  1. function Get-WinADGPOMissingPermissions {
  2. [cmdletBinding()]
  3. param([alias('ForestName')][string] $Forest,
  4. [string[]] $ExcludeDomains,
  5. [alias('Domain', 'Domains')][string[]] $IncludeDomains,
  6. [switch] $SkipRODC,
  7. [System.Collections.IDictionary] $ExtendedForestInformation,
  8. [validateset('AuthenticatedUsers', 'DomainComputers', 'Either')][string] $Mode = 'Either')
  9. if (-not $ExtendedForestInformation) { $ForestInformation = Get-WinADForestDetails -Forest $Forest -IncludeDomains $IncludeDomains -ExcludeDomains $ExcludeDomains -ExcludeDomainControllers $ExcludeDomainControllers -IncludeDomainControllers $IncludeDomainControllers -SkipRODC:$SkipRODC } else { $ForestInformation = $ExtendedForestInformation }
  10. foreach ($Domain in $ForestInformation.Domains) {
  11. $QueryServer = $ForestInformation['QueryServers']["$Domain"].HostName[0]
  12. $GPOs = Get-GPO -All -Domain $Domain -Server $QueryServer
  13. $MissingPermissions = @(foreach ($GPO in $GPOs) {
  14. $Permissions = Get-GPPermission -Guid $GPO.Id -All -Server $QueryServer -DomainName $Domain | Select-Object -ExpandProperty Trustee
  15. if ($Mode -eq 'Either' -or $Mode -eq 'AuthenticatedUsers') { $GPOPermissionForAuthUsers = $Permissions | Where-Object { $_.Name -eq "Authenticated Users" } }
  16. if ($Mode -eq 'Either' -or $Mode -eq 'DomainComputers') { $GPOPermissionForDomainComputers = $Permissions | Where-Object { $_.Name -eq "Domain Computers" } }
  17. if ($Mode -eq 'Either') { If (-not $GPOPermissionForAuthUsers -and -not $GPOPermissionForDomainComputers) { $GPO } } elseif ($Mode -eq 'AuthenticatedUsers') { If (-not $GPOPermissionForAuthUsers) { $GPO } } elseif ($Mode -eq 'DomainComputers') { If (-not $GPOPermissionForDomainComputers) { $GPO } }
  18. })
  19. $MissingPermissions
  20. }
  21. }
  22. function Get-WinADForestDetails {
  23. [CmdletBinding()]
  24. param([alias('ForestName')][string] $Forest,
  25. [string[]] $ExcludeDomains,
  26. [string[]] $ExcludeDomainControllers,
  27. [alias('Domain', 'Domains')][string[]] $IncludeDomains,
  28. [alias('DomainControllers', 'ComputerName')][string[]] $IncludeDomainControllers,
  29. [switch] $SkipRODC,
  30. [string] $Filter = '*',
  31. [switch] $TestAvailability,
  32. [ValidateSet('All', 'Ping', 'WinRM', 'PortOpen', 'Ping+WinRM', 'Ping+PortOpen', 'WinRM+PortOpen')] $Test = 'All',
  33. [int[]] $Ports = 135,
  34. [int] $PortsTimeout = 100,
  35. [int] $PingCount = 1)
  36. if ($Global:ProgressPreference -ne 'SilentlyContinue') {
  37. $TemporaryProgress = $Global:ProgressPreference
  38. $Global:ProgressPreference = 'SilentlyContinue'
  39. }
  40. $Findings = [ordered] @{ }
  41. try { if ($Forest) { $ForestInformation = Get-ADForest -ErrorAction Stop -Identity $Forest } else { $ForestInformation = Get-ADForest -ErrorAction Stop } } catch {
  42. Write-Warning "Get-WinADForestDetails - Error discovering DC for Forest - $($_.Exception.Message)"
  43. return
  44. }
  45. if (-not $ForestInformation) { return }
  46. $Findings['Forest'] = $ForestInformation
