- Improve DCSMBSharesPermissions for multilanguage support as per #190
- Added help to functions by @neztach in #185
- Replaced TCIP typo with TCPIP by @SamErde in #186
- Fixed Importance value for NetBIOSOverTCPIP from 90 to 9. by @SamErde in #187
- Fixed Importance for Default SMB Shares Permissions by @SamErde in #188
- Fix a broken link to MS docs by @diecknet in #189
- Fixes around tags, areas, categories
- Added recycle bin to tombstone lifetime
- Removed dependency on PSWinDocumentation.DNS
- Bumped dependencies to the newest versions
- Improve HTML reporting
- Improve ForestTombstoneLifetime to check for 180 days in RecycleBin and not only for TombstoneLifetime
- Improve HTML reports by hiding specific columns in tables
- @neztach made their first contribution in #185
- @SamErde made their first contribution in #186
- @diecknet made their first contribution in #189
Full Changelog: https://github.com/EvotecIT/Testimo/compare/v0.0.88...v0.0.89
- Added WindowsSecureTimeSeeding check in DCTimeSettings check
- Fixes DomainComputersUnsupported, DomainComputersUnsupportedMainstream
- Add missing dependency PSSharedGoods
- Improve DomainDomainControllers by adding checks for PasswordNotRequired/PasswordNeverExpires as those are critical for DCs
- Tables in Testimo now use ScrollX to make it easier to read on smaller screens
- Fixes DCLDAP date comparison
- Improves DCDiskSpace to show more information
- Improve ForestOptionalFeatures by adding WindowsLAPS detection
- Rename DomainSecurityKRBGT to DomainSecurityKrbtgt as it should be
- Improve DomainSecurityKrbtgt to detect Azure AD Kerberos account and measure it/ignore
- Added ability to use IncludeTags, ExcludeTags to filter tests (only on Source level, not on tests level)
- Improve DCSMBShares
- Improve DCSMBSharesPermissions
- Improves error handling for DSC
- Fixes Get-TestimoConfiguration
- Added SplitReports to Invoke-Testimo to allow splitting the reports into multiple files (1 per category) more easily
- Added icons in SplitReports tabs to make it easier to identify if there's a problem in given DC/Domain
- Fixes issue with some tests returning an error "You cannot call a method on a null-valued expression."
- Small fix for DomainMachineQuota displaying unnecessary warnings and too many properties
- Added new test ForestVulnerableSchemaClass
- Fixes "Results meet expected values, but test listed as failure in 0.0.79" #165
- Fixes link to MSFT article on LDAP binding/signing in script is 404 #160
- Fixes DomainWellKnownFolders #162
- Improves DSC comparison
- Fix PowerShell 2.0 detection #161 - tnx Sparticuz
- Fixes Well Know Folders test fails on ambiguous name #159
- Added ability to use Compare-Testimo as a way to compare two DSC files (single object, can have nested properties)
- Added new test DCWindowsFeaturesOptional to check for PowerShell 2.0 on DCs
- Updated test DomainSecurityUsersAcccountAdministrator
- Added ability to use Compare-Testimo as a way to compare two JSON files (single object, can have nested properties)
- Fixes errors that could happen for some tests during HTML creation
- Improved test ForestDuplicateSPN to check for duplicate SPNs in a forest
- Added test ForestRootKDS to check for a KDS Root Key
- Fixes a typo in DomainSecurityComputers #156
- Improved summary a bit (still requires work)
- Added support for external tests
- Added a new test DomainMachineQuota to check for ms-DS-MachineAccountQuota
- Fixed "Windows Server 2022 version flagged as failed" #141
- Fixed "Some tests report Fail but no reason why" #143
- Fixed charts to show proper values (the ones from the table) #149
- Modified charts colors to more eye friendly (at least to me) #149
- Modified console output to show statuses the same as HTML version instead of Pass/Fail #145
- Modified console output to remove full stop from some statuses #147
- Added a new test ForestDuplicateSPN to check for duplicate SPNs in a forest
