
Function Get-KerberosDelegationInformation {
            Gets Kerberos delegation information for a delegated server and its target.
            The cmdlet retrieves the delegation information and UAC information for delegation permissions. It also retrieves the registered SPNs for the target servers.
        .PARAMETER DelegatedServer
            The server that is granted Kerberos delegation permissions.
        .PARAMETER TargetServer
            The server that is the target of the delegation.
        .PARAMETER Credential
            Optional. The credentials to use to query Active Directory for the AD Computers.
            Get-KerberosDelegationInformation -DelegatedServer WebServer1 -TargetServer AppServer1
            Gets the delegation information for WebServer1 to AppServer1.
            System.String, Systen.String, System.Management.Automation.PSCredential
            AUTHOR: Michael Haken
            LAST UPDATE: 2/27/2016

        [PSCredential]$Credential = [System.Management.Automation.PSCredential]::Empty

    Begin {
        if ($Credential -eq $null) {
            $Credential = [System.Management.Automation.PSCredential]::Empty

    Process {
        if ($Credential -ne [System.Management.Automation.PSCredential]::Empty) {
            $Delegation = Get-ADComputer -Identity $DelegatedServer -Credential $Credential -Properties msDS-AllowedToDelegateTo,UserAccountControl | Select-Object -Property msDS-AllowedToDelegateTo,UserAccountControl
            [string[]]$SPNs = (Get-ADComputer -Identity $TargetServer -Credential $Credential -Properties ServicePrincipalName | Select-Object -ExpandProperty ServicePrincipalName).Split("`n")
        else {
            $Delegation = Get-ADComputer -Identity $DelegatedServer -Properties msDS-AllowedToDelegateTo,UserAccountControl | Select-Object -Property msDS-AllowedToDelegateTo,UserAccountControl
            [string[]]$SPNs = (Get-ADComputer -Identity $TargetServer -Properties ServicePrincipalName | Select-Object -ExpandProperty ServicePrincipalName).Split("`n")

        $Matches = @()
        foreach ($Value in $script:UACValues) {
            #Perform bitwise and to compare the current UAC against each possible value and record matches
            if ($Delegation.UserAccountControl -band [System.Convert]::ToInt64($Value.Key, 16)) {
                $Matches += $Value

        [PSCustomObject]$DelegationInfo = @{DelegatedServer=$DelegatedServer;AllowedToDelegateTo=$Delegation.'msDS-AllowedToDelegateTo';UAC=$Matches;TargetServer=$TargetServer;TargetSPNs=$SPNs}

    End {
        Write-Output $DelegationInfo

Function Import-WmiFiltersFromJson {
            Imports WMI Filter information from a JSON file.
            The cmdlet uses a backup of WMI filters written to a json file to restore each WMI filter in the provided domain.
        .PARAMETER Path
            The location of the json file containing the WMI information. This file is created with the Export-GPOBackupsAndWmiFilters cmdlet. It can also be created manually.
        .PARAMETER Domain
            The domain to import the WMI filters. This defaults to the domain of the current user.
        .PARAMETER Force
            Overwrites any existing WMI filters.
        .PARAMETER Credential
            The credential to use to create the WMI filters.
            Import-WmiFiltersFromJson -Path "c:\GPOBackups\WmiFilters.json" -Domain ""
            Imports the WMI filters stored at c:\GPOBackups\WmiFilters.json that were backed up to that path with Export-GPOBackupsAndWmiFilters to
            System.String, System.String, System.Management.Automation.SwitchParameter
            AUTHOR: Michael Haken
            LAST UPDATE: 12/7/2015

    Param (
        [string]$Domain = [System.String]::Empty,

        Import-Module ActiveDirectory -ErrorAction Stop

        if ($Domain -eq [System.String]::Empty)
            $ADDomain = Get-ADDomain -Current LoggedOnUser
            $ADDomain = Get-ADDOmain -Identity $Domain

        $DomainDN = $ADDomain.DistinguishedName
        $DomainName = $ADDomain.DnsRoot

        $Server = $DomainName

        if ([System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
            $Role = Get-WmiObject -Class Win32_OperatingSystem -Property ProductType | Select-Object -ExpandProperty ProductType
            if ($Role -eq 2) {
                $Server = $env:COMPUTERNAME

        $WmiPath = "CN=SOM,CN=WMIPolicy,CN=System,$DomainDN"

        $WmiFilters = Get-Content -Path $Path -Raw | ConvertFrom-Json

        foreach ($Filter in $WmiFilters)
            $Attr = @{
                "msWMI-Name" = $Filter."msWMI-Name";
                "msWMI-Parm1" = if ($Filter."msWMI-Parm1" -ne $null) { $Filter."msWMI-Param1"} else {$Filter."msWMI-Name"};
                "msWMI-Parm2" = $Filter."msWMI-Parm2";
                "msWMI-Author" = $Filter."msWMI-Author";
                "msWMI-ID"= $Filter."msWMI-ID";
                "instanceType" = 4;
                "showInAdvancedViewOnly" = "TRUE";
                "distinguishedname" = "CN=$($Filter."msWMI-ID"),$WmiPath";
                "msWMI-ChangeDate" = $Filter."msWMI-ChangeDate"; 
                "msWMI-CreationDate" = $Filter."msWMI-CreationDate"


            try {
                $ExistingFilter = Get-ADObject -Identity $Attr.distinguishedname -Server $Server -ErrorAction Stop
            catch [Exception] {
                $ExistingFilter = $null

            if ($ExistingFilter -ne $null)
                if ($Force)
                    Write-Host "Replacing $($Attr.'msWMI-Name') WMI Filter"
                    Remove-ADObject -Identity $Attr.distinguishedname -Credential $Credential -Confirm:$false -Server $Server                
                    New-ADObject -Name $Attr."msWMI-ID" -Type "msWMI-Som" -Path $WmiPath -OtherAttributes $Attr -Server $Server
                    Write-Warning "The WMI Filter $($Attr.'msWMI-Name') with this ID already exists."
                Write-Host "Importing $($Attr.'msWMI-Name') WMI Filter"
                New-ADObject -Name $Attr."msWMI-ID" -Type "msWMI-Som" -Path $WmiPath -OtherAttributes $Attr -Server $Server

    End {}

Function Import-GPPermissionsFromJson {
            Imports Group Policy object permissions information from a JSON file and applies them to applicable GPOs.
            The cmdlet uses a backup of GPO permissions written to a json file recreate permissions on exported GPOs.
        .PARAMETER Path
            The location of the json file containing the Group Policy permissions. This file is created with the Export-GPOBackupsAndWmiFilters cmdlet. It can also be created manually.
        .PARAMETER Domain
            The domain to import the Group Policy object permissions to. This defaults to the domain of the current user.
            Import-GPPermissionsFromJson -Path "c:\GPOBackups\GPPermissions.json" -Domain ""
            Imports the Group Policy permissions stored at c:\GPOBackups\GPPermissions.json that were backed up to that path with Export-GPOBackupsAndWmiFilters to
            System.String, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 12/7/2015

        [ValidateScript({Test-Path -Path $_ })]
        [string]$Domain = [System.String]::Empty

    Begin {
        if ([System.String]::IsNullOrEmpty($Domain)) {
            $Domain = (Get-ADDomain -Current LoggedOnUser).DnsRoot

        [String[]]$Drives = Get-PSDrive | Select-Object -ExpandProperty Name

        $TempDrive = "tempdrive"

        if ($Drives.Contains($TempDrive))
            Write-Host "An existing PSDrive exists with name $TempDrive, temporarily removing" -ForegroundColor Yellow
            $OldDrive = Get-PSDrive -Name $TempDrive
            Remove-PSDrive -Name $TempDrive

        $Drive = New-PSDrive -Name $TempDrive -Root "" -PSProvider ActiveDirectory -Server $Domain
        Push-Location -Path "$Drive`:\"

        $GPOs = Get-GPO -All -Domain $Domain

    Process {
        $Permissions = ConvertFrom-Json -InputObject (Get-Content -Path $Path -Raw)

        foreach ($Permission in ($Permissions | Where-Object {($GPOs | Select-Object -ExpandProperty DisplayName).Contains($_.Name) })) {
            Write-Host "******** Processing $($Permission.Name) ********"
            Write-Host ""

            $GPO = Get-GPO -Name $Permission.Name -Domain $Domain

            switch ($Permission.Type) {
                "ACL" {
                    Write-Host "Using ACL type permission."
                    $Name = $Permission.Trustee.Name

                    $ADObject = Get-ADObject -Filter {(name -eq $Name) -or (samAccountName -eq $Name)} -Properties *

                    if ($ADObject -ne $null) {
                        $GPOACL = Get-Acl -Path $GPO.Path

                        foreach ($Entry in $Item.Permission) {
                            [System.DirectoryServices.ActiveDirectoryAccessRule]$NewAce = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule( `
                                $ADObject.ObjectSID, $Entry.ActiveDirectoryRights, $Entry.AccessControlType, $Entry.InheritanceType)
                        # Commit the ACL
                        Set-Acl -Path $GPO.Path -AclObject $GPOACL -Passthru
                    else {
                        Write-Warning "Could not find an AD Object matching $Name."

                "GPPermission" {
                    Write-Host "Using GPPermission type permission."
                    $SidType =[Microsoft.GroupPolicy.SecurityIdentifierType]($Permission.Trustee.SidType)
                    $TrusteeName = $Permission.Trustee.Name
                    try {
                        switch ($SidType) {
                            ([Microsoft.GroupPolicy.SecurityIdentifierType]::Group) {
                                if ((Get-ADGroup -Filter {name -eq $TrusteeName}) -ne $null) {
                                    Set-GPPermission -Guid $GPO.Id -PermissionLevel $Permission.Permission -Replace -TargetType $Permission.Trustee.SidType -TargetName $Permission.Trustee.Name
                                else {
                                    Write-Warning "Could not find a group matching $($Permission.Trustee.Name)."
                            ([Microsoft.GroupPolicy.SecurityIdentifierType]::WellKnownGroup) {
                                Set-GPPermission -Guid $GPO.Id -PermissionLevel $Permission.Permission -Replace -TargetType ([Microsoft.GroupPolicy.Commands.PermissionTrusteeType]::Group) -TargetName $Permission.Trustee.Name
                            ([Microsoft.GroupPolicy.SecurityIdentifierType]::User) {
                                if ((Get-ADUser -Filter {(name -eq $TrusteeName) -or (displayName -eq $TrusteeName) -or (samAccountName -eq $TrusteeName)}) -ne $null) {
                                    Set-GPPermission -Guid $GPO.Id -PermissionLevel $Permission.Permission -Replace -TargetType $Permission.Trustee.SidType -TargetName $Permission.Trustee.Name
                                else {
                                    Write-Warning "Could not find a user matching $($Permission.Trustee.Name)."
                            ([Microsoft.GroupPolicy.SecurityIdentifierType]::Computer) {
                                if ((Get-ADComputer -Filter {(name -eq $TrusteeName) -or (displayName -eq $TrusteeName) -or (samAccountName -eq $TrusteeName) }) -ne $null) {
                                    Set-GPPermission -Guid $GPO.Id -PermissionLevel $Permission.Permission -Replace -TargetType $Permission.Trustee.SidType -TargetName $Permission.Trustee.Name
                                else {
                                    Write-Warning "Could not find a computer matching $TrusteeName."
                            default {
                                Write-Warning "The trustee type $SidType did not match an expected value of Group, WellKnownGroup, User, or Computer."
                    catch [Exception] {
                        Write-Warning "Set-GPPermission`n$($Permission.Name)`n$($Permission.Trustee.Name)`n$($Permission.Permission)`n$($_.Exception.Message)"
                default {
                    Write-Warning "The ACL type $($Permission.Type) did not match GPPermission or ACL."

