{"id":48874891,"url":"https://github.com/pm-global/monarch-kit","last_synced_at":"2026-04-16T00:02:00.900Z","repository":{"id":347474059,"uuid":"1183806337","full_name":"pm-global/monarch-kit","owner":"pm-global","description":"PowerShell module for Active Directory auditing — structured discovery, graded findings, HTML reports","archived":false,"fork":false,"pushed_at":"2026-04-15T20:25:14.000Z","size":685,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-04-15T21:03:25.364Z","etag":null,"topics":["active-directory","ad-security","audit","pester","powershell","security","sysadmin","winows"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pm-global.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-17T01:03:01.000Z","updated_at":"2026-04-15T20:25:19.000Z","dependencies_parsed_at":"2026-04-15T21:00:36.989Z","dependency_job_id":null,"html_url":"https://github.com/pm-global/monarch-kit","commit_stats":null,"previous_names":["pm-global/monarch-kit"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/pm-global/monarch-kit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pm-global%2Fmonarch-kit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pm-global%2Fmonarch-kit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pm-global%2Fmonarch-kit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pm-global%2Fmonarch-kit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pm-global","download_url":"https://codeload.github.com/pm-global/monarch-kit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pm-global%2Fmonarch-kit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31865078,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T15:24:51.572Z","status":"ssl_error","status_checked_at":"2026-04-15T15:24:39.138Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","ad-security","audit","pester","powershell","security","sysadmin","winows"],"created_at":"2026-04-16T00:01:58.803Z","updated_at":"2026-04-16T00:02:00.890Z","avatar_url":"https://github.com/pm-global.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# monarch-kit\n\nA multi-phase Active Directory audit and administration suite. The Discovery phase — currently complete — documents your domain's health across eight audit categories with graded findings and a single-page HTML report. Remediation, monitoring, and cleanup phases are in development, building toward a complete AD management workflow for mid-market domains.\n\n**v0.5.1-beta** — Discovery phase complete (28 functions, 346 tests). Remediation, interactive wrapper, and remaining phases are planned.\n\n## Requirements\n\n- Windows Server 2016+ or Windows 10/11\n- PowerShell 5.1+\n- RSAT: Active Directory Domain Services Tools (`Get-WindowsCapability -Online -Name Rsat.ActiveDirectory*`)\n- RSAT: Group Policy Management Tools (for GPO functions)\n- Must run on a domain-joined machine with Domain Admin or equivalent rights\n\n## Installation\n\n```powershell\ngit clone https://github.com/pm-global/monarch-kit.git\ncd monarch-kit\n```\n\n## Quick Start\n\nOpen an **administrator PowerShell window**, navigate to the repo root, and run:\n\n```powershell\n.\\preflight-win.ps1\n```\n\nPreflight checks your environment, installs any missing RSAT components, and imports the module. Then run the audit:\n\n```powershell\n# interactive — clean console, follow the report path on the OK line\nInvoke-DomainAudit -Phase Discovery\n\n# automation — capture findings, failures, dispositions\n$result = Invoke-DomainAudit -Phase Discovery -PassThru\n```\n\nWhen it finishes, the console prints the report path. Open it in any browser.\n\n**One-liner option** — preflight and launch in a single step (opens in a new window):\n\n```powershell\n.\\preflight-win.ps1 -AndMonarch\n```\n\nThe audit runs 25 checks sequentially — expect 1–3 minutes on a typical domain. When it finishes, a folder named `Monarch-Audit-YYYYMMDD` appears in your current directory containing the HTML report (`00-Discovery-Report.html`) and per-function CSV/JSON output files.\n\n\u003e **Note:** monarch-kit hashes `Monarch.psm1` at import time and rechecks on every run. If the file on disk has changed — e.g. after a `git pull` — `Invoke-DomainAudit` spawns a new elevated PowerShell window running `.\\preflight-win.ps1 -AndMonarch`, then exits with code `3`. The new window reloads the module and relaunches the audit automatically. monarch-kit will never run a version of itself that differs from what is on disk. Automation scripts can detect this cycle by checking for exit code `3`.\n\n## What You'll See\n\nConsole output during the run (default `Info` verbosity):\n\n```\naudit: corp.example.com  ·  DC: dc01.corp.example.com  ·  25 checks\n\n  audit: Get-FSMORolePlacement...\n  audit: Get-ReplicationHealth...\n  ...