From 519331dfbcd75c6de134dc916e1129beacd73e1b Mon Sep 17 00:00:00 2001
From: Sam Erde
Date: Tue, 10 Dec 2024 09:46:56 -0500
Subject: [PATCH] PSSA

---
 ...pFspMembers.ps1 => Get-GroupFspMember.ps1} | 10 ++--
 ...t-UnusedGroups.ps1 => Get-UnusedGroup.ps1} | 4 +-
 .../Test-IsMemberOfProtectedUsers.ps1 | 55 +++++++++++--------
 Entra/Get-DSReg.ps1 | 16 +++---
 4 files changed, 46 insertions(+), 39 deletions(-)
 rename Active Directory/AD Groups/{Get-GroupFspMembers.ps1 => Get-GroupFspMember.ps1} (72%)
 rename Active Directory/AD Groups/{Get-UnusedGroups.ps1 => Get-UnusedGroup.ps1} (93%)

diff --git a/Active Directory/AD Groups/Get-GroupFspMembers.ps1 b/Active Directory/AD Groups/Get-GroupFspMember.ps1
similarity index 72%
rename from Active Directory/AD Groups/Get-GroupFspMembers.ps1
rename to Active Directory/AD Groups/Get-GroupFspMember.ps1
index 1f4a513..3571680 100644
--- a/Active Directory/AD Groups/Get-GroupFspMembers.ps1
+++ b/Active Directory/AD Groups/Get-GroupFspMember.ps1
@@ -1,4 +1,4 @@
-function Get-GroupFspMembers {
+function Get-GroupFspMember {
 <#
 .SYNOPSIS
 Check Active Directory groups for members that are foreign security principals from other domains or forests.
@@ -18,12 +18,12 @@ function Get-GroupFspMembers {
 $GroupsWithForeignMembers = New-Object System.Collections.Generic.List[System.Object]
 foreach ($group in $Groups) {
- $FspMembers = $group.members | Where-Object { $_ -like "CN=S-1-*" -and $_ -notlike "$DomainSID*" }
+ $FspMembers = $group.members | Where-Object { $_ -like 'CN=S-1-*' -and $_ -notlike "$DomainSID*" }
 if ($FspMembers.count -ne 0) {
 $tempgroup = New-Object -TypeName PSObject
- $tempgroup | Add-Member -MemberType NoteProperty -Name 'GroupDN' -Value $group.distinguishedName
- $tempgroup | Add-Member -MemberType NoteProperty -Name 'Description' -Value $group.Description
- $tempgroup | Add-Member -MemberType NoteProperty -Name 'FspMembers' -Value ($FspMembers -join (', '))
+ $tempgroup | Add-Member -MemberType NoteProperty -Name 'GroupDN' -Value $group.distinguishedName
+ $tempgroup | Add-Member -MemberType NoteProperty -Name 'Description' -Value $group.Description
+ $tempgroup | Add-Member -MemberType NoteProperty -Name 'FspMembers' -Value ($FspMembers -join (', '))
 $GroupsWithForeignMembers.Add($tempgroup)
 }
 }
diff --git a/Active Directory/AD Groups/Get-UnusedGroups.ps1 b/Active Directory/AD Groups/Get-UnusedGroup.ps1
similarity index 93%
rename from Active Directory/AD Groups/Get-UnusedGroups.ps1
rename to Active Directory/AD Groups/Get-UnusedGroup.ps1
index 695154d..3bd94ed 100644
--- a/Active Directory/AD Groups/Get-UnusedGroups.ps1
+++ b/Active Directory/AD Groups/Get-UnusedGroup.ps1
@@ -1,11 +1,11 @@
 Import-Module ActiveDirectory
-function Get-UnusedGroups {
+function Get-UnusedGroup {
 [CmdletBinding()]
 Param(
 [Parameter(Mandatory = $True)]
 [string]$SearchBase
- )
+ )
 Get-ADGroup -Filter * -Properties members, isCriticalSystemObject -SearchBase $SearchBase |
 Where-Object {
 ($_.members.count -eq 0 `
diff --git a/Active Directory/AD Users/Test-IsMemberOfProtectedUsers.ps1 b/Active Directory/AD Users/Test-IsMemberOfProtectedUsers.ps1
index a7cf3f7..6c06739 100644
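Review bot: The exclusion `$_ -notlike "$DomainSID*"` on the new Where-Object line cannot match a member DN that the preceding `-like 'CN=S-1-*'` test has already required to begin with `CN=`, unless $DomainSID (assigned outside this hunk) already carries that prefix; if it holds the bare SID string, the own-domain filter is a no-op and the pattern should read `"CN=$DomainSID*"`. Well-known SIDs such as S-1-5-11 (Authenticated Users) are also stored as foreign security principal objects and will satisfy `CN=S-1-*`, so the report may list them as foreign members; a comment stating whether that is intended, or an explicit exclusion, would make the check's scope clear. The enclosing function body starts outside the hunk.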
--- a/Active Directory/AD Users/Test-IsMemberOfProtectedUsers.ps1
+++ b/Active Directory/AD Users/Test-IsMemberOfProtectedUsers.ps1
@@ -47,36 +47,43 @@ function Test-IsMemberOfProtectedUsers {
 $User
 )
 
- Import-Module ActiveDirectory
-
- # Use the currently logged in user if none is specified
- # Get the user from Active Directory
- if (-not($User)) {
- # These two are different types. Fixed by referencing $CheckUser.SID later, but should fix here by using one type.
- $CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
- $CheckUser = Get-ADUser $CurrentUser -Properties primaryGroupID
- } else {
- $CheckUser = Get-ADUser $User -Properties primaryGroupID
+ begin {
+ Import-Module ActiveDirectory
 }
 
- # Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language.
- $DomainSID = (Get-ADDomain).DomainSID.Value
- $ProtectedUsersSID = "$DomainSID-525"
+ process {
+ # Use the currently logged in user if none is specified
+ # Get the user from Active Directory
+ if (-not($User)) {
+ # These two are different types. Fixed by referencing $CheckUser.SID later, but should fix here by using one type.
+ $CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
+ $CheckUser = Get-ADUser $CurrentUser -Properties primaryGroupID
+ } else {
+ $CheckUser = Get-ADUser $User -Properties primaryGroupID
+ }
+
+ # Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language.
+ $DomainSID = (Get-ADDomain).DomainSID.Value
+ $ProtectedUsersSID = "$DomainSID-525"
 
- # Get members of the Protected Users group for the current domain. Recuse in case groups are nested in it.
- $ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique
+ # Get members of the Protected Users group for the current domain. Recuse in case groups are nested in it.
+ $ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique
 
- # Check if the current user is in the 'Protected Users' group
- if ($ProtectedUsers.SID.Value -contains $CheckUser.SID) {
- Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group."
- $true
- } else {
- # Check if the user's PGID (primary group ID) is set to the Protected Users group RID (525).
- if ( $CheckUser.primaryGroupID -eq '525' ) {
+ # Check if the current user is in the 'Protected Users' group
+ if ($ProtectedUsers.SID.Value -contains $CheckUser.SID) {
+ Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group."
 $true
 } else {
- Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group."
- $false
+ # Check if the user's PGID (primary group ID) is set to the Protected Users group RID (525).
+ if ( $CheckUser.primaryGroupID -eq '525' ) {
+ $true
+ } else {
+ Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group."
+ $false
+ }
 }
 }
+
+ end { }
+
 }
diff --git a/Entra/Get-DSReg.ps1 b/Entra/Get-DSReg.ps1
index f3c3f67..3487028 100644
--- a/Entra/Get-DSReg.ps1
+++ b/Entra/Get-DSReg.ps1
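Review bot: In the new process block the domain lookup and the recursive enumeration of Protected Users (`$DomainSID = (Get-ADDomain).DomainSID.Value`, `$ProtectedUsersSID = "$DomainSID-525"`, `$ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique`) are re-executed for every pipeline input even though none of them depends on $User; moving those three lines into the begin block after Import-Module computes the membership list once per invocation and keeps the per-user work to the Get-ADUser call and the two comparisons. The empty `end { }` block adds nothing and can be dropped. The carried-over comment still reads "Recuse" — `# Get members of the Protected Users group for the current domain. Recurse in case groups are nested in it.` — and the "These two are different types" TODO is preserved rather than resolved; comparing `$CheckUser.SID.Value` against `$ProtectedUsers.SID.Value` would make both sides plain strings and retire the note. The function header and its param block start before this hunk.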
@@ -4,19 +4,19 @@ function Get-DSReg {
 Convert the output of dsregcmd.exe to a PowerShell object.
 #>
 $DSReg = [PSCustomObject]@{}
- $DSRegCmdOutput = (dsregcmd /status | Select-String "(^.*?) : (.*$)").Matches.Value
+ $DSRegCmdOutput = (dsregcmd /status | Select-String '(^.*?) : (.*$)').Matches.Value
 foreach ($line in $DSRegCmdOutput) {
 $Detail = $line.Split(':', 2)
- $DetailName = ($Detail[0]).Replace(' ','').Replace('-','').Trim()
+ $DetailName = ($Detail[0]).Replace(' ', '').Replace('-', '').Trim()
 $RawValue = ($Detail[1]).Trim()
 switch ($RawValue) {
- 'NO' { $CleanValue = $false }
- 'YES' { $CleanValue = $true }
- 'NOT SET' { $CleanValue = $null }
- 'none' { $CleanValue = $null }
- Default { $CleanValue = $RawValue }
+ 'NO' { $CleanValue = $false }
+ 'YES' { $CleanValue = $true }
+ 'NOT SET' { $CleanValue = $null }
+ 'none' { $CleanValue = $null }
+ Default { $CleanValue = $RawValue }
 }
- 
+
 $DSReg | Add-Member -MemberType NoteProperty -Name $DetailName -Value $CleanValue
 }