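<#
.SYNOPSIS
Active Directory Audit Report - critical DC events.
.DESCRIPTION
Counts audit events per category on each listed domain controller for the
last N hours and writes an HTML summary table.
Events are read remotely with Get-WinEvent -ComputerName, so the account that
runs this needs remote event-log access on every DC. NOTE(review): reading the
Security log normally requires more than plain "Event Log Readers" membership -
confirm the required rights in your environment before scheduling this.
.PARAMETER DomainControllers
Host names of the DCs to query. NOTE(review): the Security log is local to each
DC, so a DC that is not listed contributes nothing to the counts - list every
writable DC or the report is partial.
.PARAMETER Hours
Look-back window in hours. Must be at least 1: a value of 0 or a negative
number would put the start time at or after "now" and silently report zeros.
#>
param(
    [ValidateNotNullOrEmpty()]
    [string[]]$DomainControllers = @("DC01","DC02"),
    [ValidateRange(1, 2147483647)]
    [int]$Hours = 24
)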
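# Report rows: category -> row label -> event ID(s) to count for that row.
# Notes for whoever reads the numbers:
#  * The Security log splits group events by group scope (domain-local /
#    global / universal). The original table only listed the domain-local
#    IDs, so membership changes to global groups such as Domain Admins were
#    never counted; every group row now lists all three scopes.
#  * The distribution-group rows were shifted by one ID (4745 is "group
#    changed", 4746 "member added", 4747 "member removed", 4748 "group
#    deleted"); they are corrected below, old values noted inline.
#  * 5136 / 5137 / 5141 are the generic "directory service object modified /
#    created / deleted" events, not GPO-specific: they fire for any object
#    covered by the SACL, and a GPO link change is recorded as 5136 on the
#    container's gPLink attribute rather than as 5137. The row labels are
#    kept for report continuity but read them with that in mind.
#  * 2889 (simple LDAP bind without signing, or over cleartext) is written
#    to the "Directory Service" log, not "Security", and only when the
#    "16 LDAP Interface Events" diagnostic level is raised on the DC - a
#    query against the Security log for this ID always yields nothing.
$eventMap = @{
    "User Management" = @{
        "User Creation"        = 4720
        "User Deletion"        = 4726
        "User Modification"    = 4738
        "User Enabled"         = 4722
        "User Disabled"        = 4725
        "User Password Set"    = 4724
        # 628 is the pre-Windows Server 2008 "password set" ID; it never
        # matches on supported DCs and is kept only so existing filters do
        # not change.
        "User Password Change" = @(628,4723)
        # NOTE(review): lockouts are typically recorded on the PDC emulator,
        # so this row is only meaningful if the PDC is in the DC list.
        "Locked out Users"     = 4740
        "Unlocked Users"       = 4767
    }
    "Group Management" = @{
        # order: domain-local, global, universal
        "Security Group Creation"                = @(4731,4727,4754)
        "Security Group Deletion"                = @(4734,4730,4758)
        "Distribution Group Creation"            = @(4744,4749,4759)
        "Distribution Group Deletion"            = @(4748,4753,4763)  # was 4747 (member removed)
        "Member Added To Security Group"         = @(4732,4728,4756)
        "Member Removed From Security Group"     = @(4733,4729,4757)
        "Member Added To Distribution Group"     = @(4746,4751,4761)  # was 4745 (group changed)
        "Member Removed From Distribution Group" = @(4747,4752,4762)  # was 4746 (member added)
    }
    "Computer Management" = @{
        "Computer Creation"     = 4741
        "Computer Deletion"     = 4743
        "Computer Modification" = 4742
    }
    "GPO Management" = @{
        "GPO Creation/Modification" = 5136   # DS object modified (any object, not only GPOs)
        "GPO Deletion"              = 5141   # DS object deleted
        "GPO Link Changes"          = 5137   # DS object created - see note above
    }
    "Domain Policy Changes" = @{
        "Domain Policy Changes" = 4739
    }
    "LDAP Auditing" = @{
        "Unsecure LDAP Binds" = 2889       # lives in the "Directory Service" log
    }
}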
# One row per (DC, category, event); the HTML section at the bottom reads this.
$results = @()
# Lower bound of the query window, fixed once so every DC and row is measured
# against the same instant.
$startTime = [datetime]::Now.AddHours(-1 * $Hours)
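# Event IDs that are NOT written to the Security log. 2889 (simple LDAP bind
# without signing / over cleartext) is raised into the "Directory Service" log
# and only appears when the "16 LDAP Interface Events" diagnostic level is
# raised on the DC. Querying it from the Security log (the previous behaviour)
# can never return anything.
$logNameByEventId = @{
    2889 = "Directory Service"
}

function Get-EventCountResult {
    <#
    .SYNOPSIS
    Counts matching events on one computer and reports whether the query worked.
    .DESCRIPTION
    Wraps Get-WinEvent so that "no matching events" (a legitimate zero) is
    told apart from "the query failed" (unreachable host, access denied, log
    not present, ...). For an audit report the distinction matters: a failed
    query that is rendered as a clean 0 hides the very activity the report is
    meant to surface.
    .PARAMETER ComputerName
    Host to query (passed to Get-WinEvent -ComputerName).
    .PARAMETER EventIDs
    Event IDs to match; all are looked up in the same log.
    .PARAMETER StartTime
    Only events at or after this time are counted.
    .PARAMETER LogName
    Event log to query; defaults to "Security".
    .OUTPUTS
    PSCustomObject with Count ([int]) and Status ("OK" or "Error").
    #>
    param (
        [string]$ComputerName,
        [int[]]$EventIDs,
        [datetime]$StartTime,
        [string]$LogName = "Security"
    )
    $filter = @{
        LogName   = $LogName
        Id        = $EventIDs
        StartTime = $StartTime
    }
    try {
        # @() so a single matching event is counted as 1 rather than unrolled.
        $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
        return [PSCustomObject]@{ Count = $events.Count; Status = "OK" }
    } catch {
        # Get-WinEvent raises an error when nothing matches; with -ErrorAction
        # Stop that lands here, but it is a real zero, not a failure.
        if ($_.FullyQualifiedErrorId -like "NoMatchingEventsFound*" -or
            $_.Exception.Message -like "*No events were found*") {
            return [PSCustomObject]@{ Count = 0; Status = "OK" }
        }
        # ${EventIDs} is required: "$EventIDs:" is parsed as a scope/drive
        # qualifier and is a parse error in PowerShell.
        Write-Warning "Erro em $ComputerName para IDs ${EventIDs}: $_"
        return [PSCustomObject]@{ Count = 0; Status = "Error" }
    }
}

function Get-EventCount {
    <#
    .SYNOPSIS
    Returns the number of matching events (0 when none, and also 0 - with a
    warning - when the query itself failed).
    .DESCRIPTION
    Kept for callers that only want a number. Use Get-EventCountResult when
    a failed query must be distinguishable from an empty result.
    .PARAMETER LogName
    Event log to query; defaults to "Security" (the previous hard-coded value).
    #>
    param (
        [string]$ComputerName,
        [int[]]$EventIDs,
        [datetime]$StartTime,
        [string]$LogName = "Security"
    )
    $query = Get-EventCountResult -ComputerName $ComputerName -EventIDs $EventIDs -StartTime $StartTime -LogName $LogName
    return $query.Count
}

foreach ($dc in $DomainControllers) {
    foreach ($category in $eventMap.Keys) {
        foreach ($eventName in $eventMap[$category].Keys) {
            [int[]]$eventIDs = $eventMap[$category][$eventName]
            # All IDs of a row are assumed to live in one log; the first ID
            # with a non-Security mapping decides.
            $logName = "Security"
            foreach ($id in $eventIDs) {
                if ($logNameByEventId.ContainsKey($id)) {
                    $logName = $logNameByEventId[$id]
                    break
                }
            }
            $query = Get-EventCountResult -ComputerName $dc -EventIDs $eventIDs -StartTime $startTime -LogName $logName
            # Status is carried into the report so a 0 that came from a failed
            # query is visibly different from a genuine 0.
            $results += [PSCustomObject]@{
                DC       = $dc
                Category = $category
                Event    = $eventName
                Count    = $query.Count
                Status   = $query.Status
            }
        }
    }
}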
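# ============ HTML Report ==============
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
# Absolute path so Out-File and Start-Process resolve the same file regardless
# of how the current location is interpreted by each cmdlet.
$outputPath = Join-Path -Path (Get-Location).Path -ChildPath "AD_Audit_Report_$timestamp.html"
$style = @"
<style>
body { font-family: Arial; }
h1 { color: #003366; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ccc; padding: 6px; }
th { background-color: #003366; color: #fff; }
tr:nth-child(even) {background-color: #f2f2f2;}
</style>
"@
# ConvertTo-Html encodes table cell values, so DC names supplied on the
# command line cannot inject markup into the table. The pre-content string
# only interpolates $timestamp (script-generated) and $Hours (an [int]).
$html = $results |
    Sort-Object Category, Event |
    ConvertTo-Html -Title "AD Audit Report - $timestamp" -Head $style -PreContent "<h1>AD Audit Summary Report</h1><h3>Gerado: $timestamp (últimas $Hours horas)</h3>" -PostContent "<footer>Gerado por PowerShell</footer>" |
    Out-String
$html | Out-File -FilePath $outputPath -Encoding UTF8
Write-Host "`nRelatório gerado: $outputPath" -ForegroundColor Green
# Only auto-open the report when someone is at a console. A scheduled or
# remote run has no desktop to hand the file to, and launching the default
# browser on a DC is not something a report job should do unattended.
# NOTE(review): UserInteractive is a coarse signal (it is true for some
# scheduled tasks) - add an explicit switch if that turns out to be a problem.
if ([Environment]::UserInteractive) {
    Start-Process $outputPath
}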