
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.

# Only the user-right rules of the processed STIG are rendered by this composite resource.
$rules = $stig.RuleList | Select-Rule -Type 'UserRightRule'

# Maps the identity names used in STIG rule text to account names the
# UserRightsAssignment resource can resolve. Values that contain '{0}' are
# formatted with the NetBIOS domain name before use; the others are passed
# through unchanged. 'NULL' deliberately maps to an empty string.
$domainGroupTranslation = @{
    # Domain-scoped groups (need the domain name injected)
    'Domain Admins' = '{0}\Domain Admins'
    'Security' = '{0}\security'
    'Auditors' = '{0}\auditors'

    # Built-in and well-known principals (no domain prefix required)
    'Administrators' = 'Builtin\Administrators'
    'Authenticated Users' = 'Authenticated Users'
    'Guests' = 'Guests'
    'Local Service' = 'NT Authority\Local Service'
    'Network Service' = 'NT Authority\Network Service'
    'NT Service\WdiServiceHost' = 'NT Service\WdiServiceHost'
    'Service' = 'Service'
    'Window Manager\Window Manager Group' = 'Window Manager\Window Manager Group'

    # Explicit "no one" marker used by the rule data
    'NULL' = ''
}

# Forest-scoped groups; both values take the NetBIOS forest name via '{0}'.
$forestGroupTranslation = @{
    'Schema Admins' = '{0}\Schema Admins'
    'Enterprise Admins' = '{0}\Enterprise Admins'
}

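# Normalise whichever names were injected to NetBIOS form so the '{0}' entries in the
# translation tables yield a valid <NETBIOS>\<account> name. The identity lookups below
# consult DomainName and ForestName independently, so each name is converted on its own
# rather than only when both are present; otherwise a caller supplying a single name
# would have it used untranslated. NOTE(review): assumes Get-DomainName returns a name
# that is already NetBIOS unchanged — confirm against the PowerStig helper.
if (-not [string]::IsNullOrWhiteSpace($DomainName))
{
    $DomainName = PowerStig\Get-DomainName -DomainName $DomainName -Format NetbiosName
}

if (-not [string]::IsNullOrWhiteSpace($ForestName))
{
    $ForestName = PowerStig\Get-DomainName -ForestName $ForestName -Format NetbiosName
}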

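# Emit one UserRightsAssignment resource per user-right rule, translating the identity
# names from the rule text into resolvable account names first.
foreach ($rule in $rules)
{
    Write-Verbose -Message $rule

    if ($rule.Identity -eq 'NULL')
    {
        # 'NULL' means the right is held by no one; passing $null (together with Force)
        # lets the resource strip every existing holder.
        $identityList = $null
    }
    else
    {
        # Identities are comma separated. Trim each entry and drop empty ones so that
        # "A, B" still matches the translation tables instead of falling through, and an
        # empty string never reaches the resource as an account name.
        $identitySplit = ($rule.Identity -split ",") |
            ForEach-Object { $_.Trim() } |
            Where-Object { -not [string]::IsNullOrWhiteSpace($_) }

        [System.Collections.ArrayList] $identityList = @()

        foreach ($identity in $identitySplit)
        {
            if (-not ([string]::IsNullOrWhiteSpace($DomainName)) -and $domainGroupTranslation.Contains($identity))
            {
                [void] $identityList.Add($domainGroupTranslation.$identity -f $DomainName)
            }
            elseif (-not ([string]::IsNullOrWhiteSpace($ForestName)) -and $forestGroupTranslation.Contains($identity))
            {
                [void] $identityList.Add($forestGroupTranslation.$identity -f $ForestName)
            }
            # -notmatch is a case-insensitive substring regex: anything that does not look
            # domain/forest scoped is added exactly as the rule wrote it.
            elseif ($identity -notmatch "Schema Admins|Enterprise Admins|security|Domain Admins|auditors")
            {
                [void] $identityList.Add($identity)
            }
            else
            {
                # A domain/forest scoped identity cannot be expressed without the matching
                # name, so it is left out. Say so: with Force set, a silently narrowed list
                # removes holders the rule never asked to remove.
                Write-Warning -Message "Identity '$identity' for '$($rule.DisplayName)' was skipped because no DomainName/ForestName was supplied."
            }
        }
    }

    # Force is stored as text on the rule; an unparseable value leaves Force unset/false.
    $ruleForce = $null
    [void][bool]::TryParse($rule.Force, [ref] $ruleForce)

    UserRightsAssignment (Get-ResourceTitle -Rule $rule)
    {
        # Policy names use underscores where the STIG display name has spaces.
        Policy   = ($rule.DisplayName -replace " ", "_")
        Identity = $identityList
        Force    = $ruleForce
    }
}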