    End {

        Remove-PSDrive $Drive

        if ($OldDrive -ne $null)
            Write-Host "Recreating original PSDrive" -ForegroundColor Yellow
            New-PSDrive -Name $OldDrive.Name -PSProvider $OldDrive.Provider -Root $OldDrive.Root | Out-Null
            $OldDrive = $null

Function Export-GPOBackupsAndWmiFilters {
            Backups all GPOs in a given domain and writes all WMI Filter information to a JSON file. The permissions for each GPO are also written to a JSON file.
            The cmdlet uses a native backup of every GPO in the domain. Then it queries all of the WMI filters and backs them up to a JSON files. The JSON file can be read later and used to restore all of the WMI filters.
            The permissions on each GPO are also backed up to a separate JSON file, which can be used later to set permissions on GPOs that have already been imported.
        .PARAMETER Path
            The directory location to store the backups. This directory will be created if it does not exist.
        .PARAMETER Domain
            The domain from which to backup GPOs. This defaults to the domain of the current user.
        .PARAMETER Credential
            The credential to use to perform all of the functions in the cmdlet. Requires the ability to create the folder the backups will be stored in and read Active Directory objects and attributes.
            Export-GPOBackupsAndWmiFilter -Path "c:\GPOBackups" -Domain ""
            Exports all of the GPO backups and WMI filter information for to the specified path.
            System.String, System.String, System.Management.Automation.PSCredential
            AUTHOR: Michael Haken
            LAST UPDATE: 12/7/2015

        [string]$Domain = [System.String]::Empty,
        [PSCredential]$Credential = [PSCredential]::Empty

        Import-Module ActiveDirectory -ErrorAction Stop
        Import-Module GroupPolicy -ErrorAction Stop

        if ($Credential -eq $null) {
            $Credential = [System.Management.Automation.PSCredetial]::Empty

        if ($Domain -eq [System.String]::Empty)
            $Domain = (Get-ADDomain -Current LoggedOnUser).DnsRoot

        $Server = $Domain

        if ((Test-IsDomainAdmin -Domain $Domain) -or (Test-IsEnterpriseAdmin))
            $GPOs = Get-GPO -All -Domain $Domain

            foreach($GPO in $GPOs)
                $BackupDirectory = ($Path + "\" + $GPO.DisplayName.Replace(",","").Replace(":","").Replace("*",""))
                if (!(Test-Path -Path $BackupDirectory))
                    New-Item -Path $BackupDirectory -ItemType Directory -Force -Credential $Credential | Out-Null
                Backup-GPO -Guid $GPO.Id -Path $BackupDirectory -Comment "Backed up on $(Get-Date)" -Server $Server -Domain $Domain 

            $PermissionsBackupFile = New-Item -Path "$Path\GPPermissions.json" -ItemType File -Force -Credential $Credential
            Export-GPOPermissions -All -Domain $Domain -Destination $PermissionsBackupFile.FullName

            if ($Credential -ne $null -and $Credential -ne [PSCredential]::Empty) {
                $WmiFilters = Get-ADObject -Filter {objectClass -eq "msWMI-Som"} -Properties "msWMI-Author","msWMI-ChangeDate","msWMI-CreationDate","msWMI-ID","msWMI-Name","msWMI-Parm1","msWMI-Parm2" -Server $Server -Credential $Credential
            else {
                $WmiFilters = Get-ADObject -Filter {objectClass -eq "msWMI-Som"} -Properties "msWMI-Author","msWMI-ChangeDate","msWMI-CreationDate","msWMI-ID","msWMI-Name","msWMI-Parm1","msWMI-Parm2" -Server $Server
            if ($WmiFilters -ne $null -and $WmiFilters.Count -gt 0) {
                Write-Host "Backing up WMI Filters."
                $WmiBackupFile = New-Item -Path "$Path\WmiFilters.json" -ItemType File -Force -Credential $Credential

                $WmiFilters = $WmiFilters | Select-Object -Property "msWMI-Author","msWMI-ChangeDate","msWMI-CreationDate","msWMI-ID","msWMI-Name","msWMI-Parm1","msWMI-Parm2"

                $Json = ConvertTo-Json -InputObject $WmiFilters 
                $Json = $Json.Replace("null", "`"`"")
                Set-Content -Value $Json -Path $WmiBackupFile -Force -Credential $Credential 

                Write-Host "Completed WMI Filter backup."
            } else {
                Write-Host "No WMI filters in the domain."
            throw [System.UnauthorizedAccessException]("You must be at least a Domain Admin to utilize this cmdlet.")

    End {}

Function Export-GPOPermissions {
            Exports all of the permission information of GPOs to a JSON file.
            The cmdlet uses the get Get-GPPermission command to get initial information. Any GPOs with custom permissions have their permissions enumerated via ACL. All of the permissions are written to a JSON file that can be used with Import-GPPermissionsFromJson.
        .PARAMETER DisplayNames
            The names of the GPOs whose permissions should be backed up.
        .PARAMETER All
            Specifies that all GPOs should have their permissions backed up.
        .PARAMETER Domain
            The domain from which to backup GPO permissions in. This defaults to the domain of the current user.
        .PARAMETER Destination
            The file that should be created with the permission information. If the file exists, the content will be overwritten.
            Export-GPOPermissions -All -Destination c:\GPPermissions.json
            Exports all of the GPO permissions to c:\GPPermissions.json
            Export-GPOPermissions -DisplayNames @("Default Domain Policy","Default Domain Controllers Policy") -Destination c:\GPPermissions.json
            Exports the permissions for the Default Domain Policy and Default Domain Controllers Policy to c:\GPPermissions.json
            System.String, System.String, System.Management.Automation.PSCredential
            AUTHOR: Michael Haken
            LAST UPDATE: 3/18/2016

        [ValidateScript({$_.Count -gt 0})]
        [string]$Domain = [System.String]::Empty,

    Begin {
        if ([System.String]::IsNullOrEmpty($Domain)) {
            $Domain = (Get-ADDomain -Current LoggedOnUser).DnsRoot

        $GPOs = @()

        if ($All) {
            $GPOs += Get-GPO -All
        else {
            foreach ($Name in $DisplayNames) {
                $GPOs += Get-GPO -Name $Name

        [PSCustomObject[]]$ACLs = @()

        [String[]]$Drives = Get-PSDrive | Select-Object -ExpandProperty Name

        $TempDrive = "tempdrive"

        if ($Drives.Contains($TempDrive))
            Write-Host "An existing PSDrive exists with name $TempDrive, temporarily removing" -ForegroundColor Yellow
            $OldDrive = Get-PSDrive -Name $TempDrive
            Remove-PSDrive -Name $TempDrive

        $Drive = New-PSDrive -Name $TempDrive -Root "" -PSProvider ActiveDirectory -Server $Domain
        Push-Location -Path "$Drive`:\"

    Process {
        foreach ($GPO in $GPOs) {
            Write-Host "Processing $($GPO.DisplayName) permissions."
            $Permissions = Get-GPPermission -Name $GPO.DisplayName -All 

            foreach ($Permission in $Permissions) {

                $Trustee = [PSCustomObject]@{"Domain" = $Permission.Trustee.Domain; "DSPath" = $Permission.Trustee.DSPath; "Name" = $Permission.Trustee.Name; "Sid" = $Permission.Trustee.Sid; "SidType" = $Permission.Trustee.SidType}

                if ($Permission.Permission -eq [Microsoft.GroupPolicy.GPPermissionType]::GpoCustom) {
                    [System.DirectoryServices.ActiveDirectoryAccessRule[]]$ACL = Get-Acl -Path "$($GPO.Path)" | Select-Object -ExpandProperty Access | Where-Object {$_.IdentityReference.ToString().Split("\\")[-1] -eq $Permission.Trustee.Name }

                    $Rights = @()

                    foreach ($ACE in $ACL) {
                        $Rights += [PSCustomObject]@{"ActiveDirectoryRights" = $ACE.ActiveDirectoryRights; "InheritanceType" = $ACE.InheritanceType; "AccessControlType" = $ACE.AccessControlType; "ObjectType" = $ACE.ObjectType; "InheritanceFlags" = $ACE.InheritanceFlags}

                    [PSCustomObject]$Entry = @{"Type" = "ACL";"Name" = $GPO.DisplayName; "Trustee" = $Trustee; "GPODistinguishedName" = $GPO.Path; "Permission" = $Rights; "Denied" = if ($ACE.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {$true} else {$false}}
                else {
                    [PSCustomObject]$Entry = @{"Type" = "GPPermission"; "Name" = $GPO.DisplayName; "Trustee" = $Trustee; "GPODistinguishedName" = $GPO.Path; "Permission" = $Permission.Permission; "Denied" = $Permission.Denied}
                $ACLs += $Entry            

    End {

        Remove-PSDrive $Drive

        if ($OldDrive -ne $null)
            Write-Host "Recreating original PSDrive" -ForegroundColor Yellow
            New-PSDrive -Name $OldDrive.Name -PSProvider $OldDrive.Provider -Root $OldDrive.Root | Out-Null
            $OldDrive = $null

        if ([System.String]::IsNullOrEmpty($Destination)) {
            Write-Output $ACLs
        else {
            Set-Content -Path $Destination -Value (ConvertTo-Json -InputObject $ACLs -Depth 5) -Force -Confirm:$false

Function Import-FullGPOBackups {
            Restores all most recent GPO backups stored under a given path and reassociates WMI filters to the GPO.
            The cmdlet recursively searches the provided path for GPO backups. Once a backup is found, it is imported into the provided domain. After the import, the GPO Report XML
            is utilized to identify any WMI filters that were used, and reassociates those WMI filters to the GPO if they exist in the domain. This command is useful for restoring GPOs that
            were backed up natively and restoring them to a new domain after the WMI filters have been imported.
        .PARAMETER Path
            The base path to start searching from.
        .PARAMETER Domain
            The domain to import the GPOs into. This defaults to the domain of the current user.
        .PARAMETER MigrationTablePath
            Optionally specify a migration table to be used to conduct the GPO import
            Import-FullGPOBackups -Path "c:\GPOBackups" -Domain ""
            Import all of the backups contained in the folder structure to and associate any WMI filters.
            System.String, System.String, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 3/24/2016

        [string]$Domain = [System.String]::Empty,
        [ValidateScript({Test-Path -Path $_})]
        [string]$MigrationTablePath = [System.String]::Empty

        Import-Module GroupPolicy -ErrorAction Stop

        if ($Domain -eq [System.String]::Empty)
            $DomainObject = Get-ADDomain -Current LoggedOnUser
            $DomainObject = Get-ADDomain -Identity $Domain

        $ADDomain = $DomainObject.DnsRoot
        $Server = $ADDomain
        $DomainDN = $DomainObject.DistinguishedName

        Write-Host "Importing GPOs to $DomainDN."

        $DomainController = [System.String]::Empty

        if ([System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
            $Role = Get-WmiObject -Class Win32_OperatingSystem -Property ProductType | Select-Object -ExpandProperty ProductType
            if ($Role -eq 2) {
                $Server = $env:COMPUTERNAME

        $WmiFilters = Get-ADObject -Filter 'objectClass -eq "msWMI-SOM"' -Properties "msWMI-Author","msWMI-ChangeDate","msWMI-CreationDate","msWMI-ID","msWMI-Name","msWMI-Parm1","msWMI-Parm2" -Server $Server

        if ($WmiFilters -eq $null) {
            $WmiFilters = @()
        $Directories = Get-ChildItem -Path $Path -Recurse -Directory | Select-Object -ExpandProperty FullName

        foreach ($Directory in $Directories)
            [Microsoft.GroupPolicy.BackupDirectory]$BackupDirectory = New-Object Microsoft.GroupPolicy.BackupDirectory($Directory, [Microsoft.GroupPolicy.BackupType]::Gpo)
            [Microsoft.GroupPolicy.GPSearchCriteria]$SearchCriteria = New-Object Microsoft.GroupPolicy.GPSearchCriteria
            $SearchCriteria.Add([Microsoft.GroupPolicy.SearchProperty]::MostRecentBackup, [Microsoft.GroupPolicy.SearchOperator]::Equals, $true)
            [Microsoft.GroupPolicy.GpoBackupCollection]$Backups = $BackupDirectory.SearchGpoBackups($SearchCriteria)

            if ($Backups -ne $null -and $Backups.Count -gt 0)
                foreach($Backup in $Backups)
                    Write-Host "Importing $($Backup.BackupDirectory)"
                        if (![System.String]::IsNullOrEmpty($MigrationTablePath)) {
                            $Gpo = Import-GPO -Path $Backup.BackupDirectory -BackupGpoName $Backup.DisplayName -CreateIfNeeded -MigrationTable $MigrationTablePath -Server $Server -Domain $ADDomain -TargetName $Backup.DisplayName -ErrorAction Stop
                            Write-Host "Successfully imported $($Gpo.DisplayName) to $($Gpo.DomainName)."
                        else {
                            $Gpo = Import-GPO -Path $Backup.BackupDirectory -BackupGpoName $Backup.DisplayName -CreateIfNeeded -Server $Server -Domain $ADDomain -TargetName $Backup.DisplayName -ErrorAction Stop
                            Write-Host "Successfully imported $($Gpo.DisplayName) to $($Gpo.DomainName)."
                    catch [Exception] {
                        Write-Warning $_.Exception.Message
                        Write-Warning ($_.CategoryInfo.Category.ToString())
                        Write-Warning ($_.InvocationInfo | Format-List | Out-String)
                        Write-Warning ($_.ScriptStackTrace | Format-List | Out-String)        

                    $Counter = 0

                    while ($true) {
                        try {
                            $Temp = Get-ADObject -Identity "CN={$($Gpo.Id)},CN=Policies,CN=System,$DomainDN" -ErrorAction SilentlyContinue
                        catch [Exception] {
                            Write-Host "Waiting for GPO $($Gpo.DisplayName) : $($Gpo.Id) to finish creation..."
                            Start-Sleep -Seconds 1

                            if ($Counter -gt 60) {
                                Write-Warning "Timeout waiting for the GPO to finish creation."
                                $Gpo = $null

                    if ($WmiFilters.Count -gt 0) {

                        [Xml]$GpoReport = $Backup.GenerateReport([Microsoft.GroupPolicy.ReportType]::Xml)
                        $Namespace = New-Object System.Xml.XmlNamespaceManager($GpoReport.NameTable)
                        $Namespace.AddNamespace("ns", $GpoReport.DocumentElement.NamespaceURI)
                        [bool]$FilterDataAvailable = ($GpoReport.SelectSingleNode("//ns:FilterDataAvailable", $Namespace)).InnerText

                        if ($Gpo -ne $null -and $FilterDataAvailable)
                            $WmiFilterName = ($GpoReport.SelectSingleNode("//ns:FilterName", $Namespace)).InnerText

                            if (![System.String]::IsNullOrEmpty($WmiFilterName) -and $WmiFilters."msWMI-Name".Contains($WmiFilterName))
                                $WmiObject = $WmiFilters | Where-Object {$_."msWMI-Name" -eq $WmiFilterName} | Select-Object -First 1
                                if ($WmiObject -ne $null) {
                                    $WmiFilterId = $WmiObject."msWMI-ID"
                                    Write-Host "Using WMI Filter ID: $WmiFilterId for: `nCN={$($Gpo.Id)},CN=Policies,CN=System,$DomainDN"
                                    try {
                                        Set-ADObject -Identity "CN={$($Gpo.Id)},CN=Policies,CN=System,$DomainDN" -Replace @{gPCWQLFilter = "[$ADDomain;$WmiFilterId;0]"} -Server $Server
                                        Write-Host "Added existing WMI Filter $WmiFilterName to the GPO."
                                    catch [Exception] {
                                        Write-Warning $_.Exception.Message
                                        Write-Warning ($_.CategoryInfo.Category.ToString())
                                        Write-Warning ($_.InvocationInfo | Format-List | Out-String)
                                        Write-Warning ($_.ScriptStackTrace | Format-List | Out-String)                            
                                else {
                                    Write-Warning "Could not find the wmi filter even though the filter list contained a match."

