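# Well-known identifiers of Tier 0 groups (groups whose membership grants control of the
# forest / domain). Two forms are mixed on purpose:
#   - bare numbers are domain-relative RIDs and are matched against the LAST component of
#     a group's SID, so the same entry covers every domain in the forest;
#   - full SIDs (BUILTIN S-1-5-32-* and S-1-5-9) are matched verbatim.
# Every element must be comma-terminated except the last one; a missing comma splits the
# literal into two statements that @() silently concatenates, which is easy to break later.
$Tier0_SID = @(
    '498',           # Enterprise Read-only Domain Controllers
    '512',           # Domain Admins
    '516',           # Domain Controllers
    '517',           # Cert Publishers
    '518',           # Schema Admins
    '519',           # Enterprise Admins
    '520',           # Group Policy Creator Owners
    '521',           # Read-only Domain Controllers
    '522',           # Clonable Domain Controllers
    '526',           # Key Admins
    '527',           # Enterprise Key Admins
    'S-1-5-9',       # Enterprise Domain Controllers
    'S-1-5-32-544',  # Administrators
    'S-1-5-32-547',  # Power Users
    'S-1-5-32-548',  # Account Operators
    'S-1-5-32-549',  # Server Operators
    'S-1-5-32-550',  # Print Operators
    'S-1-5-32-551',  # Backup Operators
    'S-1-5-32-552',  # Replicator
    'S-1-5-32-557'   # BUILTIN\Incoming Forest Trust Builders
)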
# Tier 0 groups that have no well-known SID and are therefore recognised by SamAccountName.
# Kept upper-case so an upper-cased account name can be compared against the list directly.
$Tier0_SAN = @('DNSADMINS', 'EXCHANGE WINDOWS PERMISSIONS')

# Service principal names whose holders are treated as Tier 0 accounts.
$Tier0_SPN = @('AgpmServer')
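# Report every user account holding one of the Tier 0 SPNs.
# Output: JSON, one {SPN, User} record per matching account. Note that a single match is
# serialised by ConvertTo-Json as a bare object rather than a one-element array, and no
# match produces no output at all; consumers should tolerate both.
$Tier0_SPN | ForEach-Object {
    $spn = $_
    # ServicePrincipalName is NOT part of Get-ADUser's default property set, so it has to be
    # requested with -Properties or the attribute is always empty and nothing ever matches.
    # Filtering server-side avoids pulling every user object once per SPN. $spn comes from
    # the constant list in this script, not from external input, so interpolating it into
    # the filter string is acceptable here; do not extend this to caller-supplied values.
    Get-ADUser -Filter "ServicePrincipalName -like '*$spn*'" -Properties ServicePrincipalName |
        ForEach-Object {
            [PSCustomObject]@{
                'SPN'  = $spn
                'User' = $_.DistinguishedName
            }
        }
} | ConvertTo-Json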
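# Enumerate the (flattened) membership of every Tier 0 group and emit it as JSON.
# A group is Tier 0 when its full SID is listed in $Tier0_SID, its RID (last SID component)
# is listed there, or its upper-cased SamAccountName is in $Tier0_SAN.
# Output: one {Group, Members} record per group; Members is always an array.

# Attributes collected for user and computer members. Kept as lists so the two calls below
# stay readable; the sets differ because the delegation/DNS attributes only exist on computers.
$userProps = 'Name', 'SamAccountName', 'UserPrincipalName', 'Enabled', 'SID',
    'AccountNotDelegated', 'DistinguishedName', 'ObjectClass',
    'AllowReversiblePasswordEncryption', 'Certificates', 'DoesNotRequirePreAuth', 'userCertificate'
$computerProps = 'Name', 'SamAccountName', 'UserPrincipalName', 'Enabled', 'SID',
    'DistinguishedName', 'ObjectClass', 'DNSHostName', 'AllowReversiblePasswordEncryption',
    'Certificates', 'DoesNotRequirePreAuth', 'IPv4Address',
    'PrincipalsAllowedToDelegateToAccount', 'servicePrincipalName', 'userCertificate'

Get-ADGroup -Filter '*' |
    Where-Object {
        $sid = $_.SID.Value
        $Tier0_SID.Contains($sid.Split('-')[-1]) -or
        $Tier0_SID.Contains($sid) -or
        $Tier0_SAN.Contains($_.SamAccountName.ToUpper())
    } |
    ForEach-Object {
        [PSCustomObject]@{
            'Group'   = $_.SamAccountName
            # -Recursive flattens nested groups, so only leaf principals are returned.
            # @() keeps Members an array even for zero or one member.
            'Members' = @($_ | Get-ADGroupMember -Recursive | ForEach-Object {
                $member = $_
                # Dispatch on objectClass rather than "try Get-ADUser, fall back to
                # Get-ADComputer": a member that is neither (e.g. a foreignSecurityPrincipal
                # from a trusted domain) would fail both lookups and vanish from the report,
                # which is exactly the kind of Tier 0 member a watcher must not hide.
                # Unknown classes are emitted as the raw ADPrincipal instead.
                switch ($member.objectClass) {
                    'user'     { $member | Get-ADUser -Properties $userProps }
                    'computer' { $member | Get-ADComputer -Properties $computerProps }
                    default    { $member }
                }
            })
        }
    } |
    # The default depth of 2 stops at the member objects, so nested values such as SID or
    # Certificates collapse to their ToString() form; 4 reaches the member attributes.
    ConvertTo-Json -Depth 4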