectedValue         = $true
                Property              = 'InfrastructureMasterAvailability'
                OperationType         = 'eq'
                PropertyExtendedValue = 'InfrastructureMaster'
$DomainLDAP = @{
    Name            = 'DomainLDAP'
    Enable          = $true
    Scope           = 'Domain'
    Source          = @{
        Name           = 'LDAP Connectivity'
        Data           = {
            Test-LDAP -Forest $ForestName -IncludeDomains $Domain -SkipRODC:$SkipRODC -WarningAction SilentlyContinue -VerifyCertificate
        Details        = [ordered] @{
            Category    = 'Health'
            Description = 'Domain Controllers require certain ports to be open, and serving proper certificate for SSL connectivity. '
            Importance  = 0
            ActionType  = 0
            Resources   = @(
                "[Testing LDAP and LDAPS connectivity with PowerShell](https://evotec.xyz/testing-ldap-and-ldaps-connectivity-with-powershell/)"
                "[2020 LDAP channel binding and LDAP signing requirements for Windows](https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a)"
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests           = [ordered] @{
        PortLDAP                 = @{
            Enable     = $true
            Name       = 'LDAP Port is Available'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.LDAP -eq $false }
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 3
        PortLDAPS                = @{
            Enable     = $true
            Name       = 'LDAP SSL Port is Available'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.LDAPS -eq $false }
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
        PortLDAP_GC              = @{
            Enable     = $true
            Name       = 'LDAP GC Port is Available'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.GlobalCatalogLDAP -eq $false }
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
        PortLDAPS_GC             = @{
            Enable     = $true
            Name       = 'LDAP SSL GC Port is Available'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.GlobalCatalogLDAPS -eq $false }
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
        BindLDAPS                = @{
            Enable     = $true
            Name       = 'LDAP SSL Bind available'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.LDAPSBind -eq $false }
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
        BindLDAPS_GC             = @{
            Enable     = $true
            Name       = 'LDAP SSL GC Bind is Available'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.GlobalCatalogLDAPSBind -eq $false }
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
        X509NotBeforeDays        = @{
            Enable     = $true
            Name       = 'Not Before Days should be less/equal 0'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.X509NotBeforeDays -gt 0 }
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
        X509NotAfterDaysWarning  = @{
            Enable     = $true
            Name       = 'Not After Days should be more than 10 days'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.X509NotAfterDays -lt 10 }
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 1
                StatusTrue  = 1
                StatusFalse = 4
        X509NotAfterDaysCritical = @{
            Enable     = $true
            Name       = 'Not After Days should be more than 0 days'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.X509NotAfterDays -lt 0 }
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                'Domain Controllers require certain ports for LDAP connectivity to be open, and serving proper certificate for SSL connectivity. '
                'Following ports are required to be available: '
            New-HTMLList {
                New-HTMLListItem -Text 'LDAP port 389'
                New-HTMLListItem -Text 'LDAP SSL port 636'
                New-HTMLListItem -Text 'LDAP Global Catalog port 3268'
                New-HTMLListItem -Text 'LDAP Global Catalog SLL port 3269'
            New-HTMLText -Text @(
                "If any/all of those ports are unavailable for any of the Domain Controllers "
                "it means that either DC is not available from location it's getting tested from ("
                ") or those ports are down, or DC doesn't have a proper certificate installed. "
                "Please make sure to verify Domain Controllers that are reporting errors and talk to network team if required to make sure "
                "proper ports are open thru firewall. "
            ) -Color None, None, BilobaFlower, None, None, None
    DataHighlights  = {
        New-HTMLTableCondition -Name 'GlobalCatalogLDAP' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq
        New-HTMLTableCondition -Name 'GlobalCatalogLDAP' -ComparisonType string -BackgroundColor Salmon -Value $false -Operator eq
        New-HTMLTableCondition -Name 'GlobalCatalogLDAPS' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq
        New-HTMLTableCondition -Name 'GlobalCatalogLDAPS' -ComparisonType string -BackgroundColor Salmon -Value $false -Operator eq
        New-HTMLTableCondition -Name 'GlobalCatalogLDAPSBind' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq
        New-HTMLTableCondition -Name 'GlobalCatalogLDAPSBind' -ComparisonType string -BackgroundColor Salmon -Value $false -Operator eq
        New-HTMLTableCondition -Name 'LDAP' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq
        New-HTMLTableCondition -Name 'LDAP' -ComparisonType string -BackgroundColor Salmon -Value $false -Operator eq
        New-HTMLTableCondition -Name 'LDAPS' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq
        New-HTMLTableCondition -Name 'LDAPS' -ComparisonType string -BackgroundColor Salmon -Value $false -Operator eq
        New-HTMLTableCondition -Name 'LDAPSBind' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq
        New-HTMLTableCondition -Name 'LDAPSBind' -ComparisonType string -BackgroundColor Salmon -Value $false -Operator eq
        New-HTMLTableCondition -Name 'X509NotBeforeDays' -ComparisonType number -BackgroundColor PaleGreen -Value 0 -Operator le
        New-HTMLTableCondition -Name 'X509NotBeforeDays' -ComparisonType number -BackgroundColor Salmon -Value 0 -Operator gt
        New-HTMLTableCondition -Name 'X509NotAfterDays' -ComparisonType number -BackgroundColor PaleGreen -Value 0 -Operator gt
        New-HTMLTableCondition -Name 'X509NotAfterDays' -ComparisonType number -BackgroundColor Salmon -Value 0 -Operator lt
$DuplicateObjects = @{
    Name           = 'DomainDuplicateObjects'
    Enable         = $true
    Scope          = 'Domain'
    Source         = @{
        Name           = "Duplicate Objects: 0ACNF (Duplicate RDN)"
        <# Alternative: dsquery * forestroot -gc -attr distinguishedName -scope subtree -filter "(|(cn=*\0ACNF:*)(ou=*OACNF:*))" #>
        Data           = {
            Get-WinADDuplicateObject -IncludeDomains $Domain
        Details        = [ordered] @{
            Category    = 'Cleanup'
            Description = "When two objects are created with the same Relative Distinguished Name (RDN) in the same parent Organizational Unit or container, the conflict is recognized by the system when one of the new objects replicates to another domain controller. When this happens, one of the objects is renamed. Some sources say the RDN is mangled to make it unique. The new RDN will be <Old RDN>\0ACNF:<objectGUID>"
            Importance  = 5
            ActionType  = 2
            Resources   = @(
            StatusTrue  = 1
            StatusFalse = 2
        ExpectedOutput = $false
    DataHighlights = {

    Solution       = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Prepare environment' {
                        New-HTMLText -Text "To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery."
                        New-HTMLCodeBlock -Code {
                            Install-Module ADEssentials -Force
                            Import-Module ADEssentials -Force
                        } -Style powershell
                        New-HTMLText -Text "Using force makes sure newest version is downloaded from PowerShellGallery regardless of what is currently installed. Once installed you're ready for next step."
                    New-HTMLWizardStep -Name 'Prepare report' {
                        New-HTMLText -Text "Depending when this report was run you may want to prepare new report before proceeding fixing permissions inconsistencies. To generate new report please use:"
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoBefore.DomainDuplicateObjects.html -Type DomainDuplicateObjects
                        New-HTMLText -Text @(
                            "When executed it will take a while to generate all data and provide you with new report depending on size of environment."
                            "Once confirmed that data is still showing issues and requires fixing please proceed with next step."
                        New-HTMLText -Text "Alternatively if you prefer working with console you can run: "
                        New-HTMLCodeBlock -Code {
                            $Output = Get-WinADDuplicateObject -IncludeDomains 'TargetDomain'
                            $Output | Format-Table # do your actions as desired
                        New-HTMLText -Text "It provides same data as you see in table above just doesn't prettify it for you."
                    New-HTMLWizardStep -Name 'Remove Domain Duplicate Objects' {
                        New-HTMLText -Text @(
                            "CNF objects, Conflict objects or Duplicate Objects are created in Active Directory when there is simultaneous creation of an AD object under the same container "
                            "on two separate Domain Controllers near about the same time or before the replication occurs. "
                            "This results in a conflict and the same is exhibited by a CNF (Duplicate) object. "
                            "While it doesn't nessecary has a huge impact on Active Directory it's important to keep Active Directory in proper, healthy state. "
                        ) -FontWeight normal, normal, normal, normal, normal, normal, normal, bold, normal -Color Black, Black, Black, Black, Black, Black, Black, Red, Black
                        New-HTMLText -Text "Make sure to fill in TargetDomain to match your Domain Admin permission account"

                        New-HTMLCodeBlock -Code {
                            Remove-WinADDuplicateObject -Verbose -LimitProcessing 1 -IncludeDomains "TargetDomain" -WhatIf
                        New-HTMLText -TextBlock {
                            "After execution please make sure there are no errors, make sure to review provided output, and confirm that what is about to be fixed matches expected data. Once happy with results please follow with command: "
                        New-HTMLCodeBlock -Code {
                            Remove-WinADDuplicateObject -Verbose -LimitProcessing 1 -IncludeDomains "TargetDomain"
                        New-HTMLText -TextBlock {
                            "This command when executed removes only first X duplicate/CNF objects. Use LimitProcessing parameter to prevent mass remove and increase the counter when no errors occur. "
                            "Repeat step above as much as needed increasing LimitProcessing count till there's nothing left. In case of any issues please review and action accordingly. "
                    New-HTMLWizardStep -Name 'Verification report' {
                        New-HTMLText -TextBlock {
                            "Once cleanup task was executed properly, we need to verify that report now shows no problems."
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoAfter.DomainDuplicateObjects.html -Type DomainDuplicateObjects
                        New-HTMLText -Text "If everything is healthy in the report you're done! Enjoy rest of the day!" -Color BlueDiamond
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$ExchangeUsers = @{
    Name   = 'DomainExchangeUsers'
    Enable = $false
    Scope  = 'Domain'
    Source = @{
        Name           = "Exchange Users: Missing MailNickName"
        Data           = {
            Get-ADUser -Filter { Mail -like '*' -and MailNickName -notlike '*' } -Properties mailNickName, mail -Server $Domain
        Details        = [ordered] @{
            Area        = ''
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $false
$GroupPolicyAssessment = @{
    Name           = 'DomainGroupPolicyAssessment'
    Enable         = $true
    Scope          = 'Domain'
    Source         = @{
        Name           = "Group Policy Assessment"
        Data           = {
            Get-GPOZaurr -Forest $ForestName -IncludeDomains $Domain
        Implementation = {

        Details        = [ordered] @{
            Area        = 'Cleanup'
            Category    = 'Group Policy'
            Severity    = ''
            Importance  = 0
            Description = ""
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests          = [ordered] @{
        Empty           = @{
            Enable     = $true
            Name       = 'Group Policy Empty'
            Parameters = @{
                #Bundle = $true
                WhereObject   = { $_.Empty -eq $true }
                ExpectedCount = 0
        Linked          = @{
            Enable     = $true
            Name       = 'Group Policy Unlinked'
            Parameters = @{
                #Bundle = $true
                WhereObject   = { $_.Linked -eq $false }
                ExpectedCount = 0
        Enabled         = @{
            Enable     = $true
            Name       = 'Group Policy Disabled'
            Parameters = @{
                #Bundle = $true
                WhereObject   = { $_.Enabled -eq $false }
                ExpectedCount = 0
        Problem         = @{
            Enable     = $true
            Name       = 'Group Policy with Problem'
            Parameters = @{
                #Bundle = $true
                WhereObject   = { $_.Problem -eq $true }
                ExpectedCount = 0
        Optimized       = @{
            Enable     = $true
            Name       = 'Group Policy Not Optimized'
            Parameters = @{
                #Bundle = $true
                WhereObject   = { $_.Optimized -eq $false }
                ExpectedCount = 0
        ApplyPermission = @{
            Enable     = $true
            Name       = 'Group Policy No Apply Permission'
            Parameters = @{
                # Bundle = $true
                WhereObject   = { $_.ApplyPermissioon -eq $false }
                ExpectedCount = 0
    DataHighlights = {
        New-HTMLTableCondition -Name 'Empty' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'Linked' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'Enabled' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'Optimized' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'Problem' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'ApplyPermission' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
$GroupPolicyADM = @{
    Name   = 'DomainGroupPolicyADM'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = 'Group Policy Legacy ADM Files'
        Data           = {
            Get-GPOZaurrLegacyFiles -Forest $ForestName -IncludeDomains $Domain
        Implementation = {
            Remove-GPOZaurrLegacyFiles -Verbose -WhatIf
        Details        = [ordered] @{
            Area        = 'Cleanup'
            Category    = 'Group Policy'
            Severity    = ''
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(
        ExpectedOutput = $false
$GroupPolicyOwner = @{
    Name   = 'DomainGroupPolicyOwner'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "GPO: Owner"
        Data           = {
            Get-GPOZaurrOwner -Forest $ForestName -IncludeSysvol -IncludeDomains $Domain
        Details        = [ordered] @{
            Area        = 'Security'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = ""
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        OwnerConsistent     = @{
            Enable     = $true
            Name       = 'GPO: Owner Consistent'
            Parameters = @{
                WhereObject    = { $_.IsOwnerConsistent -ne $true }
                ExpectedResult = $false # this tests things in bundle rather then per object of array

        OwnerAdministrative = @{
            Enable     = $true
            Name       = 'GPO: Owner Administrative'
            Parameters = @{
                WhereObject    = { $_.OwnerType -ne 'Administrative' -or $_.SysvolType -ne 'Administrative' }
                ExpectedResult = $false # this tests things in bundle rather then per object of array
ExpectedCount = 0,1,2,3 and so on
ExpectedValue = [object]
ExpectedResult = $true # just checks if there is result or there is not

$GroupPolicyPermissions = @{
    Name   = 'DomainGroupPolicyPermissions'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "Group Policy Required Permissions"
        Data           = {
            Get-GPOZaurrPermissionAnalysis -Forest $ForestName -Domain $Domain
        Details        = [ordered] @{
            Area        = 'Security'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = "Group Policy permissions should always have Authenticated Users and Domain Computers gropup"
            Resolution  = 'Do not remove Authenticated Users, Domain Computers from Group Policies.'
            Resources   = @(
        ExpectedOutput = $true
    Tests  = [ordered] @{
        Administrative     = @{
            Enable     = $true
            Name       = 'GPO: Administrative Permissions'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.Administrative -eq $false }

        AuthenticatedUsers = @{
            Enable     = $true
            Name       = 'GPO: Authenticated Permissions'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.AuthenticatedUsers -eq $false }
        System             = @{
            Enable     = $true
            Name       = 'GPO: System Permissions'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.System -eq $false }
        Unknown            = @{
            Enable     = $true
            Name       = 'GPO: Unknown Permissions'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.Unknown -eq $true }
    <# Another way to do the same thing as above
    Tests = [ordered] @{
        Administrative = @{
            Enable = $true
            Name = 'GPO: Administrative Permissions'
            Parameters = @{
                Bundle = $true
                Property = 'Administrative'
                ExpectedValue = $false
                OperationType = 'notcontains'
                DisplayResult = $false
        AuthenticatedUsers = @{
            Enable = $true
            Name = 'GPO: Authenticated Permissions'
            Parameters = @{
                Bundle = $true
                Property = 'AuthenticatedUsers'
                ExpectedValue = $false
                OperationType = 'notcontains'
                DisplayResult = $false
        System = @{
            Enable = $true
            Name = 'GPO: System Permissions'
            Parameters = @{
                Bundle = $true
                Property = 'System'
                ExpectedValue = $false
                OperationType = 'notcontains'
                DisplayResult = $false
        Unknown = @{
            Enable = $true
            Name = 'GPO: Unknown Permissions'
            Parameters = @{
                Bundle = $true
                Property = 'Unknown'
                ExpectedValue = $false
                OperationType = 'notcontains'
                DisplayResult = $false


$GroupPolicyPermissionConsistency = @{
    Name   = 'DomainGroupPolicyPermissionConsistency'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "GPO: Permission Consistency"
        Data           = {
            Get-GPOZaurrPermissionConsistency -Forest $ForestName -VerifyInheritance -Type Inconsistent -IncludeDomains $Domain
        Details        = [ordered] @{
            Area        = 'Security'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = "GPO Permissions are stored in Active Directory and SYSVOL at the same time. Setting up permissions for GPO should replicate itself to SYSVOL and those permissions should be consistent. However, sometimes this doesn't happen or is done on purpose."
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $false
$GroupPolicySysvol = @{
    Name   = 'DomainGroupPolicySysvol'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "GPO: Sysvol folder existance"
        Data           = {
            Get-GPOZaurrSysvol -Forest $ForestName -IncludeDomains $Domain
        Details        = [ordered] @{
            Area        = 'Security'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = "GPO Permissions are stored in Active Directory and SYSVOL at the same time. Sometimes when deleting GPO or due to replication issues GPO becomes orphaned (no SYSVOL files) or SYSVOL files exists but no GPO."
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        SysvolExists = @{
            Enable     = $true
            Name       = 'GPO: Files on SYSVOL are not Orphaned'
            Parameters = @{
                WhereObject    = { $_.SysvolStatus -ne 'Exists' -or $_.Status -ne 'Exists' }
                ExpectedResult = $false # this tests things in bundle rather then per object of array

$MachineQuota = @{
    Name            = 'DomainMachineQuota'
    Enable          = $true
    Scope           = 'Domain'
    Source          = @{
        Name           = "Machine Quota: Gathering ms-DS-MachineAccountQuota"
        Data           = {
            Get-ADObject -Identity ((Get-ADDomain -Identity $Domain).distinguishedname) -Properties 'ms-DS-MachineAccountQuota' -Server $Domain | Select-Object DistinguishedName, Name, ObjectClass, ObjectGUID, ms-DS-MachineAccountQuota
        Details        = [ordered] @{
            Category    = 'Security'
            Importance  = 0
            Description = "By default, In the Microsoft Active Directory, members of the authenticated user group can join up to 10 computer accounts in the domain. This value is defined in the attribute ms-DS-MachineAccountQuota on the domain-DNS object for a domain."
            Resources   = @(
                "[MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings](https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/)"
                "[How to change the attribute ms-DS-MachineAccountQuota](https://www.jorgebernhardt.com/how-to-change-attribute-ms-ds-machineaccountquota/)"
                "[Default limit to number of workstations a user can join to the domain](https://docs.microsoft.com/pl-PL/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain)"
            Tags        = 'Security', 'Configuration'
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests           = [ordered] @{
        MachineQuotaIsZero = @{
            Enable     = $true
            Name       = 'Machine Quota: Should be set to 0'
            Parameters = @{
                ExpectedValue = 0
                Property      = 'ms-DS-MachineAccountQuota'
                OperationType = 'eq'
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                "By default, In the Microsoft Active Directory, members of the authenticated user group can join up to 10 computer accounts in the domain. "
                "This value is defined in the attribute "
                " on the domain-DNS object for a domain. "
                "This value should always be ",
                " and permissions to add computers to domain should be managed on Active Directory Delegation level."
            ) -FontWeight normal, normal, bold, normal
    DataHighlights  = {
        New-HTMLTableCondition -Name 'ms-DS-MachineAccountQuota' -ComparisonType number -BackgroundColor PaleGreen -Value 0 -Operator eq
        New-HTMLTableCondition -Name 'ms-DS-MachineAccountQuota' -ComparisonType number -BackgroundColor Salmon -Value 0 -Operator gt
    Solution        = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizard {
                        New-HTMLWizardStep -Name 'Gather information about ms-DS-MachineAccountQuota' {
                            New-HTMLText -Text @(
                                "ms-DS-MachineAccountQuota "
                                "should always be set to 0 to prevent any users adding computers to domain. This is security risk and should be fixed for all domains in a forest!"
                                "To make sure you can easily revert this setting if something goes wrong you should first get this information before doing any changes."
                            ) -FontWeight bold, normal
                            New-HTMLCodeBlock {
                                Get-ADObject -Identity ((Get-ADDomain -Identity $Domain).distinguishedname) -Properties 'ms-DS-MachineAccountQuota' -Server $Domain
                    } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
                    New-HTMLWizardStep -Name 'Fix ms-DS-MachineAccountQuota' {
                        New-HTMLText -Text @(
                            "ms-DS-MachineAccountQuota "
                            "should always be set to 0 to prevent any users adding computers to domain. This is security risk and should be fixed for all domains in a forest!"
                            "This can be done using following cmdlet. Please make sure to use WhatIf to verify what will change."
                        ) -FontWeight bold, normal
                        New-HTMLCodeBlock {
                            Set-ADDomain -Identity $Domain -Replace @{"ms-DS-MachineAccountQuota" = "0" } -WhatIf
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$NetLogonOwner = @{
    Name   = 'DomainNetLogonOwner'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "NetLogon Owner"
        Data           = {
            Get-GPOZaurrNetLogon -Forest $ForestName -OwnerOnly -IncludeDomains $Domain
        Implementation = {

        Details        = [ordered] @{
            Area        = 'Cleanup'
            Category    = 'SYSVOL'
            Severity    = ''
            Importance  = 6
            Description = ""
            Resolution  = ''
            Resources   = @(

            Tags        = 'netlogon', 'grouppolicy', 'gpo', 'sysvol'
        ExpectedOutput = $null
    Tests  = [ordered] @{
        Empty = @{
            Enable     = $true
            Name       = 'Owner should be BUILTIN\Administrators'
            Parameters = @{
                #Bundle = $true
                WhereObject    = { $_.OwnerSid -ne 'S-1-5-32-544' }
                ExpectedCount  = 0
                ExpectedOutput = $true
$OrganizationalUnitsEmpty = @{
    Name   = 'DomainOrganizationalUnitsEmpty'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "Organizational Units: Orphaned/Empty"
        Data           = {
            <# We should replace it with better alternative
            ([adsisearcher]'(objectcategory=organizationalunit)').FindAll() | Where-Object {
            -not (-join $_.GetDirectoryEntry().psbase.children) }

            $OrganizationalUnits = Get-ADOrganizationalUnit -Filter * -Properties distinguishedname -Server $Domain | Select-Object -ExpandProperty distinguishedname
            $WellKnownContainers = Get-ADDomain | Select-Object *Container

            $AllUsedOU = Get-ADObject -Filter "ObjectClass -eq 'user' -or ObjectClass -eq 'computer' -or ObjectClass -eq 'group' -or ObjectClass -eq 'contact'" -Server $Domain | `
                Where-Object { ($_.DistinguishedName -notlike '*LostAndFound*') -and ($_.DistinguishedName -match 'OU=(.*)') } | `
                ForEach-Object { $matches[0] } | `
                Select-Object -Unique

            $OrganizationalUnits | Where-Object { ($AllUsedOU -notcontains $_) -and -not (Get-ADOrganizationalUnit -Filter * -SearchBase $_ -SearchScope 1 -Server $Domain) -and (($_ -notlike $WellKnownContainers.UsersContainer) -or ($_ -notlike $WellKnownContainers.ComputersContainer)) }
        Details        = [ordered] @{
            Category    = 'Configuration'
            Importance  = 3
            ActionType  = 1
            Description = ''
            Resolution  = ''
            Resources   = @(
                "[Active Directory Friday: Find empty Organizational Unit](https://www.jaapbrasser.com/active-directory-friday-find-empty-organizational-unit/)"
            StatusTrue  = 1
            StatusFalse = 2
        ExpectedOutput = $false
$OrganizationalUnitsProtected = @{
    Name   = 'DomainOrganizationalUnitsProtected'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "Organizational Units: Protected"
        Data           = {
            $OUs = Get-ADOrganizationalUnit -Properties ProtectedFromAccidentalDeletion, CanonicalName -Filter * -Server $Domain
            $FilteredOus = foreach ($OU in $OUs) {
                if ($OU.ProtectedFromAccidentalDeletion -eq $false) {
            $FilteredOus | Select-Object -Property Name, CanonicalName, DistinguishedName, ProtectedFromAccidentalDeletion
        Details        = [ordered] @{
            Area        = 'Cleanup'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $false
$OrphanedForeignSecurityPrincipals = @{
    Name     = 'DomainOrphanedForeignSecurityPrincipals'
    Enable   = $true
    Scope    = 'Domain'
    Source   = @{
        Name           = "Orphaned Foreign Security Principals"
        Data           = {
            $AllFSP = Get-WinADUsersForeignSecurityPrincipalList -Domain $Domain
            $OrphanedObjects = $AllFSP | Where-Object { $_.TranslatedName -eq $null }
        Details        = [ordered] @{
            Category    = 'Cleanup'
            Importance  = 0
            ActionType  = 0
            Description = 'An FSP is an Active Directory (AD) security principal that points to a security principal (a user, computer, or group) from a domain of another forest. AD automatically and transparently creates them in a domain the first time after adding a security principal from another forest to a group from that domain. AD creates FSPs in a domain the first time after adding a security principal of a domain from another forest to a group. And when someone removes the security principal the FSP is pointing to, the FSP becomes an orphan because it points to a non-existent security principal.'
            Resolution  = ''
            Resources   = @(
                '[Clean up orphaned Foreign Security Principals](https://4sysops.com/archives/clean-up-orphaned-foreign-security-principals/)'
                '[Foreign Security Principals and Well-Known SIDS, a.k.a. the curly red arrow problem](https://docs.microsoft.com/en-us/archive/blogs/389thoughts/foreign-security-principals-and-well-known-sids-a-k-a-the-curly-red-arrow-problem)'
                '[Active Directory: Foreign Security Principals and Special Identities](https://social.technet.microsoft.com/wiki/contents/articles/51367.active-directory-foreign-security-principals-and-special-identities.aspx)'
                '[Find orphaned foreign security principals and remove them from groups](https://serverfault.com/questions/320840/find-orphaned-foreign-security-principals-and-remove-them-from-groups)'
            StatusTrue  = 1
            StatusFalse = 3
        ExpectedOutput = $false
    Solution = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                #New-HTMLText -Text 'Following steps will guide you how to fix permissions consistency'
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Prepare environment' {
                        New-HTMLText -Text "To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery."
                        New-HTMLCodeBlock -Code {
                            Install-Module ADEssentials -Force
                            Import-Module ADEssentials -Force
                        } -Style powershell
                        New-HTMLText -Text "Using force makes sure newest version is downloaded from PowerShellGallery regardless of what is currently installed. Once installed you're ready for next step."

                    New-HTMLWizardStep -Name 'Prepare report' {
                        New-HTMLText -Text "Depending when this report was run you may want to prepare new report before proceeding fixing permissions inconsistencies. To generate new report please use:"
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoBefore.DomainOrphanedForeignSecurityPrincipals.html -Type DomainOrphanedForeignSecurityPrincipals
                        New-HTMLText -Text @(
                            "When executed it will take a while to generate all data and provide you with new report depending on size of environment."
                            "Once confirmed that data is still showing issues and requires fixing please proceed with next step."
                        New-HTMLText -Text "Alternatively if you prefer working with console you can run: "
                        New-HTMLCodeBlock -Code {
                            $Output = Get-WinADUsersForeignSecurityPrincipalList -IncludeDomains 'TargetDomain'
                            $Output | Where-Object { $_.TranslatedName -eq $null } | Format-Table
                        New-HTMLText -Text "It provides same data as you see in table above just doesn't prettify it for you."
                    New-HTMLWizardStep -Name 'Verify Trusts' {
                        New-HTMLText -Text @(
                            "It's important before deleting any FSP that all trusts are working correctly. "
                            "If trusts are down, translation FSP objects doesn't happen and therefore it would look like that FSP or orphaned. "
                            "Please run following command "
                        New-HTMLCodeBlock -Code {
                            Show-WinADTrust -Online -Recursive -Verbose
                        New-HTMLText -Text @(
                            "Zero level trusts are required to be functional and responding. "
                            "First level and above are optional, but should be verified if that's expected before removing FSP objects. "
                    New-HTMLWizardStep -Name 'Remove Orphaned FSP Objects (manual)' {
                        New-HTMLText -Text @(
                            "You can find all FSPs in the Active Directory Users and Computers (ADUC) console in a container named ForeignSecurityPrincipals. "
                            "However, you must first enable Advanced Features in the console. Otherwise the container won't show anything."
                            "You can recognize orphan FSPs by empty readable names in the ADUC console. "
                            "However, there is a potential issue you need to be aware of. If, at the same time you are looking for orphaned FSPs, "
                            "there is a network connectivity issue between domain controllers and domain controllers from other trusted forests, "
                            "you won't be able to see the readable names. Thus the script and you will incorrectly deduce that they are orphans."
                            "When cleaning up, please consult other Domain Admins and confirm the trusts with other domains are working as required before proceeding."
                        ) -FontWeight normal, normal, normal, normal, normal, normal, normal, bold, normal -Color Black, Black, Black, Black, Black, Black, Black, Red, Black
                    New-HTMLWizardStep -Name 'Restore FSP object' {
                        New-HTMLText -Text @(
                            "If you've deleted FSP object by accident it's possible to restore such object from Active Directory Recycle Bin."
                    New-HTMLWizardStep -Name 'Verification report' {
                        New-HTMLText -TextBlock {
                            "Once cleanup task was executed properly, we need to verify that report now shows no problems."
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoAfter.DomainOrphanedForeignSecurityPrincipals.html -Type DomainOrphanedForeignSecurityPrincipals
                        New-HTMLText -Text "If everything is healthy in the report you're done! Enjoy rest of the day!" -Color BlueDiamond
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$PasswordComplexity = @{
    Name   = 'DomainPasswordComplexity'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = 'Password Complexity Requirements'
        Data           = {
            Get-ADDefaultDomainPasswordPolicy -Server $Domain
        Details        = [ordered] @{
            Area        = 'Security'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        ComplexityEnabled             = @{
            Enable     = $true
            Name       = 'Complexity Enabled'
            Details    = [ordered] @{
                Area        = ''
                Category    = ''
                Severity    = ''
                Importance  = 0
                Description = ''
                Resolution  = ''
                Resources   = @(

            Parameters = @{
                Property      = 'ComplexityEnabled'
                ExpectedValue = $true
                OperationType = 'eq'
        'LockoutDuration'             = @{
            Enable     = $true
            Name       = 'Lockout Duration'
            Parameters = @{
                Property      = 'LockoutDuration'
                ExpectedValue = 30
                OperationType = 'ge'
        'LockoutObservationWindow'    = @{
            Enable     = $true
            Name       = 'Lockout Observation Window'
            Parameters = @{
                #PropertyExtendedValue = 'LockoutObservationWindow'
                Property      = 'LockoutObservationWindow', 'TotalMinutes'
                ExpectedValue = 30
                OperationType = 'ge'
        'LockoutThreshold'            = @{
            Enable     = $true
            Name       = 'Lockout Threshold'
            Parameters = @{
                Property      = 'LockoutThreshold'
                ExpectedValue = 4
                OperationType = 'gt'
        'MaxPasswordAge'              = @{
            Enable     = $true
            Name       = 'Maximum Password Age'
            Parameters = @{
                Property      = 'MaxPasswordAge', 'TotalDays'
                ExpectedValue = 60
                OperationType = 'le'
        'MinPasswordLength'           = @{
            Enable     = $true
            Name       = 'Minimum Password Length'
            Parameters = @{
                Property      = 'MinPasswordLength'
                ExpectedValue = 8
                OperationType = 'gt'
        'MinPasswordAge'              = @{
            Enable     = $true
            Name       = 'Minimum Password Age'
            Parameters = @{
                #PropertyExtendedValue = 'MinPasswordAge', 'TotalDays'
                Property      = 'MinPasswordAge', 'TotalDays'
                ExpectedValue = 1
                OperationType = 'le'
        'PasswordHistoryCount'        = @{
            Enable     = $true
            Name       = 'Password History Count'
            Parameters = @{
                Property      = 'PasswordHistoryCount'
                ExpectedValue = 10
                OperationType = 'ge'
        'ReversibleEncryptionEnabled' = @{
            Enable     = $true
            Name       = 'Reversible Encryption Enabled'
            Parameters = @{
                Property      = 'ReversibleEncryptionEnabled'
                ExpectedValue = $false
                OperationType = 'eq'
$DomainSecurityComputers = @{
    Name            = 'DomainSecurityComputers'
    Enable          = $true
    Scope           = 'Domain'
    Source          = @{
        Name           = "Computers: Standard"
        Data           = {
            $Properties = @(
            Get-ADComputer -Filter { (PasswordNeverExpires -eq $true -or AllowReversiblePasswordEncryption -eq $true -or UseDESKeyOnly -eq $true -or (PrimaryGroupID -ne '515' -and PrimaryGroupID -ne '516' -and PrimaryGroupID -ne '521') -or PasswordNotRequired -eq $true) } -Properties $Properties -Server $Domain | Where-Object { $_.SamAccountName -ne 'AZUREADSSOACC$' } | Select-Object -Property $Properties
        Details        = [ordered] @{
            Category    = 'Security', 'Cleanup'
            Importance  = 0
            ActionType  = 0
            Description = 'Account by default have certain settings that make sure the account is fairly safe and can be used within Active Directory.'
            Resources   = @(
                '[Understanding and Remediating "PASSWD_NOTREQD](https://docs.microsoft.com/en-us/archive/blogs/russellt/passwd_notreqd)'
                '[Miscellaneous facts about computer passwords in Active Directory](https://blog.joeware.net/2012/09/12/2590/)'
                '[Domain member: Maximum machine account password age](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852252(v=ws.11)?redirectedfrom=MSDN)'
                '[Machine Account Password Process](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/machine-account-password-process/ba-p/396026)'
            StatusTrue  = 1
            StatusFalse = 0
        ExpectedOutput = $false
    Tests           = [ordered] @{
        KeberosDES                        = @{
            Enable      = $true
            Name        = 'Kerberos DES detection'
            Parameters  = @{
                WhereObject    = { $_.UseDESKeyOnly -eq $true }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = "Computer accounts shouldn't use DES encryption. Having UseDESKeyOnly forces the Kerberos encryption to be DES instead of RC4 which is the Microsoft default. DES is 56 bit encryption and is regarded as weak these days so this setting is not recommended."
        AllowReversiblePasswordEncryption = @{
            Enable      = $true
            Name        = 'Reversible Password detection'
            Parameters  = @{
                WhereObject    = { $_.AllowReversiblePasswordEncryption -eq $true }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = "Computer accounts shouldn't use Reversible Password Encryption. Having AllowReversiblePasswordEncryption allows for easy password decryption."
        PasswordNeverExpires              = @{
            Enable      = $true
            Name        = 'PasswordNeverExpires detection'
            Parameters  = @{
                WhereObject    = { $_.PasswordNeverExpires -eq $true }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = "Computer accounts shouldn't use PasswordNeverExpires. Having PasswordNeverExpires is dangerous and shoudn't be used."
        PasswordNotRequired               = @{
            Enable      = $true
            Name        = 'PasswordNotRequired detection'
            Parameters  = @{
                WhereObject    = { $_.PasswordNotRequired -eq $true }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = "Computer accounts shouldn't use PasswordNotRequired. Having PasswordNotRequired is dangerous and shoudn't be used."
        PrimaryGroup                      = @{
            Enable      = $true
            Name        = "Domain Computers or Domain Controllers or Read-Only Domain Controllers."
            Parameters  = @{
                #WhereObject = { $_.PrimaryGroupID -ne 513 -and $_.SID -ne "$((Get-ADDomain).DomainSID.Value)-501" }
                WhereObject    = { $_.PrimaryGroupID -notin 515, 516, 521 }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
            Description = "Computer accounts shouldn't have different group then Domain Computers or Domain Controllers or Read-Only Domain Controllers as their primary group."
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                "Account by default have certain settings that make sure the account is fairly safe and can be used within Active Directory. "
                "Those settings are: "
            New-HTMLList {
                New-HTMLListItem -Text "Password is always required"
                New-HTMLListItem -Text "Password is expiring"
                New-HTMLListItem -Text "Password is not reverisble"
                New-HTMLListItem -Text "Keberos Encryption is set to RC4"
                New-HTMLListItem -Text "Primary Group is always Domain Computers/Domain Cotrollers or Domain Read-Only Controllers"
            New-HTMLText -Text @(
                "It's important that all those settings are set as expected."
    DataHighlights  = {
        New-HTMLTableCondition -Name 'Enabled' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'PasswordNotRequired' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'PasswordNeverExpires' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'AllowReversiblePasswordEncryption' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'UseDESKeyOnly' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'PrimaryGroupID' -ComparisonType number -BackgroundColor PaleGreen -Value 515, 516, 521 -Operator in -FailBackgroundColor Salmon -HighlightHeaders 'PrimaryGroupID', 'PrimaryGroup'
        New-HTMLTableCondition -Name 'PasswordLastSet' -ComparisonType date -BackgroundColor PaleGreen -Value (Get-Date).AddDays(-180) -Operator gt -FailBackgroundColor Salmon -DateTimeFormat 'DD.MM.YYYY HH:mm:ss'
        New-HTMLTableCondition -Name 'LastLogonDate' -ComparisonType date -BackgroundColor PaleGreen -Value (Get-Date).AddDays(-180) -Operator gt -FailBackgroundColor Salmon -DateTimeFormat 'DD.MM.YYYY HH:mm:ss'
    DataInformation = {
        New-HTMLText -Text 'Explanation to table columns:' -FontSize 10pt
        New-HTMLList {
            New-HTMLListItem -FontWeight bold, normal -Text "PasswordNotRequired", " - means password is not required by the account. This should be investigated right away. "
            New-HTMLListItem -FontWeight bold, normal -Text "PasswordNeverExpires", " - means password is not required by the account. This should be investigated right away. "
            New-HTMLListItem -FontWeight bold, normal -Text "AllowReversiblePasswordEncryption", " - means the password is stored insecurely in Active Directory. Removing this flag is required. "
            New-HTMLListItem -FontWeight bold, normal -Text "UseDESKeyOnly", " - means the kerberos encryption is set to DES which is very weak. Removing flag is required. "
            New-HTMLListItem -FontWeight bold, normal -Text "PrimaryGroupID", " - if primary group ID is something else then 513 it means someone made a primary group change to something else than Domain Users. This should be fixed. "
        } -FontSize 10pt
$DomainSecurityDelegatedObjects = @{
    Name            = 'DomainSecurityDelegatedObjects'
    Enable          = $true
    Scope           = 'Domain'
    Source          = @{
        Name           = "Security: Delegated Objects"
        Data           = {
            Get-WinADDelegatedAccounts -Forest $ForestName -IncludeDomains $Domain
        Details        = [ordered] @{
            Category    = 'Security', 'Cleanup'
            Importance  = 0
            ActionType  = 0
            Description = ''
            Resources   = @(
                '[What is KERBEROS DELEGATION? An overview of kerberos delegation](https://stealthbits.com/blog/what-is-kerberos-delegation-an-overview-of-kerberos-delegation/)'
            StatusTrue  = 1
            StatusFalse = 0
        ExpectedOutput = $null
    Tests           = [ordered] @{
        FullDelegation = @{
            Enable      = $true
            Name        = 'There should be no full delegation'
            Parameters  = @{
                WhereObject    = { $_.FullDelegation -eq $true -and $_.IsDC -eq $false }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 9
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = ""
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                "There are a few flavors of Kerberos delegation since it has evolved over the years. The original implementation is unconstrained delegation, this was what existed in Windows Server 2000. Since then, more strict versions of delegation have come along. Constrained delegation, which was available in Windows Server 2003, and Resource-Based Constrained delegation which was made available in 2012, both have improved the security and implementation of Kerberos delegation. "
                "Those settings are: "
            New-HTMLList {
                New-HTMLListItem -Text "Unconstrained (Full) delegation ", " is most When a privileged account authenticates to a host with unconstrained delegation configured, you now can access any configured service within the domain as that privileged user. " -FontWeight bold, normal
                New-HTMLListItem -Text "Constrained delegation ", " takes it a step further by allowing you to configure which services an account can be delegated to. This, in theory, would limit the potential exposure if a compromise occurred." -FontWeight bold, normal
                New-HTMLListItem -Text "Resource-Based Constrained Delegation ", " changes how you can configure constrained delegation, and it will work across a trust. Instead of specifying which object can delegate to which service, the resource hosting the service specifies which objects can delegate to it. From an administrative standpoint, this allows the resource owner to control who can access it. " -FontWeight bold, normal
            New-HTMLText -Text @(
                "It's important that there are no objects with unconstrained delegation anywhere else than on Domain Controller objects."
    DataHighlights  = {
        New-HTMLTableConditionGroup {
            New-HTMLTableCondition -Name 'IsDC' -ComparisonType string -Value $true -Operator eq
            New-HTMLTableCondition -Name 'FullDelegation' -ComparisonType string -Value $true -Operator eq
        } -BackgroundColor PaleGreen -HighlightHeaders IsDC, FullDelegation
        New-HTMLTableConditionGroup {
            New-HTMLTableCondition -Name 'IsDC' -ComparisonType string -Value $false -Operator eq
            New-HTMLTableCondition -Name 'FullDelegation' -ComparisonType string -Value $true -Operator eq
        } -BackgroundColor Salmon -HighlightHeaders IsDC, FullDelegation

        New-HTMLTableConditionGroup {
            New-HTMLTableCondition -Name 'IsDC' -ComparisonType string -Value $false -Operator eq
            New-HTMLTableCondition -Name 'FullDelegation' -ComparisonType string -Value $false -Operator eq
        } -BackgroundColor PaleGreen -HighlightHeaders IsDC, FullDelegation

        New-HTMLTableCondition -Name 'Enabled' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'PasswordLastSet' -ComparisonType date -BackgroundColor PaleGreen -Value (Get-Date).AddDays(-180) -Operator gt -FailBackgroundColor Salmon -DateTimeFormat 'DD.MM.YYYY HH:mm:ss'
        New-HTMLTableCondition -Name 'LastLogonDate' -ComparisonType date -BackgroundColor PaleGreen -Value (Get-Date).AddDays(-180) -Operator gt -FailBackgroundColor Salmon -DateTimeFormat 'DD.MM.YYYY HH:mm:ss'
    DataInformation = {

$SecurityGroupsAccountOperators = @{
    Name   = 'DomainSecurityGroupsAccountOperators'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "Groups: Account operators should be empty"
        Data           = {
            Get-ADGroupMember -Identity 'S-1-5-32-548' -Recursive -Server $Domain
        Details        = [ordered] @{
            Area        = 'Cleanup', 'Security'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = "The Account Operators group should not be used. Custom delegate instead. This group is a great 'backdoor' priv group for attackers. Microsoft even says don't use this group!"
            Resolution  = ''
            Resources   = @()
        ExpectedOutput = $false
$SecurityGroupsSchemaAdmins = @{
    Name   = 'DomainSecurityGroupsSchemaAdmins'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "Groups: Schema Admins should be empty"
        Data           = {
            $DomainSID = (Get-ADDomain -Server $Domain).DomainSID
            Get-ADGroupMember -Recursive -Server $Domain -Identity "$DomainSID-518"
        Requirements   = @{
            IsDomainRoot = $true
        Details        = [ordered] @{
            Area        = 'Cleanup', 'Security'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = "Schema Admins group should be empty. If you need to manage schema you can always add user for the time of modification."
            Resolution  = 'Keep Schema group empty.'
            Resources   = @(

        ExpectedOutput = $false
$SecurityKRBGT = @{
    Name            = 'DomainSecurityKrbtgt'
    Enable          = $true
    Scope           = 'Domain'
    Source          = @{
        Name           = "Security: Krbtgt password"
        Data           = {
            #Get-ADUser -Filter { name -like "krbtgt*" } -Property Name, Created, logonCount, Modified, PasswordLastSet, PasswordExpired, msDS-KeyVersionNumber, CanonicalName, msDS-KrbTgtLinkBl -Server $Domain
            Get-ADUser -Filter { name -like "krbtgt*" } -Property Name, Created, Modified, PasswordLastSet, PasswordExpired, msDS-KeyVersionNumber, CanonicalName, msDS-KrbTgtLinkBl, Description -Server $Domain | Select-Object Name, Enabled, Description, PasswordLastSet, PasswordExpired, msDS-KrbTgtLinkBl, msDS-KeyVersionNumber, CanonicalName, Created, Modified
        Details        = [ordered] @{
            Category    = 'Security'
            Importance  = 10
            ActionType  = 1
            Description = 'A stolen krbtgt account password can wreak havoc on an organization because it can be used to impersonate authentication throughout the organization thereby giving an attacker access to sensitive data.'
            Resources   = @(
                '[AD Forest Recovery - Resetting the krbtgt password](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password)'
                '[KRBTGT Account Password Reset Scripts now available for customers](https://www.microsoft.com/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/)'
                "[Kerberos & KRBTGT: Active Directory's Domain Kerberos Service Account](https://adsecurity.org/?p=483)"
                "[Attacking Read-Only Domain Controllers to Own Active Directory](https://adsecurity.org/?p=3592)"
                '[DETECTING AND PREVENTING A GOLDEN TICKET ATTACK](https://frsecure.com/blog/golden-ticket-attack/)'
                '[Adversary techniques for credential theft and data compromise - Golden Ticket](https://attack.stealthbits.com/how-golden-ticket-attack-works)'
                '[Do You Need to Update KRBTGT Account Password?](https://www.kjctech.net/do-you-need-to-update-krbtgt-account-password/)'
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests           = [ordered] @{
        PasswordLastSet        = @{
            Enable      = $false
            Name        = 'Krbtgt Last Password Change should changed frequently'
            Parameters  = @{
                Property      = 'PasswordLastSet'
                ExpectedValue = '(Get-Date).AddDays(-180)'
                OperationType = 'gt'
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 8
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = 'LastPasswordChange should be less than 180 days ago.'
        PasswordLastSetPrimary = @{
            Enable      = $true
            Name        = 'Krbtgt DC password should be changed frequently'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'krbtgt' -and $_.PasswordLastSet -lt (Get-Date).AddDays(-180) }
                ExpectedCount = 0
                OperationType = 'eq'
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 8
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = 'LastPasswordChange should be less than 180 days ago.'
        PasswordLastSetAzure = @{
            Enable      = $true
            Name        = 'Krbtgt Azure AD password should be changed frequently'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'krbtgt_AzureAD' -and $_.PasswordLastSet -lt (Get-Date).AddDays(-180) }
                ExpectedCount = 0
                OperationType = 'eq'
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 8
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = 'LastPasswordChange should be less than 180 days ago.'
        PasswordLastSetRODC    = @{
            Enable      = $true
            Name        = 'Krbtgt RODC password should be changed frequently'
            Parameters  = @{
                WhereObject   = { $_.Name -ne 'krbtgt' -and $_.Name -ne 'krbtgt_AzureAD' -and $_.PasswordLastSet -lt (Get-Date).AddDays(-180) }
                ExpectedCount = 0
                OperationType = 'eq'
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 8
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = 'LastPasswordChange should be less than 180 days ago.'
        DeadKerberosAccount    = @{
            Enable      = $true
            Name        = 'Krbtgt RODC account without RODC'
            Parameters  = @{
                WhereObject   = { $_.Name -ne 'krbtgt' -and $_.Name -ne 'krbtgt_AzureAD' -and $_.'msDS-KrbTgtLinkBl'.Count -eq 0 }
                ExpectedCount = 0
                OperationType = 'eq'
            Details     = [ordered] @{
                Category    = 'Security', 'Cleanup'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 2
            Description = 'Kerberos accounts for dead RODCs should be removed'
    DataInformation = {
        New-HTMLText -Text 'Explanation to table columns:' -FontSize 10pt
        New-HTMLList {
            New-HTMLListItem -FontWeight bold, normal -Text "PasswordLastSet", " - shows the last date password for Kerberos was changed."
            New-HTMLListItem -FontWeight bold, normal -Text "msDS-KrbTgtLinkBl", " - shows linked RODC. If name contains numbers and msDS-KrbTgtLinkBl is empty the kerberos account is not required."
        } -FontSize 10pt

