Beyond the Perimeter: Auditing Active Directory Security with ADPulse’s 35-Point Automated Scan
ADPulse — Active Directory Security Scanner
ADPulse is an open-source Active Directory security auditing tool that connects to a domain controller via LDAP(S), runs 35 automated security checks, and produces detailed reports in console, JSON, and HTML formats.
It is designed for IT administrators, penetration testers, and security teams who need a fast, read-only assessment of AD misconfigurations and attack surface.
A PowerShell script named test_environment.ps1 is also included if you wish to set up your own vulnerable domain controller to test with.
Features
Security Checks (35 total)
| # | Check | Description |
|---|---|---|
| 1 | Password Policy | Minimum length, history, complexity, lockout threshold, reversible encryption, fine-grained PSOs |
| 2 | Privileged Accounts | Membership of Domain Admins, Enterprise Admins, Schema Admins, and other sensitive groups; stale members, non-expiring passwords, passwords in descriptions, built-in Administrator status, krbtgt age |
| 3 | Kerberos | Kerberoastable accounts (SPNs on user objects), AS-REP roastable accounts, DES-only encryption, high-value targets combining adminCount=1 + SPN + PasswordNeverExpires |
| 4 | Unconstrained Delegation | Non-DC computers and user accounts trusted for unconstrained Kerberos delegation |
| 5 | Constrained Delegation | Accounts with protocol transition (S4U2Self) and standard constrained delegation targets |
| 6 | ADCS / PKI | ESC1, ESC2, ESC3, ESC6, ESC8, ESC9, ESC10, ESC11, ESC13, ESC15, weak key sizes, enrollee ACL enumeration |
| 7 | Domain Trusts | Bidirectional trusts without SID filtering, forest trusts, external trusts |
| 8 | Account Hygiene | Stale users/computers, never-logged-in accounts, PASSWD_NOTREQD flag, reversible encryption per-account, old passwords, duplicate SPNs |
| 9 | Protocol Security | LDAP signing/channel binding, DC operating system versions, domain/forest functional level, NTLMv1/WDigest guidance |
| 10 | Group Policy Objects | Disabled, orphaned, unlinked, and empty GPOs; excessive GPO count |
| 11 | LAPS | Legacy LAPS and Windows LAPS schema detection; computers without LAPS passwords |
| 12 | LAPS Coverage | Percentage-based coverage of all non-DC computers with a LAPS-managed password |
| 13 | DNS & Infrastructure | Wildcard DNS records, LLMNR/NetBIOS-NS poisoning guidance |
| 14 | Domain Controllers | Single-DC detection, legacy OS on DCs, FSMO roles, RODC password replication policy |
| 15 | ACL / Permissions | ESC4, ESC5, ESC7, DCSync rights on non-privileged principals, Protected Users group, delegation ACLs |
| 16 | Optional Features | AD Recycle Bin, Privileged Access Management (PAM) |
| 17 | Replication Health | Site count, site link replication intervals, nTDSDSA objects |
| 18 | Service Accounts | gMSA adoption, regular user service accounts, service accounts with adminCount=1 |
| 19 | Miscellaneous Hardening | Machine account quota, tombstone lifetime, Schema Admins/Enterprise Admins membership, Guest account, audit policy guidance |
| 20 | Deprecated Operating Systems | Enabled computer accounts reporting end-of-life Windows versions |
| 21 | Legacy Protocols | SMBv1 detection, SMB signing enforcement, null session acceptance (live network probes) |
| 22 | Exchange | Exchange Windows Permissions group (PrivExchange / CVE-2019-0686), Exchange Trusted Subsystem |
| 23 | Protected Admin Users | adminCount=1 inventory — orphaned, ghost (disabled), and stale accounts |
| 24 | Passwords in Descriptions | Keyword-based detection of credentials stored in the Description field of users, admins, and computers |
| 25 | GPP / cpassword (MS14-025) | Walks SYSVOL for Group Policy Preferences XML files containing cpassword attributes and decrypts them using Microsoft’s publicly-known AES key |
| 26 | AdminSDHolder ACL | Reads the binary DACL on CN=AdminSDHolder and flags non-privileged principals with write access — these ACEs auto-propagate to all protected accounts every 60 minutes via SDProp |
| 27 | SID History | Detects accounts with sIDHistory populated; escalates to CRITICAL if any injected SID maps to a privileged group (Domain Admins, Enterprise Admins, etc.) |
| 28 | Shadow Credentials | Flags unexpected msDS-KeyCredentialLink entries on user and computer objects, enabling certificate-based authentication without knowing the account password |
| 29 | RC4 / Legacy Kerberos Encryption | Checks msDS-SupportedEncryptionTypes on service accounts, DCs, and admin accounts to identify those still permitting RC4-HMAC — the weak enctype attackers specifically request for offline cracking |
| 30 | Foreign Security Principals in Privileged Groups | Enumerates CN=ForeignSecurityPrincipals and flags any FSP from a trusted domain that is a member of a sensitive local group (Domain Admins, Backup Operators, etc.) |
| 31 | Pre-Windows 2000 Compatible Access | Checks whether Everyone or Anonymous Logon are members of this group, which enables unauthenticated SAMR/LSARPC enumeration from anywhere on the network |
| 32 | Dangerous Constrained Delegation Targets | Cross-references delegation targets against DC hostnames and flags accounts delegating to high-value service classes (ldap/, cifs/, host/, gc/, krbtgt/) on Domain Controllers |
| 33 | Orphaned AD Subnets | Finds subnets with no siteObject assignment, causing clients to receive a random DC and potentially routing authentication traffic across WAN links |
| 34 | Legacy FRS SYSVOL Replication | Detects whether SYSVOL is still replicating via the deprecated File Replication Service instead of DFSR, and flags stalled mid-migration states |
| 35 | RBCD on Domain Object / DCs | Checks msDS-AllowedToActOnBehalfOfOtherIdentity on the domain NC head and all DC computer objects — either configuration grants effective Domain Admin to the permitted principals via S4U2Proxy |
Reporting
- Console — colour-coded terminal output with at-a-glance critical findings and key metrics
- JSON — machine-readable export for integration with SIEMs, ticketing systems, or custom dashboards
- HTML — self-contained dark-themed report with collapsible sections, severity badges, stat cards, scoring legend, and an ADCS template inventory
Scoring
Every finding carries a risk-score deduction. The overall score starts at 100 and is reduced per finding:
| Score | Risk Level | Meaning |
|---|---|---|
| 80–100 | LOW | Good security posture, minor issues only |
| 60–79 | MEDIUM | Notable weaknesses that should be addressed |
| 40–59 | HIGH | Significant vulnerabilities present |
| 0–39 | CRITICAL | Severe risks — immediate remediation required |
Download & Use
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce
