tests/Test-HostServiceAccounts.ps1

function Test-HostServiceAccounts {
    [CmdletBinding()]
    param (
        [parameter()][string] $TestName = "Service Account Permissions",
        [parameter()][string] $TestGroup = "configuration",
        [parameter()][string] $Description = "Validate services accounts and permissions",
        [parameter()][hashtable] $ScriptParams
    )
    $privs = ('SeServiceLogonRight','SeAssignPrimaryTokenPrivilege','SeChangeNotifyPrivilege','SeIncreaseQuotaPrivilege')
    $builtin = ('LocalSystem','NT AUTHORITY\NetworkService','NT AUTHORITY\LocalService')
    try {
        $startTime = (Get-Date)
        $svcConfig = @(Get-CmHealthDefaultValue -KeySet "services" -DataSet $CmHealthConfig)
        [System.Collections.Generic.List[PSObject]]$tempdata = @() # for detailed test output to return if needed
        $stat   = "PASS"
        $except = "FAIL"
        $msg    = "No issues found"
        foreach ($service in $svcConfig) {
            $svcName = $service.Name
            $svcRef  = $service.Reference
            $privs   = $service.Privileges
            $startup = $service.StartMode
            $delayed = if ($service.DelayedAutoStart -eq 'true') { $True } else { $False }
            Write-Log -Message "service name: $svcName"
            try {
                $svc = Get-WmiQueryResult -ClassName "Win32_Service" -Query "Name = '$svcName'" -Params $ScriptParams
                if ($null -ne $svc) {
                    $svcAcct  = $svc.StartName
                    $svcStart = $svc.StartMode
                    $svcDelay = $svc.DelayedAutoStart
                    Write-Log -Message "checking service account: $svcAcct"
                    if ($svcAcct -in $builtin) {
                        Write-Log -Message "built-in account with default privileges"
                        $tempdata.Add(
                            [pscustomobject]@{
                                ServiceName = $svcName
                                ServiceAcct = $svcAcct
                                Reference   = $svcRef
                                Privilege   = 'default'
                                StartMode   = $startup
                                DelayStart  = $delayed
                                Compliant   = 'true'
                                Status      = 'PASS'
                                Reason      = 'Default configuration'
                            }
                        )
                    }
                    else {
                        $cprivs = Get-CPrivilege -Identity $svcAcct
                        $privs -split ',' | Foreach-Object {
                            $priv = $_
                            if ($priv -notin $cprivs) {
                                $res  = $except
                                $stat = $except
                                $msgx = 'Insufficient privileges'
                            } else {
                                $res  = 'PASS'
                                $msgx = 'Correct configuration'
                            }
                            Write-Log -Message "service account privileges: $res"
                            if ($svcStart -ne $startup) {
                                $res  = $except
                                $stat = $except
                                $msgx = 'Startup type'
                            } else {
                                $res  = 'PASS'
                                $msgx = 'Correct configuration'
                            }
                            Write-Log -Message "startup mode = $res"
                            if ($svcDelay -ne $delayed) {
                                $res  = $except
                                $stat = $except
                                $msgx = 'Delayed start'
                            } else {
                                $res  = 'PASS'
                                $msgx = 'Correct configuration'
                            }
                            Write-Log -Message "startup delay = $res"
                            $tempdata.Add(
                                [pscustomobject]@{
                                    ServiceName = $svcName
                                    ServiceAcct = $svcAcct
                                    Reference   = $svcRef
                                    Privilege   = $priv
                                    StartMode   = $startup
                                    DelayStart  = $delayed
                                    Compliant   = $res
                                    Status      = $stat
                                    Reason      = $msgx
                                }
                            )
                        }
                    }
                } else {
                    Write-Log -Message "service not found: $svcName"
                }
            }
            catch {
                Write-Error "$svcName = $($_.Exception.Message -join ';')"
            }
        }
    }
    catch {
        $stat = 'ERROR'
        $msg  = $_.Exception.Message -join ';'
    }
    finally {
        if ($cs) { $cs.Close(); $cs = $null }
        Write-Output $([pscustomobject]@{
            TestName    = $TestName
            TestGroup   = $TestGroup
            TestData    = $tempdata
            Description = $Description
            Status      = $stat
            Message     = $msg
            RunTime     = $(Get-RunTime -BaseTime $startTime)
            Credential  = $(if($ScriptParams.Credential){$($ScriptParams.Credential).UserName} else { $env:USERNAME })
        })
    }
}