        New-HTMLText -Text "Please keep in mind that if there are more than one keberos account it means there are RODC having own krbtgt account. " -FontSize 10pt
    DataHighlights  = {
        New-HTMLTableConditionGroup {
            New-HTMLTableCondition -Name 'Name' -Value 'krbtgt' -Operator ne -ComparisonType string
            New-HTMLTableCondition -Name 'msDS-KrbTgtLinkBl' -Value '' -Operator eq -ComparisonType string
        } -Row -BackgroundColor Salmon
        New-HTMLTableCondition -Name 'PasswordLastSet' -ComparisonType date -BackgroundColor PaleGreen -Value (Get-Date).AddDays(-180) -Operator gt -FailBackgroundColor Salmon -DateTimeFormat 'DD.MM.YYYY HH:mm:ss'
        New-HTMLTableCondition -Name 'Enabled' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
$SecurityUsers = @{
    Name            = 'DomainSecurityUsers'
    Enable          = $true
    Scope           = 'Domain'
    Source          = @{
        Name           = "Users: Standard"
        Data           = {
            $Properties = @(
            $GuestSID = "$($DomainInformation.DomainSID)-501"
            # Skipping trusts with SamAccountType and Guests
            # Skipping Exchange_Online-ApplicationAccount because it doesn't require password by default (also disabled)
            Get-ADUser -Filter { (AllowReversiblePasswordEncryption -eq $true -or UseDESKeyOnly -eq $true -or PrimaryGroupID -ne '513' -or PasswordNotRequired -eq $true) -and (SID -ne $GuestSID -and SamAccountType -ne 805306370) } -Properties $Properties -Server $Domain | Where-Object { $_.UserPrincipalName -notlike 'Exchange_Online-ApplicationAccount*' } | Select-Object -Property $Properties
        Details        = [ordered] @{
            Category    = 'Security', 'Cleanup'
            Importance  = 0
            ActionType  = 0
            Description = 'Account by default have certain settings that make sure the account is fairly safe and can be used within Active Directory.'
            Resources   = @(

            StatusTrue  = 1
            StatusFalse = 0
        ExpectedOutput = $false
    Tests           = [ordered] @{
        KeberosDES                        = @{
            Enable      = $true
            Name        = 'Kerberos DES detection'
            Parameters  = @{
                WhereObject    = { $_.UseDESKeyOnly -eq $true }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = "User accounts shouldn't use DES encryption. Having UseDESKeyOnly forces the Kerberos encryption to be DES instead of RC4 which is the Microsoft default. DES is 56 bit encryption and is regarded as weak these days so this setting is not recommended."
        AllowReversiblePasswordEncryption = @{
            Enable      = $true
            Name        = 'Reversible Password detection'
            Parameters  = @{
                WhereObject    = { $_.AllowReversiblePasswordEncryption -eq $true }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = "User accounts shouldn't use Reversible Password Encryption. Having AllowReversiblePasswordEncryption allows for easy password decryption."
        PasswordNotRequired               = @{
            Enable      = $true
            Name        = 'PasswordNotRequired detection'
            Parameters  = @{
                WhereObject    = { $_.PasswordNotRequired -eq $true }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = "User accounts shouldn't use PasswordNotRequired. Having PasswordNotRequired is dangerous and shoudn't be used."
        PrimaryGroup                      = @{
            Enable      = $true
            Name        = "Primary Group shouldn't be changed from default Domain Users."
            Parameters  = @{
                #WhereObject = { $_.PrimaryGroupID -ne 513 -and $_.SID -ne "$((Get-ADDomain).DomainSID.Value)-501" }
                WhereObject    = { $_.PrimaryGroupID -ne 513 -and $_.SID -ne "$($DomainInformation.DomainSID)-501" }
                ExpectedCount  = 0
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
            Description = "User accounts shouldn't have different group then Domain Users as their primary group."
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                "Account by default have certain settings that make sure the account is fairly safe and can be used within Active Directory. "
                "Those settings are: "
            New-HTMLList {
                New-HTMLListItem -Text "Password is always required"
                New-HTMLListItem -Text "Password is not reverisble"
                New-HTMLListItem -Text "Keberos Encryption is set to RC4"
                New-HTMLListItem -Text "Primary Group is always Domain Users with exception of Domain Guests"
            New-HTMLText -Text @(
                "It's important that all those settings are set as expected."
    DataHighlights  = {
        New-HTMLTableCondition -Name 'Enabled' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'PasswordNotRequired' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'AllowReversiblePasswordEncryption' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'UseDESKeyOnly' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'PrimaryGroupID' -ComparisonType string -BackgroundColor PaleGreen -Value '513' -Operator eq -FailBackgroundColor Salmon -HighlightHeaders 'PrimaryGroupID', 'PrimaryGroup'
        New-HTMLTableCondition -Name 'PasswordLastSet' -ComparisonType date -BackgroundColor PaleGreen -Value (Get-Date).AddDays(-180) -Operator gt -FailBackgroundColor Salmon -DateTimeFormat 'DD.MM.YYYY HH:mm:ss'
        New-HTMLTableCondition -Name 'LastLogonDate' -ComparisonType date -BackgroundColor PaleGreen -Value (Get-Date).AddDays(-180) -Operator gt -FailBackgroundColor Salmon -DateTimeFormat 'DD.MM.YYYY HH:mm:ss'
    DataInformation = {
        New-HTMLText -Text 'Explanation to table columns:' -FontSize 10pt
        New-HTMLList {
            New-HTMLListItem -FontWeight bold, normal -Text "PasswordNotRequired", " - means password is not required by the account. This should be investigated right away. "
            New-HTMLListItem -FontWeight bold, normal -Text "AllowReversiblePasswordEncryption", " - means the password is stored insecurely in Active Directory. Removing this flag is required. "
            New-HTMLListItem -FontWeight bold, normal -Text "UseDESKeyOnly", " - means the kerberos encryption is set to DES which is very weak. Removing flag is required. "
            New-HTMLListItem -FontWeight bold, normal -Text "PrimaryGroupID", " - if primary group ID is something else then 513 it means someone made a primary group change to something else than Domain Users. This should be fixed. "
        } -FontSize 10pt
$SecurityUsersAcccountAdministrator = @{
    Name   = 'DomainSecurityUsersAcccountAdministrator'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "Users: Administrator (SID-500)"
        Data           = {
            # this test is kind of special
            # basically when account is disabled it doesn't make sense to check for PasswordLastSet
            # therefore i'm adding setting PasswordLastSet to current date to be able to test just that field
            # At least until support for multiple checks is added

            $DomainSID = (Get-ADDomain -Server $Domain).DomainSID
            $User = Get-ADUser -Identity "$DomainSID-500" -Properties PasswordLastSet, LastLogonDate, servicePrincipalName -Server $Domain
            if ($User.Enabled -eq $false) {
                [PSCustomObject] @{
                    Name                 = $User.SamAccountName
                    Enabled              = $User.Enabled
                    PasswordLastSet      = Get-Date
                    ServicePrincipalName = $User.ServicePrincipalName
                    LastLogonDate        = $User.LastLogonDate
                    DistinguishedName    = $User.DistinguishedName
                    SID                  = $User.SID
            } else {
                [PSCustomObject] @{
                    Name                 = $User.SamAccountName
                    Enabled              = $User.Enabled
                    PasswordLastSet      = $User.PasswordLastSet
                    ServicePrincipalName = $User.ServicePrincipalName
                    LastLogonDate        = $User.LastLogonDate
                    DistinguishedName    = $User.DistinguishedName
                    SID                  = $User.SID
        Details        = [ordered] @{
            Category    = 'Security'
            Importance  = 0
            ActionType  = 0
            Description = "Administrator (SID-500) account is critical account in Active Directory. Due to it's role it shouldn't be used as a daily driver, and only as emeregency account."
            Resources   = @(

            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests  = [ordered] @{
        LastLogonDate        = @{
            Enable      = $true
            Name        = 'Last Logon Date should not be recent'
            Parameters  = @{
                Property      = 'LastLogonDate'
                ExpectedValue = (Get-Date).AddDays(-60)
                OperationType = 'lt'
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 9
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = ""
        ServicePrincipalName = @{
            Enable      = $true
            Name        = 'Service Principal Name should be empty'
            Parameters  = @{
                Property      = 'servicePrincipalName'
                ExpectedValue = $null
                OperationType = 'eq'
            Details     = [ordered] @{
                Category    = 'Security'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
            Description = ""
        PasswordLastSet      = @{
            Enable      = $true
            Name        = 'Administrator Last Password Change Should be less than 360 days ago'
            Parameters  = @{
                Property      = 'PasswordLastSet'
                ExpectedValue = '(Get-Date).AddDays(-360)'
                OperationType = 'gt'
            Description = 'Administrator account should be disabled or LastPasswordChange should be less than 1 year ago.'
$SysVolDFSR = @{
    Name   = 'DomainSysVolDFSR'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = "DFSR Flags"
        Data           = {
            $DistinguishedName = (Get-ADDomain -Server $Domain).DistinguishedName
            $ADObject = "CN=DFSR-GlobalSettings,CN=System,$DistinguishedName"
            $Object = Get-ADObject -Identity $ADObject -Properties * -Server $Domain
            if ($Object.'msDFSR-Flags' -gt 47) {
                [PSCustomObject] @{
                    'SysvolMode' = 'DFS-R'
                    'Flags'      = $Object.'msDFSR-Flags'
            } else {
                [PSCustomObject] @{
                    'SysvolMode' = 'Not DFS-R'
                    'Flags'      = $Object.'msDFSR-Flags'
        Details        = [ordered] @{
            Area        = 'Health'
            Category    = 'SYSVOL'
            Severity    = ''
            Importance  = 0
            Description = 'Checks if DFS-R is available.'
            Resolution  = ''
            Resources   = @(
        ExpectedOutput = $true
    Tests  = [ordered] @{
        DFSRSysvolState = @{
            Enable     = $true
            Name       = 'DFSR Sysvol State'
            Parameters = @{
                Property              = 'SysvolMode'
                ExpectedValue         = 'DFS-R'
                OperationType         = 'eq'
                PropertyExtendedValue = 'Flags'
$WellKnownFolders = @{
    Name   = 'DomainWellKnownFolders'
    Enable = $true
    Scope  = 'Domain'
    Source = @{
        Name           = 'Well known folders'
        Data           = {
            $DomainInformation = Get-ADDomain -Server $Domain
            $WellKnownFolders = $DomainInformation | Select-Object -Property UsersContainer, ComputersContainer, DomainControllersContainer, DeletedObjectsContainer, SystemsContainer, LostAndFoundContainer, QuotasContainer, ForeignSecurityPrincipalsContainer
            $CurrentWellKnownFolders = [ordered] @{ }

            $DomainDistinguishedName = $DomainInformation.DistinguishedName
            $DefaultWellKnownFolders = [ordered] @{
                UsersContainer                     = "CN=Users,$DomainDistinguishedName"
                ComputersContainer                 = "CN=Computers,$DomainDistinguishedName"
                DomainControllersContainer         = "OU=Domain Controllers,$DomainDistinguishedName"
                DeletedObjectsContainer            = "CN=Deleted Objects,$DomainDistinguishedName"
                SystemsContainer                   = "CN=System,$DomainDistinguishedName"
                LostAndFoundContainer              = "CN=LostAndFound,$DomainDistinguishedName"
                QuotasContainer                    = "CN=NTDS Quotas,$DomainDistinguishedName"
                ForeignSecurityPrincipalsContainer = "CN=ForeignSecurityPrincipals,$DomainDistinguishedName"
            foreach ($_ in $WellKnownFolders.PSObject.Properties.Name) {
                $CurrentWellKnownFolders[$_] = $DomainInformation.$_
            Compare-MultipleObjects -Objects @($DefaultWellKnownFolders, $CurrentWellKnownFolders) -SkipProperties
        Details        = [ordered] @{
            Area        = 'Configuration'
            Category    = 'OrganizationalUnits'
            Severity    = 'Low'
            Importance  = 5
            Description = 'Verifies whether well-known folders are at their defaults or not.'
            Resolution  = 'Follow given resources to redirect users and computers containers to managable Organizational Units. If other Well Known folers are wrong - investigate.'
            Resources   = @(
        ExpectedOutput = $true
    Tests  = [ordered] @{
        UsersContainer                     = @{
            Enable     = $true
            Name       = "Users Container shouldn't be at default"
            Parameters = @{
                WhereObject           = { $_.Name -eq 'UsersContainer' }
                ExpectedValue         = $false
                Property              = 'Status'
                OperationType         = 'eq'
                PropertyExtendedValue = '1'
        ComputersContainer                 = @{
            Enable     = $true
            Name       = "Computers Container shouldn't be at default"
            Parameters = @{
                WhereObject           = { $_.Name -eq 'ComputersContainer' }
                ExpectedValue         = $false
                Property              = 'Status'
                OperationType         = 'eq'
                PropertyExtendedValue = '1'
        DomainControllersContainer         = @{
            Enable     = $true
            Name       = "Domain Controllers Container should be at default location"
            Parameters = @{
                WhereObject           = { $_.Name -eq 'DomainControllersContainer' }
                ExpectedValue         = $true
                Property              = 'Status'
                OperationType         = 'eq'
                PropertyExtendedValue = '1'
        DeletedObjectsContainer            = @{
            Enable     = $true
            Name       = "Deleted Objects Container should be at default location"
            Parameters = @{
                WhereObject           = { $_.Name -eq 'DeletedObjectsContainer' }
                ExpectedValue         = $true
                Property              = 'Status'
                OperationType         = 'eq'
                PropertyExtendedValue = '1'
        SystemsContainer                   = @{
            Enable     = $true
            Name       = "Systems Container should be at default location"
            Parameters = @{
                WhereObject           = { $_.Name -eq 'SystemsContainer' }
                ExpectedValue         = $true
                Property              = 'Status'
                OperationType         = 'eq'
                PropertyExtendedValue = '1'
        LostAndFoundContainer              = @{
            Enable     = $true
            Name       = "Lost And Found Container should be at default location"
            Parameters = @{
                WhereObject           = { $_.Name -eq 'LostAndFoundContainer' }
                ExpectedValue         = $true
                Property              = 'Status'
                OperationType         = 'eq'
                PropertyExtendedValue = '1'
        QuotasContainer                    = @{
            Enable     = $true
            Name       = "Quotas Container should be at default location"
            Parameters = @{
                WhereObject           = { $_.Name -eq 'QuotasContainer' }
                ExpectedValue         = $true
                Property              = 'Status'
                OperationType         = 'eq'
                PropertyExtendedValue = '1'
        ForeignSecurityPrincipalsContainer = @{
            Enable     = $true
            Name       = "Foreign Security Principals Container should be at default location"
            Parameters = @{
                WhereObject           = { $_.Name -eq 'ForeignSecurityPrincipalsContainer' }
                ExpectedValue         = $true
                Property              = 'Status'
                OperationType         = 'eq'
                PropertyExtendedValue = '1'
$DCDNSForwaders = @{
    Name   = 'DCDNSForwaders'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "DC DNS Forwarders"
        Data           = {
            $Forwarders = Get-WinDnsServerForwarder -Forest $ForestName -Domain $Domain -IncludeDomainControllers $DomainController -WarningAction SilentlyContinue -Formatted
        Details        = [ordered] @{
            Area        = 'Configuration'
            Category    = 'DNS'
            Severity    = 'Medium'
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        SameForwarders = @{
            Enable      = $true
            Name        = 'Multiple DNS Forwarders'
            Parameters  = @{
                Property              = 'ForwardersCount'
                ExpectedValue         = 1
                OperationType         = 'gt'
                PropertyExtendedValue = 'IPAddress'
            Description = 'DNS: More than one forwarding server should be configured'
$DFS = @{
    Name   = 'DCDFS'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "SYSVOL/DFS Verification"
        Data           = {
            Get-WinADDFSHealth -Forest $ForestName -Domains $Domain -DomainControllers $DomainController -EventDays $EventDays
        Parameters     = @{
            EventDays = 3
        Details        = [ordered] @{
            Area        = 'Health'
            Category    = 'DFS'
            Severity    = 'High'
            Importance  = 0
            Description = "Provides health verification of SYSVOL/DFS on Domain Controller."
            Resolution  = ''
            Resources   = @(


                # personal favourite to fix DFSR issues
        ExpectedOutput = $true
    Tests  = [ordered] @{
        Status              = @{
            Enable     = $true
            Name       = 'DFS should be Healthy'
            Parameters = @{
                ExpectedValue = $true
                Property      = 'Status'
                OperationType = 'eq'
        ReplicationState    = @{
            Enable     = $true
            Name       = 'Replication State should be NORMAL'
            Parameters = @{
                ExpectedValue = 'Normal'
                Property      = 'ReplicationState'
                OperationType = 'eq'
        CentralRepository   = @{
            Enable     = $true
            Name       = 'Central Repository for GPO for Domain should be available'
            Parameters = @{
                ExpectedValue = $true
                Property      = 'CentralRepository'
                OperationType = 'eq'
        CentralRepositoryDC = @{
            Enable     = $true
            Name       = 'Central Repository for GPO for DC should be available'
            Parameters = @{
                ExpectedValue = $true
                Property      = 'CentralRepositoryDC'
                OperationType = 'eq'
        IdenticalCount      = @{
            Enable     = $true
            Name       = 'GPO Count should match folder count'
            Parameters = @{
                ExpectedValue = $true
                Property      = 'IdenticalCount'
                OperationType = 'eq'
        MemberReference     = @{
            Enable     = $true
            Name       = 'MemberReference should return TRUE'
            Parameters = @{
                ExpectedValue = $true
                Property      = 'MemberReference'
                OperationType = 'eq'
        DFSErrors           = @{
            Enable     = $true
            Name       = 'DFSErrors should be 0'
            Parameters = @{
                ExpectedValue = 0
                Property      = 'DFSErrors'
                OperationType = 'eq'
        DFSLocalSetting     = @{
            Enable     = $true
            Name       = 'DFSLocalSetting should be TRUE'
            Parameters = @{
                ExpectedValue = $true
                Property      = 'DFSLocalSetting'
                OperationType = 'eq'
        DomainSystemVolume  = @{
            Enable     = $true
            Name       = 'DomainSystemVolume should be TRUE'
            Parameters = @{
                ExpectedValue = $true
                Property      = 'DomainSystemVolume'
                OperationType = 'eq'
        SYSVOLSubscription  = @{
            Enable     = $true
            Name       = 'SYSVOLSubscription should be TRUE'
            Parameters = @{
                ExpectedValue = $true
                Property      = 'SYSVOLSubscription'
                OperationType = 'eq'
        DFSRAutoRecovery    = @{
            Enable     = $true
            Name       = 'DFSR AutoRecovery should be enabled (not stopped)'
            Parameters = @{
                Property      = 'StopReplicationOnAutoRecovery'
                ExpectedValue = $false
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

DomainController Domain Status IsPDC GroupPolicyCount SysvolCount CentralRepository CentralRepositoryDC IdenticalCount Availability MemberReference DFSErrors DFSEvents DFSLocalSetting DomainSystemVolume SYSVOLSubscription
---------------- ------ ------ ----- ---------------- ----------- ----------------- ------------------- -------------- ------------ --------------- --------- --------- --------------- ------------------ ------------------
AD2 ad.evotec.xyz False False 14 12 False False False True True 0 True True True
AD1 ad.evotec.xyz True True 14 14 False False True True True 0 True True True
AD3 ad.evotec.xyz False False 14 0 False False False True True 0 True True True

$Diagnostics = @{
    Name   = 'DCDiagnostics'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'Diagnostics (DCDIAG)'
        Data           = {
            Test-ADDomainController -Forest $ForestName -ComputerName $DomainController -WarningAction SilentlyContinue
        Details        = [ordered] @{
            Area        = 'Health'
            Category    = 'Overall'
            Description = ''
            Resolution  = ''
            Importance  = 10
            Severity    = 'Medium'
            Resources   = @(
        ExpectedOutput = $true
    Tests  = [ordered] @{
        Connectivity                     = @{
            Enable     = $true
            Name       = 'DCDiag Connectivity'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'Connectivity' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        Advertising                      = @{
            Enable     = $true
            Name       = 'DCDiag Advertising'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'Advertising' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        CheckSecurityError               = @{
            Enable     = $true
            Name       = 'DCDiag CheckSecurityError'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CheckSecurityError' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        CutoffServers                    = @{
            Enable     = $true
            Name       = 'DCDiag CutoffServers'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CutoffServers' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        FrsEvent                         = @{
            Enable     = $true
            Name       = 'DCDiag FrsEvent'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'FrsEvent' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        DFSREvent                        = @{
            Enable     = $true
            Name       = 'DCDiag DFSREvent'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'DFSREvent' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        SysVolCheck                      = @{
            Enable     = $true
            Name       = 'DCDiag SysVolCheck'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'SysVolCheck' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        FrsSysVol                        = @{
            Enable     = $true
            Name       = 'DCDiag FrsSysVol'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'FrsSysVol' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        KccEvent                         = @{
            Enable     = $true
            Name       = 'DCDiag KccEvent'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'KccEvent' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        KnowsOfRoleHolders               = @{
            Enable     = $true
            Name       = 'DCDiag KnowsOfRoleHolders'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'KnowsOfRoleHolders' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        MachineAccount                   = @{
            Enable     = $true
            Name       = 'DCDiag MachineAccount'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'MachineAccount' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        NCSecDesc                        = @{
            Enable     = $true
            Name       = 'DCDiag NCSecDesc'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'NCSecDesc' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        NetLogons                        = @{
            Enable     = $true
            Name       = 'DCDiag NetLogons'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'NetLogons' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        ObjectsReplicated                = @{
            Enable     = $true
            Name       = 'DCDiag ObjectsReplicated'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'ObjectsReplicated' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        Replications                     = @{
            Enable     = $true
            Name       = 'DCDiag Replications'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'Replications' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        RidManager                       = @{
            Enable     = $true
            Name       = 'DCDiag RidManager'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'RidManager' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        Services                         = @{
            Enable     = $true
            Name       = 'DCDiag Services'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'Services' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        SystemLog                        = @{
            Enable     = $true
            Name       = 'DCDiag SystemLog'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'SystemLog' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        Topology                         = @{
            Enable     = $true
            Name       = 'DCDiag Topology'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'Topology' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        VerifyEnterpriseReferences       = @{
            Enable     = $true
            Name       = 'DCDiag VerifyEnterpriseReferences'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'VerifyEnterpriseReferences' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        VerifyReferences                 = @{
            Enable     = $true
            Name       = 'DCDiag VerifyReferences'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'VerifyReferences' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        VerifyReplicas                   = @{
            Enable     = $true
            Name       = 'DCDiag VerifyReplicas'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'VerifyReplicas' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        DNS                              = @{
            Enable     = $true
            Name       = 'DCDiag DNS'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'DNS' -and $_.Target -ne $Domain }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        ForestDnsZonesCheckSDRefDom      = @{
            Enable     = $true
            Name       = 'DCDiag ForestDnsZones CheckSDRefDom'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CheckSDRefDom' -and $_.Target -eq 'ForestDnsZones' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        ForestDnsZonesCrossRefValidation = @{
            Enable     = $true
            Name       = 'DCDiag ForestDnsZones CrossRefValidation'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CrossRefValidation' -and $_.Target -eq 'ForestDnsZones' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        DomainDnsZonesCheckSDRefDom      = @{
            Enable     = $true
            Name       = 'DCDiag DomainDnsZones CheckSDRefDom'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CheckSDRefDom' -and $_.Target -eq 'DomainDnsZones' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        DomainDnsZonesCrossRefValidation = @{
            Enable     = $true
            Name       = 'DCDiag DomainDnsZones CrossRefValidation'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CrossRefValidation' -and $_.Target -eq 'DomainDnsZones' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        SchemaCheckSDRefDom              = @{
            Enable     = $true
            Name       = 'DCDiag Schema CheckSDRefDom'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CheckSDRefDom' -and $_.Target -eq 'Schema' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        SchemaCrossRefValidation         = @{
            Enable     = $true
            Name       = 'DCDiag Schema CrossRefValidation'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CrossRefValidation' -and $_.Target -eq 'Schema' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        ConfigurationCheckSDRefDom       = @{
            Enable     = $true
            Name       = 'DCDiag Configuration CheckSDRefDom'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CheckSDRefDom' -and $_.Target -eq 'Configuration' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        ConfigurationCrossRefValidation  = @{
            Enable     = $true
            Name       = 'DCDiag Configuration CrossRefValidation'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CrossRefValidation' -and $_.Target -eq 'Configuration' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        NetbiosCheckSDRefDom             = @{
            Enable     = $true
            Name       = 'DCDiag NETBIOS CheckSDRefDom'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CheckSDRefDom' -and ($_.Target -ne 'Configuration' -and $_.Target -ne 'ForestDnsZones' -and $_.Target -ne 'DomainDnsZones' -and $_.Target -ne 'Schema') }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        NetbiosCrossRefValidation        = @{
            Enable     = $true
            Name       = 'DCDiag NETBIOS CrossRefValidation'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'CrossRefValidation' -and ($_.Target -ne 'Configuration' -and $_.Target -ne 'ForestDnsZones' -and $_.Target -ne 'DomainDnsZones' -and $_.Target -ne 'Schema') }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        DNSDomain                        = @{
            Enable     = $true
            Name       = 'DCDiag DNS'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'DNS' -and $_.Target -eq $Domain }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        LocatorCheck                     = @{
            Enable     = $true
            Name       = 'DCDiag LocatorCheck'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'LocatorCheck' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        FsmoCheck                        = @{
            Enable     = $true
            Name       = 'DCDiag FsmoCheck'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'FsmoCheck' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'
        Intersite                        = @{
            Enable     = $true
            Name       = 'DCDiag Intersite'
            Parameters = @{
                WhereObject   = { $_.Test -eq 'Intersite' }
                Property      = 'Result'
                ExpectedValue = $true
                OperationType = 'eq'

ComputerName Target Test Result Data
------------ ------ ---- ------ ----
ad1.ad.evotec.xyz AD1 Connectivity True Starting test: Connectivity...
ad1.ad.evotec.xyz AD1 Advertising True Starting test: Advertising...
ad1.ad.evotec.xyz AD1 CheckSecurityError True Starting test: CheckSecurityError...
ad1.ad.evotec.xyz AD1 CutoffServers True Starting test: CutoffServers...
ad1.ad.evotec.xyz AD1 FrsEvent True Starting test: FrsEvent...
ad1.ad.evotec.xyz AD1 DFSREvent True Starting test: DFSREvent...
ad1.ad.evotec.xyz AD1 SysVolCheck True Starting test: SysVolCheck...
ad1.ad.evotec.xyz AD1 FrsSysVol True Starting test: FrsSysVol...
ad1.ad.evotec.xyz AD1 KccEvent True Starting test: KccEvent...
ad1.ad.evotec.xyz AD1 KnowsOfRoleHolders True Starting test: KnowsOfRoleHolders...
ad1.ad.evotec.xyz AD1 MachineAccount True Starting test: MachineAccount...
ad1.ad.evotec.xyz AD1 NCSecDesc True Starting test: NCSecDesc...
ad1.ad.evotec.xyz AD1 NetLogons True Starting test: NetLogons...
ad1.ad.evotec.xyz AD1 ObjectsReplicated True Starting test: ObjectsReplicated...
ad1.ad.evotec.xyz AD1 Replications True Starting test: Replications...
ad1.ad.evotec.xyz AD1 RidManager True Starting test: RidManager...
ad1.ad.evotec.xyz AD1 Services True Starting test: Services...
ad1.ad.evotec.xyz AD1 SystemLog False Starting test: SystemLog...
ad1.ad.evotec.xyz AD1 Topology True Starting test: Topology...
ad1.ad.evotec.xyz AD1 VerifyEnterpriseReferences True Starting test: VerifyEnterpriseReferences...
ad1.ad.evotec.xyz AD1 VerifyReferences True Starting test: VerifyReferences...
ad1.ad.evotec.xyz AD1 VerifyReplicas True Starting test: VerifyReplicas...
ad1.ad.evotec.xyz AD1 DNS True Starting test: DNS...
ad1.ad.evotec.xyz ForestDnsZones CheckSDRefDom True Starting test: CheckSDRefDom...
ad1.ad.evotec.xyz ForestDnsZones CrossRefValidation True Starting test: CrossRefValidation...
ad1.ad.evotec.xyz DomainDnsZones CheckSDRefDom True Starting test: CheckSDRefDom...
ad1.ad.evotec.xyz DomainDnsZones CrossRefValidation True Starting test: CrossRefValidation...
ad1.ad.evotec.xyz Schema CheckSDRefDom True Starting test: CheckSDRefDom...
ad1.ad.evotec.xyz Schema CrossRefValidation True Starting test: CrossRefValidation...
ad1.ad.evotec.xyz Configuration CheckSDRefDom True Starting test: CheckSDRefDom...
ad1.ad.evotec.xyz Configuration CrossRefValidation True Starting test: CrossRefValidation...
ad1.ad.evotec.xyz ad CheckSDRefDom True Starting test: CheckSDRefDom...
ad1.ad.evotec.xyz ad CrossRefValidation True Starting test: CrossRefValidation...
ad1.ad.evotec.xyz ad.evotec.xyz DNS True Starting test: DNS...
ad1.ad.evotec.xyz ad.evotec.xyz LocatorCheck True Starting test: LocatorCheck...
ad1.ad.evotec.xyz ad.evotec.xyz FsmoCheck True Starting test: FsmoCheck...
ad1.ad.evotec.xyz ad.evotec.xyz Intersite True Starting test: Intersite...

$DiskSpace = @{
    Name   = 'DCDiskSpace'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'Disk Free'
        Data           = {
            Get-ComputerDiskLogical -ComputerName $DomainController -OnlyLocalDisk -WarningAction SilentlyContinue
        Details        = [ordered] @{
            Area        = 'Health'
            Category    = 'Disk'
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        FreeSpace   = @{
            Enable     = $true
            Name       = "Free Space in GB"
            Parameters = @{
                Property              = 'FreeSpace'
                PropertyExtendedValue = 'FreeSpace'
                ExpectedValue         = 10
                OperationType         = 'gt'
                OverwriteName         = { "Free Space in GB / $($_.DeviceID)" }
        FreePercent = @{
            Enable     = $true
            Name       = 'Free Space Percent'
            Parameters = @{
                Property              = 'FreePercent'
                PropertyExtendedValue = 'FreePercent'
                ExpectedValue         = 10
                OperationType         = 'gt'
                OverwriteName         = { "Free Space in Percent / $($_.DeviceID)" }
$DNSNameServers = @{
    Name   = 'DCDnsNameServes'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Name servers for primary domain zone"
        Data           = {
            Test-DNSNameServers -Domain $Domain -DomainController $DomainController
        Details        = [ordered] @{
            Area        = 'Configuration'
            Category    = 'DNS'
            Severity    = 'Medium'
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        DnsNameServersIdentical = @{
            Enable      = $true
            Name        = 'DNS Name servers for primary zone are identical'
            Parameters  = @{
                Property              = 'Status'
                ExpectedValue         = $True
                OperationType         = 'eq'
                PropertyExtendedValue = 'Comment'
            Description = 'DNS Name servers for primary zone should be equal to Domain Controllers for a Domain.'
$DNSResolveExternal = @{
    Name   = 'DCDnsResolveExternal'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Resolves external DNS queries"
        Data           = {
            $Output = Invoke-Command -ComputerName $DomainController -ErrorAction Stop {
                Resolve-DnsName -Name 'testimo-check.evotec.xyz' -ErrorAction SilentlyContinue | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' }
        Details        = [ordered] @{
            Area        = 'Health'
            Category    = 'DNS'
            Severity    = 'High'
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        ResolveDNSExternal = @{
            Enable      = $true
            Name        = 'Should resolve External DNS'
            Parameters  = @{
                Property      = 'IPAddress'
                ExpectedValue = ''
                OperationType = 'eq'
            Description = 'DNS should resolve external queries properly.'

$DNSResolveInternal = @{
    Name   = 'DCDnsResolveInternal'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Resolves internal DNS queries"
        Data           = {
            $Output = Invoke-Command -ComputerName $DomainController -ErrorAction Stop {
                    [string] $DomainController
                $AllDomainControllers = Get-ADDomainController -Identity $DomainController -Server $DomainController
                $IPs = $AllDomainControllers.IPv4Address | Sort-Object
                $Output = Resolve-DnsName -Name $DomainController -ErrorAction SilentlyContinue
                    'Result'      = 'IP Comparison'
                    'Status'      = if ($null -eq (Compare-Object -ReferenceObject $IPs -DifferenceObject ($Output.IP4Address | Sort-Object))) { $true } else { $false }
                    'IPAddresses' = $Output.IP4Address
            } -ArgumentList $DomainController
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        ResolveDNSInternal = @{
            Enable      = $true
            Name        = 'Should resolve Internal DNS'
            Parameters  = @{
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'IPAddresses'
            Description = 'DNS should resolve internal domains correctly.'
$EventLogs = @{
    Name   = 'DCEventLogs'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Event Logs"
        Data           = {
            Get-EventsInformation -LogName 'Application', 'System', 'Security', 'Microsoft-Windows-PowerShell/Operational' -Machine $DomainController -WarningAction SilentlyContinue
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        ApplicationLogMode                               = @{
            Enable     = $true
            Name       = 'Application Log mode is set to AutoBackup'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Application' }
                Property      = 'LogMode'
                ExpectedValue = 'AutoBackup'
                OperationType = 'eq'
        ApplicationLogFull                               = @{
            Enable     = $true
            Name       = 'Application log is not full'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Application' }
                Property      = 'IsLogFull'
                ExpectedValue = $false
                OperationType = 'eq'
        PowershellLogMode                                = @{
            Enable     = $true
            Name       = 'PowerShell Log mode is set to AutoBackup'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Microsoft-Windows-PowerShell/Operational' }
                Property      = 'LogMode'
                ExpectedValue = 'AutoBackup'
                OperationType = 'eq'
        PowerShellLogFull                                = @{
            Enable     = $true
            Name       = 'PowerShell log is not full'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Microsoft-Windows-PowerShell/Operational' }
                Property      = 'IsLogFull'
                ExpectedValue = $false
                OperationType = 'eq'
        SystemLogMode                                    = @{
            Enable     = $true
            Name       = 'System Log mode is set to AutoBackup'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'System' }
                Property      = 'LogMode'
                ExpectedValue = 'AutoBackup'
                OperationType = 'eq'
        SystemLogFull                                    = @{
            Enable     = $true
            Name       = 'System log is not full'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'System' }
                Property      = 'IsLogFull'
                ExpectedValue = $false
                OperationType = 'eq'

        SecurityLogMode                                  = @{
            Enable     = $true
            Name       = 'Security Log mode is set to AutoBackup'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Security' }
                Property      = 'LogMode'
                ExpectedValue = 'AutoBackup'
                OperationType = 'eq'
        SecurityLogFull                                  = @{
            Enable     = $true
            Name       = 'Security log is not full'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Security' }
                Property      = 'IsLogFull'
                ExpectedValue = $false
                OperationType = 'eq'
        SecurityMaximumLogSize                           = @{
            Enable     = $true
            Name       = 'Security Log Maximum Size smaller then 4GB'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Security' }
                Property      = 'FileSizeMaximumMB'
                ExpectedValue = 4000
                OperationType = 'le'
        SecurityCurrentLogSize                           = @{
            Enable     = $true
            Name       = 'Security Log Current Size smaller then 4GB'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Security' }
                Property      = 'FileSizeCurrentMB'
                ExpectedValue = 4000
                OperationType = 'le'
        SecurityPermissionsDefaultNetworkService         = @{
            Enable     = $true
            Name       = 'Security Log has NT AUTHORITY\NETWORK SERVICE with AccessAllowed'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Security' -and $_.SecurityDescriptorDiscretionaryAcl -contains 'NT AUTHORITY\NETWORK SERVICE: AccessAllowed (ListDirectory)' }
                ExpectedCount = 1
                OperationType = 'eq'
        SecurityPermissionsDefaultSYSTEM                 = @{
            Enable     = $true
            Name       = 'Security Log has NT AUTHORITY\SYSTEM with AccessAllowed'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Security' -and $_.SecurityDescriptorDiscretionaryAcl -contains 'NT AUTHORITY\SYSTEM: AccessAllowed (ChangePermissions, CreateDirectories, Delete, GenericExecute, ListDirectory, ReadPermissions, TakeOwnership)' }
                ExpectedCount = 1
                OperationType = 'eq'
        SecurityPermissionsNDefaultBuiltinAdministrators = @{
            Enable     = $true
            Name       = 'Security Log has BUILTIN\Administrators with AccessAllowed'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Security' -and $_.SecurityDescriptorDiscretionaryAcl -contains 'BUILTIN\Administrators: AccessAllowed (CreateDirectories, ListDirectory)' }
                ExpectedCount = 1
                OperationType = 'eq'
        SecurityPermissionsDefaultBuiltinEventLogReaders = @{
            Enable     = $true
            Name       = 'Security Log has BUILTIN\Event Log Readers with AccessAllowed'
            Parameters = @{
                WhereObject   = { $_.LogName -eq 'Security' -and $_.SecurityDescriptorDiscretionaryAcl -contains 'BUILTIN\Event Log Readers: AccessAllowed (ListDirectory)' }
                ExpectedCount = 1
                OperationType = 'eq'

#$Test = Get-EventsInformation -LogName 'Security' -Machine AD1
#$Test = Get-EventsInformation -LogName 'Microsoft-Windows-PowerShell/Operational' -Machine AD1

# PowerShellCore/Operational
# Microsoft-Windows-PowerShell/Operational

#$D = ConvertFrom-SddlString 'O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)'

#Get-PSRegistry -RegistryPath 'HKLM\Software\Policies\Microsoft\Windows\PowerShell' | ft -a
#Get-PSRegistry -RegistryPath 'HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ComputerName AD1 | ft -a
#Get-PSRegistry -RegistryPath 'HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription' -ComputerName AD1 | ft -a
#Get-PSRegistry -RegistryPath 'HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ComputerName AD1 | ft -a
#Get-PSRegistry -registrypath 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell' -ComputerName AD1
#Get-PSRegistry -registrypath 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies'
#Get-PSRegistry -RegistryPath 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell' -Verbose
$FileSystem = @{
    Name   = 'DCFileSystem'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "FileSystem"
        Data           = {
            Get-PSRegistry -RegistryPath 'HKLM\SYSTEM\CurrentControlSet\Control\FileSystem' -ComputerName $DomainController
        Details        = [ordered] @{
            Type        = 'Security'
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(
        Requirements   = @{
            CommandAvailable = 'Get-WinADLMSettings'
        ExpectedOutput = $true
    Tests  = [ordered] @{
        NtfsDisable8dot3NameCreation = @{
            Enable     = $true
            Name       = 'NtfsDisable8dot3NameCreation'
            Parameters = @{
                Property      = 'NtfsDisable8dot3NameCreation'
                ExpectedValue = 0
                OperationType = 'gt'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

$GroupPolicySYSVOLDC = @{
    Name   = 'DCGroupPolicySYSVOLDC'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Group Policy SYSVOL Verification"
        Data           = {
            Get-GPOZaurrSysvol -IncludeDomains $Domain -IncludeDomainControllers $DomainController -VerifyDomainControllers | Where-Object { $_.Status -ne 'Exists' }
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $false
$Information = @{
    Name   = 'DCInformation'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Domain Controller Information"
        Data           = {
            Get-ADDomainController -Server $DomainController
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        IsEnabled       = @{
            Enable     = $true
            Name       = 'Is Enabled'
            Parameters = @{
                Property      = 'Enabled'
                ExpectedValue = $True
                OperationType = 'eq'
        IsGlobalCatalog = @{
            Enable     = $true
            Name       = 'Is Global Catalog'
            Parameters = @{
                Property      = 'IsGlobalCatalog'
                ExpectedValue = $True
                OperationType = 'eq'
$LanManagerSettings = @{
    Name   = 'DCLanManagerSettings'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Lan Manager Settings"
        Data           = {
            Get-WinADLMSettings -DomainController $DomainController
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(
        Requirements   = @{
            CommandAvailable = 'Get-WinADLMSettings'
        ExpectedOutput = $true
    Tests  = [ordered] @{
        Level                     = @{
            Enable     = $true
            Name       = 'LM Level'
            Parameters = @{
                Property      = 'Level'
                ExpectedValue = 5
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        AuditBaseObjects          = @{
            Enable     = $true
            Name       = 'Audit Base Objects'
            Parameters = @{
                Property      = 'AuditBaseObjects'
                ExpectedValue = $false
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(
        CrashOnAuditFail          = @{
            Enable     = $true
            Name       = 'Crash On Audit Fail'
            Parameters = @{
                Property      = 'CrashOnAuditFail'
                ExpectedValue = 0
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(
        EveryoneIncludesAnonymous = @{
            Enable     = $true
            Name       = 'Everyone Includes Anonymous'
            Parameters = @{
                Property      = 'EveryoneIncludesAnonymous'
                ExpectedValue = $false
                OperationType = 'eq'
            Details    = [ordered] @{
                Title       = 'Disable and Enforce the Setting "Network access: Let Everyone permissions apply to anonymous users"'
                Area        = ''
                Description = 'This setting helps to prevent an unauthorized user could from anonymously listing account names and shared resources and use using the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks.'
                Resolution  = ''
                Importance  = 10
                Resources   = @(
        SecureBoot                = @{
            Enable     = $true
            Name       = 'Secure Boot'
            Parameters = @{
                Property      = 'SecureBoot'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        LSAProtectionCredentials  = @{
            Enable     = $true
            Name       = 'LSAProtectionCredentials'
            Parameters = @{
                Property      = 'LSAProtectionCredentials'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        LimitBlankPasswordUse     = @{
            Enable     = $true
            Name       = 'LimitBlankPasswordUse'
            Parameters = @{
                Property      = 'LimitBlankPasswordUse'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        NoLmHash                  = @{
            Enable     = $true
            Name       = 'NoLmHash'
            Parameters = @{
                Property      = 'NoLmHash'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        DisableDomainCreds        = @{
            Enable     = $true
            Name       = 'DisableDomainCreds'
            Parameters = @{
                Property      = 'DisableDomainCreds'
                ExpectedValue = $false
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(
        ForceGuest                = @{
            Enable     = $true
            Name       = 'ForceGuest'
            Parameters = @{
                Property      = 'ForceGuest'
                ExpectedValue = $false
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

$LanManServer = @{
    Name   = 'DCLanManServer'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Lan Man Server"
        Data           = {
            #Get-WinADLMSettings -DomainController $DomainController
            Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' -ComputerName $DomainController
        Details        = [ordered] @{
            Area        = 'Security'
            Description = 'Lan Man Server'
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        Requirements   = @{
            CommandAvailable = 'Get-PSRegistry'
        ExpectedOutput = $true
    Tests  = [ordered] @{
        DisableCompression       = @{
            Enable     = $false
            Name       = 'Disable Compression SMBv3'
            Parameters = @{
                Property      = 'DisableCompression'
                ExpectedValue = 1
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = 'Security'
                Description = 'Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.'
                Resolution  = 'Disable SMBv3 compression or apply patch. Since patch is available disabling is not nessecary.'
                Importance  = 10
                Resources   = @(
        EnableForcedLogoff       = @{
            Enable     = $true
            Name       = 'Enable Forced Logoff'
            Parameters = @{
                Property      = 'EnableForcedLogoff'
                ExpectedValue = 1
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'Users are not forcibly disconnected when logon hours expire.'
                Resolution  = ''
                Importance  = 10
                Resources   = @(
        EnableSecuritySignature  = @{
            Enable     = $true
            Name       = 'Enable Security Signature'
            Parameters = @{
                Property      = 'EnableSecuritySignature'
                ExpectedValue = 1
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'Microsoft network server: Digitally sign communications (if client agrees)'
                Resolution  = ''
                Importance  = 10
                Resources   = @(
                    'https://support.microsoft.com/en-us/help/887429/overview-of-server-message-block-signing' # XP
        RequireSecuritySignature = @{
            Enable     = $true
            Name       = 'Require Security Signature'
            Parameters = @{
                Property      = 'RequireSecuritySignature'
                ExpectedValue = 1
                OperationType = 'eq'
            Details    = [ordered] @{
                Type            = 'Security'
                Area            = ''
                Description     = 'Microsoft network server: Digitally sign communications (always)'
                Vulnerability   = 'Session hijacking uses tools that allow attackers who have access to the same network as the client
                computer or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify
                unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might
                perform objectionable actions. Alternatively, the attacker could pose as the server or client after legitimate
                authentication and gain unauthorized access to data.
                SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS
                and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side
                fails the authentication process, data transmission does not take place.'

                PotentialImpact = 'The Windows implementation of the SMB file and print-sharing protocol support mutual authentication,
                which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks.
                SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client computer and the server.
                Implementing SMB signing may negatively affect performance because each packet must be signed and verified. If these policy settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks.'