  47. $Findings['ForestDomainControllers'] = @()
  48. $Findings['QueryServers'] = @{ }
  49. $Findings['QueryServers']['Forest'] = $DC
  50. $Findings.Domains = foreach ($_ in $ForestInformation.Domains) {
  51. if ($IncludeDomains) {
  52. if ($_ -in $IncludeDomains) { $_.ToLower() }
  53. continue
  54. }
  55. if ($_ -notin $ExcludeDomains) { $_.ToLower() }
  56. }
  57. $Findings['ForestDomainControllers'] = foreach ($Domain in $Findings.Domains) {
  58. try { $DC = Get-ADDomainController -DomainName $Domain -Discover -ErrorAction Stop } catch {
  59. Write-Warning "Get-WinADForestDetails - Error discovering DC for domain $Domain - $($_.Exception.Message)"
  60. continue
  61. }
  62. $Findings['QueryServers']["$Domain"] = $DC
  63. [Array] $AllDC = try {
  64. try { $DomainControllers = Get-ADDomainController -Filter $Filter -Server $DC.HostName[0] -ErrorAction Stop } catch {
  65. Write-Warning "Get-WinADForestDetails - Error listing DCs for domain $Domain - $($_.Exception.Message)"
  66. continue
  67. }
  68. foreach ($S in $DomainControllers) {
  69. if ($IncludeDomainControllers.Count -gt 0) { If (-not $IncludeDomainControllers[0].Contains('.')) { if ($S.Name -notin $IncludeDomainControllers) { continue } } else { if ($S.HostName -notin $IncludeDomainControllers) { continue } } }
  70. if ($ExcludeDomainControllers.Count -gt 0) { If (-not $ExcludeDomainControllers[0].Contains('.')) { if ($S.Name -notin $ExcludeDomainControllers) { continue } } else { if ($S.HostName -in $ExcludeDomainControllers) { continue } } }
  71. $Server = [ordered] @{Domain = $Domain
  72. HostName = $S.HostName
  73. Name = $S.Name
  74. Forest = $ForestInformation.RootDomain
  75. Site = $S.Site
  76. IPV4Address = $S.IPV4Address
  77. IPV6Address = $S.IPV6Address
  78. IsGlobalCatalog = $S.IsGlobalCatalog
  79. IsReadOnly = $S.IsReadOnly
  80. IsSchemaMaster = ($S.OperationMasterRoles -contains 'SchemaMaster')
  81. IsDomainNamingMaster = ($S.OperationMasterRoles -contains 'DomainNamingMaster')
  82. IsPDC = ($S.OperationMasterRoles -contains 'PDCEmulator')
  83. IsRIDMaster = ($S.OperationMasterRoles -contains 'RIDMaster')
  84. IsInfrastructureMaster = ($S.OperationMasterRoles -contains 'InfrastructureMaster')
  85. OperatingSystem = $S.OperatingSystem
  86. OperatingSystemVersion = $S.OperatingSystemVersion
  87. OperatingSystemLong = ConvertTo-OperatingSystem -OperatingSystem $S.OperatingSystem -OperatingSystemVersion $S.OperatingSystemVersion
  88. LdapPort = $S.LdapPort
  89. SslPort = $S.SslPort
  90. DistinguishedName = $S.ComputerObjectDN
  91. Pingable = $null
  92. WinRM = $null
  93. PortOpen = $null
  94. Comment = ''
  95. }
  96. if ($TestAvailability) {
  97. if ($Test -eq 'All' -or $Test -like 'Ping*') { $Server.Pingable = Test-Connection -ComputerName $Server.IPV4Address -Quiet -Count $PingCount }
  98. if ($Test -eq 'All' -or $Test -like '*WinRM*') { $Server.WinRM = (Test-WinRM -ComputerName $Server.HostName).Status }
  99. if ($Test -eq 'All' -or '*PortOpen*') { $Server.PortOpen = (Test-ComputerPort -Server $Server.HostName -PortTCP $Ports -Timeout $PortsTimeout).Status }
