
Bug reported via email

Open PrzemyslawKlys opened this issue 4 years ago • 0 comments

I just started using your module, it's very nice!

However, I found that there seems to be a bug in reporting password quality.

The function Get-WinADAccounts is trying to compare the user list to a SamAccountName; however, DSInternals does not return the username in that format. It appears to return it like Domain\User. To resolve this, I modified the function as below:

```powershell
function Get-WinADAccounts {
    [CmdletBinding()]
    param([Array] $UserNameList,
        [Array[]] $ADCatalog)
    $Accounts = foreach ($User in $UserNameList) {
        # DSInternals reports names as 'DOMAIN\user'; strip the prefix before comparing to SamAccountName
        $SamAccountName = $User -replace "(\w+)(?:[\\\/])"
        foreach ($Catalog in $ADCatalog) {
            foreach ($Entry in $Catalog) {
                if ($Entry.SamAccountName -eq $SamAccountName) { $Entry }
            }
        }
    }
    return $Accounts
}
```

I also found that Get-WinADDomainPasswordQuality had some brackets out of place, resulting in $Data.DomainPasswordEmptyPassword being empty.

Looks like $Data.DomainPasswordDuplicatePasswordGroups might suffer from the same bug.

```powershell
$Data.DomainPasswordDuplicatePasswordGroups = Invoke-Command -ScriptBlock {
    $DuplicateGroups = $Data.PasswordQuality.DuplicatePasswordGroups.ToArray()
    $Count = 0
    $Value = foreach ($DuplicateGroup in $DuplicateGroups) {
        $Count++
        $Name = "Duplicate $Count"
        foreach ($User in $DuplicateGroup) {
            # DSInternals reports members as 'DOMAIN\user'; strip the prefix before matching SamAccountName
            $SamAccountName = $User -replace "(\w+)(?:[\\\/])"
            # Start from the group label for every user so a previous user's merged object is never reused
            $MergedObject = [pscustomobject] @{'Duplicate Group' = $Name }
            $FullUserInformation = foreach ($Entry in $DomainUsersAll) { if ($Entry.SamAccountName -eq $SamAccountName) { $Entry } }
            $FullComputerInformation = foreach ($Entry in $DomainComputersAll) { if ($Entry.SamAccountName -eq $SamAccountName) { $Entry } }
            if ($FullUserInformation) { $MergedObject = Merge-Objects -Object1 $MergedObject -Object2 $FullUserInformation }
            if ($FullComputerInformation) { $MergedObject = Merge-Objects -Object1 $MergedObject -Object2 $FullComputerInformation }
            $MergedObject
        }
    }
    return $Value | Select-Object -Property $Properties
}
```

There is also a bug with Get-WinADDomainOrganizationalUnitsACL related to Get-ACL. Apparently if an OU has a "" as an escape character in it, it will give a syntax error. My solution for that is below:

```powershell
function Get-WinADDomainOrganizationalUnitsACL {
    [cmdletbinding()]
    param([Array] $DomainOrganizationalUnitsClean,
        [string] $Domain = $Env:USERDNSDOMAIN,
        [string] $NetBiosName,
        [string] $RootDomainNamingContext)
    $OUs = @(foreach ($OU in $DomainOrganizationalUnitsClean) { @{Name = 'Organizational Unit'; Value = $OU.DistinguishedName } })
    # Mapping a PSDrive and reading ACLs through it is replaced by the provider's full path below
    #$null = New-PSDrive -Name $NetBiosName -Root '' -PsProvider ActiveDirectory -Server $Domain
    @(foreach ($OU in $OUs) {
        #$ACL = Get-Acl -Path "$NetBiosName`:\$($OU.Value)"
        # Address the OU through the ActiveDirectory provider directly, using its distinguished name
        $ACL = Get-Acl -Path "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$($OU.Value)"
        [PsCustomObject] @{
            'Distinguished Name'        = $OU.Value
            'Type'                      = $OU.Name
            'Owner'                     = $ACL.Owner
            'Group'                     = $ACL.Group
            'Are AccessRules Protected' = $ACL.AreAccessRulesProtected
            'Are AuditRules Protected'  = $ACL.AreAuditRulesProtected
            'Are AccessRules Canonical' = $ACL.AreAccessRulesCanonical
            'Are AuditRules Canonical'  = $ACL.AreAuditRulesCanonical
        }
    })
}
```

PrzemyslawKlys, Dec 07 '20 09:12
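The name-format mismatch described in the report, shown as an added example that is not code from the issue, from PSWinDocumentation.AD or from DSInternals: it normalises `DOMAIN\user` names to a SamAccountName before matching against a catalog, and also shows why the `(\w+)(?:[\\\/])` replace used above silently drops accounts whose NetBIOS domain name contains a hyphen. The function names, the catalog and the name list are constructed for the example.

```powershell
# Added example: normalise DSInternals-style 'DOMAIN\user' names and match them by SamAccountName.
function ConvertTo-SamAccountName {
    param([Parameter(Mandatory)][string] $Name)
    # Strip only the leading 'DOMAIN\' or 'DOMAIN/' prefix, whatever characters the
    # NetBIOS name contains; a UPN-style 'user@domain' keeps the part before '@'.
    if ($Name -match '^[^\\/]+[\\/](.+)$') { return $Matches[1] }
    if ($Name -match '^([^@]+)@') { return $Matches[1] }
    return $Name
}

function Get-MatchingAccounts {
    param([string[]] $UserNameList, [object[]] $Catalog)
    foreach ($User in $UserNameList) {
        $Sam = ConvertTo-SamAccountName -Name $User
        foreach ($Entry in $Catalog) {
            if ($Entry.SamAccountName -eq $Sam) { $Entry }
        }
    }
}

# Constructed catalog standing in for $DomainUsersAll
$Catalog = @(
    [pscustomobject] @{ SamAccountName = 'jdoe';       Enabled = $true }
    [pscustomobject] @{ SamAccountName = 'svc-backup'; Enabled = $true }
    [pscustomobject] @{ SamAccountName = 'corp-jdoe';  Enabled = $false }
)

# Constructed names in the format DSInternals reports; note the hyphenated NetBIOS name
$Names = 'CORP\jdoe', 'CORP-TEST\svc-backup', 'jdoe@corp.example'

# The '(\w+)(?:[\\\/])' replace turns 'CORP-TEST\svc-backup' into 'CORP-svc-backup', so that
# account would be missing from the password-quality report; the anchored version keeps it.
$Names | ForEach-Object { '{0,-24} -> {1}' -f $_, ($_ -replace '(\w+)(?:[\\\/])') }
$Names | ForEach-Object { '{0,-24} -> {1}' -f $_, (ConvertTo-SamAccountName -Name $_) }

Get-MatchingAccounts -UserNameList $Names -Catalog $Catalog | Format-Table -AutoSize
```

Because a missed match means an account with an empty or duplicate password simply disappears from the report rather than raising an error, it is worth running the name normaliser over the full DSInternals output and counting the unmatched names.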