                Resolution      = ''
                Importance      = 10
                Resources       = @(
                    'https://support.microsoft.com/en-us/help/887429/overview-of-server-message-block-signing' # XP

#Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ComputerName AD1

#Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ComputerName AD1

$LDAP = @{
    Name   = 'DCLDAP'
    Enable = $false
    Scope  = 'DC'
    Source = @{
        Name           = 'LDAP Connectivity'
        Data           = {
            Test-LDAP -ComputerName $DomainController -WarningAction SilentlyContinue -VerifyCertificate
        Details        = [ordered] @{
            Category    = 'Health'
            Description = ''
            Resolution  = ''
            Importance  = 0
            ActionType  = 0
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        PortLDAP                 = @{
            Enable     = $true
            Name       = 'LDAP Port is Available'

            Parameters = @{
                Property      = 'LDAP'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category   = 'Health'
                Importance = 10
                ActionType = 2
        PortLDAPS                = @{
            Enable     = $true
            Name       = 'LDAP SSL Port is Available'
            Parameters = @{
                Property      = 'LDAPS'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category   = 'Health'
                Importance = 10
                ActionType = 2
        PortLDAP_GC              = @{
            Enable     = $true
            Name       = 'LDAP GC Port is Available'
            Parameters = @{
                Property      = 'GlobalCatalogLDAP'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category   = 'Health'
                Importance = 10
                ActionType = 2
        PortLDAPS_GC             = @{
            Enable     = $true
            Name       = 'LDAP SSL GC Port is Available'
            Parameters = @{
                Property      = 'GlobalCatalogLDAPS'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category   = 'Health'
                Importance = 10
                ActionType = 2
        BindLDAPS                = @{
            Enable     = $true
            Name       = 'LDAP SSL Bind available'
            Parameters = @{
                Property      = 'LDAPSBind'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category   = 'Health'
                Importance = 10
                ActionType = 2
        BindLDAPS_GC             = @{
            Enable     = $true
            Name       = 'LDAP SSL GC Bind is Available'
            Parameters = @{
                Property      = 'GlobalCatalogLDAPSBind'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category   = 'Health'
                Importance = 10
                ActionType = 2
        X509NotBeforeDays        = @{
            Enable     = $true
            Name       = 'Not Before Days should be less/equal 0'
            Parameters = @{
                Property      = 'X509NotBeforeDays'
                ExpectedValue = 0
                OperationType = 'le'
            Details    = [ordered] @{
                Category   = 'Health'
                Importance = 10
                ActionType = 2
        X509NotAfterDaysWarning  = @{
            Enable     = $true
            Name       = 'Not After Days should be more than 10 days'
            Parameters = @{
                Property      = 'X509NotAfterDays'
                ExpectedValue = 10
                OperationType = 'gt'
            Details    = [ordered] @{
                Category   = 'Health'
                Importance = 10
                ActionType = 1
        X509NotAfterDaysCritical = @{
            Enable     = $true
            Name       = 'Not After Days should be more than 0 days'
            Parameters = @{
                Property      = 'X509NotAfterDays'
                ExpectedValue = 0
                OperationType = 'gt'
            Details    = [ordered] @{
                Category   = 'Health'
                Importance = 10
                ActionType = 2
$LDAPInsecureBindings = @{
    Name   = 'DCLDAPInsecureBindings'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'LDAP Insecure Bindings'
        Data           = {
            Get-WinADLDAPBindingsSummary -IncludeDomainControllers $DomainController -WarningAction SilentlyContinue
        Details        = [ordered] @{
            Area        = 'Security'
            Category    = 'LDAP'
            Description = 'LDAP channel binding and LDAP signing provide ways to increase the security of network communications between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. There is a vulerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing and may expose Active directory domain controllers to elevation of privilege vulnerabilities. Microsoft Security Advisory ADV190023 address the issue by recommending the administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers. This hardening must be done manually until the release of the security update that will enable these settings by default.'
            Resolution  = 'Make sure to remove any Clients performing simple or unsigned bindings.'
            Importance  = 10
            Resources   = @(
        ExpectedOutput = $false
    Tests  = [ordered] @{
        SimpleBinds   = @{
            Enable     = $true
            Name       = 'Simple binds performed without SSL/TLS is 0'
            Parameters = @{
                Property      = 'Number of simple binds performed without SSL/TLS'
                ExpectedValue = 0
                OperationType = 'eq'
        UnsignedBinds = @{
            Enable     = $true
            Name       = 'Negotiate/Kerberos/NTLM/Digest binds performed without signing is 0'
            Parameters = @{
                Property      = 'Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing'
                ExpectedValue = 0
                OperationType = 'eq'

$MSSLegacy = @{
    Name   = 'DCMSSLegacy'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "MSS (Legacy)"
        Data           = {
            Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ComputerName $DomainController
        Details        = [ordered] @{
            Area        = 'Security'
            Category    = 'Network'
            Description = 'Provides verification of MSS Network Settings on Domain Controllers'
            Resolution  = ''
            Importance  = 10
            Resources   = @(
        Requirements   = @{
            CommandAvailable = 'Get-PSRegistry'
        ExpectedOutput = $true
    Tests  = [ordered] @{
        DisableIPSourceRouting = @{
            Enable     = $true
            Name       = 'DisableIPSourceRouting'
            Parameters = @{
                Property      = 'DisableIPSourceRouting'
                ExpectedValue = 2
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'Highest protection, source routing is completely disabled'
                Resolution  = ''
                Importance  = 10
                Resources   = @(
        EnableICMPRedirect     = @{
            Enable     = $true
            Name       = 'EnableICMPRedirect'
            Parameters = @{
                Property      = 'EnableICMPRedirect'
                ExpectedValue = 0
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

#Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ComputerName AD1
#Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ComputerName AD1
$NetSessionEnumeration = @{
    Name   = 'DCNetSessionEnumeration'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Net Session Enumeration"
        Data           = {
            $Registry = Get-PSRegistry -RegistryPath "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity" -ComputerName $DomainController
            $CSD = [System.Security.AccessControl.CommonSecurityDescriptor]::new($true, $false, $Registry.SrvsvcSessionInfo, 0)
            $CSD.DiscretionaryAcl.SecurityIdentifier | Where-Object { $_ -eq 'S-1-5-11' }
            # ConvertFrom-SID -sid $CSD.DiscretionaryAcl.SecurityIdentifier | Where-Object { $_.Name -eq 'Authenticated Users' }
        Details        = [ordered] @{
            Type        = 'Security'
            Area        = ''
            Description = 'Net Session Enumeration is a method used to retrieve information about established sessions on a server. Any domain user can query a server for its established sessions.'
            Resolution  = 'Hardening Net Session Enumeration'
            Importance  = 10
            Resources   = @(
        Requirements   = @{
            CommandAvailable = 'Get-PSRegistry'
        ExpectedOutput = $false
$NetworkCardSettings = @{
    Name   = 'DCNetworkCardSettings'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Get all network interfaces and firewall status"
        Data           = {
            Get-ComputerNetwork -ComputerName $DomainController
        Details        = [ordered] @{
            Area        = 'Connectivity'
            Category    = ''
            Severity    = ''
            Importance  = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        NETBIOSOverTCIP        = @{
            Enable     = $true
            Name       = 'NetBIOS over TCIP should be disabled.'
            Parameters = @{
                Property      = 'NetBIOSOverTCPIP'
                ExpectedValue = 'Disabled'
                OperationType = 'eq'
            Details    = @{
                Area        = 'Connectivity'
                Category    = 'Legacy Protocols'
                Severity    = 'Critical'
                Importance  = 90 # 100 is top
                Description = @'
                NetBIOS over TCP/IP is a networking protocol that allows legacy computer applications relying on the NetBIOS to be used on modern TCP/IP networks.
                Enabling NetBios might help an attackers access shared directories, files and also gain sensitive information such as computer name, domain, or workgroup.

                Resolution  = 'Disable NetBIOS over TCPIP'
                Resources   = @(
        Loopbackpresent        = @{
            Enable     = $true
            Name       = 'Loopback IP address should be list in DNS servers on network card'
            Parameters = @{
                Property      = 'DNSServerSearchOrder'
                ExpectedValue = ''
                OperationType = 'Contains'
        WindowsFirewall        = @{
            Enable     = $true
            Name       = 'Windows Firewall should be enabled on network card'
            Parameters = @{
                Property      = 'FirewallStatus'
                ExpectedValue = $true
                OperationType = 'eq'
        WindowsFirewallProfile = @{
            Enable     = $true
            Name       = 'Windows Firewall should be set on domain network profile'
            Parameters = @{
                Property      = 'FirewallProfile'
                ExpectedValue = 'DomainAuthenticated'
                OperationType = 'eq'
        DHCPDisabled           = @{
            Enable     = $false
            Name       = 'DHCP should be disabled on network card'
            Parameters = @{
                Property      = 'DHCPEnabled'
                ExpectedValue = $false
                OperationType = 'eq'
$NTDSParameters = @{
    Name   = 'DCNTDSParameters'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "NTDS Parameters"
        Data           = {
            Get-PSRegistry -RegistryPath "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -ComputerName $DomainController
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        DsaNotWritable = @{
            Enable     = $true
            Name       = 'Domain Controller should be writeable'
            Parameters = @{
                Property       = 'Dsa Not Writable'
                ExpectedOutput = $false
$OperatingSystem = @{
    Name   = 'DCOperatingSystem'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'Operating System'
        Data           = {
            Get-ComputerOperatingSystem -ComputerName $DomainController -WarningAction SilentlyContinue
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        OperatingSystem = @{
            Enable     = $true
            Name       = 'Operating system Windows Server 2012 and up'
            Parameters = @{
                Property              = 'OperatingSystem'
                ExpectedValue         = @('Microsoft Windows Server 2019*', 'Microsoft Windows Server 2016*', 'Microsoft Windows Server 2012*', 'Microsoft Windows Server 2022*')
                OperationType         = 'like'
                # this means Expected Value will require at least one $true comparison
                # anything else will require all values to match $true
                OperationResult       = 'OR'
                # This overwrites value, normally it shows results of comparison
                PropertyExtendedValue = 'OperatingSystem'

$Pingable = @{
    Name   = 'DCPingable'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'Ping Connectivity'
        Data           = {
            Test-NetConnection -ComputerName $DomainController -WarningAction SilentlyContinue
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        Ping = @{
            Enable     = $true
            Name       = 'Responding to PING'
            Parameters = @{
                Property              = 'PingSucceeded'
                PropertyExtendedValue = 'PingReplyDetails', 'RoundtripTime'
                ExpectedValue         = $true
                OperationType         = 'eq'
$Ports = [ordered] @{
    Name = 'DCPorts'
    Enable = $true
    Scope  = 'DC'
    Source = [ordered] @{
        Name           = 'TCP Ports are open/closed as required' # UDP Testing is unreliable for now
        Data           = {
            # Port 389, 636, 3268, 3269 are tested as LDAP Ports with proper LDAP
            $TcpPorts = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389)
            # $TcpPorts = @(25, 53, 88, 464, 5722, 9389)
            Test-ComputerPort -ComputerName $DomainController -PortTCP $TcpPorts -WarningAction SilentlyContinue
                ComputerName Port Protocol Status Summary Response
                ------------ ---- -------- ------ ------- --------
                AD1 53 TCP True TCP 53 Successful
                AD1 3389 TCP True TCP 3389 Successful
                AD7 53 TCP False TCP 53 Failed
                AD7 3389 TCP False TCP 3389 Failed

            # UDP Testing is unreliable
            <# Potential ports to test
                'WinRm' = @{ 'TCP' = 5985 }
                'Smb' = @{ 'TCP' = 445; 'UDP' = 445 }
                'Dns' = @{ 'TCP' = 53; 'UDP' = 53 }
                'ActiveDirectoryGeneral' = @{ 'TCP' = 25, 88, 389, 464, 636, 5722, 9389; 'UDP' = 88, 123, 389, 464 }
                'ActiveDirectoryGlobalCatalog' = @{ 'TCP' = 3268, 3269 }
                'NetBios' = @{ 'TCP' = 135, 137, 138, 139; 'UDP' = 137, 138, 139 }
                Test-ComputerPort -ComputerName $DomainController -PortTCP 25, 88, 389, 464, 636, 5722, 9389 -PortUDP 88, 123, 389, 464

        Requirements   = @{
            CommandAvailable = 'Test-NetConnection'
        Details        = [ordered] @{
            Area        = ''
            Category    = ''
            Severity    = ''
            Importance   = 0
            Description = ''
            Resolution  = ''
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        Port53   = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '53' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
        Port88   = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '88' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
        Port135  = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '135' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
        Port139  = [ordered] @{
            Enable     = $true
            Name       = 'Port is CLOSED'
            Parameters = @{
                WhereObject           = { $_.Port -eq '139' }
                Property              = 'Status'
                ExpectedValue         = $false
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            Details    = [ordered] @{
                Area        = ''
                Category    = ''
                Severity    = ''
                Importance   = 0
                Description = @'
                NetBIOS over TCP/IP is a networking protocol that allows legacy computer applications relying on the NetBIOS to be used on modern TCP/IP networks.
                Enabling NetBios might help an attackers access shared directories, files and also gain sensitive information such as computer name, domain, or workgroup.

                Resolution  = 'Disable NETBIOS over TCPIP'
                Resources   = @(
        Port445  = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '445' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
        Port464  = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '464' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
        Port636  = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '636' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'

        Port3268 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '3268' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
        Port3269 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '3269' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
        Port9389 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '9389' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
# This is already done in RDPSecurity as well, stays disabled by default.

$RDPPorts = [ordered] @{
    Name   = 'DCRDPPorts'
    Enable = $false
    Scope  = 'DC'
    Source = [ordered] @{
        Name           = 'RDP Port is open'
        Data           = {
            Test-ComputerPort -ComputerName $DomainController -PortTCP 3389 -WarningAction SilentlyContinue
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        PortOpen = [ordered] @{
            Enable     = $false
            Name       = 'Port is OPEN'
            Parameters = @{
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
$RDPSecurity = [ordered] @{
    Name   = 'DCRDPSecurity'
    Enable = $true
    Scope  = 'DC'
    Source = [ordered] @{
        Name           = 'RDP Security'
        Data           = {
            Get-ComputerRDP -ComputerName $DomainController -WarningAction SilentlyContinue
        Details        = [ordered] @{
            Area        = 'Connectivity'
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        PortOpen                 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                Property              = 'Connectivity'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'ConnectivitySummary'
            Details    = [ordered] @{
                Area        = 'Connectivity'
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(
        NLAAuthenticationEnabled = [ordered] @{
            Enable     = $true
            Name       = 'NLA Authentication is Enabled'
            Parameters = @{
                Property      = 'UserAuthenticationRequired'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = 'Connectivity'
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(
        MinimalEncryptionLevel   = [ordered] @{
            Enable     = $true
            Name       = 'Minimal Encryption Level is set to at least High'
            Parameters = @{
                Property              = 'MinimalEncryptionLevelValue'
                ExpectedValue         = 3
                OperationType         = 'ge'
                PropertyExtendedValue = 'MinimalEncryptionLevel'
            Details    = [ordered] @{
                Area        = 'Connectivity'
                Description = 'Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.'
                Resolution  = ''
                Importance  = 10
                Resources   = @(

$Services = [ordered] @{
    Name   = 'DCServices'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'Service Status'
        Data           = {
            $Services = @('ADWS', 'DNS', 'DFS', 'DFSR', 'Eventlog', 'EventSystem', 'KDC', 'LanManWorkstation', 'LanManServer', 'NetLogon', 'NTDS', 'RPCSS', 'SAMSS', 'Spooler', 'W32Time', 'XblGameSave', 'XblAuthManager')
            Get-PSService -Computers $DomainController -Services $Services
        Details        = [ordered] @{
            Category    = 'Configuration'
            Description = 'Active Directory is dependent on several Windows services. If one or more of these services is not configured for automatic startup, AD functions may be partially or completely unavailable until the services are manually started. This could result in a failure to replicate data or to support client authentication and authorization requests.'
            Importance  = 0
            Resources   = @(
            Tags        = 'Services', 'Configuration'
            StatusTrue  = 1
            StatusFalse = 5
        ExpectedOutput = $true
    Tests  = [ordered] @{
        ADWSServiceStatus                 = @{
            Enable     = $true
            Name       = 'ADWS Service is RUNNING'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'ADWS' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        ADWSServiceStartType              = @{
            Enable     = $true
            Name       = 'ADWS Service START TYPE is Automatic'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'ADWS' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        DNSServiceStatus                  = @{
            Enable     = $true
            Name       = 'DNS Service is RUNNING'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'DNS' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        DNSServiceStartType               = @{
            Enable     = $true
            Name       = 'DNS Service START TYPE is Automatic'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'DNS' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        DFSServiceStatus                  = @{
            Enable     = $true
            Name       = 'DFS Service is RUNNING'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'DFS' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        DFSServiceStartType               = @{
            Enable     = $true
            Name       = 'DFS Service START TYPE is Automatic'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'DFS' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        DFSRServiceStatus                 = @{
            Enable     = $true
            Name       = 'DFSR Service is RUNNING'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'DFSR' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        DFSRServiceStartType              = @{
            Enable     = $true
            Name       = 'DFSR Service START TYPE is Automatic'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'DFSR' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        EventlogServiceStatus             = @{
            Enable     = $true
            Name       = 'Eventlog Service is RUNNING'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'Eventlog' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        EventlogServiceStartType          = @{
            Enable     = $true
            Name       = 'Eventlog Service START TYPE is Automatic'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'Eventlog' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        EventSystemServiceStatus          = @{
            Enable     = $true
            Name       = 'EventSystem Service is RUNNING'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'EventSystem' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        EventSystemServiceStartType       = @{
            Enable     = $true
            Name       = 'EventSystem Service START TYPE is Automatic'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'EventSystem' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        KDCServiceStatus                  = @{
            Enable     = $true
            Name       = 'KDC Service is RUNNING'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'KDC' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        KDCServiceStartType               = @{
            Enable     = $true
            Name       = 'KDC Service START TYPE is Automatic'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'KDC' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        LanManWorkstationServiceStatus    = @{
            Enable     = $true
            Name       = 'LanManWorkstation Service is RUNNING'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'LanManWorkstation' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        LanManWorkstationServiceStartType = @{
            Enable     = $true
            Name       = 'LanManWorkstation Service START TYPE is Automatic'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'LanManWorkstation' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        LanManServerServiceStatus         = @{
            Enable     = $true
            Name       = 'LanManServer Service is RUNNING'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'LanManServer' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        LanManServerServiceStartType      = @{
            Enable     = $true
            Name       = 'LanManServer Service START TYPE is Automatic'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'LanManServer' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        NetLogonServiceStatus             = @{
            Enable     = $true
            Name       = 'NetLogon Service is RUNNING'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'NetLogon' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        NetLogonServiceStartType          = @{
            Enable     = $true
            Name       = 'NetLogon Service START TYPE is Automatic'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'NetLogon' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        NTDSServiceStatus                 = @{
            Enable     = $true
            Name       = 'NTDS Service is RUNNING'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'NTDS' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        NTDSServiceStartType              = @{
            Enable     = $true
            Name       = 'NTDS Service START TYPE is Automatic'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'NTDS' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        RPCSSServiceStatus                = @{
            Enable     = $true
            Name       = 'RPCSS Service is RUNNING'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'RPCSS' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        RPCSSServiceStartType             = @{
            Enable     = $true
            Name       = 'RPCSS Service START TYPE is Automatic'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'RPCSS' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        SAMSSServiceStatus                = @{
            Enable     = $true
            Name       = 'SAMSS Service is RUNNING'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'SAMSS' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        SAMSSServiceStartType             = @{
            Enable     = $true
            Name       = 'SAMSS Service START TYPE is Automatic'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'SAMSS' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        SpoolerServiceStatus              = @{
            Enable     = $true
            Name       = 'Spooler Service is STOPPED'

            Parameters = @{
                WhereObject    = { $_.Name -eq 'Spooler' }
                Property       = 'Status'
                ExpectedValue  = 'Stopped'
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details    = [ordered] @{
                Area        = 'Security'
                Category    = 'Services'
                Severity    = ''
                Importance  = 0
                Description = 'Due to security concerns SPOOLER should be disabled and stopped. However in some cases it may be required to have SPOOLER service up and running to cleanup stale printer objects from AD.'
                Resolution  = ''
                Resources   = @(

        SpoolerServiceStartType           = @{
            Enable     = $true
            Name       = 'Spooler Service START TYPE is DISABLED'

            Parameters = @{
                WhereObject    = { $_.Name -eq 'Spooler' }
                Property       = 'StartType'
                ExpectedValue  = 'Disabled'
                OperationType  = 'eq'
                ExpectedOutput = $false
            Details    = [ordered] @{
                Area        = 'Security'
                Category    = 'Services'
                Severity    = ''
                Importance  = 0
                Description = 'Due to security concerns SPOOLER should be disabled and stopped. However in some cases it may be required to have SPOOLER service up and running to cleanup stale printer objects from AD.'
                Resolution  = ''
                Resources   = @(

        W32TimeServiceStatus              = @{
            Enable     = $true
            Name       = 'W32Time Service is RUNNING'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'W32Time' }
                Property      = 'Status'
                ExpectedValue = 'Running'
                OperationType = 'eq'

        W32TimeServiceStartType           = @{
            Enable     = $true
            Name       = 'W32Time Service START TYPE is Automatic'

            Parameters = @{
                WhereObject   = { $_.Name -eq 'W32Time' }
                Property      = 'StartType'
                ExpectedValue = 'Auto'
                OperationType = 'eq'
        XblAuthManagerServiceStatus       = @{
            Enable     = $true
            Name       = 'XblAuthManager Service is STOPPED'

            Parameters = @{
                WhereObject    = { $_.Name -eq 'XblAuthManager' }
                Property       = 'Status'
                ExpectedValue  = 'Stopped', 'N/A'
                OperationType  = 'in'
                ExpectedOutput = $false
        XblAuthManagerStartupType         = @{
            Enable     = $true
            Name       = 'XblAuthManager Service START TYPE is Disabled'

            Parameters = @{
                WhereObject    = { $_.Name -eq 'XblAuthManager' }
                Property       = 'StartType'
                ExpectedValue  = 'Disabled', 'N/A'
                OperationType  = 'in'
                ExpectedOutput = $false
        XblGameSaveServiceStatus          = @{
            Enable     = $true
            Name       = 'XblGameSave Service is STOPPED'
            Parameters = @{
                WhereObject    = { $_.Name -eq 'XblGameSave' }
                Property       = 'Status'
                ExpectedValue  = 'Stopped', 'N/A'
                OperationType  = 'in'
                ExpectedOutput = $false
        XblGameSaveStartupType            = @{
            Enable     = $true
            Name       = 'XblGameSave Service START TYPE is Disabled'

            Parameters = @{
                WhereObject    = { $_.Name -eq 'XblGameSave' }
                Property       = 'StartType'
                ExpectedValue  = 'Disabled', 'N/A'
                OperationType  = 'in'
                ExpectedOutput = $false

$ServiceWINRM = @{
    Name   = 'DCServiceWINRM'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Service WINRM"
        Data           = {
            Get-PSRegistry -RegistryPath 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -ComputerName $DomainController
        Details        = [ordered] @{
            Type        = 'Security'
            Area        = ''
            Description = 'Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins. The Windows Remote Management (WinRM) service must not store RunAs credentials.'
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        Requirements   = @{
            CommandAvailable = 'Get-PSRegistry'
        ExpectedOutput = $true
    Tests  = [ordered] @{
        DisableRunAs = @{
            Enable     = $true
            Name       = 'DisableRunAs'
            Parameters = @{
                Property      = 'DisableRunAs'
                ExpectedValue = 1
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins. The Windows Remote Management (WinRM) service must not store RunAs credentials.'
                Resolution  = ''
                Importance  = 10
                Resources   = @(

$SMBProtocols = @{
    Name   = 'DCSMBProtocols'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'SMB Protocols'
        Data           = {
            Get-ComputerSMB -ComputerName $DomainController
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(
        Requirements   = @{
            CommandAvailable = 'Get-ComputerSMB'
        ExpectedOutput = $true
    # BPA Recommendations
    Tests  = [ordered] @{
        AsynchronousCredits             = @{
            Enable     = $true
            Name       = 'AsynchronousCredits'
            Parameters = @{
                Property      = 'AsynchronousCredits'
                ExpectedValue = 64
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'AsynchronousCredits should have the recommended value'
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        AutoDisconnectTimeout           = @{
            Enable     = $true
            Name       = 'AutoDisconnectTimeout'
            Parameters = @{
                Property      = 'AutoDisconnectTimeout'
                ExpectedValue = 0
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'AutoDisconnectTimeout should have the recommended value'
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        CachedOpenLimit                 = @{
            Enable     = $true
            Name       = 'CachedOpenLimit'
            Parameters = @{
                Property      = 'CachedOpenLimit'
                ExpectedValue = 5
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'CachedOpenLimit should have the recommended value'
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        DurableHandleV2TimeoutInSeconds = @{
            Enable     = $true
            Name       = 'DurableHandleV2TimeoutInSeconds'
            Parameters = @{
                Property      = 'DurableHandleV2TimeoutInSeconds'
                ExpectedValue = 30
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'DurableHandleV2TimeoutInSeconds should have the recommended value'
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        EnableSMB1Protocol              = @{
            Enable     = $true
            Name       = 'SMB v1 Protocol should be disabled'
            Parameters = @{
                Property      = 'EnableSMB1Protocol'
                ExpectedValue = $false
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        EnableSMB2Protocol              = @{
            Enable     = $true
            Name       = 'SMB v2 Protocol should be enabled'
            Parameters = @{
                Property      = 'EnableSMB2Protocol'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        MaxThreadsPerQueue              = @{
            Enable     = $true
            Name       = 'MaxThreadsPerQueue'
            Parameters = @{
                Property      = 'MaxThreadsPerQueue'
                ExpectedValue = 20
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'MaxThreadsPerQueue should have the recommended value'
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        Smb2CreditsMin                  = @{
            Enable     = $true
            Name       = 'Smb2CreditsMin'
            Parameters = @{
                Property      = 'Smb2CreditsMin'
                ExpectedValue = 128
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'Smb2CreditsMin should have the recommended value'
                Resolution  = ''
                Importance  = 10
                Resources   = @(

        Smb2CreditsMax                  = @{
            Enable     = $true
            Name       = 'Smb2CreditsMax'
            Parameters = @{
                Property      = 'Smb2CreditsMax'
                ExpectedValue = 2048
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = 'Smb2CreditsMax should have the recommended value'
                Resolution  = ''
                Importance  = 10
                Resources   = @(
        RequireSecuritySignature        = @{
            Enable     = $true
            Name       = 'SMB v2 Require Security Signature'
            Parameters = @{
                Property      = 'RequireSecuritySignature'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Area        = ''
                Description = ''
                Resolution  = ''
                Importance  = 10
                Resources   = @(


AnnounceComment :
AnnounceServer : False
AsynchronousCredits : 64
AuditSmb1Access : False
AutoDisconnectTimeout : 15
AutoShareServer : True
AutoShareWorkstation : True
CachedOpenLimit : 10
DurableHandleV2TimeoutInSeconds : 180
EnableAuthenticateUserSharing : False
EnableDownlevelTimewarp : False
EnableForcedLogoff : True
EnableLeasing : True
EnableMultiChannel : True
EnableOplocks : True
EnableSecuritySignature : False
EnableSMB1Protocol : False
EnableSMB2Protocol : True
EnableStrictNameChecking : True
EncryptData : False
IrpStackSize : 15
KeepAliveTime : 2
MaxChannelPerSession : 32
MaxMpxCount : 50
MaxSessionPerConnection : 16384
MaxThreadsPerQueue : 20
MaxWorkItems : 1
NullSessionPipes :
NullSessionShares :
OplockBreakWait : 35
PendingClientTimeoutInSeconds : 120
RejectUnencryptedAccess : True
RequireSecuritySignature : False
ServerHidden : True
Smb2CreditsMax : 2048
Smb2CreditsMin : 128
SmbServerNameHardeningLevel : 0
TreatHostAsStableStorage : False
ValidateAliasNotCircular : True
ValidateShareScope : True
ValidateShareScopeNotAliased : True
ValidateTargetName : True

$SMBShares = @{
    Name   = 'DCSMBShares'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'Default SMB Shares'
        Data           = {
            Get-ComputerSMBShare -ComputerName $DomainController -Translated
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        Requirements   = @{
            CommandAvailable = 'Get-ComputerSMBShare'
        ExpectedOutput = $true
    Tests  = [ordered] @{
        AdminShare   = @{
            Enable     = $true
            Name       = 'Remote Admin Share is available'
            Parameters = @{
                WhereObject           = { $_.Name -eq 'ADMIN$' }
                ExpectedCount         = 1
                PropertyExtendedValue = 'Path'
        DefaultShare = @{
            Enable     = $true
            Name       = 'Default Share is available'
            Parameters = @{
                WhereObject           = { $_.Name -eq 'C$' }
                ExpectedCount         = 1
                PropertyExtendedValue = 'Path'
        RemoteIPC    = @{
            Enable     = $true
            Name       = 'Remote IPC Share is available'
            Parameters = @{
                WhereObject           = { $_.Name -eq 'IPC$' }
                ExpectedCount         = 1
                PropertyExtendedValue = 'Path'
        NETLOGON     = @{
            Enable     = $true
            Name       = 'NETLOGON Share is available'
            Parameters = @{
                WhereObject           = { $_.Name -eq 'NETLOGON' }
                ExpectedCount         = 1
                PropertyExtendedValue = 'Path'
        SYSVOL       = @{
            Enable     = $true
            Name       = 'SYSVOL Share is available'
            Parameters = @{
                WhereObject           = { $_.Name -eq 'SYSVOL' }
                ExpectedCount         = 1
                PropertyExtendedValue = 'Path'
$SMBSharesPermissions = @{
    Name   = 'DCSMBSharesPermissions'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'Default SMB Shares Permissions'
        Data           = {
            Get-ComputerSMBSharePermissions -ComputerName $DomainController -ShareName 'Netlogon', 'Sysvol' -Translated
        Details        = [ordered] @{
            Area        = 'Security'
            Description = "SMB Shares for Sysvol and Netlogon should be at their defaults. That means 2 permissions for Netlogon and 3 for SysVol."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 20
            Resources   = @(

        Requirements   = @{
            CommandAvailable = 'Get-ComputerSMBSharePermissions'
        ExpectedOutput = $true
    Tests  = [ordered] @{
        OverallCount                  = @{
            Enable     = $true
            Name       = 'Should only have default number of permissions'
            Parameters = @{
                ExpectedCount = 5
            Details    = [ordered] @{
                Area        = 'Security'
                Description = "SMB Shares for Sysvol and Netlogon should be at their defaults. That means 2 permissions for Netlogon and 3 for SysVol."
                Resolution  = 'Add/Remove unnecessary permissions.'
                Importance  = 5
                Resources   = @(

        NetlogonEveryone              = @{
            Enable      = $true
            Name        = 'Netlogon Share Permissions - Everyone'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'NETLOGON' -and $_.AccountName -eq 'Everyone' }
                ExpectedCount = 1
            Area        = 'Security'
            Description = "SMB Shares for NETLOGON should contain Everyone with Read access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(

        NetlogonAdministrators        = @{
            Enable      = $true
            Name        = 'Netlogon Share Permissions - BUILTIN\Administrators'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'NETLOGON' -and $_.AccountName -eq 'BUILTIN\Administrators' }
                ExpectedCount = 1
            Area        = 'Security'
            Description = "SMB Shares for NETLOGON should contain BUILTIN\Administrators with Full access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(

        SysvolEveryone                = @{
            Enable      = $true
            Name        = 'SysVol Share Permissions - Everyone'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'SYSVOL' -and $_.AccountName -eq 'Everyone' }
                ExpectedCount = 1
            Area        = 'Security'
            Description = "SMB Shares for SYSVOL should contain Everyone with Read access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(

        SysvolAdministrators          = @{
            Enable      = $true
            Name        = 'SysVol Share Permissions - BUILTIN\Administrators'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'SYSVOL' -and $_.AccountName -eq 'BUILTIN\Administrators' }
                ExpectedCount = 1
            Area        = 'Security'
            Description = "SMB Shares for SYSVOL should contain BUILTIN\Administrators with Full access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(

        SysvolAuthenticatedUsers      = @{
            Enable      = $true
            Name        = 'SysVol Share Permissions - NT AUTHORITY\Authenticated Users'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'SYSVOL' -and $_.AccountName -eq 'NT AUTHORITY\Authenticated Users' }
                ExpectedCount = 1
            Area        = 'Security'
            Description = "SMB Shares for SYSVOL should contain NT AUTHORITY\Authenticated Users with Full access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(


        NetlogonEveryoneValue         = @{
            Enable      = $true
            Name        = 'Netlogon Share Permissions Value - Everyone'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'NETLOGON' -and $_.AccountName -eq 'Everyone' }
                Property      = 'AccessRight'
                ExpectedValue = 'Read'
                OperationType = 'eq'
            Area        = 'Security'
            Description = "SMB Shares for NETLOGON should contain Everyone with Read access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(

        NetlogonAdministratorsValue   = @{
            Enable      = $true
            Name        = 'Netlogon Share Permissions Value - BUILTIN\Administrators'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'NETLOGON' -and $_.AccountName -eq 'BUILTIN\Administrators' }
                Property      = 'AccessRight'
                ExpectedValue = 'Full'
                OperationType = 'eq'
            Area        = 'Security'
            Description = "SMB Shares for NETLOGON should contain BUILTIN\Administrators with Full access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(

        SysvolEveryoneValue           = @{
            Enable      = $true
            Name        = 'SysVol Share Permissions Value - Everyone'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'SYSVOL' -and $_.AccountName -eq 'Everyone' }
                Property      = 'AccessRight'
                ExpectedValue = 'Read'
                OperationType = 'eq'
            Area        = 'Security'
            Description = "SMB Shares for SYSVOL should contain Everyone with Read access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(

        SysvolAdministratorsValue     = @{
            Enable      = $true
            Name        = 'SysVol Share Permissions Value - BUILTIN\Administrators'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'SYSVOL' -and $_.AccountName -eq 'BUILTIN\Administrators' }
                Property      = 'AccessRight'
                ExpectedValue = 'Full'
                OperationType = 'eq'
            Area        = 'Security'
            Description = "SMB Shares for SYSVOL should contain BUILTIN\Administrators with Full access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(

        SysvolAuthenticatedUsersValue = @{
            Enable      = $true
            Name        = 'SysVol Share Permissions Value - NT AUTHORITY\Authenticated Users'
            Parameters  = @{
                WhereObject   = { $_.Name -eq 'SYSVOL' -and $_.AccountName -eq 'NT AUTHORITY\Authenticated Users' }
                Property      = 'AccessRight'
                ExpectedValue = 'Full'
                OperationType = 'eq'
            Area        = 'Security'
            Description = "SMB Shares for SYSVOL should contain NT AUTHORITY\Authenticated Users with Full access rights."
            Resolution  = 'Add/Remove unnecessary permissions.'
            Importance  = 5
            Resources   = @(


$TimeSettings = [ordered] @{
    Name   = 'DCTimeSettings'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Time Settings"
        Data           = {
            Get-TimeSettings -ComputerName $DomainController -Domain $Domain
        Details        = [ordered] @{
            Area        = 'Configuration'
            Description = ''
            Resolution  = ''
            Importance  = 2
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        NTPServerEnabled           = @{
            Enable     = $true
            Name       = 'NtpServer must be enabled.'
            Parameters = @{
                WhereObject   = { $_.ComputerName -eq $DomainController }
                Property      = 'NtpServerEnabled'
                ExpectedValue = $true
                OperationType = 'eq'
        NTPServerIntervalMissing   = @{
            Enable     = $true
            Name       = 'Ntp Server Interval should be set'
            Parameters = @{
                WhereObject   = { $_.ComputerName -eq $DomainController }
                Property      = 'NtpServerIntervals'
                ExpectedValue = 'Missing'
                OperationType = 'notcontains'
        NTPServerIntervalIncorrect = @{
            Enable     = $true
            Name       = 'Ntp Server Interval should be within known settings'
            Parameters = @{
                WhereObject   = { $_.ComputerName -eq $DomainController }
                Property      = 'NtpServerIntervals'
                ExpectedValue = 'Incorrect'
                OperationType = 'notcontains'
        VMTimeProvider             = @{
            Enable     = $true
            Name       = 'Virtual Machine Time Provider should be disabled.'
            Parameters = @{
                WhereObject   = { $_.ComputerName -eq $DomainController }
                Property      = 'VMTimeProvider'
                ExpectedValue = $false
                OperationType = 'eq'
        NtpTypeNonPDC              = [ordered]  @{
            Enable       = $true
            Name         = 'NTP Server should be set to Domain Hierarchy'
            Requirements = @{
                IsPDC = $false
            Parameters   = @{
                WhereObject   = { $_.ComputerName -eq $DomainController }
                Property      = 'NtpType'
                ExpectedValue = 'NT5DS'
                OperationType = 'eq'

        NtpTypePDC                 = [ordered] @{
            Enable       = $true
            Name         = 'NTP Server should be set to NTP'
            Requirements = @{
                IsPDC = $true
            Parameters   = @{
                WhereObject   = { $_.ComputerName -eq $DomainController }
                Property      = 'NtpType'
                ExpectedValue = 'NTP'
                OperationType = 'eq'

$TimeSynchronizationExternal = @{
    Name               = 'DCTimeSynchronizationExternal'
    Enable             = $true
    Scope              = 'DC'
    Source             = @{
        Name           = "Time Synchronization External"
        Data           = {
            Get-ComputerTime -TimeTarget $DomainController -WarningAction SilentlyContinue -TimeSource $TimeSource
        Parameters     = @{
            TimeSource = 'pool.ntp.org'
        Details        = [ordered] @{
            Area        = ''
            Category    = 'Configuration'
            Description = ''
            Resolution  = ''
            Importance  = 2
            Resources   = @(
                '[How to: Fix Time Sync in your Domain](https://community.spiceworks.com/how_to/166215-fix-time-sync-in-your-domain-use-w32time)'
                '[Windows Time Settings in a Domain](https://www.concurrency.com/blog/october-2018/windows-time-settings-in-a-domain)'
        ExpectedOutput = $true
    Tests              = [ordered] @{
        TimeSynchronizationTest = @{
            Enable     = $true
            Name       = 'Time Difference'
            Details    = [ordered] @{
                Area        = ''
                Category    = 'Configuration'
                Description = ''
                Importance  = 2
                Resources   = @(

            Parameters = @{
                Property              = 'TimeDifferenceSeconds'
                ExpectedValue         = 1
                OperationType         = 'le'
                PropertyExtendedValue = 'TimeDifferenceSeconds'
    MicrosoftMaterials = 'https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773263(v=ws.10)#w2k3tr_times_tools_uhlp'
$TimeSynchronizationInternal = @{
    Name   = 'DCTimeSynchronizationInternal'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Time Synchronization Internal"
        Data           = {
            Get-ComputerTime -TimeTarget $DomainController -WarningAction SilentlyContinue
        Details        = [ordered] @{
            Category    = 'Configuration'
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 2
            Resources   = @(
        ExpectedOutput = $true
    Tests  = [ordered] @{
        LastBootUpTime          = @{
            Enable     = $true
            Name       = 'Last Boot Up time should be less than X days'
            Parameters = @{
                Property      = 'LastBootUpTime'
                ExpectedValue = '(Get-Date).AddDays(-60)'
                OperationType = 'gt'
        TimeSynchronizationTest = @{
            Enable     = $true
            Name       = 'Time Difference'
            Parameters = @{
                Property              = 'TimeDifferenceSeconds'
                ExpectedValue         = 1
                OperationType         = 'le'
                PropertyExtendedValue = 'TimeDifferenceSeconds'

Name LocalDateTime RemoteDateTime InstallTime LastBootUpTime TimeDifferenceMinutes TimeDifferenceSeconds TimeDifferenceMilliseconds TimeSourceName Status
---- ------------- -------------- ----------- -------------- --------------------- --------------------- -------------------------- -------------- ------
AD2 17.09.2019 07:38:57 17.09.2019 07:38:57 30.05.2018 18:30:48 13.09.2019 07:54:10 0,0417166666666667 2,503 2503 AD1.ad.evotec.xyz
AD3 17.09.2019 07:38:56 17.09.2019 02:38:57 26.05.2019 17:30:17 13.09.2019 07:54:09 0,02175 1,305 1305 AD1.ad.evotec.xyz
EVOWin 17.09.2019 07:38:57 17.09.2019 07:38:57 24.05.2019 22:46:45 13.09.2019 07:53:44 0,0415 2,49 2490 AD1.ad.evotec.xyz

$UNCHardenedPaths = @{
    Name   = 'DCUNCHardenedPaths'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Hardened UNC Paths"
        Data           = {
            Get-PSRegistry -RegistryPath "HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -ComputerName $DomainController
        Details        = [ordered] @{
            Type        = 'Security'
            Area        = ''
            Description = 'Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.'
            Resolution  = 'Harden UNC Paths for SYSVOL and NETLOGON'
            Importance  = 10
            Resources   = @(
        Requirements   = @{
            CommandAvailable = 'Get-PSRegistry'
        Implementation = {

        Rollback       = {
            Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "*"
        ExpectedOutput = $true
    Tests  = [ordered] @{
        NetLogonUNCPath = @{
            Enable      = $true
            Name        = 'Netlogon UNC Hardening'
            Parameters  = @{
                Property      = '\\*\NETLOGON'
                ExpectedValue = 'RequireMutualAuthentication=1, RequireIntegrity=1', 'RequireMutualAuthentication=1,RequireIntegrity=1'
                OperationType = 'in'
            Description = "Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares."
        SysVolUNCPath   = @{
            Enable      = $true
            Name        = 'SysVol UNC Hardening'
            Parameters  = @{
                Property      = '\\*\SYSVOL'
                ExpectedValue = 'RequireMutualAuthentication=1, RequireIntegrity=1', 'RequireMutualAuthentication=1,RequireIntegrity=1'
                OperationType = 'in'
            Description = "Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares."
$WindowsFeaturesOptional = @{
    Name     = 'DCWindowsFeaturesOptional'
    Enable   = $true
    Scope    = 'DC'
    Source   = @{
        Name           = "Windows Features Optional"
        Data           = {
            $Output = Invoke-Command -ComputerName $DomainController -ErrorAction Stop {
                Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
            $Output | Select-Object -Property DisplayName, Description, RestartRequired, FeatureName, State
        Details        = [ordered] @{
            Category    = 'Configuration'
            Description = 'Windows optional features'
            Importance  = 0
            ActionType  = 0
            Resources   = @(
                "[The Windows PowerShell 2.0 feature must be disabled on the system](https://www.stigviewer.com/stig/windows_10/2017-04-28/finding/V-70637)"
            Tags        = 'Features', 'Configuration'
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests    = [ordered] @{
        # WindowsPowerShellRoot = @{
        # Enable = $true
        # Name = 'Windows PowerShell Root should be disabled'
        # Parameters = @{
        # WhereObject = { $_.FeatureName -eq 'MicrosoftWindowsPowerShellRoot' }
        # Property = 'State'
        # ExpectedValue = 'Disabled'
        # OperationType = 'eq'
        # }
        # Details = @{
        # Description = "Windows PowerShell 2.0 Engine includes the core components from Windows PowerShell 2.0 for backward compatibility with existing Windows PowerShell host applications. Windows PowerShell 5.0 added advanced logging features which can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature."
        # Tags = 'Backup', 'Configuration'
        # StatusTrue = 1
        # StatusFalse = 4
        # }
        # }
        WindowsPowerShell2 = @{
            Enable     = $true
            Name       = 'Windows PowerShell 2.0 should be disabled'
            Parameters = @{
                WhereObject   = { $_.FeatureName -eq 'MicrosoftWindowsPowerShellV2' }
                Property      = 'State'
                ExpectedValue = 'Disabled'
                OperationType = 'eq'
            Details    = @{
                Category    = 'Configuration'
                Importance  = 8
                ActionType  = 2
                Description = "Windows PowerShell 2.0 Engine includes the core components from Windows PowerShell 2.0 for backward compatibility with existing Windows PowerShell host applications. Windows PowerShell 5.0 added advanced logging features which can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature."
                Tags        = 'Backup', 'Configuration'
                StatusTrue  = 1
                StatusFalse = 4
    Solution = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Disabling Windows PowerShell 2.0' {
                        New-HTMLText -Text @(
                            "Windows PowerShell 5.0 added advanced logging features which can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature."
                        New-HTMLText -Text @(
                            "Run 'Windows PowerShell' with elevated privileges (run as administrator)."
                        New-HTMLCodeBlock -Style powershell {
                            Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2

                        New-HTMLText -Text @(
                            "In some cases it may be required to disable MicrosoftWindowsPowerShellRoot. "
                            "Run 'Windows PowerShell' with elevated privileges (run as administrator)."
                        New-HTMLCodeBlock -Style powershell {
                            Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellRoot
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors

