PSSA

SamErde · Dec 10, 2024 · 519331d · 519331d
1 parent c76f609
commit 519331d
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 39 deletions.
diff --git a/...rectory/AD Groups/Get-GroupFspMembers.ps1 → ...irectory/AD Groups/Get-GroupFspMember.ps1 b/...rectory/AD Groups/Get-GroupFspMembers.ps1 → ...irectory/AD Groups/Get-GroupFspMember.ps1
@@ -1,4 +1,4 @@
-function Get-GroupFspMembers {
+function Get-GroupFspMember {
     <#
     .SYNOPSIS
         Check Active Directory groups for members that are foreign security principals from other domains or forests.
@@ -18,12 +18,12 @@ function Get-GroupFspMembers {
     $GroupsWithForeignMembers = New-Object System.Collections.Generic.List[System.Object]
 
     foreach ($group in $Groups) {
-        $FspMembers = $group.members | Where-Object { $_ -like "CN=S-1-*" -and $_ -notlike "$DomainSID*" }
+        $FspMembers = $group.members | Where-Object { $_ -like 'CN=S-1-*' -and $_ -notlike "$DomainSID*" }
         if ($FspMembers.count -ne 0) {
             $tempgroup = New-Object -TypeName PSObject
-                $tempgroup | Add-Member -MemberType NoteProperty -Name 'GroupDN' -Value $group.distinguishedName
-                $tempgroup | Add-Member -MemberType NoteProperty -Name 'Description' -Value $group.Description
-                $tempgroup | Add-Member -MemberType NoteProperty -Name 'FspMembers' -Value ($FspMembers -join (', '))
+            $tempgroup | Add-Member -MemberType NoteProperty -Name 'GroupDN' -Value $group.distinguishedName
+            $tempgroup | Add-Member -MemberType NoteProperty -Name 'Description' -Value $group.Description
+            $tempgroup | Add-Member -MemberType NoteProperty -Name 'FspMembers' -Value ($FspMembers -join (', '))
             $GroupsWithForeignMembers.Add($tempgroup)
         }
     }

diff --git a/... Directory/AD Groups/Get-UnusedGroups.ps1 → ...e Directory/AD Groups/Get-UnusedGroup.ps1 b/... Directory/AD Groups/Get-UnusedGroups.ps1 → ...e Directory/AD Groups/Get-UnusedGroup.ps1
@@ -1,11 +1,11 @@
 Import-Module ActiveDirectory
 
-function Get-UnusedGroups {
+function Get-UnusedGroup {
     [CmdletBinding()]
     Param(
         [Parameter(Mandatory = $True)]
         [string]$SearchBase
-        )
+    )
 
     Get-ADGroup -Filter * -Properties members, isCriticalSystemObject -SearchBase $SearchBase | Where-Object {
         ($_.members.count -eq 0 `

diff --git a/Active Directory/AD Users/Test-IsMemberOfProtectedUsers.ps1 b/Active Directory/AD Users/Test-IsMemberOfProtectedUsers.ps1
@@ -47,36 +47,43 @@ function Test-IsMemberOfProtectedUsers {
         $User
     )
 
-    Import-Module ActiveDirectory
-
-    # Use the currently logged in user if none is specified
-    # Get the user from Active Directory
-    if (-not($User)) {
-        # These two are different types. Fixed by referencing $CheckUser.SID later, but should fix here by using one type.
-        $CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
-        $CheckUser = Get-ADUser $CurrentUser -Properties primaryGroupID
-    } else {
-        $CheckUser = Get-ADUser $User -Properties primaryGroupID
+    begin {
+        Import-Module ActiveDirectory
     }
 
-    # Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language.
-    $DomainSID = (Get-ADDomain).DomainSID.Value
-    $ProtectedUsersSID = "$DomainSID-525"
+    process {
+        # Use the currently logged in user if none is specified
+        # Get the user from Active Directory
+        if (-not($User)) {
+            # These two are different types. Fixed by referencing $CheckUser.SID later, but should fix here by using one type.
+            $CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
+            $CheckUser = Get-ADUser $CurrentUser -Properties primaryGroupID
+        } else {
+            $CheckUser = Get-ADUser $User -Properties primaryGroupID
+        }
+
+        # Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language.
+        $DomainSID = (Get-ADDomain).DomainSID.Value
+        $ProtectedUsersSID = "$DomainSID-525"
 
-    # Get members of the Protected Users group for the current domain. Recuse in case groups are nested in it.
-    $ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique
+        # Get members of the Protected Users group for the current domain. Recuse in case groups are nested in it.
+        $ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique
 
-    # Check if the current user is in the 'Protected Users' group
-    if ($ProtectedUsers.SID.Value -contains $CheckUser.SID) {
-        Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group."
-        $true
-    } else {
-        # Check if the user's PGID (primary group ID) is set to the Protected Users group RID (525).
-        if ( $CheckUser.primaryGroupID -eq '525' ) {
+        # Check if the current user is in the 'Protected Users' group
+        if ($ProtectedUsers.SID.Value -contains $CheckUser.SID) {
+            Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group."
             $true
         } else {
-            Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group."
-            $false
+            # Check if the user's PGID (primary group ID) is set to the Protected Users group RID (525).
+            if ( $CheckUser.primaryGroupID -eq '525' ) {
+                $true
+            } else {
+                Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group."
+                $false
+            }
         }
     }
+
+    end { }
+
 }
diff --git a/Entra/Get-DSReg.ps1 b/Entra/Get-DSReg.ps1
@@ -4,19 +4,19 @@ function Get-DSReg {
             Convert the output of dsregcmd.exe to a PowerShell object.
     #>
     $DSReg = [PSCustomObject]@{}
-    $DSRegCmdOutput = (dsregcmd /status | Select-String "(^.*?) : (.*$)").Matches.Value
+    $DSRegCmdOutput = (dsregcmd /status | Select-String '(^.*?) : (.*$)').Matches.Value
     foreach ($line in $DSRegCmdOutput) {
         $Detail = $line.Split(':', 2)
-        $DetailName = ($Detail[0]).Replace(' ','').Replace('-','').Trim()
+        $DetailName = ($Detail[0]).Replace(' ', '').Replace('-', '').Trim()
         $RawValue = ($Detail[1]).Trim()
         switch ($RawValue) {
-            'NO'        { $CleanValue = $false }
-            'YES'       { $CleanValue = $true }
-            'NOT SET'   { $CleanValue = $null }
-            'none'      { $CleanValue = $null }
-            Default     { $CleanValue = $RawValue }
+            'NO' { $CleanValue = $false }
+            'YES' { $CleanValue = $true }
+            'NOT SET' { $CleanValue = $null }
+            'none' { $CleanValue = $null }
+            Default { $CleanValue = $RawValue }
         }
-    
+
         $DSReg | Add-Member -MemberType NoteProperty -Name $DetailName -Value $CleanValue
     }