Get the Active Directory risk level

Use PingCastle to perform the Active Directory risk level analysis. Get a score without setup nor privileges.

Operations to perform

The report can be generated in the interactive mode by choosing “healthcheck” or just by pressing Enter. Indeed it is the default analysis mode.

It can be run using the command:

PingCastle --healthcheck --server

Active Directory risk level analysis

When the health check is run, an html file and an xml file are generated. The html file represent the report of the active directory. It is designed for humans. The xml contains some of the data used to generate the html file and can be used to consolidate date on multiple active directories. It is designed to be computer read (PingCastle). The xml file is required for all analysis, including global overview or cartography.

The report is divided in 3 parts:

1) Scores

The Score is computed by the maximum of the 4 sub scores:

  • Privileged accounts
    It is about administrators.
  • Trusts
    It is about the links between Active Directories (reminder: one AD can compromise one other via trusts).
  • Stale objects
    Stale objects represent everything about the AD objects and their life cycle: computer and user creation, delegation.
  • Security anomalies
    Everything that doesn’t fit into the previous categories. For example the krbtgt password change.


The details of the rules triggered is shown with some indication and the number of points calculated (the total cannot be above 100).

When the button “solve it” is clicked, a short explanation of the rule is shown with some indication on how to solve the situation.

2) General information

Contains the generated date, domain

3) Details

The Detail zone shows general information about users, computers, trusts, group policies, …

Some information can be seen in detail by clicking on the associated link. It contains data to help identify the underlying objects.