$WindowsRemoteManagement = @{
    Name   = 'DCWindowsRemoteManagement'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = 'Windows Remote Management'
        Data           = {
            Test-WinRM -ComputerName $DomainController
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        WindowsRemoteManagement = @{
            Enable1    = $true
            Name       = 'Test submits an identification request that determines whether the WinRM service is running.'
            Parameters = @{
                Property      = 'Status'
                ExpectedValue = $true
                OperationType = 'eq'
$WindowsRolesAndFeatures = @{
    Name   = 'DCWindowsRolesAndFeatures'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Windows Roles and Features"
        Data           = {
            Get-WindowsFeature -ComputerName $DomainController #| Where-Object { $_.'InstallState' -eq 'Installed' }
        ExpectedOutput = $true
    Tests  = [ordered] @{
        ActiveDirectoryDomainServices = @{
            Enable     = $true
            Name       = 'Active Directory Domain Services is installed'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'AD-Domain-Services' }
                Property      = 'Installed'
                ExpectedValue = $true
                OperationType = 'eq'
        DNSServer                     = @{
            Enable     = $true
            Name       = 'DNS Server is installed'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'DNS' }
                Property      = 'Installed'
                ExpectedValue = $true
                OperationType = 'eq'
        FileandStorageServices        = @{
            Enable     = $true
            Name       = 'File and Storage Services is installed'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'FileAndStorage-Services' }
                Property      = 'Installed'
                ExpectedValue = $true
                OperationType = 'eq'
        FileandiSCSIServices          = @{
            Enable     = $true
            Name       = 'File and iSCSI Services is installed'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'File-Services' }
                Property      = 'Installed'
                ExpectedValue = $true
                OperationType = 'eq'
        FileServer                    = @{
            Enable     = $true
            Name       = 'File Server is installed'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'FS-FileServer' }
                Property      = 'Installed'
                ExpectedValue = $true
                OperationType = 'eq'
        StorageServices               = @{
            Enable     = $true
            Name       = 'Storage Services is installed'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'Storage-Services' }
                Property      = 'Installed'
                ExpectedValue = $true
                OperationType = 'eq'
        WindowsPowerShell51           = @{
            Enable     = $true
            Name       = 'Windows PowerShell 5.1 is installed'
            Parameters = @{
                WhereObject   = { $_.Name -eq 'PowerShell' }
                Property      = 'Installed'
                ExpectedValue = $true
                OperationType = 'eq'
$WindowsUpdates = @{
    Name   = 'DCWindowsUpdates'
    Enable = $true
    Scope  = 'DC'
    Source = @{
        Name           = "Windows Updates"
        Data           = {
            Get-HotFix -ComputerName $DomainController | Sort-Object -Property InstalledOn -Descending | Select-Object -First 1 -Property HotFixID, InstalledOn, Description, InstalledBy
        Details        = [ordered] @{
            Area        = ''
            Description = ''
            Resolution  = ''
            Importance  = 10
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        WindowsUpdates = @{
            Enable     = $true
            Name       = 'Last Windows Updates should be less than X days ago'
            Parameters = @{
                Property      = 'InstalledOn'
                ExpectedValue = '(Get-Date).AddDays(-60)'
                OperationType = 'gt'
$Backup = @{
    Name            = "ForestBackup"
    Enable          = $true
    Scope           = 'Forest'
    Source          = @{
        Name           = 'Forest Backup'
        Data           = {
            Get-WinADLastBackup -Forest $ForestName
        Details        = [ordered] @{
            Category    = 'Configuration'
            Description = 'Active Directory is critical system for any company. Having a proper, up to date backup in place is crucial.'
            Importance  = 0
            ActionType  = 0
            Resources   = @(
                '[Backing Up and Restoring an Active Directory Server](https://docs.microsoft.com/en-us/windows/win32/ad/backing-up-and-restoring-an-active-directory-server)'
                '[Backup Active Directory (Full and Incremental Backup)](https://activedirectorypro.com/backup-active-directory/)'
            Tags        = 'Backup', 'Configuration'
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests           = [ordered] @{
        LastBackupTests = @{
            Enable     = $true
            Name       = 'Forest Last Backup Time'
            Parameters = @{
                ExpectedValue         = 2
                OperationType         = 'lt'
                Property              = 'LastBackupDaysAgo'
                PropertyExtendedValue = 'LastBackup'
                OverwriteName         = { "Last Backup $($_.NamingContext)" }
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                'Active Directory is critical system for any company. Having a proper, up to date backup is crucial. '
                'Last backup should be maximum few days old, if not less than 24 hours old. '
                "Please keep in mind that this test doesn't verifies the backup, nor provides information if the backup was saved to proper place and will be available for restore operations. "
                "This tests merely checks what was reported by Active Directory - that backup did happen. "
                "You should make sure that your backup, and more importantly restore process actually works! "
    DataHighlights  = {
        New-HTMLTableCondition -Name 'LastBackupDaysAgo' -ComparisonType number -BackgroundColor PaleGreen -Value 2 -Operator lt
        New-HTMLTableCondition -Name 'LastBackupDaysAgo' -ComparisonType number -BackgroundColor Salmon -Value 2 -Operator ge
        New-HTMLTableCondition -Name 'LastBackupDaysAgo' -ComparisonType number -BackgroundColor Tomato -Value 10 -Operator ge
$DuplicateSPN = @{
    Name            = 'ForestDuplicateSPN'
    Enable          = $true
    Scope           = 'Forest'
    Source          = @{
        Name           = 'Duplicate SPN'
        Data           = {
            Get-WinADDuplicateSPN -Forest $ForestName
        Details        = [ordered] @{
            Category    = 'Security'
            Description = "SPNs must be unique, so if an SPN already exists for a service on a server then you must delete the SPN that is is already registered to one account and recreate the SPN registered to the correct account."
            Importance  = 5
            ActionType  = 1
            Resources   = @(
                "[Duplicate SPN found - Troubleshooting Duplicate SPNs](https://support.squaredup.com/hc/en-us/articles/4406616176657-Duplicate-SPN-found-Troubleshooting-Duplicate-SPNs)"
                "[SPN and UPN uniqueness](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/spn-and-upn-uniqueness)"
                "[Name Formats for Unique SPNs](https://docs.microsoft.com/en-us/windows/win32/ad/name-formats-for-unique-spns)"
                "[Kerberos - duplicate SPNs](https://itworldjd.wordpress.com/2017/02/15/kerberos-duplicate-spns/)"
            StatusTrue  = 0
            StatusFalse = 5
        ExpectedOutput = $false
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                'Services use service publication in the Active Directory directory service to provide information about themselves in the directory for easy discovery by client applications and other services. '
                'Service publication occurs when the installation program for a service publishes information about the service, including binding and keyword data, to the directory. '
                'Service publication happens by creating service objects (also called connection point objects) in Active Directory. '
            New-HTMLText -Text @(
                'In addition, Active Directory supports service principal names (SPNs) as a means by which client applications can identify '
                'and authenticate the services that they use. Service authentication happens through Kerberos authentication of SPNs. '
                'Kerberos uses SPNs extensively. When a Kerberos client uses its TGT to request a service ticket for a specific service, the service uses SPN to identify it. '
                'The KDC will grant the client a service ticket that is encrypted in part with a shared secret '
                'that the service account identified by the AD account matches the SPN has (basically the account password). '
            New-HTMLText -Text @(
                'In the case of a duplicate SPN, what can happen is that the KDC will generate a service ticket that may base its shared secret on the wrong account. '
                'Then, when the client provides that ticket to the service during authentication, the service itself cannot decrypt it, and the authentication fails. '
                'The server will typically log an "AP Modified" error, and the client will see a "wrong principal" error code.'
    DataInformation = {
        New-HTMLText -Text 'Explanation to table columns:' -FontSize 10pt
        New-HTMLList {
            New-HTMLListItem -FontWeight bold, normal -Text "IsOrphaned", " - means object contains AdminCount set to 1, while not being a critical object or direct or indirect member of any critical system groups. "
            New-HTMLListItem -FontWeight bold, normal -Text "IsMember", " - means object is memberof (direct or indirect) of critical system groups. "
            New-HTMLListItem -FontWeight bold, normal -Text "IsCriticalSystemObject", " - means object is critical system object. "
        } -FontSize 10pt
    DataHighlights  = {
        # New-HTMLTableCondition -Name 'IsOrphaned' -ComparisonType string -BackgroundColor Salmon -Value $true
        # New-HTMLTableCondition -Name 'IsOrphaned' -ComparisonType string -BackgroundColor PaleGreen -Value $false
        # New-HTMLTableCondition -Name 'IsCriticalSystemObject' -ComparisonType string -BackgroundColor PaleGreen -Value $true
        # New-HTMLTableCondition -Name 'IsCriticalSystemObject' -ComparisonType string -BackgroundColor TangerineYellow -Value $false
$ForestConfigurationPartitionOwners = @{
    Name           = 'ForestConfigurationPartitionOwners'
    Enable         = $true
    Scope          = 'Forest'
    Source         = @{
        Name           = "Configuration Partitions: Owners"
        Data           = {
            Get-WinADACLConfiguration -Forest $ForestName -Owner -ObjectType site, subnet, siteLink
        Details        = [ordered] @{
            Category    = 'Security'
            Severity    = ''
            Importance  = 5
            Description = "The configuration partition contains replication topology and other configuration data that must be replicated throughout the forest. Every domain controller in the forest has a replica of the same configuration partition. Just like schema partition, there is just one master configuration partition per forest and a second one on all DCs in a forest. It contains the forest-wide active directory topology including DCs, sites, services, subnets and sitelinks. It is replicated to all DCs in a forest. Owners of Active Directory Configuration Partition, and more specifically Sites, Subnets and Sitelinks should always be set to Administrative (Domain Admins / Enterprise Admins). Being an owner of a site, subnet or sitelink is potentially dangerous and can lead to domain compromise. In comparison to ForestConfigurationPartitionOwnersContainers this test focuses only on chosen object types and nothing else. If there are issues reported in this test you may consider running Testimo with ForestConfigurationPartitionOwnersContainers check to verify if everything is as required. "
            Resources   = @(
                '[Escalating privileges with ACLs in Active Directory](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)'
                '[Site Topology Owner Role](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/site-topology-owner-role)'
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests          = [ordered] @{
        SiteOwners     = @{
            Enable     = $true
            Name       = 'Site Owners should be Administrative'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.ObjectType -eq 'Site' -and $_.OwnerType -ne 'Administrative' }
            Details    = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                StatusTrue  = 1
                StatusFalse = 3
        SubnetOwners   = @{
            Enable     = $true
            Name       = 'Subnet Owners should be Administrative'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.ObjectType -eq 'Subnet' -and $_.OwnerType -ne 'Administrative' }
            Details    = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                StatusTrue  = 1
                StatusFalse = 3
        SiteLinkOwners = @{
            Enable     = $true
            Name       = 'SiteLink Owners should be Administrative'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.ObjectType -eq 'SiteLink' -and $_.OwnerType -ne 'Administrative' }
            Details    = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                StatusTrue  = 1
                StatusFalse = 3
    DataHighlights = {
        New-HTMLTableCondition -Name 'OwnerType' -ComparisonType string -BackgroundColor Salmon -Value 'Administrative' -Operator ne -Row
        New-HTMLTableCondition -Name 'OwnerType' -ComparisonType string -BackgroundColor PaleGreen -Value 'Administrative' -Operator eq -Row
    Solution       = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Prepare environment' {
                        New-HTMLText -Text "To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery."
                        New-HTMLCodeBlock -Code {
                            Install-Module ADEssentials -Force
                            Import-Module ADEssentials -Force
                        } -Style powershell
                        New-HTMLText -Text "Using force makes sure newest version is downloaded from PowerShellGallery regardless of what is currently installed. Once installed you're ready for next step."
                    New-HTMLWizardStep -Name 'Prepare report' {
                        New-HTMLText -Text "Depending when this report was run you may want to prepare new report before proceeding fixing owners. To generate new report please use:"
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoBefore.ForestConfigurationPartitionOwners.html -Type ForestConfigurationPartitionOwners
                        New-HTMLText -Text @(
                            "When executed it will take a while to generate all data and provide you with new report depending on size of environment."
                            "Once confirmed that data is still showing issues and requires fixing please proceed with next step."
                        New-HTMLText -Text "Alternatively if you prefer working with console you can run: "
                        New-HTMLCodeBlock -Code {
                            $Output = Get-WinADACLConfiguration -ObjectType site, subnet, siteLink -Owner -Verbose
                            $Output | Format-Table # do your actions as desired
                        New-HTMLText -Text "It provides same data as you see in table above just doesn't prettify it for you."
                    New-HTMLWizardStep -Name 'Fix AD Partition Configuration Owners' {
                        New-HTMLText -Text @(
                            "Configuration partition contains important AD Objects. Those are among other objects Subnets, Sites and SiteLinks. "
                            "Those objects should have proper owners which usually means being owned by Domain Admins/Enterprise Admins or at some cases by NT AUTHORITY\SYSTEM account. "
                            "Following command when executed fixes owners of those types. "
                            "If the object has proper owner, the owner change is skipped. "
                            "It makes sure each critical AD Object is owned Administrative or WellKnownAdministrative account. "
                            "Make sure when running it for the first time to run it with ",
                            " parameter as shown below to prevent accidental overwrite."
                        ) -FontWeight normal, normal, normal, normal, normal, normal, bold, normal -Color Black, Black, Black, Black, Black, Black, Red, Black
                        New-HTMLCodeBlock -Code {
                            Repair-WinADACLConfigurationOwner -ObjectType site, siteLink, subnet -Verbose -WhatIf -LimitProcessing 2
                        New-HTMLText -TextBlock {
                            "After execution please make sure there are no errors, make sure to review provided output, and confirm that what is about to be fixed matches expected data. Once happy with results please follow with command: "
                        New-HTMLCodeBlock -Code {
                            Repair-WinADACLConfigurationOwner -ObjectType site, siteLink, subnet -Verbose -WhatIf
                        New-HTMLText -TextBlock {
                            "This command when executed repairs only first X object owners. Use LimitProcessing parameter to prevent mass fixing and increase the counter when no errors occur. "
                            "Repeat step above as much as needed increasing LimitProcessing count till there's nothing left. In case of any issues please review and action accordingly. "
                    New-HTMLWizardStep -Name 'Verification report' {
                        New-HTMLText -TextBlock {
                            "Once cleanup task was executed properly, we need to verify that report now shows no problems."
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoAfter.ForestConfigurationPartitionOwners.html -Type ForestConfigurationPartitionOwners
                        New-HTMLText -TextBlock {
                            "If there were issues reported by this test you may consider running additional test "
                            "ForestConfigurationPartitionOwnersContainers "
                            "which focuses on whole containers rather than just specific objects. "
                            "This is to make sure most of configuration partition is as expected when it comes to object owners."
                        } -FontWeight normal, bold, normal, normal -Color Black, Amaranth, Black, Black
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoAfter.ForestConfigurationPartitionOwnersContainers.html -Type ForestConfigurationPartitionOwnersContainers
                        New-HTMLText -Text "If everything is healthy in the report you're done! Enjoy rest of the day!" -Color BlueDiamond
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$ForestConfigurationPartitionOwnersContainers = @{
    # This test is disabled by default because
    Name           = 'ForestConfigurationPartitionOwnersContainers'
    Enable         = $false
    Scope          = 'Forest'
    Source         = @{
        Name           = "Configuration Partitions: Container Owners"
        Data           = {
            Get-WinADACLConfiguration -Forest $ForestName -Owner -ContainerType site, subnet, siteLink
        Details        = [ordered] @{
            Category    = 'Security'
            Importance  = 5
            Description = "The configuration partition contains replication topology and other configuration data that must be replicated throughout the forest. Every domain controller in the forest has a replica of the same configuration partition. Just like schema partition, there is just one master configuration partition per forest and a second one on all DCs in a forest. It contains the forest-wide active directory topology including DCs, sites, services, subnets and sitelinks. It is replicated to all DCs in a forest. Owners of Active Directory Configuration Partition, and more specifically Sites, Subnets and Sitelinks should always be set to Administrative (Domain Admins / Enterprise Admins). Being an owner of a site, subnet or sitelink is potentially dangerous and can lead to domain compromise. While ForestConfigurationPartitionOwners test checks only specific objects for ownership this test checks all objects within specific containers. This means every single object is required to have proper membership. "
            Resources   = @(
                '[Escalating privileges with ACLs in Active Directory](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)'
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests          = [ordered] @{
        SiteOwners     = @{
            Enable     = $true
            Name       = 'Site Container Owners should be Administrative or WellKnownAdministrative'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.ObjectType -eq 'Site' -and $_.OwnerType -notin 'Administrative', 'WellKnownAdministrative' }
            Details    = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                StatusTrue  = 1
                StatusFalse = 3
        SubnetOwners   = @{
            Enable     = $true
            Name       = 'Subnet Container Owners should be Administrative or WellKnownAdministrative'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.ObjectType -eq 'Subnet' -and $_.OwnerType -notin 'Administrative', 'WellKnownAdministrative' }
            Details    = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                StatusTrue  = 1
                StatusFalse = 3
        SiteLinkOwners = @{
            Enable     = $true
            Name       = 'SiteLink Container Owners should be Administrative or WellKnownAdministrative'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.ObjectType -eq 'SiteLink' -and $_.OwnerType -notin 'Administrative', 'WellKnownAdministrative' }
            Details    = [ordered] @{
                Category    = 'Security'
                Importance  = 5
                StatusTrue  = 1
                StatusFalse = 3
    DataHighlights = {
        New-HTMLTableCondition -Name 'OwnerType' -ComparisonType string -BackgroundColor Salmon -Value 'Administrative' -Operator ne -Row
        New-HTMLTableCondition -Name 'OwnerType' -ComparisonType string -BackgroundColor PaleGreen -Value 'Administrative' -Operator eq -Row
        New-HTMLTableCondition -Name 'OwnerType' -ComparisonType string -BackgroundColor PaleGreen -Value 'WellKnownAdministrative' -Operator eq -Row
    Solution       = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Prepare environment' {
                        New-HTMLText -Text "To be able to execute actions in automated way please install required modules. Those modules will be installed straight from Microsoft PowerShell Gallery."
                        New-HTMLCodeBlock -Code {
                            Install-Module ADEssentials -Force
                            Import-Module ADEssentials -Force
                        } -Style powershell
                        New-HTMLText -Text "Using force makes sure newest version is downloaded from PowerShellGallery regardless of what is currently installed. Once installed you're ready for next step."
                    New-HTMLWizardStep -Name 'Prepare report' {
                        New-HTMLText -Text "Depending when this report was run you may want to prepare new report before proceeding fixing owners. To generate new report please use:"
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoBefore.ForestConfigurationPartitionOwnersContainers.html -Type ForestConfigurationPartitionOwnersContainers
                        New-HTMLText -Text @(
                            "When executed it will take a while to generate all data and provide you with new report depending on size of environment."
                            "Once confirmed that data is still showing issues and requires fixing please proceed with next step."
                        New-HTMLText -Text "Alternatively if you prefer working with console you can run: "
                        New-HTMLCodeBlock -Code {
                            $Output = Get-WinADACLConfiguration -ContainerType site, subnet, siteLink -Owner -Verbose
                            $Output | Format-Table # do your actions as desired
                        New-HTMLText -Text "It provides same data as you see in table above just doesn't prettify it for you."
                    New-HTMLWizardStep -Name 'Fix AD Partition Configuration (Containers) Owners' {
                        New-HTMLText -Text @(
                            "Configuration partition contains important AD Objects. Those are among other objects Subnets, Sites and SiteLinks. "
                            "Those objects should have proper owners which usually means being owned by Domain Admins/Enterprise Admins or at some cases by NT AUTHORITY\SYSTEM account. "
                            "Following command when executed fixes owners of those types. "
                            "If the object has proper owner, the owner change is skipped. "
                            "It makes sure each critical AD Object is owned Administrative or WellKnownAdministrative account. "
                            "Make sure when running it for the first time to run it with ",
                            " parameter as shown below to prevent accidental overwrite."
                        ) -FontWeight normal, normal, normal, normal, normal, normal, bold, normal -Color Black, Black, Black, Black, Black, Black, Red, Black
                        New-HTMLText -Text "Make sure to fill in TargetDomain to match your Domain Admin permission account"

                        New-HTMLCodeBlock -Code {
                            Repair-WinADACLConfigurationOwner -ContainerType site, siteLink, subnet -Verbose -WhatIf -LimitProcessing 2
                        New-HTMLText -TextBlock {
                            "After execution please make sure there are no errors, make sure to review provided output, and confirm that what is about to be fixed matches expected data. Once happy with results please follow with command: "
                        New-HTMLCodeBlock -Code {
                            Repair-WinADACLConfigurationOwner -ContainerType site, siteLink, subnet -Verbose -WhatIf
                        New-HTMLText -TextBlock {
                            "This command when executed repairs only first X object owners. Use LimitProcessing parameter to prevent mass fixing and increase the counter when no errors occur. "
                            "Repeat step above as much as needed increasing LimitProcessing count till there's nothing left. In case of any issues please review and action accordingly. "
                    New-HTMLWizardStep -Name 'Verification report' {
                        New-HTMLText -TextBlock {
                            "Once cleanup task was executed properly, we need to verify that report now shows no problems."
                        New-HTMLCodeBlock -Code {
                            Invoke-Testimo -FilePath $Env:UserProfile\Desktop\TestimoAfter.ForestConfigurationPartitionOwnersContainers.html -Type ForestConfigurationPartitionOwnersContainers
                        New-HTMLText -Text "If everything is healthy in the report you're done! Enjoy rest of the day!" -Color BlueDiamond
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$ForestDHCP = @{
    Name            = "ForestDHCP"
    Enable          = $true
    Scope           = 'Forest'
    Source          = @{
        Name           = 'Forest DHCP'
        Data           = {
        Details        = [ordered] @{
            Category    = 'Configuration'
            Description = 'DHCP is important part of any network. Having DHCP registered in AD makes sure that all computers properly register themselves in DNS automatically. However, while tempting to put DHCP on the very same server with AD and DNS it should be hosted separately. The DHCP Server service performs TCP/IP configuration for DHCP clients, including dynamic assignments of IP addresses, specification of DNS servers, and connection-specific DNS names. Domain controllers do not require the DHCP Server service to operate and for higher security and server hardening it is recommended not to install the DHCP Server role on domain controllers.'
            Importance  = 0
            ActionType  = 0
            Resources   = @(
                "[Disable or remove the DHCP Server service installed on any domain controllers](https://docs.microsoft.com/en-us/services-hub/health/remediation-steps-ad/disable-or-remove-the-dhcp-server-service-installed-on-any-domain-controllers)"
            Tags        = 'DHCP', 'Configuration'
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $null
    Tests           = [ordered] @{
        DHCPonDC          = @{
            Enable     = $true
            Name       = 'DHCP on Domain Controller'
            Parameters = @{
                WhereObject   = { $_.IsDC -eq $true }
                ExpectedCount = 0
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
        DHCPResolvesInDNS = @{
            Enable     = $true
            Name       = 'DHCP Resolves in DNS'
            Parameters = @{
                WhereObject   = { $_.IsInDNS -eq $false }
                ExpectedCount = 0
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                'DHCP is important part of any network. Having DHCP registered in AD makes sure that all computers properly register themselves in DNS automatically. '
                'However, while tempting to put DHCP on the very same server with AD and DNS it should be hosted separately. '
                "The DHCP Server service performs TCP/IP configuration for DHCP clients, including dynamic assignments of IP addresses, "
                "specification of DNS servers, and connection-specific DNS names. "
                "Domain controllers do not require the DHCP Server service to operate and for higher security and server hardening it is recommended not to install the DHCP Server role on domain controllers."
            New-HTMLText -LineBreak
            New-HTMLText -Text @(
                'This test verifies that DHCP registed servers are registred in DNS (aka NOT DEAD) and that DHCP is not hosted on a Domain Controller.'
    DataHighlights  = {
        New-HTMLTableCondition -Name 'IsInDNS' -ComparisonType bool -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'IsDC' -ComparisonType bool -BackgroundColor PaleGreen -Value $false -Operator eq -FailBackgroundColor Salmon
    Solution        = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Prepare DHCP service removal' {
                        New-HTMLText -Text @(
                            "The DHCP Server service performs TCP/IP configuration for DHCP clients, including dynamic assignments of IP addresses, "
                            "specification of DNS servers, and connection-specific DNS names. "
                            "Domain controllers do not require the DHCP Server service to operate and for higher security and server hardening it is recommended not to install the DHCP Server role on domain controllers."
                        New-HTMLText -LineBreak
                        New-HTMLText -Text "Prepare & send communication about DHCP removal."
                    New-HTMLWizardStep -Name 'Move DHCP service' {
                        New-HTMLText -Text @(
                            "Please make sure before removing DHCP service that you first take care of moving DHCP service to a different server/device. "
                            "Please use proper SOP that's approved for your environment!"
                    New-HTMLWizardStep -Name 'Remove DHCP service from Domain Controller' {
                        New-HTMLText -Text "Following steps give a brief overview on steps required to disable and remove DHCP service. Please make sure you follow proper SOP as depending on Windows version and environment the steps may be different."

                        New-HTMLList {
                            New-HTMLListItem -Text 'Stop the DHCP Server service and disable it'
                            New-HTMLListItem -Text 'Click Start, type Run, type services.msc, and then click OK.'
                            New-HTMLListItem -Text 'In the list of services, look for a service titled DHCP Server.'
                            New-HTMLListItem -Text 'If it exists, double-click DHCP Server.'
                            New-HTMLListItem -Text 'On the General tab, under Startup type, select Disabled.'
                            New-HTMLListItem -Text "If the Service status says ‘Running’, click Stop."
                            New-HTMLListItem -Text 'Click OK.'

                        New-HTMLText -Text 'If there are no issues after disabling DHCP - remove DHCP Service in the Server Manager.'

                        New-HTMLList {
                            New-HTMLListItem -Text 'In the Server Manager, click Manage, and then click Remove Roles and Features.'
                            New-HTMLListItem -Text 'Click Next.'
                            New-HTMLListItem -Text 'Select the local server, and click Next.'
                            New-HTMLListItem -Text 'On the Remove server roles page, uncheck the checkbox for DHCP Server.'
                            New-HTMLListItem -Text 'Click Remove Features, then click Next.'
                            New-HTMLListItem -Text 'On the Remove features page, click Next.'
                            New-HTMLListItem -Text 'Click Remove.'
                            New-HTMLListItem -Text 'When the removal is complete, click Close.'

                        New-HTMLText -Text 'Repeat these steps for all affected domain controllers.'
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$ForestFSMORoles = @{
    Name   = 'ForestRoles'
    Enable = $true
    Scope  = 'Forest'
    Source = @{
        Name           = 'Roles availability'
        Data           = {
            Test-ADRolesAvailability -Forest $ForestName
        Details        = [ordered] @{
            Category    = 'Health'
            Description = ''
            Resolution  = ''
            Importance  = 0
            ActionType  = 0
            Severity    = 'High'
            Resources   = @(

            StatusTrue  = 0
            StatusFalse = 2
        ExpectedOutput = $true
    Tests  = [ordered] @{
        SchemaMasterAvailability       = @{
            Enable     = $true
            Name       = 'Schema Master Availability'
            Parameters = @{
                ExpectedValue         = $true
                Property              = 'SchemaMasterAvailability'
                OperationType         = 'eq'
                PropertyExtendedValue = 'SchemaMaster'
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 10
        DomainNamingMasterAvailability = @{
            Enable     = $true
            Name       = 'Domain Master Availability'
            Parameters = @{
                ExpectedValue         = $true
                Property              = 'DomainNamingMasterAvailability'
                OperationType         = 'eq'
                PropertyExtendedValue = 'DomainNamingMaster'
            Details    = [ordered] @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 10
$ForestSubnets = @{
    Name            = 'ForestSubnets'
    Enable          = $true
    Scope           = 'Forest'
    Source          = [ordered] @{
        Name           = 'Subnets verification'
        Data           = {
            Get-WinADForestSubnet -VerifyOverlap -Forest $ForestName
        Details        = [ordered] @{
            Category    = 'Configuration'
            Description = "AD subnets are used so that a machine can work out which AD site they should be in. If you have a subnet that hasn’t been defined to Active Directory, any machines will have difficulty identifying which AD site they should be in. This can easily lead to them authenticating against a domain controller that’s inappropriate from a network standpoint, which will cause a poor logon experience for those users."
            Importance  = 3
            ActionType  = 1
            Resources   = @(
                "[Configuring Active Directory Sites and Subnets](https://theitbros.com/active-directory-sites-and-subnets/)"
                "[How to Create an Active Directory Subnet/Site with /32 or /128 and Why](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-create-an-active-directory-subnet-site-with-32-or-128-and/ba-p/256105)"
                "[Active Directory subnets, sites, and site links](https://www.windows-active-directory.com/active-directory-subnets-sites-and-site-links.html)"
                "[Chapter 16. Managing sites and subnets](https://livebook.manning.com/book/learn-active-directory-management-in-a-month-of-lunches/chapter-16/44)"
            StatusTrue  = 1
            StatusFalse = 2
        ExpectedOutput = $true
    Tests           = [ordered] @{
        SubnetsWithoutSites = @{
            Enable      = $true
            Name        = 'Subnets without Sites'
            Description = 'Verify each subnet is attached to a site'
            Parameters  = @{
                WhereObject   = { $_.SiteStatus -eq $false }
                ExpectedCount = 0
            Details     = [ordered] @{
                Category    = 'Configuration'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 3
        SubnetsOverlapping  = @{
            Enable     = $true
            Name       = 'Subnets overlapping'
            Parameters = @{
                WhereObject   = { $_.Overlap -eq $true }
                ExpectedCount = 0
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 4
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                "AD subnets are used so that a machine can work out which AD site they should be in. "
                "If you have a subnet that hasn’t been defined to Active Directory, any machines will have difficulty identifying which AD site they should be in. "
                "This can easily lead to them authenticating against a domain controller that’s inappropriate from a network standpoint, which will cause a poor logon experience for those users. "
                "There are 3 stages to this test: "
            New-HTMLList {
                New-HTMLListItem -Text "Gather data about subnets. It should return at least one subnet to pass a test. "
                New-HTMLListItem -Text "Find subnets that are not attached to any sites. "
                New-HTMLListItem -Text "Find subnets that are overlapping with other subnets. "
            New-HTMLText -Text @(
                "All three tests are required to pass for properly configured Active Directory. "
    DataHighlights  = {
        New-HTMLTableCondition -Name 'SiteStatus' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
        #New-HTMLTableCondition -Name 'SiteStatus' -ComparisonType string -BackgroundColor Salmon -Value $false -Operator eq
        New-HTMLTableCondition -Name 'Overlap' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq
        New-HTMLTableCondition -Name 'Overlap' -ComparisonType string -BackgroundColor Salmon -Value $true -Operator eq
    DataInformation = {
        New-HTMLText -Text 'Explanation to table columns:' -FontSize 10pt
        New-HTMLList {
            New-HTMLListItem -FontWeight bold, normal -Text "SiteStatus", " - means subnet is assigned to a site. If it's false that means subnet is orphaned and it should be reassigned to proper site or deleted. "
            New-HTMLListItem -FontWeight bold, normal -Text "Overlap", " - means subnet is overlapping with other subnets which are shown in OverLapList column. This needs to be resolved by working with Network Team. "
        } -FontSize 10pt

        New-HTMLText -Text "Please keep in mind that overlapping is only assesed for IPv4. IPv6 is not assed. Site Status however works as expected for IPv6 as well." -FontSize 10pt
    Solution        = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Investigate Subnets without Sites' {
                        New-HTMLText -Text @(
                            "Subnets without sites are pretty uncommon. "
                            "This usually happens if site is deleted while the subnets are still attached to it. "
                            "Subnets without sites have no use. "
                            "Please move subnet to proper site, or if it's no longer needed, remove it totally. "
                    New-HTMLWizardStep -Name 'Investigate Subnets overlapping' {
                        New-HTMLText -Text @(
                            "Subnets are supposed to be unique across forest. "
                            "You can assign only one subnet to only one site. "
                            "However it's possible to define subnets that overlap already defined subnets such as will overlap with "
                            "This shouldn't happen as it will influence authentication process and cause poor logon experience. "
                            "Investigate why subnets are added with overlap and fix it. "
                            "Please make sure to consult it with appriopriate people or/and network team. "
                        ) -FontWeight normal, bold, normal, normal, normal, normal, bold, bold
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$OptionalFeatures = [ordered] @{
    Name            = "ForestOptionalFeatures"
    Enable          = $true
    Scope           = 'Forest'
    Source          = [ordered] @{
        Name           = 'Optional Features'
        Data           = {
        Details        = [ordered] @{
            Category    = 'Configuration'
            Description = "Verifies availability of Recycle Bin, LAPS and PAM in the Active Directory Forest."
            Importance  = 0
            ActionType  = 0
            Resources   = @(

            StatusTrue  = 0
            StatusFalse = 5
        ExpectedOutput = $true
    Tests           = [ordered] @{
        RecycleBinEnabled    = @{
            Enable     = $true
            Name       = 'Recycle Bin Enabled'
            Parameters = @{
                Property      = 'Recycle Bin Enabled'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category    = 'Configuration'
                Description = "The AD Recycle bin allows you to quickly restore deleted objects without the need of a system state or 3rd party backup. The recycle bin feature preserves all link valued and non link valued attributes. This means that a restored object will retain all it's settings when restored."
                Importance  = 5
                ActionType  = 2
                Resources   = @(
                    '[How to Enable Active Directory Recycle Bin (Server 2016)](https://activedirectorypro.com/enable-active-directory-recycle-bin-server-2016/)'
                StatusTrue  = 1
                StatusFalse = 4
        LapsAvailable        = @{
            Enable     = $true
            Name       = 'LAPS Schema Extended'
            Parameters = @{
                Property      = 'LAPS Enabled'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category    = 'Configuration'
                Description = "Microsoft Local Administrator Password Solution (LAPS) is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints. LAPS is a great mitigation tool against lateral movement and privilege escalation, by forcing all local Administrator accounts to have unique, complex passwords, so an attacker compromising one local Administrator account can’t move laterally to other endpoints and accounts that may share that same password."
                Importance  = 10
                ActionType  = 2
                Resources   = @(
                    '[Running LAPS in the race to security](https://blog.stealthbits.com/running-laps-in-the-race-to-security/)'
                    '[Lithnet LAPS Web App](https://github.com/lithnet/laps-web)'
                    '[Lithnet Access Manager](https://github.com/lithnet/access-manager)'
                    '[Getting Bitlocker and LAPS summary report with PowerShell](https://evotec.xyz/getting-bitlocker-and-laps-summary-report-with-powershell/)'
                    '[Backing up Bitlocker Keys and LAPS passwords from Active Directory](https://evotec.xyz/backing-up-bitlocker-keys-and-laps-passwords-from-active-directory/)'
                StatusTrue  = 1
                StatusFalse = 4
        WindowsLapsAvailable = @{
            Enable     = $true
            Name       = 'Windows LAPS Schema Extended'
            Parameters = @{
                Property      = 'Windows LAPS Enabled'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category    = 'Configuration'
                Description = "Microsoft Local Administrator Password Solution (LAPS) is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints. LAPS is a great mitigation tool against lateral movement and privilege escalation, by forcing all local Administrator accounts to have unique, complex passwords, so an attacker compromising one local Administrator account can’t move laterally to other endpoints and accounts that may share that same password."
                Importance  = 10
                ActionType  = 2
                Resources   = @(
                    '[LAPS is now integrated into Windows](https://borncity.com/win/2023/04/19/windows-server-update-your-active-directory-schema-for-the-current-windows-laps-version/)'
                StatusTrue  = 1
                StatusFalse = 4
        PrivAccessManagement = @{
            Enable     = $true
            Name       = 'Privileged Access Management Enabled'
            Parameters = @{
                Property      = 'Privileged Access Management Feature Enabled'
                ExpectedValue = $true
                OperationType = 'eq'
            Details    = [ordered] @{
                Category    = 'Configuration'
                Description = "Privileged Access Management (PAM) is a solution that helps organizations restrict privileged access within an existing Active Directory environment. Consider introducing PAM to your environment."
                Importance  = 5
                ActionType  = 0
                Resources   = @(
                    '[Privileged Access Management for Active Directory Domain Services](https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services)'
                StatusTrue  = 1
                StatusFalse = 0
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                "Following test verifies availability of Recycle Bin, LAPS and PAM in the Active Directory Forest. "
                "While LAPS and RecycleBin are quite critical for properly functioning Active Directory, PAM is just a recommendation and is not so easy to implement. "
                "Therefore only 2 out of 3 tests are considered critical. PAM test is optional. "
    DataHighlights  = {
        New-HTMLTableCondition -Name 'Value' -ComparisonType string -BackgroundColor PaleGreen -Value $true -Operator eq
        New-HTMLTableCondition -Name 'Value' -ComparisonType string -BackgroundColor Salmon -Value $false -Operator eq
$OrphanedAdmins = @{
    Name            = "ForestOrphanedAdmins"
    Enable          = $true
    Scope           = 'Forest'
    Source          = @{
        Name           = 'Orphaned Administrative Objects (AdminCount)'
        Data           = {
            Get-WinADPrivilegedObjects -Forest $ForestName
        Details        = [ordered] @{
            Category    = 'Security'
            Description = "Active Directory user, group, and computer objects possess an AdminCount attribute. The AdminCount attribute’s value defaults to NOT SET. Its utility comes from the fact when a user, group, or computer is added, either directly or transitively, to any of a specific set of protected groups its value is updated to 1. This can provide a relatively simple method by which objects with inherited administrative privileges may be identified. Consider this: a user is stamped with an AdminCount of 1, as a result of being added to Domain Admins; the user is removed from Domain Admins; the AdminCount value persists. In this instance the user is considered as orphaned. The ramifications? The AdminSDHolder ACL will be stamped upon this user every hour to protect against tampering. In turn, this can cause unexpected issues with delegation and application permissions."
            Importance  = 4
            ActionType  = 1
            Resources   = @(
                '[Security Focus: Orphaned AdminCount -eq 1 AD Users](https://blogs.technet.microsoft.com/poshchap/2016/07/29/security-focus-orphaned-admincount-eq-1-ad-users/)'
                "[Fun with Active Directory's AdminCount Attiribute](https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/)"
                '[AdminSDHolder, Protected Groups and SDPROP](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx)'
                '[Scanning for Active Directory Privileges & Privileged Accounts](https://adsecurity.org/?p=3658)'
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests           = [ordered] @{
        Enabled = @{
            Enable     = $true
            Name       = 'No orphaned AdminCount'
            Parameters = @{
                ExpectedCount = 0
                OperationType = 'eq'
                WhereObject   = { $_.IsOrphaned -ne $false }
            Details    = [ordered] @{
                Category    = 'Security'
                Importance  = 4
                StatusTrue  = 1
                StatusFalse = 2
    DataInformation = {
        New-HTMLText -Text 'Explanation to table columns:' -FontSize 10pt
        New-HTMLList {
            New-HTMLListItem -FontWeight bold, normal -Text "IsOrphaned", " - means object contains AdminCount set to 1, while not being a critical object or direct or indirect member of any critical system groups. "
            New-HTMLListItem -FontWeight bold, normal -Text "IsMember", " - means object is memberof (direct or indirect) of critical system groups. "
            New-HTMLListItem -FontWeight bold, normal -Text "IsCriticalSystemObject", " - means object is critical system object. "
        } -FontSize 10pt
    DataHighlights  = {
        New-HTMLTableCondition -Name 'IsOrphaned' -ComparisonType string -BackgroundColor Salmon -Value $true
        New-HTMLTableCondition -Name 'IsOrphaned' -ComparisonType string -BackgroundColor PaleGreen -Value $false
        New-HTMLTableCondition -Name 'IsCriticalSystemObject' -ComparisonType string -BackgroundColor PaleGreen -Value $true
        New-HTMLTableCondition -Name 'IsCriticalSystemObject' -ComparisonType string -BackgroundColor TangerineYellow -Value $false
$Replication = @{
    Name   = "ForestReplication"
    Enable = $true
    Scope  = 'Forest'
    Source = @{
        Name           = 'Forest Replication'
        Data           = {
            Get-WinADForestReplication -WarningAction SilentlyContinue -Forest $ForestName
        Details        = [ordered] @{
            Category    = 'Health'
            Description = ''
            Importance  = 10
            ActionType  = 2
            Severity    = 'High'
            Resources   = @(
                "[Active Directory Replication](https://blog.netwrix.com/2017/02/20/active-directory-replication/)"
                "[Active Directory Replication Concepts](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts)"
                "[Repadmin: How to Check Active Directory Replication](https://activedirectorypro.com/repadmin-how-to-check-active-directory-replication/)"
            StatusTrue  = 1
            StatusFalse = 5
        ExpectedOutput = $true
    Tests  = [ordered] @{
        ReplicationTests = @{
            Enable     = $true
            Name       = 'Replication Test'
            Parameters = @{
                ExpectedValue         = $true
                Property              = 'Status'
                OperationType         = 'eq'
                PropertyExtendedValue = 'StatusMessage'
                OverwriteName         = { "Replication from $($_.Server) to $($_.ServerPartner)" }
            Details    = @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5

$ReplicationStatus = @{
    Name   = "ForestReplicationStatus"
    Enable = $true
    Scope  = 'Forest'
    Source = @{
        Name           = 'Forest Replication using RepAdmin'
        Data           = {
            $Header = '"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"'
            $data = repadmin /showrepl * /csv
            $data[0] = $Header
            $data | ConvertFrom-Csv
        Details        = [ordered] @{
            Category    = 'Health'
            Description = ''
            Importance  = 10
            ActionType  = 2
            Severity    = 'High'
            Resources   = @(
                "[Active Directory Replication](https://blog.netwrix.com/2017/02/20/active-directory-replication/)"
                "[Active Directory Replication Concepts](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts)"
                "[Repadmin: How to Check Active Directory Replication](https://activedirectorypro.com/repadmin-how-to-check-active-directory-replication/)"
            StatusTrue  = 1
            StatusFalse = 5
        Requirements   = @{
            CommandAvailable = 'repadmin'
            IsInternalForest = $true
        ExpectedOutput = $true
    Tests  = [ordered] @{
        ReplicationTests = @{
            Enable     = $true
            Name       = 'Replication Test'
            Parameters = @{
                ExpectedValue         = 0
                Property              = 'Number of Failures'
                OperationType         = 'eq'
                PropertyExtendedValue = 'Last Success Time'
                OverwriteName         = { "Replication from $($_.'Source DSA') to $($_.'Destination DSA'), Naming Context: $($_.'Naming Context')" }
            Details    = @{
                Category    = 'Health'
                Importance  = 10
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
$RootKDS = @{
    Name            = "ForestRootKDS"
    Enable          = $true
    Scope           = 'Forest'
    Source          = @{
        Name           = 'Forest Root KDS Key'
        Data           = {
        Details        = [ordered] @{
            Category    = 'Configuration'
            Description = 'Active Directory KDS Root Key is required to create GMSA accounts'
            Importance  = 6
            ActionType  = 1
            Resources   = @(
                '[ConfigMgr – SQL and Active Directory gMSA](https://configmgr.com/tag/root-key/)'
                '[Create the Key Distribution Services KDS Root Key](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key)'
            Tags        = 'Configuration', 'GMSA'
            StatusTrue  = 1
            StatusFalse = 3
        ExpectedOutput = $true
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                "Domain Controllers (DC) require a root key to begin generating gMSA passwords. "
                "The domain controllers will wait up to 10 hours from time of creation to allow all domain controllers to converge their AD replication before allowing the creation of a gMSA. "
                "The 10 hours is a safety measure to prevent password generation from occurring before all DCs in the environment are capable of answering gMSA requests. "
                "If you try to use a gMSA too soon the key might not have been replicated to all domain controllers and therefore password retrieval might fail when the gMSA host attempts to retrieve the password. "
                "gMSA password retrieval failures can also occur when using DCs with limited replication schedules or if there is a replication issue."
    DataHighlights  = {

    Solution        = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Setting up KDS Root Key' {
                        New-HTMLText -Text @(
                            "On the Windows Server 2012 or later domain controller, run the Windows PowerShell from the Taskbar. "
                            "To create the KDS root key using the Add-KdsRootKey cmdlet, run the following command: "
                        New-HTMLCodeBlock {
                            Add-KdsRootKey -EffectiveImmediately
                        New-HTMLText -Text "The 10 hours is a safety measure to prevent password generation from occurring before all DCs in the environment are capable of answering gMSA requests."
                        New-HTMLText -LineBreak
                        New-HTMLText -Text @(
                            "The Effective time parameter can be used to give time for keys to be propagated to all DCs before use. "
                            "Using Add-KdsRootKey -EffectiveImmediately will add a root key to the target DC which will be used by the KDS service immediately. "
                            "However, other domain controllers will not be able to use the root key until replication is successful."
                            "For test environments with only one DC, you can create a KDS root key and set the start time in the past to avoid the interval wait for key generation by using the following procedure. "
                            "Validate that a 4004 event has been logged in the kds event log."
                        New-HTMLText -Text "To create the ", "KDS root key ", "using the ", "Add-KdsRootKey", " cmdlet" -Color None, Tangerine, None, Tangerine, None
                        New-HTMLCodeBlock {
                            Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$SiteLinks = @{
    Name   = "ForestSiteLinks"
    Enable = $true
    Scope  = 'Forest'
    Source = @{
        Name           = 'Site Links'
        Data           = {
            Get-WinADSiteLinks -Forest $ForestName
        Details        = [ordered] @{
            Area        = 'Configuration'
            Category    = 'Sites'
            Description = ''
            Resolution  = ''
            Importance  = 10
            Severity    = 'Informational'
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        MinimalReplicationFrequency = @{
            Enable     = $true
            Name       = 'Replication Frequency should be set to maximum 60 minutes'
            Parameters = @{
                Property      = 'ReplicationFrequencyInMinutes'
                ExpectedValue = 60
                OperationType = 'le'
        UseNotificationsForLinks    = @{
            Enable     = $true
            Name       = 'Automatic site links should use notifications'
            Parameters = @{
                Property              = 'Options'
                ExpectedValue         = 'UseNotify'
                OperationType         = 'contains'
                PropertyExtendedValue = 'Options'

$SiteLinksConnections = @{
    Name   = "ForestSiteLinksConnections"
    Enable = $true
    Scope  = 'Forest'
    Source = @{
        Name           = 'Site Links Connections'
        Data           = {
            Test-ADSiteLinks -Splitter ', ' -Forest $ForestName
        Details        = [ordered] @{
            Area        = 'Configuration'
            Category    = 'Sites'
            Description = ''
            Resolution  = ''
            Importance  = 10
            Severity    = 'Informational'
            Resources   = @(

