Update
PrzemyslawKlys committed Apr 12, 2020
1 parent 02dcbda commit 4a1fa30
Showing 5 changed files with 167 additions and 120 deletions.
4 changes: 3 additions & 1 deletion Examples/Example-08-ListingPermissions.ps1
@@ -1,5 +1,7 @@
Import-Module "$PSScriptRoot\..\GPoZaurr.psd1" -Force

$T = Get-GPOZaurrPermission #-SkipWellKnown #-SkipAdministrative # -ExcludePermissionType GpoRead,GpoApply #| Out-HtmlView
$T = Get-GPOZaurrPermission -GPOName 'DC | PowerShell Logging' -Type Unknown

#$T = Get-GPOZaurrPermission #-Type All #-SkipWellKnown -SkipAdministrative # -ExcludePermissionType GpoRead,GpoApply #| Out-HtmlView
$T | Format-Table -AutoSize *
#$T | Out-HtmlView -ScrollX -Filtering -Online -DisablePaging
2 changes: 1 addition & 1 deletion GPOZaurr.psd1
Expand Up @@ -7,7 +7,7 @@
Description = 'Group Policy Eater'
FunctionsToExport = 'Backup-GPOZaurr', 'Get-GPOZaurr', 'Get-GPOZaurrBackupInformation', 'Get-GPOZaurrPassword', 'Get-GPOZaurrPermission', 'Get-GPOZaurrWMI', 'New-GPOZaurrWMI', 'Remove-GPOZaurr', 'Remove-GPOZaurrPermission', 'Remove-GPOZaurrWMI', 'Restore-GPOZaurr', 'Save-GPOZaurrFiles', 'Set-GPOZaurrOwner', 'Set-GPOZaurrWMI'
GUID = 'f7d4c9e4-0298-4f51-ad77-e8e3febebbde'
ModuleVersion = '0.0.10'
ModuleVersion = '0.0.11'
PowerShellVersion = '5.1'
PrivateData = @{
PSData = @{
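--- a/Private/Get-PrivPermission.ps1
+++ b/Private/Get-PrivPermission.ps1
@@ -0,0 +1,112 @@
+function Get-PrivPermission {
+[cmdletBinding()]
+param(
+[Microsoft.GroupPolicy.Gpo] $GPO,
+[switch] $SkipWellKnown,
+[switch] $SkipAdministrative,
+[switch] $IncludeOwner,
+[Microsoft.GroupPolicy.GPPermissionType[]] $IncludePermissionType,
+[Microsoft.GroupPolicy.GPPermissionType[]] $ExcludePermissionType,
+[switch] $IncludeGPOObject,
+[System.Collections.IDictionary] $ADAdministrativeGroups,
+[string[]] $Type
+)
+
+# $GPO = $_
+Write-Verbose "Get-GPOZaurrPermission - Processing $($GPO.DisplayName) from $($GPO.DomainName)"
+$SecurityRights = $GPO.GetSecurityInfo()
+$SecurityRights | ForEach-Object -Process {
+#Get-GPPermissions -Guid $GPO.ID -DomainName $GPO.DomainName -All -Server $QueryServer | ForEach-Object -Process {
+$GPOPermission = $_
+if ($ExcludePermissionType -contains $GPOPermission.Permission) {
+return
+}
+if ($IncludePermissionType) {
+if ($IncludePermissionType -notcontains $GPOPermission.Permission) {
+return
+}
+}
+if ($SkipWellKnown.IsPresent) {
+if ($GPOPermission.Trustee.SidType -eq 'WellKnownGroup') {
+return
+}
+}
+if ($SkipAdministrative.IsPresent) {
+$IsAdministrative = $ADAdministrativeGroups['BySID'][$GPOPermission.Trustee.Sid.Value]
+if ($IsAdministrative) {
+return
+}
+}
+if ($Type -contains 'Unknown' -and $Type -notcontains 'All') {
+# May need updates if there's more types
+if ($GPOPermission.Trustee.SidType -ne 'Unknown') {
+return
+}
+}
+
+$ReturnObject = [ordered] @{
+DisplayName = $GPO.DisplayName # : ALL | Enable RDP
+GUID = $GPO.ID
+DomainName = $GPO.DomainName # : ad.evotec.xyz
+Enabled = $GPO.GpoStatus
+Description = $GPO.Description
+CreationDate = $GPO.CreationTime
+ModificationTime = $GPO.ModificationTime
+Permission = $GPOPermission.Permission # : GpoEditDeleteModifySecurity
+Inherited = $GPOPermission.Inherited # : False
+Domain = $GPOPermission.Trustee.Domain #: EVOTEC
+DistinguishedName = $GPOPermission.Trustee.DSPath #: CN = Domain Admins, CN = Users, DC = ad, DC = evotec, DC = xyz
+Name = $GPOPermission.Trustee.Name #: Domain Admins
+Sid = $GPOPermission.Trustee.Sid.Value #: S - 1 - 5 - 21 - 853615985 - 2870445339 - 3163598659 - 512
+SidType = $GPOPermission.Trustee.SidType #: Group
+
+}
+if ($IncludeGPOObject) {
+$ReturnObject.GPOObject = $GPO
+$ReturnObject.GPOSecurity = $SecurityRights
+}
+[PSCustomObject] $ReturnObject
+}
+if ($IncludeOwner.IsPresent) {
+if ($GPO.Owner) {
+$SplittedOwner = $GPO.Owner.Split('\')
+$DomainOwner = $SplittedOwner[0] #: EVOTEC
+$DomainUserName = $SplittedOwner[1] #: Domain Admins
+$SID = $ADAdministrativeGroups['ByNetBIOS']["$($GPO.Owner)"].Sid.Value
+if ($SID) {
+$SIDType = 'Group'
+$DistinguishedName = $ADAdministrativeGroups['ByNetBIOS']["$($GPO.Owner)"].DistinguishedName
+} else {
+$SIDType = ''
+$DistinguishedName = ''
+}
+} else {
+$DomainOwner = $GPO.Owner
+$DomainUserName = ''
+$SID = ''
+$SIDType = ''
+$DistinguishedName = ''
+}
+$ReturnObject = [ordered] @{
+DisplayName = $GPO.DisplayName # : ALL | Enable RDP
+GUID = $GPO.GUID
+DomainName = $GPO.DomainName # : ad.evotec.xyz
+Enabled = $GPO.GpoStatus
+Description = $GPO.Description
+CreationDate = $GPO.CreationTime
+ModificationTime = $GPO.ModificationTime
+Permission = 'GpoOwner' # : GpoEditDeleteModifySecurity
+Inherited = $false # : False
+Domain = $DomainOwner
+DistinguishedName = $DistinguishedName #: CN = Domain Admins, CN = Users, DC = ad, DC = evotec, DC = xyz
+Name = $DomainUserName
+Sid = $SID #: S - 1 - 5 - 21 - 853615985 - 2870445339 - 3163598659 - 512
+SidType = $SIDType # #: Group
+}
+if ($IncludeGPOObject) {
+$ReturnObject.GPOObject = $GPO
+$ReturnObject.GPOSecurity = $SecurityRights
+}
+[PSCustomObject] $ReturnObject
+}
+}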
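Review bot: The owner row built in the `$IncludeOwner` branch resolves the owner only through `$ADAdministrativeGroups['ByNetBIOS']`, so any owner that is not Domain/Enterprise Admins — the case that actually matters, since the owner of a GPO implicitly holds WRITE_DAC over it — is emitted with empty `Sid`, `SidType` and `DistinguishedName`, indistinguishable from an orphaned SID, and the `-Type Unknown` / `-SkipAdministrative` filtering applied to ACEs earlier in the function never touches that row. `$GPO.Owner.Split('\')` also leaves `Name` empty whenever the owner comes back as a bare SID string rather than `DOMAIN\name`. I would resolve non-administrative owners via NTAccount translation and set `SidType` to `'Unknown'` when that fails, so the owner row carries the same meaning as the ACE rows and the existing `'Unknown'` filter can be applied to it. Separately, the ACE row uses `$GPO.ID` while the owner row uses `$GPO.GUID`; unless `Microsoft.GroupPolicy.Gpo` exposes both, the owner row's `GUID` will be empty and callers that key on it (e.g. removal by GUID) will not match it — `GUID = $GPO.ID` would keep the two rows consistent.
```powershell
if ($GPO.Owner) {
    $SplittedOwner = $GPO.Owner.Split('\')
    $DomainOwner = $SplittedOwner[0]
    $DomainUserName = $SplittedOwner[1]
    $AdminEntry = $ADAdministrativeGroups['ByNetBIOS']["$($GPO.Owner)"]
    if ($AdminEntry) {
        $SID = $AdminEntry.Sid.Value
        $SIDType = 'Group'
        $DistinguishedName = $AdminEntry.DistinguishedName
    } else {
        # Owner is not Domain/Enterprise Admins: still resolve it, because a
        # non-administrative owner implicitly controls the GPO's ACL.
        $DistinguishedName = ''
        try {
            $SID = ([System.Security.Principal.NTAccount] $GPO.Owner).Translate([System.Security.Principal.SecurityIdentifier]).Value
            $SIDType = ''
        } catch {
            # Mirrors the 'Unknown' SidType the ACE rows carry for unresolvable trustees
            $SID = ''
            $SIDType = 'Unknown'
        }
    }
}
# … unchanged: owner-less branch and $ReturnObject construction …
```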
134 changes: 31 additions & 103 deletions Public/Get-GPOZaurrPermission.ps1
@@ -1,122 +1,50 @@
function Get-GPOZaurrPermission {
[cmdletBinding()]
[cmdletBinding(DefaultParameterSetName = 'GPO' )]
param(
[string[]]$NamedObjects,
[Parameter(ParameterSetName = 'GPOName')]
[string] $GPOName,

[Parameter(ParameterSetName = 'GPOGUID')]
[alias('GUID', 'GPOID')][string] $GPOGuid,

[validateSet('Unknown', 'All')][string[]] $Type = 'All',

[switch] $SkipWellKnown,
[switch] $SkipAdministrative,

[alias('ForestName')][string] $Forest,
[string[]] $ExcludeDomains,
[alias('Domain', 'Domains')][string[]] $IncludeDomains,
[System.Collections.IDictionary] $ExtendedForestInformation,

[alias('Unknown', 'All')][string[]] $Type = 'All',
[switch] $IncludeOwner,
[Microsoft.GroupPolicy.GPPermissionType[]] $IncludePermissionType,
[Microsoft.GroupPolicy.GPPermissionType[]] $ExcludePermissionType,
[switch] $IncludeGPOObject
[switch] $IncludeGPOObject,

[alias('ForestName')][string] $Forest,
[string[]] $ExcludeDomains,
[alias('Domain', 'Domains')][string[]] $IncludeDomains,
[System.Collections.IDictionary] $ExtendedForestInformation
)
Begin {
# if ($Type -contains 'NonAdministrative') {
$ADAdministrativeGroups = Get-ADADministrativeGroups -Type DomainAdmins, EnterpriseAdmins -Forest $Forest -IncludeDomains $IncludeDomains -ExcludeDomains $ExcludeDomains -ExtendedForestInformation $ExtendedForestInformation
#}
#$Count = 0
$ADAdministrativeGroups = Get-ADADministrativeGroups -Type DomainAdmins, EnterpriseAdmins -Forest $Forest -IncludeDomains $IncludeDomains -ExcludeDomains $ExcludeDomains -ExtendedForestInformation $ExtendedForestInformation
if ($Type -eq 'Unknown') {
if ($SkipAdministrative -or $SkipWellKnown) {
Write-Warning "Get-GPOZaurrPermission - Using SkipAdministrative or SkipWellKnown while looking for Unknown doesn't make sense as only Unknown will be displayed."
}
}
}
Process {
$ForestInformation = Get-WinADForestDetails -Forest $Forest -IncludeDomains $IncludeDomains -ExcludeDomains $ExcludeDomains -ExtendedForestInformation $ExtendedForestInformation
foreach ($Domain in $ForestInformation.Domains) {
$QueryServer = $ForestInformation['QueryServers'][$Domain]['HostName'][0]
Get-GPO -All -Domain $Domain -Server $QueryServer | ForEach-Object -Process {
$GPO = $_
Write-Verbose "Get-GPOZaurrPermission - Processing $($GPO.DisplayName) from $($GPO.DomainName)"
$SecurityRights = $GPO.GetSecurityInfo()
$SecurityRights | ForEach-Object -Process {
#Get-GPPermissions -Guid $GPO.ID -DomainName $GPO.DomainName -All -Server $QueryServer | ForEach-Object -Process {
$GPOPermission = $_
if ($ExcludePermissionType -contains $GPOPermission.Permission) {
return
}
if ($IncludePermissionType) {
if ($IncludePermissionType -notcontains $GPOPermission.Permission) {
return
}
}
if ($SkipWellKnown.IsPresent) {
if ($GPOPermission.Trustee.SidType -eq 'WellKnownGroup') {
return
}
}
if ($SkipAdministrative.IsPresent) {
$IsAdministrative = $ADAdministrativeGroups['BySID'][$GPOPermission.Trustee.Sid.Value]
if ($IsAdministrative) {
return
}
}

$ReturnObject = [ordered] @{
DisplayName = $GPO.DisplayName # : ALL | Enable RDP
GUID = $GPO.ID
DomainName = $GPO.DomainName # : ad.evotec.xyz
Enabled = $GPO.GpoStatus
Description = $GPO.Description
CreationDate = $GPO.CreationTime
ModificationTime = $GPO.ModificationTime
Permission = $GPOPermission.Permission # : GpoEditDeleteModifySecurity
Inherited = $GPOPermission.Inherited # : False
Domain = $GPOPermission.Trustee.Domain #: EVOTEC
DistinguishedName = $GPOPermission.Trustee.DSPath #: CN = Domain Admins, CN = Users, DC = ad, DC = evotec, DC = xyz
Name = $GPOPermission.Trustee.Name #: Domain Admins
Sid = $GPOPermission.Trustee.Sid.Value #: S - 1 - 5 - 21 - 853615985 - 2870445339 - 3163598659 - 512
SidType = $GPOPermission.Trustee.SidType #: Group

}
if ($IncludeGPOObject) {
$ReturnObject.GPOObject = $GPO
$ReturnObject.GPOSecurity = $SecurityRights
}
[PSCustomObject] $ReturnObject
if ($GPOName) {
Get-GPO -Name $GPOName -Domain $Domain -Server $QueryServer -ErrorAction SilentlyContinue | ForEach-Object -Process {
Get-PrivPermission -Type $Type -GPO $_ -SkipWellKnown:$SkipWellKnown.IsPresent -SkipAdministrative:$SkipAdministrative.IsPresent -IncludeOwner:$IncludeOwner.IsPresent -IncludeGPOObject:$IncludeGPOObject.IsPresent -IncludePermissionType $IncludePermissionType -ExcludePermissionType $ExcludePermissionType -ADAdministrativeGroups $ADAdministrativeGroups
}
} elseif ($GPOGuid) {
Get-GPO -Guid $GPOGuid -Domain $Domain -Server $QueryServer -ErrorAction SilentlyContinue | ForEach-Object -Process {
Get-PrivPermission -Type $Type -GPO $_ -SkipWellKnown:$SkipWellKnown.IsPresent -SkipAdministrative:$SkipAdministrative.IsPresent -IncludeOwner:$IncludeOwner.IsPresent -IncludeGPOObject:$IncludeGPOObject.IsPresent -IncludePermissionType $IncludePermissionType -ExcludePermissionType $ExcludePermissionType -ADAdministrativeGroups $ADAdministrativeGroups
}
if ($IncludeOwner.IsPresent) {
if ($GPO.Owner) {
$SplittedOwner = $GPO.Owner.Split('\')
$DomainOwner = $SplittedOwner[0] #: EVOTEC
$DomainUserName = $SplittedOwner[1] #: Domain Admins
$SID = $ADAdministrativeGroups['ByNetBIOS']["$($GPO.Owner)"].Sid.Value
if ($SID) {
$SIDType = 'Group'
$DistinguishedName = $ADAdministrativeGroups['ByNetBIOS']["$($GPO.Owner)"].DistinguishedName
} else {
$SIDType = ''
$DistinguishedName = ''
}
} else {
$DomainOwner = $GPO.Owner
$DomainUserName = ''
$SID = ''
$SIDType = ''
$DistinguishedName = ''
}
$ReturnObject = [ordered] @{
DisplayName = $GPO.DisplayName # : ALL | Enable RDP
GUID = $GPO.GUID
DomainName = $GPO.DomainName # : ad.evotec.xyz
Enabled = $GPO.GpoStatus
Description = $GPO.Description
CreationDate = $GPO.CreationTime
ModificationTime = $GPO.ModificationTime
Permission = 'GpoOwner' # : GpoEditDeleteModifySecurity
Inherited = $false # : False
Domain = $DomainOwner
DistinguishedName = $DistinguishedName #: CN = Domain Admins, CN = Users, DC = ad, DC = evotec, DC = xyz
Name = $DomainUserName
Sid = $SID #: S - 1 - 5 - 21 - 853615985 - 2870445339 - 3163598659 - 512
SidType = $SIDType # #: Group
}
if ($IncludeGPOObject) {
$ReturnObject.GPOObject = $GPO
$ReturnObject.GPOSecurity = $SecurityRights
}
[PSCustomObject] $ReturnObject
} else {
Get-GPO -All -Domain $Domain -Server $QueryServer | ForEach-Object -Process {
Get-PrivPermission -Type $Type -GPO $_ -SkipWellKnown:$SkipWellKnown.IsPresent -SkipAdministrative:$SkipAdministrative.IsPresent -IncludeOwner:$IncludeOwner.IsPresent -IncludeGPOObject:$IncludeGPOObject.IsPresent -IncludePermissionType $IncludePermissionType -ExcludePermissionType $ExcludePermissionType -ADAdministrativeGroups $ADAdministrativeGroups
}
}
}
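Review bot: The two new single-GPO lookups (`Get-GPO -Name $GPOName …` and `Get-GPO -Guid $GPOGuid …`) use `-ErrorAction SilentlyContinue`, which swallows access-denied and RPC/LDAP failures along with the expected not-found-in-this-domain case, so a permission audit scoped with -GPOName or -GPOGuid can come back empty and read as "no findings" when enumeration actually failed. Because the lookup is repeated for every domain in `$ForestInformation.Domains`, not-found is legitimate there, but other failures should be surfaced: wrap each lookup as `try { $Found = Get-GPO -Name $GPOName -Domain $Domain -Server $QueryServer -ErrorAction Stop } catch { Write-Warning "Get-GPOZaurrPermission - $Domain`: $($_.Exception.Message)"; $Found = $null }` and pipe `$Found` into Get-PrivPermission, skipping the warning for ObjectNotFound if the noise matters. In Begin, `$Type -eq 'Unknown'` relies on `-eq` acting as a filter over the string array; `$Type -contains 'Unknown'` states the intent and matches the check used inside Get-PrivPermission. The function body continues past the end of this hunk.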
35 changes: 20 additions & 15 deletions Public/Remove-GPOZaurrPermission.ps1
@@ -1,7 +1,16 @@
function Remove-GPOZaurrPermission {
[cmdletBinding(SupportsShouldProcess)]
param(
[alias('Unknown', 'Named')][string[]] $Type,
[Parameter(ParameterSetName = 'GPOName', Mandatory)]
[string] $GPOName,

[Parameter(ParameterSetName = 'GPOGUID', Mandatory)]
[alias('GUID', 'GPOID')][string] $GPOGuid,

[Parameter(ParameterSetName = 'GPOGUID', Mandatory)]
[validateset('Unknown', 'Named')][string[]] $Type,


[Microsoft.GroupPolicy.GPPermissionType[]] $IncludePermissionType,
[Microsoft.GroupPolicy.GPPermissionType[]] $ExcludePermissionType,
[switch] $SkipWellKnown,
Expand Down Expand Up @@ -33,11 +42,11 @@
$GPOPermission.GPOSecurity.RemoveTrustee($GPOPermission.Sid)
$GPOPermission.GPOObject.SetSecurityInfo($GPOPermission.GPOSecurity)
# Set-GPPPermission doesn't work on Unknown Accounts
$Count++
if ($Count -eq $LimitProcessing) {
# skipping skips per removed permission not per gpo.
break
}
}
$Count++
if ($Count -eq $LimitProcessing) {
# skipping skips per removed permission not per gpo.
break
}
}
}
Expand All @@ -49,17 +58,13 @@
$GPOPermission.GPOSecurity.RemoveTrustee($GPOPermission.Sid)
$GPOPermission.GPOObject.SetSecurityInfo($GPOPermission.GPOSecurity)
# Set-GPPPermission doesn't work on Unknown Accounts
$Count++
if ($Count -eq $LimitProcessing) {
# skipping skips per removed permission not per gpo.
break
}
}

$Count++
if ($Count -eq $LimitProcessing) {
# skipping skips per removed permission not per gpo.
break
}
}



}
#Set-GPPermission -PermissionLevel None -TargetName $GPOPermission.Sid -Verbose -DomainName $GPOPermission.DomainName -Guid $GPOPermission.GUID #-WhatIf
#Set-GPPermission -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Verbose -DomainName $Domain -Guid $_.GUID -WhatIf
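Review bot: In the first hunk `$Type` carries `[Parameter(ParameterSetName = 'GPOGUID', Mandatory)]`, the same attribute as `$GPOGuid`, which places it in the GPOGUID set only: `Remove-GPOZaurrPermission -GPOName X -Type Unknown` will fail with an unresolvable parameter set, while `-GPOName X` alone is accepted with an empty `$Type`, and for a command that removes trustees from GPO ACLs what then gets removed depends on code outside this hunk. Unless the name-based path is meant to forbid -Type, this looks like a copy-paste of the attribute above; I would make it `[Parameter(Mandatory)]` (all sets) directly above `[validateset('Unknown', 'Named')][string[]] $Type,`. The `RemoveTrustee`/`SetSecurityInfo` calls in the later hunks are not gated by `$PSCmdlet.ShouldProcess` within the visible lines; if the gate lives earlier in the loop that is fine, otherwise `SupportsShouldProcess` on the cmdlet is not honoured for the actual ACL write. The function body starts and ends outside the visible hunks.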
