functions/local/Get-LocalAdminPrincipal.ps1

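function Get-LocalAdminPrincipal {
    <#
    .SYNOPSIS
        Lists the well-known privileged principals and the direct members of the local
        Administrators and Backup Operators groups.

    .DESCRIPTION
        Emits one object per entry of a fixed list of well-known SIDs (SYSTEM, LOCAL SERVICE,
        NETWORK SERVICE, Administrators, Backup Operators, TrustedInstaller, CREATOR OWNER),
        followed by one object per direct member of the local Administrators and
        Backup Operators groups.

        Group members that are themselves groups are reported with IsGroup = $true but are
        NOT expanded. A consumer that uses this output as an allow-list of privileged
        identities therefore sees a nested group only, not the accounts inside it.

    .OUTPUTS
        PSCustomObject with the properties ComputerName, Name, SID, SidString, Path, Group,
        IsLocal and IsGroup. Group and Path are empty strings for the well-known entries.
    #>
    [CmdletBinding()]
    param ()

    #region Functions
    function Get-LocalGroupMemberEx {
        <#
        .SYNOPSIS
            Enumerates the direct members of a local group through the ADSI WinNT provider.

        .PARAMETER Group
            The group to read: a bare name, a 'DOMAIN\Name' string or a SID string.
        #>
        [CmdletBinding()]
        param (
            [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
            [string]
            $Group
        )

        process {
            $groupName = $Group
            # The WinNT path below takes the bare group name, so drop a 'DOMAIN\' prefix.
            if ($groupName -match '\\') { $groupName = ($groupName -split "\\")[1] }
            # A SID string is translated to its account name, which lets callers pass
            # well-known SIDs instead of display names.
            if ($groupName -as [System.Security.Principal.SecurityIdentifier]) {
                $groupName = ([System.Security.Principal.SecurityIdentifier]$groupName).Translate([System.Security.Principal.NTAccount]).ToString().Split('\')[-1]
            }

            # Get-LocalGroupMember fails when a member cannot be resolved
            $localGroup = [ADSI]"WinNT://localhost/$groupName,group"
            $members = $localGroup.psbase.Invoke("Members")

            foreach ($member in $members) {
                $memberType = $member.GetType()
                $name = $memberType.InvokeMember("Name", "GetProperty", $null, $member, $null)
                $adsPath = $memberType.InvokeMember("ADsPath", "GetProperty", $null, $member, $null)

                # Take the SID from the membership entry itself. Resolving the bare account
                # name is ambiguous (a local and a domain account can share a name) and the
                # lookup can return the wrong principal or fail outright.
                $sid = $null
                try {
                    $sidBytes = [byte[]]$memberType.InvokeMember("objectSid", "GetProperty", $null, $member, $null)
                    if ($null -ne $sidBytes -and $sidBytes.Length -gt 0) {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0
                    }
                }
                catch {
                    Write-Verbose "Could not read objectSid for '$name' ($adsPath): $($_.Exception.Message)"
                }

                # Fallback: the original name-based resolution. Unresolvable members are
                # listed under their SID string, hence the -as attempt first.
                if (-not $sid) {
                    $sid = $name -as [System.Security.Principal.SecurityIdentifier]
                    if (-not $sid) { $sid = ([System.Security.Principal.NTAccount]$name).Translate([System.Security.Principal.SecurityIdentifier]) }
                }

                $isGroup = $memberType.InvokeMember("Class", "GetProperty", $null, $member, $null) -eq "group"
                # NOTE(review): 'WinNT://NT*' is meant for paths such as 'WinNT://NT AUTHORITY/...',
                # but it also matches any domain whose NetBIOS name begins with 'NT'; principals
                # from such a domain would be reported as local. Confirm this is acceptable or
                # decide locality from the SID instead.
                $isLocal = ($adsPath -like "*/$env:COMPUTERNAME/*") -or ($adsPath -like "WinNT://NT*")

                [PSCustomObject]@{
                    ComputerName = $env:COMPUTERNAME
                    Name         = $name
                    SID          = $sid
                    SidString    = "$sid"
                    Path         = $adsPath
                    Group        = $groupName
                    IsLocal      = $isLocal
                    IsGroup      = $isGroup
                }
            }
        }
    }
    #endregion Functions

    $builtIn = @(
        'S-1-5-18' # System
        'S-1-5-19' # NT AUTHORITY\LOCAL SERVICE
        'S-1-5-20' # NT AUTHORITY\NETWORK SERVICE

        'S-1-5-32-544' # Administrators
        'S-1-5-32-551' # Backup Operators

        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # 'NT SERVICE\TrustedInstaller'

        'S-1-3-0' # CREATOR OWNER (whitelisted, scan owner instead)
    )
    $builtInAdminGroups = @(
        'S-1-5-32-544' # Administrators
        'S-1-5-32-551' # Backup Operators
    )

    foreach ($principal in $builtIn) {
        [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            # Best effort: Name stays empty when the SID cannot be translated on this host.
            Name         = $(try { ([System.Security.Principal.SecurityIdentifier]$principal).Translate([System.Security.Principal.NTAccount]) } catch { Write-Verbose "Could not translate $principal to an account name: $($_.Exception.Message)" })
            SID          = [System.Security.Principal.SecurityIdentifier]$principal
            SidString    = $principal
            Path         = ''
            # Same property set as the group-member objects below, so table and CSV output
            # (which take their columns from the first object) do not drop the Group column.
            Group        = ''
            IsLocal      = $true
            IsGroup      = $principal -in $builtInAdminGroups
        }
    }
    # Direct members only; groups found among them are not expanded further.
    $builtInAdminGroups | Get-LocalGroupMemberEx
}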