Functions/HealthCheck/Users/Get-AMHCUsersNoAccess.ps1

function Get-AMHCUsersNoAccess {
    <#
        .SYNOPSIS
            Users Without Access

        .DESCRIPTION
            Reports every entry of type "User" in AllUsers that is not covered by a
            system permission entry with at least one of the checked permission flags
            set. A user counts as covered when the entry's GroupID is the user's own ID,
            or the ID of a user group whose UserIDs list contains the user.
            The account named "Administrator" is never reported.

        .PARAMETER AllUsers
            The users and user groups to perform health check against

        .PARAMETER SystemPermissions
            The system permissions to perform health check against

        .OUTPUTS
            One AMConstructHealthCheckItem per user without access, built with the
            user object and the text "No access".
    #>

    [CmdletBinding()]
    param (
        $AllUsers,

        $SystemPermissions
    )

    # Permission flags that count as "has access"; one truthy flag is enough.
    # NOTE(review): only these flags are inspected, so this list has to be kept in
    # step with the permission properties the server exposes - a flag missing here
    # would cause its holders to be reported as having no access.
    $permissionFlags = @(
        "EditDashboardPermission"
        "EditDefaultPropertiesPermission"
        "EditLicensingPermission"
        "EditPreferencesPermission"
        "EditServerSettingsPermission"
        "ToggleTriggeringPermission"
        "ViewCalendarPermission"
        "ViewDashboardPermission"
        "ViewDefaultPropertiesPermission"
        "ViewLicensingPermission"
        "ViewPreferencesPermission"
        "ViewReportsPermission"
        "ViewServerSettingsPermission"
    )

    $coveredUsers = @()
    foreach ($entry in $SystemPermissions) {
        # Does this permission entry grant anything at all?
        $grantsSomething = $false
        foreach ($flag in $permissionFlags) {
            if ($entry.$flag) {
                $grantsSomething = $true
                break
            }
        }
        if (-not $grantsSomething) {
            continue
        }

        # GroupID identifies either a single user or a user group.
        $principal = $AllUsers | Where-Object {$_.ID -eq $entry.GroupID}
        if ($principal.Type -eq "User") {
            $coveredUsers += $principal
        } elseif ($principal.Type -eq "UserGroup") {
            # Only direct members of type "User" are added; a group ID listed in
            # UserIDs is not expanded further.
            # NOTE(review): if groups can be nested, members of the inner group would
            # be reported as "No access" although they inherit it - confirm.
            $coveredUsers += $AllUsers | Where-Object {$_.ID -in $principal.UserIDs -and $_.Type -eq "User"}
        }
    }

    # NOTE(review): the exclusion below matches on Name, not ID - a renamed built-in
    # account would be reported, and any other account carrying this name would be
    # skipped. Confirm that is intended before acting on the results.
    $uncoveredUsers = $AllUsers | Where-Object {($_.Type -eq "User") -and ($_ -notin $coveredUsers) -and ($_.Name -ne "Administrator")}
    foreach ($account in $uncoveredUsers) {
        [AMConstructHealthCheckItem]::New($account, "No access")
    }
}