        ExpectedOutput = $true
    Tests  = [ordered] @{
        AutomaticSiteLinks              = @{
            Enable      = $true
            Name        = 'All site links are automatic'
            Description = 'Verify there are no manually configured sitelinks'
            Parameters  = @{
                Property      = 'SiteLinksManualCount'
                ExpectedValue = 0
                OperationType = 'eq'
        SiteLinksCrossSiteNotifications = @{
            Enable     = $true
            Name       = 'All cross-site links use notifications'
            Parameters = @{
                Property      = 'SiteLinksCrossSiteNotUseNotifyCount'
                ExpectedValue = 0
                OperationType = 'eq'
        SiteLinksSameSiteNotifications  = @{
            Enable     = $true
            Name       = 'All same-site links have no notifications'
            Parameters = @{
                Property      = 'SiteLinksSameSiteUseNotifyCount'
                ExpectedValue = 0
                OperationType = 'eq'
        NoDisabledLinks                 = @{
            Enable     = $true
            Name       = 'All links are enabled'
            Parameters = @{
                Property      = 'SiteLinksDisabledCount'
                ExpectedValue = 0
                OperationType = 'eq'
$Sites = @{
    Name            = "ForestSites"
    Enable          = $true
    Scope           = 'Forest'
    Source          = [ordered] @{
        Name           = 'Forest Sites'
        Data           = {
            Get-WinADForestSites -Forest $ForestName
        Details        = [ordered] @{
            Category    = 'Configuration'
            Description = 'Sites are Active Directory objects that represent one or more TCP/IP subnets with highly reliable and fast network connections. Site information allows administrators to configure Active Directory access and replication to optimize usage of the physical network. Site objects are associated with a set of subnets, and each domain controller in a forest is associated with an Active Directory site according to its IP address. Sites can host domain controllers from more than one domain, and a domain can be represented in more than one site.'
            Importance  = 0
            ActionType  = 0
            Resources   = @(
                "[Site Functions](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/site-functions)"
                "[Active Directory Sites](https://www.windows-active-directory.com/active-directory-sites.html)"
            StatusTrue  = 0
            StatusFalse = 0
        ExpectedOutput = $true
    Tests           = [ordered] @{
        SitesWithoutDC      = @{
            Enable      = $true
            Name        = 'Sites without Domain Controllers'
            Description = 'Verify each `site has at least [one subnet configured]`'
            Parameters  = @{
                WhereObject   = { $_.DomainControllersCount -eq 0 }
                ExpectedCount = 0
            Details     = [ordered] @{
                Category    = 'Configuration'
                Importance  = 0
                ActionType  = 0
                StatusTrue  = 1
                StatusFalse = 0
        SitesWithoutSubnets = @{
            Enable     = $true
            Name       = 'Sites without Subnets'
            Parameters = @{
                WhereObject   = { $_.SubnetsCount -eq 0 }
                ExpectedCount = 0
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 2
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                "Sites are Active Directory objects that represent one or more TCP/IP subnets with highly reliable and fast network connections. "
                "Site information allows administrators to configure Active Directory access and replication to optimize usage of the physical network. "
                "Site objects are associated with a set of subnets, and each domain controller in a forest is associated with an Active Directory site according to its IP address. "
                "Sites can host domain controllers from more than one domain, and a domain can be represented in more than one site."
            ) #-LineBreak
            New-HTMLText -Text @(
                "Sites without subnets have no role and just stay there unused. "
                "Sites without Domain Controllers still have their role in the Active Directory Topology. "
                "Following tests finds "
                "sites without subnets "
                "and Domain Admins role is to asses whether such stie is still needed and is just missing a subnet, or should be deleted because it's no longer required. "
                "Following tests also finds "
                "sites without Domain Controllers"
                ", but this test is just informational - although if Domain Admin is aware of a site that is no longer required it should be deleted. "
            ) -FontWeight normal, normal, normal, bold, normal, normal, bold, normal
    DataHighlights  = {
        New-HTMLTableCondition -Name 'SubnetsCount' -ComparisonType number -BackgroundColor PaleGreen -Value 0 -Operator gt
        New-HTMLTableCondition -Name 'SubnetsCount' -ComparisonType number -BackgroundColor Salmon -Value 0 -Operator eq
        New-HTMLTableCondition -Name 'DomainControllersCount' -ComparisonType number -BackgroundColor PaleGreen -Value 0 -Operator gt
    Solution        = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Investigate Sites without Subnets' {
                        New-HTMLText -Text @(
                            "Sites without subnets have no use. "
                            "It can mean the site is no longer in use and can be safely deleted. "
                            "Please investigate and find out if that's really the case. "
                            "Otherwise you should create proper subnet for given site. "
                    New-HTMLWizardStep -Name 'Investigate Sites without Domain Controllers (optional)' {
                        New-HTMLText -Text @(
                            "Sites without Domain Controllers do happen and are quite common. "
                            "But this isn't always true. "
                            "Consider investigating whether sites without Domain Controller are as expected. "
                        ) -FontWeight normal, bold, normal, normal, normal, normal, bold, bold
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors
$TombstoneLifetime = @{
    Name           = "ForestTombstoneLifetime"
    Enable         = $true
    Scope          = 'Forest'
    Source         = [ordered]@{
        Name           = 'Tombstone Lifetime'
        Data           = {
            # Check tombstone lifetime (if blank value is 60)
            # Recommended value 720
            # Minimum value 180
            $Output = (Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE -Server $ForestName).configurationNamingContext)" -Server $ForestName -Properties tombstoneLifetime) | Select-Object -Property DistinguishedName, Name, objectClass, ObjectGuid, tombstoneLifetime
            if ($null -eq $Output) {
                [PSCustomObject] @{
                    TombstoneLifeTime = 60
            } else {
        Details        = [ordered] @{
            Category    = 'Configuration'
            Description = "A tombstone is a container object consisting of the deleted objects from AD. These objects have not been physically removed from the database. When an AD object, such as a user is deleted, the object technically remains in the directory for a given period of time; known as the Tombstone Lifetime. At that point, Active Directory sets the ‘isDeleted' attribute of the deleted object to TRUE and moves it to a special container called Tombstone (previously known as CN=Deleted Objects.) Once the object is older than the tombstone lifetime, it will be removed (physically deleted) by the garbage collection process."
            Importance  = 0
            ActionType  = 0
            Resources   = @(
                '[Understanding Tombstones, Active Directory, and How To Protect It](https://support.storagecraft.com/s/article/Understanding-Tombstones-Active-Directory-and-How-To-Protect-It?language=en_US)'
                '[Adjust Active Directory Tombstone Lifetime](https://helpcenter.netwrix.com/NA/Configure_IT_Infrastructure/AD/AD_Tombstone.html)'
            StatusTrue  = 0
            StatusFalse = 2
        ExpectedOutput = $true
    Tests          = [ordered] @{
        TombstoneLifetime = [ordered] @{
            Enable     = $true
            Name       = 'TombstoneLifetime should be set to minimum of 180 days'
            Parameters = @{
                ExpectedValue = 180
                Property      = 'TombstoneLifeTime'
                OperationType = 'ge'
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 7
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 3
    DataHighlights = {
        New-HTMLTableCondition -Name 'tombstoneLifetime' -ComparisonType number -BackgroundColor PaleGreen -Value 180 -Operator ge -Row
        New-HTMLTableCondition -Name 'tombstoneLifetime' -ComparisonType number -BackgroundColor Orange -Value 180 -Operator lt -Row
        New-HTMLTableCondition -Name 'tombstoneLifetime' -ComparisonType number -BackgroundColor Salmon -Value 60 -Operator le -Row
$Trusts = @{
    Name           = "ForestTrusts"
    Enable         = $true
    Scope          = 'Forest'
    Source         = @{
        Name           = "Trust Availability"
        Data           = {
            Get-WinADTrust -Forest $ForestName
        Details        = [ordered] @{
            Category    = 'Health', 'Configuration'
            Importance  = 4
            ActionType  = 0
            Description = 'Verifies if trusts are available and tests for trust unconstrained TGTDelegation'
            Resolution  = ''
            Resources   = @(
                '[Changes to Ticket-Granting Ticket (TGT) Delegation Across Trusts in Windows Server (CIS edition)](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/changes-to-ticket-granting-ticket-tgt-delegation-across-trusts/ba-p/440261)'
                "[Visually display Active Directory Trusts using PowerShell](https://evotec.xyz/visually-display-active-directory-trusts-using-powershell/)"
            StatusTrue  = 0
            StatusFalse = 3
        ExpectedOutput = $null
    Tests          = [ordered] @{
        TrustsConnectivity            = @{
            Enable     = $true
            Name       = 'Trust status'
            Parameters = @{
                OverwriteName = { "Trust status | Source $($_.'TrustSource'), Target $($_.'TrustTarget'), Direction $($_.'TrustDirection')" }
                Property      = 'TrustStatus'
                ExpectedValue = 'OK'
                OperationType = 'eq'
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 0
        TrustsQueryStatus             = @{
            Enable     = $true
            Name       = 'Trust Query Status'
            Parameters = @{
                OverwriteName = { "Trust query | Source $($_.'TrustSource'), Target $($_.'TrustTarget'), Direction $($_.'TrustDirection')" }
                Property      = 'QueryStatus'
                ExpectedValue = 'OK'
                OperationType = 'eq'
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
        TrustsUnconstrainedDelegation = @{
            Enable     = $true
            Name       = 'Trust unconstrained TGTDelegation'
            Parameters = @{
                # TGTDelegation should be set to $True (contrary to name)
                OverwriteName = { "Trust unconstrained TGTDelegation | Source $($_.'TrustSource'), Target $($_.'TrustTarget'), Direction $($_.'TrustDirection')" }
                WhereObject   = { ($_.'TrustAttributes' -ne 'Within Forest') -and ($_.'TrustDirection' -eq 'BiDirectional' -or $_.'TrustDirection' -eq 'InBound') }
                Property      = 'IsTGTDelegationEnabled'
                ExpectedValue = $false
                OperationType = 'eq'
            Details    = [ordered] @{
                Category    = 'Configuration'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
    DataHighlights = {
        New-HTMLTableCondition -Name 'QueryStatus' -ComparisonType string -BackgroundColor PaleGreen -Value 'OK' -Operator eq -FailBackgroundColor Salmon
        New-HTMLTableCondition -Name 'TrustStatus' -ComparisonType string -BackgroundColor PaleGreen -Value 'OK' -Operator eq -FailBackgroundColor Orange
        New-TableConditionGroup {
            New-HTMLTableCondition -Name 'TrustType' -ComparisonType string -Value 'Forest', 'External' -Operator in
            New-HTMLTableCondition -Name 'SIDFilteringQuarantined' -ComparisonType string -Value $true -Operator eq
        } -Logic AND -HighlightHeaders 'SIDFilteringQuarantined', 'TrustType' -BackgroundColor PaleGreen

        New-TableConditionGroup {
            New-HTMLTableCondition -Name 'TrustType' -ComparisonType string -Value 'Forest', 'External' -Operator in
            New-HTMLTableCondition -Name 'SIDFilteringQuarantined' -ComparisonType string -Value $false -Operator eq
        } -Logic AND -HighlightHeaders 'SIDFilteringQuarantined', 'TrustType' -BackgroundColor Salmon

        New-TableConditionGroup {
            New-HTMLTableCondition -Name 'TrustType' -ComparisonType string -Value 'TreeRoot' -Operator eq
        } -Logic AND -HighlightHeaders 'SIDFilteringQuarantined', 'TrustType' -BackgroundColor PaleGreen
$VulnerableSchemaClass = @{
    Name            = "ForestVulnerableSchemaClass"
    Enable          = $true
    Scope           = 'Forest'
    Source          = @{
        Name           = 'Vurnerable Schema Class'
        Data           = {
        Details        = [ordered] @{
            Category    = 'Security'
            Description = 'Environments running supported versions of Exchange Server should address CVE-2021-34470 by applying the CU and/or SU for the respective versions of Exchange, as described in Released: July 2021 Exchange Server Security Updates. Environments where the latest version of Exchange Server is any version before Exchange 2013, or environments where all Exchange servers have been removed, one can use a script to address the vulnerability.'
            Resolution  = ''
            Importance  = 5
            ActionType  = 1
            StatusTrue  = 1
            StatusFalse = 5
            Resources   = @(
                "[July 2021 Exchange Server Security Updates](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421)"
        ExpectedOutput = $true
    Tests           = [ordered] @{
        VurnerableSchemaClass = @{
            Enable     = $true
            Name       = 'Schema Class should not be vulnerable'
            Parameters = @{
                Property      = 'Vulnerable'
                ExpectedValue = $false
                OperationType = 'eq'
            Details    = @{
                Category    = 'Security'
                Importance  = 5
                ActionType  = 2
                StatusTrue  = 1
                StatusFalse = 5
    DataDescription = {
        New-HTMLSpanStyle -FontSize 10pt {
            New-HTMLText -Text @(
                'Environments running supported versions of Exchange Server should address CVE-2021-34470 by applying the CU and/or SU for the respective versions of Exchange, as described in Released: July 2021 Exchange Server Security Updates. '
            New-HTMLText -Text @(
                'Environments where the latest version of Exchange Server is any version before Exchange 2013, or environments where all Exchange servers have been removed, can use this script to address the vulnerability.'
    DataHighlights  = {
        New-HTMLTableCondition -Name 'Vulnerable' -ComparisonType string -BackgroundColor PaleGreen -Value $false -Operator eq
        New-HTMLTableCondition -Name 'Vulnerable' -ComparisonType string -BackgroundColor Salmon -Value $true -Operator eq
    Solution        = {
        New-HTMLContainer {
            New-HTMLSpanStyle -FontSize 10pt {
                New-HTMLWizard {
                    New-HTMLWizardStep -Name 'Vulnerable Schema Class' {
                        New-HTMLText -Text @(
                            "Depending whether there is still an Exchange Server present or not there are two ways to address the vulnerability."
                        ) -FontWeight normal, normal, normal, normal, normal, normal, bold, normal -Color Black, Black, Black, Black, Black, Black, Red, Black
                    New-HTMLWizardStep -Name 'Exchange Server is still in use' {
                        New-HTMLText -Text @(
                            "If the Exchange Server is still present, you can apply the CU "
                            "for the respective version of Exchange along with preparing the schema which will fix the vulnerability."
                            "More details can be found on [July 2021 Exchange Server Security Updates](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421)"
                    New-HTMLWizardStep -Name 'Exchange Server is not in use anymore or older version' {
                        New-HTMLText -Text "Without explicit action by a schema admin in your organization, you might be vulnerable to CVE-2021-34470 if:"
                        New-HTMLList {
                            New-HTMLListItem -Text "You ran Exchange Server in the past, but you have since uninstalled all Exchange servers."
                            New-HTMLListItem -Text "You still run Exchange Server, but only versions older than Exchange 2013 (namely,Exchange 2003, Exchange 2007 and/or Exchange 2010)."
                        New-HTMLText -Text "If your organization is in one of these scenarios, we recommend the following to update your Active Directory schema to address the vulnerability in CVE-2021-34470:"
                        New-HTMLText -Text "Download the script [Test-CVE-2021-34470](https://microsoft.github.io/CSS-Exchange/Security/Test-CVE-2021-34470/) from GitHub and use it to apply the needed schema update; please note the script requirements on the GitHub page."
                } -RemoveDoneStepOnNavigateBack -Theme arrows -ToolbarButtonPosition center -EnableAllAnchors

function Add-TestimoBaselines {
        [System.Collections.IDictionary[]] $BaseLineObjects
    $ListNewSources = [System.Collections.Generic.List[string]]::new()
    $ListOverwritten = [System.Collections.Generic.List[string]]::new()
    foreach ($Source in $BaseLineObjects) {
        if (-not $Script:TestimoConfiguration[$Source.Scope]) {
            $Script:TestimoConfiguration[$Source.Scope] = [ordered] @{}

        #$Execute = Compare-MultipleObjects -FlattenObject -Objects $Source.BaseLineSource, $Source.BaseLineTarget

        $ExcludeProperties = @(
            if ($Source.ExcludeProperty) {
        If ($Source.BaseLineSource -and $Source.BaseLineTarget) {
            try {
                $DataOutput = Compare-MultipleObjects -FlattenObject -Objects $Source.BaseLineSource, $Source.BaseLineTarget -ObjectsName "Source", "Target" -ExcludeProperty $ExcludeProperties -SkipProperties -AllProperties
            } catch {
                $DataOutput = $null
                Write-Warning -Message "Error comparing $($Source.BaseLineSource) and $($Source.BaseLineTarget) with error: $($_.Exception.Message)"
        } else {
            $DataOutput = $null

        $Script:TestimoConfiguration[$Source.Scope][$Source.Name] = @{
            Name           = $Source.Name
            Enable         = $true
            Scope          = $Source.Scope
            Source         = @{
                Name           = $Source.DisplayName
                DataCode       = 'Compare-MultipleObjects -FlattenObject -Objects $Source.BaseLineSource, $Source.BaseLineTarget -CompareNames "Source", "Target" -ExcludeProperty "*@odata*" -SkipProperties'
                DataOutput     = $DataOutput
                Details        = [ordered] @{
                    Area        = ''
                    Category    = $Source.Category
                    Severity    = ''
                    Importance  = 0
                    Description = ''
                    Resolution  = ''
                    Resources   = @(

                ExpectedOutput = $true
            Tests          = [ordered] @{
                Baseline = @{
                    Enable     = $true
                    Name       = 'Baseline comparison'
                    Parameters = @{
                        #OverwriteName = { "Trust status | Source $($_.'TrustSource'), Target $($_.'TrustTarget'), Direction $($_.'TrustDirection')" }
                        Property      = 'Status'
                        ExpectedValue = $true
                        OperationType = 'eq'
                        OverwriteName = { "Property $($_.Name)" }
                    Details    = [ordered] @{
                        Category    = $Source.Category
                        Importance  = 5
                        ActionType  = 2
                        StatusTrue  = 1
                        StatusFalse = 5
            DataHighlights = {
                New-HTMLTableCondition -Name 'Status' -ComparisonType bool -BackgroundColor PaleGreen -Value $true -Operator eq -FailBackgroundColor Salmon
    if ($ListNewSources.Count -gt 0) {
        Out-Informative -Text 'Following baseline sources were added' -Level 0 -Status $true -ExtendedValue ($ListNewSources -join ', ') -OverrideTextStatus "External Baselines"
    if ($ListOverwritten.Count -gt 0) {
        Out-Informative -Text 'Following baseline sources overwritten' -Level 0 -Status $true -ExtendedValue ($ListOverwritten -join ', ') -OverrideTextStatus "Overwritten Baselines"
function Add-TestimoSources {
        [string[]] $FolderPath
    $ListNewSources = [System.Collections.Generic.List[string]]::new()
    $ListOverwritten = [System.Collections.Generic.List[string]]::new()
    foreach ($Folder in $FolderPath) {
        $FilesWithCode = @( Get-ChildItem -Path "$Folder\*.ps1" -ErrorAction SilentlyContinue -Recurse )

        Foreach ($import in $FilesWithCode) {
            $Content = Get-Content -LiteralPath $import.fullname -Raw
            $Script = [scriptblock]::Create($Content)
            $Data = $Script.Invoke()
            foreach ($Source in $Data) {
                if (-not $Script:TestimoConfiguration[$Source.Scope]) {
                    $Script:TestimoConfiguration[$Source.Scope] = [ordered] @{}
                if ($Source.Scope -in 'Forest', 'Domain', 'DC') {
                    if ($Script:TestimoConfiguration['ActiveDirectory'][$Source.Name]) {
                    } else {
                    $Script:TestimoConfiguration['ActiveDirectory'][$Source.Name] = $Source
                } else {
                    $Script:TestimoConfiguration[$Source.Scope][$Source.Name] = $Source
    if ($ListNewSources.Count -gt 0) {
        Out-Informative -Text 'Following external sources were added' -Level 0 -Status $true -ExtendedValue ($ListNewSources -join ', ') -OverrideTextStatus "External Sources"
    if ($ListOverwritten.Count -gt 0) {
        Out-Informative -Text 'Following external sources overwritten' -Level 0 -Status $true -ExtendedValue ($ListOverwritten -join ', ') -OverrideTextStatus "Overwritten Sources"
function Get-RequestedSources {
        [string[]] $Sources,
        [string[]] $ExcludeSources,
        [string[]] $IncludeTags,
        [string[]] $ExcludeTags
    $NonWorking = [System.Collections.Generic.List[String]]::new()
    $Working = [System.Collections.Generic.List[String]]::new()
    $NonWorkingExclusions = [System.Collections.Generic.List[String]]::new()
    $WorkingExclusions = [System.Collections.Generic.List[String]]::new()
    foreach ($Source in $Sources) {
        $Found = $false
        foreach ($Key in $Script:TestimoConfiguration.Keys) {
            if ($Key -notin 'Types', 'Exclusions', 'Inclusions', 'Debug') {
                if ($Source -in $Script:TestimoConfiguration[$Key].Keys) {
                    $Found = $true
        if ($Found) {
        } else {
    foreach ($Source in $ExcludeSources) {
        $Found = $false
        foreach ($Key in $Script:TestimoConfiguration.Keys) {
            if ($Key -notin 'Types', 'Exclusions', 'Inclusions', 'Debug') {
                if ($Source -in $Script:TestimoConfiguration[$Key].Keys) {
                    $Found = $true
        if ($Found) {
        } else {
    foreach ($Tag in $IncludeTags) {
        foreach ($Key in $Script:TestimoConfiguration.Keys) {
            if ($Key -notin 'Types', 'Exclusions', 'Inclusions', 'Debug') {
                foreach ($Source in $Script:TestimoConfiguration[$Key].Keys) {
                    if ($Tag -in $Script:TestimoConfiguration[$Key][$Source]['Source']['Details'].Tags) {
    if ($IncludeTags.Count -gt 0) {
        Out-Informative -Text 'Following tags will be used' -Level 0 -Status $true -ExtendedValue ($IncludeTags -join ', ') -OverrideTextStatus "Tags"
    if ($ExcludeTags.Count -gt 0) {
        Out-Informative -Text 'Following tags will be excluded' -Level 0 -Status $true -ExtendedValue ($ExcludeTags -join ', ') -OverrideTextStatus "Tags"
    if ($Working.Count -gt 0) {
        Out-Informative -Text 'Following sources will be used' -Level 0 -Status $true -ExtendedValue ($Working -join ', ') -OverrideTextStatus "Valid Sources"
    if ($NonWorking.Count -gt 0) {
        Out-Informative -Text 'Following sources were provided incorrectly (skipping)' -Level 0 -Status $false -ExtendedValue ($NonWorking -join ', ') -OverrideTextStatus "Failed Sources"
    if ($WorkingExclusions.Count -gt 0) {
        Out-Informative -Text 'Following sources will be excluded' -Level 0 -Status $true -ExtendedValue ($WorkingExclusions -join ', ') -OverrideTextStatus "Valid Sources"
    if ($NonWorkingExclusions.Count -gt 0) {
        Out-Informative -Text 'Following sources for exclusions were provided incorrectly (skipping)' -Level 0 -Status $false -ExtendedValue ($NonWorkingExclusions -join ', ') -OverrideTextStatus "Failed Sources"
function Get-TestimoDomainControllers {
        [string] $Domain,
        [switch] $SkipRODC
    try {
        $DC = Get-ADDomainController -Discover -DomainName $Domain
        $DomainControllers = Get-ADDomainController -Server $DC.HostName[0] -Filter * -ErrorAction Stop
        if ($SkipRODC) {
            $DomainControllers = $DomainControllers | Where-Object { $_.IsReadOnly -eq $false }
        foreach ($_ in $DomainControllers) {
            if ($Script:TestimoConfiguration['Inclusions']['DomainControllers']) {
                if ($_ -in $Script:TestimoConfiguration['Inclusions']['DomainControllers']) {
                    [PSCustomObject] @{
                        Name  = $($_.HostName).ToLower()
                        IsPDC = $_.OperationMasterRoles -contains 'PDCEmulator'
                # We skip checking for exclusions
            if ($_.HostName -notin $Script:TestimoConfiguration['Exclusions']['DomainControllers']) {
                [PSCustomObject] @{
                    Name  = $($_.HostName).ToLower()
                    IsPDC = $_.OperationMasterRoles -contains 'PDCEmulator'
    } catch {
function Get-TestimoSourcesStatus {
        [string] $Scope
    $AllTests = foreach ($Source in $($Script:TestimoConfiguration.ActiveDirectory.Keys)) {
        if ($Scope -ne $Script:TestimoConfiguration.ActiveDirectory[$Source].Scope) {
    $AllTests -contains $true
function Import-TestimoConfiguration {
        [Object] $Configuration

    if ($Configuration) {
        if ($Configuration -is [System.Collections.IDictionary]) {
            $Option = 'Hashtable'
            $LoadedConfiguration = $Configuration
        } elseif ($Configuration -is [string]) {
            if (Test-Path -LiteralPath $Configuration) {
                $Option = 'File'
                $FileContent = Get-Content -LiteralPath $Configuration
            } else {
                $Option = 'JSON'
                $FileContent = $Configuration
            try {
                $LoadedConfiguration = $FileContent | ConvertFrom-Json
            } catch {
                Out-Informative -OverrideTitle 'Testimo' -Text "Loading configuration from JSON failed. Skipping." -Level 0 -Status $null -Domain $Domain -DomainController $DomainController -ExtendedValue ("Not JSON or syntax is incorrect.")
        } else {
            Out-Informative -OverrideTitle 'Testimo' -Text "Loading configuratio failed. Skipping." -Level 0 -Status $null -Domain $Domain -DomainController $DomainController -ExtendedValue ("Not JSON/Hashtable or syntax is incorrect.")
        Out-Informative -OverrideTitle 'Testimo' -Text "Using configuration provided by user" -Level 0 -Start

        if ($LoadedConfiguration -is [System.Collections.IDictionary]) {
            foreach ($Key in ($LoadedConfiguration).Keys) {
                if ($Script:TestimoConfiguration['ActiveDirectory'][$Key]) {
                    $Target = 'ActiveDirectory'
                } elseif ($Script:TestimoConfiguration['Office365'][$Key]) {
                    $Target = 'Office365'
                } else {
                    $Target = 'Unknown'
                if ($Target -ne 'Unknown') {
                    $Script:TestimoConfiguration[$Target][$Key]['Enable'] = $LoadedConfiguration.$Key.Enable

                    if ($null -ne $LoadedConfiguration[$Key]['Source']) {
                        if ($null -ne $LoadedConfiguration[$Key]['Source']['ExpectedOutput']) {
                            $Script:TestimoConfiguration[$Target][$Key]['Source']['ExpectedOutput'] = $LoadedConfiguration.$Key['Source']['ExpectedOutput']
                        if ($null -ne $LoadedConfiguration[$Key]['Source']['Parameters']) {
                            foreach ($Parameter in [string] $LoadedConfiguration[$Key]['Source']['Parameters'].Keys) {
                                $Script:TestimoConfiguration[$Target][$Key]['Source']['Parameters'][$Parameter] = $LoadedConfiguration[$Key]['Source']['Parameters'][$Parameter]
                    foreach ($Test in $LoadedConfiguration.$Key.Tests.Keys) {
                        $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Enable'] = $LoadedConfiguration.$Key.Tests.$Test.Enable

                        if ($null -ne $LoadedConfiguration.$Key.Tests.$Test.Parameters.ExpectedValue) {
                            $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Parameters']['ExpectedValue'] = $LoadedConfiguration.$Key.Tests.$Test.Parameters.ExpectedValue
                        if ($null -ne $LoadedConfiguration.$Key.Tests.$Test.Parameters.ExpectedCount) {
                            $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Parameters']['ExpectedCount'] = $LoadedConfiguration.$Key.Tests.$Test.Parameters.ExpectedCount
                        if ($null -ne $LoadedConfiguration.$Key.Tests.$Test.Parameters.Property) {
                            $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Parameters']['Property'] = $LoadedConfiguration.$Key.Tests.$Test.Parameters.Property
                        if ($null -ne $LoadedConfiguration.$Key.Tests.$Test.Parameters.OperationType) {
                            $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Parameters']['OperationType'] = $LoadedConfiguration.$Key.Tests.$Test.Parameters.OperationType
                } else {

        } else {
            foreach ($Key in ($LoadedConfiguration).PSObject.Properties.Name) {
                if ($Script:TestimoConfiguration['ActiveDirectory'][$Key]) {
                    $Target = 'ActiveDirectory'
                } elseif ($Script:TestimoConfiguration['Office365'][$Key]) {
                    $Target = 'Office365'
                } else {
                    $Target = 'Unknown'
                if ($Target -ne 'Unknown') {
                    $Script:TestimoConfiguration[$Target][$Key]['Enable'] = $LoadedConfiguration.$Key.Enable

                    if ($null -ne $LoadedConfiguration.$Key.'Source') {
                        if ($null -ne $LoadedConfiguration.$Key.'Source'.'ExpectedOutput') {
                            $Script:TestimoConfiguration[$Target][$Key]['Source']['ExpectedOutput'] = $LoadedConfiguration.$Key.'Source'.'ExpectedOutput'
                        if ($null -ne $LoadedConfiguration.$Key.'Source'.'Parameters') {
                            foreach ($Parameter in $LoadedConfiguration.$Key.'Source'.'Parameters'.PSObject.Properties.Name) {
                                $Script:TestimoConfiguration[$Target][$Key]['Source']['Parameters'][$Parameter] = $LoadedConfiguration.$Key.'Source'.'Parameters'.$Parameter

                    foreach ($Test in $LoadedConfiguration.$Key.Tests.PSObject.Properties.Name) {
                        $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Enable'] = $LoadedConfiguration.$Key.Tests.$Test.Enable

                        if ($null -ne $LoadedConfiguration.$Key.Tests.$Test.Parameters.ExpectedValue) {
                            $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Parameters']['ExpectedValue'] = $LoadedConfiguration.$Key.Tests.$Test.Parameters.ExpectedValue
                        if ($null -ne $LoadedConfiguration.$Key.Tests.$Test.Parameters.ExpectedCount) {
                            $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Parameters']['ExpectedCount'] = $LoadedConfiguration.$Key.Tests.$Test.Parameters.ExpectedCount
                        if ($null -ne $LoadedConfiguration.$Key.Tests.$Test.Parameters.Property) {
                            $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Parameters']['Property'] = $LoadedConfiguration.$Key.Tests.$Test.Parameters.Property
                        if ($null -ne $LoadedConfiguration.$Key.Tests.$Test.Parameters.OperationType) {
                            $Script:TestimoConfiguration[$Target][$Key]['Tests'][$Test]['Parameters']['OperationType'] = $LoadedConfiguration.$Key.Tests.$Test.Parameters.OperationType
                } else {

        Out-Informative -OverrideTitle 'Testimo' -Status $null -Domain $Domain -DomainController $DomainController -ExtendedValue ("Configuration loaded from $Option") -End

    } else {
        Out-Informative -OverrideTitle 'Testimo' -Text "Using configuration defaults" -Level 0 -Status $null -ExtendedValue ("No configuration provided by user")

function Initialize-TestimoTests {
    Simple command that goes thru all the tests and makes sure minimal tests are "improved" to become standard test
    Simple command that goes thru all the tests and makes sure minimal tests are "improved" to become standard test
    General notes


    foreach ($Key in $Script:TestimoConfiguration.Keys) {
        if ($Key -notin 'Types', 'Exclusions', 'Inclusions', 'Debug') {
            foreach ($Source in [string[]] $Script:TestimoConfiguration[$Key].Keys) {
                foreach ($TestName in [string[]] $Script:TestimoConfiguration[$Key][$Source].Tests.Keys) {
                    $TestValue = $Script:TestimoConfiguration[$Key][$Source].Tests.$TestName
                    if ($TestValue -is [System.Collections.IDictionary]) {
                        if ($TestValue.Details) {
                            if (-not $TestValue.Details.Category) {
                                if ($Script:TestimoConfiguration[$Key][$Source].Source.Details -and $Script:TestimoConfiguration[$Key][$Source].Source.Details.Category) {
                                    $TestValue.Details.Category = $Script:TestimoConfiguration[$Key][$Source].Source.Details.Category
                            if (-not $TestValue.Details.Category) {
                                if ($Script:TestimoConfiguration[$Key][$Source].Source.Details -and $Script:TestimoConfiguration[$Key][$Source].Source.Details.ActionType) {
                                    $TestValue.Details.ActionType = $Script:TestimoConfiguration[$Key][$Source].Source.Details.ActionType
                    } else {
                        # we use configuration as default category
                        $DefaultCategory = 'Configuration'
                        # but we also check if source has something different and we use it
                        if ($Script:TestimoConfiguration[$Key][$Source].Source.Details -and $Script:TestimoConfiguration[$Key][$Source].Source.Details.Category) {
                            $DefaultCategory = $Script:TestimoConfiguration[$Key][$Source].Source.Details.Category

                        # Overwrite the test value with the default settings
                        # This is to support basic paramters testing in a way that DSC does
                        $Script:TestimoConfiguration[$Key][$Source].Tests.$TestName = [ordered] @{
                            Enable     = $true
                            Name       = $TestName
                            Parameters = @{
                                Property = $TestName
                                OperationType = 'eq'
                                ExpectedValue = $TestValue
                            Details    = [ordered] @{
                                Category    = $DefaultCategory
                                Importance  = 5
                                ActionType  = 2
                                StatusTrue  = 1
                                StatusFalse = 5
function New-ChartData {
    $ChartData = [ordered] @{}
    foreach ($Result in $Results) {
        if ($null -ne $Result.Assessment) {
            if (-not $ChartData[$Result.Assessment]) {
                $ChartData[$Result.Assessment] = [ordered] @{
                    Count = 0
                    Color = $Script:StatusToColors[$Result.Assessment]
        } else {
            # if for whatever reason result.assesment is null we need to improvise
            if (-not $ChartData['Skipped']) {
                $ChartData['Skipped'] = [ordered] @{
                    Count = 0
                    Color = $Script:StatusToColors['Skipped']
function Out-Begin {
        [string] $Scope,
        [string] $Text,
        [int] $Level,
        [string] $Type = 't',
        [string] $Domain,
        [string] $DomainController
    if ($Scope -in 'Forest', 'Domain', 'DC') {
        if ($Domain -and $DomainController) {
            if ($Type -eq 't') {
                [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::DarkGray, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::Yellow
            } elseif ($Type -eq 'e') {
                [ConsoleColor[]] $Color = [ConsoleColor]::Red, [ConsoleColor]::DarkGray, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::Yellow
            } else {
                [ConsoleColor[]] $Color = [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::Yellow
            $TestText = "[$Type]", "[$Domain]", "[$($DomainController)] ", $Text
        } elseif ($Domain) {
            if ($Type -eq 't') {
                [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
            } elseif ($Type -eq 'e') {
                [ConsoleColor[]] $Color = [ConsoleColor]::Red, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
            } else {
                [ConsoleColor[]] $Color = [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
            $TestText = "[$Type]", "[$Domain] ", $Text
        } elseif ($DomainController) {
            # Shouldn't really happen
            Write-Warning "Out-Begin - Shouldn't happen - Fix me."
        } else {
            if ($Type -eq 't') {
                [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
            } elseif ($Type -eq 'e') {
                [ConsoleColor[]] $Color = [ConsoleColor]::Red, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
            } else {
                [ConsoleColor[]] $Color = [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
            $TestText = "[$Type]", "[Forest] ", $Text
    } else {
        if ($Type -eq 't') {
            [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
        } elseif ($Type -eq 'e') {
            [ConsoleColor[]] $Color = [ConsoleColor]::Red, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
        } else {
            [ConsoleColor[]] $Color = [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
        $TestText = "[$Type]", "[$Scope] ", $Text
    Write-Color -Text $TestText -Color $Color -StartSpaces $Level -NoNewLine
function Out-Failure {
        [string] $Scope,
        [string] $Text,
        [int] $Level,
        [string] $ExtendedValue = 'Input data not provided. Failing test.',
        [string] $Domain,
        [string] $DomainController,
        [string] $ReferenceID,
        [validateSet('e', 'i', 't')][string] $Type = 't',
        [System.Collections.IDictionary] $Source,
        [System.Collections.IDictionary] $Test
    Out-Begin -Scope $Scope -Text $Text -Level $Level -Domain $Domain -DomainController $DomainController -Type $Type
    Out-Status -Scope $Scope -Text $Text -Status $false -ExtendedValue $ExtendedValue -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Source $Source -Test $Test
function Out-Informative {
        [int] $Level = 0,
        [string] $OverrideTitle,
        [string] $OverrideTextStatus,
        [string] $Domain,
        [string] $DomainController,
        [string] $Text,
        [nullable[bool]] $Status,
        [string] $ExtendedValue,
        [switch] $Start,
        [switch] $End,
        [string] $Scope

    if ($Start -or (-not $Start -and -not $End)) {
        $Type = 'i'
        if ($Scope -in 'Forest', 'Domain', 'DC') {
            if ($Domain -and $DomainController) {
                [ConsoleColor[]] $Color = [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::Yellow
                $TestText = "[$Type]", "[$Domain]", "[$($DomainController)] ", $Text
            } elseif ($Domain) {
                [ConsoleColor[]] $Color = [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
                $TestText = "[$Type]", "[$Domain] ", $Text
            } elseif ($DomainController) {
                # Shouldn't really happen
                Write-Warning "Out-Begin - Shouldn't happen - Fix me."
            } else {
                [ConsoleColor[]] $Color = [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
                if ($OverrideTitle) {
                    $TestText = "[$Type]", "[$OverrideTitle] ", $Text
                } else {
                    $TestText = "[$Type]", "[Forest] ", $Text
        } else {
            [ConsoleColor[]] $Color = [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow
            if ($OverrideTitle) {
                $TestText = "[$Type]", "[$OverrideTitle] ", $Text
            } else {
                if ($Scope) {
                    $TestText = "[$Type]", "[$Scope] ", $Text
                } else {
                    $TestText = "[$Type]", "[Testimo] ", $Text
        Write-Color -Text $TestText -Color $Color -StartSpaces $Level -NoNewLine
    if ($End -or (-not $Start -and -not $End)) {
        if ($Status -eq $true) {
            [string] $TextStatus = 'Pass'
            [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::Green, [ConsoleColor]::Cyan, [ConsoleColor]::Cyan, [ConsoleColor]::Green, [ConsoleColor]::Cyan
        } elseif ($Status -eq $false) {
            [string] $TextStatus = 'Fail'
            [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::Red, [ConsoleColor]::Cyan, [ConsoleColor]::Cyan, [ConsoleColor]::Red, [ConsoleColor]::Cyan
        } else {
            [string] $TextStatus = 'Informative'
            [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::DarkGray, [ConsoleColor]::Cyan, [ConsoleColor]::Cyan, [ConsoleColor]::Magenta, [ConsoleColor]::Cyan
        if ($OverrideTextStatus) {
            $TextStatus = $OverrideTextStatus
        if ($ExtendedValue) {
            Write-Color -Text ' [', $TextStatus, ']', " [", $ExtendedValue, "]" -Color $Color
        } else {
            Write-Color -Text ' [', $TextStatus, ']' -Color $Color
function Out-Skip {
        [string] $Scope,
        [PSCustomobject] $TestsSummary,
        [int] $Level = 0,
        [string] $Domain,
        [string] $DomainController,
        [string] $Test,
        [string] $Source,
        [string] $Reason = 'Skipping - unmet dependency'

    Out-Begin -Scope $Scope -Type 'i' -Text $Test -Level $Level -Domain $Domain -DomainController $DomainController

    Out-Status -Scope $Scope -Text $Test -Status $null -ExtendedValue $Reason -Domain $Domain -DomainController $DomainController -ReferenceID $Source

    $TestsSummary.Skipped = $TestsSummary.Skipped + 1
    $TestsSummary.Total = $TestsSummary.Failed + $TestsSummary.Passed + $TestsSummary.Skipped
function Out-Status {
        [string] $Scope,
        [string] $TestID,
        [string] $Text,
        [nullable[bool]] $Status,
        [string] $Section,
        [string] $ExtendedValue,
        [string] $Domain,
        [string] $DomainController,
        [System.Collections.IDictionary] $Source,
        [System.Collections.IDictionary] $Test,
        [string] $ReferenceID
    if ($Domain -and $DomainController) {
        $TestType = 'Domain Controller'
        $TestText = "Domain Controller - $DomainController | $Text"
    } elseif ($Domain) {
        $TestType = 'Domain'
        $TestText = "Domain - $Domain | $Text"
    } else {
        $TestType = $Scope
        $TestText = "$Scope | $Text"

    if ($Source -and -not $Test) {
        # This means we're dealing with source
        if (-not [string]::IsNullOrWhitespace($Source.Details.Importance)) {
            $ImportanceInformation = $Script:Importance[$Source.Details.Importance]
        } else {
            $ImportanceInformation = 'Not defined'
        if (-not [string]::IsNullOrWhitespace($Source.Details.Category)) {
            $Category = $Source.Details.Category
        } else {
            $Category = 'Not defined'
        if (-not [string]::IsNullOrWhitespace($Source.Details.ActionType)) {
            $Action = $Script:ActionType[$Source.Details.ActionType]
        } else {
            $Action = 'Not defined'

        if ($null -ne $Source.Details.StatusTrue -and $null -ne $Source.Details.StatusFalse) {
            if ($Status -eq $true) {
                $StatusTranslation = $Script:StatusTranslation[$Source.Details.StatusTrue]
                $StatusColor = $Script:StatusTranslationConsoleColors[$Source.Details.StatusTrue]
            } elseif ($Status -eq $false) {
                $StatusTranslation = $Script:StatusTranslation[$Source.Details.StatusFalse]
                $StatusColor = $Script:StatusTranslationConsoleColors[$Source.Details.StatusFalse]
            } elseif ($null -eq $Status) {
                $StatusTranslation = $Script:StatusTranslation[0]
                $StatusColor = $Script:StatusTranslationConsoleColors[0]
        } else {
            # We need to overwrite some values to better suite our reports
            #$StatusTranslation = $Status
            if ($Status -eq $true) {
                $StatusTranslation = $Script:StatusTranslation[1]
                $StatusColor = $Script:StatusTranslationConsoleColors[1]
            } elseif ($Status -eq $false) {
                $StatusTranslation = $Script:StatusTranslation[4]
                $StatusColor = $Script:StatusTranslationConsoleColors[4]
            } elseif ($null -eq $Status) {
                $StatusTranslation = $Script:StatusTranslation[0]
                $StatusColor = $Script:StatusTranslationConsoleColors[0]
    } else {
        if (-not [string]::IsNullOrWhitespace($Test.Details.Importance)) {
            $ImportanceInformation = $Script:Importance[$Test.Details.Importance]
        } else {
            $ImportanceInformation = 'Not defined'
        if (-not [string]::IsNullOrWhitespace($Test.Details.Category)) {
            $Category = $Test.Details.Category
        } else {
            $Category = 'Not defined'
        if (-not [string]::IsNullOrWhitespace($Test.Details.ActionType)) {
            $Action = $Script:ActionType[$Test.Details.ActionType]
        } else {
            $Action = 'Not defined'
        if ($null -ne $Test.Details.StatusTrue -and $null -ne $Test.Details.StatusFalse) {
            if ($Status -eq $true) {
                $StatusTranslation = $Script:StatusTranslation[$Test.Details.StatusTrue]
                $StatusColor = $Script:StatusTranslationConsoleColors[$Test.Details.StatusTrue]
            } elseif ($Status -eq $false) {
                $StatusTranslation = $Script:StatusTranslation[$Test.Details.StatusFalse]
                $StatusColor = $Script:StatusTranslationConsoleColors[$Test.Details.StatusFalse]
            } elseif ($null -eq $Status) {
                $StatusTranslation = $Script:StatusTranslation[0]
                $StatusColor = $Script:StatusTranslationConsoleColors[0]
        } else {
            # We need to overwrite some values to better suite our reports
            #$StatusTranslation = $Status
            if ($Status -eq $true) {
                $StatusTranslation = $Script:StatusTranslation[1]
                $StatusColor = $Script:StatusTranslationConsoleColors[1]
            } elseif ($Status -eq $false) {
                $StatusTranslation = $Script:StatusTranslation[4]
                $StatusColor = $Script:StatusTranslationConsoleColors[4]
            } elseif ($null -eq $Status) {
                $StatusTranslation = $Script:StatusTranslation[0]
                $StatusColor = $Script:StatusTranslationConsoleColors[0]