\naudit OK: 25/25 checks (1m 42s)\n```\n\nThe HTML report contains:\n- **Header** — domain, DC used, audit duration, pass/fail summary\n- **Critical findings** — items requiring immediate attention, with remediation hints\n- **Advisory findings** — lower-severity items worth reviewing\n- **Per-category sections** — detailed results for each of the eight audit categories\n- **Output file tree** — links to all generated CSV/JSON files\n\n## Verbosity\n\nControl console output with `-Verbosity`:\n\n| Level | Progress bar | Per-function narration | Failure blocks | OK line |\n|-------|-------------|----------------------|----------------|---------|\n| `Silent` | No | No | No | No |\n| `Error` | Yes | No | Yes | No |\n| `Warn` | Yes | No | Yes | Yes |\n| `Info` (default) | Yes | Yes | Yes | Yes |\n\n```powershell\nInvoke-DomainAudit -Phase Discovery -Verbosity Silent   # zero output, report still generated\nInvoke-DomainAudit -Phase Discovery -Verbosity Warn     # progress bar + summary only\n```\n\n## Architecture\n\n```\nMonarch API functions (25) — interpret AD state, return graded answers per category\n    ↓\nInvoke-DomainAudit — orchestrator, coordinates Discovery phase\n    ↓\nNew-MonarchReport — single-page HTML report from orchestrator results\n```\n\nAPI functions return structured objects. The orchestrator calls them in sequence, isolates failures, and generates the report. A failed check does not stop the run — it's recorded and reported.\n\n## Audit Categories\n\n| Category | Functions | Covers |\n|----------|-----------|--------|\n| Infrastructure Health | 4 | FSMO roles, replication health, site/subnet topology, functional levels |\n| Identity Lifecycle | 1 | Dormant account discovery with CSV export |\n| Privileged Access | 4 | Group membership, AdminCount orphans, Kerberoastable, AS-REP roastable |\n| Group Policy | 3 | GPO export (HTML/XML/CSV), unlinked GPOs, permission anomalies |\n| Security Posture | 4 | Password policies, weak account flags, Protected Users gaps, legacy protocols |\n| Backup \u0026 Recovery | 2 | Three-tier backup detection, tombstone gap analysis |\n| Audit \u0026 Compliance | 3 | Domain baselines, audit policy consistency, event log configuration |\n| DNS (AD-Integrated) | 4 | SRV record completeness, scavenging, zone replication, forwarder consistency |\n\nPlus `Invoke-DomainAudit` (orchestrator), `New-MonarchReport` (HTML reporting), and `Resolve-MonarchDC` (DC selection). 28 functions total.\n\n## Phases\n\n| Phase | Status | Purpose |\n|-------|--------|---------|\n| Discovery | **Complete** | Document current state across all eight audit categories |\n| Review | Human activity | Review findings, validate exclusions, approve plan ([checklists](docs/checklists.md)) |\n| Remediation | Planned | Execute approved changes with WhatIf gates |\n| Monitoring | Planned | Track metrics during hold period |\n| Cleanup | Planned | Permanent deletion after hold period |\n\nDiscovery is entirely read-only. No operations modify AD state.\n\n## Configuration\n\nAll defaults are built in. A fresh install works without configuration. [`Monarch-Config.psd1`](Monarch-Config.psd1) ships with every default commented out — uncomment and modify values for your environment. Key areas: dormancy thresholds, privileged group thresholds, service account keywords, backup vendor integration, report accent colors.\n\n## Troubleshooting\n\n**\"Cannot find domain controllers\"** — run on a domain-joined machine, verify DNS resolution, check firewall rules for AD ports.\n\n**\"Access denied\" errors** — need Domain Admin or equivalent. Check UAC (run as administrator).\n\n**\"LastLogon always null\"** — account truly never logged on, or all DCs were unreachable during query.\n\n**GPO export fails for specific GPO** — likely corrupted GPO or DENY ACL. Check Event Viewer.\n\n## Calling Functions Directly\n\nEvery function returns structured PowerShell objects. Pipe to `Format-Table`, `Export-Csv`, or consume programmatically.\n\n```powershell\nImport-Module .\\Monarch.psd1\nGet-PrivilegedGroupMembership -Server dc01.contoso.com\nFind-DormantAccount -Server dc01.contoso.com -OutputPath .\\dormant-accounts\n```\n\n## Project Artifacts\n\nThis repo includes development artifacts alongside the module code:\n\n- [`CLAUDE.md`](CLAUDE.md) — machine-readable project specification (architecture, conventions, probe contracts)\n- [`docs/domain-specs.md`](docs/domain-specs.md) — audit categories with function lists and return contracts\n- [`docs/mechanism-decisions.md`](docs/mechanism-decisions.md) — technical decisions with rationale\n- [`docs/design-system.md`](docs/design-system.md) — visual language specification for report output\n- [`docs/checklists.md`](docs/checklists.md) — expert-curated review phase checklists\n\nReading order for contributors: this README, then [`CLAUDE.md`](CLAUDE.md), then [`docs/domain-specs.md`](docs/domain-specs.md) for the category you're working on.\n\n## Compliance\n\nDormant account policy aligns with PCI DSS v4.0.1, NIST SP 800-53 Rev 5, and Microsoft 2026 guidance. See [`docs/dormant-account-policy.md`](docs/dormant-account-policy.md).\n\n## Related Tools\n\n- **Ping Castle** — AD security scoring and hardening assessment\n- **BloodHound** — attack path mapping\n- **Microsoft Policy Analyzer** — GPO baseline comparison\n\n## License\n\nMIT\n\n---\n\nDesigned and developed with Claude Sonnet and Opus, directed by human input with ❤️ and a genuine commitment to holding the models to the highest standard of craft and code quality achievable.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpm-global%2Fmonarch-kit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpm-global%2Fmonarch-kit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpm-global%2Fmonarch-kit/lists"}