- Fixed "Skipped section in diagram but everything is True in report" #151
- Improved ForestReplication and ForestReplicationStatus
- Improved DomainOrganizationalUnitsEmpty
- Fixes Group Policy SysvolDC checking for non-existent property - tnx jwmoss
- Tests
- General
- Small fix for reports
- Tests
- 📦 Added ForestDHCP
- General
- 🐛 Small detection of problems with gathering information about Forest
- Tests
- 📦 Added DomainSecurityDelegatedObjects
- Tests
- 💡 Improved DomainGroupPolicyAssessment
- Tests
- Improvement DomainSecurityUsers
- Improvement DomainSecurityKRBGT
- General
- Improvement of HTML
- Tests
- Improvement DomainSecurityUsers
- Improvement DomainSecurityKRBGT
- General
- Improvement of HTML
- Tests
- Improvement ForestSubnets
- Tests
- Fixed DCDNSResolveExternal reported in #122
- Improvement ForestTrusts
- General
- Improvement of HTML
- Tests
- Improved ForestTrusts
- Improved ForestRoles
- General
- Improvement of HTML
- Tests
- Improved ForestSubnets
- Improved ForestSites
- Improved ForestOptionalFeatures
- Improved ForestBackup
- Improved ForestTombstoneLifetime
- Improved DomainDomainControllers
- Improved DomainLDAP
- Improved DomainOrphanedSecurityPrincipals
- General
- Added AlwaysShowSteps
- Improved support for new PSWriteHTML
- General
- Misspelled word in report (Extream -> Extreme) #120 - tnx mojomojoman
- Tests
- Added ForestSubnets
- Improved DomainDomainControllers
- Improved DomainLDAP
- Improved ForestBackup
- Improved ForestOrphanedAdmins
- Improved ForestConfigurationPartitionOwners
- Improved DomainDuplicateObjects
- Improved ForestSites
- General
- Improved reporting
- Improved reporting status (assessment)
- Tests
- Added DomainLDAP - takes over DCLDAP
- Disabled DCLDAP by default. Still there just not used.
- Improved ForestOrphanedAdmins
- Improved ForestConfigurationPartitionOwners
- Improved DomainDuplicateObjects
- Improved DomainDomainControllers
- General
- Renamed Parameter ReturnResults to PassThru (left as an alias)
- Fixed loading configuration from JSON/File/HashTable - Configuration changed so much rebuild will be required
- Fixed saving configuration to JSON/File/HashTable - Configuration changed so much rebuild will be required
- Parameter for Invoke-Testimo ShowReport is deprecated and doesn't do anything
- Parameter for Invoke-Testimo HideHTML was added and prevents auto-opening of HTML
- Parameter for Invoke-Testimo HideSteps/HideSolution was added to hide solution/steps in case it's not needed
- Added additional information about HTML report generating where the file was saved (useful if no FilePath was provided)
- Parameter ReportPath was renamed to FilePath, ReportPath is still an alias - to get it the same as GPOZaurr
- Reporting
- Solution/Steps added to Report when available for display
- Reporting is still getting more and more changes
- Tests
- Improved ForestOrphanedAdmins
- Added ForestConfigurationPartitionOwners
- Improved DomainDuplicateObjects
- Improved DomainDomainControllers
- Improved DCTimeSynchronizationExternal
- Reporting
- HTML report updated with new format, still not final
- Added Importance/Category visibility in HTML -> if only those were updated in all tests 🤣
- Added Description visibility in HTML -> if only those were updated in all tests 🤣
- Added Resources visibility in HTML -> if only those were updated in all tests 🤣
- Improvement to report (domain section)
- Improvement to DomainDuplicateObjects
- Improvement to OrphanedForeignSecurityPrincipals
- Removed ForestDuplicateObjects - duplicate of DomainDuplicateObjects
- Fixes report to work with IE 11 (not great, not bad either)
- Improved DomainDomainControllers
- Improved DCUNCHardenedPaths to check for multiple values
- Fix for Invoke-Testimo crashing on dead/non-responding/no-access DC #117
- Fix for Invoke-Testimo returning more than one line of error which would stop Testimo #116
- Fix for Invoke-Testimo not working correctly with some tests #116