  100. }
  101. [PSCustomObject] $Server
  102. }
  103. } catch {
  104. [PSCustomObject]@{Domain = $Domain
  105. HostName = ''
  106. Name = ''
  107. Forest = $ForestInformation.RootDomain
  108. IPV4Address = ''
  109. IPV6Address = ''
  110. IsGlobalCatalog = ''
  111. IsReadOnly = ''
  112. Site = ''
  113. SchemaMaster = $false
  114. DomainNamingMasterMaster = $false
  115. PDCEmulator = $false
  116. RIDMaster = $false
  117. InfrastructureMaster = $false
  118. LdapPort = ''
  119. SslPort = ''
  120. DistinguishedName = ''
  121. Pingable = $null
  122. WinRM = $null
  123. PortOpen = $null
  124. Comment = $_.Exception.Message -replace "`n", " " -replace "`r", " "
  125. }
  126. }
  127. if ($SkipRODC) { $Findings[$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false } } else { $Findings[$Domain] = $AllDC }
  128. $Findings[$Domain]
  129. }
  130. if ($TemporaryProgress) { $Global:ProgressPreference = $TemporaryProgress }
  131. $Findings
  132. }
  133. function ConvertTo-OperatingSystem {
  134. [CmdletBinding()]
  135. param([string] $OperatingSystem,
  136. [string] $OperatingSystemVersion)
  137. if ($OperatingSystem -like '*Windows 10*') {
  138. $Systems = @{'10.0 (18363)' = "Windows 10 1909"
  139. '10.0 (18362)' = "Windows 10 1903"
  140. '10.0 (17763)' = "Windows 10 1809"
  141. '10.0 (17134)' = "Windows 10 1803"
  142. '10.0 (16299)' = "Windows 10 1709"
  143. '10.0 (15063)' = "Windows 10 1703"
  144. '10.0 (14393)' = "Windows 10 1607"
  145. '10.0 (10586)' = "Windows 10 1511"
  146. '10.0 (10240)' = "Windows 10 1507"
  147. '10.0 (18898)' = 'Windows 10 Insider Preview'
  148. '10.0.18363' = "Windows 10 1909"
  149. '10.0.18362' = "Windows 10 1903"
  150. '10.0.17763' = "Windows 10 1809"
  151. '10.0.17134' = "Windows 10 1803"
  152. '10.0.16299' = "Windows 10 1709"
  153. '10.0.15063' = "Windows 10 1703"
  154. '10.0.14393' = "Windows 10 1607"
  155. '10.0.10586' = "Windows 10 1511"
  156. '10.0.10240' = "Windows 10 1507"
  157. '10.0.18898' = 'Windows 10 Insider Preview'
  158. }
  159. $System = $Systems[$OperatingSystemVersion]
  160. if (-not $System) { $System = $OperatingSystem }
  161. } elseif ($OperatingSystem -like '*Windows Server*') {
  162. $Systems = @{'5.2 (3790)' = 'Windows Server 2003'
  163. '6.1 (7601)' = 'Windows Server 2008 R2'
  164. '10.0 (18362)' = "Windows Server, version 1903 (Semi-Annual Channel) 1903"
  165. '10.0 (17763)' = "Windows Server 2019 (Long-Term Servicing Channel) 1809"
  166. '10.0 (17134)' = "Windows Server, version 1803 (Semi-Annual Channel) 1803"
  167. '10.0 (14393)' = "Windows Server 2016 (Long-Term Servicing Channel) 1607"
  168. '10.0.18362' = "Windows Server, version 1903 (Semi-Annual Channel) 1903"
  169. '10.0.17763' = "Windows Server 2019 (Long-Term Servicing Channel) 1809"
  170. '10.0.17134' = "Windows Server, version 1803 (Semi-Annual Channel) 1803"
  171. '10.0.14393' = "Windows Server 2016 (Long-Term Servicing Channel) 1607"
  172. }
  173. $System = $Systems[$OperatingSystemVersion]