    End {}

Function Get-WmiFilter {
            Gets WMI Filters in the domain.
            The Get-WmiFilter cmdlet returns a specific WMI Filter object based on a name or GUID or returns all WMI Filters. Optionally, link information for where each WMI filter is applied can be returned.
            The GUID of the WMI Filter to get.
        .PARAMETER Domain
            The domain to perform the search on. This defaults to the domain of the current user.
        .PARAMETER All
            Returns all WMI filters in the domain.
        .PARAMETER Name
            The "msWMI-Name" attribute of the WMI Filter to match.
        .PARAMETER IncludeLinkInformation
            If specified, information about where each WMI filter is applied is returned as well.
        .PARAMETER Credential
            The credential to use to connect to Active Directory to retrieve the object information.
            Get-WmiFilter -All -Domain
            Gets all of the WMI Filters in
            Get-WmiFilter -All -IncludeLinkInformation
            Gets all of the WMI filters and their link information for the domain of the current user.
            System.Guid, System.String
            System.String, System.String
            System.Management.Automation.SwitchParameter, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 3/24/2016

        [string]$Domain = [System.String]::Empty,
        [PSCredential]$Credential = [PSCredential]::Empty

    Begin {
        if ([System.String]::IsNullOrEmpty($Domain)) {
            $Domain = (Get-ADDomain -Current LoggedOnUser).DnsRoot

        if ($Credential -eq $null) {
            $Credential = [System.Management.Automation.PSCredential]::Empty

    Process {
        $WmiFilters = @()

        switch ($PSCmdlet.ParameterSetName) {
            "Guid" {
                [string]$Guid = "{" + $Guid.ToString() + "}"
                $Filter = {(objectClass -eq "msWMI-SOM") -and (msWMI-ID -eq $Guid)} 
            "Name" {
                $Filter = {(objectClass -eq "msWMI-SOM") -and (msWMI-Name -eq $Name)} 
            "All" {
                $Filter = {objectClass -eq "msWMI-SOM"} 
            default {
                throw "Could not determine parameter set name."

        [PSObject[]]$WmiFilters = Get-ADObject -Filter $Filter -Properties "msWMI-Author","msWMI-ChangeDate","msWMI-CreationDate","msWMI-ID","msWMI-Name","msWMI-Parm1","msWMI-Parm2","DistinguishedName" -Server $Domain

        if ($IncludeLinkInformation) {
            $GPOs = Get-ADObject -Filter {objectClass -eq "groupPolicyContainer"} -Properties "gPCWQLFilter","displayName","name" | 
                Where-Object {![System.String]::IsNullOrEmpty($_.gPCWQLFilter)} | 
                Select-Object -Property "gPCWQLFilter","displayName","name" 

            foreach ($Filter in $WmiFilters) {            
                Add-Member -InputObject $Filter -MemberType NoteProperty -Name "LinkInformation" -Value @() -TypeName [System.Management.Automation.PSObject[]] -Force            
                $Filter.LinkInformation += ($GPOs | Where-Object {$_.gPCWQLFilter.Split(";")[1] -eq $Filter.'msWMI-ID'} | Select-Object "DisplayName","name")

    End {
        Write-Output $WmiFilters

Function Get-GroupMembershipChanges {
            Finds all of the group membership changes in the logs on all of the domain controllers in a domain.
            Finds all of the group membership changes in the logs on all of the domain controllers in a domain. It returns these logs in several formats that can be selected. The default output is a custom object.
        .PARAMETER DaysAgo
            Specifies how many days in the past the search should start.
        .PARAMETER Domain
            The domain to perform the search on. This defaults to the domain of the current user.
        .PARAMETER AsJson
            Returns the report as a Json string.
        .PARAMETER AsXml
            Returns the report as an Xml string.
        .PARAMETER AsHtml
            Returns the report as a custom formatted html document.
        .PARAMETER Credential
            The credentials to use to perform the search and get the event log data.
            Get-GroupMembershipChanges -DaysAgo 1 -Domain ""
            Gets all of the group membership changes in the past day from
            System.Int32, System.String
            System.String, System.Management.Automation.PSObject
            AUTHOR: Michael Haken
            LAST UPDATE: 3/18/2016

        [int]$DaysAgo = 1,
        [string]$Domain = [System.String]::Empty,
        [PSCredential]$Credential = [PSCredential]::Empty

        Import-Module ActiveDirectory -ErrorAction Stop

        if ($Domain -eq [System.String]::Empty)
            $Domain = (Get-ADDomain -Current LoggedOnUser).DnsRoot

        $Context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $Domain)
        $Report = New-Object -TypeName PSObject -Property @{"Added To Domain Local Group"=@();"Removed From Domain Local Group"=@();"Added To Global Group"=@();"Removed From Global Group"=@();"Added To Universal Group"=@();"Removed From Universal Group"=@()}

            Event ID 636 & 4732 - Member added to domain local group
            Event ID 637 & 4733 - Member removed from domain local group
            Event ID 632 & 4728 - Member added to global group
            Event ID 633 & 4729 - Member removed from domain local group
            Event ID 660 & 4756 - Member added to universal group
            Event ID 661 & 4757 - Member removed from universal group

        $Count = 0
        [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($Context) | ForEach-Object {

            [System.Diagnostics.Eventing.Reader.EventLogRecord]$Events = Get-WinEvent -ComputerName $_.Name -FilterHashtable @{LogName=@("Security");ID=@(636,4732,637,4733,632,4728,633,4729,660,4756,661,4757);StartTime=(Get-Date).AddDays($DaysAgo * -1)} -ErrorAction SilentlyContinue

            #Domain Local Groups
            $Report."Added To Domain Local Group" += $Events | Where-Object {$_.ID -eq 636 -or $_.ID -eq 4732} | Select-Object MachineName,TimeCreated,Message
            $Report."Removed From Domain Local Group" += $Events | Where-Object {$_.ID -eq 637 -or $_.ID -eq 4733} | Select-Object MachineName,TimeCreated,Message

            #Global Groups
            $Report."Added To Global Group" += $Events | Where-Object {$_.ID -eq 632 -or $_.ID -eq 4728} | Select-Object MachineName,TimeCreated,Message
            $Report."Removed From Global Group" += $Events | Where-Object {$_.ID -eq 633 -or $_.ID -eq 4729} | Select-Object MachineName,TimeCreated,Message

            #Universal Groups
            $Report."Added To Universal Group" += $Events | Where-Object {$_.ID -eq 660 -or $_.ID -eq 4756} | Select-Object MachineName,TimeCreated,Message
            $Report."Removed From Universal Group" += $Events | Where-Object {$_.ID -eq 661 -or $_.ID -eq 4757} | Select-Object MachineName,TimeCreated,Message

    End {
        switch ($PSCmdlet.ParameterSetName) {
            "Json" {
                Write-Output (ConvertTo-Json -InputObject $Report)
            "Xml" {
                Write-Output (ConvertTo-Xml -InputObject $Report -Depth 2 -As String)
            "Html" {
                $Date = (Get-Date).ToString()

                $HtmlString = @"
<!DOCTYPE html>
        <meta name="viewport" content="width=device-width" />
        <title>Group Membership Change Report</title>
        .logtable {
            border:1px solid black;
        .timecolumn {
        .messagecolumn {
        .logtable td {
        .logtable th {
    <body style=`"width:900px;margin-left:auto;margin-right:auto;`">
            Generated on $Date
                <label style=`"margin:0px;`">Domain:</label><span style=`"margin-left:5px;`">$Domain</span>
                <label style=`"margin:0px;`">Number Of Domain Controllers:</label><span style=`"margin-left:5px;`">$Count</span>

                foreach ($Property in (Get-Member -InputObject $Report -MemberType NoteProperty))
                    $HtmlString += "<h2 style=`"text-align:center`">" + $Property.Name + "</h2>"

                    $Grouping = $Report | Select-Object -ExpandProperty $Property.Name | Group-Object -Property MachineName     

                    foreach($Group in $Grouping)
                        $HtmlString += "<h3 style=`"color:red;`">DOMAIN CONTROLLER: " + $Group.Name + "</h3><br />"
                        $HtmlString += "<table class=`"logtable`"><thead><tr><th class=`"timecolumn`">Time Created</th><th class=`"messagecolumn`">Message</th></tr></thead><tbody>"

                        foreach($LogEntry in $Group.Group)
                            $HtmlString += "<tr><td>" + $LogEntry.TimeCreated + "</td><td>" + $LogEntry.Message + "</td>"

                        $HtmlString += "</tbody></table>"

                $HtmlString += "</div></body></html>"

                Write-Output $HtmlString
            default {
                Write-Output $Report

Function Get-UserObjectChangedLog {
            Finds when a particular object's property was last modified and where the change took place. Then it searches the logs on the server.
            The cmdlet finds out when an object's property was changed and what server it occured on so those logs can be searched.
        .PARAMETER UserName
            The identity of the user to find information about. This can be the SAM Account Name, Display Name, Name, or CN.
        .PARAMETER Property
            The property to search on to find when it was changed.
        .PARAMETER GetLog
            Indicates whether to try and retrieve any available log files from the server matching the change. Defaults to true.
        .PARAMETER Credential
            The credentials to use to make the search and get the event log data.
        .PARAMETER PassThru
            If specified, will return the log object and not just display data.
            Get-UserObjectChangedLog -UserName "john.smith" -Property "UserAccountControl"
            Gets log information about when the UAC was changed for john.smith
            System.String, System.String, System.Management.Automation.PSCredential
            System.Diagnostics.Eventing.Reader.EventLogRecord, System.Management.Automation.PSObject
            AUTHOR: Michael Haken
            LAST UPDATE: 12/7/2015

    Param (
        [bool]$GetLog = $true,
        [PSCredential]$Credential = [PSCredential]::Empty,

    Begin {}

        $ADUser = ""

        if ($Credential -ne [PSCredential]::Empty)
            $ADUser = (Get-ADUser -Filter {CN -eq $UserName -or SamAccountName -eq $UserName -or Name -eq $UserName -or DisplayName -eq $UserName} -Credential $Credential).DistinguishedName
            $ADUser = (Get-ADUser -Filter {CN -eq $UserName -or SamAccountName -eq $UserName -or Name -eq $UserName -or DisplayName -eq $UserName}).DistinguishedName
        if ($ADUser -ne [System.String]::Empty)
            [System.DirectoryServices.ActiveDirectory.DomainController]$DC = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain)

            if ($PSCmdlet.ParameterSetName -eq "Powershell")
                [Microsoft.ActiveDirectory.Management.ADReplicationAttributeMetadata[]]$ReplicationMetadata = Get-ADReplicationAttributeMetadata -Object $ADUser -ShowAllLinkedValues -Server $DC.Name 
                [Microsoft.ActiveDirectory.Management.ADReplicationAttributeMetadata]$Data = $ReplicationMetadata | Where-Object {$_.AttributeName -eq $Property}
                [string]$OriginatingServer = $Data.Server
                [DateTime]$OriginatingTime = $Data.LastOriginatingChangeTime
                [System.DirectoryServices.ActiveDirectory.ActiveDirectoryReplicationMetadata]$ReplicationMetadata = $DC.GetReplicationMetaData($ADUser)
                [System.DirectoryServices.ActiveDirectory.AttributeMetadata]$Data = $ReplicationMetadata.Values | Where-Object {$_.Name -eq $Property} 
                [string]$OriginatingServer = $Data.OriginatingServer
                [DateTime]$OriginatingTime = $Data.LastOriginatingChangeTime

            Write-Host "Originating Server: $OriginatingServer"
            Write-Host "Originating Time: $OriginatingTime"

            if ($GetLog)
                Write-Warning "Checking logs on $OriginatingServer, this could take awhile..."
                Write-Warning "Consider running this as a job: `$Job = Start-Job -ScriptBlock {Get-UserObjectChangedLog -UserName `$args[0] -Property `$args[1]} -ArgumentList `"$UserName`",`"$Property`""

                #Event Id 4738 - A User Account Was Changed
                [System.Diagnostics.Eventing.Reader.EventLogRecord]$Log = Get-WinEvent -ComputerName $OriginatingServer -MaxEvents 1 -FilterHashtable @{LogName=@("Security");ID=@(4738);StartTime=$OriginatingTime;EndTime=$OriginatingTime} -ErrorAction SilentlyContinue

                if ($Log -ne $null -and $Log.Count -ge 1)
                    Write-Host $Log.Message

                    if ($PassThru)
                        Write-Output $Log    
                    Write-Warning "No log files could be retrieved."
                if ($PassThru)
                    Write-Output (New-Object -TypeName PSObject -Property @{"Originating Server"=$OriginatingServer;"Originating Time"=$OriginatingTime})
            Write-Error "Could not retrieve the specified user, $UserName, from Active Directory."

