Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Take 3 🎬 Fix Protected Users check #119

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions Private/Test-IsMemberOfProtectedUsers.ps1
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
function Test-IsMemberOfProtectedUsers {
<#
.SYNOPSIS
Check to see if a user is a member of the Protected Users group.

.DESCRIPTION
This function checks to see if a specified user or the current user is a member of the Protected Users group in AD.
It also checked the user's primary group ID in case that is set to 525 (Protected Users).

.PARAMETER User
The user that will be checked for membership in the Protected Users group. This parameter accepts input from the pipeline.

.EXAMPLE
This example will check if JaneDoe is a member of the Protected Users group.

Test-IsMemberOfProtectedUsers -User JaneDoe

.EXAMPLE
This example will check if the current user is a member of the Protected Users group.

Test-IsMemberOfProtectedUsers

.INPUTS
Active Directory user object, user SID, SamAccountName, etc

.OUTPUTS
True, False
#>

[CmdletBinding()]
param (
# User parameter accepts any input that is valid for Get-ADUser
[Parameter(
ValueFromPipeline = $true
)]
$User
)

Import-Module ActiveDirectory

# Use the currently logged in user if none is specified
# Get the user from Active Directory
if (-not($User)) {
# These two are different types. Fixed by referencing $CheckUser.SID later, but should fix here by using one type.
$CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
$CheckUser = Get-ADUser $CurrentUser -Properties primaryGroupID
}
else {
$CheckUser = Get-ADUser $User -Properties primaryGroupID
}

# Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language.
$DomainSID = (Get-ADDomain).DomainSID.Value
$ProtectedUsersSID = "$DomainSID-525"

# Get members of the Protected Users group for the current domain. Recuse in case groups are nested in it.
$ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique

# Check if the current user is in the 'Protected Users' group
if ($ProtectedUsers.SID.Value -contains $CheckUser.SID) {
Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group."
$true
} else {
# Check if the user's PGID (primary group ID) is set to the Protected Users group RID (525).
if ( $CheckUser.primaryGroupID -eq '525' ) {
$true
} else {
Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group."
$false
}
}
}
72 changes: 0 additions & 72 deletions Private/Test-IsProtectedUser.ps1

This file was deleted.

Loading