maester365 · soulemike · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025
@@ -184,7 +184,17 @@
     'Test-MtXspmCriticalCredsOnDevicesWithNonCriticalAccounts',
     'Test-MtXspmPublicRemotelyExploitableHighExposureDevices',
     'Test-MtXspmCriticalCredentialsOnNonTpmProtectedDevices',
-    'Test-MtXspmCriticalCredentialsOnNonCredGuardProtectedDevices'
+    'Test-MtXspmCriticalCredentialsOnNonCredGuardProtectedDevices',
+    'Set-MtAdCache','Clear-MtAdCache',
+    'Test-MtAdComputerContainer','Test-MtAdComputerCreatorSid','Test-MtAdComputerDns',
+    'Test-MtAdComputerDomainController','Test-MtAdComputerKerberos',
+    'Test-MtAdComputerOperatingSystem','Test-MtAdComputerPrimaryGroup',
+    'Test-MtAdComputerService','Test-MtAdComputerSidHistory','Test-MtAdComputerStatus',
+    'Test-MtAdForestDomain','Test-MtAdForestExternalLdap','Test-MtAdForestFsmoStatus',
+    'Test-MtAdForestFunctionalLevel','Test-MtAdForestSite','Test-MtAdForestSuffix',
+    'Test-MtAdDomainContainer','Test-MtAdDomainFsmoStatus','Test-MtAdDomainFunctionalLevel',
+    'Test-MtAdDomainMachineAccountQuota','Test-MtAdDomainManagedBy','Test-MtAdDomainNaming',
+    'Test-MtAdDomainPasswordPolicy','Test-MtAdDomainStructure'
 
     # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
     CmdletsToExport      = @()

@@ -14,6 +14,9 @@
 ## Initialize Module Variables
 ## Update Clear-ModuleVariable function in internal/Clear-ModuleVariable.ps1 if you add new variables here
 $__MtSession = @{
+	AdCredential = $null
+	AdServer = $null
+	AdCache = @{}
 	GraphCache = @{}
 	GraphBaseUri = $null
 	TestResultDetail = @{}

@@ -9,6 +9,7 @@ function Get-MtSkippedReason {
     )
 
     switch($SkippedBecause){
+        "NotConnectedActiveDirectory" { "Not connected to Active Directory. See [Connecting to Active Directory](https://maester.dev/docs/connect-maester/#todo)"; break}
         "NotConnectedAzure" { "Not connected to Azure. See [Connecting to Azure](https://maester.dev/docs/connect-maester/#connect-to-azure-exchange-online-and-teams)"; break}
         "NotConnectedExchange" { "Not connected to Exchange Online. See [Connecting to Exchange Online](https://maester.dev/docs/connect-maester/#connect-to-azure-exchange-online-and-teams)"; break}
         "NotConnectedSecurityCompliance" { "Not connected to Security & Compliance. See [Connecting to Security & Compliance](https://maester.dev/docs/connect-maester/#connect-to-azure-exchange-online-and-teams)"; break}

@@ -74,7 +74,7 @@ function Add-MtTestResultDetail {
 
         # Common reasons for why the test was skipped.
         [Parameter(Mandatory = $false)]
-        [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotConnectedGraph', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', 'NotConnectedTeams',
+        [ValidateSet('NotConnectedActiveDirectory', 'NotConnectedAzure', 'NotConnectedExchange', 'NotConnectedGraph', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', 'NotConnectedTeams',
             'NotLicensedEntraIDP2', 'NotLicensedEntraIDGovernance', 'NotLicensedEntraWorkloadID', 'NotLicensedExoDlp', "LicensedEntraIDPremium", 'NotSupported', 'Custom',
             'NotLicensedMdo', 'NotLicensedMdoP2', 'NotLicensedMdoP1', 'NotLicensedAdvAudit', 'NotLicensedEop', 'Error', 'NotSupportedAppPermission', 'LimitedPermissions', 'NotLicensedDefenderXDR',
             'NotLicensedCustomerLockbox','NotAuthorized', 'NotLicensedIntune'

@@ -0,0 +1,26 @@
+<#
+.SYNOPSIS
+    Resets the local cache of AD lookups. Use this if you need to force a refresh of the cache in the current session.
+
+.DESCRIPTION
+    By default all AD queries are cached and re-used for the duration of the session.
+
+    Use this function to clear the cache and force a refresh of the data.
+
+.EXAMPLE
+    Clear-MtAdCache
+
+    This example clears the cache of all AD queries.
+
+.LINK
+    https://maester.dev/docs/commands/Clear-MtAdCache
+#>
+function Clear-MtAdCache {
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '', Justification='Setting module level variable')]
+    [CmdletBinding()]
+    param()
+
+    Write-Verbose -Message "Clearing the results cached from DNS lookups in this session"
+
+    $__MtSession.AdCache = @{}
+}
@@ -103,8 +103,14 @@
       [ValidateSet('TeamsChina', 'TeamsGCCH', 'TeamsDOD')]
       [string]$TeamsEnvironmentName = $null, #ToValidate: Don't use this parameter, this is the default.
 
