functions/Test-DbaValidLogin.ps1

Function Test-DbaValidLogin
{
<#
.SYNOPSIS
Test-DbaValidLogin Finds any logins on SQL instance that are AD logins with either disabled AD user accounts or ones that nolonger exist
 
.DESCRIPTION
The purpose of this function is to find SQL Server logins that are used by active directory users that are either disabled or removed from the domain. It allows you to
keep your logins accurate and up to date by removing accounts that are no longer needed.
 
.PARAMETER SQLServer
SQL Server.You must have sysadmin access and server version must be SQL Server version 2000 or greater.
 
.PARAMETER SqlCredential
Allows you to login to servers using SQL Logins as opposed to Windows Auth/Integrated/Trusted. To use:
 
.PARAMETER Logins
Filters the results to only the login you wish
 
.PARAMETER Exclude
Excludes any login you pass into it from the results.
 
.PARAMETER FilterBy
By default the function returns both Logins and Groups. you can use the FilterBy parameter to only return Groups (GroupsOnly) or Logins (LoginsOnly)
 
.PARAMETER ExcludeDomains
Bu default we tranverse all domains in the forest and all trusted domains. You can exclude domains by adding them to the ExcludeDomains
 
.PARAMETER Detailed
Returns a more detailed result, showing if the login on SQL Server is enabled or disabled and what type of account it is in AD
 
.NOTES
Author: Stephen Bennett: https://sqlnotesfromtheunderground.wordpress.com/
Author: Chrissy LeMaire (@cl), netnerds.net
 
dbatools PowerShell module (https://dbatools.io, clemaire@gmail.com)
 
Copyright (C) 2016 Chrissy LeMaire
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
 
.LINK
https://dbatools.io/Test-DbaValidLogin
 
.EXAMPLE
Test-DbaValidLogin -SqlServer Dev01
 
Tests all logins in the domain ran from (check $env:domain) that are either disabled or do not exist
 
.EXAMPLE
Test-DbaValidLogin -SqlServer Dev01 -FilterBy GroupsOnly -Detailed
 
Tests all Active directory groups that have logins on Dev01 returning a detailed view.
 
.EXAMPLE
Test-DbaValidLogin -SqlServer Dev01 -ExcludeDomains subdomain.ad.local
 
Tests all logins excluding any that are from the mydomain Domain
 
#>

    [CmdletBinding()]
    Param (
        [parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $True)]
        [Alias("ServerInstance", "SqlInstance", "SqlServers")]
        [string[]]$SqlServer,
        [System.Management.Automation.PSCredential]$SqlCredential,
        [ValidateSet("LoginsOnly", "GroupsOnly")]
        [string]$FilterBy = "None",
        [string[]]$ExcludeDomains,
        [switch]$Detailed
    )
    
    DynamicParam { if ($SqlServer) { return Get-ParamSqlLogins -SqlServer $SqlServer[0] -SqlCredential $SqlCredential -WindowsOnly } }
    
    BEGIN
    {
        function ConvertTo-Dn ([string]$dns)
        {
            $array = $dns.Split(".")
            for ($x = 0; $x -lt $array.Length; $x++)
            {
                if ($x -eq ($array.Length - 1)) { $separator = "" }
                else { $separator = "," }
                [string]$dn += "DC=" + $array[$x] + $separator
            }
            return $dn
        }
        try
        {
            $alldomains = $domains = @()
            $currentforest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
            $alldomains += $currentforest.Domains.name | Where-Object { $_ -notin $excludedomains }
            
            $cd = $currentforest.Domains | Where-Object { $_.name -notin $excludedomains }
        }
        catch
        {
            Write-warning "No Active Directory domains Found."
            break
        }
    
    foreach ($domain in $cd)
        {
            try
            {
                $alldomains += ($Domain.GetAllTrustRelationships()).TargetName
            }
            catch
            {
                $alldomains = $alldomains | Where-Object { $_ -ne $domain.name }
                Write-Warning "Couldn't contact $domain"
            }
        }
        
        $alldomains = $alldomains | Select-Object -Unique
        
        foreach ($domain in $alldomains)
        {
            try
            {
                $dn = ConvertTo-Dn $domain
                $translate = New-Object -comObject NameTranslate
                $reflection = $translate.GetType()
                $reflection.InvokeMember("Init", "InvokeMethod", $Null, $translate, (3, $Null))
                $reflection.InvokeMember("Set", "InvokeMethod", $Null, $translate, (1, $dn))
                $netbios = $reflection.InvokeMember("Get", "InvokeMethod", $Null, $translate, 3).Trim("\")
                
