
Add Interactive Dialog For ESC1-3 in Modes 1,3,4

Status: Open. jakehildreth opened this issue 1 year ago (0 comments).

The current remediation code for ESC1-3 is pretty heavy-handed and could result in a serious impact on operations.

Locksmith should ask the user questions to generate the best remediation code. For example:

  1. Does this principal administer this template?
  2. Does this principal need to Enroll/AutoEnroll in this template?
  3. Is this principal a service account that should be allowed to enroll in a template on behalf of other principals?
  • If the principal administers the template, check privileges already assigned.
    • If the principal doesn't have GenericAll/WriteOwner/WriteDacl/WriteProperty on non-Enroll/AutoEnroll rights, question the user's answers.
    • If the principal has required rights, mark as expected but highlight risk, i.e. if AD Admin group, low risk; if single service account, medium risk.
  • If the principal doesn't administer the template, ask if they need to Enroll/AutoEnroll for themselves or others.
    • If self, mark template as possibly needing Manager Approval.
    • If others, check/ask if principal is a service account.
      • If service account, highlight risk. (Eventually, check password age and other attributes that make service account more dangerous.)
      • If not, highlight risk?

jakehildreth · Aug 03 '24 13:08
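As an added example (not Locksmith's own code), here is the decision tree from the proposal expressed as a single PowerShell function: the answers to the three questions and the rights read from the template ACE go in, and an expected/risk/action verdict comes out. The function name `Get-TemplateAssessment`, its parameters, and the "no Enroll needed" branch (not spelled out in the issue) are assumptions.

```powershell
# Added example, not Locksmith code. Implements the ESC1-3 remediation decision
# tree from the issue. Inputs are assumed to come from an interactive prompt
# (the three questions) and from the template's ACL (the principal's rights).
function Get-TemplateAssessment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$Template,
        [string[]]$Rights = @(),                 # rights found on the ACE, e.g. 'Enroll','WriteDacl'
        [bool]$AdministersTemplate,              # Q1: does this principal administer the template?
        [bool]$NeedsEnroll,                      # Q2: does it need Enroll/AutoEnroll at all?
        [ValidateSet('Self','Others')][string]$EnrollsFor = 'Self',
        [bool]$IsServiceAccount,                 # Q3: service account enrolling on behalf of others?
        [bool]$IsAdminGroup                      # principal is an AD admin group (low-risk case)
    )
    $adminRights   = 'GenericAll', 'WriteOwner', 'WriteDacl', 'WriteProperty'
    $hasAdminRight = @($Rights | Where-Object { $_ -in $adminRights }).Count -gt 0
    $r = [ordered]@{ Principal = $Principal; Template = $Template; Expected = $false; Risk = 'Unknown'; Action = '' }

    if ($AdministersTemplate) {
        if (-not $hasAdminRight) {
            # Answers contradict the ACL: claimed admin has only Enroll-type rights.
            $r.Action = "Claimed administrator has no admin rights (found: $($Rights -join ', ')). Re-check answers."
        } else {
            $r.Expected = $true
            $r.Risk     = if ($IsAdminGroup) { 'Low' } else { 'Medium' }
            $r.Action   = 'Expected; review periodically. Single accounts with admin rights are a larger blast radius than an admin group.'
        }
    } elseif (-not $NeedsEnroll) {
        # Assumed branch: the right is not needed, so removing it is the plain remediation.
        $r.Risk   = 'High'
        $r.Action = 'Remove Enroll/AutoEnroll from the template ACL for this principal.'
    } elseif ($EnrollsFor -eq 'Self') {
        $r.Risk   = 'Medium'
        $r.Action = 'Consider requiring Manager Approval on the template instead of removing the right.'
    } else {
        $r.Risk   = 'High'
        $r.Action = if ($IsServiceAccount) {
            'Service account enrolls for others: highlight; later also check password age and similar attributes.'
        } else { 'Non-service account enrolls for others: highlight and confirm this is intended.' }
    }
    [pscustomobject]$r
}

# Constructed sample: a lone service account holding WriteDacl on a template it claims to administer.
Get-TemplateAssessment -Principal 'CORP\svc-pki' -Template 'WebServerCustom' `
    -Rights 'Enroll', 'WriteDacl' -AdministersTemplate $true -NeedsEnroll $true -IsServiceAccount $true
```

The sample call returns Expected = True with Risk = Medium, which is the "single service account" case the issue describes.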