- Improved some tests
- Reporting
- HTML report improved a bit for Domain based checks
- Fix for Invoke-Testimo not working when no tests are defined
- Tests
- Added DomainDomainControllers - covers DC ACL owner, DC Manager, DC Password Last Set, DC Last Logon, Enabled
- Improvements
- Added warning & errors to HTML
- Removed dependency on PSWinDocumentation.AD temporarily (no tests for now)
- Tests
- Removed DomainGroupPolicyPermissionUnknown
- Removed GroupPolicyMissingPermissions
- Added DomainGroupPolicyPermissions - covers unknown, administrative, authenticated users and system (both removed + some)
- Removed DomainGroupPolicyEmptyUnlinked
- Added DomainGroupPolicyAssesment - covers empty, unlinked, disabled, with problem, optimized, no apply permission
- Added DomainNetLogonOwner
- Improved ForestSiteLinksConnections #92
- Improved ForestTombstoneLifetime - support for forest
- Improvement to HTML
- DataStore is now set to JavaStore which allows handling of more data within single HTML file
- Should have less errors on tab switching
- Known issue: with lots of tables/charts switching between tabs can take time, be patient
- Improvement to DomainSecurityKRBGT
- Improvement to DCWindowsUpdates
- Removed DomainKerberosAccountAge as it's identical to DomainSecurityKRBGT
- Removed DomainTrusts as it wasn't really working great
- Added ForestTrusts with improvements
- ForestObjectsWithConflict renamed to ForestDuplicateObjects
- ForestDuplicateObjects disabled by default (same thing as DomainDuplicateObjects just done forest wide)
- DomainDuplicateObjects enabled by default (same thing as forest just done per domain)
- DCTimeSettings updated with proper NTP recommendation #65 - tnx SolidKnight, SUBnet192, itpro-tips
- Reversed on HTML change due to issues
- HTML
- HTML report should now be much faster to work with even with larger datasets
- Tests
- DomainWellKnownFolders - removed duplicate code
- Added some additional descriptions to tests, still long way to go
- Small name fix for DomainGroupPolicySysvol
- DomainGroupPolicyEmptyUnlinked - added new test
- Silent GitHub version check
- Fixes working with lowercase source names
- Fixes issue 'Service Status fails on value "Auto"' #106 due to change in PSSharedGoods
- Tests
- Small name update to OrganizationalUnitsEmpty and OrganizationalUnitsProtected fixing #103
- Tests
- Fix for DCNetSessionEnumeration not run against target #102
- Engine
- Better Sources handling during typing
- Engine
- Renamed MustExists to ExpectedOutput for Parameters in Tests for unified experience
- Added ExpectedResult for Parameters in Tests
- This works in a way where if we use WhereObject filtering on Array you can check if output is given or not and fail/pass right away
- This brings 3 ways to test ExpectedCount, ExpectedValue or ExpectedResult
- ExpectedResult ignores all other settings in parameters except for WhereObject
- Tests
- Added DomainGroupPolicyPermissionConsistency (requires GPOZaurr PowerShell module)
- Added DomainGroupPolicyOwner (requires GPOZaurr PowerShell module)
- Test for: GPO: Owner Consistent
- Test for: GPO: Owner Administrative
- Added DomainGroupPolicyPermissionUnknown (requires GPOZaurr PowerShell module)
- Added DomainGroupPolicySysvol (requires GPOZaurr PowerShell module)
- Renamed DCGroupPolicySYSVOL to DCGroupPolicySYSVOLDC to prevent conflict with per Domain checks
- Replaced DomainGroupPolicyADM with GPOZaurr command
- Engine
- ExpectedOutput is now required for Source
- Tests
- ExpectedOutput (true/false/null) added for all tests
- Fix regression ForestReplicationStatus if multiple DC
- Fix regression ForestReplication if multiple DC
- Added DomainDuplicateObjects test - finds CNF objects
- Engine
- Add requirements (IsInternalForest = $true) for tests that do not support external forest (such as repadmin)
- Fixed ExpectedCount not working correctly for some values (not sure why it worked at all)
- Reporting