    $Output = [PSCustomObject]@{
        Name             = $TestText
        Source           = $Source.Name
        DisplayName      = $Text
        Type             = $TestType
        Category         = $Category
        Assessment       = $StatusTranslation
        Status           = $Status
        Action           = $Action
        Importance       = $ImportanceInformation
        Extended         = $ExtendedValue
        Domain           = $Domain
        DomainController = $DomainController
    if (-not $ReferenceID) {
    } else {
        if ($Scope -in 'Forest', 'Domain', 'DC') {
            if ($Domain -and $DomainController) {
            } elseif ($Domain) {
            } else {
        } else {
    if ($null -eq $StatusColor) {
        Write-Warning -Message "Status color for $StatusTranslation is not within -1 and 5 range. Test: $($Output.Name). Fix test!!"
        $StatusColor = [ConsoleColor]::Red
    [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, $StatusColor, [ConsoleColor]::Cyan, [ConsoleColor]::Cyan, $StatusColor, [ConsoleColor]::Cyan
    if ($ExtendedValue) {
        Write-Color -Text ' [', $StatusTranslation, ']', " [", $ExtendedValue, "]" -Color $Color
    } else {
        Write-Color -Text ' [', $StatusTranslation, ']' -Color $Color

function Out-Summary {
        [string] $Scope,
        [System.Diagnostics.Stopwatch] $Time,
        [int] $Level,
        [string] $Domain,
        [string] $DomainController,
        [PSCustomobject] $TestsSummary
    $EndTime = Stop-TimeLog -Time $Time -Option OneLiner
    $Type = 'i'
    if ($Scope -in 'Forest', 'Domain', 'DC') {
        if ($Domain -and $DomainController) {
            if ($Type -eq 't') {
                [ConsoleColor[]] $Color = @(
            } else {
                [ConsoleColor[]] $Color = @(
                    [ConsoleColor]::Yellow, # Type
                    [ConsoleColor]::DarkGray, # Domain
                    [ConsoleColor]::DarkGray, # Domain Controller
                    [ConsoleColor]::Yellow, # Text
                    [ConsoleColor]::Yellow, # [
                    [ConsoleColor]::DarkGray, # Time To Execute Text
                    [ConsoleColor]::Yellow, # Actual Time
                    [ConsoleColor]::DarkGray, # Bracket ]
                    [ConsoleColor]::DarkGray # Bracket [
                    [ConsoleColor]::Yellow, # Tests Total text
                    [ConsoleColor]::White, # Count Tests
                    [ConsoleColor]::Yellow # Tests Tests
                    [ConsoleColor]::Green # Tests passed
                    [ConsoleColor]::Yellow # Tests failed
                    [ConsoleColor]::Red # Tests failed count
                    [ConsoleColor]::Yellow # Tests skipped
                    [ConsoleColor]::Cyan # Tests skipped count
            $TestText = @(
                "[$Type]", # Yellow
                "[$Domain]", # DarkGray
                "[$($DomainController)] ", # DarkGray
                $Text, # Yellow
                ' [', # Yellow
                'Time to execute tests: ', # DarkGray
                $EndTime, # Yellow
                ']', # DarkGray
                '[', # DarkGray
                'Tests Total: ', # Yellow
            ($TestsSummary.Total), # White
                ', Passed: ', # Yellow
                ', Failed: ',
                ', Skipped: ',
        } elseif ($Domain) {
            if ($Type -eq 't') {
                [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray
            } else {
                [ConsoleColor[]] $Color = @(
                    [ConsoleColor]::Yellow, # Type
                    [ConsoleColor]::DarkGray, # Domain
                    #[ConsoleColor]::DarkGray, # Domain Controller
                    [ConsoleColor]::Yellow, # Text
                    [ConsoleColor]::Yellow, # [
                    [ConsoleColor]::DarkGray, # Time To Execute Text
                    [ConsoleColor]::Yellow, # Actual Time
                    [ConsoleColor]::DarkGray, # Bracket ]
                    [ConsoleColor]::DarkGray # Bracket [
                    [ConsoleColor]::Yellow, # Tests Total text
                    [ConsoleColor]::White, # Count Tests
                    [ConsoleColor]::Yellow # Tests Tests
                    [ConsoleColor]::Green # Tests passed
                    [ConsoleColor]::Yellow # Tests failed
                    [ConsoleColor]::Red # Tests failed count
                    [ConsoleColor]::Yellow # Tests skipped
                    [ConsoleColor]::Cyan # Tests skipped count
            $TestText = @(
                "[$Type]", # Yellow
                "[$Domain] ", # DarkGray
                # "[$($DomainController)] ", # DarkGray
                $Text, # Yellow
                ' [', # Yellow
                'Time to execute tests: ', # DarkGray
                $EndTime, # Yellow
                ']', # DarkGray
                '[', # DarkGray
                'Tests Total: ', # Yellow
            ($TestsSummary.Total), # White
                ', Passed: ', # Yellow
                ', Failed: ',
                ', Skipped: ',
        } elseif ($DomainController) {
            # Shouldn't really happen
            Write-Warning "Out-Begin - Shouldn't happen - Fix me."
        } else {
            if ($Type -eq 't') {
                [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray
            } else {
                [ConsoleColor[]] $Color = @(
                    [ConsoleColor]::Yellow, # Type
                    [ConsoleColor]::DarkGray, # Domain / Forest
                    #[ConsoleColor]::DarkGray, # Domain Controller
                    [ConsoleColor]::Yellow, # Text
                    [ConsoleColor]::Yellow, # [
                    [ConsoleColor]::DarkGray, # Time To Execute Text
                    [ConsoleColor]::Yellow, # Actual Time
                    [ConsoleColor]::DarkGray, # Bracket ]
                    [ConsoleColor]::DarkGray # Bracket [
                    [ConsoleColor]::Yellow, # Tests Total text
                    [ConsoleColor]::White, # Count Tests
                    [ConsoleColor]::Yellow # Tests Tests
                    [ConsoleColor]::Green # Tests passed
                    [ConsoleColor]::Yellow # Tests failed
                    [ConsoleColor]::Red # Tests failed count
                    [ConsoleColor]::Yellow # Tests skipped
                    [ConsoleColor]::Cyan # Tests skipped count
            $TestText = @(
                "[$Type]", # Yellow
                "[Forest] ", # DarkGray
                # "[$($DomainController)] ", # DarkGray
                $Text, # Yellow
                ' [', # Yellow
                'Time to execute tests: ', # DarkGray
                $EndTime, # Yellow
                ']', # DarkGray
                '[', # DarkGray
                'Tests Total: ', # Yellow
            ($TestsSummary.Total), # White
                ', Passed: ', # Yellow
                ', Failed: ',
                ', Skipped: ',
    } else {
        if ($Type -eq 't') {
            [ConsoleColor[]] $Color = [ConsoleColor]::Cyan, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray, [ConsoleColor]::Yellow, [ConsoleColor]::DarkGray
        } else {
            [ConsoleColor[]] $Color = @(
                [ConsoleColor]::Yellow, # Type
                [ConsoleColor]::DarkGray, # Domain / Forest
                #[ConsoleColor]::DarkGray, # Domain Controller
                [ConsoleColor]::Yellow, # Text
                [ConsoleColor]::Yellow, # [
                [ConsoleColor]::DarkGray, # Time To Execute Text
                [ConsoleColor]::Yellow, # Actual Time
                [ConsoleColor]::DarkGray, # Bracket ]
                [ConsoleColor]::DarkGray # Bracket [
                [ConsoleColor]::Yellow, # Tests Total text
                [ConsoleColor]::White, # Count Tests
                [ConsoleColor]::Yellow # Tests Tests
                [ConsoleColor]::Green # Tests passed
                [ConsoleColor]::Yellow # Tests failed
                [ConsoleColor]::Red # Tests failed count
                [ConsoleColor]::Yellow # Tests skipped
                [ConsoleColor]::Cyan # Tests skipped count
        $TestText = @(
            "[$Type]", # Yellow
            "[$Scope] ", # DarkGray
            # "[$($DomainController)] ", # DarkGray
            $Text, # Yellow
            ' [', # Yellow
            'Time to execute tests: ', # DarkGray
            $EndTime, # Yellow
            ']', # DarkGray
            '[', # DarkGray
            'Tests Total: ', # Yellow
        ($TestsSummary.Total), # White
            ', Passed: ', # Yellow
            ', Failed: ',
            ', Skipped: ',
    Write-Color -Text $TestText -Color $Color -StartSpaces $Level
$Script:Importance = @{
    0  = 'Informational'
    1  = 'Negligible'
    2  = 'Very low'
    3  = 'Low'
    4  = 'Minor'
    5  = 'Moderate Low'
    6  = 'Moderate'
    7  = 'High'
    8  = 'Very High'
    9  = 'Significant'
    10 = 'Extreme'
$Script:StatusTranslation = @{
    -1 = 'Skipped'
    0  = 'Informational' # #4D9F6F # Low risk
    1  = 'Good'
    2  = 'Low' # #507DC6 # General Risk
    3  = 'Elevated' # #998D16 # Significant Risk
    4  = 'High' # #7A5928 High Risk
    5  = 'Severe' # #D65742 Server Risk

$Script:StatusToColors = @{
    'Skipped'       = 'DeepSkyBlue'
    'Informational' = 'CornflowerBlue'
    'Good'          = 'LawnGreen'
    'Low'           = 'ParisDaisy' # # General Risk
    'Elevated'      = 'SafetyOrange' # # Significant Risk
    'High'          = 'InternationalOrange' # High Risk
    'Severe'        = 'TorchRed' # Server Risk
    $true           = 'LawnGreen'
    $false          = 'TorchRed'

$Script:StatusTranslationColors = @{
    -1 = 'DeepSkyBlue'
    0  = 'CornflowerBlue'
    1  = 'LawnGreen'
    2  = 'ParisDaisy' # # General Risk
    3  = 'SafetyOrange' # # Significant Risk
    4  = 'InternationalOrange' # High Risk
    5  = 'TorchRed' # Server Risk
$Script:ActionType = @{
    0 = 'Informational'
    1 = 'Recommended'
    2 = 'Must Implement'
$Script:StatusTranslationConsoleColors = @{
    -1 = [System.ConsoleColor]::DarkBlue
    0  = [System.ConsoleColor]::DarkBlue
    1  = [System.ConsoleColor]::Green
    2  = [System.ConsoleColor]::Magenta # # General Risk
    3  = [System.ConsoleColor]::DarkMagenta # # Significant Risk
    4  = [System.ConsoleColor]::Red # High Risk
    5  = [System.ConsoleColor]::DarkRed # Server Risk

$Script:WarningSystem = @{
    0 = 'All Clear'
    1 = 'Advice'
    2 = 'Watch and Act'
    3 = 'Emergency Warning'
$Script:PotentialImpact = @{
    0 = 'Neglible'
    1 = 'Minor'
    3 = 'Moderate'
    4 = 'Significant'
    5 = 'Severe'
$Script:Likelihood = @{
    0 = 'Very Unlikely'
    1 = 'Unlikely'
    2 = 'Possible'
    3 = 'Likely'
    4 = 'Very Likely'
$Script:Consequence = @{
    0 = 'Small'
    1 = 'Moderate'
    2 = 'Severe'
    3 = 'Catastrophic'

function Set-TestsStatus {
        [string[]] $Sources,
        [string[]] $ExcludeSources,
        [string[]] $IncludeTags,
        [string[]] $ExcludeTags
    # we first disable all sources to make sure it's a clean start
    foreach ($Key in $Script:TestimoConfiguration.Keys) {
        if ($Key -notin 'Types', 'Exclusions', 'Inclusions', 'Debug') {
            foreach ($Source in $Script:TestimoConfiguration.$Key.Keys) {
                if ($Script:TestimoConfiguration[$Key][$Source]) {
                    $Script:TestimoConfiguration[$Key][$Source]['Enable'] = $false
                    $Script:TestimoConfiguration.Types[$Key] = $false
    # then we go thru the sources and enable them
    foreach ($Key in $Script:TestimoConfiguration.Keys) {
        if ($Key -notin 'Types', 'Exclusions', 'Inclusions', 'Debug') {
            foreach ($Tag in $IncludeTags) {
                if ($Script:TestimoConfiguration[$Key]) {
                    foreach ($Source in $Script:TestimoConfiguration[$Key].Keys) {
                        if ($Tag -in $Script:TestimoConfiguration[$Key][$Source]['Source']['Details'].Tags) {
                            $Script:TestimoConfiguration[$Key][$Source]['Enable'] = $true
                            $Script:TestimoConfiguration.Types[$Key] = $true
            foreach ($Source in $Sources) {
                if ($Script:TestimoConfiguration[$Key][$Source]) {
                    $Script:TestimoConfiguration[$Key][$Source]['Enable'] = $true
                    $Script:TestimoConfiguration.Types[$Key] = $true
            foreach ($Source in $ExcludeSources) {
                if ($Script:TestimoConfiguration[$Key][$Source]) {
                    $Script:TestimoConfiguration[$Key][$Source]['Enable'] = $false
            foreach ($Tag in $ExcludeTags) {
                if ($Script:TestimoConfiguration[$Key]) {
                    foreach ($Source in $Script:TestimoConfiguration[$Key].Keys) {
                        if ($Tag -in $Script:TestimoConfiguration[$Key][$Source]['Source']['Details'].Tags) {
                            $Script:TestimoConfiguration[$Key][$Source]['Enable'] = $false
function Start-TestimoEmail {
        [string] $From,
        [string[]] $To,
        [string[]] $CC,
        [string[]] $BCC,
        [string] $Server,
        [int] $Port,
        [switch] $SSL,
        [string] $UserName,
        [string] $Password,
        [switch] $PasswordAsSecure,
        [switch] $PasswordFromFile,
        [string] $Priority = 'High',
        [string] $Subject = '[Reporting Evotec] Summary of Active Directory Tests'
    Email {
        EmailHeader {
            EmailFrom -Address $From
            EmailTo -Addresses $To
            EmailServer -Server $Server -UserName $UserName -Password $PasswordFromFile -PasswordAsSecure:$PasswordAsSecure -PasswordFromFile:$PasswordFromFile -Port 587 -SSL:$SSL
            EmailOptions -Priority $Priority -DeliveryNotifications Never
            EmailSubject -Subject $Subject
        EmailBody -FontFamily 'Calibri' -Size 15 {
            #EmailText -Text "Summary of Active Directory Tests" -Color None, Blue -LineBreak

            EmailTable -DataTable $Results {
                EmailTableCondition -ComparisonType 'string' -Name 'Status' -Operator eq -Value 'True' -BackgroundColor Green -Color White -Inline -Row
                EmailTableCondition -ComparisonType 'string' -Name 'Status' -Operator ne -Value 'True' -BackgroundColor Red -Color White -Inline -Row
            } -HideFooter
    } -AttachSelf -Supress $false
function Start-TestimoReport {
        [System.Collections.IDictionary] $TestResults,
        [string] $FilePath,
        [switch] $Online,
        [switch] $ShowHTML,
        [switch] $HideSteps,
        [switch] $AlwaysShowSteps,
        [string[]] $Scopes,
        [switch] $SplitReports
    if ($FilePath -eq '') {
        $FilePath = Get-FileName -Extension 'html' -Temporary

    $ColorPassed = 'LawnGreen'
    $ColorSkipped = 'DeepSkyBlue'
    $ColorFailed = 'TorchRed'
    $ColorPassedText = 'Black'
    $ColorFailedText = 'Black'
    $ColorSkippedText = 'Black'

    $TestResults['Configuration'] = @{
        Colors = @{
            ColorPassed      = $ColorPassed
            ColorSkipped     = $ColorSkipped
            ColorFailed      = $ColorFailed
            ColorPassedText  = $ColorPassedText
            ColorFailedText  = $ColorFailedText
            ColorSkippedText = $ColorSkippedText
    $TestResults['Configuration']['ResultConditions'] = {
        #New-TableCondition -Name 'Status' -Value $true -BackgroundColor 'LawnGreen'
        # #New-TableCondition -Name 'Status' -Value $false -BackgroundColor 'Tomato'
        # New-TableCondition -Name 'Status' -Value $null -BackgroundColor 'DeepSkyBlue'
        foreach ($Status in $Script:StatusTranslation.Keys) {
            New-HTMLTableCondition -Name 'Assessment' -Value $Script:StatusTranslation[$Status] -BackgroundColor $Script:StatusTranslationColors[$Status] #-Row
        New-HTMLTableCondition -Name 'Assessment' -Value $true -BackgroundColor $TestResults['Configuration']['Colors']['ColorPassed'] -Color $TestResults['Configuration']['Colors']['ColorPassedText'] #-Row
        New-HTMLTableCondition -Name 'Assessment' -Value $false -BackgroundColor $TestResults['Configuration']['Colors']['ColorFailed'] -Color $TestResults['Configuration']['Colors']['ColorFailedText'] #-Row
    $TestResults['Configuration']['ResultConditionsEmail'] = {
        $Translations = @{
            -1 = 'Skipped'
            0  = 'Informational' # #4D9F6F # Low risk
            1  = 'Good'
            2  = 'Low' # #507DC6 # General Risk
            3  = 'Elevated' # #998D16 # Significant Risk
            4  = 'High' # #7A5928 High Risk
            5  = 'Severe' # #D65742 Server Risk
        $TranslationsColors = @{
            -1 = 'DeepSkyBlue'
            0  = 'ElectricBlue'
            1  = 'LawnGreen'
            2  = 'ParisDaisy' # # General Risk
            3  = 'SafetyOrange' # # Significant Risk
            4  = 'InternationalOrange' # High Risk
            5  = 'TorchRed' # Server Risk
        foreach ($Status in $Translations.Keys) {
            New-HTMLTableCondition -Name 'Assessment' -Value $Translations[$Status] -BackgroundColor $TranslationsColors[$Status] -Inline
        New-HTMLTableCondition -Name 'Assessment' -Value $true -BackgroundColor 'LawnGreen' -Inline
        New-HTMLTableCondition -Name 'Assessment' -Value $false -BackgroundColor 'TorchRed' -Inline
    # [Array] $PassedTests = $TestResults['Results'] | Where-Object { $_.Status -eq $true }
    # [Array] $FailedTests = $TestResults['Results'] | Where-Object { $_.Status -eq $false }
    # [Array] $SkippedTests = $TestResults['Results'] | Where-Object { $_.Status -ne $true -and $_.Status -ne $false }
    if ($SplitReports) {
        Start-TestimoReportHTMLWithSplit -TestResults $TestResults -FilePath $FilePath -Online:$Online -ShowHTML:$ShowHTML.IsPresent -HideSteps:$HideSteps.IsPresent -AlwaysShowSteps:$AlwaysShowSteps.IsPresent -Scopes $Scopes
    } else {
        Start-TestimoReportHTML -TestResults $TestResults -FilePath $FilePath -Online:$Online -ShowHTML:$ShowHTML.IsPresent -HideSteps:$HideSteps.IsPresent -AlwaysShowSteps:$AlwaysShowSteps.IsPresent -Scopes $Scopes
function Start-TestimoReportHTML {
        [System.Collections.IDictionary] $TestResults,
        [string] $FilePath,
        [switch] $Online,
        [switch] $ShowHTML,
        [switch] $HideSteps,
        [switch] $AlwaysShowSteps,
        [string[]] $Scopes

    $Time = Start-TimeLog
    Out-Informative -OverrideTitle 'Testimo' -Text 'HTML Report Generation Started' -Level 0 -Status $null #-ExtendedValue $Script:Reporting['Version']

    New-HTML -FilePath $FilePath -Online:$Online {
        New-HTMLSectionStyle -BorderRadius 0px -HeaderBackGroundColor Grey -RemoveShadow
        New-HTMLTableOption -DataStore JavaScript -BoolAsString -ArrayJoin -ArrayJoinString ', ' -DateTimeFormat 'dd.MM.yyyy HH:mm:ss'
        New-HTMLTabStyle -BorderRadius 0px -BackgroundColorActive SlateGrey

        New-HTMLHeader {
            New-HTMLSection -Invisible {
                New-HTMLSection {
                    New-HTMLText -Text "Report generated on $(Get-Date)" -Color Blue
                } -JustifyContent flex-start -Invisible
                New-HTMLSection {
                    New-HTMLText -Text $Script:Reporting['Version'] -Color Blue
                } -JustifyContent flex-end -Invisible

        # Find amount of sources used. If just one, skip summary
        $NumberOfSourcesExecuted = 0
        #$NumberOfSourcesExecuted += $TestResults['Forest']['Tests'].Count
        foreach ($Key in $TestResults.Keys) {
            if ($Key -notin 'Version', 'Errors', 'Results', 'Summary', 'Domains', 'BySource', 'Configuration') {
                $NumberOfSourcesExecuted += $TestResults[$Key]['Tests'].Count
        foreach ($Domain in $TestResults['Domains'].Keys) {
            $NumberOfSourcesExecuted += $TestResults['Domains'][$Domain]['Tests'].Count
            $NumberOfSourcesExecuted += $TestResults['Domains'][$Domain]['DomainControllers'].Count

        if ($NumberOfSourcesExecuted -gt 1) {
            Start-TestimoReportSummaryAdvanced -TestResults $TestResults
        foreach ($Scope in $Scopes) {
            if ($TestResults[$Scope]['Tests'].Count -gt 0) {
                # There's at least 1 forest test - so lets go
                if ($NumberOfSourcesExecuted -eq 1) {
                    # there's just one forest test, and only 1 forest test in total so we don't need tabs
                    foreach ($Source in $TestResults[$Scope]['Tests'].Keys) {
                        $Name = $TestResults[$Scope]['Tests'][$Source]['Name']
                        $Data = $TestResults[$Scope]['Tests'][$Source]['Data']
                        $Information = $TestResults[$Scope]['Tests'][$Source]['Information']
                        $SourceCode = $TestResults[$Scope]['Tests'][$Source]['SourceCode']
                        $Results = $TestResults[$Scope]['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended
                        $WarningsAndErrors = $TestResults[$Scope]['Tests'][$Source]['WarningsAndErrors']
                        try {
                            Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -TestResults $TestResults -Type $Scope -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                        } catch {
                            Write-Warning -Message "Failed to generate report (1) for $Source in $Scope"
                } else {
                    New-HTMLTab -Name $Scope -IconBrands first-order {
                        foreach ($Source in $TestResults[$Scope]['Tests'].Keys) {
                            $Name = $TestResults[$Scope]['Tests'][$Source]['Name']
                            $Data = $TestResults[$Scope]['Tests'][$Source]['Data']
                            $Information = $TestResults[$Scope]['Tests'][$Source]['Information']
                            $SourceCode = $TestResults[$Scope]['Tests'][$Source]['SourceCode']
                            $Results = $TestResults[$Scope]['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended
                            $WarningsAndErrors = $TestResults[$Scope]['Tests'][$Source]['WarningsAndErrors']
                            try {
                                Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -TestResults $TestResults -Type $Scope -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                            } catch {
                                Write-Warning -Message "Failed to generate report (2) for $Source in $Scope"
        if ($TestResults['Forest']['Tests'].Count -gt 0) {
            # There's at least 1 forest test - so lets go
            if ($NumberOfSourcesExecuted -eq 1) {
                # there's just one forest test, and only 1 forest test in total so we don't need tabs
                foreach ($Source in $TestResults['Forest']['Tests'].Keys) {
                    $Name = $TestResults['Forest']['Tests'][$Source]['Name']
                    $Data = $TestResults['Forest']['Tests'][$Source]['Data']
                    $Information = $TestResults['Forest']['Tests'][$Source]['Information']
                    $SourceCode = $TestResults['Forest']['Tests'][$Source]['SourceCode']
                    $Results = $TestResults['Forest']['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended
                    $WarningsAndErrors = $TestResults['Forest']['Tests'][$Source]['WarningsAndErrors']
                    try {
                        Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -TestResults $TestResults -Type 'Forest' -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                    } catch {
                        Write-Warning -Message "Failed to generate report (3) for $Source in $Scope"
            } else {
                New-HTMLTab -Name 'Forest' -IconBrands first-order {
                    foreach ($Source in $TestResults['Forest']['Tests'].Keys) {
                        $Name = $TestResults['Forest']['Tests'][$Source]['Name']
                        $Data = $TestResults['Forest']['Tests'][$Source]['Data']
                        $Information = $TestResults['Forest']['Tests'][$Source]['Information']
                        $SourceCode = $TestResults['Forest']['Tests'][$Source]['SourceCode']
                        $Results = $TestResults['Forest']['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended
                        $WarningsAndErrors = $TestResults['Forest']['Tests'][$Source]['WarningsAndErrors']
                        try {
                            Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -TestResults $TestResults -Type 'Forest' -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                        } catch {
                            Write-Warning -Message "Failed to generate report (4) for $Source in $Scope"
        $DomainsFound = @{}
        [Array] $ProcessDomains = foreach ($Domain in $TestResults['Domains'].Keys) {
            if ($TestResults['Domains'][$Domain]['Tests'].Count -gt 0) {
                $DomainsFound[$Domain] = $true
        if ($ProcessDomains -contains $true) {
            New-HTMLTab -Name 'Domains' -IconBrands wpbeginner {
                foreach ($Domain in $TestResults['Domains'].Keys) {
                    if ($TestResults['Domains'][$Domain]['Tests'].Count -gt 0 -or $TestResults['Domains'][$Domain]['DomainControllers'].Count -gt 0) {
                        New-HTMLTab -Name "Domain $Domain" -IconBrands deskpro {
                            foreach ($Source in $TestResults['Domains'][$Domain]['Tests'].Keys) {
                                $Information = $TestResults['Domains'][$Domain]['Tests'][$Source]['Information']
                                $Name = $TestResults['Domains'][$Domain]['Tests'][$Source]['Name']
                                $Data = $TestResults['Domains'][$Domain]['Tests'][$Source]['Data']
                                $SourceCode = $TestResults['Domains'][$Domain]['Tests'][$Source]['SourceCode']
                                $Results = $TestResults['Domains'][$Domain]['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended, Domain
                                $WarningsAndErrors = $TestResults['Domains'][$Domain]['Tests'][$Source]['WarningsAndErrors']
                                try {
                                    Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -HideSteps:$HideSteps -TestResults $TestResults -Type 'Domain' -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                                } catch {
                                    Write-Warning -Message "Failed to generate report (5) for $Source in domain $Domain"

        if ($TestResults['Domains'].Keys.Count -gt 0) {
            $DomainsFound = @{}
            [Array] $ProcessDomainControllers = foreach ($Domain in $TestResults['Domains'].Keys) {
                if ($TestResults['Domains'][$Domain]['DomainControllers'].Count -gt 0) {
                    $DomainsFound[$Domain] = $true
            if ($ProcessDomainControllers -contains $true) {
                New-HTMLTab -Name 'Domain Controllers' -IconRegular snowflake {
                    foreach ($Domain in $TestResults['Domains'].Keys) {
                        if ($TestResults['Domains'][$Domain]['Tests'].Count -gt 0 -or $TestResults['Domains'][$Domain]['DomainControllers'].Count -gt 0) {
                            New-HTMLTab -Name "Domain $Domain" -IconBrands deskpro {
                                if ($TestResults['Domains'][$Domain]['DomainControllers'].Count -gt 0) {
                                    #New-HTMLTabPanel -Orientation vertical {
                                    foreach ($DC in $TestResults['Domains'][$Domain]['DomainControllers'].Keys) {
                                        New-HTMLTab -TabName $DC -TextColor DarkSlateGray {
                                            #-HeaderText "Domain Controller - $DC" -HeaderBackGroundColor DarkSlateGray {
                                            New-HTMLContainer {
                                                foreach ($Source in $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'].Keys) {
                                                    $Information = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['Information']
                                                    $Name = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['Name']
                                                    $Data = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['Data']
                                                    $SourceCode = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['SourceCode']
                                                    $Results = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended, Domain, DomainController
                                                    $WarningsAndErrors = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['WarningsAndErrors']
                                                    try {
                                                        Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -TestResults $TestResults -Type 'DC' -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                                                    } catch {
                                                        Write-Warning -Message "Failed to generate report (6) for $Source in $Domain for $DC"
    } -ShowHTML:$ShowHTML
    $TimeEnd = Stop-TimeLog -Time $Time
    Out-Informative -OverrideTitle 'Testimo' -Text "HTML Report Saved to $FilePath" -Level 0 -Status $null -ExtendedValue $TimeEnd
function Start-TestimoReportHTMLWithSplit {
        [System.Collections.IDictionary] $TestResults,
        [string] $FilePath,
        [switch] $Online,
        [switch] $ShowHTML,
        [switch] $HideSteps,
        [switch] $AlwaysShowSteps,
        [string[]] $Scopes

    $DateName = $(Get-Date -f yyyy-MM-dd_HHmmss)
    $FileName = [io.path]::GetFileNameWithoutExtension($FilePath)
    $DirectoryName = [io.path]::GetDirectoryName($FilePath)

    # Find amount of sources used. If just one, skip summary
    $NumberOfSourcesExecuted = 0
    #$NumberOfSourcesExecuted += $TestResults['Forest']['Tests'].Count
    foreach ($Key in $TestResults.Keys) {
        if ($Key -notin 'Version', 'Errors', 'Results', 'Summary', 'Domains', 'BySource', 'Configuration') {
            $NumberOfSourcesExecuted += $TestResults[$Key]['Tests'].Count
    foreach ($Domain in $TestResults['Domains'].Keys) {
        $NumberOfSourcesExecuted += $TestResults['Domains'][$Domain]['Tests'].Count
        $NumberOfSourcesExecuted += $TestResults['Domains'][$Domain]['DomainControllers'].Count

    foreach ($Scope in $Scopes) {
        if ($TestResults[$Scope]['Tests'].Count -gt 0) {
            foreach ($Source in $TestResults[$Scope]['Tests'].Keys) {
                $Time = Start-TimeLog
                $NewFileName = $FileName + '_' + $Source + "_" + $DateName + '.html'
                $FilePath = [io.path]::Combine($DirectoryName, $NewFileName)
                Out-Informative -OverrideTitle 'Testimo' -Text "HTML Report for $Source Generation Started" -Level 0 -Status $null #-ExtendedValue $Script:Reporting['Version']
                New-HTML -FilePath $FilePath -Online:$Online {
                    New-HTMLSectionStyle -BorderRadius 0px -HeaderBackGroundColor Grey -RemoveShadow
                    New-HTMLTableOption -DataStore JavaScript -BoolAsString -ArrayJoin -ArrayJoinString ', ' -DateTimeFormat 'dd.MM.yyyy HH:mm:ss'
                    New-HTMLTabStyle -BorderRadius 0px -BackgroundColorActive SlateGrey

                    New-HTMLHeader {
                        New-HTMLSection -Invisible {
                            New-HTMLSection {
                                New-HTMLText -Text "Report generated on $(Get-Date)" -Color Blue
                            } -JustifyContent flex-start -Invisible
                            New-HTMLSection {
                                New-HTMLText -Text $Script:Reporting['Version'] -Color Blue
                            } -JustifyContent flex-end -Invisible
                    $Name = $TestResults[$Scope]['Tests'][$Source]['Name']
                    $Data = $TestResults[$Scope]['Tests'][$Source]['Data']
                    $Information = $TestResults[$Scope]['Tests'][$Source]['Information']
                    $SourceCode = $TestResults[$Scope]['Tests'][$Source]['SourceCode']
                    $Results = $TestResults[$Scope]['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended
                    $WarningsAndErrors = $TestResults[$Scope]['Tests'][$Source]['WarningsAndErrors']
                    try {
                        Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -TestResults $TestResults -Type $Scope -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                    } catch {
                        Write-Warning -Message "Failed to generate report (1) for $Source in $Scope"
                } -ShowHTML:$ShowHTML.IsPresent
                $TimeEnd = Stop-TimeLog -Time $Time
                Out-Informative -OverrideTitle 'Testimo' -Text "HTML Report for $Source Saved to $FilePath" -Level 0 -Status $null -ExtendedValue $TimeEnd
    if ($TestResults['Forest']['Tests'].Count -gt 0) {
        # there's just one forest test, and only 1 forest test in total so we don't need tabs
        foreach ($Source in $TestResults['Forest']['Tests'].Keys) {
            $Time = Start-TimeLog
            $NewFileName = $FileName + '_' + $Source + "_" + $DateName + '.html'
            $FilePath = [io.path]::Combine($DirectoryName, $NewFileName)
            Out-Informative -OverrideTitle 'Testimo' -Text "HTML Report for $Source Generation Started" -Level 0 -Status $null #-ExtendedValue $Script:Reporting['Version']
            New-HTML -FilePath $FilePath -Online:$Online {
                New-HTMLSectionStyle -BorderRadius 0px -HeaderBackGroundColor Grey -RemoveShadow
                New-HTMLTableOption -DataStore JavaScript -BoolAsString -ArrayJoin -ArrayJoinString ', ' -DateTimeFormat 'dd.MM.yyyy HH:mm:ss'
                New-HTMLTabStyle -BorderRadius 0px -BackgroundColorActive SlateGrey

                New-HTMLHeader {
                    New-HTMLSection -Invisible {
                        New-HTMLSection {
                            New-HTMLText -Text "Report generated on $(Get-Date)" -Color Blue
                        } -JustifyContent flex-start -Invisible
                        New-HTMLSection {
                            New-HTMLText -Text $Script:Reporting['Version'] -Color Blue
                        } -JustifyContent flex-end -Invisible
                $Name = $TestResults['Forest']['Tests'][$Source]['Name']
                $Data = $TestResults['Forest']['Tests'][$Source]['Data']
                $Information = $TestResults['Forest']['Tests'][$Source]['Information']
                $SourceCode = $TestResults['Forest']['Tests'][$Source]['SourceCode']
                $Results = $TestResults['Forest']['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended
                $WarningsAndErrors = $TestResults['Forest']['Tests'][$Source]['WarningsAndErrors']
                try {
                    Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -TestResults $TestResults -Type 'Forest' -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                } catch {
                    Write-Warning -Message "Failed to generate report (3) for $Source in $Scope"
            } -ShowHTML:$ShowHTML.IsPresent
            $TimeEnd = Stop-TimeLog -Time $Time
            Out-Informative -OverrideTitle 'Testimo' -Text "HTML Report for $Source Saved to $FilePath" -Level 0 -Status $null -ExtendedValue $TimeEnd

    $DomainsFound = @{}
    [Array] $ProcessDomains = foreach ($Domain in $TestResults['Domains'].Keys) {
        if ($TestResults['Domains'][$Domain]['Tests'].Count -gt 0) {
            $DomainsFound[$Domain] = $true
    if ($ProcessDomains -contains $true) {
        # Establish the sources we have for Domains
        $DomainSources = foreach ($Domain in $TestResults['Domains'].Keys) {
            foreach ($Source in $TestResults['Domains'][$Domain]['Tests'].Keys) {
        foreach ($Source in $DomainSources | Sort-Object -Unique) {
            $Time = Start-TimeLog
            $NewFileName = $FileName + '_' + $Source + "_" + $DateName + '.html'
            $FilePath = [io.path]::Combine($DirectoryName, $NewFileName)
            Out-Informative -OverrideTitle 'Testimo' -Text "HTML Report for $Source Generation Started" -Level 0 -Status $null #-ExtendedValue $Script:Reporting['Version']
            New-HTML -FilePath $FilePath -Online:$Online {
                New-HTMLSectionStyle -BorderRadius 0px -HeaderBackGroundColor Grey -RemoveShadow
                New-HTMLTableOption -DataStore JavaScript -BoolAsString -ArrayJoin -ArrayJoinString ', ' -DateTimeFormat 'dd.MM.yyyy HH:mm:ss'
                New-HTMLTabStyle -BorderRadius 0px -BackgroundColorActive SlateGrey

                New-HTMLHeader {
                    New-HTMLSection -Invisible {
                        New-HTMLSection {
                            New-HTMLText -Text "Report generated on $(Get-Date)" -Color Blue
                        } -JustifyContent flex-start -Invisible
                        New-HTMLSection {
                            New-HTMLText -Text $Script:Reporting['Version'] -Color Blue
                        } -JustifyContent flex-end -Invisible

                foreach ($Domain in $TestResults['Domains'].Keys) {
                    if ($TestResults['Domains'][$Domain]['Tests'].Count -gt 0 -or $TestResults['Domains'][$Domain]['DomainControllers'].Count -gt 0) {

                        $Information = $TestResults['Domains'][$Domain]['Tests'][$Source]['Information']
                        $Name = $TestResults['Domains'][$Domain]['Tests'][$Source]['Name']
                        $Data = $TestResults['Domains'][$Domain]['Tests'][$Source]['Data']
                        $SourceCode = $TestResults['Domains'][$Domain]['Tests'][$Source]['SourceCode']
                        $Results = $TestResults['Domains'][$Domain]['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended, Domain
                        $WarningsAndErrors = $TestResults['Domains'][$Domain]['Tests'][$Source]['WarningsAndErrors']

                        if ($Results.Status -notcontains $False) {
                            $Title = "$Domain 💚"
                        } else {
                            $Title = "$Domain 📛"

                        New-HTMLTab -Name "Domain $Title" -IconBrands deskpro {
                            try {
                                Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -HideSteps:$HideSteps -TestResults $TestResults -Type 'Domain' -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                            } catch {
                                Write-Warning -Message "Failed to generate report (5) for $Source in domain $Domain"

                # }
            } -ShowHTML:$ShowHTML.IsPresent
            $TimeEnd = Stop-TimeLog -Time $Time
            Out-Informative -OverrideTitle 'Testimo' -Text "HTML Report for $Source Saved to $FilePath" -Level 0 -Status $null -ExtendedValue $TimeEnd

    if ($TestResults['Domains'].Keys.Count -gt 0) {
        $DomainsFound = @{}
        [Array] $ProcessDomainControllers = foreach ($Domain in $TestResults['Domains'].Keys) {
            if ($TestResults['Domains'][$Domain]['DomainControllers'].Count -gt 0) {
                $DomainsFound[$Domain] = $true
        if ($ProcessDomainControllers -contains $true) {
            # Establish the sources we have for Domain Controllers
            $DCSources = foreach ($Domain in $TestResults['Domains'].Keys) {
                foreach ($DC in $TestResults['Domains'][$Domain]['DomainControllers'].Keys) {
                    foreach ($Source in $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'].Keys) {
            foreach ($Source in $DCSources | Sort-Object -Unique) {
                $Time = Start-TimeLog
                $NewFileName = $FileName + '_' + $Source + "_" + $DateName + '.html'
                $FilePath = [io.path]::Combine($DirectoryName, $NewFileName)
                Out-Informative -OverrideTitle 'Testimo' -Text "HTML Report for $Source Generation Started" -Level 0 -Status $null #-ExtendedValue $Script:Reporting['Version']
                New-HTML -FilePath $FilePath -Online:$Online {
                    New-HTMLSectionStyle -BorderRadius 0px -HeaderBackGroundColor Grey -RemoveShadow
                    New-HTMLTableOption -DataStore JavaScript -BoolAsString -ArrayJoin -ArrayJoinString ', ' -DateTimeFormat 'dd.MM.yyyy HH:mm:ss'
                    New-HTMLTabStyle -BorderRadius 0px -BackgroundColorActive SlateGrey

                    New-HTMLHeader {
                        New-HTMLSection -Invisible {
                            New-HTMLSection {
                                New-HTMLText -Text "Report generated on $(Get-Date)" -Color Blue
                            } -JustifyContent flex-start -Invisible
                            New-HTMLSection {
                                New-HTMLText -Text $Script:Reporting['Version'] -Color Blue
                            } -JustifyContent flex-end -Invisible

                    foreach ($Domain in $TestResults['Domains'].Keys) {
                        if ($TestResults['Domains'][$Domain]['Tests'].Count -gt 0 -or $TestResults['Domains'][$Domain]['DomainControllers'].Count -gt 0) {
                            if ($TestResults['Domains'][$Domain]['DomainControllers'].Count -gt 0) {
                                foreach ($DC in $TestResults['Domains'][$Domain]['DomainControllers'].Keys) {
                                    $Information = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['Information']
                                    $Name = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['Name']
                                    $Data = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['Data']
                                    $SourceCode = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['SourceCode']
                                    $Results = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['Results'] #| Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended, Domain, DomainController
                                    $WarningsAndErrors = $TestResults['Domains'][$Domain]['DomainControllers'][$DC]['Tests'][$Source]['WarningsAndErrors']

                                    if ($Results.Status -notcontains $False) {
                                        $Title = "$DC 💚"
                                    } else {
                                        $Title = "$DC 📛"

                                    New-HTMLTab -TabName $Title -TextColor DarkSlateGray {
                                        New-HTMLContainer {
                                            try {
                                                Start-TestimoReportSection -Name $Name -Data $Data -Information $Information -SourceCode $SourceCode -Results $Results -WarningsAndErrors $WarningsAndErrors -TestResults $TestResults -Type 'DC' -AlwaysShowSteps:$AlwaysShowSteps.IsPresent
                                            } catch {
                                                Write-Warning -Message "Failed to generate report (6) for $Source in $Domain for $DC"




                } -ShowHTML:$ShowHTML.IsPresent
                $TimeEnd = Stop-TimeLog -Time $Time
                Out-Informative -OverrideTitle 'Testimo' -Text "HTML Report for $Source Saved to $FilePath" -Level 0 -Status $null -ExtendedValue $TimeEnd
function Start-TestimoReportSection {
        [string] $Name,
        [Array] $Data,
        [Array] $Results,
        [Array] $WarningsAndErrors,
        [switch] $HideSteps,
        [switch] $AlwaysShowSteps,
        [string] $Type
    [Array] $FailedTestsSingular = $Results | Where-Object { $_.Status -eq $false }

    if ($Type -eq 'Forest') {
        $ResultsDisplay = $Results | Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended
    } elseif ($Type -eq 'DC') {
        $ResultsDisplay = $Results | Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended, Domain
    } elseif ($Type -eq 'Domain') {
        $ResultsDisplay = $Results | Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended, Domain, DomainController
    } else {
        # Office 365 and other scopes
        $ResultsDisplay = $Results | Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended
    $ResultsCache = [ordered] @{}
    foreach ($Result in $ResultsDisplay) {
        $ResultsCache[$Result.DisplayName] = $Result

    $ChartData = New-ChartData -Results $Results

    New-HTMLSection -HeaderText $Name -HeaderBackGroundColor CornflowerBlue -Direction column {
        New-HTMLSection -Invisible -Direction column {
            New-HTMLSection -HeaderText 'Information' {
                New-HTMLContainer {
                    New-HTMLChart {
                        foreach ($Key in $ChartData.Keys) {
                            New-ChartPie -Name $Key -Value $ChartData[$Key].Count -Color $ChartData[$Key].Color
                    } -Height 250
                    New-HTMLText -Text @(
                        "Below command was used to generate and asses current data that is visible in this report. "
                        "In case there are more information required feel free to confirm problems found yourself. "
                    ) -FontSize 10pt
                    if ($SourceCode) {
                        New-HTMLCodeBlock -Code $SourceCode -Style 'PowerShell' -Theme enlighter
                    } elseif ($Information.Source.DataCode) {
                        New-HTMLCodeBlock -Code $Information.Source.DataCode -Style 'PowerShell' -Theme enlighter
                    if ($WarningsAndErrors) {
                        New-HTMLSection -HeaderText 'Warnings & Errors' -HeaderBackGroundColor OrangePeel {
                            New-HTMLTable -DataTable $WarningsAndErrors -Filtering -PagingLength 7
                New-HTMLContainer {
                    if ($Information.Source.Details) {
                        if ($Information.DataDescription) {
                            & $Information.DataDescription
                        } elseif ($Information.Source.Details.Description) {
                            New-HTMLText -Text $Information.Source.Details.Description -FontSize 10pt

                        $SummaryOfTests = foreach ($Test in $Information.Tests.Keys) {
                            if ($Information.Tests[$Test].Enable -eq $true -and $Information.Tests[$Test].Details.Description) {
                                New-HTMLListItem -FontSize 10pt -Text $Information.Tests[$Test].Name, " - ", $Information.Tests[$Test].Details.Description
                                if ($Information.Tests[$Test].Details.Resources) {
                                    New-HTMLList -FontSize 10pt {
                                        foreach ($Resource in $Information.Tests[$Test].Details.Resources) {
                                            if ($Resource.StartsWith('[')) {
                                                New-HTMLListItem -Text $Resource
                                            } else {
                                                # Since the link is given in pure form, we want to convert it to markdown link
                                                $Resource = "[$Resource]($Resource)"
                                                New-HTMLListItem -Text $Resource
                        if ($SummaryOfTests) {
                            New-HTMLList {

                        if ($Information.Source.Details.Resources) {
                            #New-HTMLText -LineBreak
                            New-HTMLText -Text 'Following resources may be helpful to understand this topic', ', please make sure to read those to understand this topic before following any instructions.' -FontSize 10pt -FontWeight bold, normal
                            New-HTMLList -FontSize 10pt {
                                foreach ($Resource in $Information.Source.Details.Resources) {
                                    if ($Resource.StartsWith('[')) {
                                        New-HTMLListItem -Text $Resource
                                    } else {
                                        # Since the link is given in pure form, we want to convert it to markdown link
                                        $Resource = "[$Resource]($Resource)"
                                        New-HTMLListItem -Text $Resource
                    #New-HTMLText -FontSize 10pt -Text 'Summary of Test results for ', $Name -FontWeight bold
                    New-HTMLText -FontSize 10pt -Text @(
                        "In the table below you can find summary of tests executed in the "
                        " category. Each test has their "
                        "assessment level ", ', '
                        "importance level ", ' and '
                        "action ",
                        "defined. "
                        "Depending on the assessment, importance and action AD Team needs to investigate according to the steps provided including using their internal processes (for example SOP). "
                        "It's important to have an understanding what the test is trying to tell you and what solution is provided. "
                        "If you have doubts, or don't understand some test please consider talking to senior admins for guidance. "
                    ) -FontWeight normal, bold, normal, bold, normal, bold, normal, bold, normal, normal, normal, normal
                    New-HTMLTable -DataTable $ResultsDisplay {
                        & $TestResults['Configuration']['ResultConditions']
                    } -Filtering -PagingLength 10
        # If there is no data to display we don't want to add empty table and section to the report. It makes no sense to take useful resources.
        if ($Data) {
            New-HTMLSection -HeaderText 'Data' {
                New-HTMLContainer {
                    if ($Information.DataInformation) {
                        & $Information.DataInformation
                    New-HTMLTable -DataTable $Data -Filtering {
                        if ($Information.DataHighlights) {
                            & $Information.DataHighlights
                        } else {
                            foreach ($Test in $Information.Tests.Values) {
                                if ($Test.Enable -eq $true) {
                                    if ($null -ne $Test.Parameters -and $Test.Parameters.ContainsKey('ExpectedValue')) {
                                        #$TemporaryResults = $ResultsCache[$Test.Name]
                                        #$StatusColor = $Script:StatusToColors[$TemporaryResults.Assessment]
                                        # We need to fix PSWriteHTML to support New-HTMLTableContent for javascript based content
                                        #New-HTMLTableContent -ColumnName $Test.Parameters.Property -RowIndex 1 -BackGroundColor $StatusColor
                    } -PagingLength 7 -DateTimeSortingFormat 'DD.MM.YYYY HH:mm:ss' -WordBreak break-all -ScrollX
        if ($Information.Solution) {
            if (($HideSteps.IsPresent -eq $false -and $FailedTestsSingular.Count -gt 0) -or $AlwaysShowSteps.IsPresent) {
                New-HTMLSection -Name 'Solution' {
                    & $Information.Solution
function Start-TestimoReportSummary {
        [System.Collections.IDictionary] $TestResults
    $ChartData = New-ChartData -Results $TestResults['Results']
    $TableData = [ordered] @{}
    foreach ($Chart in $ChartData.Keys) {
        $TableData[$Chart] = $ChartData[$Chart].Count
    $TableData['Total'] = $TestResults['Summary'].Total
    $DisplayTableData = [PSCustomObject] $TableData

    New-HTMLTab -Name 'Summary' -IconBrands galactic-senate {
        New-HTMLSection -HeaderText "Tests results" -HeaderBackGroundColor DarkGray {
            New-HTMLContainer {
                New-HTMLChart {
                    #New-ChartPie -Name 'Passed' -Value ($PassedTests.Count) -Color $ColorPassed
                    #New-ChartPie -Name 'Failed' -Value ($FailedTests.Count) -Color $ColorFailed
                    #New-ChartPie -Name 'Skipped' -Value ($SkippedTests.Count) -Color $ColorSkipped
                    foreach ($Key in $ChartData.Keys) {
                        New-ChartPie -Name $Key -Value $ChartData[$Key].Count -Color $ChartData[$Key].Color
                New-HTMLTable -DataTable $DisplayTableData -HideFooter -DisableSearch {
                    foreach ($Chart in $ChartData.Keys) {
                        New-HTMLTableContent -ColumnName $Chart -BackGroundColor $ChartData[$Chart].Color -Color Black
                    #New-HTMLTableContent -ColumnName 'Passed' -BackGroundColor $TestResults['Configuration']['Colors']['ColorPassed'] -Color $TestResults['Configuration']['Colors']['ColorPassedText']
                    #New-HTMLTableContent -ColumnName 'Failed' -BackGroundColor $TestResults['Configuration']['Colors']['ColorFailed'] -Color $TestResults['Configuration']['Colors']['ColorFailedText']
                    #New-HTMLTableContent -ColumnName 'Skipped' -BackGroundColor $TestResults['Configuration']['Colors']['ColorSkipped'] -Color $TestResults['Configuration']['Colors']['ColorSkippedText']
                } -DataStore HTML -Buttons @() -DisablePaging -DisableInfo -DisableOrdering
            } -Width '35%'
            New-HTMLContainer {
                New-HTMLText -Text @(
                    "Below you can find overall summary of all tests executed in this Testimo run."
                ) -FontSize 10pt

                $ResultsDisplay = $TestResults['Results'] | Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended, Domain, DomainController
                New-HTMLTable -DataTable $ResultsDisplay {
                    #New-HTMLTableCondition -Name 'Status' -Value $true -BackgroundColor $TestResults['Configuration']['Colors']['ColorPassed'] -Color $TestResults['Configuration']['Colors']['ColorPassedText'] #-Row
                    #New-HTMLTableCondition -Name 'Status' -Value $false -BackgroundColor $TestResults['Configuration']['Colors']['ColorFailed'] -Color $TestResults['Configuration']['Colors']['ColorFailedText'] #-Row
                    #New-HTMLTableCondition -Name 'Status' -Value $null -BackgroundColor $TestResults['Configuration']['Colors']['ColorSkipped'] -Color $TestResults['Configuration']['Colors']['ColorSkippedText'] #-Row
                    foreach ($Status in $Script:StatusTranslation.Keys) {
                        New-HTMLTableCondition -Name 'Assessment' -Value $Script:StatusTranslation[$Status] -BackgroundColor $Script:StatusTranslationColors[$Status] -Row
                    New-HTMLTableCondition -Name 'Assessment' -Value $true -BackgroundColor $TestResults['Configuration']['Colors']['ColorPassed'] -Color $TestResults['Configuration']['Colors']['ColorPassedText'] -Row
                    New-HTMLTableCondition -Name 'Assessment' -Value $false -BackgroundColor $TestResults['Configuration']['Colors']['ColorFailed'] -Color $TestResults['Configuration']['Colors']['ColorFailedText'] -Row
                } -Filtering
function Start-TestimoReportSummaryAdvanced {
        [System.Collections.IDictionary] $TestResults