                $domains += [pscustomobject]@{
                    DNS = $domain
                    DN = $dn
                    NetBios = $netbios
                    LDAP = "LDAP://" + $netbios + "/" + $DN
                }
            }
            catch
            {
                Write-Warning "Removing $domain from domain list"
            }
        }
        
        $Logins = $psboundparameters.Logins
        $Exclude = $psboundparameters.Exclude
    }
    
    PROCESS
    {
        foreach ($instance in $sqlserver)
        {
            try
            {
                $server = Connect-SqlServer -SqlServer $instance -SqlCredential $sqlcredential
                Write-Verbose "Connected to: $instance"
            }
            catch
            {
                Write-Warning "Failed to connect to: $instance"
                continue
            }
            
            if ($Logins)
            {
                $windowslogins = $server.Logins | Where-Object { $Logins -contains $_.Name }
            }
            else
            {
                switch ($FilterBy)
                {
                    "LoginsOnly"
                    {
                        Write-Verbose "connecting to logins"
                        $windowslogins = $server.Logins | Where-Object { $_.LoginType -eq 'WindowsUser' }
                        $windowslogins = $windowslogins | Where-Object { $_.Name.StartsWith("NT ") -eq $false -and $_.Name.StartsWith($SqlServer) -eq $false -and $_.Name.StartsWith("BUILTIN") -eq $false }
                    }
                    "GroupsOnly"
                    {
                        Write-Verbose "connecting to groups"
                        $windowsGroups = $server.Logins | Where-Object { $_.LoginType -eq 'WindowsGroup' }
                        $windowsGroups = $windowsGroups | Where-Object { $_.Name.StartsWith("NT ") -eq $false -and $_.Name -notmatch $SqlServer -and $_.Name.StartsWith("BUILTIN") -eq $false }
                    }
                    "None"
                    {
                        Write-Verbose  "connecting to both logins and groups"
                        $allwindowsloginsgroups = $server.Logins | Where-Object { $_.LoginType -eq 'WindowsUser' -or $_.LoginType -eq 'WindowsGroup' }
                        $windowslogins = $allwindowsloginsgroups | Where-Object { $_.LoginType -eq 'WindowsUser' }
                        $windowslogins = $windowslogins | Where-Object { $_.Name.StartsWith("NT ") -eq $false -and $_.Name.StartsWith($SqlServer) -eq $false -and $_.Name.StartsWith("BUILTIN") -eq $false }
                        $windowsGroups = $allwindowsloginsgroups | Where-Object { $_.LoginType -eq 'WindowsGroup' }
                        $windowsGroups = $windowsGroups | Where-Object { $_.Name.StartsWith("NT ") -eq $false -and $_.Name -notmatch $SqlServer.Split("\\")[0] -and $_.Name.StartsWith("BUILTIN") -eq $false }
                    }
                    
                }
            }
            
            if ($exclude)
            {
                $windowslogins = $windowslogins | Where-Object { $Logins -notcontains $_.Name }
                $windowsGroups = $windowsGroups | Where-Object { $Logins -notcontains $_.Name }
                
            }
            
            foreach ($login in $windowslogins)
            {
                
                $adlogin = $login.Name
                Write-Verbose "Parsing Login $adlogin"
                $domain, $username = $adlogin.Split("\")
                $filter = "(&(objectCategory=User)(sAMAccountName=$username))" # won't work with groups
                Write-Verbose $filter
                
                if ($env:USERDOMAIN -eq $domain)
                {
                    $searcher = New-Object System.DirectoryServices.DirectorySearcher
                    $searcher.Filter = $filter
                }
                else
                {
                    $LDAP = ($domains | Where-Object NetBios -eq $domain).LDAP
                    $ad = New-Object System.DirectoryServices.DirectoryEntry $LDAP
                    $searcher = New-Object System.DirectoryServices.DirectorySearcher
                    $searcher.SearchRoot = $ad
                    $searcher.Filter = $filter
                }
                try
                {
                    $founduser = $searcher.findOne()
                }
                catch
                {
                    Write-Warning "AD Searcher Error for $username"
                }
                $value = $founduser.Properties.useraccountcontrol
                
                $enabled = $exists = $false
                $adlogindetails = 'unknown'
                