- Improved output to not include empty tabs
- Tests
- Improved ForestReplicationStatus if only 1 DC, disabled if asking for external forest
- Improved ForestReplication if only 1 DC
- Renamed DomainEmptyOrganizationalUnits to DomainOrganizationalUnitsEmpty
- Added DomainOrganizationalUnitsProtected
- Improved DCServices for non-existing spooler service
- Changed DomainPasswordComplexity Lockout Threshold to 5+
- Renamed DCNetSessionEnumaration to DCNetSessionEnumeration - tnx subnet192 #99
- Added DCDNSForwarders - DNS: More than one forwarding server should be configured
- Added DomainExchangeUsers - Exchange Users: Missing MailNickName monitors for issue described on blog
- Improved DNSScavengingForPrimaryDNSServer
- Other
- Fix typos - tnx subnet192 #99
- Added GroupPolicy and ActiveDirectory to RequiredModules and ExternalModuleDependencies preventing error reported in #91
- Engine
- Update to DomainSecurityUsers to exclude DomainGuests
- Fix for ExpectedOutput $false
- Tests
- Fix for DomainSecurityUsers - tnx itpro-tips #89
- Added DomainSecurityKRBGT
- Improved DCNetworkSettings - DNS: DNS servers on Ethernet should include the loopback address, but not as the first entry - #90 - tnx itpro-tips
- Improved DCNetworkSettings - DNS: Ethernet should have static IPv4 settings (disabled by default) - #90 - tnx itpro-tips
- Improved DCLanManServer - ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression - Disabled by default, as patch is available
- Engine
- Fix for broken tests
- Engine
- Added MustExists (True/False) for Parameters
- Fixes for In/NotIn
- Fixes for Inclusion/Exclusion DC/Domain
- Fixes for ExpectedCount 0 not working
- Tests
- DCServices Improvement with XBOX Service
- Added DCSMBSharesPermissions
- Added DomainSecurityUsers
- Added DCUNCHardenedPaths - read potential issues of implementing UNC Hardened Paths. If you enable and things go south GPOs won't work.
- Tests
- Modify repadmin (ForestReplicationStatus) for non-english OS #86 - tnx Fiyorden
- Tests
- Fixing legacy ADM files check - #84 - tnx PMORMR
- Tests
- Fix for DCGroupPolicySYSVOL - #83 - tnx PMORMR
- Engine
- Fix for loading configuration
- Engine
- Fix for version checks
- Engine
- Added IncludeDomain, IncludeDomainControllers (when used skips Exclusions)
- This requires heavy improvements - soon enough
- Fixes issue when first running single source and then running all tests (it would use the "old source" instead of using defaults)
- Tests
- Fix for Windows Roles and Feature for other language (non-english) #79 - tnx Fiyorden
- Added LDAPInsecureBindings
- Engine
- Fix for not running tests for DC if no Forest/Domain tests are present
- Added -SkipRODC parameter to skip DCs that are RODC
- Engine
- Better support for Portable Testimo
- Engine
- Improvements to some error handling
- Added Version/Date Published (#72)
- Do not run Tests for Domain/DomainControllers if not enabled
- Updated modules
- ADEssentials to 0.0.27 (Get-WinADDFSHealth fixed)
- Other dependencies also updated
- Tests
- Fix for DNSForwarders
- Added DomainComputersUnsupported (older than 2008)
- Added DomainComputersUnsupportedMainstream (2008 computers with support from Microsoft)
- Engine
- Small configuration saving fixes
- Added version
- Tests
- ForestObjectsWithConflict - Added
- DCRDPSecurity - Added
- Minimum Encryption Level
- DCServiceWINRM - Added
- DisableRunAS
- DCSMBProtocols - added BPA findings - Added
- AutoDisconnectTimeout
- CachedOpenLimit
- DurableHandleV2TimeoutInSeconds
- EnableSMB1Protocol
- EnableSMB2Protocol
- MaxThreadsPerQueue
- Smb2CreditsMin
- Smb2CreditsMax
- RequireSecuritySignature
- DCNetSessionEnumeration (Net Cease) - Added
- Hardening Net Session Enumeration
- DCLanManServer - Added
- Microsoft network server: Digitally sign communications (if client agrees)
- Microsoft network server: Digitally sign communications (always)
- Users are not forcibly disconnected when logon hours expire.