    $ChartData = New-ChartData -Results $TestResults['Results']
    $TableData = [ordered] @{}
    $TableData['Total'] = 0
    foreach ($Chart in $ChartData.Keys) {
        $TableData[$Chart] = $ChartData[$Chart].Count
        $TableData['Total'] = $TableData['Total'] + $ChartData[$Chart].Count
    $DisplayTableData = [PSCustomObject] $TableData

    New-HTMLTab -Name 'Summary' -IconBrands galactic-senate {
        New-HTMLSection -Invisible {
            New-HTMLContainer {
                New-HTMLPanel {
                    New-HTMLSummary -Title 'Testimo Summary' {
                        foreach ($Source in $TestResults.BySource.Keys) {
                            $SourceData = $TestResults.BySource[$Source]
                            $Results = $TestResults.BySource[$Source].Results

                            $CountBad = 0
                            $CountGood = 0
                            foreach ($Result in $Results) {
                                if ($Result.Assessment -in 'Informational', 'Good') {
                                } else {

                            if ($CountGood -gt 0 -and $CountBad -gt 0) {
                                $ItemConfiguration = @{
                                    IconColor = 'Orange'
                                    IconSolid = 'exclamation-circle'
                            } elseif ($CountBad -gt 0) {
                                $ItemConfiguration = @{
                                    IconColor = 'Red'
                                    IconSolid = 'window-close'
                            } else {
                                $ItemConfiguration = @{
                                    IconColor   = 'DarkPastelGreen'
                                    IconRegular = 'check-circle'
                            $NameOfItem = "$($SourceData.Name) (number of tests: $($Results.Count))"
                            Write-Verbose -Message "Generating SummaryItem for $NameOfItem"
                            New-HTMLSummaryItem -Text $NameOfItem {
                                foreach ($Result in $Results) {
                                    if ($Result.Assessment -in 'Informational', 'Good') {
                                        $ItemConfigurationTest = @{
                                            IconColor   = 'DarkPastelGreen'
                                            IconRegular = 'check-circle'
                                    } else {
                                        $ItemConfigurationTest = @{
                                            IconColor = 'Red'
                                            IconSolid = 'window-close'
                                    New-HTMLSummaryItem -Text $Result.DisplayName {
                                        New-HTMLSummaryItemData -Text "type" -Value ($Result.Type -join ",")
                                        New-HTMLSummaryItemData -Text "category" -Value ($Result.Category -join ",")
                                        # New-HTMLSummaryItemData -Text "assesment" -Value $Result.Assessment
                                        # New-HTMLSummaryItemData -Text "action" -Value $Result.Action
                                        # New-HTMLSummaryItemData -Text "importance" -Value $Result.Importance
                                    } @ItemConfigurationTest
                            } @ItemConfiguration
                } -BorderRadius 0px
            } -Width '40%'
            New-HTMLContainer {
                New-HTMLPanel {
                    New-HTMLContainer {
                        New-HTMLChart {
                            #New-ChartPie -Name 'Passed' -Value ($PassedTests.Count) -Color $ColorPassed
                            #New-ChartPie -Name 'Failed' -Value ($FailedTests.Count) -Color $ColorFailed
                            #New-ChartPie -Name 'Skipped' -Value ($SkippedTests.Count) -Color $ColorSkipped
                            foreach ($Key in $ChartData.Keys) {
                                New-ChartPie -Name $Key -Value $ChartData[$Key].Count -Color $ChartData[$Key].Color
                        New-HTMLTable -DataTable $DisplayTableData -HideFooter -DisableSearch {
                            foreach ($Chart in $ChartData.Keys) {
                                New-HTMLTableContent -ColumnName $Chart -BackGroundColor $ChartData[$Chart].Color -Color Black
                            #New-HTMLTableContent -ColumnName 'Passed' -BackGroundColor $TestResults['Configuration']['Colors']['ColorPassed'] -Color $TestResults['Configuration']['Colors']['ColorPassedText']
                            #New-HTMLTableContent -ColumnName 'Failed' -BackGroundColor $TestResults['Configuration']['Colors']['ColorFailed'] -Color $TestResults['Configuration']['Colors']['ColorFailedText']
                            #New-HTMLTableContent -ColumnName 'Skipped' -BackGroundColor $TestResults['Configuration']['Colors']['ColorSkipped'] -Color $TestResults['Configuration']['Colors']['ColorSkippedText']
                        } -DataStore HTML -Buttons @() -DisablePaging -DisableInfo -DisableOrdering
                    New-HTMLContainer {
                        New-HTMLSection -HeaderText "Tests results" -HeaderBackGroundColor DarkGray {
                            $ResultsDisplay = $TestResults['Results'] | Select-Object -Property DisplayName, Type, Category, Assessment, Importance, Action, Extended, Domain, DomainController
                            New-HTMLTable -DataTable $ResultsDisplay {
                                #New-HTMLTableCondition -Name 'Status' -Value $true -BackgroundColor $TestResults['Configuration']['Colors']['ColorPassed'] -Color $TestResults['Configuration']['Colors']['ColorPassedText'] #-Row
                                #New-HTMLTableCondition -Name 'Status' -Value $false -BackgroundColor $TestResults['Configuration']['Colors']['ColorFailed'] -Color $TestResults['Configuration']['Colors']['ColorFailedText'] #-Row
                                #New-HTMLTableCondition -Name 'Status' -Value $null -BackgroundColor $TestResults['Configuration']['Colors']['ColorSkipped'] -Color $TestResults['Configuration']['Colors']['ColorSkippedText'] #-Row
                                foreach ($Status in $Script:StatusTranslation.Keys) {
                                    New-HTMLTableCondition -Name 'Assessment' -Value $Script:StatusTranslation[$Status] -BackgroundColor $Script:StatusTranslationColors[$Status] -Row
                                New-HTMLTableCondition -Name 'Assessment' -Value $true -BackgroundColor $TestResults['Configuration']['Colors']['ColorPassed'] -Color $TestResults['Configuration']['Colors']['ColorPassedText'] -Row
                                New-HTMLTableCondition -Name 'Assessment' -Value $false -BackgroundColor $TestResults['Configuration']['Colors']['ColorFailed'] -Color $TestResults['Configuration']['Colors']['ColorFailedText'] -Row
                            } -Filtering
                } -BorderRadius 0px

function Start-Testing {
        [ScriptBlock] $Execute,
        [string] $Scope,
        [string] $Domain,
        [string] $DomainController,
        [bool] $IsPDC,
        [Object] $ForestInformation,
        [Object] $DomainInformation,
        [System.Collections.IDictionary] $ForestDetails,
        [switch] $SkipRODC,
        [System.Collections.IDictionary] $Variables
    $GlobalTime = Start-TimeLog

    if ($Scope -eq 'Forest') {
        $Level = 3
        $LevelTest = 6
        $LevelSummary = 3
        $LevelTestFailure = 6
        $Config = $Script:TestimoConfiguration['ActiveDirectory']
        $SummaryText = "Forest"
    } elseif ($Scope -eq 'Domain') {
        $Level = 6
        $LevelTest = 9
        $LevelSummary = 6
        $LevelTestFailure = 9
        $Config = $Script:TestimoConfiguration['ActiveDirectory']
        $SummaryText = "Domain $Domain"
    } elseif ($Scope -eq 'DC') {
        $Level = 9
        $LevelTest = 12
        $LevelSummary = 9
        $LevelTestFailure = 12
        $Config = $Script:TestimoConfiguration['ActiveDirectory']
        $SummaryText = "Domain $Domain, $DomainController"
    } else {
        $Level = 3
        $LevelTest = 6
        $LevelSummary = 3
        $LevelTestFailure = 6
        $Config = $Script:TestimoConfiguration[$Scope]
        $SummaryText = $Scope
    # Build requirements variables
    [bool] $IsDomainRoot = $ForestInformation.Name -eq $Domain

    # Out-Begin -Type 'i' -Text $SummaryText -Level ($LevelSummary - 3) -Domain $Domain -DomainController $DomainController
    # Out-Status -Text $SummaryText -Status $null -ExtendedValue '' -Domain $Domain -DomainController $DomainController

    Out-Informative -Scope $Scope -Text $SummaryText -Status $null -ExtendedValue '' -Domain $Domain -DomainController $DomainController -Level ($LevelSummary - 3)

    $TestsSummaryTogether = @(
        foreach ($Source in $Config.Keys) {
            if ($Scope -ne $Config[$Source].Scope) {
            $CurrentSection = $Config[$Source]
            if ($null -eq $CurrentSection) {
                # Probably should write some tests
                Write-Warning "Source $Source in scope: $Scope is defined improperly. Please verify."
            if ($CurrentSection['Enable'] -eq $true) {
                $Time = Start-TimeLog
                $CurrentSource = $CurrentSection['Source']
                #$CurrentTests = $CurrentSection['Tests']
                [Array] $AllTests = $CurrentSection['Tests'].Keys

                $ReferenceID = $Source #Get-RandomStringName -Size 8
                $TestsSummary = [PSCustomobject] @{
                    Passed  = 0
                    Failed  = 0
                    Skipped = 0
                    Total   = 0 # $AllTests.Count + 1 # +1 includes availability of data test
                # build data output for extended results
                $TestOutput = [ordered] @{
                    Name             = $CurrentSource['Name']
                    SourceCode       = if ($CurrentSource['Data']) { $CurrentSource['Data'] } else { $null }
                    Details          = $CurrentSource['Details']
                    Results          = [System.Collections.Generic.List[PSCustomObject]]::new()
                    Domain           = $Domain
                    DomainController = $DomainController

                # Lets divide tests results into by type Forest/Domain/Domain Controller
                if ($Scope -in 'Forest', 'Domain', 'DC') {
                    if ($Domain -and $DomainController) {
                        $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID] = $TestOutput
                    } elseif ($Domain) {
                        $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID] = $TestOutput
                    } else {
                        $Script:Reporting['Forest']['Tests'][$ReferenceID] = $TestOutput
                } else {
                    $Script:Reporting[$Scope]['Tests'][$ReferenceID] = $TestOutput

                # Lets divide tests by source (same content/different way to use later on)
                #if (-not $Script:Reporting['BySource'][$Source]) {
                # $Script:Reporting['BySource'][$Source] = [System.Collections.Generic.List[PSCustomObject]]::new()
                $Script:Reporting['BySource'][$Source] = $TestOutput
                if (-not $CurrentSection['Source']) {
                    Write-Warning "Source $Source in scope: $Scope is defined improperly. Please verify."

                # Check if requirements are met
                if ($CurrentSource['Requirements']) {
                    if ($null -ne $CurrentSource['Requirements']['IsDomainRoot']) {
                        if (-not $CurrentSource['Requirements']['IsDomainRoot'] -eq $IsDomainRoot) {
                            Out-Skip -Scope $Scope -Test $CurrentSource['Name'] -DomainController $DomainController -Domain $Domain -TestsSummary $TestsSummary -Source $ReferenceID -Level $Level
                    if ($null -ne $CurrentSource['Requirements']['IsPDC']) {
                        if (-not $CurrentSource['Requirements']['IsPDC'] -eq $IsPDC) {
                            Out-Skip -Scope $Scope -Test $CurrentSource['Name'] -DomainController $DomainController -Domain $Domain -TestsSummary $TestsSummary -Source $ReferenceID -Level $Level
                    if ($null -ne $CurrentSource['Requirements']['OperatingSystem']) {

                    if ($null -ne $CurrentSource['Requirements']['CommandAvailable']) {
                        [Array] $Commands = foreach ($Command in $CurrentSource['Requirements']['CommandAvailable']) {
                            $OutputCommand = Get-Command -Name $Command -ErrorAction SilentlyContinue
                            if (-not $OutputCommand) {
                        if ($Commands -contains $false) {
                            $CommandsTested = $CurrentSource['Requirements']['CommandAvailable'] -join ', '
                            Out-Skip -Scope $Scope -Test $CurrentSource['Name'] -DomainController $DomainController -Domain $Domain -TestsSummary $TestsSummary -Source $ReferenceID -Level $Level -Reason "Skipping - At least one command unavailable ($CommandsTested)"
                    if ($null -ne $CurrentSource['Requirements']['IsInternalForest']) {
                        if ($CurrentSource['Requirements']['IsInternalForest'] -eq $true) {
                            if ($ForestName) {
                                Out-Skip -Scope $Scope -Test $CurrentSource['Name'] -DomainController $DomainController -Domain $Domain -TestsSummary $TestsSummary -Source $ReferenceID -Level $Level -Reason "Skipping - External forest requested. Not supported test."
                # START - Execute TEST - By getting the Data SOURCE
                Out-Informative -Scope $Scope -Text $CurrentSource['Name'] -Level $Level -Domain $Domain -DomainController $DomainController -Start
                if ($CurrentSource['Parameters']) {
                    $SourceParameters = $CurrentSource['Parameters']
                } else {
                    $SourceParameters = @{}
                if ($Scope -in 'Forest', 'Domain', 'DC') {
                    $SourceParameters['DomainController'] = $DomainController
                    if ($Scope -eq 'Forest') {
                        $SourceParameters['QueryServer'] = $ForestDetails['QueryServers']['Forest']['HostName'][0]
                    } else {
                        $SourceParameters['QueryServer'] = $ForestDetails['QueryServers'][$Domain]['HostName'][0]
                    $SourceParameters['Domain'] = $Domain
                    $SourceParameters['ForestDetails'] = $ForestDetails
                    $SourceParameters['ForestName'] = $ForestInformation.Name
                    $SourceParameters['DomainInformation'] = $DomainInformation
                    $SourceParameters['ForestInformation'] = $ForestInformation
                    $SourceParameters['SkipRODC'] = $SkipRODC.IsPresent # bool true/false
                } else {
                    $SourceParameters['Authorization'] = $Script:AuthorizationO365Cache
                    $SourceParameters['Session'] = Get-PSSession | Where-Object { $_.ComputerName -eq 'outlook.office365.com' -and $_.State -eq 'Opened' } | Select-Object -First 1
                foreach ($Variable in $Variables.Keys) {
                    $SourceParameters[$Variable] = $Variables[$Variable]
                if ($CurrentSource['Data'] -is [ScriptBlock]) {
                    if ($Script:TestimoConfiguration.Debug.ShowErrors) {
                        $OutputData = & $CurrentSource['Data'] -DomainController $DomainController -Domain $Domain
                        $OutputInvoke = @{
                            Output = $OutputData
                        $ErrorMessage = $null
                    } else {
                        $OutputInvoke = Invoke-CommandCustom -ScriptBlock $CurrentSource['Data'] -Parameter $SourceParameters -ReturnVerbose -ReturnError -ReturnWarning -AddParameter
                        if ($OutputInvoke.Error) {
                            $ErrorMessage = $OutputInvoke.Error.Exception.Message -replace "`n", " " -replace "`r", " "
                        } else {
                            $ErrorMessage = $null
                } else {
                    $OutputInvoke = @{
                        Output = $CurrentSource['DataOutput']
                $WarningsAndErrors = @(
                    #if ($ShowWarning) {
                    foreach ($War in $OutputInvoke.Warning) {
                        [PSCustomObject] @{
                            Type       = 'Warning'
                            Comment    = $War
                            Reason     = ''
                            TargetName = ''
                    #if ($ShowError) {
                    foreach ($Err in $OutputInvoke.Error) {
                        [PSCustomObject] @{
                            Type       = 'Error'
                            Comment    = $Err
                            Reason     = $Err.CategoryInfo.Reason
                            TargetName = $Err.CategoryInfo.TargetName
                Out-Informative -Scope $Scope -Text $CurrentSource['Name'] -Status $null -ExtendedValue $null -Domain $Domain -DomainController $DomainController -End
                # END - Execute TEST - By getting the Data SOURCE
                $Object = $OutputInvoke.Output
                if ($CurrentSource['Flatten'] -and $Object) {
                    $Object = $Object | ConvertTo-FlatObject

                # Add data output to extended results
                if ($Scope -in 'Forest', 'Domain', 'DC') {
                    if ($Domain -and $DomainController) {
                        $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['Data'] = $Object
                        $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['Verbose'] = $OutputInvoke.Verbose
                        $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['Warning'] = $OutputInvoke.Warning
                        $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['Error'] = $OutputInvoke.Error
                        $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['WarningsAndErrors'] = $WarningsAndErrors
                        $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['DetailsTests'] = [ordered]@{ }
                        $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['ResultsTests'] = [ordered]@{ }
                        $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['Information'] = $CurrentSection
                    } elseif ($Domain) {
                        $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['Data'] = $Object
                        $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['Verbose'] = $OutputInvoke.Verbose
                        $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['Warning'] = $OutputInvoke.Warning
                        $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['Error'] = $OutputInvoke.Error
                        $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['WarningsAndErrors'] = $WarningsAndErrors
                        $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['DetailsTests'] = [ordered]@{ }
                        $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['ResultsTests'] = [ordered]@{ }
                        $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['Information'] = $CurrentSection
                    } else {
                        $Script:Reporting['Forest']['Tests'][$ReferenceID]['Data'] = $Object
                        $Script:Reporting['Forest']['Tests'][$ReferenceID]['Verbose'] = $OutputInvoke.Verbose
                        $Script:Reporting['Forest']['Tests'][$ReferenceID]['Warning'] = $OutputInvoke.Warning
                        $Script:Reporting['Forest']['Tests'][$ReferenceID]['Error'] = $OutputInvoke.Error
                        $Script:Reporting['Forest']['Tests'][$ReferenceID]['WarningsAndErrors'] = $WarningsAndErrors
                        $Script:Reporting['Forest']['Tests'][$ReferenceID]['DetailsTests'] = [ordered]@{ }
                        $Script:Reporting['Forest']['Tests'][$ReferenceID]['ResultsTests'] = [ordered]@{ }
                        $Script:Reporting['Forest']['Tests'][$ReferenceID]['Information'] = $CurrentSection
                } else {
                    $Script:Reporting[$Scope]['Tests'][$ReferenceID]['Data'] = $Object
                    $Script:Reporting[$Scope]['Tests'][$ReferenceID]['Verbose'] = $OutputInvoke.Verbose
                    $Script:Reporting[$Scope]['Tests'][$ReferenceID]['Warning'] = $OutputInvoke.Warning
                    $Script:Reporting[$Scope]['Tests'][$ReferenceID]['Error'] = $OutputInvoke.Error
                    $Script:Reporting[$Scope]['Tests'][$ReferenceID]['WarningsAndErrors'] = $WarningsAndErrors
                    $Script:Reporting[$Scope]['Tests'][$ReferenceID]['DetailsTests'] = [ordered]@{ }
                    $Script:Reporting[$Scope]['Tests'][$ReferenceID]['ResultsTests'] = [ordered]@{ }
                    $Script:Reporting[$Scope]['Tests'][$ReferenceID]['Information'] = $CurrentSection
                # If there's no output from Source Data all other tests will fail
                if ($ErrorMessage) {
                    $FailAllTests = $true
                    $ExtendedValue = $ErrorMessage -join "; "
                    Out-Failure -Scope $Scope -Text $CurrentSource['Name'] -Level $LevelTest -ExtendedValue $ExtendedValue -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Source $CurrentSource
                    $TestsSummary.Failed = $TestsSummary.Failed + 1
                } elseif ($Object -and $CurrentSource['ExpectedOutput'] -eq $true) {
                    # Output is provided and we did expect it - passed test
                    $FailAllTests = $false
                    Out-Begin -Scope $Scope -Text $CurrentSource['Name'] -Level $LevelTest -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $CurrentSource['Name'] -Status $true -ExtendedValue 'Data is available' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Source $CurrentSource
                    $TestsSummary.Passed = $TestsSummary.Passed + 1

                } elseif ($Object -and $CurrentSource['ExpectedOutput'] -eq $false) {
                    # Output is provided, but we expected no output - failing test
                    $FailAllTests = $false
                    Out-Failure -Scope $Scope -Text $CurrentSource['Name'] -Level $LevelTest -ExtendedValue 'Data is available. This is a bad thing' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Source $CurrentSource
                    $TestsSummary.Failed = $TestsSummary.Failed + 1

                } elseif ($Object -and $null -eq $CurrentSource['ExpectedOutput']) {
                    # Output is provided, but we weren't sure if there should be output or not
                    $FailAllTests = $false
                    Out-Begin -Scope $Scope -Text $CurrentSource['Name'] -Level $LevelTest -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $CurrentSource['Name'] -Status $null -ExtendedValue 'Data is available' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Source $CurrentSource
                    #$TestsSummary.Passed = $TestsSummary.Passed + 1
                    $TestsSummary.Skipped = $TestsSummary.Skipped + 1

                } elseif ($null -eq $Object -and $CurrentSource['ExpectedOutput'] -eq $true) {
                    # Output was not provided and we expected it
                    $FailAllTests = $true
                    Out-Failure -Scope $Scope -Text $CurrentSource['Name'] -Level $LevelTest -ExtendedValue 'No data available' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Source $CurrentSource
                    $TestsSummary.Failed = $TestsSummary.Failed + 1
                } elseif ($null -eq $Object -and $CurrentSource['ExpectedOutput'] -eq $false) {
                    # This tests whether there was an output from Source or not.
                    # Sometimes it makes sense to ask for data and get null/empty in return
                    # you just need to make sure to define ExpectedOutput = $false in source definition
                    $FailAllTests = $false
                    Out-Begin -Scope $Scope -Text $CurrentSource['Name'] -Level $LevelTest -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $CurrentSource['Name'] -Status $true -ExtendedValue 'No data returned, which is a good thing' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Source $CurrentSource
                    $TestsSummary.Passed = $TestsSummary.Passed + 1
                } elseif ($null -eq $Object -and $null -eq $CurrentSource['ExpectedOutput']) {
                    # Output is not provided, but we weren't sure if there should be output or not
                    $FailAllTests = $false
                    Out-Begin -Scope $Scope -Text $CurrentSource['Name'] -Level $LevelTest -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $CurrentSource['Name'] -Status $null -ExtendedValue 'No data returned' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Source $CurrentSource
                    # $TestsSummary.Passed = $TestsSummary.Passed + 1
                    $TestsSummary.Skipped = $TestsSummary.Skipped + 1
                } else {
                    $FailAllTests = $true
                    Out-Failure -Scope $Scope -Text $CurrentSource['Name'] -Level $LevelTest -ExtendedValue 'No data available' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Source $CurrentSource
                    $TestsSummary.Failed = $TestsSummary.Failed + 1

                foreach ($Test in $AllTests) {
                    # Add content with description of the test
                    if ($Scope -in 'Forest', 'Domain', 'DC') {
                        if ($Domain -and $DomainController) {
                            $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['DetailsTests'][$Test] = $CurrentSection['Tests'][$Test]['Details']
                        } elseif ($Domain) {
                            $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['DetailsTests'][$Test] = $CurrentSection['Tests'][$Test]['Details']
                        } else {
                            $Script:Reporting['Forest']['Tests'][$ReferenceID]['DetailsTests'][$Test] = $CurrentSection['Tests'][$Test]['Details']
                    } else {
                        $Script:Reporting[$Scope]['Tests'][$ReferenceID]['DetailsTests'][$Test] = $CurrentSection['Tests'][$Test]['Details']

                    $CurrentTest = $CurrentSection['Tests'][$Test]
                    if ($CurrentTest['Enable'] -eq $True) {
                        # Check for requirements
                        if ($CurrentTest['Requirements']) {
                            if ($null -ne $CurrentTest['Requirements']['IsDomainRoot']) {
                                if (-not $CurrentTest['Requirements']['IsDomainRoot'] -eq $IsDomainRoot) {
                                    $TestsSummary.Skipped = $TestsSummary.Skipped + 1
                            if ($null -ne $CurrentTest['Requirements']['IsPDC']) {
                                if (-not $CurrentTest['Requirements']['IsPDC'] -eq $IsPDC) {
                                    $TestsSummary.Skipped = $TestsSummary.Skipped + 1
                        if (-not $FailAllTests) {
                            $testStepOneSplat = @{
                                Test             = $CurrentTest
                                Object           = $Object
                                Domain           = $Domain
                                DomainController = $DomainController
                                Level            = $LevelTest
                                TestName         = $CurrentTest['Name']
                                ReferenceID      = $ReferenceID
                                Requirements     = $CurrentTest['Requirements']
                                Scope            = $Scope
                            # We provide whatever parameters are available in Data Source to Tests (mainly for use within WhereObject)
                            #if ($CurrentSource['Parameters']) {
                            # $testStepOneSplat['Parameters'] = $CurrentSource['Parameters']
                            if ($Scope -in 'Forest', 'Domain', 'DC') {
                                if ($Scope -eq 'Forest') {
                                    $testStepOneSplat['QueryServer'] = $ForestDetails['QueryServers']['Forest']['HostName'][0]
                                } else {
                                    $testStepOneSplat['QueryServer'] = $ForestDetails['QueryServers'][$Domain]['HostName'][0]
                                $testStepOneSplat['ForestDetails'] = $ForestDetails
                                $testStepOneSplat['ForestName'] = $ForestInformation.Name
                                $testStepOneSplat['DomainInformation'] = $DomainInformation
                                $testStepOneSplat['ForestInformation'] = $ForestInformation
                            $TestsResults = Test-StepOne @testStepOneSplat
                            $TestsSummary.Passed = $TestsSummary.Passed + ($TestsResults | Where-Object { $_ -eq $true }).Count
                            $TestsSummary.Failed = $TestsSummary.Failed + ($TestsResults | Where-Object { $_ -eq $false }).Count
                        } else {
                            $TestsResults = $null
                            $TestsSummary.Failed = $TestsSummary.Failed + 1
                            Out-Failure -Scope $Scope -Text $CurrentTest['Name'] -Level $LevelTestFailure -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -ExtendedValue 'Input data not provided. Failing test.' -Source $CurrentTest
                        if ($Scope -in 'Forest', 'Domain', 'DC') {
                            if ($Domain -and $DomainController) {
                                $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Tests'][$ReferenceID]['ResultsTests'][$Test] = $TestsResults
                            } elseif ($Domain) {
                                $Script:Reporting['Domains'][$Domain]['Tests'][$ReferenceID]['ResultsTests'][$Test] = $TestsResults
                            } else {
                                $Script:Reporting['Forest']['Tests'][$ReferenceID]['ResultsTests'][$Test] = $TestsResults
                        } else {
                            $Script:Reporting[$Scope]['Tests'][$ReferenceID]['ResultsTests'][$Test] = $TestsResults
                    } else {
                        $TestsSummary.Skipped = $TestsSummary.Skipped + 1
                $TestsSummary.Total = $TestsSummary.Failed + $TestsSummary.Passed + $TestsSummary.Skipped
                Out-Summary -Scope $Scope -Text $CurrentSource['Name'] -Time $Time -Level $LevelSummary -Domain $Domain -DomainController $DomainController -TestsSummary $TestsSummary
        if ($Execute) {
            & $Execute
    $TestsSummaryFinal = [PSCustomObject] @{
        Passed  = ($TestsSummaryTogether.Passed | Measure-Object -Sum).Sum
        Failed  = ($TestsSummaryTogether.Failed | Measure-Object -Sum).Sum
        Skipped = ($TestsSummaryTogether.Skipped | Measure-Object -Sum).Sum
        Total   = ($TestsSummaryTogether.Total | Measure-Object -Sum).Sum

    if ($Scope -in 'Forest', 'Domain', 'DC') {
        if ($Domain -and $DomainController) {
            $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DomainController]['Summary'] = $TestsSummaryFinal
        } elseif ($Domain) {
            $Script:Reporting['Domains'][$Domain]['Summary'] = $TestsSummaryFinal
        } else {
            if ($Scope -ne 'Forest') {
                $Script:Reporting['Summary'] = $TestsSummaryFinal
            } else {
                $Script:Reporting['Forest']['Summary'] = $TestsSummaryFinal
    } else {
        $Script:Reporting[$Scope]['Summary'] = $TestsSummaryFinal
    Out-Summary -Scope $Scope -Text $SummaryText -Time $GlobalTime -Level ($LevelSummary - 3) -Domain $Domain -DomainController $DomainController -TestsSummary $TestsSummaryFinal
function Test-StepOne {
        [string] $Scope,
        [System.Collections.IDictionary] $Test,
        [string] $Domain,
        [string] $DomainController,
        [Array] $Object,
        [string] $TestName,
        [int] $Level,
        [string] $ReferenceID,
        [System.Collections.IDictionary] $Requirements,
        [string] $QueryServer,
        [System.Collections.IDictionary] $ForestDetails,
        [object] $DomainInformation,
        [object] $ForestInformation,
        [string] $ForestName

    [string] $OperationType = $Test.Parameters.OperationType
    if ($OperationType -eq '') { $OperationType = 'eq' }
    [string[]] $Property = $Test.Parameters.Property
    [string[]] $PropertyExtendedValue = $Test.Parameters.PropertyExtendedValue
    $ExpectedValue = $Test.Parameters.ExpectedValue
    [nullable[int]] $ExpectedCount = $Test.Parameters.ExpectedCount
    [scriptblock] $OverwriteName = $Test.Parameters.OverwriteName
    [scriptblock] $WhereObject = $Test.Parameters.WhereObject
    [nullable[bool]] $ExpectedResult = $Test.Parameters.ExpectedResult
    [nullable[bool]] $ExpectedOutput = $Test.Parameters.ExpectedOutput
    [string] $OperationResult = $Test.Parameters.OperationResult

    if ($Object) {
        if ($WhereObject) {
            $Object = $Object | Where-Object $WhereObject
        if ($null -ne $Requirements) {
            if ($null -ne $Requirements['ExpectedOutput']) {
                #if ($Requirements['MustMatch']) {
                # $TestsSummary.Skipped = $TestsSummary.Skipped + 1
                # continue

        if ($null -eq $ExpectedCount) {
            # This checks for ExpectedResult/ExpectedOutput
            # The difference is that
            # - ExpectedResult (true/false) - when ExpectedResult is True it means we filtered our objected with Where and it still provided output
            # This allows us to not check each element in Array one by one, but just assume this in bundle
            # - ExpectedOutput (true/false) - when we do Where-Object but it's possible that Array won't contain what we are looking for, and at the same time, it's not a problem
            if ($null -eq $Object) {
                if ($ExpectedResult -eq $false) {
                    Out-Begin -Scope $Scope -Text $TestName -Level $Level -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $TestName -Status $true -ExtendedValue "Data is not available. This is expected" -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Test $Test
                    return $true
                } elseif ($ExpectedResult -eq $true) {
                    Out-Begin -Scope $Scope -Text $TestName -Level $Level -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $TestName -Status $false -ExtendedValue 'Data is not available. This is not expected' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Test $Test
                    return $false
                # This checks for NULL after Where-Object
                # Data Source is not null, but after WHERE-Object becomes NULL - we need to fail this
                if ($null -eq $ExpectedOutput -or $ExpectedOutput -eq $true) {
                    Out-Begin -Scope $Scope -Text $TestName -Level $Level -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $TestName -Status $false -ExtendedValue 'Data is not available' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Test $Test
                    return $false
                } elseif ($ExpectedOutput -eq $false) {
                    Out-Begin -Scope $Scope -Text $TestName -Level $Level -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $TestName -Status $true -ExtendedValue "Data is not available, but it's not required" -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Test $Test
                    return $true
            } else {
                if ($ExpectedResult -eq $false) {
                    Out-Begin -Scope $Scope -Text $TestName -Level $Level -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $TestName -Status $false -ExtendedValue 'Data is available. This is not expected' -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Test $Test
                    return $false
                } elseif ($ExpectedResult -eq $true) {
                    Out-Begin -Scope $Scope -Text $TestName -Level $Level -Domain $Domain -DomainController $DomainController
                    Out-Status -Scope $Scope -Text $TestName -Status $true -ExtendedValue "Data is available. This is expected" -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Test $Test
                    return $true

        if ($null -ne $ExpectedCount) {
            if ($OverwriteName) {
                $TestName = & $OverwriteName
            Test-StepTwo -Scope $Scope -Test $Test -Object $Object -ExpectedCount $ExpectedCount -OperationType $OperationType -TestName $TestName -Level $Level -Domain $Domain -DomainController $DomainController -Property $Property -ExpectedValue $ExpectedValue -PropertyExtendedValue $PropertyExtendedValue -OperationResult $OperationResult -ReferenceID $ReferenceID -ExpectedOutput $ExpectedOutput
        } else {
            if ($Test.Parameters.Bundle -eq $true) {
                # We treat Input as a whole rather than line one by line
                Test-StepTwo -Scope $Scope -Test $Test -Object $Object -OperationType $OperationType -TestName $TestName -Level $Level -Domain $Domain -DomainController $DomainController -Property $Property -ExpectedValue $ExpectedValue -PropertyExtendedValue $PropertyExtendedValue -OperationResult $OperationResult -ReferenceID $ReferenceID -ExpectedOutput $ExpectedOutput
            } else {
                foreach ($_ in $Object) {
                    if ($OverwriteName) {
                        $TestName = & $OverwriteName
                    Test-StepTwo -Scope $Scope -Test $Test -Object $_ -OperationType $OperationType -TestName $TestName -Level $Level -Domain $Domain -DomainController $DomainController -Property $Property -ExpectedValue $ExpectedValue -PropertyExtendedValue $PropertyExtendedValue -OperationResult $OperationResult -ReferenceID $ReferenceID -ExpectedOutput $ExpectedOutput
function Test-StepTwo {
        [string] $Scope,
        [System.Collections.IDictionary] $Test,
        [string] $Domain,
        [string] $DomainController,
        [Array] $Object,
        [string] $TestName,
        [string] $OperationType,
        [int] $Level,
        [string[]] $Property,
        [string[]] $PropertyExtendedValue,
        [Array] $ExpectedValue,
        [nullable[int]] $ExpectedCount,
        [string] $OperationResult,
        [string] $ReferenceID,
        [nullable[bool]] $ExpectedOutput
    Out-Begin -Scope $Scope -Text $TestName -Level $Level -Domain $Domain -DomainController $DomainController

    $TemporaryBoundParameters = $PSBoundParameters

    $ScriptBlock = {
        $Operators = @{
            'lt'          = 'Less Than'
            'gt'          = 'Greater Than'
            'le'          = 'Less Or Equal'
            'ge'          = 'Greater Or Equal'
            'eq'          = 'Equal'
            'contains'    = 'Contains'
            'notcontains' = 'Not contains'
            'like'        = 'Like'
            'match'       = 'Match'
            'notmatch'    = 'Not match'
            'notin'       = 'Not in'
            'in'          = 'Either Value'
        [Object] $TestedValue = $Object
        foreach ($V in $Property) {
            $TestedValue = $TestedValue.$V
        if ($null -ne $TestedValue -and $TestedValue.GetType().BaseType.Name -eq 'Enum') {
            $TestedValue = $TestedValue.ToString()

        if ($TemporaryBoundParameters.ContainsKey('ExpectedCount')) {
            if ($null -eq $Object) {
                $TestedValueCount = 0
            } else {
                $TestedValueCount = $TestedValue.Count
            if ($OperationType -eq 'lt') {
                $TestResult = $TestedValueCount -lt $ExpectedCount
            } elseif ($OperationType -eq 'gt') {
                $TestResult = $TestedValueCount -gt $ExpectedCount
            } elseif ($OperationType -eq 'ge') {
                $TestResult = $TestedValueCount -ge $ExpectedCount
            } elseif ($OperationType -eq 'le') {
                $TestResult = $TestedValueCount -le $ExpectedCount
            } elseif ($OperationType -eq 'like') {
                # Useless - doesn't make any sense
                $TestResult = $TestedValueCount -like $ExpectedCount
            } elseif ($OperationType -eq 'contains') {
                # Useless - doesn't make any sense
                $TestResult = $TestedValueCount -contains $ExpectedCount
            } elseif ($OperationType -eq 'in') {
                # Useless - doesn't make any sense
                $TestResult = $ExpectedCount -in $TestedValueCount
            } elseif ($OperationType -eq 'notin') {
                # Useless - doesn't make any sense
                $TestResult = $ExpectedCount -notin $TestedValueCount
            } else {
                $TestResult = $TestedValueCount -eq $ExpectedCount
            $TextTestedValue = $TestedValueCount
            $TextExpectedValue = $ExpectedCount

        } elseif ($TemporaryBoundParameters.ContainsKey('ExpectedValue')) {
            $OutputValues = [System.Collections.Generic.List[Object]]::new()
            if ($null -eq $TestedValue -and $null -ne $ExpectedValue) {
                # if testedvalue is null and expected value is not null that means there's no sense in testing things
                # it should fail
                $TestResult = for ($i = 0; $i -lt $ExpectedValue.Count; $i++) {
                    $false # return fail

                    # We need to add this to be able to convert values as below for output purposes only.
                    if ($ExpectedValue[$i] -is [string] -and $ExpectedValue[$i] -like '*Get-Date*') {
                        [scriptblock] $DateConversion = [scriptblock]::Create($ExpectedValue[$i])
                        $CompareValue = & $DateConversion
                    } else {
                        $CompareValue = $ExpectedValue[$I]
                    # gather comparevalue for display purposes

                $TextExpectedValue = $OutputValues -join ', '
                $TextTestedValue = 'Null'
            } else {
                [Array] $TestResult = @(
                    if ($OperationType -eq 'notin') {
                        $ExpectedValue -notin $TestedValue
                        $TextExpectedValue = $ExpectedValue
                    } elseif ($OperationType -eq 'in') {
                        $TestedValue -in $ExpectedValue
                        $TextExpectedValue = $ExpectedValue -join ' or '
                    } else {
                        for ($i = 0; $i -lt $ExpectedValue.Count; $i++) {

                            # this check is introduced to convert Get-Date in ExpectedValue to proper values
                            # normally it wouldn't be nessecary but since we're exporting configuration to JSON
                            # it would export currentdatetime to JSON and we don't want that.
                            if ($ExpectedValue[$i] -is [string] -and $ExpectedValue[$i] -like '*Get-Date*') {
                                [scriptblock] $DateConversion = [scriptblock]::Create($ExpectedValue[$i])
                                $CompareValue = & $DateConversion
                            } else {
                                $CompareValue = $ExpectedValue[$I]
                            if ($TestedValue -is [System.Collections.ICollection] -or $TestedValue -is [Array]) {
                                $CompareObjects = Compare-Object -ReferenceObject $TestedValue -DifferenceObject $CompareValue -IncludeEqual

                                if ($OperationType -eq 'eq') {
                                    if ($CompareObjects.SideIndicator -notcontains "=>" -and $CompareObjects.SideIndicator -notcontains "<=" -and $CompareObjects.SideIndicator -contains "==") {
                                    } else {
                                } elseif ($OperationType -eq 'ne') {
                                    if ($CompareObjects.SideIndicator -contains "=>" -or $CompareObjects.SideIndicator -contains "<=") {
                                    } else {
                                } else {
                                    # Not supported for arrays
                            } else {
                                if ($OperationType -eq 'lt') {
                                    $TestedValue -lt $CompareValue
                                } elseif ($OperationType -eq 'gt') {
                                    $TestedValue -gt $CompareValue
                                } elseif ($OperationType -eq 'ge') {
                                    $TestedValue -ge $CompareValue
                                } elseif ($OperationType -eq 'le') {
                                    $TestedValue -le $CompareValue
                                } elseif ($OperationType -eq 'like') {
                                    $TestedValue -like $CompareValue
                                } elseif ($OperationType -eq 'contains') {
                                    $TestedValue -contains $CompareValue
                                } elseif ($OperationType -eq 'notcontains') {
                                    $TestedValue -notcontains $CompareValue
                                } elseif ($OperationType -eq 'match') {
                                    $TestedValue -match $CompareValue
                                } elseif ($OperationType -eq 'notmatch') {
                                    $TestedValue -notmatch $CompareValue
                                } else {
                                    $TestedValue -eq $CompareValue
                            # gather comparevalue for display purposes
                        if ($ExpectedValue.Count -eq 0) {
                            $TextExpectedValue = 'Null'
                        } else {
                            $TextExpectedValue = $OutputValues -join ', '
                    if ($null -eq $TestedValue) {
                        $TextTestedValue = 'Null'
                    } else {
                        $TextTestedValue = $TestedValue
        } else {
            if ($ExpectedOutput -eq $false) {
                [Array] $TestResult = @(
                    if ($null -eq $TestedValue) {
                    } else {
                $TextExpectedValue = 'No output'
            } else {
                # Skipped tests
                $TestResult = $null
                $ExtendedTextValue = "Test provided but no tests required."

        if ($null -eq $TestResult) {
            $ReportResult = $null
            $ReportExtended = $ExtendedTextValue
        } else {
            if ($OperationResult -eq 'OR') {
                if ($TestResult -contains $true) {
                    $ReportResult = $true
                    $ReportExtended = "Expected value ($($Operators[$OperationType])): $($TextExpectedValue)"
                } else {
                    $ReportResult = $false
                    if ($Test.Parameters.DisplayResult -ne $false) {
                        $ReportExtended = "Expected value ($($Operators[$OperationType])): $TextExpectedValue, Found value: $($TextTestedValue)"
                    } else {
                        $ReportExtended = "Expected value ($($Operators[$OperationType])): $TextExpectedValue"
            } else {
                if ($TestResult -notcontains $false) {
                    $ReportResult = $true
                    $ReportExtended = "Expected value ($($Operators[$OperationType])): $($TextExpectedValue)"
                } else {
                    $ReportResult = $false
                    if ($Test.Parameters.DisplayResult -ne $false) {
                        $ReportExtended = "Expected value ($($Operators[$OperationType])): $TextExpectedValue, Found value: $($TextTestedValue)"
                    } else {
                        $ReportExtended = "Expected value ($($Operators[$OperationType])): $TextExpectedValue"

        if ($PropertyExtendedValue.Count -gt 0) {
            $ReportExtended = $Object
            foreach ($V in $PropertyExtendedValue) {
                $ReportExtended = $ReportExtended.$V
            $ReportExtended = $ReportExtended -join ', '
        Out-Status -Scope $Scope -Text $TestName -Status $ReportResult -ExtendedValue $ReportExtended -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Test $Test
        return $ReportResult

    if ($Script:TestimoConfiguration.Debug.ShowErrors) {
        & $ScriptBlock
    } else {
        try {
            & $ScriptBlock
        } catch {
            Out-Status -Scope $Scope -Text $TestName -Status $false -ExtendedValue $_.Exception.Message -Domain $Domain -DomainController $DomainController -ReferenceID $ReferenceID -Test $Test
            return $False

$Script:TestimoConfiguration = [ordered] @{
    Types           = [ordered]@{ }
    Exclusions      = [ordered] @{
        Domains           = @()
        DomainControllers = @()
    Inclusions      = [ordered] @{
        Domains           = @()
        DomainControllers = @()
    ActiveDirectory = [ordered]@{
        ForestBackup                                 = $Backup
        ForestDHCP                                   = $ForestDHCP
        ForestReplication                            = $Replication # this should work 2012+
        ForestReplicationStatus                      = $ReplicationStatus # Thi is based on repadmin / could be useful for Windows 2008R2
        ForestOptionalFeatures                       = $OptionalFeatures
        ForestSites                                  = $Sites
        ForestSiteLinks                              = $SiteLinks
        ForestSiteLinksConnections                   = $SiteLinksConnections
        ForestRoles                                  = $ForestFSMORoles
        ForestRootKDS                                = $RootKDS
        ForestSubnets                                = $ForestSubnets
        ForestOrphanedAdmins                         = $OrphanedAdmins
        ForestTombstoneLifetime                      = $TombstoneLifetime
        ForestTrusts                                 = $Trusts
        ForestConfigurationPartitionOwners           = $ForestConfigurationPartitionOwners
        ForestConfigurationPartitionOwnersContainers = $ForestConfigurationPartitionOwnersContainers
        ForestDuplicateSPN                           = $DuplicateSPN
        ForestVulnerableSchemaClass                  = $VulnerableSchemaClass
        DomainLDAP                                   = $DomainLDAP
        DomainMachineQuota                           = $MachineQuota
        DomainDomainControllers                      = $DomainDomainControllers
        DomainRoles                                  = $DomainFSMORoles
        DomainWellKnownFolders                       = $WellKnownFolders
        DomainPasswordComplexity                     = $PasswordComplexity
        DomainGroupPolicyAssessment                  = $GroupPolicyAssessment
        DomainGroupPolicyPermissions                 = $GroupPolicyPermissions
        DomainGroupPolicyPermissionConsistency       = $GroupPolicyPermissionConsistency
        DomainGroupPolicyOwner                       = $GroupPolicyOwner
        DomainGroupPolicyADM                         = $GroupPolicyADM
        DomainGroupPolicySysvol                      = $GroupPolicySysvol
        DomainOrphanedForeignSecurityPrincipals      = $OrphanedForeignSecurityPrincipals
        DomainOrganizationalUnitsEmpty               = $OrganizationalUnitsEmpty
        DomainOrganizationalUnitsProtected           = $OrganizationalUnitsProtected
        DomainNetLogonOwner                          = $NetLogonOwner
        DomainDNSScavengingForPrimaryDNSServer       = $DNSScavengingForPrimaryDNSServer
        DomainDNSForwaders                           = $DNSForwaders
        DomainDnsZonesAging                          = $DnsZonesAging
        #DomainSecurityAdministrator = $DomainSecurityAdministrator
        DomainSecurityComputers                      = $DomainSecurityComputers
        DomainSecurityDelegatedObjects               = $DomainSecurityDelegatedObjects
        DomainSecurityGroupsAccountOperators         = $SecurityGroupsAccountOperators
        DomainSecurityGroupsSchemaAdmins             = $SecurityGroupsSchemaAdmins
        DomainSecurityUsers                          = $SecurityUsers
        DomainSecurityUsersAcccountAdministrator     = $SecurityUsersAcccountAdministrator
        DomainSecurityKrbtgt                         = $SecurityKRBGT
        DomainSysVolDFSR                             = $SysVolDFSR
        DomainDNSZonesForest0ADEL                    = $DNSZonesForest0ADEL
        DomainDNSZonesDomain0ADEL                    = $DNSZonesDomain0ADEL
        DomainDHCPAuthorized                         = $DHCPAuthorized
        DomainComputersUnsupported                   = $ComputersUnsupported
        DomainComputersUnsupportedMainstream         = $ComputersUnsupportedMainstream
        DomainExchangeUsers                          = $ExchangeUsers
        DomainDuplicateObjects                       = $DuplicateObjects
        DCInformation                                = $Information
        DCWindowsRemoteManagement                    = $WindowsRemoteManagement
        DCEventLogs                                  = $EventLogs
        DCOperatingSystem                            = $OperatingSystem
        DCServices                                   = $Services
        DCLDAP                                       = $LDAP
        DCLDAPInsecureBindings                       = $LDAPInsecureBindings
        DCPingable                                   = $Pingable
        DCPorts                                      = $Ports
        DCRDPPorts                                   = $RDPPorts
        DCRDPSecurity                                = $RDPSecurity
        DCDiskSpace                                  = $DiskSpace
        DCTimeSettings                               = $TimeSettings
        DCTimeSynchronizationInternal                = $TimeSynchronizationInternal
        DCTimeSynchronizationExternal                = $TimeSynchronizationExternal
        DCNetworkCardSettings                        = $NetworkCardSettings
        DCWindowsUpdates                             = $WindowsUpdates
        DCWindowsRolesAndFeatures                    = $WindowsRolesAndFeatures
        DCWindowsFeaturesOptional                    = $WindowsFeaturesOptional
        DCDnsResolveInternal                         = $DNSResolveInternal
        DCDnsResolveExternal                         = $DNSResolveExternal
        DCDnsNameServes                              = $DNSNameServers
        DCSMBProtocols                               = $SMBProtocols
        DCSMBShares                                  = $SMBShares
        DCSMBSharesPermissions                       = $SMBSharesPermissions
        DCDFS                                        = $DFS
        DCNTDSParameters                             = $NTDSParameters
        DCGroupPolicySYSVOLDC                        = $GroupPolicySYSVOLDC
        DCLanManagerSettings                         = $LanManagerSettings
        DCDiagnostics                                = $Diagnostics
        DCLanManServer                               = $LanManServer
        DCMSSLegacy                                  = $MSSLegacy
        DCFileSystem                                 = $FileSystem
        DCNetSessionEnumeration                      = $NetSessionEnumeration
        DCServiceWINRM                               = $ServiceWINRM
        DCUNCHardenedPaths                           = $UNCHardenedPaths
        DCDNSForwaders                               = $DCDNSForwaders
    #Office365 = [ordered]@{ }
    Debug           = [ordered] @{
        ShowErrors = $false
function Compare-Testimo {
    [cmdletbinding(DefaultParameterSetName = 'JSON')]
        [parameter(Mandatory, ParameterSetName = 'Object')]
        [parameter(Mandatory, ParameterSetName = 'JSON')]
        [string] $Name,

