sthAdminSDHolder

1.0

Functions/Get-sthAdminSDHolderProtectedUserAccount.ps1

                                # .externalhelp ..\sthAdminSDHolder.psm1-help.xml

function Get-sthAdminSDHolderProtectedUserAccount

{

    [CmdletBinding(DefaultParameterSetName='default',PositionalBinding=$false)]

    Param(

        # Ambiguous Name Resolution

        [Parameter(ParameterSetName='ANR',Position=0)]

        [string]$ANR,

        # SamAccountName

        [Parameter(ParameterSetName='SamAccountName')]

        [string]$SamAccountName,

        # UserPrincipalName

        [Parameter(ParameterSetName='UserPrincipalName')]

        [string]$UserPrincipalName,

        [switch]$EnabledOnly

    )

    $RootDSE = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://RootDSE"

    $defaultNamingContext = "LDAP://$($RootDSE.Properties.Item('defaultNamingContext'))"

    $AdminSDHolderProtectedGroups = (Get-sthAdminSDHolderGroup -RootDSE $RootDSE).ProtectedGroups

    # Create ADSISearcher

    $ADSISearcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher

    $ADSISearcher.SearchRoot = $defaultNamingContext

    # Find Users with AdminCount = 1 and not krbgtg

    $Filter = '(&(objectCategory=person)(adminCount=1)(!samAccountName=krbtgt)'

    if ($EnabledOnly)

    {

        $Filter += "(!userAccountControl:1.2.840.113556.1.4.803:=2)"

    }

    switch ($PSCmdlet.ParameterSetName)

    {

        'ANR'

        {

            $Filter += "(anr=$ANR))"

        }

        'SamAccountName'

        {

            $Filter += "(samaccountname=$SamAccountName))"

        }

        'UserPrincipalName'

        {

            $Filter += "(userprincipalname=$UserPrincipalName))"

        }

        'default'

        {

            $Filter += ')'

        }    

    }

    Write-Verbose -Message $Filter

    $ADSISearcher.Filter = $Filter

    $UsersWithAdminCountAttribute = $ADSISearcher.FindAll()

    if ($UsersWithAdminCountAttribute)

    {

        foreach ($user in $UsersWithAdminCountAttribute)

        {

            $SearchRoot = "LDAP://$($user.Properties.Item('distinguishedName')[0])"

            $ADSISearcher.SearchRoot = $SearchRoot

            $MemberOf = @()

            foreach ($group in $AdminSDHolderProtectedGroups)

            {

                $Filter = "(&(objectCategory=person)(Memberof:1.2.840.113556.1.4.1941:=$($group.distinguishedName)))"

                $ADSISearcher.Filter = $Filter

                if ($($ADSISearcher.FindAll()))

                {

                    $MemberOf += $group.Name

                }

            }

            $hash = [ordered]@{

                Name = $user.Properties.Item('Name')[0]

                SamAccountName = $user.Properties.Item('SamAccountName')[0]

                UserPrincipalName = $user.Properties.Item('UserPrincipalName')[0]

                Enabled = $(-not ($user.Properties.Item('UserAccountControl')[0] -band 2))

                AdminCountAttribute = 1

                InheritanceEnabled = -not (([ADSI]"LDAP://$($user.Properties.Item('distinguishedName')[0])").psbase.objectSecurity.AreAccessRulesProtected)

                AdminSDHolderGroups = @($MemberOf)

                DistinguishedName = $user.Properties.Item('DistinguishedName')[0]

            }

            $PSObject = New-Object -TypeName System.Management.Automation.PSObject -Property $hash | Add-Member -TypeName 'sth.AdminSDHolderProtectedUserAccount' -PassThru

            $PSObject

        }

    }

}