When using Windows Server 2019 and up, the version of the AD DS schema is 88 or higher. From version 88 of the AD DS schema, the AccessMask does contain ExtendedRight and end up with an AccessMask of 852331 and not 852075 as in the script for "Descendant msDS-GroupManagedServiceAccount Objects".

Maybe use the function "Get-DomainSchemaVersion" to check the schema version and depending on the version check the correct AccessMask?

The script now results in an incorrect ObjectAuditing report for Windows Server 2019 and up.

Hi,

I have used the Readiness Script and am basically very enthusiastic about the result.
Unfortunately, I found two challenges.

First, the minimum system requirements are 2 CPU cores + 6GB RAM. For one of my customers, the evaluation for some DCs is marked as "False". Yet the DCs have exactly 6GB of RAM! On the systems themselves I noticed that 6144MB RAM are installed, but "only" 6143MB are available. If I adjust the script (6GB - 1MB), the fields turn green ;-)
If necessary, it makes sense to add a little buffer here in the evaluation?

The second problem is unfortunately more serious. In a larger customer environment I have 3 DCs where Advanced Auditing cannot be evaluated. In the resulting table the field remains empty. During the execution of the script the following error is displayed. Here I could not find out the reason unfortunately, hopefully there is an idea here?

+++++++++++++++++++++++

Get-Content : Cannot find path '\DCName.contoso.com\C$\Windows\Temp\mdi-GUID.tmp' because it does not exist. At C:\Install\Test-MdiReadiness\Test-MdiReadiness.ps1:77 char:19 + $return = Get-Content -Path $remoteFile + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (\DCName..........tmp:String) [Get-Content], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommandRemove-Item : Cannot find path '\DCName.contoso.com\C$\Windows\Temp\mdi-GUID.tmp' because it does not exist. At C:\Install\Test-MdiReadiness\Test-MdiReadiness.ps1:78 char:9 + Remove-Item -Path $remoteFile -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (\DCName...............tmp:String) [Remove-Item], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommandCompare-Object : Cannot bind argument to parameter 'DifferenceObject' because it is null. At C:\Install\Test-MdiReadiness\Test-MdiReadiness.ps1:383 char:55 + $isAdvancedAuditingOk = $null -eq (Compare-Object @compareParams) + ~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (:) [Compare-Object], ParameterBindingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CompareObjectCommand

+++++++++++++++++++++++

A view in the JSON-file says:
"AdvancedAuditing": null,

Let's attach some informations from another customer. PowerSettings and Exchange Auditing are not correct evaluated with the script. I think, that is because of the localization of the Active Directory, it was/is (sadly) installed in german. I can see the following error while executing the script:

ISSUE 1:
Throughout the day this portal is timing out AATP portal way too frequently to be able to work efficiently. Then there's this issue that happens again and again for no apparent reason, trying to login with cached login and this is shown. The session is timed out after mere minutes I think 10-15min. This leads to a re-authentication issue with cached credentials, seen below.

ISSUE 2:
Now, honestly, what is up with Microsoft and forcefully deprecating stuff that needs no deprecation? Honestly, this is becoming tiresome and the M365 Defender support is lacking in basic information. I will not name names but you can do better. And certainly refrain from deprecating the traditional AATP portal until you ensure full functionality of traditional domain log data via M365 Defender portal.

Traditional portal finds computer object, new M365 portal doesn't even know computer exists. There's more examples I could make but this issue is already becoming a headache.

ISSUE 3:
On top of that I get repeated warnings of portal supposedly being removed, first in February. And I had to go to M365 Defender portal > Settings > Identities > Portal redirection to turn it of from going to the "modern" portal.

From warnings in February that the traditional AATP (and functional) portal to now in June, again Microsoft is threatening on removing yet another totally functioning portal to one that is poorly made, bad UI, and less domain logging data readily available.

Description

Running the "Test-MdiReadiness.ps1" on a local DC creates the following error message:

• "Unable to get the advanced auditing settings remotely."