        [parameter(ParameterSetName = 'Object')]
        [parameter(ParameterSetName = 'JSON')]
        [parameter()][string] $DisplayName,

        [parameter(Mandatory, ParameterSetName = 'Object')]
        [parameter(Mandatory, ParameterSetName = 'JSON')]
        [string] $Scope,

        [parameter(ParameterSetName = 'Object')]
        [parameter(ParameterSetName = 'JSON')]
        [string] $Category = 'Baseline',

        [parameter(Mandatory, ParameterSetName = 'Object')][Object] $BaseLineSource,
        [parameter(Mandatory, ParameterSetName = 'Object')][Object] $BaseLineTarget,
        [parameter(Mandatory, ParameterSetName = 'JSON')][Object] $BaseLineSourcePath,
        [parameter(Mandatory, ParameterSetName = 'JSON')][Object] $BaseLineTargetPath,

        [parameter(ParameterSetName = 'Object')]
        [parameter(ParameterSetName = 'JSON')]
        [string[]] $ExcludeProperty

    $IsDsc = $false
    if ($PSBoundParameters.ContainsKey("BaseLineSourcePath")) {
        $SourcePath = Get-Item -LiteralPath $BaseLineSourcePath -ErrorAction SilentlyContinue
        $TargetPath = Get-Item -LiteralPath $BaseLineTargetPath -ErrorAction SilentlyContinue
        if (-not $SourcePath -or -not $TargetPath) {
            Out-Informative -Text "Could not find baseline source or target. Invalid path. Skipping source $Name" -Level 0 -Status $null -ExtendedValue $null
        if ($SourcePath.Extension -eq '.json' -and $TargetPath.Extension -eq '.json') {
            $BaseLineSource = Get-Content -LiteralPath $BaseLineSourcePath -Raw | ConvertFrom-Json
            $BaseLineTarget = Get-Content -LiteralPath $BaseLineTargetPath -Raw | ConvertFrom-Json
                Name            = $Name
                DisplayName     = if ($DisplayName) { $DisplayName } else { $Name }
                Scope           = $Scope
                Category        = $Category
                BaseLineSource  = $BaseLineSource
                BaseLineTarget  = $BaseLineTarget
                ExcludeProperty = $ExcludeProperty
        } elseif ($SourcePath.Extension -eq '.ps1' -and $TargetPath.Extension -eq '.ps1') {
            $IsDsc = $true
            $CommandExists = Get-Command -Name 'ConvertTo-DSCObject' -ErrorAction SilentlyContinue
            if ($CommandExists) {
                $DSCGroups = [ordered] @{}
                $DSCGroupsTarget = [ordered] @{}

                [Array] $BaseLineSource = ConvertTo-DSCObject -Path $BaseLineSourcePath
                [Array] $BaseLineTarget = ConvertTo-DSCObject -Path $BaseLineTargetPath

                foreach ($DSC in $BaseLineSource) {
                    if ($DSC.Keys -notcontains 'ResourceName') {
                        Out-Informative -Text "Reading DSC Source failed. Probably missing DSC module. File $BaseLineSourcePath" -Level 0 -Status $false -ExtendedValue $null
                    if (-not $DSCGroups[$DSC.ResourceName]) {
                        $DSCGroups[$DSC.ResourceName] = [System.Collections.Generic.List[PSCustomObject]]::new()
                    try {
                        $DSCGroups[$DSC.ResourceName].Add([PSCustomObject] $DSC)
                    } catch {
                        Out-Informative -Text "Reading DSC Source failed. Probably missing DSC module. File $BaseLineSourcePath" -Level 0 -Status $false -ExtendedValue $null
                foreach ($DSC in $BaseLineTarget) {
                    if ($DSC.Keys -notcontains 'ResourceName') {
                        Out-Informative -Text "Reading DSC Target failed. Probably missing DSC module. File $BaseLineTargetPath" -Level 0 -Status $false -ExtendedValue $null
                    if (-not $DSCGroupsTarget[$DSC.ResourceName]) {
                        $DSCGroupsTarget[$DSC.ResourceName] = [System.Collections.Generic.List[PSCustomObject]]::new()
                    $DSCGroupsTarget[$DSC.ResourceName].Add([PSCustomObject] $DSC)

                foreach ($Source in $DSCGroups.Keys) {
                    if ($DSCGroups[$Source].Count -gt 1 -or $DSCGroupsTarget[$Source].Count -gt 1) {
                        # This is to handle arrays within objects like: AADConditionalAccessPolicy
                        # By default its hard to compare array to array because the usual way is to do it by index.
                        # So we're forcing an array to become single object with it's property
                        $NewSourceObject = [ordered] @{}
                        foreach ($DSC in $DSCGroups[$Source]) {
                            if ($DSC.DisplayName) {
                                $NewSourceObject[$DSC.DisplayName] = $DSC
                            } elseif ($DSC.Name) {
                                $NewSourceObject[$DSC.Name] = $DSC
                            } elseif ($DSC.Identity) {
                                $NewSourceObject[$DSC.Identity] = $DSC
                            } else {
                                $NewSourceObject[$DSC.ResourceName] = $DSC
                        $SourceObject = [PSCustomObject] $NewSourceObject

                        $NewTargetObject = [ordered] @{}
                        foreach ($DSC in $DSCGroupsTarget[$Source]) {
                            if ($DSC.DisplayName) {
                                $NewTargetObject[$DSC.DisplayName] = $DSC
                            } elseif ($DSC.Name) {
                                $NewTargetObject[$DSC.Name] = $DSC
                            } elseif ($DSC.Identity) {
                                $NewTargetObject[$DSC.Identity] = $DSC
                            } else {
                                $NewTargetObject[$DSC.ResourceName] = $DSC
                        $TargetObject = [PSCustomObject] $NewTargetObject

                        if ($TargetObject) {
                                Name            = $Source
                                DisplayName     = $Source
                                Scope           = $Scope
                                Category        = $Category
                                BaseLineSource  = $SourceObject
                                BaseLineTarget  = $TargetObject
                                ExcludeProperty = $ExcludeProperty
                        } else {
                                Name            = $Source
                                DisplayName     = $Source
                                Scope           = $Scope
                                Category        = $Category
                                BaseLineSource  = $SourceObject
                                BaseLineTarget  = $null
                                ExcludeProperty = $ExcludeProperty
                    } else {
                        # This is standard DSC comparison
                        if ($DSCGroupsTarget[$Source]) {
                                Name            = $Source
                                DisplayName     = $Source
                                Scope           = $Scope
                                Category        = $Category
                                BaseLineSource  = if ($DSCGroups[$Source].Count -eq 1) { $DSCGroups[$Source][0] } else { $DSCGroups[$Source] }
                                BaseLineTarget  = if ($DSCGroupsTarget[$Source].Count -eq 1) { $DSCGroupsTarget[$Source][0] } else { $DSCGroupsTarget[$Source] }
                                ExcludeProperty = $ExcludeProperty
                        } else {
                                Name            = $Source
                                DisplayName     = $Source
                                Scope           = $Scope
                                Category        = $Category
                                BaseLineSource  = if ($DSCGroups[$Source].Count -eq 1) { $DSCGroups[$Source][0] } else { $DSCGroups[$Source] }
                                BaseLineTarget  = $null
                                ExcludeProperty = $ExcludeProperty
            } else {
                Out-Informative -Text "DSCParser is not available. Skipping source $Name" -Level 0 -Status $null -ExtendedValue $null
        } else {
            Out-Informative -Text "Only PS1 (DSC) and JSON files are supported. Skipping source $Name" -Level 0 -Status $null -ExtendedValue $null
        if (-not $BaseLineSource -or -not $BaseLineTarget) {
            Out-Informative -Text "Loading BaseLineSource or BaseLineTarget didn't work. Skipping source $Name" -Level 0 -Status $null -ExtendedValue $null
function Get-TestimoConfiguration {
        [switch] $AsJson,
        [string] $FilePath
    $NewConfig = [ordered] @{ }
    foreach ($Source in ($Script:TestimoConfiguration.ActiveDirectory).Keys) {
        if (-not $Script:TestimoConfiguration['ActiveDirectory'][$Source]) {
            Out-Informative -Text "Configuration for $Source is not available. Skipping source $Source" -Level 0 -Status $null -ExtendedValue $null
        $NewConfig[$Source] = [ordered] @{ }
        $NewConfig[$Source]['Enable'] = $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Enable']
        if ($null -ne $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Source']['ExpectedOutput']) {
            $NewConfig[$Source]['Source'] = [ordered] @{ }
            $NewConfig[$Source]['Source']['ExpectedOutput'] = $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Source']['ExpectedOutput']

        if ($null -ne $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Source']['Parameters']) {
            $NewConfig[$Source]['Source'] = [ordered] @{ }
            $NewConfig[$Source]['Source']['Parameters'] = $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Source']['Parameters']
        $NewConfig[$Source]['Tests'] = [ordered] @{ }
        foreach ($Test in $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'].Keys) {
            $NewConfig[$Source]['Tests'][$Test] = [ordered] @{ }
            $NewConfig[$Source]['Tests'][$Test]['Enable'] = $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Enable']
            $NewConfig[$Source]['Tests'][$Test]['Parameters'] = [ordered] @{ }

            if ($null -ne $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']) {
                if ($null -ne $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['Property']) {

                    if ($null -ne $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['Property']) {
                        $NewConfig[$Source]['Tests'][$Test]['Parameters']['Property'] = $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['Property']
                    if ($null -ne $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['ExpectedValue']) {
                        $NewConfig[$Source]['Tests'][$Test]['Parameters']['ExpectedValue'] = $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['ExpectedValue']
                    if ($null -ne $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['ExpectedCount']) {
                        $NewConfig[$Source]['Tests'][$Test]['Parameters']['ExpectedCount'] = $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['ExpectedCount']
                    if ($null -ne $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['OperationType']) {
                        $NewConfig[$Source]['Tests'][$Test]['Parameters']['OperationType'] = $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['OperationType']
                    #if ($nulle -ne $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['PropertyExtendedValue']) {
                    # $NewConfig[$Source]['Tests'][$Test]['Parameters']['PropertyExtendedValue'] = $Script:TestimoConfiguration['ActiveDirectory'][$Source]['Tests'][$Test]['Parameters']['PropertyExtendedValue']
    if ($FilePath) {
        $NewConfig | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $FilePath
    if ($AsJSON) {
        return $NewConfig | ConvertTo-Json -Depth 10
    return $NewConfig
function Get-TestimoSources {
        [string[]] $Sources,
        [switch] $SourcesOnly,
        [switch] $Enabled,
        [switch] $Advanced
    if (-not $Sources) {
        $Sources = $Script:TestimoConfiguration.ActiveDirectory.Keys
    if ($SourcesOnly) {
        return $Sources
    foreach ($S in $Sources) {
        $Object = [ordered]@{
            Source = $S
            Scope  = $Script:TestimoConfiguration.ActiveDirectory[$S].Scope
            Name   = $Script:TestimoConfiguration.ActiveDirectory[$S].Source.Name
            Tests  = $Script:TestimoConfiguration.ActiveDirectory[$S].Tests.Keys
        $Object['Area'] = $Script:TestimoConfiguration.ActiveDirectory[$S].Source.Details.Area
        $Object['Category'] = $Script:TestimoConfiguration.ActiveDirectory[$S].Source.Details.Category
        $Object['Tags'] = $Script:TestimoConfiguration.ActiveDirectory[$S].Source.Details.Tags
        $Object['Severity'] = $Script:TestimoConfiguration.ActiveDirectory[$S].Source.Details.Severity
        $Object['RiskLevel'] = $Script:TestimoConfiguration.ActiveDirectory[$S].Source.Details.RiskLevel
        $Object['Description'] = $Script:TestimoConfiguration.ActiveDirectory[$S].Source.Details.Description
        $Object['Resolution'] = $Script:TestimoConfiguration.ActiveDirectory[$S].Source.Details.Resolution
        $Object['Resources'] = $Script:TestimoConfiguration.ActiveDirectory[$S].Source.Details.Resources
        if ($Advanced) {
            $Object['Advanced'] = $Script:TestimoConfiguration.ActiveDirectory[$S]
        [PSCustomObject] $Object
function Import-PrivateModule {
        [string] $Name,
        [switch] $Portable
    try {
        $ADModule = Import-Module -PassThru -Name $Name -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -like '*was not loaded because no valid module file was found in any module directory*') {
            $Module = Get-Module -Name $Name
            #$PSD1 = -join ($Name, ".psd1")
            #$Module = [io.path]::Combine($Module.ModuleBase, $PSD1)
            if ($Module) {
                $ADModule = Import-Module $Module -PassThru
function Invoke-Testimo {
    Testimo simplifies Active Directory testing and reporting.
    Testimo simplifies Active Directory testing and reporting. It provides a way to execute tests and generate HTML reports. It's a wrapper around other modules like PSWinDocumentation, PSSharedGoods, PSEventViewer, PSWriteHTML, ADEssentials, GPOZaurr, and more.
    .PARAMETER BaselineTests
    Parameter description
    .PARAMETER Sources
    Type of report to be generated from a list of available reports.
    .PARAMETER ExcludeSources
    Type of report to be excluded from a list of available reports. By default all reports are run.
    .PARAMETER ExcludeDomains
    Exclude domain from search, by default whole forest is scanned
    .PARAMETER IncludeDomains
    Include only specific domains, by default whole forest is scanned
    .PARAMETER ExcludeDomainControllers
    Exclude specific domain controllers, by default there are no exclusions
    .PARAMETER IncludeDomainControllers
    Include only specific domain controllers, by default all domain controllers are included
    .PARAMETER IncludeTags
    Include only tests with specific tags, by default all tests are included
    .PARAMETER ExcludeTags
    Exclude tests with specific tags, by default no tests are excluded
    .PARAMETER ForestName
    Target different Forest, by default current forest is used
    .PARAMETER PassThru
    Returns created objects after the report is done
    .PARAMETER ShowErrors
    Parameter description
    .PARAMETER ExtendedResults
    Returns more information to console
    .PARAMETER Configuration
    Loads configuration from a file or an object
    .PARAMETER FilePath
    Path where the HTML report will be saved. If not specified, the report will be saved in the temporary directory and the path will be displayed in console.
    .PARAMETER ShowReport
    Parameter description
    Do not show HTML report once the tests are completed. By default HTML is opened in default browser upon completion.
    .PARAMETER HideSteps
    Do not show steps in report
    .PARAMETER AlwaysShowSteps
    Parameter description
    Skip Read-Only Domain Controllers. By default all domain controllers are included.
    .PARAMETER Online
    HTML files should use CSS/JS from the Internet (CDN). By default, CSS/JS is embedded in the HTML file which can make the file much larger in size.
    .PARAMETER ExternalTests
    Parameter description
    .PARAMETER Variables
    Parameter description
    .PARAMETER SplitReports
    Split report into multiple files, one for each report. This can be useful for large domains with huge reports.
    Invoke-Testimo -Sources DCDiskSpace, DCFileSystem
    Invoke-Testimo -Sources DCDiskSpace, DCFileSystem -SplitReports -ReportPath "$PSScriptRoot\Reports\Testimo.html" -AlwaysShowSteps
    Invoke-Testimo -Sources DomainComputersUnsupported, DomainDuplicateObjects -SplitReports -ReportPath "$PSScriptRoot\Reports\Testimo.html" -AlwaysShowSteps
    General notes

    [alias('Test-ImoAD', 'Test-IMO', 'Testimo')]
        [ScriptBlock] $BaselineTests,
        [alias('Type')][string[]] $Sources,
        [alias('ExludeType')] [string[]] $ExcludeSources,
        [string[]] $ExcludeDomains,
        [string[]] $ExcludeDomainControllers,
        [string[]] $IncludeDomains,
        [string[]] $IncludeDomainControllers,
        # this requires rebuild of all tests
        [string] $ForestName,
        [alias('ReturnResults')][switch] $PassThru,
        [switch] $ShowErrors,
        [switch] $ExtendedResults,
        [Object] $Configuration,
        [alias('ReportPath')][string] $FilePath,
        [Parameter(DontShow)][switch] $ShowReport,
        [switch] $HideHTML,
        [alias('HideSolution')][switch] $HideSteps,
        [alias('AlwaysShowSolution')][switch] $AlwaysShowSteps,
        [switch] $SkipRODC,
        [switch] $Online,
        [string[]] $ExternalTests,
        [System.Collections.IDictionary] $Variables,
        [switch] $SplitReports,
        [alias('Tags')][string[]] $IncludeTags,
        [string[]] $ExcludeTags
    if ($ShowReport) {
        Write-Warning "Invoke-Testimo - Paramter ShowReport is deprecated. By default HTML report will open up after running Testimo. If you want to prevent that, use HideHTML switch instead. This message and parameter will be removed in future releases."

    $Script:Reporting = [ordered] @{ }
    $Script:Reporting['Version'] = ''
    $Script:Reporting['Errors'] = [System.Collections.Generic.List[PSCustomObject]]::new()
    $Script:Reporting['Results'] = $null
    $Script:Reporting['Summary'] = [ordered] @{ }

    $TestimoVersion = Get-Command -Name 'Invoke-Testimo' -ErrorAction SilentlyContinue
    $ProgressPreference = 'SilentlyContinue'
    [Array] $GitHubReleases = (Get-GitHubLatestRelease -Url "https://api.github.com/repos/evotecit/Testimo/releases")
    $ProgressPreference = 'Continue'
    $LatestVersion = $GitHubReleases[0]

    if (-not $LatestVersion.Errors) {
        if ($TestimoVersion.Version -eq $LatestVersion.Version) {
            $Script:Reporting['Version'] = "Current/Latest: $($LatestVersion.Version) at $($LatestVersion.PublishDate)"
        } elseif ($TestimoVersion.Version -lt $LatestVersion.Version) {
            $Script:Reporting['Version'] = "Current: $($TestimoVersion.Version), Published: $($LatestVersion.Version) at $($LatestVersion.PublishDate). Update?"
        } elseif ($TestimoVersion.Version -gt $LatestVersion.Version) {
            $Script:Reporting['Version'] = "Current: $($TestimoVersion.Version), Published: $($LatestVersion.Version) at $($LatestVersion.PublishDate). Lucky you!"
    } else {
        $Script:Reporting['Version'] = "Current: $($TestimoVersion.Version)"
    Out-Informative -OverrideTitle 'Testimo' -Text 'Version' -Level 0 -Status $null -ExtendedValue $Script:Reporting['Version']

    if ($BaselineTests) {
        $BaseLineTestsObjects = & $BaselineTests
        if ($BaseLineTestsObjects) {
            Add-TestimoBaseLines -BaseLineObjects $BaseLineTestsObjects

    Add-TestimoSources -Folder $ExternalTests

    if (-not $Script:DefaultSources) {
        $Script:DefaultSources = Get-TestimoSources -Enabled -SourcesOnly
    } else {
        Set-TestsStatus -Sources $Script:DefaultSources

    # make sure that tests are initialized (small one line tests require more, default data)

    Import-TestimoConfiguration -Configuration $Configuration

    $global:ProgressPreference = 'SilentlyContinue'
    $global:ErrorActionPreference = 'Stop'
    $Script:TestResults = [System.Collections.Generic.List[PSCustomObject]]::new()
    $Script:TestimoConfiguration.Debug.ShowErrors = $ShowErrors
    $Script:TestimoConfiguration.Exclusions.Domains = $ExcludeDomains
    $Script:TestimoConfiguration.Exclusions.DomainControllers = $ExcludeDomainControllers
    $Script:TestimoConfiguration.Inclusions.Domains = $IncludeDomains
    $Script:TestimoConfiguration.Inclusions.DomainControllers = $IncludeDomainControllers

    if (-not $Sources -and -not ($IncludeTags -or $ExcludeTags)) {
        $Sources = $Script:DefaultSources
    Set-TestsStatus -Sources $Sources -ExcludeSources $ExcludeSources -IncludeTags $IncludeTags -ExcludeTags $ExcludeTags

    $Script:Reporting['Forest'] = [ordered] @{ }
    $Script:Reporting['Forest']['Summary'] = $null
    $Script:Reporting['Forest']['Tests'] = [ordered] @{ }
    $Script:Reporting['Domains'] = [ordered] @{ }
    $Scopes = $Script:TestimoConfiguration.Types.Keys
    foreach ($Scope in $Scopes) {
        $Script:Reporting[$Scope] = [ordered] @{ }
        $Script:Reporting[$Scope]['Summary'] = $null
        $Script:Reporting[$Scope]['Tests'] = [ordered] @{ }
    $Script:Reporting['BySource'] = [ordered] @{}

    if ($Script:TestimoConfiguration.Inclusions.Domains) {
        Out-Informative -Text 'Only following Domains will be scanned' -Level 0 -Status $null -ExtendedValue ($Script:TestimoConfiguration.Inclusions.Domains -join ', ')
    if ( $Script:TestimoConfiguration.Inclusions.DomainControllers) {
        Out-Informative -Text 'Only following Domain Controllers will be scanned' -Level 0 -Status $null -ExtendedValue ($Script:TestimoConfiguration.Inclusions.DomainControllers -join ', ')
    # We only exclude if inclusion is not specified for Domains
    if ($Script:TestimoConfiguration.Exclusions.Domains -and -not $Script:TestimoConfiguration.Inclusions.Domains) {
        Out-Informative -Text 'Following Domains will be ignored' -Level 0 -Status $null -ExtendedValue ($Script:TestimoConfiguration.Exclusions.Domains -join ', ')
    # We only exclude if inclusion is not specified for Domain Controllers
    if ( $Script:TestimoConfiguration.Exclusions.DomainControllers -and -not $Script:TestimoConfiguration.Inclusions.DomainControllers) {
        Out-Informative -Text 'Following Domain Controllers will be ignored' -Level 0 -Status $null -ExtendedValue ($Script:TestimoConfiguration.Exclusions.DomainControllers -join ', ')

    Get-RequestedSources -Sources $Sources -ExcludeSources $ExcludeSources -IncludeTags $IncludeTags -ExcludeTags $ExcludeTags

    if ($Script:TestimoConfiguration['Types']['ActiveDirectory']) {
        $ForestDetails = Get-WinADForestDetails -WarningVariable ForestWarning -WarningAction SilentlyContinue -Forest $ForestName -ExcludeDomains $ExcludeDomains -IncludeDomains $IncludeDomains -IncludeDomainControllers $IncludeDomainControllers -ExcludeDomainControllers $ExcludeDomainControllers -SkipRODC:$SkipRODC -Extended
        if ($ForestDetails) {
            # Tests related to FOREST
            $null = Start-Testing -Scope 'Forest' -ForestInformation $ForestDetails.Forest -ForestDetails $ForestDetails -SkipRODC:$SkipRODC -Variables $Variables {
                # Tests related to DOMAIN
                foreach ($Domain in $ForestDetails.Domains) {
                    $Script:Reporting['Domains'][$Domain] = [ordered] @{ }
                    $Script:Reporting['Domains'][$Domain]['Summary'] = [ordered] @{ }
                    $Script:Reporting['Domains'][$Domain]['Tests'] = [ordered] @{ }
                    $Script:Reporting['Domains'][$Domain]['DomainControllers'] = [ordered] @{ }

                    if ($ForestDetails['DomainsExtended']["$Domain"]) {
                        Start-Testing -Scope 'Domain' -Domain $Domain -DomainInformation $ForestDetails['DomainsExtended']["$Domain"] -ForestInformation $ForestDetails.Forest -ForestDetails $ForestDetails -SkipRODC:$SkipRODC -Variables $Variables {
                            # Tests related to DOMAIN CONTROLLERS
                            if (Get-TestimoSourcesStatus -Scope 'DC') {
                                foreach ($DC in $ForestDetails['DomainDomainControllers'][$Domain]) {
                                    $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DC.HostName] = [ordered] @{ }
                                    $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DC.HostName]['Summary'] = [ordered] @{ }
                                    $Script:Reporting['Domains'][$Domain]['DomainControllers'][$DC.HostName]['Tests'] = [ordered] @{ }
                                    Start-Testing -Scope 'DC' -Domain $Domain -DomainController $DC.HostName -IsPDC $DC.IsPDC -DomainInformation $ForestDetails['DomainsExtended']["$Domain"] -ForestInformation $ForestDetails.Forest -ForestDetails $ForestDetails -Variables $Variables
        } else {
            Write-Color -Text '[e]', '[Testimo] ', "Forest Information couldn't be gathered. ", "[", "Error", "] ", "[", $ForestWarning, "]" -Color Red, DarkGray, Yellow, Cyan, DarkGray, Cyan, Cyan, Red, Cyan
    foreach ($Scope in $Scopes | Where-Object { $_ -notin 'ActiveDirectory' }) {
        if ($Script:TestimoConfiguration['Types'][$Scope]) {
            $null = Start-Testing -Scope $Scope -Variables $Variables
    $Script:Reporting['Results'] = $Script:TestResults

    if ($PassThru -and $ExtendedResults) {
    } else {
        if ($PassThru) {
    if (-not $FilePath) {
        $FilePath = Get-FileName -Extension 'html' -Temporary

    Start-TestimoReport -Scopes $Scopes -FilePath $FilePath -Online:$Online -ShowHTML:(-not $HideHTML.IsPresent) -TestResults $Script:Reporting -HideSteps:$HideSteps -AlwaysShowSteps:$AlwaysShowSteps -SplitReports:$SplitReports

[scriptblock] $SourcesAutoCompleter = {
    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
    ) | Sort-Object | Where-Object { $_ -like "*$wordToComplete*" }
Register-ArgumentCompleter -CommandName Invoke-Testimo -ParameterName Sources -ScriptBlock $SourcesAutoCompleter
Register-ArgumentCompleter -CommandName Invoke-Testimo -ParameterName ExcludeSources -ScriptBlock $SourcesAutoCompleter
Register-ArgumentCompleter -CommandName Get-TestimoSources -ParameterName Sources -ScriptBlock $SourcesAutoCompleter

# Export functions and aliases as required
Export-ModuleMember -Function @('Compare-Testimo','Get-TestimoConfiguration','Get-TestimoSources','Import-PrivateModule','Invoke-Testimo') -Alias @('Testimo','Test-IMO','Test-ImoAD')

# SIG # Begin signature block
# qlVcq1Lgd0zhJ9us2vdrZ83jJ3PXr6CCJrQwggWNMIIEdaADAgECAhAOmxiO+dAt
# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV
# ggIBAL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3E
# MB/zG6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKy
# xl7sWxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU1
# 5zHL2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJB
# MtfbBHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObUR
# WBf3JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6
# nj3cAORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxB
# YKqxYxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5S
# UUd0viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+x
# q4aLT8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjggE6MIIB
# Y2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNv
# aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENB
# Vec4X6CjdBs9thbX979XB72arKGHLOyFXqkauyL4hxppVCLtpIh3bb0aFPQTSnov
# Lbc47/T/gLn4offyct4kvFIDyE7QKt76LVbP+fT3rDB6mouyXtTP0UNEm0Mh65Zy
# oUi0mcudT6cGAxN3J0TU53/oWajwvy8LpunyNDzs9wPHh6jSTEAZNUZqaVSwuKFW
# juyk1T3osdz9HNj0d1pcVIxv76FQPfx2CWiEn2/K2yCNNWAcAgPLILCsWKAOQGPF
# mCLBsln1VWvPJ6tsds5vIy30fnFqI2si/xK4VC0nftg62fC2h5b9W9FcrBjDTZ9z
# twGpn1eqXijiuZQwggWQMIIDeKADAgECAhAFmxtXno4hMuI5B72nd3VcMA0GCSqG
# aTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/zG6Q4FutWxpdtHauyefLK
# EdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZanMylNEQRBAu34LzB4Tm
# dDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7sWxq868nPzaw0QF+xembu
# d8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL2pNe3I6PgNq2kZhAkHnD
# eMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfbBHMqbpEBfCFM1LyuGwN1
# XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3JFxGj2T3wWmIdph2PVld
# QnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3cAORFJYm2mkQZK37AlLTS
# YW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqxYxhElRp2Yn72gLD76GSm
# M9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0viastkF13nqsX40/ybzT
# QRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aLT8LWRV+dIPyhHsXAj6Kx
# hkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNkaA9Wz3eucPn9mkqZucl4
# aWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK7VB6fWIhCoDIc2bRoAVg
# X+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eBcg3AFDLvMFkuruBx8lbk
# apdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp5aPNoiBB19GcZNnqJqGL
# 3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vriRbgjU2wGb2dVf0a1TD9u
# KFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ79ARj6e/CVABRoIoqyc54
# zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5nLGbsQAe79APT0JsyQq8
# 7kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3i0objwG2J5VT6LaJbVu8
# aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0HEEcRrYc9B9F1vM/zZn4w
# g9GeTKJtoLDMg/la9hGhRBVCX6SI82j6ffOciQt/nR+eDzMfUBMLJnOWbfhXqAJ9
# /UO0hNoR8XOxs+4rgISKIhjf69o9xBd/qxkrPkLcZ47qUT3w1lbU5ygt69OxtXXn
# HwZljZQp09nsad/ZkIdGAHvbREGJ3HxqV3rwN3mfXazL6IRktFLydkf3YYMZ3V+0
# VAshaG43IbtArF+y3kp9zvU5EmfvDqVjbOSmxR3NNg1c1eYbqMFkdECnwHLFuk4f
# sbVYTXn+149zk6wsOeKlSNbwsDETqVcplicu9Yemj052FVUmcJgmf6AaRyBD40Nj
# gHt1biclkJg6OBGz9vae5jtb7IHeIhTZgirHkr+g3uM+onP65x9abJTyUpURK1h0
# QCirc0PO30qhHGs4xSnzyqqWc0Jon7ZGs506o9UD4L/wojzKQtwYSH8UNM/STKvv
# mz3+DrhkKvp1KCRB7UK/BZxmSVJQ9FHzNklNiyDSLFc1eSuo80VgvCONWPfcYd6T
# /jnA+bIwpUzX6ZhKWD7TA4j+s4/TXkt2ElGTyYwMO1uKIqjBJgj5FBASA31fI7tk
# 42PgpuE+9sJ0sj8eCXbsq11GdeJgo1gJASgADoRU7s7pXcheMBK9Rp6103a50g5r
# FgQUuhbZbU2FL3MpdpovdYxqII+eyG8wHwYDVR0jBBgwFoAU7NfjgtJxXWRM3y5n
# Y29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
# aUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8v
# Y3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNybDAgBgNV
# AH1ZjsCTtm+YqUQiAX5m1tghQuGwGC4QTRPPMFPOvxj7x1Bd4ksp+3CKDaopafxp
# zpVpP0d3+3J0FNf/q0+KLHqrhc1DX+1gtqpPkWaeLJ7giqzl/Yy8ZCaHbJK9nXzQ
# cAp876i8dU+6WvepELJd6f8oVInw1YpxdmXazPByoyP6wCeCRK6ZJxurJB4mwbfe
# Kuv2nrF5mYGjVoarCkXJ38SNoOeY+/umnXKvxMfBwWpx2cYTgAnEtp/Nh4cku0+j
# Sbl3ZpHxcpzpSwJSpzd+k1OsOx0ISQ+UzTl63f8lY5knLD0/a6fxZsNBzU+2QJsh
# IUDQtxMkzdwdeDrknq3lNHGS1yZr5Dhzq6YBT70/O3itTK37xJV77QpfMzmHQXh6
# OOmc4d0j/R0o08f56PGYX/sr2H7yRp11LB4nLCbbbxV7HhmLNriT1ObyF5lZynDw
# N7+YAN8gFk8n+2BnFqFmut1VwDophrCYoCvtlUG3OtUVmDG0YgkPCr2B2RP+v6TR
# 81fZvAT6gt4y3wSJ8ADNXcL50CN/AAvkdgIm2fBldkKmKYcJRyvmfxqkhQ/8mJb2
# NH1MgFcSa0OamfLFOx/y78tHWhOmTLMBICXzENOLsvsI8IrgnQnAZaf6mIBJNYc9
# URnokCF4RS6hnyzhGMIazMXuk0lwQjKP+8bqHPNlaJGiTUyCEUhSaN4QvRRXXegY
# E2XFf7JPhSxIpFaENdb5LpyqABXRN/4aBpTCfMjqGzLmysL0p6MDDnSlrzm2q2AS
# 4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJa
# wv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+w
# c86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eR
# Gv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3sMJN2FKZbS110YU0/EpF2
# ZFTBzCEa6DgZfGYczXg4RTCZT/9jT0y7qg0IU0F8WD1Hs/q27IwyCQLMbDwMVhEC
# O/hfEYb7/mF7CIhl9E5CMB8GA1UdIwQYMBaAFOzX44LScV1kTN8uZz/nupiuHA9P
# BgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1
# c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybDMuZGln
# mdNW4AIapfhINPMstuZ0ZveUcrEAyq9sMCcTEp6QRJ9L/Z6jfCbVN7w6XUhtldU/
# SfQnuxaBRVD9nL22heB2fjdxyyL3WqqQz/WTauPrINHVUHmImoqKwba9oUgYftzY
# gBoRGRjNYZmBVvbJ43bnxOQbX0P4PpT/djk9ntSZz0rdKOtfJqGVWEjVGv7XJz/9
# kNF2ht0csGBc8w2o7uCJob054ThO2m67Np375SFTWsPK6Wrxoj7bQ7gzyE84FJKZ
# 9d3OVG3ZXQIUH0AzfAPilbLCIXVzUstG2MQ0HKKlS43Nb3Y3LIU/Gs4m6Ri+kAew
# Q3+ViCCCcPDMyu/9KTVcH4k4Vfc3iosJocsL6TEa/y4ZXDlx4b6cpwoG1iZnt5Lm
# Tl/eeqxJzy6kdJKt2zyknIYf48FWGysj/4+16oh7cGvmoLr9Oj9FpsToFpFSi0HA
# SIRLlk2rREDjjfAVKM7t8RhWByovEMQMCGQ8M4+uKIw8y4+ICw2/O/TOHnuO77Xr
# y7fwdxPm5yg/rBKupS8ibEH5glwVZsxsDsrFhsP2JjMMB0ug0wcCampAMEhLNKhR
# ILutG4UI4lkNbcoFUCvqShyepf2gpx8GdOfy1lKQ/a+FSCH5Vzu0nAPthkX0tGFu
# v2jiJmCG6sivqf6UHedjGzqGVnhOMIIGwjCCBKqgAwIBAgIQBUSv85SdCDmmv9s/
# ejsqnGfcYhVYwamTEafNqrJq3RApih5iY2nTWJw1cb86l+uUUI8cIOrHmjsvlmbj
# aedp/lvD1isgHMGXlLSlUIHyz8sHpjBoyoNC2vx/CSSUpIIa2mq62DvKXd4ZGIX7
# ReoNYWyd/nFexAaaPPDFLnkPG2ZS48jWPl/aQ9OE9dDH9kgtXkV1lnX+3RChG4PB
# uOZSlbVH13gpOWvgeFmX40QrStWVzu8IF+qCZE3/I+PKhu60pCFkcOvV5aDaY7Mu
# 6QXuqvYk9R28mxyyt1/f8O52fTGZZUdVnUokL6wrl76f5P17cz4y7lI0+9S769Sg
# LDSb495uZBkHNwGRDxy1Uc2qTGaDiGhiu7xBG3gZbeTZD+BYQfvYsSzhUa+0rRUG
# FOpiCBPTaR58ZE2dD9/O0V6MqqtQFcmzyrzXxDtoRKOlO0L9c33u3Qr/eTQQfqZc
# ClhMAD6FaXXHg2TWdc2PEnZWpST618RrIbroHzSYLzrqawGw9/sqhux7UjipmAmh
# cbJsca8+uG+W1eEQE/5hRwqM/vC2x9XH3mwk8L9CgsqgcT2ckpMEtGlwJw1Pt7U2
# 0clfCKRwo+wK8REuZODLIivK8SgTIUlRfgZm0zu++uuRONhRB8qUt+JQofM604qD
# hkgBhv1sBwEwHwYDVR0jBBgwFoAUuhbZbU2FL3MpdpovdYxqII+eyG8wHQYDVR0O
# BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wWAYIKwYBBQUHMAKGTGh0dHA6
# qbWYF7xwjU+KPGic2CX/yyzkzepdIpLsjCICqbjPgKjZ5+PF7SaCinEvGN1Ott5s
# 1+FgnCvt7T1IjrhrunxdvcJhN2hJd6PrkKoS1yeF844ektrCQDifXcigLiV4JZ0q
# BXqEKZi2V3mP2yZWK7Dzp703DNiYdk9WuVLCtp04qYHnbUFcjGnRuSvExnvPnPp4
# 4pMadqJpddNQ5EQSviANnqlE0PjlSXcIWiHFtM+YlRpUurm8wWkZus8W8oM3NG6w
# iQPq1JE3701S88lgIcRWR+3aEUuMMsOI5ljitts++V+wQtaP4xeR0arAVeOGv6wn
# LEHQmjNKqDbUuXKWfpd5OEhfysLcPTLfddY2Z1qJ+Panx+VPNTwAvb6cKmx5Adza
# ROY63jg7B145WPR8czFVoIARyxQMfq68/qTreWWqaNYiyjvrmoI1VygWy2nyMpqy
# 0tg6uLFGhmu6F/3Ed2wVbK6rr3M66ElGt9V/zLY4wNjsHPW2obhDLN9OTH0eaHDA
# dwrUAuBcYLso/zjlUlrWrBciI0707NMX+1Br/wd3H3GXREHJuEbTbDJ8WC9nR2Xl
# A4ICDwAwggIKAoICAQCUmgeXMQtIaKaSkKvbAt8GFZJ1ywOH8SwxlTus4McyrWmV
# OrRBVRQA8ApF9FaeobwmkZxvkxQTFLHKm+8knwomEUslca8CqSOI0YwELv5EwTVE
# h0C/Daehvxo6tkmNPF9/SP1KC3c0l1vO+M7vdNVGKQIQrhxq7EG0iezBZOAiukNd
# GVXRYOLn47V3qL5PwG/ou2alJ/vifIDad81qFb+QkUh02Jo24SMjWdKDytdrMXi0
# 235CN4RrW+8gjfRJ+fKKjgMImbuceCsi9Iv1a66bUc9anAemObT4mF5U/yQBgAuA
# o3+jVB8wiUd87kUQO0zJCF8vq2YrVOz8OJmMX8ggIsEEUZ3CZKD0hVc3dm7cWSAw
# 8/FNzGNPlAaIxzXX9qeD0EgaCLRkItA3t3eQW+IAXyS/9ZnnpFUoDvQGbK+Q4/bP
# 0ib98XLfQpxVGRu0cCV0Ng77DIkRF+IyR1PcwVAq+OzVU3vKeo25v/rntiXCmCxi
# W4oHYO28eSQ/eIAcnii+3uKDNZrI15P7VxDrkUIc6FtiSvOhwc3AzY+vEfivUkFK
# RqwvSSr4fCrrkk7z2Qe72Zwlw2EDRVHyy0fUVGO9QMuh6E3RwnJL96ip0alcmhKA
# BGoIqSW05nXdCUbkXmhPCTT5naQDuZ1UkAXbZPShKjbPwzdXP2b8I9nQ89VSgQID
# My5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQw
# Y29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAy
# cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGUBggrBgEFBQcBAQSBhzCBhDAkBggr
# dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2Rl
# ZHzoWs6EBlTFyohvkpclVCuRdQW33tS6vtKPOucpDDv4wsA+6zkJYI8fHouW6Tqa
# 1W47YSrc5AOShIcJ9+NpNbKNGih3doSlcio2mUKCX5I/ZrzJBkQpJ0kYha/pUST2
# CbE3JroJf2vQWGUiI+J3LdiPNHmhO1l+zaQkSxv0cVDETMfQGZKKRVESZ6Fg61b0
# djvQSx510MdbxtKMjvS3ZtAytqnQHk1ipP+Rg+M5lFHrSkUlnpGa+f3nuQhxDb7N
# 9E8hUVevxALTrFifg8zhslVRH5/Df/CxlMKXC7op30/AyQsOQxHW1uNx3tG1DMgi
# zpwBasrxh6wa7iaA+Lp07q1I92eLhrYbtw3xC2vNIGdMdN7nd76yMIjdYnAn7r38
# wwtaJ3KYD0QTl77EB8u/5cCs3ShZdDdyg4K7NoJl8iEHrbqtooAHOMLiJpiL2i9Y
# n8kQMB6/Q6RMO3IUPLuycB9o6DNiwQHf6Jt5oW7P09k5NxxBEmksxwNbmZvNQ65Z
# n3exUAKqG+x31Egz5IZ4U/jPzRalElEIpS0rgrVg8R8pEOhd95mEzp5WERKFyXhe
# 6nB6bSYHv8clLAV0iMku308rpfjMiQkqS3LLzfUJ5OHqtKKQNMLxz9z185UCszGC
# BgkqhkiG9w0BAQEFAASCAgBUTVpI3O1yGUtuTGO0J85gBxVcotFPae+jlEEQVtkd
# 1ZR3PlYj8PtIWSwIJf1rP/DyrTeNUoB1R5y7dxQ8WShb1YekGAqDDe+rp5DDy1Oz
# MHHgBI/Qvf58aZjGw+AuYmDPeTPIssfkonHEzPdJPKEcdDJ0QzlE4qLCIThMO75v
# dJGdpeSrkoRbE4C8VgJbLz3AObE5wUZXURRJTj1ZvRVyaLm+v9WyuZ/spoi1ef/l
# vt6rsA6F8azbqVvvrvJEQTO6O/UOwQk78cAJlnVw0QvTpa9KHB3TBBQQbuFRU0Ur
# iV654x61oV8WmD+fC6r1TChhUxUYYDRb9XiwVrvc28CYDDOJvZGVLsmf7/9DRDGY
# 6/esTp/7115MSqnVyluWPDDLDRNr5E446163C4pHzjqudIsA1lYtxaCqqMYKXJ43
# gv7Ubo2z7JsyFilhYH0mq1yLK2ahSL9kqoS7M2ms9RETUYmH4Lb6ck0h7s/d/K5f
# MqdG/OvZWWPPUnCVjReEhzfNdUOEJc5JS9zpe1ytTM35WY6UJi4UM0Ss1mCN/d3t
# s9+KbfSWPxXXJYyDSTUV2b2jjqs+Ov/Pg2F8w3PYluLCitHk0NDWUswY8GENl5nW
# BCD62C7eFwpvbrGoukB/BqPfz+tRCrEfQcGTs0gOGahdgTANBgkqhkiG9w0BAQEF
# qJLhQQ7vnf1VfcPDHOc1MhzHyjoTzs+POu4iw1skr3fhhmoheUQ6jhgncLem9eTW
# wZf8+yk/ehCa1/f9qGSDHxDXH118ip/ibfRPYb/lDilWN7ig8HBzjB64P8oPk1CP
# yazPMqIJOSBMExZ5Jog5odzqA1aDkj7oSFUsDNwyg88T/0TnirHSFNMG+wFr4zBA
# qijvcEiCERClp9CgpwgyA8pMK1NRq+LZzcPrpG6lGLuCNBBiEriOxisFIMLS/lbU
# EWUqGWHgE1kgQykfHMDDhPlM1xvY8XHjTB04rfA6EShuUDrGmFAd5Qc+4xhPOIFX
# JEEdzap58RaOKGMG3Nr5+Hq4yQVuLQPepa4nHM8tYfu3P36kmB7v8VWO0clap18/
# iQHojZHcNAM3u/5Gd4ulx4rJPi9JAm0inJbpq+jkMGm2kkt4FshuvdUV+YhyaCL9
# OlaAnDbhlKa0st9EymO3Chv9MI9vYswyajGrRFNrcez4SVd7bj6y7qVfdDiJUrm6
# 8Pk064sdgPt7RMXjLRZGIrk0/ldYo82Y8Gt1E6hIppHyn0L/6/nk5JOw+cRliOSm
# eD4vUL8hzVRtbJSdnta6YllHpPmUGyh/OTs8tbAfLJslg/lASA==
# SIG # End signature block