  174. if (-not $System) { $System = $OperatingSystem }
  175. } else { $System = $OperatingSystem }
  176. if ($System) { $System } else { 'Unknown' }
  177. }
  178. function Test-ComputerPort {
  179. [CmdletBinding()]
  180. param ([alias('Server')][string[]] $ComputerName,
  181. [int[]] $PortTCP,
  182. [int[]] $PortUDP,
  183. [int]$Timeout = 5000)
  184. begin {
  185. if ($Global:ProgressPreference -ne 'SilentlyContinue') {
  186. $TemporaryProgress = $Global:ProgressPreference
  187. $Global:ProgressPreference = 'SilentlyContinue'
  188. }
  189. }
  190. process {
  191. foreach ($Computer in $ComputerName) {
  192. foreach ($P in $PortTCP) {
  193. $Output = [ordered] @{'ComputerName' = $Computer
  194. 'Port' = $P
  195. 'Protocol' = 'TCP'
  196. 'Status' = $null
  197. 'Summary' = $null
  198. 'Response' = $null
  199. }
  200. $TcpClient = Test-NetConnection -ComputerName $Computer -Port $P -InformationLevel Detailed -WarningAction SilentlyContinue
  201. if ($TcpClient.TcpTestSucceeded) {
  202. $Output['Status'] = $TcpClient.TcpTestSucceeded
  203. $Output['Summary'] = "TCP $P Successful"
  204. } else {
  205. $Output['Status'] = $false
  206. $Output['Summary'] = "TCP $P Failed"
  207. $Output['Response'] = $Warnings
  208. }
  209. [PSCustomObject]$Output
  210. }
  211. foreach ($P in $PortUDP) {
  212. $Output = [ordered] @{'ComputerName' = $Computer
  213. 'Port' = $P
  214. 'Protocol' = 'UDP'
  215. 'Status' = $null
  216. 'Summary' = $null
  217. }
  218. $UdpClient = [System.Net.Sockets.UdpClient]::new($Computer, $P)
  219. $UdpClient.Client.ReceiveTimeout = $Timeout
  220. $Encoding = [System.Text.ASCIIEncoding]::new()
  221. $byte = $Encoding.GetBytes("Evotec")
  222. [void]$UdpClient.Send($byte, $byte.length)
  223. $RemoteEndpoint = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
  224. try {
  225. $Bytes = $UdpClient.Receive([ref]$RemoteEndpoint)
  226. [string]$Data = $Encoding.GetString($Bytes)
  227. If ($Data) {
  228. $Output['Status'] = $true
  229. $Output['Summary'] = "UDP $P Successful"
  230. $Output['Response'] = $Data
  231. }
  232. } catch {
  233. $Output['Status'] = $false
  234. $Output['Summary'] = "UDP $P Failed"
  235. $Output['Response'] = $_.Exception.Message
  236. }
  237. $UdpClient.Close()
  238. $UdpClient.Dispose()
  239. [PSCustomObject]$Output
  240. }
  241. }
  242. }
  243. end { if ($TemporaryProgress) { $Global:ProgressPreference = $TemporaryProgress } }
  244. }
  245. function Test-WinRM {
  246. [CmdletBinding()]
  247. param ([alias('Server')][string[]] $ComputerName)
  248. $Output = foreach ($Computer in $ComputerName) {
  249. $Test = [PSCustomObject] @{Output = $null
  250. Status = $null
  251. ComputerName = $Computer
  252. }
  253. try {
  254. $Test.Output = Test-WSMan -ComputerName $Computer -ErrorAction Stop
  255. $Test.Status = $true
  256. } catch { $Test.Status = $false }
  257. $Test
  258. }
  259. $Output
  260. }
  261. $MissingPermissions = Get-WinADGPOMissingPermissions -Mode Either
  262. $MissingPermissions | Format-Table -AutoSize