From 490f95cc5b1c2345809eff23a9b0f142bcae1191 Mon Sep 17 00:00:00 2001
From: Sam Erde <20478745+SamErde@users.noreply.github.com>
Date: Mon, 26 Feb 2024 17:02:01 -0500
Subject: [PATCH 1/2] Fix Protected Users check

Uploaded a renamed, working Protected Users check. The rename aligns the PS1 filename with the function name. I fixed a gap in the SID matching and also added a check for primaryGroupID (525). The function is maintained at https://github.com/samerde/active-directory.
---
 Private/Test-IsMemberOfProtectedUsers.ps1 | 72 +++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 Private/Test-IsMemberOfProtectedUsers.ps1

diff --git a/Private/Test-IsMemberOfProtectedUsers.ps1 b/Private/Test-IsMemberOfProtectedUsers.ps1
new file mode 100644
index 0000000..f23f1b5
--- /dev/null
+++ b/Private/Test-IsMemberOfProtectedUsers.ps1
@@ -0,0 +1,72 @@
+function Test-IsMemberOfProtectedUsers {
+ <#
+ .SYNOPSIS
+ Check to see if a user is a member of the Protected Users group.
+
+ .DESCRIPTION
+ This function checks to see if a specified user or the current user is a member of the Protected Users group in AD.
+ It also checked the user's primary group ID in case that is set to 525 (Protected Users).
+
+ .PARAMETER User
+ The user that will be checked for membership in the Protected Users group. This parameter accepts input from the pipeline.
+
+ .EXAMPLE
+ This example will check if JaneDoe is a member of the Protected Users group.
+
+ Test-IsMemberOfProtectedUsers -User JaneDoe
+
+ .EXAMPLE
+ This example will check if the current user is a member of the Protected Users group.
+
+ Test-IsMemberOfProtectedUsers
+
+ .INPUTS
+ Active Directory user object, user SID, SamAccountName, etc
+
+ .OUTPUTS
+ True, False
+ #>
+
+ [CmdletBinding()]
+ param (
+ # User parameter accepts any input that is valid for Get-ADUser
+ [Parameter(
+ ValueFromPipeline = $true
+ )]
+ $User
+ )
+
+ Import-Module ActiveDirectory
+
+ # Use the currently logged in user if none is specified
+ # Get the user from Active Directory
+ if (-not($User)) {
+ # These two are different types. Fixed by referencing $CheckUser.SID later, but should fix here by using one type.
+ $CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
+ $CheckUser = Get-ADUser $CurrentUser -Properties primaryGroupID
+ }
+ else {
+ $CheckUser = Get-ADUser $User -Properties primaryGroupID
+ }
+
+ # Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language.
+ $DomainSID = (Get-ADDomain).DomainSID.Value
+ $ProtectedUsersSID = "$DomainSID-525"
+
+ # Get members of the Protected Users group for the current domain. Recuse in case groups are nested in it.
+ $ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique
+
+ # Check if the current user is in the 'Protected Users' group
+ if ($ProtectedUsers.SID.Value -contains $CheckUser.SID) {
+ Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group."
+ $true
+ } else {
+ # Check if the user's PGID (primary group ID) is set to the Protected Users group RID (525).
+ if ( $CheckUser.primaryGroupID -eq '525' ) {
+ $true
+ } else {
+ Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group."
+ $false
+ }
+ }
+}

From 94af26887d957931fbec3d3cab0bec871239fd92 Mon Sep 17 00:00:00 2001
From: Sam Erde <20478745+SamErde@users.noreply.github.com>
Date: Mon, 26 Feb 2024 17:03:09 -0500
Subject: [PATCH 2/2] Delete Private/Test-IsProtectedUser.ps1

Renamed to align with function name
---
 Private/Test-IsProtectedUser.ps1 | 72 --------------------------------
 1 file changed, 72 deletions(-)
 delete mode 100644 Private/Test-IsProtectedUser.ps1

diff --git a/Private/Test-IsProtectedUser.ps1 b/Private/Test-IsProtectedUser.ps1
deleted file mode 100644
index d9deb06..0000000
--- a/Private/Test-IsProtectedUser.ps1
+++ /dev/null
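Review bot: A failed user lookup is reported as "not a member": `Get-ADUser $User -Properties primaryGroupID` in the else branch emits a non-terminating error for an unknown identity, `$CheckUser` is then `$null`, and both the SID test and the `primaryGroupID -eq '525'` test fall through to `$false`, so a mistyped or deleted account reads as unprotected; add `-ErrorAction Stop` (or throw when `$CheckUser` is `$null`) so the check fails closed. The function also declares `ValueFromPipeline = $true` but has no `process` block, so with pipeline input only the last object is evaluated; the group enumeration belongs in `begin` and the per-user lookup in `process`, as sketched below. In the current-user branch, resolving the caller by bare SamAccountName taken from `WindowsIdentity.Name` is ambiguous in a multi-domain forest and is what causes the type mismatch the inline comment admits; `[System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value` yields the caller's SID directly and `Get-ADUser -Identity` accepts it. `Get-ADGroupMember -Recursive` may fail on very large groups because of the ADWS result-size limit, which the help should at least mention, especially since the previous file's `.NOTES` and `.LINK` sections were dropped in this rewrite. Comment typos: `Recuse` → `Recurse` and `It also checked` → `It also checks`.
```powershell
    begin {
        Import-Module ActiveDirectory
        # … unchanged: $DomainSID / $ProtectedUsersSID / $ProtectedUsers enumeration …
    }

    process {
        if (-not $User) {
            # Resolve the caller by SID; unambiguous across domains and the same type Get-ADUser returns.
            $User = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        }
        # Fail closed: an unresolvable identity must not be reported as "not a member".
        $CheckUser = Get-ADUser -Identity $User -Properties primaryGroupID -ErrorAction Stop

        # … unchanged: SID and primaryGroupID membership tests …
    }
```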
@@ -1,72 +0,0 @@
-function Test-IsMemberOfProtectedUsers {
- <#
- .SYNOPSIS
- Check to see if a user is a member of the Protected Users group.
-
- .DESCRIPTION
- This function checks to see if a specified user or the current user is a member of the Protected Users group in AD.
-
- .PARAMETER User
- The user that will be checked for membership in the Protected Users group. This parameter accepts input from the pipeline.
-
- .EXAMPLE
- This example will check if JaneDoe is a member of the Protected Users group.
-
- Test-IsMemberOfProtectedUsers -User JaneDoe
-
- .EXAMPLE
- This example will check if the current user is a member of the Protected Users group.
-
- Test-IsMemberOfProtectedUsers
-
- .INPUTS
- Active Directory user object, user SID, SamAccountName, etc
-
- .OUTPUTS
- Boolean
-
- .NOTES
- Membership in Active Directory's Protected Users group can have implications for anything that relies on NTLM authentication.
-
- .LINK
- https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-group
-
- #>
-
- [CmdletBinding()]
- param (
- # User parameter accepts any input that is valid for Get-ADUser
- [Parameter(
- ValueFromPipeline = $true
- )]
- $User
- )
-
- Import-Module ActiveDirectory
-
- # Use the currently logged in user if none is specified
- # Get the user from Active Directory
- if (-not($User)) {
- $CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
- $CheckUser = Get-ADUser $CurrentUser
- }
- else {
- $CheckUser = Get-ADUser $User
- }
-
- # Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language.
- $DomainSID = (Get-ADDomain).DomainSID.Value
- $ProtectedUsersSID = "$DomainSID-525"
-
- # Get members of the Protected Users group for the current domain. Recurse in case groups are nested in it.
- $ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique
-
- # Check if the current user is in the 'Protected Users' group
- if ($ProtectedUsers -contains $CheckUser) {
- Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group."
- $true
- } else {
- Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group."
- $false
- }
-}