Reproduction steps

1. Log onto DC locally then launch PowerShell and run "Test-MdiReadiness.ps1."

Logs (from .JSON output)

{ "DomainSchemaVersion": { "schemaVersion": 88, "details": "Windows Server 2019 / 2022" }, "DomainAdfsAuditing": { "details": "Microsoft ADFS Program Data container not found", "isAdfsAuditingOk": true }, "Domain": “XXX”, "DomainControllers": { "OS": "Windows Server 2016 Standard", "CapturingComponent": "Npcap (1.70), WinPcap 4.1.3 (4.1.0.2980)", "IP": “xx”x, "NtlmAuditing": true, "PowerSettings": false, "ServerRequirements": true, "RootCertificates": true, "FQDN": “XXX, "OSVersion": true, "Details": { "ServerRequirementsDetails": { "NumberOfLogicalProcessors": 2, "TotalPhysicalMemory": 8588820480, "OsDiskDeviceID": "C:", "OsDiskFreeSpace": 65774243840 }, "PowerSettingsDetails": null, "AdvancedAuditingDetails": "Unable to get the advanced auditing settings remotely", "NtlmAuditingDetails": [ { "regKey": "System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\AuditReceivingNTLMTraffic", "value": 2 }, { "regKey": "System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic", "value": 1 }, { "regKey": "System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\AuditNTLMInDomain", "value": 7 } ], "RootCertificatesDetails": [ { "Thumbprint": "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4", "Subject": "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "Issuer": "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "NotBefore": "\/Date(1375358400000)\/", "NotAfter": "\/Date(2147169600000)\/" }, { "Thumbprint": "D4DE20D05E66FC53FE1A50882C78DB2852CAE474", "Subject": "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE", "Issuer": "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE", "NotBefore": "\/Date(958157160000)\/", "NotAfter": "\/Date(1747094340000)\/" }, { "Thumbprint": "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", "Subject": "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US", "Issuer": "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US", "NotBefore": "\/Date(1163116800000)\/", "NotAfter": "\/Date(1952035200000)\/" } ], "OSVersionDetails": { "Caption": "Microsoft Windows Server 2016 Standard", "Version": "10.0.14393" } }, "MachineType": "Hyper-V", "SensorVersion": "2.215.17148.48037", "AdvancedAuditing": false }, "DomainExchangeAuditing": { "details": [ { "ObjectAceFlags": 1, "ObjectAceType": "45ec5156-db7e-47bb-b53f-dbeb2d03c40f", "InheritedObjectAceType": "00000000-0000-0000-0000-000000000000", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 36, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 28, "AccountDomainSid": { "BinaryLength": 24, "AccountDomainSid": "S-1-5-21-1929213017-1124552077-618671499", "Value": "S-1-5-21-1929213017-1124552077-618671499" }, "Value": "S-1-5-21-1929213017-1124552077-618671499-513" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 24, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 16, "AccountDomainSid": null, "Value": "S-1-5-32-544" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 20, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 786464, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "WriteProperty, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 64 } ], "isExchangeAuditingOk": false }, "CAServers": { "OS": "Windows Server 2016 Standard", "CapturingComponent": "", "IP": “xx”x, "PowerSettings": false, "ServerRequirements": true, "RootCertificates": true, "FQDN": “XX”X, "CAAuditing": true, "OSVersion": true, "Details": { "ServerRequirementsDetails": { "NumberOfLogicalProcessors": 2, "TotalPhysicalMemory": 8588869632, "OsDiskDeviceID": "C:", "OsDiskFreeSpace": 13454467072 }, "PowerSettingsDetails": null, "AdvancedAuditingCADetails": "Unable to get the advanced auditing settings remotely", "CAAuditingDetails": { "regKey": "System\\CurrentControlSet\\Services\\CertSvc\\Configuration\\XXX\\AuditFilter", "value": 127 }, "RootCertificatesDetails": [ { "Thumbprint": "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4", "Subject": "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "Issuer": "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "NotBefore": "\/Date(1375358400000)\/", "NotAfter": "\/Date(2147169600000)\/" }, { "Thumbprint": "D4DE20D05E66FC53FE1A50882C78DB2852CAE474", "Subject": "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE", "Issuer": "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE", "NotBefore": "\/Date(958157160000)\/", "NotAfter": "\/Date(1747094340000)\/" }, { "Thumbprint": "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", "Subject": "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US", "Issuer": "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US", "NotBefore": "\/Date(1163116800000)\/", "NotAfter": "\/Date(1952035200000)\/" } ], "OSVersionDetails": { "Caption": "Microsoft Windows Server 2016 Standard", "Version": "10.0.14393" } }, "MachineType": "Hyper-V", "SensorVersion": "N/A", "AdvancedAuditingCA": false }, "DomainObjectAuditing": { "isObjectAuditingOk": true, "details": [ { "ObjectAceFlags": 3, "ObjectAceType": "f30e3bbe-9ff0-11d1-b603-0000f80367c1", "InheritedObjectAceType": "bf967aa5-0de6-11d0-a285-00aa003049e2", "BinaryLength": 56, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 32, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 66, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "WriteProperty", "AuditFlagsValue": 1, "AceFlagsValue": 66 }, { "ObjectAceFlags": 3, "ObjectAceType": "f30e3bbf-9ff0-11d1-b603-0000f80367c1", "InheritedObjectAceType": "bf967aa5-0de6-11d0-a285-00aa003049e2", "BinaryLength": 56, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 32, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 66, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "WriteProperty", "AuditFlagsValue": 1, "AceFlagsValue": 66 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "ce206244-5827-4a86-ba1c-1c0c386c1b64", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "bf967a86-0de6-11d0-a285-00aa003049e2", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "7b8b558a-93a5-4af7-adca-c017e67f1057", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "bf967a9c-0de6-11d0-a285-00aa003049e2", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "bf967aba-0de6-11d0-a285-00aa003049e2", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "BinaryLength": 36, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 28, "AccountDomainSid": { "BinaryLength": 24, "AccountDomainSid": "S-1-5-21-1929213017-1124552077-618671499", "Value": "S-1-5-21-1929213017-1124552077-618671499" }, "Value": "S-1-5-21-1929213017-1124552077-618671499-513" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 24, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 16, "AccountDomainSid": null, "Value": "S-1-5-32-544" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 20, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 786464, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "WriteProperty, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 20, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 32, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 2, "AceFlags": 194, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 0, "AuditFlags": 3, "AccessMaskDetails": "WriteProperty", "AuditFlagsValue": 3, "AceFlagsValue": 194 } ] } }