    End {}

Function Get-WhenMemberAddedToGroup {
            Uses replication metadata to find when a member was added to a group.
            The cmdlet gathers the replication metadata to find when a member was added to a group. This data can be used to search the logs on the identified Domain Controller to find who added the member.
        .PARAMETER GroupMember
            The Identity of the group member that was added. This can be the SAM Account Name, Display Name, Name, or CN.
        .PARAMETER Group
            The Identity of the group. This can be the SAM Account Name, Display Name, Name, or CN.
        .PARAMETER GetLog
            Indicates whether to try and retrieve any available log files from the server matching the change. Defaults to true.
        .PARAMETER UseActiveDirectoryPowershell
            Uses the Active Directory Powershell module to retrieve replication metadata. The default selection.
        .PARAMETER UseRepAdmin
            Uses the repadmin command line function and parses the output.
            Get-WhenMemberAddedToGroup -GroupMember Administrator -Group "Account Operators" -GetLog
            Writes out the server and time the member was added and attempts to retrieve the log file from the specified server for additional information which is written out to the pipeline.
            System.String, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 12/7/2015

    Param (
        [Parameter(Position = 0, Mandatory = $true,ValueFromPipeLineByPropertyName=$true)]
        [Parameter(Position = 1, Mandatory = $true,ValueFromPipeLineByPropertyName=$true)]
        [bool]$GetLog = $true,

        Import-Module ActiveDirectory -ErrorAction Stop

        [string]$ADGroupMember = (Get-ADObject -Filter {CN -eq $GroupMember -or SamAccountName -eq $GroupMember -or Name -eq $GroupMember -or DisplayName -eq $GroupMember}).DistinguishedName
        [string]$ADGroup = (Get-ADGroup -Filter {CN -eq $Group -or SamAccountName -eq $Group -or Name -eq $Group -or DisplayName -eq $Group}).DistinguishedName
        [System.DirectoryServices.ActiveDirectory.DomainController]$DC = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain)

        if ($ADGroup -ne [System.String]::Empty)
            if ($ADGroupMember -ne [System.String]::Empty)
                if ($PSCmdlet.ParameterSetName -eq "RepAdmin")
                    $ReplicationMetaData = repadmin /showmeta $ADGroup $DC.Name

                    #List only returns the first match
                    #Context specifies the number of lines before and after that are returned around the matching line
                    [string]$Line = $ReplicationMetaData | Select-String -Pattern $ADGroupMember -List -Context 2,0 
                    $Content = $Line.Split(" ", [System.StringSplitOptions]::RemoveEmptyEntries)
                    [string]$OriginatingServer = $Content[4].Substring($Content[4].IndexOf("\") + 1).Trim()
                    [DateTime]$OriginatingTime = Get-Date($Content[2] + " " + $Content[3])

                if ($PSCmdlet.ParameterSetName -eq "Powershell")
                    [Microsoft.ActiveDirectory.Management.ADReplicationAttributeMetadata[]]$ReplicationMetadata = Get-ADReplicationAttributeMetadata -Object $ADGroup -ShowAllLinkedValues -Server $DC.Name -Properties *
                    [Microsoft.ActiveDirectory.Management.ADReplicationAttributeMetadata]$Result = $ReplicationMetaData | Where-Object {$_.AttributeName -eq "member" -and $_.AttributeValue -eq $ADGroupMember}
                    [DateTime]$OriginatingTime = $Result.LastOriginatingChangeTime
                    [string]$OriginatingServer = $Result.Server    

                Write-Host "Originating Server: $OriginatingServer"
                Write-Host "Originating Time: $OriginatingTime"

                if ($GetLog)
                    Write-Warning "Checking logs on $OriginatingServer, this could take awhile..."
                    Write-Warning "Consider running this as a job: `$Job = Start-Job -ScriptBlock {Get-WhenMemberAddedToGroup -Group `$args[0] -GroupMember `$args[1]} -ArgumentList `"$Group`",`"$GroupMember`""

                    # Event Id 4732 - Member added to a domain local group
                    # Event Id 4728 - Member added to a global group
                    # Event Id 4756 - Member added to a universal group

                    [System.Diagnostics.Eventing.Reader.EventLogRecord]$Log = Get-WinEvent -ComputerName $OriginatingServer -MaxEvents 1 -FilterHashtable @{LogName=@("Security");ID=@(4732,4728,4756);StartTime=$OriginatingTime;EndTime=$OriginatingTime} -ErrorAction SilentlyContinue

                    if ($Log -ne $null -and $Log.Count -ge 1)
                        Write-Host $Log.Message

                        if ($PassThru)
                            Write-Output $Log    
                        Write-Warning "No log files could be retrieved."
                Write-Error "Could not find the specified group member: $GroupMember"
            Write-Error "Could not find the specified group: $Group"

        if ($PassThru) {
            Write-Output (New-Object PSObject -Property @{"Originating Server"=$OriginatingServer;"Originating Time"=$OriginatingTime})

Function New-StandardGPOWmiFilters {
            Creates a standard set of WMI filters.
            The cmdlet creates a set of WMI filters for each domain in the forest, or a particular domain. Some of the software filters use custom WMI classes Win32_Software and Win32_Software64 that can be installed through the Set-Win32Software script on PowerShellGallery.
        .PARAMETER CurrentDomainOnly
            Specifies that the WMI filters are only created in the current user domain. Otherwise they are created in every domain in the forest.
        .PARAMETER Domain
            The domain to create the WMI filters in.
        .PARAMETER WithReplace
            If a WMI filters exists with the same name as ones in the standard set, the WMI query expression is updated.
            Creates standard WMI Filters in every domain in the current forest. The user must be an enterprise admin for this command to succeed.
            New-StandardGPOWmiFilters -Domain
            Creates standard WMI Filters in the domain
            New-StandardGPOWmiFilters -CurrentDomainOnly
            Creates standard WMI Filters in the current domain of the user. The user must be a domain admin for this command to succeed.
            AUTHOR: Michael Haken
            LAST UPDATE: 4/6/2016

        [string]$Domain = [System.String]::Empty,
        [PSCredential]$Credential = [System.Management.Automation.PSCredential]::Empty,

        $Domains = @()

        if ($Credential -eq $null) {
            $Credential = [System.Management.Automation.PSCredential]::Empty

        switch ($PSCmdlet.ParameterSetName) {
            "Forest" {
                if (!(Test-IsEnterpriseAdmin -Credential $Credential)) {
                    throw "The user must be an enterprise admin to create filters in every domain."
                else {
                    $Domains += (Get-ADForest -Current LoggedOnUser).Domains
            "SpecifyDomain" {            
                if ([System.String]::IsNullOrEmpty($Domain)) {
                    $Domain = Get-ADDomain -Current LoggedOnUser | Select-Object -ExpandProperty DnsRoot

                if (!(Test-IsDomainAdmin -Domain $Domain -Credential $Credential)) {
                    throw "The user must be a domain admin to create filters in the specified domain."
                else {
                    $Domains += $Domain

            default {
                throw "Could not determine parameter set."

#region Filters
        $Filters = @()

#region AD and NON AD Management Workstations

        $Expression = @"
SELECT * FROM Win32_Environment WHERE Name = "isADManagementSystem" and VariableValue=1

        $Expression2 = @"
SELECT * FROM Win32_OperatingSystem WHERE ProductType=1

        $ADManagementWorkstation=@{"Expression"=@($Expression,$Expression2);"Description"="Active Directory Management Workstation (Item Level Targetting)";"Name"="Active Directory Management Workstation (Item Level Targetting)";"Namespace"="ROOT\CIMV2";}
        $Filters += $ADManagementWorkstation

        $Expression = @"
SELECT * FROM Win32_Environment WHERE Name = "isADManagementSystem" and VariableValue=0

        $Expression2 = @"
SELECT * FROM Win32_OperatingSystem WHERE ProductType=1

        $NonADManagementWorkstation=@{"Expression"=@($Expression,$Expression2);"Description"="Non Active Directory Management Workstation (Item Level Targetting)";"Name"="Non Active Directory Management Workstation (Item Level Targetting)";"Namespace"="ROOT\CIMV2";}
        $Filters += $NonADManagementWorkstation

        $ADMgmtWorkstations = @(
            @{"Version" = "6.0."; "Name" = "Windows 7"},
            @{"Version" = "6.1."; "Name" = "Windows Vista"},
            @{"Version" = "6.2."; "Name" = "Windows 8"},
            @{"Version" = "6.3."; "Name" = "Windows 8.1"},
            @{"Version" = "10.0"; "Name" = "Windows 10"}

        foreach ($Item in $ADMgmtWorkstations) {

        $Expression = @"
SELECT * FROM Win32_Environment WHERE Name = "isADManagementSystem" and VariableValue=1

        $Expression2 = @"
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "$($Item.Version)%" AND ProductType=1

        $ADMgmt=@{"Expression"=@($Expression,$Expression2);"Description"="$($Item.Name) - Active Directory Management (Item Level Targetting)";"Name"="$($Item.Name) - Active Directory Management (Item Level Targetting)";"Namespace"="ROOT\CIMV2";}
        $Filters += $ADMgmt

        $Expression = @"
SELECT * FROM Win32_Environment WHERE Name = "isADManagementSystem" and VariableValue=0

        $Expression2 = @"
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "$($Item.Version)%" AND ProductType=1

        $NonADMgmt=@{"Expression"=@($Expression,$Expression2);"Description"="$($Item.Name) - Non Active Directory Management (Item Level Targetting)";"Name"="$($Item.Name) - Non Active Directory Management (Item Level Targetting)";"Namespace"="ROOT\CIMV2";}
        $Filters += $NonADMgmt



#region AD and NON AD Management Servers

        $Expression = @"
SELECT * FROM Win32_Environment WHERE Name = "isADManagementSystem" and VariableValue=1

        $Expression2 = @"
SELECT * FROM Win32_OperatingSystem WHERE (ProductType=2 OR ProductType=3)

        $ADManagementServer=@{"Expression"=@($Expression,$Expression2);"Description"="Active Directory Management Server (Item Level Targetting)";"Name"="Active Directory Management Server (Item Level Targetting)";"Namespace"="ROOT\CIMV2";}
        $Filters += $ADManagementServer

        $Expression = @"
SELECT * FROM Win32_Environment WHERE Name = "isADManagementSystem" and VariableValue=0

        $Expression2 = @"
SELECT * FROM Win32_OperatingSystem WHERE (ProductType=2 OR ProductType=3)

        $NonADManagementServer=@{"Expression"=@($Expression,$Expression2);"Description"="Non Active Directory Management Server (Item Level Targetting)";"Name"="Non Active Directory Management Server (Item Level Targetting)";"Namespace"="ROOT\CIMV2";}
        $Filters += $NonADManagementServer

        $ADMgmtServers = @(
            @{"Version" = "6.0."; "Name" = "Windows Server 2008"},
            @{"Version" = "6.1."; "Name" = "Windows Server 2008 R2"},
            @{"Version" = "6.2."; "Name" = "Windows Server 2012"},
            @{"Version" = "6.3."; "Name" = "Windows Server 2012 R2"},
            @{"Version" = "10.0"; "Name" = "Windows Server 2016"}

        foreach ($Item in $ADMgmtServers) {
        $Expression = @"
SELECT * FROM Win32_Environment WHERE Name = "isADManagementSystem" and VariableValue=1

        $Expression2 = @"
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "$($Item.Version)%" AND ProductType=3

        $ADMgmt=@{"Expression"=@($Expression,$Expression2);"Description"="$($Item.Name) - Active Directory Management (Item Level Targetting)";"Name"="$($Item.Name) - Active Directory Management (Item Level Targetting)";"Namespace"="ROOT\CIMV2";}
        $Filters += $ADMgmt

