private/Get-RBACOrphanedEndpointRights.ps1
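Function Get-RBACOrphanedEndpointRights {
    <#
    .SYNOPSIS
        Reports, and with -Remove deletes, groups under a component's LocalRights OU whose
        name does not match any "localright-<endpoint>-<right>" name expected for the
        computers currently in that component's Endpoints OU.
    .DESCRIPTION
        Builds the set of expected group names (one per computer in the Endpoints OU per entry
        in $EndpointRightsList), lists the groups actually present under the LocalRights OU and
        emits every group not in the expected set with Status 'MissingEndpoint'. Groups that are
        expected are only written to the verbose stream. With -Remove each reported group is
        deleted; the deletion is gated by $PSCmdlet.ShouldProcess so the function's own
        -WhatIf / -Confirm (ConfirmImpact High) apply to every removal.
    .PARAMETER Component
        Name of the component OU under the org's components OU. Accepted from the pipeline by
        property name.
    .PARAMETER Org
        Name of the org OU; validated to exist under $OrgsOUStruct. Accepted from the pipeline
        by property name.
    .PARAMETER Remove
        Delete each reported group after the report has been emitted.
    .OUTPUTS
        One object per orphaned group with name, Status ('MissingEndpoint') and Identity
        (the group's distinguishedName).
    .NOTES
        Relies on $OrgsOUStruct, $ComponentsOUStruct and $EndpointRightsList being defined in
        an enclosing scope (not visible here). Every group under the LocalRights OU that is not
        in the expected set is reported, including groups that do not follow the
        "localright-" naming scheme at all, so review the report before running with -Remove.
    #>
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, Position = 0)]
        [ArgumentCompleter( { (Get-RBACComponent).Component })]
        [String]$Component,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, Position = 2)]
        [ValidateScript({ [Bool](Get-ADOrganizationalUnit -Identity "OU=$_,OU=$($OrgsOUStruct.Name),$($OrgsOUStruct.Path)") })]
        [ArgumentCompleter( { (Get-RBACOrg).Org })]
        [String]$Org,

        [switch]$Remove
    )

    BEGIN {
        # Relative OU names that hang off the component OU.
        $LocalRightsOU = 'OU=LocalRights'
        $EndpointsOU = 'OU=Endpoints'
    }

    PROCESS {
        # Kept for callers that pipe objects carrying Org/Component properties; the
        # ValueFromPipelineByPropertyName binding normally already does this.
        if ($PSItem.Org) { $Org = $PSItem.Org }
        if ($PSItem.Component) { $Component = $PSItem.Component }

        $OrgPath = "OU=$Org,OU=$($OrgsOUStruct.Name),$($OrgsOUStruct.Path)"
        $ComponentPath = "OU=$Component,OU=$($ComponentsOUStruct.Name),$OrgPath"
        $LocalRightsPath = "$LocalRightsOU,$ComponentPath"
        $EndpointsPath = "$EndpointsOU,$ComponentPath"

        # Expected group names: one "localright-<endpoint>-<right>" per (computer, right) pair.
        # An empty Endpoints OU yields an empty expected set, so every existing group is reported.
        $EndpointList = (Get-ADComputer -SearchBase $EndpointsPath -Filter *).Name
        $RightsShouldExist = foreach ($endpoint in $EndpointList) {
            foreach ($right in $EndpointRightsList) {
                "localright-$endpoint-$($right.Name)"
            }
        }

        $GroupsThatExist = Get-ADGroup -SearchBase $LocalRightsPath -Filter * |
            Select-Object name, distinguishedName

        $Report = foreach ($group in $GroupsThatExist) {
            if ($RightsShouldExist -notcontains $group.name) {
                $group | Select-Object name,
                    @{ n = 'Status'; e = { 'MissingEndpoint' } },
                    @{ n = 'Identity'; e = { $_.DistinguishedName } }
            } else {
                Write-Verbose "valid $($group.name)"
            }
        }

        # Emit the report before any deletion so -WhatIf callers still see what would go.
        $Report

        if ($Remove) {
            foreach ($orphan in $Report) {
                # ShouldProcess honours the function's -WhatIf/-Confirm; -Confirm:$false on the
                # cmdlet avoids a second prompt for the action the caller just approved.
                if ($PSCmdlet.ShouldProcess($orphan.Identity, 'Remove orphaned local-rights group')) {
                    Remove-ADGroup -Identity $orphan.Identity -Confirm:$false
                }
            }
        }
    }
}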