Some Additional Context:

https://learn.microsoft.com/en-us/answers/questions/1377287/defender-for-identity-directory-services-advanced?comment=question#newest-question-comment

The HTML report is being generated successfully, but getting this error with JSON object:

PS C:\Temp\Test-MdiReadiness> .\Test-MdiReadiness.ps1 -Verbose
VERBOSE: Performing the operation "Create MDI related configuration reports" on target "SFS.COM".
VERBOSE: Searching for Domain Controllers in SFS.COM
VERBOSE: Found 1 Domain Controller(s)
VERBOSE: Testing server requirements for SFSDC01.SFS.com
VERBOSE: Testing power settings for SFSDC01.SFS.com
VERBOSE: Testing advanced auditing for SFSDC01.SFS.com
VERBOSE: Testing NTLM auditing for SFSDC01.SFS.com
VERBOSE: Testing certificates readiness for SFSDC01.SFS.com
VERBOSE: Testing MDI sensor for SFSDC01.SFS.com
VERBOSE: Testing capturing component for SFSDC01.SFS.com
VERBOSE: Getting virtualization platform for SFSDC01.SFS.com
VERBOSE: Getting Operating System for SFSDC01.SFS.com
VERBOSE: Searching for CA servers in SFS.COM
VERBOSE: Cannot validate argument on parameter 'Identity'. The argument is null or an element of the argument
collection contains a null value.
VERBOSE: Found 0 CA server(s)
VERBOSE: Getting MDI related ADFS auditing configuration
VERBOSE: Getting MDI related DS Object auditing configuration
VERBOSE: Getting MDI related Exchange auditing configuration
VERBOSE: Getting AD Schema Version
VERBOSE: Creating detailed json report: .\mdi-SFS.COM.json
Get-Member : You must specify an object for the Get-Member cmdlet.
At C:\Temp\Test-MdiReadiness\Test-MdiReadiness.ps1:887 char:69
+ ... list] @($ReportData.CAServers | Get-Member -MemberType NoteProperty |
+                                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-Member], InvalidOperationException
    + FullyQualifiedErrorId : NoObjectInGetMember,Microsoft.PowerShell.Commands.GetMemberCommand

You cannot call a method on a null-valued expression.
At C:\Temp\Test-MdiReadiness\Test-MdiReadiness.ps1:889 char:5
+     $properties.Insert(0, 'FQDN')
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Temp\Test-MdiReadiness\Test-MdiReadiness.ps1:891 char:5
+     [void] $properties.AddRange($propsToAdd)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

VERBOSE: Creating html report: .\mdi-SFS.COM.html

Hello, one of my customers tried this script before introducing MDI into his environment.
He got the following error while he ran the script, then the result has blanks in "AdvancedAuditing" of DCs

Error Message :

Compare-Object : Cannot bind argument to parameter 'DifferenceObject' because it is null.
+... $isAdvancedAuditingOk = $null -eq (Compare-Object @compareParams)
+CategoryInfo : InvalidData : ( : ) [Compare-Object ], ParametaerBindingValidiationException
+FullyQualifiedErrorId : ParameterArgumentValidiationErrorNullNotAllowed,Microsoft.Powershell.Commands.CompareObjectCommand

I want to figure out what happened and resolve this problem.
What can I do for him? Thank you