        $Expression = @"
SELECT * FROM Win32_Environment WHERE Name = "isADManagementSystem" and VariableValue=0

        $Expression2 = @"
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "$($Item.Version)%" AND ProductType=3

        $NonADMgmt=@{"Expression"=@($Expression,$Expression2);"Description"="$($Item.Name) - Non Active Directory Management (Item Level Targetting)";"Name"="$($Item.Name) - Non Active Directory Management (Item Level Targetting)";"Namespace"="ROOT\CIMV2";}
        $Filters += $NonADMgmt



#region Web Browsers

        $Expression = @"
SELECT path,filename,extension,version FROM CIM_DataFile where path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version>="10" AND version<"11"

        $IE10 = @{"Expression"=@($Expression);"Description"="Internet Explorer 10";"Name"="Internet Explorer 10";"Namespace"="ROOT\CIMV2";}
        $Filters += $IE10

        $Expression = @"
SELECT path,filename,extension,version FROM CIM_DataFile where path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version>="11" AND version<"12"

        $IE11 = @{"Expression"=@($Expression);"Description"="Internet Explorer 11";"Name"="Internet Explorer 11";"Namespace"="ROOT\CIMV2";}
        $Filters += $IE11

        $Expression = @"
SELECT * FROM win32_software WHERE DisplayName = "Google Chrome"

        $GoogleChrome = @{"Expression"=@($Expression);"Description"="Google Chrome";"Name"="Google Chrome";"Namespace"="ROOT\CIMV2";}
        $Filters += $GoogleChrome

        $Expression = @"
SELECT * from win32_software where DisplayName like "%Firefox%"

        $MozillaFirefox = @{"Expression"=@($Expression);"Description"="Mozilla Firefox";"Name"="Mozilla Firefox";"Namespace"="ROOT\CIMV2";}
        $Filters += $MozillaFirefox


#region Operating Systems
        $Expression = @"
SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2" OR ProductType = "3"

        $WindowsServer = @{"Expression"=@($Expression);"Description"="Windows Server";"Name"="Windows Server";"Namespace"="ROOT\CIMV2";}
        $Filters += $WindowsServer

        $Expression = @"
SELECT * FROM Win32_OperatingSystem WHERE ProductType = "3"

        $MemberServer = @{"Expression"=@($Expression);"Description"="Member Server";"Name"="Member Server";"Namespace"="ROOT\CIMV2";}
        $Filters += $MemberServer
        $Expression = @"
SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2"

        $DomainController = @{"Expression"=@($Expression);"Description"="Domain Controller";"Name"="Domain Controller";"Namespace"="ROOT\CIMV2";}
        $Filters += $DomainController

        $Expression = @"
SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"

        $WindowsClient = @{"Expression"=@($Expression);"Description"="Windows Client";"Name"="Windows Client";"Namespace"="ROOT\CIMV2";}
        $Filters += $WindowsClient

        $Workstations = @(
            @{"Version" = "6.0."; "Name" = "Windows 7"},
            @{"Version" = "6.1."; "Name" = "Windows Vista"},
            @{"Version" = "6.2."; "Name" = "Windows 8"},
            @{"Version" = "6.3."; "Name" = "Windows 8.1"},
            @{"Version" = "10.0"; "Name" = "Windows 10"}

        foreach ($Item in $Workstations) {
            $Expression = @"
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "$($Item.Version)%" AND ProductType = "1"

            $Workstation = @{"Expression"=@($Expression);"Description"="$($Item.Name)";"Name"="$($Item.Name)";"Namespace"="ROOT\CIMV2";}
            $Filters += $Workstation

        $Servers = @(
            @{"Version" = "6.0."; "Name" = "Windows Server 2008"; "ProductType" = "(ProductType = `"3`" OR ProductType = `"2`")" },
            @{"Version" = "6.0."; "Name" = "Windows Server 2008 Member Server"; "ProductType" = "ProductType = `"3`""},
            @{"Version" = "6.0."; "Name" = "Windows Server 2008 Domain Controller"; "ProductType" = "ProductType = `"2`""},
            @{"Version" = "6.1."; "Name" = "Windows Server 2008 R2"; "ProductType" = "(ProductType = `"3`" OR ProductType = `"2`")" },
            @{"Version" = "6.1."; "Name" = "Windows Server 2008 R2 Member Server"; "ProductType" = "ProductType = `"3`""},
            @{"Version" = "6.1."; "Name" = "Windows Server 2008 R2 Domain Controller"; "ProductType" = "ProductType = `"2`""},
            @{"Version" = "6.2."; "Name" = "Windows Server 2012"; "ProductType" = "(ProductType = `"3`" OR ProductType = `"2`")" },
            @{"Version" = "6.2."; "Name" = "Windows Server 2012 Member Server"; "ProductType" = "ProductType = `"3`""},
            @{"Version" = "6.2."; "Name" = "Windows Server 2012 Domain Controller"; "ProductType" = "ProductType = `"2`""},
            @{"Version" = "6.3."; "Name" = "Windows Server 2012 R2"; "ProductType" = "(ProductType = `"3`" OR ProductType = `"2`")" },
            @{"Version" = "6.3."; "Name" = "Windows Server 2012 R2 Member Server"; "ProductType" = "ProductType = `"3`""},
            @{"Version" = "6.3."; "Name" = "Windows Server 2012 R2 Domain Controller"; "ProductType" = "ProductType = `"2`""},
            @{"Version" = "10.0"; "Name" = "Windows Server 2016"; "ProductType" = "(ProductType = `"3`" OR ProductType = `"2`")" },
            @{"Version" = "10.0"; "Name" = "Windows Server 2016 Member Server"; "ProductType" = "ProductType = `"3`""},
            @{"Version" = "10.0"; "Name" = "Windows Server 2016 Domain Controller"; "ProductType" = "ProductType = `"2`""}

        foreach ($Item in $Servers) {
            $Expression = @"
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "$($Item.Version)%" AND $($Item.ProductType)

            $Server = @{"Expression"=@($Expression);"Description"="$($Item.Name)";"Name"="$($Item.Name)";"Namespace"="ROOT\CIMV2";}
            $Filters += $Server


#region Microsoft Office
        $Office = @(
            @{"Name" = "Access"; "File" = "MSACCESS"},
            @{"Name" = "Excel"; "File" = "EXCEL"},
            @{"Name" = "Groove"; "File" = "GROOVE"},
            @{"Name" = "Infopath"; "File" = "INFOPATH"},
            @{"Name" = "Lync"; "File" = "lync"},
            @{"Name" = "OneNote"; "File" = "ONENOTE"},
            @{"Name" = "Outlook"; "File" = "OUTLOOK"},
            @{"Name" = "Powerpoint"; "File" = "POWERPNT"},
            @{"Name" = "Project"; "File" = "WINPROJ"},
            @{"Name" = "Publisher"; "File" = "MSPUB"},
            @{"Name" = "Sharepoint Designer"; "File" = "SPDESIGN"},
            @{"Name" = "Visio"; "File" = "VISION"},
            @{"Name" = "Word"; "File" = "WINWORD"}

        foreach ($Item in $Office) {
            $Expression = @"
SELECT path,filename,extension,version FROM CIM_DataFile where path="\\Program Files (x86)\\Microsoft Office\\Office15\\" AND filename="$($Item.File)" AND extension="exe" AND version>="15" AND version<"16"

            $Office2013x86 = @{"Expression"=@($Expression);"Description"="Microsoft Office 2013 x86 - $($Item.Name)";"Name"="Microsoft Office 2013 x86 - $($Item.Name)";"Namespace"="ROOT\CIMV2";}
            $Filters += $Office2013x86

            $Expression = @"
SELECT path,filename,extension,version FROM CIM_DataFile where path="\\Program Files\\Microsoft Office\\Office15\\" AND filename="$($Item.File)" AND extension="exe" AND version>="15" AND version<"16"

            $Office2013x64 = @{"Expression"=@($Expression);"Description"="Microsoft Office 2013 x64 - $($Item.Name)";"Name"="Microsoft Office 2013 x64 - $($Item.Name)";"Namespace"="ROOT\CIMV2";}
            $Filters += $Office2013x64

            $Expression = @"
SELECT path,filename,extension,version FROM CIM_DataFile where path="\\Program Files (x86)\\Microsoft Office\\Office16\\" AND filename="$($Item.File)" AND extension="exe" AND version>="16" AND version<"17"

            $Office2016x86 = @{"Expression"=@($Expression);"Description"="Microsoft Office 2016 x86 - $($Item.Name)";"Name"="Microsoft Office 2016 x86 - $($Item.Name)";"Namespace"="ROOT\CIMV2";}
            $Filters += $Office2016x86

            $Expression = @"
SELECT path,filename,extension,version FROM CIM_DataFile where path="\\Program Files\\Microsoft Office\\Office16\\" AND filename="$($Item.File)" AND extension="exe" AND version>="16" AND version<"17"

            $Office2016x64 = @{"Expression"=@($Expression);"Description"="Microsoft Office 2016 x64 - $($Item.Name)";"Name"="Microsoft Office 2016 x64 - $($Item.Name)";"Namespace"="ROOT\CIMV2";}
            $Filters += $Office2016x64


        $Expression = @"
SELECT * from Win32_Software where displayname like "Microsoft Office%2013%"

        $Office2013x86System = @{"Expression"=@($Expression);"Description"="Microsoft Office 2013 x86 - System";"Name"="Microsoft Office 2013 x86 - System";"Namespace"="ROOT\CIMV2";}
        $Filters += $Office2013x86System

        $Expression = @"
SELECT * from Win32_Software64 where displayname like "Microsoft Office%2013%"

        $Office2013x64System = @{"Expression"=@($Expression);"Description"="Microsoft Office 2013 x64 - System";"Name"="Microsoft Office 2013 x64 - System";"Namespace"="ROOT\CIMV2";}
        $Filters += $Office2013x64System

        $Expression = @"
SELECT * from Win32_Software where displayname like "Microsoft Office%2016%"

        $Office2016x86System = @{"Expression"=@($Expression);"Description"="Microsoft Office 2016 x86 - System";"Name"="Microsoft Office 2016 x86 - System";"Namespace"="ROOT\CIMV2";}
        $Filters += $Office2016x86System

        $Expression = @"
SELECT * from Win32_Software64 where displayname like "Microsoft Office%2016%"

        $Office2016x64System = @{"Expression"=@($Expression);"Description"="Microsoft Office 2016 x64 - System";"Name"="Microsoft Office 2016 x64 - System";"Namespace"="ROOT\CIMV2";}
        $Filters += $Office2016x64System


#region Server Features

        $Expression = @"
SELECT * FROM Win32_OptionalFeature Where (Name = "IIS-WebServerRole" OR Name = "IIS-WebServer") AND InstallState = 1

        $IIS = @{"Expression"=@($Expression);"Description"="IIS";"Name"="IIS";"Namespace"="ROOT\CIMV2";}    
        $Filters += $IIS

        $Expression = @"
SELECT * FROM Win32_OptionalFeature WHERE (Name = "DNS-Server-Tools" OR Name = "RSAT-AD-Tools-Feature" OR Name = "RSAT-ADDS-Tools-Feature" OR Name = "DirectoryServices-DomainController-Tools" OR Name = "DirectorySerrvices-AdministrativeCenter") AND InstallState = 1

        $ADManagementSystem = @{"Expression"=@($Expression);"Description"="Active Directory Management System - Feature Query";"Name"="Active Directory Management System - Feature Query";"Namespace"="ROOT\CIMV2";}    
        $Filters += $ADManagementSystem

        $Expression = @"
SELECT * FROM Win32_Service WHERE Name = "WMSvc"

        $WebManagementService=@{"Expression"=@($Expression);"Description"="IIS Web Management Service";"Name"="IIS Web Management Service";"Namespace"="ROOT\CIMV2";}
        $Filters += $WebManagementService

        $Expression = @"
SELECT * FROM Win32_ComputerSystem where DomainRole = 5

        $PDC = @{"Expression"=@($Expression);"Description"="PDC Emulator";"Name"="PDC Emulator";"Namespace"="ROOT\CIMV2";}
        $Filters += $PDC

        $Expression = @"
SELECT * FROM win32_optionalfeature WHERE Name = "FailoverCluster-FullServer" AND InstallState = 1

        $WSFC = @{"Expression"=@($Expression);"Description"="Windows Server Failover Cluster Feature";"Name"="Windows Server Failover Cluster Feature";"Namespace"="ROOT\CIMV2";}
        $Filters += $WSFC

        $Expression = @"
SELECT * from win32_optionalfeature where name = "CertificateServices" AND installstate = 1

        $CA = @{"Expression"=@($Expression);"Description"="Active Directory Certificate Services";"Name"="Active Directory Certificate Services";"Namespace"="ROOT\CIMV2";}
        $Filters += $CA

        $Expression = @"
SELECT * from win32_optionalfeature WHERE (name = "WebEnrollmentServices" AND installstate = 1)

        $CAWebEnrollment = @{"Expression"=@($Expression);"Description"="Active Directory Certificate Services - CA Web Enrollment";"Name"="Active Directory Certificate Services - CA Web Enrollment";"Namespace"="ROOT\CIMV2";}
        $Filters += $CAWebEnrollment