+      # The AD Server to connect to.
+      [string]$AdServer = $null,
+
+      # The AD Credential object.
+      [pscredential]$AdCredential = $null,
+
       # The services to connect to such as Azure and EXO. Default is Graph.
-      [ValidateSet('All', 'Azure', 'ExchangeOnline', 'Graph', 'SecurityCompliance', 'Teams')]
+      [ValidateSet('ActiveDirectory', 'All', 'Azure', 'ExchangeOnline', 'Graph', 'SecurityCompliance', 'Teams')]
       [string[]]$Service = 'Graph',
 
       # The Tenant ID to connect to, if not specified the sign-in user's default tenant is used.
@@ -116,11 +122,44 @@
 
    $__MtSession.Connections = $Service
 
-   $OrderedImport = Get-ModuleImportOrder -Name @('Az.Accounts', 'ExchangeOnlineManagement', 'Microsoft.Graph.Authentication', 'MicrosoftTeams')
+   $OrderedImport = Get-ModuleImportOrder -Name @('ActiveDirectory', 'Az.Accounts', 'ExchangeOnlineManagement', 'Microsoft.Graph.Authentication', 'MicrosoftTeams')
    switch ($OrderedImport.Name) {
 
+      'ActiveDirectory' {
+         if ($Service -contains 'ActiveDirectory' -or $Service -contains 'All') {
+            Write-Verbose 'Connecting to Active Directory'
+            $adWarning = @()
+            try {
+               if($AdServer -and $AdCredential){
+                  $rootDse = Get-ADRootDSE -Server $AdServer -Credential $AdCredential -WarningAction SilentlyContinue -WarningVariable adWarning
+                  $__MtSession.AdServer = $AdServer
+                  $__MtSession.AdCredential = $AdCredential
+               }elseif($AdServer){
+                  $rootDse = Get-ADRootDSE -Server $AdServer -WarningAction SilentlyContinue -WarningVariable adWarning
+                  $__MtSession.AdServer = $AdServer
+                  $__MtSession.AdCredential = $null
+               }elseif($AdCredential){
+                  $rootDse = Get-ADRootDSE -Credential $AdCredential -WarningAction SilentlyContinue -WarningVariable adWarning
+                  $__MtSession.AdServer = $rootDse.dnsHostName
+                  $__MtSession.AdCredential = $AdCredential
+               }else{
+                  $rootDse = Get-ADRootDSE -WarningAction SilentlyContinue -WarningVariable adWarning
+                  $__MtSession.AdServer = $rootDse.dnsHostName
+                  $__MtSession.AdCredential = $null
+               }
+               if ($adWarning.Count -gt 0) {
+                  foreach ($warning in $adWarning) {
+                     Write-Verbose $warning.Message
+                  }
+               }
+            } catch [Management.Automation.CommandNotFoundException] {
+               Write-Host "`nThe ActiveDirectory PowerShell module is not installed. Please install the module using the following information https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools#rsat-for-windows-10-version-1809-or-later-versions" -ForegroundColor Red
+            }
+         }
+      }
+
       'Az.Accounts' {
-         if ($Service -contains 'Azure' -or $Service -contains 'All') {
+         if ($Service -contains 'Azure' -or $Service -contains 'All' -or $Service -contains 'Cloud') {
             Write-Verbose 'Connecting to Microsoft Azure'
             try {
                $azWarning = @()
@@ -143,7 +182,7 @@
 
       'ExchangeOnlineManagement' {
          $ExchangeModuleNotInstalledWarningShown = $false
-         if ($Service -contains 'ExchangeOnline' -or $Service -contains 'All') {
+         if ($Service -contains 'ExchangeOnline' -or $Service -contains 'All' -or $Service -contains 'Cloud') {
             Write-Verbose 'Connecting to Microsoft Exchange Online'
             try {
                if ($UseDeviceCode -and $PSVersionTable.PSEdition -eq 'Desktop') {
@@ -161,7 +200,7 @@
             }
          }
 
-         if ($Service -contains 'SecurityCompliance' -or $Service -contains 'All') {
+         if ($Service -contains 'SecurityCompliance' -or $Service -contains 'All' -or $Service -contains 'Cloud') {
             $Environments = @{
                'O365China'         = @{
                   ConnectionUri    = 'https://ps.compliance.protection.partner.outlook.cn/powershell-liveid'
@@ -189,7 +228,7 @@
                }
             }
             Write-Verbose 'Connecting to Microsoft Security & Compliance PowerShell'
-            if ($Service -notcontains 'ExchangeOnline' -and $Service -notcontains 'All') {
+            if ($Service -notcontains 'ExchangeOnline' -and $Service -notcontains 'All' -or $Service -notcontains 'Cloud') {
                Write-Host "`nThe Security & Compliance module is dependent on the Exchange Online module. Please include ExchangeOnline when specifying the services.`nFor more information see https://learn.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell" -ForegroundColor Red
             } else {
                if ($UseDeviceCode) {
@@ -236,7 +275,7 @@
       }
 
       'Microsoft.Graph.Authentication' {
-         if ($Service -contains 'Graph' -or $Service -contains 'All') {
+         if ($Service -contains 'Graph' -or $Service -contains 'All' -or $Service -contains 'Cloud') {
             Write-Verbose 'Connecting to Microsoft Graph'
             try {
 
@@ -273,7 +312,7 @@
       }
 
       'MicrosoftTeams' {
-         if ($Service -contains 'Teams' -or $Service -contains 'All') {
+         if ($Service -contains 'Teams' -or $Service -contains 'All' -or $Service -contains 'Cloud') {
             Write-Verbose 'Connecting to Microsoft Teams'
             try {
                if ($UseDeviceCode) {