windows_hardening
Skip checks for DC if server is not domain controller
Hi.
Would it be possible to add a check for the type of server and if not domain controller to skip the checks that only apply to the DCs?
Your tool is great, but it yields some false positives if the server is a member server and not a DC. Example below:
[*] Domain role: MemberServer [$] ID 2.3.5.1, Domain controller: Allow server operators to schedule tasks (DC), Result=, Recommended=0, Severity=Medium
I think the easiest way is to split the CIS lists into member server and DC, similar to the Microsoft Security Baselines. I'll look into it
Also related to the above, and why I think there should be some flags to turn checks on or off, is that there are 2 other checks that only apply if servers are running IIS or Hyper-V, and again the results can show the setting as being wrong when it actually is not: 2.2.18.2 and 2.2.32.
Just a suggestion to have fewer files to maintain: add a column "applies to" (like from the MS Security Baseline Windows 10)
That column could then be compared to $MachineInformation.CsDomainRole.
Also, since there is e.g. no MSFT audit config for the StandaloneWorkstation type, some checks wouldn't fail if you audit them against a non-domain member server.
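The "applies to" column idea above, together with the IIS/Hyper-V point from the earlier comment, can be sketched as a filter that runs before the checks. This is an added example, not HardeningKitty's own code: the column name AppliesTo, the tags All/DC/MemberServer/IIS/HyperV, the finding names marked as placeholders and the sample CSV are all constructed here. CsDomainRole is the Get-ComputerInfo property named in the thread; Get-WindowsFeature (ServerManager module, Windows Server only) is assumed to be available for the IIS and Hyper-V detection.

```powershell
# Constructed sample finding list with an extra "AppliesTo" column.
# IDs 2.3.5.1, 2.2.18.2 and 2.2.32 are the ones named in the issue; the names for
# the last two are placeholders, not the real CIS titles.
$findingCsv = @'
ID,Name,AppliesTo,Recommended,Severity
2.3.5.1,"Domain controller: Allow server operators to schedule tasks (DC)",DC,0,Medium
2.2.18.2,"IIS-only user rights check (placeholder name)",IIS,,Medium
2.2.32,"Hyper-V-only user rights check (placeholder name)",HyperV,,Medium
2.3.1.1,"Accounts: Administrator account status",All,Disabled,Medium
'@
$findings = $findingCsv | ConvertFrom-Csv

function Get-ApplicableTag {
    # Build the set of tags that describe this machine. 'All' always applies.
    $tags = @('All')
    $role = (Get-ComputerInfo).CsDomainRole
    if ($role -in 'PrimaryDomainController', 'BackupDomainController') {
        $tags += 'DC'
    } elseif ($role -eq 'MemberServer') {
        $tags += 'MemberServer'
    } elseif ($role -eq 'StandaloneServer') {
        $tags += 'StandaloneServer'
    }
    # Feature detection only works on Windows Server; on clients the cmdlet is absent.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        if ((Get-WindowsFeature -Name Web-Server).Installed) { $tags += 'IIS' }
        if ((Get-WindowsFeature -Name Hyper-V).Installed)    { $tags += 'HyperV' }
    }
    return $tags
}

function Select-ApplicableFinding {
    # Keep a finding when at least one of its AppliesTo tags (semicolon separated)
    # matches a tag of this machine; report skipped findings on the verbose stream.
    param(
        [Parameter(Mandatory)] [object[]] $FindingList,
        [string[]] $Tags = (Get-ApplicableTag)
    )
    foreach ($finding in $FindingList) {
        $applies = ($finding.AppliesTo -split ';') | ForEach-Object { $_.Trim() }
        if ($applies | Where-Object { $_ -in $Tags }) {
            $finding
        } else {
            Write-Verbose "[*] Skipping ID $($finding.ID): applies to '$($finding.AppliesTo)', this host is '$($Tags -join ',')'"
        }
    }
}

# Usage: on a member server without IIS or Hyper-V only 2.3.1.1 survives the filter,
# so the DC-only and feature-only checks no longer show up as false positives.
Select-ApplicableFinding -FindingList $findings -Tags 'All', 'MemberServer' -Verbose |
    Format-Table ID, Name, AppliesTo
```

Passing -Tags explicitly, as in the usage line, lets the list be tested on any workstation without running Get-ComputerInfo; omitting it uses the detected role and features of the machine the audit runs on.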
@lordfiSh's suggestion would be a plausible approach. I don't want to introduce too much complexity; besides, everyone has the possibility to create their own lists and remove findings or define recommendations according to their own needs. I am still considering a solution.