Run Windows Best Practices Analyzer for Active Directory using PowerShell


Starting with Windows 2008 R2, Microsoft introduced a Best Practices Analyzer (BPA) for Active Directory that is included as part of the operating system. The tool analyzes many of the most common issues that administrators typically run into.

To access BPA, open Server Manager, click the AD DS node, and scroll down the panel.


To run a BPA scan, click Task / Start BPA Scan on the right. You can select one or more domain controllers, then start the scan.


Once the scan completes, you’ll see the result. Each result gives you the server exhibiting the issue, a severity level, the name of the issue and an overall category. When you select an issue, a description of the issue is shown below with a link to more information and remediation steps.


How to run BPA with PowerShell:

First get the available BPA models. Use the cmdlet Get-BpaModel



Now you can run BPA against one of the model IDs with the Invoke-BPAModel cmdlet. For instance, to run BPA on Directory Services, execute the cmdlet

Invoke-BPAModel "Microsoft/Windows/DirectoryServices"


To run BPA on all roles, execute the cmdlet

Get-BPAModel | Invoke-BPAModel


How to run BPA remotely:

Connect to the remote server using

Enter-PSSession Computername -Credential Username


Then run Invoke-BPAModel in that session.


Retrieve results from BPA:

Use the cmdlet Get-BPAResult

Get-BpaResult "Microsoft/Windows/DirectoryServices"


You can also filter the results, for example by severity:

Get-BpaResult "Microsoft/Windows/DirectoryServices" | where Severity -eq Warning
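
The steps above combined into one non-interactive run against several domain controllers, as an added example that is not part of the original post. It goes slightly beyond the post by using Invoke-Command instead of an interactive Enter-PSSession; the names DC01 and DC02 and the CSV file name are placeholders.

```powershell
# Added example: scan several domain controllers and collect the findings.
# DC01/DC02 and the CSV file name are placeholders, not values from the post.
$modelId     = 'Microsoft/Windows/DirectoryServices'
$controllers = 'DC01', 'DC02'
$credential  = Get-Credential

$findings = Invoke-Command -ComputerName $controllers -Credential $credential -ArgumentList $modelId -ScriptBlock {
    param($ModelId)

    # Needed on Windows Server 2008 R2; later versions load the module on demand.
    Import-Module BestPractices

    # Skip hosts where the model is not installed (for example, a server that is not a DC).
    if (-not (Get-BpaModel | Where-Object { $_.Id -eq $ModelId })) {
        Write-Warning "BPA model $ModelId not found on $env:COMPUTERNAME"
        return
    }

    # Run the scan, then return only the findings that need attention.
    Invoke-BpaModel $ModelId | Out-Null
    Get-BpaResult $ModelId |
        Where-Object { 'Error', 'Warning' -contains $_.Severity }
}

# Count of findings per controller and severity.
$findings |
    Group-Object PSComputerName, Severity |
    Select-Object Name, Count

# Full detail, sorted, exported for tracking remediation.
$findings |
    Sort-Object PSComputerName, Severity |
    Select-Object PSComputerName, Severity, Category, Title, Problem, Resolution |
    Export-Csv -Path .\adds-bpa-findings.csv -NoTypeInformation
```

Filtering inside the script block keeps the comparison on the original Severity values before the results are serialized back over the remoting session.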


Cheers 😉

2 Comments on "Run Windows Best Practices Analyzer for Active Directory using PowerShell"

  1. This website is really interesting. I have bookmarked it. Do you allow guest posts on your website? I can provide high quality posts for you. Let me know.