                ## values from http://www.netvision.com/ad_useraccountcontrol.php
                switch ($value)
                {
                    512      {
                        $enabled = $true
                        $adlogindetails = 'Enabled Account'
                    }
                    514      {
                        $enabled = $false
                        $adlogindetails = 'Disabled Account'
                    }
                    544      {
                        $enabled = $true
                        $adlogindetails = 'Enabled, Password Not Required'
                    }
                    546      {
                        $enabled = $false
                        $adlogindetails = 'Disabled, Password Not Required'
                    }
                    66048    {
                        $enabled = $true
                        $adlogindetails = 'Enabled, Password Doesnt Expire'
                    }
                    66050    {
                        $enabled = $false
                        $adlogindetails = 'Disabled, Password Doesnt Expire'
                    }
                    66080    {
                        $enabled = $true
                        $adlogindetails = 'Enabled, Password Doesnt Expire & Not Required'
                    }
                    66082    {
                        $enabled = $false
                        $adlogindetails = 'Disabled, Password Doesnt Expire & Not Required'
                    }
                    262656   {
                        $enabled = $true
                        $adlogindetails = 'Enabled, Smartcard Required'
                    }
                    262658   {
                        $enabled = $false
                        $adlogindetails = 'Disabled, Smartcard Required'
                    }
                    262688   {
                        $enabled = $true
                        $adlogindetails = 'Enabled, Smartcard Required, Password Not Required'
                    }
                    262690   {
                        $enabled = $false
                        $adlogindetails = 'Disabled, Smartcard Required, Password Not Required'
                    }
                    328192   {
                        $enabled = $true
                        $adlogindetails = 'Enabled, Smartcard Required, Password Doesnt Expire'
                    }
                    328194   {
                        $enabled = $false
                        $adlogindetails = 'Disabled, Smartcard Required, Password Doesnt Expire'
                    }
                    328224   {
                        $enabled = $true
                        $adlogindetails = 'Enabled, Smartcard Required, Password Doesnt Expire & Not Required'
                    }
                    328226   {
                        $enabled = $false
                        $adlogindetails = 'Disabled, Smartcard Required, Password Doesnt Expire & Not Required'
                    }
                    590336
                    {
                        $enabled = $true
                        $adlogindetails = 'Enabled, User Cannot Change Password & Password Never Expires'
                    }
                    $null
                    {
                        $exists = $true
                    }
                    default
                    {
                        Write-Verbose "unknown value passed from useraccountcontrol Server: $sqlServer Login: $username Domain: $domain Value: $value"
                        $exists = 'Unknown'
                        $enabled = 'Unknown'
                    }
                }
                
                if ($Detailed)
                {
                    [PSCustomObject]@{
                        Server = $server.Name
                        Domain = $domain
                        Login = $username
                        Type = "User"
                        Found = $exists -ne $true
                        Enabled = $enabled
                        DisabledInSQLServer = $login.IsDisabled
                        ADLoginDetails = $adlogindetails
                    }
                }
                else
                {
                    [PSCustomObject]@{
                        Server = $server.Name
                        Domain = $domain
                        Login = $username
                        Type = "User"
                        Found = $exists -ne $true
                        Enabled = $enabled
                    }
                }
            } # foreach login
            
            foreach ($login in $windowsGroups)
            {
                $adlogin = $login.Name
                Write-Verbose "Parsing Group $adlogin"
                $domain, $username = $adlogin.Split("\")
                $filter = "(&(objectCategory=group)(sAMAccountName=$username))" # won't work with groups
                Write-Verbose $filter
                
                if ($env:USERDOMAIN -eq $domain)
                {
                    $searcher = New-Object System.DirectoryServices.DirectorySearcher
                    $searcher.Filter = $filter
                }
                else
                {
                    $LDAP = ($domains | Where-Object NetBios -eq $domain).LDAP
                    $ad = New-Object System.DirectoryServices.DirectoryEntry $LDAP
                    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ad)
                    $searcher.SearchRoot = $ad
                    $searcher.Filter = $filter
                }
                try
                {
                    $founduser = $searcher.findOne()
                }
                catch
                {
                    Write-Warning "AD Searcher Error for $username on $SqlServer"
                }
                
                $enabled = $exists = $false
                
                if ($founduser)
                {
                    $enabled = $true
                }
                else
                {
                    $exists = $true
                }
                if ($Detailed)
                {
                    [PSCustomObject]@{
                        Server = $server.Name
                        Domain = $domain
                        Login = $username
                        Type = "Group"
                        Found = $exists -ne $true
                        Enabled = $enabled
                        DisabledInSQLServer = $login.IsDisabled
                        ADLoginDetails = 'AD group'
                    }
                }
                else
                {
                    [PSCustomObject]@{
                        Server = $server.Name
                        Domain = $domain
                        Login = $username
                        Type = "Group"
                        Found = $exists -ne $true
                        Enabled = $enabled
                    }
                }
            } # foreach group
        }
    }
}