functions/Get-GptPrincipal.ps1
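function Get-GptPrincipal {
    <#
    .SYNOPSIS
        Generates a list of principals relevant to the specified GPO.

    .DESCRIPTION
        Generates a list of principals relevant to the specified GPO.
        This is used internally to generate the identities export.
        It can also be used directly, to assess needed identities (for example when setting up a test domain).

        Live GPOs are first exported with Backup-GPO into a temporary directory under the caller's
        TEMP folder; the GPMgmt COM migration table of that backup is then read to enumerate the
        principals (users, computers, groups and - optionally - UNC paths) the policy references.
        The temporary backup is removed again even if the export or the scan fails.

    .PARAMETER Path
        Path to an already existing GPO backup directory.
        Using this will have the module scan a backup, rather than live GPO.
        The directory is never modified or deleted by this command.

    .PARAMETER Name
        The name to filter GPOs by.
        Defaults to '*'
        Accepts multiple strings, a single wildcard match is needed for a GPO to be selected.

    .PARAMETER GpoObject
        The GPO to process, as returned by Get-Gpo.

    .PARAMETER Domain
        The domain to connect to.
        Defaults to the user dns domain.
        Used both to enumerate GPOs (when no GpoObject is given) and to resolve principals whose
        SID does not carry a domain of its own (well-known SIDs such as BUILTIN or NT AUTHORITY).

    .PARAMETER IncludeUNC
        By default, UNC paths are not included in the output.
        These too can be read from GPO and might be relevant.

    .EXAMPLE
        PS C:\> Get-GptPrincipal

        Returns the relevant principals from all GPOs in the current domain.

    .EXAMPLE
        PS C:\> Get-GptPrincipal -Path C:\Backups\GPO

        Returns the relevant principals from all GPO backups found under C:\Backups\GPO.
    #>
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSPossibleIncorrectUsageOfAssignmentOperator', '')]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '')]
    [CmdletBinding(DefaultParameterSetName = 'GPO')]
    param (
        [Parameter(ParameterSetName = "Path")]
        # A GPO backup is always a directory; rejecting files here gives a clear error instead of a COM failure later.
        [ValidateScript({ Test-Path -Path $_ -PathType Container })]
        [string]
        $Path,

        [Parameter(ParameterSetName = 'GPO')]
        [string[]]
        $Name = '*',

        [Parameter(ParameterSetName = 'GPO', ValueFromPipeline = $true)]
        $GpoObject,

        [string]
        $Domain = $env:USERDNSDOMAIN,

        [switch]
        $IncludeUNC
    )

    begin {
        if (-not $Path) {
            # GPO backups contain the policy's security settings and ACLs, so they are written under the
            # caller's own TEMP profile only. A GUID makes the name unpredictable, and the absence of -Force
            # turns an already-existing directory into an error rather than silently scanning - and later
            # deleting - whatever happens to live there.
            $tempPath = New-Item -Path $env:TEMP -ItemType Directory -Name "Gpo_TempBackup_$([guid]::NewGuid().ToString('N'))" -ErrorAction Stop
            $backupPath = $tempPath.FullName
        }
        else {
            $backupPath = (Resolve-Path -Path $Path).ProviderPath
        }

        # Removes the temporary backup directory created above. Only ever used when no -Path was given,
        # so a caller-supplied backup is never touched.
        $removeTempBackup = {
            if ($tempPath -and (Test-Path -LiteralPath $tempPath.FullName)) {
                Remove-Item -LiteralPath $tempPath.FullName -Recurse -Force
            }
        }

        # Maps the GPMgmt migration-table EntryType numbers to readable labels.
        $entryType = @{
            0 = 'User'
            1 = 'Computer'
            2 = 'LocalGroup'
            3 = 'DomainGroup'
            4 = 'UniversalGroup'
            5 = 'UNCPath'
            6 = 'Unknown'
        }
    }
    process {
        # Scanning an existing backup: nothing to export.
        if ($Path) { return }

        #region Export GPO to temporary path
        try {
            $selectedGpos = $GpoObject | Where-Object { Test-Overlap -ReferenceObject $_.DisplayName -DifferenceObject $Name -Operator Like }
            if (-not $GpoObject) {
                $selectedGpos = Get-GPO -All -Domain $Domain | Where-Object { Test-Overlap -ReferenceObject $_.DisplayName -DifferenceObject $Name -Operator Like }
            }
            $null = $selectedGpos | Backup-GPO -Path $backupPath
        }
        catch {
            # A terminating error here skips the end block, so clean up before propagating -
            # otherwise a partially written policy backup would be left behind in TEMP.
            & $removeTempBackup
            throw
        }
        #endregion Export GPO to temporary path
    }
    end {
        try {
            $groupPolicyManager = New-Object -ComObject GPMgmt.GPM
            $migrationTable = $groupPolicyManager.CreateMigrationTable()
            $constants = $groupPolicyManager.getConstants()
            $backupDirectory = $groupPolicyManager.GetBackupDir($backupPath)
            $backupList = $backupDirectory.SearchBackups($groupPolicyManager.CreateSearchCriteria())

            # Adding each backup twice (default and with ProcessSecurity) also pulls in the principals
            # referenced from the GPO's security descriptors, not just those from policy settings.
            foreach ($policyBackup in $backupList) {
                $migrationTable.Add(0, $policyBackup)
                $migrationTable.Add($constants.ProcessSecurity, $policyBackup)
            }

            foreach ($entry in $migrationTable.GetEntries()) {
                $paramAddMember = @{
                    MemberType = 'NoteProperty'
                    Name       = 'EntryType'
                    Value      = $entryType[$entry.EntryType]
                    PassThru   = $true
                    Force      = $true
                }

                switch ($entry.EntryType) {
                    $constants.EntryTypeUNCPath {
                        if ($IncludeUNC) {
                            [PSCustomObject]@{
                                EntryType = $entryType[$entry.EntryType]
                                Path      = $entry.Source
                            }
                        }
                    }
                    default {
                        # Prefer the SID form: it needs no directory round-trip and is unambiguous.
                        $sid = $entry.Source -as [System.Security.Principal.SecurityIdentifier]
                        if (-not $sid) {
                            # Only the name -> SID translation is guarded; an unknown or unreachable account
                            # falls through to a name-based lookup. Errors from Resolve-ADPrincipal itself
                            # are not masked and surface to the caller.
                            try {
                                $sid = ([System.Security.Principal.NTAccount]$entry.Source).Translate([System.Security.Principal.SecurityIdentifier])
                            }
                            catch {
                                $sid = $null
                            }
                        }

                        if ($sid) {
                            # Account SIDs (S-1-5-21-...) carry their own domain; well-known SIDs (BUILTIN,
                            # NT AUTHORITY) have no AccountDomainSid and are resolved against -Domain instead.
                            # NOTE(review): the original read $sid.DomainSID, which is not a native member of
                            # SecurityIdentifier; unless the module adds it via a type extension that branch
                            # was never taken. AccountDomainSid is the .NET property with that meaning.
                            $targetDomain = $Domain
                            if ($sid.AccountDomainSid) { $targetDomain = $sid.AccountDomainSid }
                            Resolve-ADPrincipal -Name $sid -Domain $targetDomain | Add-Member @paramAddMember
                        }
                        elseif ($entry.Source -like '*@*') {
                            # UPN-style name: split on the first '@' only, so a stray '@' in the name part
                            # cannot turn the domain into an array.
                            $entity, $domainName = $entry.Source -split '@', 2
                            Resolve-ADPrincipal -Name $entity -Domain $domainName | Add-Member @paramAddMember
                        }
                        else {
                            Resolve-ADPrincipal -Name $entry.Source -Domain $Domain | Add-Member @paramAddMember
                        }
                    }
                }
            }
        }
        finally {
            # Runs on success and on failure, so the exported policy data never lingers in TEMP.
            if (-not $Path) { & $removeTempBackup }
        }
    }
}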