Add Authentication Policy and Authentication Policy Silos reporting #235

Merged: rebelinux merged 2 commits into dev from copilot/add-authentication-policy-silos-support on Feb 28, 2026

Copilot AI commented Feb 27, 2026

Adds reporting support for AD Authentication Policies and Authentication Policy Silos — a Windows Server security feature that restricts privileged account sign-in scope and controls Kerberos TGT lifetimes.

New: Get-AbrADAuthenticationPolicy

  • Queries Get-ADAuthenticationPolicySilo and Get-ADAuthenticationPolicy with targeted property lists (no -Properties *)
  • Silos: name, enforce mode, description, associated user/service/computer policies
  • Silo Members: resolves assigned accounts via Get-ADObject, shows ObjectClass + DN
  • Policies: name, enforce mode, TGT lifetime per account type (user/service/computer)
  • InfoLevel 1 → summary table; InfoLevel ≥ 2 → per-object list view
  • Health check warning when silos or policies are in audit mode (not enforced)

Integration

Inserted between Trust and Hardening in Get-AbrDomainSection, consistent with existing section ordering. Section is silently skipped when no silos or policies are configured.

```powershell
Get-AbrADTrust -Domain $DomainInfo -ValidDcFromDomain $ValidDC
Get-AbrADAuthenticationPolicy -Domain $DomainInfo -ValidDcFromDomain $ValidDC  # new
Get-AbrADHardening -Domain $DomainInfo -ValidDcFromDomain $ValidDC
```

Original prompt

This section details the original issue you should resolve

<issue_title>Add Athentication Policy Silos Support</issue_title>
<issue_description>### Description

Powershell CMDLET

https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adauthenticationpolicysilo?view=windowsserver2022-ps

Must Read

https://github.com/MicrosoftDocs/windowsserverdocs/blob/main/WindowsServerDocs/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos.md

Additional Context

No response

Before submitting

  • I have read the documentation, and referred to the known issues before submitting this change request.
  • I have checked for previously opened & closed issues before submitting this change request.</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: rebelinux <1002783+rebelinux@users.noreply.github.com>
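
The audit-mode health check described in the pull request description above, as an added example that is not code from this pull request or from AsBuiltReport.Microsoft.AD. It goes one step further than the description by also flagging an enforced silo that references a policy still in audit mode; the function name and the sample objects are assumptions made for illustration.

```powershell
# Added example; Get-AuthPolicyEnforcementFinding is a hypothetical helper name.
function Get-AuthPolicyEnforcementFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Silo,
        [Parameter(Mandatory)] [object[]] $Policy
    )
    # Index policies by distinguished name so silo references can be resolved.
    $byDn = @{}
    foreach ($p in $Policy) { $byDn[$p.DistinguishedName] = $p }

    foreach ($p in $Policy) {
        if (-not $p.Enforce) {
            [pscustomobject]@{ Type = 'Policy'; Name = $p.Name; Finding = 'Audit mode (not enforced)' }
        }
    }
    foreach ($s in $Silo) {
        if (-not $s.Enforce) {
            [pscustomobject]@{ Type = 'Silo'; Name = $s.Name; Finding = 'Audit mode (not enforced)' }
        }
        # Assumption: each *AuthenticationPolicy property holds the policy's DN.
        foreach ($attr in 'UserAuthenticationPolicy', 'ServiceAuthenticationPolicy', 'ComputerAuthenticationPolicy') {
            $dn = [string]$s.$attr   # $null becomes '' and simply fails the lookup
            if ($byDn.ContainsKey($dn) -and -not $byDn[$dn].Enforce) {
                [pscustomobject]@{ Type = 'Silo'; Name = $s.Name; Finding = "$attr '$($byDn[$dn].Name)' is in audit mode" }
            }
        }
    }
}

# Constructed sample objects standing in for the cmdlet output, so this runs offline.
# Against a domain, feed it the real objects instead:
#   $policies = Get-ADAuthenticationPolicy -Filter *
#   $silos    = Get-ADAuthenticationPolicySilo -Filter *
$policies = @(
    [pscustomobject]@{ Name = 'T0-User'; DistinguishedName = 'CN=T0-User,CN=AuthN Policies,DC=example,DC=test'; Enforce = $true }
    [pscustomobject]@{ Name = 'T0-Svc'; DistinguishedName = 'CN=T0-Svc,CN=AuthN Policies,DC=example,DC=test'; Enforce = $false }
)
$silos = @(
    [pscustomobject]@{
        Name                         = 'Tier0'
        Enforce                      = $true
        UserAuthenticationPolicy     = $policies[0].DistinguishedName
        ServiceAuthenticationPolicy  = $policies[1].DistinguishedName
        ComputerAuthenticationPolicy = $null
    }
)
Get-AuthPolicyEnforcementFinding -Silo $silos -Policy $policies | Format-Table -AutoSize
```
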
@github-actions

PSScriptAnalyzer results:

Errors: [0], Warnings: [14], Information: [0]


RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADGPO.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDomainObject.ps1
Line       : 19
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADTrust.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADCACRLSetting.ps1
Line       : 22
Message    : The parameter 'CA' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : ConvertTo-ADObjectName.ps1
Line       : 21
Message    : The parameter 'DC' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDomain.ps1
Line       : 20
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADKerberosAudit.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADOU.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 21
Message    : The parameter 'Filter' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 22
Message    : The parameter 'Properties' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 23
Message    : The parameter 'SelectPrty' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : ConvertTo-ADCanonicalName.ps1
Line       : 20
Message    : The parameter 'Domain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDFSHealth.ps1
Line       : 20
Message    : The parameter 'DCs' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Invoke-AsBuiltReport.Microsoft.AD.ps1
Line       : 21
Message    : The parameter 'Credential' has been declared but not used.

Copilot AI changed the title from "[WIP] Add authentication policy silos support for PowerShell CMDLET" to "Add Authentication Policy and Authentication Policy Silos reporting" on Feb 27, 2026
@github-actions

PSScriptAnalyzer results:

Errors: [0], Warnings: [15], Information: [0]


RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADGPO.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDomainObject.ps1
Line       : 19
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADAuthenticationPolicy.ps1
Line       : 20
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADTrust.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADCACRLSetting.ps1
Line       : 22
Message    : The parameter 'CA' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : ConvertTo-ADObjectName.ps1
Line       : 21
Message    : The parameter 'DC' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDomain.ps1
Line       : 20
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADKerberosAudit.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADOU.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 21
Message    : The parameter 'Filter' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 22
Message    : The parameter 'Properties' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 23
Message    : The parameter 'SelectPrty' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : ConvertTo-ADCanonicalName.ps1
Line       : 20
Message    : The parameter 'Domain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDFSHealth.ps1
Line       : 20
Message    : The parameter 'DCs' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Invoke-AsBuiltReport.Microsoft.AD.ps1
Line       : 21
Message    : The parameter 'Credential' has been declared but not used.

@rebelinux rebelinux marked this pull request as ready for review February 28, 2026 00:49
@rebelinux rebelinux merged commit 601ef63 into dev Feb 28, 2026
4 checks passed