#region Software

        $Expression = @"
select * from win32_software64 where DisplayName like "%Java%7%" AND VersionMajor = 7

        $JRE7x64 = @{"Expression"=@($Expression);"Description"="JRE 7 x64";"Name"="JRE 7 x64";"Namespace"="ROOT\CIMV2";}    
        $Filters += $JRE7x64

$Expression = @"
select * from win32_software where DisplayName like "%Java%7%" AND VersionMajor = 7

        $JRE7x86 = @{"Expression"=@($Expression);"Description"="JRE 7 x86";"Name"="JRE 7 x86";"Namespace"="ROOT\CIMV2";}    
        $Filters += $JRE7x86

        $Expression = @"
select * from win32_software64 where DisplayName like "%Java%8%" AND VersionMajor = 8

        $JRE8x64 = @{"Expression"=@($Expression);"Description"="JRE 8 x64";"Name"="JRE 8 x64";"Namespace"="ROOT\CIMV2";}    
        $Filters += $JRE8x64

$Expression = @"
select * from win32_software where DisplayName like "%Java%8%" AND VersionMajor = 8

        $JRE8x86 = @{"Expression"=@($Expression);"Description"="JRE 8 x86";"Name"="JRE 8 x86";"Namespace"="ROOT\CIMV2";}    
        $Filters += $JRE8x86



        $Filters = @()

        foreach ($Domain in $Domains) {
            foreach ($Filter in $Filters)
                $Filters += New-GPOWmiFilter -Name $Filter.Name -Description $Filter.Description -Expression $Filter.Expression -Domain $Domain -Namespace $Filter.Namespace -PassThru -WithReplace:$WithReplace -Credential $Credential

    End {
        if ($PassThru) {
            Write-Output $Filters

Function New-GPOWmiFilter {
            Creates a new WMI filter.
            The cmdlet takes in the WMI filter properties and produces a usable WMI filter.
        .PARAMETER Name
            The WMI filter name.
        .PARAMETER Expression
            The expressions to evaluate in the filter, can be multiple WMI queries for a single filter.
        .PARAMETER Namespace
            A dynamically generated parameter of the available WMI namespaces. Defaults to ROOT\CIMV2.
            The WMI filter description. This defaults to the WMI Filter Name.
        .PARAMETER Domain
            The domain the WMI filter is being created in, defaults to the domain of the local computer.
        .PARAMETER Author
            The author creating the WMI filter, defaults to the current user.
        .PARAMETER Credential
            The credential to use to create the filter.
        .PARAMETER WithReplace
            If a WMI filter exists with the same name, the WMI query expression is updated.
        .PARAMETER PassThru
            Determines whether to return the new WMI filter object.
            New-GPOWmiFilter -Name "Windows Server 2012 R2" -Expression @("Select * From Win32_OperatingSystem Where Version like '6.3%' and ProductType != 1")
            Creates a WMI filter to target Windows Server 2012 R2.
            System.String, System.String[], System.String, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 4/6/2016

        [string]$Description = [System.String]::Empty,
        [string]$Domain = [System.String]::Empty,
        [string]$Author = [System.String]::Empty,
        $Credential = [System.Management.Automation.PSCredential]::Empty,
        [System.Management.Automation.SwitchParameter]$PassThru = $false

        # Set the dynamic parameters' name
        $ParameterName = "Namespace"
        # Create the dictionary
        $RuntimeParameterDictionary = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameterDictionary

        # Create the collection of attributes
        $AttributeCollection = New-Object -TypeName System.Collections.ObjectModel.Collection[System.Attribute]
        # Create and set the parameters' attributes
        $ParameterAttribute = New-Object -TypeName System.Management.Automation.ParameterAttribute
        $ParameterAttribute.Mandatory = $false
        $ParameterAttribute.Position = 2
        $ParameterAttribute.ParameterSetName ="Default"

        # Add the attributes to the attributes collection

        # Generate and set the ValidateSet
        $ArraySet = Get-WMIObject -Class __Namespace -Namespace "ROOT" | Select-Object -ExpandProperty Name | ForEach-Object {return "ROOT\" + $_} 
        $ValidateSetAttribute = New-Object -TypeName System.Management.Automation.ValidateSetAttribute($ArraySet)

        # Add the ValidateSet to the attributes collection

        # Create and return the dynamic parameter
        $RuntimeParameter = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameter($ParameterName, [string], $AttributeCollection)
        $RuntimeParameterDictionary.Add($ParameterName, $RuntimeParameter)
        return $RuntimeParameterDictionary

        Import-Module ActiveDirectory -ErrorAction Stop

        if ($Credential -eq $null) {
            $Credential = [System.Management.Automation.PSCredential]::Empty

        if ($PSCmdlet.ParameterSetName -eq "InputObject")
            $Author = $InputObject.Author
            $Expression = $InputObject.Expression
            $Domain = $InputObject.Domain
            $Namespace = $InputObject.Namespace
            $Name = $InputObject.Name
            $Description = $InputObject.Description

        if ($Expression.Count -lt 1)
            throw [System.ArgumentException]("At least one Expression Method is required to create a WMI Filter.")

        if ([System.String]::IsNullOrEmpty($Domain))
            $ADDomain = Get-ADDomain -Current LocalComputer
            $ADDomain = Get-ADDomain -Identity $Domain

        $DefaultNamingContext = $ADDomain.DistinguishedName

        $Server = [System.String]::Empty

        if ([System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
            $Role = Get-WmiObject -Class Win32_OperatingSystem -Property ProductType | Select-Object -ExpandProperty ProductType
            if ($Role -eq 2) {
                $Server = $env:COMPUTERNAME

        if ([System.String]::IsNullOrEmpty($Server)) {
            $ContextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
            $Context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext($ContextType, $ADDomain.DnsRoot)
            $Server = ([System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($Context)).Name

        if ([System.String]::IsNullOrEmpty($PSBoundParameters.Namespace))
            $Namespace = "ROOT\CIMv2"
        else {
            $Namespace = $PSBoundParameters.Namespace
        if (![System.String]::IsNullOrEmpty($Author))
            $msWMIAuthor = $Author
            $msWMIAuthor = Get-Author

        if ([System.String]::IsNullOrEmpty($Description)) {
            $Description = $Name

        $msWMIParm2 = $Expression.Count.ToString() + ";"

        foreach($Exp in $Expression)
            $msWMIParm2 += "3;10;$($Exp.Length);WQL;$Namespace;$Exp;"

        $msWMICreationDate = (Get-Date).ToUniversalTime().ToString("yyyyMMddhhmmss.ffffff-000")
        $msWMIChangeDate = $msWMICreationDate

        $Replaced = $false

        if ($WithReplace) {
            $Filter = Get-ADObject -Filter {(objectClass -eq "msWMI-SOM") -and (msWMI-Name -eq $Name)} -Server $Server
            if ($Filter -ne $null) {
                $Filter = $Filter | Select-Object -First 1

                if ($Credential -ne [System.Management.Automation.PSCredential]::Empty) {
                    $ADObject = Set-ADObject -Identity $Filter.DistinguishedName -Replace @{"msWMI-Parm2"=$msWMIParm2;"msWMI-ChangeDate"=$msWMIChangeDate} -Server $Server -Credential $Credential -PassThru
                    $Replaced = $true
                else {
                    $ADObject = Set-ADObject -Identity $Filter.DistinguishedName -Replace @{"msWMI-Parm2"=$msWMIParm2;"msWMI-ChangeDate"=$msWMIChangeDate} -Server $Server -PassThru
                    $Replaced = $true

        if ($Replaced -eq $false) {
            $WMIGUID = "{" + ([System.Guid]::NewGuid().ToString()) + "}"
            $msWMIParm1 = $Description
            $Attr = @{
                "msWMI-Name" = $Name;
                "msWMI-Parm1" = $msWMIParm1;
                "msWMI-Parm2" = $msWMIParm2;
                "msWMI-Author" = $msWMIAuthor;
                "msWMI-ID"= $WMIGUID;
                "instanceType" = 4;
                "showInAdvancedViewOnly" = "TRUE";
                "msWMI-ChangeDate" = $msWMICreationDate; 
                "msWMI-CreationDate" = $msWMICreationDate

            $WMIPath = "CN=SOM,CN=WMIPolicy,CN=System,$DefaultNamingContext"

            if ($Credential -ne [System.Management.Automation.PSCredential]::Empty)
                $ADObject = New-ADObject -Name $WMIGUID -Type "msWMI-Som" -Server $Server -Path $WMIPath -OtherAttributes $Attr -Credential $Credential -PassThru
                $ADObject = New-ADObject -Name $WMIGUID -Type "msWMI-Som" -Server $Server -Path $WMIPath -OtherAttributes $Attr -PassThru

        if ($PassThru)
            Write-Output $ADObject

Function Get-Author {
            Gets the user identity to use as an author attribute.
            Uses the current user environment variable to check active directory to get the user name.
            Returns the current user's UserPrincipalName if available, otherwise their SamAccountName or logged in user name.
            AUTHOR: Michael Haken
            LAST UPDATE: 2/27/2016


        $UseAD = $true

        Import-Module ActiveDirectory -ErrorAction Stop

        [string]$Author = [System.String]::Empty

        try {
            if ($UseAD) {
                $User = Get-ADUser $env:USERNAME -ErrorAction Stop

                if (![System.String]::IsNullOrEmpty($User.UserPrincipalName)) {
                    $Author = $User.UserPrincipalName
                else {
                    $Author = $User.SamAccountName
        catch [Exception] {
            $Author = ("$env:COMPUTERNAME\" + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)

        Write-Output $Author

Function Get-OldUsers {
            Get users that haven't logged in for the specified time.
            The cmdlet finds all users that haven't logged in for the specified time. It first looks for the msDS-LastSuccessfulInteractiveLogon if that has been enabled in the domain. If it is not present, it uses the LastLogonTimeStamp.
        .PARAMETER OlderThan
            The number of days since the last logon.
            Get-OldUsers -DaysOld 60
            Gets all users that haven't logged on in at least 60 days.
            Get-OldUsers -DaysOld 60 -SearchBase "OU=Finance,OU=HQ,DC=contoso,DC=com"
            Gets all users in the Finance OU and child OUs that haven't logged on in at least 60 days.
            System.Int32, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 12/5/2015

        [string]$SearchBase = [System.String]::Empty

        $Result = @()

        if ($SearchBase -eq [System.String]::Empty)
            $SearchBase = (Get-ADDomain -Current LoggedOnUser).DistinguishedName

        $Users = Get-ADUser -Filter * -Property UserAccountControl,"msDS-LastSuccessfulInteractiveLogonTime",LastLogonTimeStamp,LastLogon -SearchBase $SearchBase |
        Select-Object -Property DistinguishedName,Enabled,LastLogon,LastLogonTimeStamp,"msDS-LastSuccessfulInteractiveLogonTime",ObjectGUID,SID,UserAccountControl

        foreach ($User in $Users)
            $UserObject = New-Object -TypeName PSObject -Property @{"Days Since Last Logon"= 0; UserName = $User.SamAccountName; "Last Logon" = $null; UAC=$User.UserAccountControl}

            if ($User."msDS-LastSuccessfulInteractiveLogonTime" -ne $null -and $User."msDS-LastSuccessfulInteractiveLogonTime" -ne [System.String]::Empty -and 
                $User."msDS-LastSuccessfulInteractiveLogonTime" -ne 0)
                [DateTime]$UserObject."Last Logon" = (Get-Date -Date $User."msDS-LastSuccessfulInteractiveLogonTime").AddYears(1600) 
                [DateTime]$UserObject."Last Logon" = (Get-Date -Date $User.LastLogonTimeStamp)

            $UserObject."Day Since Last Logon" = ((Get-Date) - $User."Last Logon").TotalDays

            if ($UserObject."Day Since Last Logon" -ge $DaysOld)
                $Result += $UserObject

        Write-Output $Result

Function Set-PDCEmulatorSrvRecords {
            Changes the PDC Emulator Srv DNS Records for every domain in the forest.
            The cmdlet defaults to reducing the priority and increasing the weight of the PDC Emulator in every domain so that it does not process logons.
        .PARAMETER Priority
            The priority to set on the DNS Srv Records for each PDC.
        .PARAMETER Weight
            The weight to set on the DNS Srv Records for each PDC.
        .PARAMETER RestartServer
            Indicate whether to restart the server in order to complete the change.
        .PARAMETER Credential
            The credentials used to connect to the PDC Emulator, the user must have Enterprise Admin privileges.
            Sets the priority to 200 and weight to 25.
            Set-PDCEmulatorSrvRecords -Priority 150 -Weight 20
            Sets the priority to 150 and weight to 20.
            Set-PDCEmulatorSrvRecords -RestartServer
            Sets the priority to 200 and weight to 25 and restarts the server immediately to implement the change.
            System.Int32, System.Int32, System.Boolean, System.Management.Automation.PSCredential
            AUTHOR: Michael Haken
            LAST UPDATE: 12/5/2015