- Tests
- DCDiagnostics - Added
- Basically wrapper over DcDiag
- Checks Connectivity
- Checks Advertising
- Checks CheckSecurityError
- Checks CutoffServers
- Checks FrsEvent
- Checks DFSREvent
- Checks SysVolCheck
- Checks FrsSysVol
- Checks KccEvent
- Checks KnowsOfRoleHolders
- Checks MachineAccount
- Checks NCSecDesc
- Checks NetLogons
- Checks ObjectsReplicated
- Checks Replications
- Checks RidManager
- Checks Services
- Checks SystemLog
- Checks Topology
- Checks VerifyEnterpriseReferences
- Checks VerifyReferences
- Checks VerifyReplicas
- Checks DNS
- Checks ForestDnsZonesCheckSDRefDom
- Checks ForestDnsZonesCrossRefValidation
- Checks DomainDnsZonesCheckSDRefDom
- Checks DomainDnsZonesCrossRefValidation
- Checks SchemaCheckSDRefDom
- Checks SchemaCrossRefValidation
- Checks ConfigurationCheckSDRefDom
- Checks ConfigurationCrossRefValidation
- Checks NetbiosCheckSDRefDom
- Checks NetbiosCrossRefValidation
- Checks DNSDomain
- Checks LocatorCheck
- Checks FsmoCheck
- Checks Intersite
- DCEventLog - Added
- Check for Application Log - LogMode/LogFull
- Check for System Log - LogMode/LogFull
- Check for PowerShell Log - LogMode/LogFull
- Check for Security Log - Size/SizeMax/LogMode/LogFull
- Check for Security Log - Default Security Permissions
- DCTimeSynchronizationExternal
- Supports parameters #41 - tnx James Rudd
- DCDFS - Added
- DFS should be Healthy
- Central Repository for GPO for Domain should be available
- Central Repository for GPO for DC should be available
- GPO Count should match folder count
- MemberReference should return TRUE
- DFSErrors should be 0
- DFSLocalSetting should be TRUE
- DomainSystemVolume should be TRUE
- SYSVOLSubscription should be TRUE
- DFSR AutoRecovery should be enabled (not stopped)
- DCDFSRAutoRecovery - DELETED
- Moved to DCDFS
- DomainDHCPAuthorized - Added but DISABLED
- Check added, by default disabled.
- DCTimeSettings
- Fix for Incorrect NTP Interval #42 - tnx Jakob West
- Added test for checking NTP Incorrect Interval #42 - tnx Jakob West
- Should properly read settings via Policy (GPO) - change in PSSharedGoods #41 - tnx James Rudd
- DomainGroupPolicyADM - Added
- Added check for legacy ADM files
- DCGroupPolicySYSVOL - Added
- Added check if all GPO's have their folder on SYSVOL
- DCLanManagerSettings - Added
- Added checks for Lan Manager Settings
- DCTimeSynchronizationInternal
- Added check for LastBootUpTime be less than X (60) days
- Engine
- Added checks for potential NULL after Where-Object (fails tests now, while before it would ignore it)
- Added parameters for SourceParameters for use within Sources #41 - tnx James Rudd
- Changed export / import configuration to support SourceParameters/ExpectedOutput. #41 - tnx James Rudd
- Support for Requirements/CommandAvailable
- Tests
- DCPorts - typo fix OPEN vs CLOSED
- Tests
- DCPorts - Checking for port 139 - Require PORT CLOSED (#29 - tnx SP3269)
- DCNetworkSettings - Netbios TCPIP settings on network card - Require DISABLED (#29 - tnx SP3269)
- DCWindowsFirewall - was renamed to DCNetworkSettings
- DomainEmptyOrganizationalUnits - fix for lacking Contacts (#32 - tnx JasonCook599)
- DNSScavengingForPrimaryDNSServer - fix LT should be GT (#33 - tnx JasonCook599)
- DomainDNSZonesForest0ADEL - Added new test
- DomainDNSZonesDomain0ADEL - Added new test
- Engine
- Support for match/notmatch/notcontains
- Fix for configuration loading from JSON file (#30 - tnx Alex)
- First public release - More information in blog post!