top of page
Writer's pictureWill Francillette

MDI: PowerShell Configuration Checker



Defender for Identity is a solution that monitor your on-premises Active Directory Domain Services signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. (What is Microsoft Defender for Identity?)


The deployment and configuration of the events involve multiple manual steps and it's easy to miss some.

Raymond Roethof (Thalpius) has developed a C# application to check if all those events are configured properly. It is an amazing solution but I wanted to run the checker as a command line and thought why not use Raymond's work and adapt it as a script using PowerShell?!


The configuration checker looks at the following events:

  • LDAP queries: Event ID 1644

  • NTLM authentication activities: Event ID 8004

  • Audit policies: Event IDs 4776, 4741, 4743, 4753, 4763, 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758, 4726, 4662, 5136, 7045

  • Object auditing: Events ID 4662

  • ADFS objects audit: Event IDs 1202, 1203, 4624, 6425

  • Exchange object audit

You can download the script from my Github repository: French365Connection/ConfigurationChecker.ps1


The execution of the script is very simple:

  • a single parameter is needed AdvancedAuditGroupPolicyName: the display name of the policy that contains your advanced audit settings

  • run as Administrator

  • run on a Domain Controller


Run it as follow

.\ConfigurationChecker.ps1

You will be requested to enter the display name of your advanced audit policy

or that way

.\ConfigurationChecker.ps1 -AdvancedAuditGroupPolicyName "Default Domain Controllers Policy"

It is the first version of the script so it doesn't support advanced scenarios such as multiple domains.

If you find an issue with the script, feel free to raise it on my repo: Issues


A massive thanks to Raymond for allowing me to use his work as a baseline - Don't hesitate to visit his blog and repo - I learn so much from his posts, his expertise is just on another level 💪.


1,093 views0 comments

Comments


bottom of page