        [Parameter(Position = 0,ValueFromPipeLineByPropertyName=$true)]
        [int]$Priority = 200,
        [Parameter(Position = 1,ValueFromPipeLineByPropertyName=$true)]
        [int]$Weight = 25,
        [Parameter(Position = 2,ValueFromPipeLineByPropertyName=$true)]
        [bool]$RestartServer = $false,
        [Parameter(Position = 3,ValueFromPipeLineByPropertyName=$true)]
        $Credential = [System.Management.Automation.PSCredential]::Empty,

    Begin {
        Import-Module ActiveDirectory -ErrorAction Stop

        if ($Credential -eq $null) {
            $Credential = [System.Management.Automation.PSCredential]::Empty

    Process {

        $Forest = Get-ADForest -Current LoggedOnUser
        $Domains = $Forest.Domains

        foreach ($Domain in $Domains)
            $PDCEmulator = Get-ADDomain -Identity $Domain | Select-Object -ExpandProperty PDCEmulator

            $Result = Invoke-Command -ComputerName $PDCEmulator -ScriptBlock {
                Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name "LdapSrvPriority" -Value $args[0]
                Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name "LdapSrvWeight" -Value $args[1]

                $SrvPriority = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name "LdapSrvPriority" | Select-Object -ExpandProperty LdapSrvPriority
                $SrvWeight = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name "LdapSrvWeight" | Select-Object -ExpandProperty LdapSrvWeight

                return New-Object -TypeName PSCustomObject -Property @{"LdapSrvPriority" = $SrvPriority; "LdapSrvWeight" = $SrvWeight}
            } -ArgumentList $Priority,$Weight -Credential $Credential

    End {
        if ($RestartServer)
            Write-Host "Restarting " + $PDCEmulator + " now."
            Restart-Computer -ComputerName $PDCEmulator -Protocol WSMan -Impersonation Impersonate -Wait $false
            Write-Warning "The change will not take effect until the $PDCEmulator is restarted."

        if ($PassThru) {
            Write-Output (New-Object -TypeName PSCustomObject -Property @{"Domain" = $Domain; "PDC Emulator" = $PDCEmulator; "LdapSrvPriority" = $Result.LdapSrvPriority; "LdapSrvWeight" = $Result.LdapSrvWeight})

Function Start-SDProp {
            Runs the SDProp process immediately.
            The function sets the runProtectAdminGroupsTask on the RootDSE object to 1 and runs SDProp.
            Launches the SDProp process.
            AUTHOR: Michael Haken
            LAST UPDATE: 12/5/2015


    Begin {}

        $RootDSE = [ADSI]"LDAP://RootDSE"

    End {}

Function Set-AdminSDHolderPermissions {
            Enabling the NETWORK SERVICE account to write SPNs to the AdminSDHolder object prevents error 10154
            The Set-AdminSDHolderPermissions cmdlet allows the NETWORK SERVICE account to have "Validated Write to Service Principal Name".
            The error this is received will look like the following if this command needs to be run:
            The WinRM service failed to create the following SPNs: WSMAN/servername.fqdn; WSMAN/servername
            Additional Data
            The error received was 1355: %%1355.
            User Action
            The SPN can be created by an administrator using setspn.exe utility.
            A background process, Security Descriptor Propagator Update (SDProp), on the PDC emulator runs every 60 minutes and compares the ACL of the AdminSDHolder object with the ACL of the protected users, group and computers. If there are any differences it overwrites them.
            Configures the permissions on the object.
            AUTHOR: Michael Haken
            LAST UPDATE: 12/5/2015



        if (Test-IsEnterpriseAdmin)
            $Domains = Get-ForestDomains
            foreach ($Domain in $Domains)
                $DomainSID = Get-ADDomain $Domain | Select-Object -ExpandProperty DomainSID
                [System.DirectoryServices.ActiveDirectoryAccessRule[]] $Rules = New-NetworkServiceAccessRuleSet -DomainSID $DomainSID 
                Set-Permissions -Domain $Domain -Rules $Rules -ObjectCN "CN=AdminSDHolder,CN=System"
            Write-Error "Current user is not an Enterprise Admin, run the command again with Enterprise Admin credentials."
            throw [System.UnauthorizedAccessException]("Current user is not an Enterprise Admin, run the command again with Enterprise Admin credentials.")
    End {}

Function New-NetworkServiceAccessRuleSet {
            Creates the Active Directory Access Rule for the Network Service Account to modify the AdminSDHolder object.
            Creates the Active Directory Access Rule for the Network Service Account to modify the AdminSDHolder object.
            Creates the rule set for the domain of the current user.
        .PARAMETER DomainSID
            The Domain SID of the Domain being configured
            AUTHOR: Michael Haken
            LAST UPDATE: 3/18/2016

        [System.Security.Principal.SecurityIdentifier]$DomainSID = $null

    Begin {
        $Forest = Get-ADForest -Current LoggedOnUser
        $ForestDN = (Get-ADDomain -Identity ($Forest.RootDomain)).DistinguishedName

        if ($DomainSID -eq $null)
            $DomainSID = (Get-ADDomain -Current LoggedOnUser).DomainSID

    Process {
        $ExtendedRightGuid = Get-ADObject -Identity ("CN=Validated-SPN,CN=Extended-Rights,CN=Configuration," + $ForestDN) -Properties RightsGUID | Select-Object -ExpandProperty RightsGUID
        $NetworkService = New-Object Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $DomainSID)

        $Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($NetworkService, 

        [System.DirectoryServices.ActiveDirectoryAccessRule[]] $Rules = @($Ace)

    End {
        Write-Output $Rules

Function Set-Permissions {
            Sets permissions on an Active Directory object.
            Will set permissions on an Active Directory object with the provided rule set and Object CN.
            Set-Permissions -Domain -ObjectCN "CN=AdminSDHolder,CN=System" -Rules $Rules
            Sets permissions on the AdminSDHolder container in the domain with the ACL rules provided.
        .PARAMETER Domain
            The domain in which to configure the object's ACL.
        .PARAMETER ObjectCN
            The CN of the object being configured up to the domain part of the DN. This can be an empty string to configure the domain object.
        .PARAMETER Rules
            An array of Active Directory Access Rules
            System.String, System.String, System.DirectoryServices.ActiveDirectoryAccessRule[]
            AUTHOR: Michael Haken
            LAST UPDATE: 12/5/2015


        $DN = (Get-ADDomain -Identity $Domain).DistinguishedName
        $DC = Get-ADDomainController -DomainName $Domain -Discover
        [String[]]$Drives = Get-PSDrive | Select-Object -ExpandProperty Name

        if ($DC -ne $null)
            if (Test-Connection -ComputerName $DC)
                $TempDrive = "tempdrive"

                if ($Drives.Contains($TempDrive))
                    Write-Host "An existing PSDrive exists with name $TempDrive, temporarily removing" -ForegroundColor Yellow
                    $OldDrive = Get-PSDrive -Name $TempDrive
                    Remove-PSDrive -Name $TempDrive

                $Drive = New-PSDrive -Name $TempDrive -Root "" -PSProvider ActiveDirectory -Server $DC.Name

                Push-Location -Path "$Drive`:\"

                if ($ObjectCN -eq "")
                    $ObjectDN = $DN
                    $ObjectDN = $ObjectCN + "," + $DN

                [string[]]$Paths = @()

                $ObjectToChange = Get-ADObject -Identity $ObjectDN -Server $DC
                $Paths += $Drive.Name + ":" + $ObjectToChange.DistinguishedName

                $Context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(

                [System.DirectoryServices.ActiveDirectory.DomainControllerCollection]$DomainControllers = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($Context)

                foreach ($DomainController in $DomainControllers)
                    $Paths += (Get-ADDomainController -Identity $DomainController.Name -Server $DC | Select-Object -ExpandProperty ComputerObjectDN)

                foreach ($Path in $Paths)
                        $Acl = Get-Acl -Path $Path

                        if ($Acl)
                            $OldAcls = $Acl.Access | Where-Object {$Rules.IdentityReference -eq  $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])}

                            foreach ($Rule in $OldAcls)
                                $Acl.RemoveAccessRule($Rule) | Out-Null

                            foreach ($Rule in $Rules)
                                $Acl.AddAccessRule($Rule) | Out-Null

                            Set-Acl -Path $Path -AclObject $Acl
                            Write-Results -Path $Path -Domain $Domain
                            Write-Warning "Could not retrieve the ACL for $Path"
                    catch [System.Exception]
                        Write-Warning $_.ToString()


                Remove-PSDrive $Drive

                if ($OldDrive)
                    Write-Host "Recreating original PSDrive" -ForegroundColor Yellow
                    New-PSDrive -Name $OldDrive.Name -PSProvider $OldDrive.Provider -Root $OldDrive.Root | Out-Null
                    Remove-Variable -Name "OldDrive"
                Write-Warning "Could not contact domain controller $DC"

    End {}

function Write-Results {
            Writes the ACL configuration output results.
            The Write-Results cmdlet OUTPUTS the modified ACL.
            Write-Results -Path "c:\test.txt" -Domain ""
            Writes the current ACL of test.txt
            System.String, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 12/5/2015



    Process {
        try {
            $Acl = Get-Acl -Path $Path
        catch [Exception] {
            Write-Warning $_.Exception.Message
            throw $_.Exception

    End {
        Write-Host $Domain -ForegroundColor DarkRed -BackgroundColor White
        Write-Host ($Path.Substring($Path.IndexOf(":") + 1)) -ForegroundColor DarkRed -BackgroundColor White
        Write-Host ($Acl.Access | Format-List | Out-String)

Function Test-IsEnterpriseAdmin {
            Tests if a user is a member of the Enterprise Admins group.
            The Test-IsEnterpriseAdmin returns true if the user is in the group and false otherwise.
            Determines if the user credentials being used to run the cmdlet have Enterprise Admin privileges.
            Test-IsEnterpriseAdmin -UserName "John Smith"
            Determines if the user John Smith has Enterprise Admin privileges.
            Test-IsEnterpriseAdmin -Credential (Get-Credential)
            Determines if the entered user credentials have Enterprise Admin privileges.
        .PARAMETER UserName
            The user to test the group membership on. If no user name is specified, the cmdlet runs against WindowsIdentity Principal.
        .PARAMETER Credential
            The PSCredential to use to test if the user has Enterprise Admin credentials.
            System.Management.Automation.PSCredential, System.String
            System.String, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 2/24/2016

    Param (
        [string]$UserName = [System.String]::Empty,
        [PSCredential]$Credential = [PSCredential]::Empty

    Begin {
        Import-Module ActiveDirectory -ErrorAction Stop

        if ($Credential -eq $null) {
            $Credential = [System.Management.Automation.PSCredential]::Empty

        [bool]$IsAdmin = $false

        switch ($PSCmdlet.ParameterSetName)
            "Username" {
                if ($UserName -ne [System.String]::Empty)
                    $CurrentUser = $UserName
                    $Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent()
                    if ($Principal.IsSystem) {
                        Write-Host "Current principal is the SYSTEM account."
                        $Role = Get-WmiObject -Class Win32_OperatingSystem -Property ProductType | Select-Object -ExpandProperty ProductType
                        if ($Role -eq 2) {
                            Write-Host "Current principal is a domain controller."
                            $IsAdmin = $true
                        else {
                            Write-Warning "Current principal is the SYSTEM account, but not a domain controller."
                            $CurrentUser = $Principal.Name
                    else {
                        $CurrentUser = $Principal.Name
            "Credential" {
                if ($Credential -ne [System.Management.Automation.PSCredential]::Empty) {
                    $CurrentUser = $Credential.UserName
                else {
                    $Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent()
                    if ($Principal.IsSystem) {
                        Write-Host "Current principal is the SYSTEM account."
                        $Role = Get-WmiObject -Class Win32_OperatingSystem -Property ProductType | Select-Object -ExpandProperty ProductType
                        if ($Role -eq 2) {
                            Write-Host "Current principal is a domain controller."
                            $IsAdmin = $true
                        else {
                            Write-Warning "Current principal is the SYSTEM account, but not a domain controller."
                            $CurrentUser = $Principal.Name
                    else {
                        $CurrentUser = $Principal.Name
            default {
                throw "Could not determine parameter set name for Test-IsEnterpriseAdmin."

        if(!$IsAdmin) {
            if ($CurrentUser.IndexOf("\") -ne -1) {
                $Domain = $CurrentUser.Substring(0, $CurrentUser.IndexOf("\"))
                $Forest = (Get-ADDomain -Identity $Domain).Forest
                $CurrentUser = $CurrentUser.Substring($CurrentUser.IndexOf("\") + 1)
            elseif ($CurrentUser.IndexOf("@") -ne -1) {
                $Domain = $CurrentUser.Substring($CurrentUser.IndexOf("@") + 1)
                $Forest = (Get-ADDomain -Identity $Domain).Forest
                $CurrentUser = $CurrentUser.Substring(0, $CurrentUser.IndexOf("@"))
            else {
                $Forest = (Get-ADForest -Current LoggedOnUser).Name

            $Groups = Get-NestedGroupMembership -Principal $CurrentUser | Select-Object -Property Name,SID

            if($Credential -ne $null -and $Credential -ne [System.Management.Automation.PSCredential]::Empty) {
                $RootDomainSID = Get-ADDomain -Identity $Forest -Credential $Credential | Select-Object -ExpandProperty DomainSID
            else {
                $RootDomainSID = Get-ADDomain -Identity $Forest | Select-Object -ExpandProperty DomainSID
            [Security.Principal.SecurityIdentifier]$EnterpriseAdminSID = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid, $RootDomainSID)
            foreach ($Group in $Groups)
                if ($Group.SID -eq $EnterpriseAdminSID) 
                    $IsAdmin = $true

    End {
        Write-Output $IsAdmin

Function Test-IsEnterpriseOrDomainAdmin {
            Tests whether the current user or provided credential is a Domain Admin or Enterprise Admin.
            The Test-IsEnterpriseOrDomainAdmin returns true if the user is in the group and false otherwise.
            Determines if the user credentials being used to run the cmdlet have Domain or Enterprise Admin privileges
            Test-IsEnterpriseOrDomainAdmin -Credential $Creds
            Determines if the credentials have Enterprise or Domain Admin privileges
        .PARAMETER UserName
            The user to test the group membership on. If no user name is specified, the cmdlet runs against WindowsIdentity Principal.
        .PARAMETER Credential
            The PSCredential to use to test if the user has Enterprise Admin credentials.
            System.Management.Automation.PSCredential, System.String
            System.String, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 4/6/2016

        $Credential = [System.Management.Automation.PSCredential]::Empty,
        [string]$Username = [System.String]::Empty

        Import-Module ActiveDirectory -ErrorAction Stop

        if ($Credential -eq $null) {
            $Credential = [System.Management.Automation.PSCredential]::Empty

        [bool]$IsAdmin = $false

        switch ($PSCmdlet.ParameterSetName)
            "Username" {
                if ($UserName -ne [System.String]::Empty)
                    $CurrentUser = $UserName
                    $Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent()
                    if ($Principal.IsSystem) {
                        $Role = Get-WmiObject -Class Win32_OperatingSystem -Property ProductType | Select-Object -ExpandProperty ProductType
                        if ($Role -eq 2) {
                            $IsAdmin = $true
                        else {
                            Write-Warning "Current principal is the SYSTEM account, but not a domain controller."
                            $CurrentUser = $Principal.Name
                    else {
                        $CurrentUser = $Principal.Name

            "Credential" {
                if ($Credential -ne [System.Management.Automation.PSCredential]::Empty) {
                    $CurrentUser = $Credential.UserName
                else {
                    $Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent()
                    if ($Principal.IsSystem) {
                        $Role = Get-WmiObject -Class Win32_OperatingSystem -Property ProductType | Select-Object -ExpandProperty ProductType
                        if ($Role -eq 2) {
                            $IsAdmin = $true
                        else {
                            Write-Warning "Current principal is the SYSTEM account, but not a domain controller."
                            $CurrentUser = $Principal.Name
                    else {
                        $CurrentUser = $Principal.Name

            default {
                throw "Could not determine parameter set name for Test-IsDomainAdmin."

        if (!$IsAdmin) {
                if ($CurrentUser.IndexOf("\") -ne -1) {
                    $Domain = $CurrentUser.Substring(0, $CurrentUser.IndexOf("\"))
                    $CurrentUser = $CurrentUser.Substring($CurrentUser.IndexOf("\") + 1)
                elseif ($CurrentUser.IndexOf("@") -ne -1) {
                    $Domain = $CurrentUser.Substring($CurrentUser.IndexOf("@") + 1)
                    $CurrentUser = $CurrentUser.Substring(0, $CurrentUser.IndexOf("@"))
                else {
                    $Domain = (Get-ADDomain -Current LoggedOnUser).DnsRoot

                $CurrentUser = $CurrentUser.Substring($CurrentUser.IndexOf("\") + 1)
                $Groups = Get-NestedGroupMembership -Principal $CurrentUser | Select-Object -Property Name,SID

                if ($Credential -ne $null -and $Credential -ne [System.Management.Automation.PSCredential]::Empty) {            
                    [Microsoft.ActiveDirectory.Management.ADPartition]$DomainPartition = Get-ADDomain -Identity $Domain -Credential $Credential 
                    $RootDomainSID = Get-ADDomain -Identity ($DomainPartition.Forest) -Credential $Credential | Select-Object -ExpandProperty DomainSID
                else {
                    [Microsoft.ActiveDirectory.Management.ADPartition]$DomainPartition = Get-ADDomain -Identity $Domain
                    $RootDomainSID = Get-ADDomain -Identity ($DomainPartition.Forest) | Select-Object -ExpandProperty DomainSID

                $DomainSID = $DomainPartition.DomainSID
                [Security.Principal.SecurityIdentifier]$EnterpriseAdminSID = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid, $RootDomainSID)
                [Security.Principal.SecurityIdentifier]$DomainAdminSID = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $DomainSID)

                foreach ($Group in $Groups)
                    if ($Group.SID -eq $EnterpriseAdminSID -or $Group.SID -eq $DomainAdminSID) 
                        $IsAdmin = $true
            catch [Exception] 
                $IsAdmin = $false
    End {
        Write-Output $IsAdmin

Function Test-IsDomainAdmin {
            Tests if a user is a member of the Domain Admins group.
            The Test-IsDomainAdmin returns true if the user is in the group and false otherwise.
            Determines if the user credentials being used to run the cmdlet have Enterprise Admin privileges.
            Test-IsDomainAdmin -UserName "John Smith"
            Determines if the user John Smith has Domain Admin privileges
        .PARAMETER UserName
            The user to test the group membership on. If no user name is specified, the cmdlet runs against WindowsIdentity Principal.
        .PARAMETER Credential
            The PSCredential to use to test if the user has Enterprise Admin credentials.
            System.Management.Automation.PSCredential, System.String
            System.String, System.String
            AUTHOR: Michael Haken
            LAST UPDATE: 4/6/2016

    Param (
        [string]$UserName = [System.String]::Empty,
        [PSCredential]$Credential = [PSCredential]::Empty


    Begin {
        Import-Module ActiveDirectory -ErrorAction Stop

        if ($Credential -eq $null) {
            $Credential = [System.Management.Automation.PSCredential]::Empty

        [bool]$IsAdmin = $false

        switch ($PSCmdlet.ParameterSetName)
            "Username" {
                if ($UserName -ne [System.String]::Empty)
                    $CurrentUser = $UserName
                    $Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent()

                    if ($Principal.IsSystem) {
                        $Role = Get-WmiObject -Class Win32_OperatingSystem -Property ProductType | Select-Object -ExpandProperty ProductType
                        if ($Role -eq 2) {
                            Write-Host "Current principal is a domain controller."
                            $IsAdmin = $true
                        else {
                            Write-Warning "Current principal is the SYSTEM account, but not a domain controller."
                            $CurrentUser = $Principal.Name
                    else {
                        $CurrentUser = $Principal.Name
            "Credential" {
                if ($Credential -ne [System.Management.Automation.PSCredential]::Empty) {
                    $CurrentUser = $Credential.UserName
                else {
                    $Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent()
                    if ($Principal.IsSystem) {
                        $Role = Get-WmiObject -Class Win32_OperatingSystem -Property ProductType | Select-Object -ExpandProperty ProductType
                        if ($Role -eq 2) {
                            Write-Host "Current principal is a domain controller."
                            $IsAdmin = $true
                        else {
                            Write-Warning "Current principal is the SYSTEM account, but not a domain controller."
                            $CurrentUser = $Principal.Name
                    else {
                        $CurrentUser = $Principal.Name
            default {
                throw "Could not determine parameter set name for Test-IsDomainAdmin."

        if (!$IsAdmin) {
            if ($CurrentUser.IndexOf("\") -ne -1) {
                $Domain = $CurrentUser.Substring(0, $CurrentUser.IndexOf("\"))
                $CurrentUser = $CurrentUser.Substring($CurrentUser.IndexOf("\") + 1)
            elseif ($CurrentUser.IndexOf("@") -ne -1) {
                $Domain = $CurrentUser.Substring($CurrentUser.IndexOf("@") + 1)
                $CurrentUser = $CurrentUser.Substring(0, $CurrentUser.IndexOf("@"))
            else {
                $Domain = (Get-ADDomain -Current LoggedOnUser).DnsRoot

            $Groups = Get-NestedGroupMembership -Principal $CurrentUser | Select-Object -Property Name,SID

            if($Credential -ne $null -and $Credential -ne [System.Management.Automation.PSCredential]::Empty) {
                $DomainSID = Get-ADDomain -Identity $Domain -Credential $Credential | Select-Object -ExpandProperty DomainSID
            else {
                $DomainSID = Get-ADDomain -Identity $Domain | Select-Object -ExpandProperty DomainSID
            [Security.Principal.SecurityIdentifier]$DomainAdminSID = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $DomainSID)
            foreach ($Group in $Groups)
                if ($Group.SID -eq $DomainAdminSID) 
                    $IsAdmin = $true

    End {
        Write-Output $IsAdmin

Function Get-ADAccountControl {
            Gets an enumeration of a user's UserAccountControl attribute.
            The Get-ADAccountControl cmdlet gets the value from a user's UserAccountControl attribute and enumerates it to the different parts that create the bitwise value.
            Get-ADAccountControl -Identity "John Smith"
            Gets the UAC enumeration for John Smith.
        .PARAMETER Identity
            The identity of the user, can be a SamAccountName, DistinguishedName, or DisplayName property.
            AUTHOR: Michael Haken
            LAST UPDATE: 2/24/2016

    Param (

    Begin {

    Process {
        $UAC = Get-ADObject -Filter {(SamAccountName -eq $Identity) -or (DistinguishedName -eq $Identity) -or (DisplayName -eq $Identity)} -Properties UserAccountControl | Select-Object -ExpandProperty UserAccountControl
        Write-Host $Identity
        $Matches = @()
        foreach ($Value in $script:UACValues) {
            #Perform bitwise and to compare the current UAC against each possible value and record matches
            if ($UAC -band [System.Convert]::ToInt64($Value.Key, 16)) {
                $Matches += $Value
                Write-Host $Value.Value

    End {
        Write-Output $Matches

Function Get-NestedGroupMembership {
            Recursively gets the group membership of an AD principal.
            The Get-NestedGroupMembership gets all nested group membership of an AD principal.
            Get-NestedGroupMembership -Principal Administrator
            Gets all group membership for the Administrator account.
        .PARAMETER Principal
            The principal to get group membership for.
            AUTHOR: Michael Haken
            LAST UPDATE: 4/6/2016


    Begin {
        Import-Module ActiveDirectory -ErrorAction Stop

        if ($Groups -eq $null) {
            $Groups = @()

        if ([System.String]::IsNullOrEmpty($Principal)) {
            $Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

        if ($Principal.IndexOf("DC=") -ne -1) {
            #Pulls the DC=...,DC=...,DC=... info and turns it into an FQDN
            $Server = $Principal.Substring($Principal.IndexOf("DC=")).Replace("DC=","").Replace(",",".")
        else {
            if ($Principal.IndexOf("\") -ne -1) {
                $Domain = $Principal.Substring(0, $Principal.IndexOf("\"))        
                $Server = (Get-ADDomain -Identity $Domain).DnsRoot        
                $Principal = $Principal.Substring($Principal.IndexOf("\") + 1)
            elseif ($Principal.IndexOf("@") -ne -1) {
                $Domain = $Principal.Substring($Principal.IndexOf("@") + 1)
                $Server = (Get-ADDomain -Identity $Domain).DnsRoot
                $Principal = $Principal.Substring(0, $Principal.IndexOf("@"))
            else {
                $Server = (Get-ADDomain -Current LoggedOnUser).DnsRoot

        if ([System.String]::IsNullOrEmpty($Server)) {
            throw "Could not find a domain controller."

    Process {
        #Get the group membership of the evaluated principal
        $TempGroups = Get-ADPrincipalGroupMembership -Identity $Principal -Server $Server
        $GroupsToCheck = @()

        #Iterate through these groups, need to check if the Groups array already contains the group
        #If it doesn't, add the group since it is a newly discovered nested group, and also add it to the
        #array of groups to check for further nested group membership
        #We don't want to check the Groups array for nested membership since a lot of those groups have already been checked
        foreach($Group in $TempGroups) {
            if (!$Groups.Contains($Group)) {
                $Groups += $Group
                $GroupsToCheck += $Group

        #This array will hold newly discovered nested groups of the groups we need to check
        $NewGroups = @()

        #Get the nested group membership of each new group to check
        foreach ($Group in $GroupsToCheck) {
            $NewGroups += Get-NestedGroupMembership -Principal $Group.DistinguishedName -Groups $Groups

        #After getting the nested groups, check to see if that group may have been added already to Groups
        #through nested membership in some other group that was already checked
        foreach ($Group in $NewGroups) {
            if (!$Groups.Contains($Group)) {
                $Groups += $Group

    End {
        #Return the updated total group membership
        Write-Output $Groups

$script:UACValues = @(