.Synopsis
ADACLScan.ps1
THIS CODE-SAMPLE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPR
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTAB
FITNESS FOR A PARTICULAR PURPOSE.
.DESCRIPTION
A tool with a GUI or command line, used to create reports of access control lists (DACLs) and system a
See https://github.com/canix1/ADACLScanner
.EXAMPLE
.\ADACLScan.ps1
Start in GUI mode.
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM"
Returns the permissions of the object CORP.
.EXAMPLE
.\ADACLScan.ps1 -Base rootdse
Returns the ACL of the domain root.
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Credentials $CREDS -Server 10.0.0
Returns the permissions of the object CORP using credentials on Domain Controller 10.0.0.20.
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Output HTML
Create an HTML file with the permissions of the object CORP.
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Output EXCEL
Create an Excel file with the permissions of the object CORP.
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Output HTML -Show
Opens the HTML (HTA) file with the permissions of the object CORP.
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Output HTML -Show -SDDate
Opens the HTML (HTA) file with the permissions of the object CORP including the modified date of th
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -OutputFolder C:\Temp
Create a CSV file in the folder C:\Temp, with the permissions of the object CORP.
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Scope subtree
Create a CSV file with the permissions of the object CORP and all child objects of type Organizationa
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Scope subtree -EffectiveRightsPrinc
Create a CSV file with the effective permissions of all the objects in the path for the user "joe".
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Scope subtree -Filter "(objectClass=
Create a CSV file with the permissions of all the objects in the path and below that matches the filter
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Scope subtree -Filter "(objectClass=
Targeted search against server "DC1" that will create a CSV file with the permissions of all the object
.EXAMPLE
.\ADACLScan.ps1 -Base "OU=CORP,DC=CONTOS,DC=COM" -Scope subtree -Filter "(objectClass=
Targeted search against server "DC1" on port 389 that will create a CSV file with the permissions of a
.EXAMPLE
.\ADACLScan.ps1 -Base "ou=mig,dc=contoso,dc=com" -Output CSVTEMPLATE
Exit
}
# Global defaults for paged LDAP searches.
# Time-out (seconds) applied to a paged search.
Set-Variable -Scope Global -Name TimeoutSeconds -Value 120
# Number of entries requested per page.
Set-Variable -Scope Global -Name PageSize -Value 1000
# Forest functional level: numeric level reported by AD -> display name.
# NOTE(review): Windows Server 2019 did not ship a new forest functional level
# (2016 is level 7); confirm the level-8 entry is intentional.
$global:ForestFLHashAD = @{
    0 = "Windows 2000 Server"
    1 = "Windows Server 2003/Interim"
    2 = "Windows Server 2003"
    3 = "Windows Server 2008"
    4 = "Windows Server 2008 R2"
    5 = "Windows Server 2012"
    6 = "Windows Server 2012 R2"
    7 = "Windows Server 2016"
    8 = "Windows Server 2019"
}
# Domain functional level: numeric level reported by AD -> display name.
# NOTE(review): Windows Server 2019 did not ship a new domain functional level
# (2016 is level 7); confirm the level-8 entry is intentional.
$global:DomainFLHashAD = @{
    0 = "Windows 2000 Server"
    1 = "Windows Server 2003/Interim"
    2 = "Windows Server 2003"
    3 = "Windows Server 2008"
    4 = "Windows Server 2008 R2"
    5 = "Windows Server 2012"
    6 = "Windows Server 2012 R2"
    7 = "Windows Server 2016"
    8 = "Windows Server 2019"
}
# Active Directory schema version (objectVersion of the schema NC) -> OS release
# that introduced it. Keys are integers; look up with an [int], not a string.
$global:SchemaHashAD = @{
    13 = "Windows 2000 Server"
    30 = "Windows Server 2003"
    31 = "Windows Server 2003 R2"
    44 = "Windows Server 2008"
    47 = "Windows Server 2008 R2"
    56 = "Windows Server 2012"
    69 = "Windows Server 2012 R2"
    72 = "Windows Server 2016 Technical Preview"
    81 = "Windows Server 2016 Technical Preview 2"
    82 = "Windows Server 2016 Technical Preview 3"
    85 = "Windows Server 2016 Technical Preview 4"
    87 = "Windows Server 2016"
    88 = "Windows Server 2019"
}
■
# Exchange schema version (rangeUpper of ms-Exch-Schema-Version-Pt, as read by
# the Forest Info tab) -> Exchange release. Integer keys.
$global:SchemaHashExchange = @{
    4397  = "Exchange Server 2000"
    4406  = "Exchange Server 2000 SP3"
    6870  = "Exchange Server 2003"
    6936  = "Exchange Server 2003 SP3"
    10628 = "Exchange Server 2007"
    10637 = "Exchange Server 2007"
    11116 = "Exchange Server 2007 SP1"
    14622 = "Exchange Server 2007 SP2 or Exchange Server 2010"
    14726 = "Exchange Server 2010 SP1"
    14732 = "Exchange Server 2010 SP2"
    14734 = "Exchange Server 2010 SP3"
    15137 = "Exchange Server 2013 RTM"
    15254 = "Exchange Server 2013 CU1"
    15281 = "Exchange Server 2013 CU2"
    15283 = "Exchange Server 2013 CU3"
    15292 = "Exchange Server 2013 SP1/CU4"
    15300 = "Exchange Server 2013 CU5"
    15303 = "Exchange Server 2013 CU6"
    15312 = "Exchange Server 2013 CU7"
    15317 = "Exchange Server 2016"
    15323 = "Exchange Server 2016 CU1"
    15325 = "Exchange Server 2016 CU2"
    15326 = "Exchange Server 2016 CU3-CU5"
    15330 = "Exchange Server 2016 CU6"
    15332 = "Exchange Server 2016 CU7-CU18"
    15333 = "Exchange Server 2016 CU19"
    17000 = "Exchange Server 2019"
    17001 = "Exchange Server 2019 CU2-CU7"
    17002 = "Exchange Server 2019 CU8"
}
■
# Lync / Skype for Business schema version -> product release. Integer keys.
$global:SchemaHashLync = @{
    1006 = "LCS 2005"
    1007 = "OCS 2007 R1"
    1008 = "OCS 2007 R2"
    1100 = "Lync Server 2010"
    1150 = "Lync Server 2013/Skype for Business 2015"
}
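Function BuildSchemaDic
{
    <#
    .SYNOPSIS
    Builds the two global lookup tables that map well-known schema GUIDs to
    object/attribute names and back.
    .DESCRIPTION
    Writes $global:dicSchemaIDGUIDs (GUID string -> name) and
    $global:dicNameToSchemaIDGUIDs (name -> GUID string). The reverse table is
    derived from the forward one, so a GUID added or corrected in one place can
    no longer drift out of sync with the other.
    .OUTPUTS
    None. Side effect only (two global variables).
    #>
    # Forward table: upper-case GUID string -> name. This is the only place
    # entries are maintained.
    $global:dicSchemaIDGUIDs = @{
        "BF967ABA-0DE6-11D0-A285-00AA003049E2" = "user"
        "BF967A86-0DE6-11D0-A285-00AA003049E2" = "computer"
        "BF967A9C-0DE6-11D0-A285-00AA003049E2" = "group"
        "BF967ABB-0DE6-11D0-A285-00AA003049E2" = "volume"
        "F30E3BBE-9FF0-11D1-B603-0000F80367C1" = "gPLink"
        "F30E3BBF-9FF0-11D1-B603-0000F80367C1" = "gPOptions"
        "BF967AA8-0DE6-11D0-A285-00AA003049E2" = "printQueue"
        "4828CC14-1437-45BC-9B07-AD6F015E5F28" = "inetOrgPerson"
        "5CB41ED0-0E4C-11D0-A286-00AA003049E2" = "contact"
        "BF967AA5-0DE6-11D0-A285-00AA003049E2" = "organizationalUnit"
        "BF967A0A-0DE6-11D0-A285-00AA003049E2" = "pwdLastSet"
    }
    # Reverse table, produced by inverting the forward one. Hashtable string
    # keys are case-insensitive in PowerShell, so "User" and "user" both resolve.
    $global:dicNameToSchemaIDGUIDs = @{}
    foreach ($entry in $global:dicSchemaIDGUIDs.GetEnumerator())
    {
        $global:dicNameToSchemaIDGUIDs[$entry.Value] = $entry.Key
    }
}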
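# Populate the schema GUID lookup tables before any code below needs them.
BuildSchemaDic
# Folder the running .ps1 lives in. Empty when the code is pasted into an
# interactive session rather than run from a saved script file.
$CurrentFSPath = $PSScriptRoot
# WPF is required for the XAML-based GUI defined below. The full parameter name
# is used so a future parameter sharing the "-Assembly" prefix cannot make the
# call ambiguous.
Add-Type -AssemblyName PresentationFramework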
$xamlBase = @"
<Window x:Class="ADACLScanXAMLProj.MainWindow"
xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
Title="AD ACL Scanner" WindowStartupLocation="CenterScreen" Height="690" Width="1035" Re
<Window.Resources>
<XmlDataProvider x:Name="xmlprov" x:Key="DomainOUData"/>
<DrawingImage x:Name="FolderImage" x:Key="FolderImage" >
<DrawingImage.Drawing>
<DrawingGroup>
<GeometryDrawing Brush="#FF3D85F5">
<GeometryDrawing.Geometry>
<RectangleGeometry Rect="3,6,32,22" RadiusX="0" RadiusY="0" />
</GeometryDrawing.Geometry>
</GeometryDrawing>
<GeometryDrawing Brush="#FF3D81F5">
<GeometryDrawing.Geometry>
<RectangleGeometry Rect="18,3,13,5" RadiusX="2" RadiusY="2" />
</GeometryDrawing.Geometry>
</GeometryDrawing>
</DrawingGroup>
</DrawingImage.Drawing>
</DrawingImage>
<HierarchicalDataTemplate x:Key="NodeTemplate" ItemsSource="{Binding XPath=OU}">
<StackPanel Orientation="Horizontal">
<Image Width="16" Height="16" Stretch="Fill" Source="{Binding XPath=@Img}"/>
<TextBlock Text="{Binding XPath=@Name}" Margin="2,0,0,0" />
</StackPanel>
</HierarchicalDataTemplate>
</Window.Resources>
<ScrollViewer HorizontalScrollBarVisibility="Auto" VerticalScrollBarVisibility="Auto">
<Grid HorizontalAlignment="Left" VerticalAlignment="Top" Height="640" Width="1000">
<StackPanel Orientation="Vertical" Margin="10,0,0,0" >
<StackPanel Orientation="Horizontal">
<StackPanel Orientation="Vertical">
<TabControl x:Name="tabConnect" HorizontalAlignment="Left" Height="245" Margin="
<TabItem x:Name="tabNCSelect" Header="Connect" Width="85">
<StackPanel Orientation="Vertical" Margin="05,0">
<StackPanel Orientation="Horizontal">
<RadioButton x:Name="rdbDSdef" Content="Domain" HorizontalAlignment="L
<RadioButton x:Name="rdbDSConf" Content="Config" HorizontalAlignment="L
<RadioButton x:Name="rdbDSSchm" Content="Schema" HorizontalAlignment
<RadioButton x:Name="rdbCustomNC" Content="Custom" HorizontalAlignme
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="05,05,0,0" >
<Label x:Name="lblServer" Content="Server:" HorizontalAlignment="Left" Hei
<TextBox x:Name="txtBdoxDSServer" HorizontalAlignment="Left" Height="18
<Label x:Name="lblPort" Content="Port:" HorizontalAlignment="Left" Height="
<TextBox x:Name="txtBdoxDSServerPort" HorizontalAlignment="Left" Height=
</StackPanel>
<StackPanel Orientation="Vertical" Margin="05,05,0,0" >
<StackPanel Orientation="Horizontal" Margin="0,0,0.0,0" >
<Label x:Name="lblDomain" Content="Naming Context:" HorizontalAlignme
<CheckBox x:Name="chkBoxCreds" Content="Credentials" HorizontalAlign
</StackPanel>
<TextBox x:Name="txtBoxDomainConnect" HorizontalAlignment="Left" Height
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="05,05,0,0" >
<Button x:Name="btnDSConnect" Content="Connect" HorizontalAlignment="L
<Button x:Name="btnListDdomain" Content="List Domains" HorizontalAlignme
</StackPanel>
<GroupBox x:Name="gBoxBrowse" Grid.Column="0" Header="Browse Options"
<StackPanel Orientation="Vertical" Margin="0,0">
<StackPanel Orientation="Horizontal">
<RadioButton x:Name="rdbBrowseOU" Content="OU's" HorizontalAlignm
<RadioButton x:Name="rdbBrowseAll" Content="All Objects" HorizontalA
<CheckBox x:Name="chkBoxShowDel" Content="Show Deleted" Horizon
</StackPanel>
</StackPanel>
</GroupBox>
</StackPanel>
</TabItem>
<TabItem x:Name="tabForestInfo" Header="Forest Info" Width="85">
<StackPanel Orientation="Vertical" Margin="0,05" Width="345" HorizontalAlignmen
<Button x:Name="btnGetForestInfo" Content="Get Forest Info" Margin="0,0,0,0"
<StackPanel Orientation="Horizontal" Margin="0,05">
<Label x:Name="lblFFL" Content="Forest Functional Level:" Width="150" Heig
<TextBox x:Name="txtBoxFFL" Text="" Width="170" Margin="05,0" Height="1
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="0,01">
<Label x:Name="lblDFL" Content="Domain Functional Level:" Width="150" He
<TextBox x:Name="txtBoxDFL" Text="" Width="170" Margin="05,0" Height="1
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="0,01">
<Label x:Name="ldblADSchema" Content="AD Schema Version:" Width="150
<TextBox x:Name="txtBoxADSchema" Text="" Width="170" Margin="05,0" He
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="0,01">
<Label x:Name="lblExchSchema" Content="Exchange Schema Version:" Wid
<TextBox x:Name="txtBoxExSchema" Text="" Width="170" Margin="05,0" He
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="0,01">
<Label x:Name="lblLyncSchema" Content="Lync Schema Version:" Width="15
<TextBox x:Name="txtBoxLyncSchema" Text="" Width="170" Margin="05,0,0,
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="0,01">
<Label x:Name="lblListObjectMode" Content="List Object Mode:" Width="150"
<TextBox x:Name="txtListObjectMode" Text="" Width="170" Margin="05,0,0,0
</StackPanel>
</StackPanel>
</TabItem>
<TabItem x:Name="tabConnectionInfo" Header="Connection Info" Width="100" Margi
<StackPanel Orientation="Vertical" Margin="0,0" HorizontalAlignment="Left" Width=
<Label x:Name="lblDC" Content="Domain Controller:" Width="175" Height="24"
<TextBox x:Name="txtDC" Text="" Width="320" Margin="05,0" Height="19" Hori
<Label x:Name="lbldefaultnamingcontext" Content="Default Naming Context:" W
<TextBox x:Name="txtdefaultnamingcontext" Text="" Width="320" Margin="05,0"
<Label x:Name="lblconfigurationnamingcontext" Content="Configuration Naming
<TextBox x:Name="txtconfigurationnamingcontext" Text="" Width="320" Margin=
<Label x:Name="lblschemanamingcontext" Content="Schema Naming Context:"
<TextBox x:Name="txtschemanamingcontext" Text="" Width="320" Margin="05,0
<Label x:Name="lblrootdomainnamingcontext" Content="Root Domain Naming C
<TextBox x:Name="txtrootdomainnamingcontext" Text="" Width="320" Margin="0
</StackPanel>
</TabItem>
</TabControl>
<GroupBox x:Name="gBoxSelectNodeTreeView" Grid.Column="0" Header="Nodes" Ho
<StackPanel Orientation="Vertical">
<TreeView x:Name="treeView1" Height="300" Width="340" Margin="0,5,0,0" Hori
DataContext="{Binding Source={StaticResource DomainOUData}, XPath=/DomainRoot}"
ItemTemplate="{StaticResource NodeTemplate}"
ItemsSource="{Binding}">
<TreeView.ContextMenu>
<ContextMenu x:Name="ContextMUpdateNode" >
<MenuItem Header="Refresh Childs">
<MenuItem.Icon>
<Image Width="15" Height="15" Source="{Binding XPath=@Icon}" />
</MenuItem.Icon>
</MenuItem>
<MenuItem Header="Exclude Node">
<MenuItem.Icon>
<Image Width="15" Height="15" Source="{Binding XPath=@Icon2}" />
</MenuItem.Icon>
</MenuItem>
</ContextMenu>
</TreeView.ContextMenu>
</TreeView>
</StackPanel>
</GroupBox>
<StackPanel Orientation="Horizontal" >
<StackPanel Orientation="Horizontal" Margin="0,0,0,0">
<StackPanel Orientation="Vertical" >
<StackPanel Orientation="Horizontal" >
<Label x:Name="lblStyleVersion1" Content="AD ACL Scanner 7.9" Horizontal
</StackPanel>
<StackPanel Orientation="Horizontal" >
<Label x:Name="lblStyleVersion2" Content="written by Robin Granberg " Hori
<Image x:Name="imgTwitter" HorizontalAlignment="Left" Height="15" Vertical
<Label x:Name="lblStyleVersion3" Content="@ipcdollar1" HorizontalAlignmen
<Image x:Name="imgGithub" HorizontalAlignment="Left" Height="15" VerticalA
<Label x:Name="lblStyleVersion4" Content="@canix1" HorizontalAlignment="
</StackPanel>
</StackPanel>
</StackPanel>
</StackPanel>
</StackPanel>
<StackPanel Orientation="Vertical">
<Label x:Name="lblSelectedNode" Content="Selected Object:" HorizontalAlignment="Le
<StackPanel Orientation="Horizontal" >
<TextBox x:Name="txtBoxSelected" HorizontalAlignment="Left" Height="20" Margin="
</StackPanel>
<Label x:Name="lblStatusBar" Content="Log:" HorizontalAlignment="Left" Height="26" M
<ListBox x:Name="TextBoxStatusMessage" DisplayMemberPath="Message" SelectionM
<ListBox.ItemContainerStyle>
<Style TargetType="{x:Type ListBoxItem}">
<Style.Triggers>
<DataTrigger Binding="{Binding Path=Type}" Value="Error">
<Setter Property="ListBoxItem.Foreground" Value="Red" />
<Setter Property="ListBoxItem.Background" Value="LightGray" />
</DataTrigger>
<DataTrigger Binding="{Binding Path=Type}" Value="Warning">
<Setter Property="ListBoxItem.Foreground" Value="Yellow" />
<Setter Property="ListBoxItem.Background" Value="Gray" />
</DataTrigger>
<DataTrigger Binding="{Binding Path=Type}" Value="Info">
<Setter Property="ListBoxItem.Foreground" Value="Black" />
<Setter Property="ListBoxItem.Background" Value="White" />
</DataTrigger>
</Style.Triggers>
</Style>
</ListBox.ItemContainerStyle>
</ListBox>
<TabControl x:Name="tabScanTop" HorizontalAlignment="Left" Height="405" VerticalA
<TabItem x:Name="tabScan" Header="Scan Options" Width="85">
<Grid >
<StackPanel Orientation="Vertical" Margin="0,0">
<StackPanel Orientation="Horizontal" Margin="0,0">
<StackPanel Orientation="Vertical" Margin="0,0">
<GroupBox x:Name="gBoxScanType" Header="Scan Type" HorizontalAl
<StackPanel Orientation="Vertical" Margin="0,0">
<StackPanel Orientation="Horizontal">
<RadioButton x:Name="rdbDACL" Content="DACL (Access)" Hor
<RadioButton x:Name="rdbSACL" Content="SACL (Audit)" Horizo
</StackPanel>
<StackPanel Orientation="Horizontal" Height="35" Margin="0,0,0.2,0
<CheckBox x:Name="chkBoxRAWSDDL" Content="RAW SDDL"
</StackPanel>
</StackPanel>
</GroupBox>
<GroupBox x:Name="gBoxScanDepth" Header="Scan Depth" Horizontal
<StackPanel Orientation="Vertical" Margin="0,0">
<StackPanel Orientation="Horizontal">
<RadioButton x:Name="rdbBase" Content="Base" HorizontalAlign
<RadioButton x:Name="rdbOneLevel" Content="One Level" Horiz
<RadioButton x:Name="rdbSubtree" Content="Subtree" Horizonta
</StackPanel>
</StackPanel>
</GroupBox>
<GroupBox x:Name="gBoxRdbFile" Header="Output Options" Horizontal
<StackPanel Orientation="Vertical" Margin="0,0">
<StackPanel Orientation="Horizontal">
<RadioButton x:Name="rdbOnlyHTA" Content="HTML" Horizonta
<RadioButton x:Name="rdbOnlyCSV" Content="CSV file" Horizon
<RadioButton x:Name="rdbOnlyCSVTEMPLATE" Content="CSV
</StackPanel>
<StackPanel Orientation="Horizontal">
<RadioButton x:Name="rdbEXcel" Content="Excel file" Horizonta
</StackPanel>
<CheckBox x:Name="chkBoxTranslateGUID" Content="Translate G
<Label x:Name="lblTempFolder" Content="CSV file destination" />
<TextBox x:Name="txtTempFolder" Margin="0,0,02,0"/>
<StackPanel Orientation="Horizontal" HorizontalAlignment="Right" >
<Button x:Name="btnGetTemplateFolder" Content="Change Fold
</StackPanel>
</StackPanel>
</GroupBox>
</StackPanel>
<StackPanel Orientation="Vertical" Margin="0,0">
<GroupBox x:Name="gBoxRdbScan" Header="Objects to scan" Horizont
<StackPanel Orientation="Vertical" Margin="0,0">
<StackPanel Orientation="Horizontal">
<RadioButton x:Name="rdbScanOU" Content="OUs" HorizontalA
<RadioButton x:Name="rdbScanContainer" Content="Containers"
<RadioButton x:Name="rdbScanAll" Content="All Objects" Horizo
<RadioButton x:Name="rdbGPO" Content="GPOs" HorizontalAlig
</StackPanel>
<StackPanel Orientation="Horizontal">
<RadioButton x:Name="rdbScanFilter" Content="" HorizontalAlign
<TextBox x:Name="txtCustomFilter" Text="(objectClass=*)" Horiz
</StackPanel>
</StackPanel>
</GroupBox>
<GroupBox x:Name="gBoxReportOpt" Header="View in report" Horizonta
<StackPanel Orientation="Vertical" Margin="0,0">
<StackPanel Orientation="Horizontal">
<CheckBox x:Name="chkBoxGetOwner" Content="View Owner" H
<CheckBox x:Name="chkBoxACLSize" Content="DACL Size" Ho
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="0,0,0.2,0" Height="35
<CheckBox x:Name="chkInheritedPerm" Content="Inherited

<CheckBox x:Name="chkBoxGetOUProtected" Content="Inherita
</StackPanel>
<StackPanel Orientation="Horizontal" Height="35" Margin="0,0,0.2,0
<CheckBox x:Name="chkBoxDefaultPerm" Content="Skip Defaul
<CheckBox x:Name="chkBoxReplMeta" Content="SD Modified da
</StackPanel>
<StackPanel Orientation="Horizontal" Height="35" Margin="0,0,0.2,0
<CheckBox x:Name="chkBoxSkipProtectedPerm" Content="Skip
<CheckBox x:Name="chkBoxObjType" Content="ObjectClass" Ho
</StackPanel>
<StackPanel Orientation="Vertical" Margin="0,0,0,0">
<StackPanel Orientation="Horizontal" Height="19" Margin="0,0,0.
<CheckBox x:Name="chkBoxUseCanonicalName" Content="C
<CheckBox x:Name="chkBoxSDDLView" Content="SDDL" Hor
</StackPanel>
<Label x:Name="lblReturnObjectType" Content="Filter report on s
<ComboBox x:Name="combReturnObjectType" HorizontalAlignm
</StackPanel>
</StackPanel>
</GroupBox>
</StackPanel>
</StackPanel>
<GroupBox x:Name="gBoxExclude" Header="Excluded Path (matching string
<StackPanel Orientation="Vertical">
<StackPanel Orientation="Vertical">
<TextBox x:Name="txtBoxExcluded" HorizontalAlignment="Left" Heigh
<Button x:Name="btnClearExcludedBox" Content="Clear" Height="21
</StackPanel>
</StackPanel>
</GroupBox>
</StackPanel>
</Grid>
</TabItem>
<TabItem x:Name="tabFilter" Header="Filter">
<Grid>
<StackPanel Orientation="Horizontal">
<StackPanel Orientation="Vertical" Margin="0,0">
<CheckBox x:Name="chkBoxFilter" Content="Enable Filter" HorizontalAlign
<Label x:Name="lblAccessCtrl" Content="Filter by Access Type:(example: A
<StackPanel Orientation="Horizontal" Margin="0,0">
<CheckBox x:Name="chkBoxType" Content="" HorizontalAlignment="Lef
<ComboBox x:Name="combAccessCtrl" HorizontalAlignment="Left" Marg
</StackPanel>
<Label x:Name="lblFilterExpl" Content="Filter by Object: Examples:&#
<StackPanel Orientation="Horizontal" Margin="0,0">
<CheckBox x:Name="chkBoxObject" Content="" HorizontalAlignment="L
<TextBox x:Name="txtBoxObjectFilter" HorizontalAlignment="Left" Margi
</StackPanel>
</StackPanel>
<StackPanel Orientation="Vertical" Margin="5,5,0,0" Width="320">
<Label x:Name="lblPermission" Content="Filter by permissions: Exam
<StackPanel Orientation="Horizontal" Margin="0,0">
<CheckBox x:Name="chkBoxPermission" Content="" HorizontalAlignmen
<TextBox x:Name="txtPermission" HorizontalAlignment="Left" Margin="5
</StackPanel>
<Label x:Name="lblFilterTrusteeExpl" Content="Filter by Trustee: Exam
<StackPanel Orientation="Horizontal" Margin="0,0">
<CheckBox x:Name="chkBoxTrustee" Content="" HorizontalAlignment="L
<TextBox x:Name="txtFilterTrustee" HorizontalAlignment="Left" Margin="
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="0,0">
<CheckBox x:Name="chkBoxFilterBuiltin" Content="" HorizontalAlignmen
<Label x:Name="lblFilterBuiltin" Content="Exclude all built-in security prin
</StackPanel>
</StackPanel>
</StackPanel>
</Grid>
</TabItem>
<TabItem x:Name="tabAssess" Header="Assessment">
<Grid >
<StackPanel Orientation="Horizontal">
<StackPanel Orientation="Vertical" Margin="0,0">
<GroupBox x:Name="gBoxdCriticals" Header="Assessment Options" Horizo
<StackPanel>
<Label x:Name="lblFilterServerity" Content="Filter by Severity" />
<StackPanel Orientation="Horizontal" Margin="0,0">
<CheckBox x:Name="chkBoxSeverity" Content="" HorizontalAlignm
<ComboBox x:Name="combServerity" HorizontalAlignment="Left" M
</StackPanel>
<Label x:Name="lblRecursiveFind" Content="Perform a recursive searc
<StackPanel Orientation="Horizontal" Margin="0,0">
<CheckBox x:Name="chkBoxRecursiveFind" Content="" HorizontalA
<ComboBox x:Name="combRecursiveFind" HorizontalAlignment="L
</StackPanel>
</StackPanel>
</GroupBox>
</StackPanel>
<StackPanel Orientation="Vertical" Margin="5,5">
<GroupBox x:Name="gBoxCriticality" Header="Access Rights Criticality" Ho
<StackPanel Orientation="Vertical" Margin="0,0">
<CheckBox x:Name="chkBoxEffectiveRightsColor" Content="Show co
<Label x:Name="lblEffectiveRightsColor" Content="Use colors in repor
<Button x:Name="btnViewLegend" Content="View Color Legend" Hori
</StackPanel>
</GroupBox>
</StackPanel>
</StackPanel>
</Grid>
</TabItem>
<TabItem x:Name="tabEffectiveR" Header="Effective Rights">
<Grid >
<StackPanel Orientation="Horizontal">
<StackPanel Orientation="Vertical" Margin="0,0">
<CheckBox x:Name="chkBoxEffectiveRights" Content="Enable Effective Ri
<Label x:Name="lblEffectiveDescText" Content="Effective Access allows yo
<Label x:Name="lblEffectiveText" Content="Type the account name (samAc
<Label x:Name="lblSelectPrincipalDom" Content=":" />
<TextBox x:Name="txtBoxSelectPrincipal" IsEnabled="False" />
<StackPanel Orientation="Horizontal" Margin="0,0">
<Button x:Name="btnGetSPAccount" Content="Get Account" Margin="5,
<Button x:Name="btnListLocations" Content="Locations..." Margin="50,0
</StackPanel>
</StackPanel>
<StackPanel Orientation="Vertical" Margin="5,5,0,0" Width="320">
<StackPanel Orientation="Vertical" Margin="0,0" >
<GroupBox x:Name="gBoxEffectiveSelUser" Header="Selected Security
<StackPanel Orientation="Vertical" Margin="0,0">
<Label x:Name="lblEffectiveSelUser" Content="" />
</StackPanel>
</GroupBox>
<Button x:Name="btnGETSPNReport" HorizontalAlignment="Left" Conte
</StackPanel>
</StackPanel>
</StackPanel>
</Grid>
</TabItem>
<TabItem x:Name="tabCompare" Header="Compare">
<Grid>
<StackPanel Orientation="Horizontal">
<StackPanel Orientation="Vertical" Margin="0,0" HorizontalAlignment="Left">
<CheckBox x:Name="chkBoxCompare" Content="Enable Compare" Horizo
<Label x:Name="lblCompareDescText" Content="You can compare the cur
<Label x:Name="lblCompareTemplate" Content="CSV Template File" />
<TextBox x:Name="txtCompareTemplate" Margin="2,0,0,0" Width="275" IsE
<Button x:Name="btnGetCompareInput" Content="Select Template" Horizo
<StackPanel Orientation="Horizontal" Margin="5,5,0,0">
<Label x:Name="lblReturn" Content="Return:" />
<ComboBox x:Name="combReturns" HorizontalAlignment="Left" Margin=
</StackPanel>
<StackPanel Orientation="Vertical">
<CheckBox x:Name="chkBoxTemplateNodes" Content="Use nodes from
<CheckBox x:Name="chkBoxScanUsingUSN" Content="Faster compare
</StackPanel>
</StackPanel>
<StackPanel Orientation="Vertical" Width="300">
<Label x:Name="lblReplaceDN" Content="Replace DN in file with current do
<TextBox x:Name="txtReplaceDN" Margin="2,0,0,0" Width="250" IsEnabled
<Label x:Name="lblReplaceNetbios" Content="Replace principals prefixed d
<TextBox x:Name="txtReplaceNetbios" Margin="2,0,0,0" Width="250" IsEna
<Label x:Name="lblDownloadCSVDefACLs" Content="Download CSV temp
<Button x:Name="btnDownloadCSVDefACLs" Content="Download CSV Te
</StackPanel>
</StackPanel>
</Grid>
</TabItem>
<TabItem x:Name="tabOther" Header="Default SD">
<Grid>
<StackPanel Orientation="Horizontal">
<StackPanel Orientation="Vertical" Margin="0,0,0,-40">
<GroupBox x:Name="gBoxdDefSecDesc" Header="Output Format" Horizon
<StackPanel Orientation="Horizontal" Margin="0,0">
<RadioButton x:Name="rdbDefSD_Access" Content="DACL" Horizont
<RadioButton x:Name="rdbDefSD_SDDL" Content="SDDL" Horizonta
</StackPanel>
</GroupBox>
<CheckBox x:Name="chkModifedDefSD" Content="Only modified defaultSe
<Label x:Name="lblObjectDefSD" Content="Select objects to scan:" />
<StackPanel Orientation="Horizontal" Margin="0,0">
<ComboBox x:Name="combObjectDefSD" HorizontalAlignment="Left" M
<Button x:Name="btnScanDefSD" Content="Run Scan" HorizontalAlignm
</StackPanel>
<StackPanel Orientation="Horizontal" Margin="0,0">
<Button x:Name="btnGetSchemaClass" Content="Load all classSchema
<Button x:Name="btnExportDefSD" Content="Export to CSV" HorizontalA
</StackPanel>
</StackPanel>
<GroupBox x:Name="gBoxdDefSecDescCompare" Header="Compare" Horizo
<StackPanel Margin="0,0">
<Label x:Name="lblCompareDefSDText" Content="You can compare the
<Label x:Name="lblCompareDefSDTemplate" Content="CSV Template F
<TextBox x:Name="txtCompareDefSDTemplate" Margin="2,0,0,0" Width=
<Button x:Name="btnGetCompareDefSDInput" Content="Select Templat
<Button x:Name="btnCompDefSD" Content="Run Compare" HorizontalA
<Label x:Name="lblDownloadCSVDefSD" Content="Download CSV temp
<Button x:Name="btnDownloadCSVDefSD" Content="Download CSV Te
</StackPanel>
</GroupBox>
</StackPanel>
</Grid>
</TabItem>
<TabItem x:Name="tabOfflineScan" Header="Additional Options">
<Grid>
<StackPanel>
<GroupBox x:Name="gBoxImportCSV" Header="CSV to HTML" HorizontalAlig
<StackPanel Orientation="Vertical" Margin="0,0">
<Label x:Name="lblCSVImport" Content="This file will be converted HTM
<TextBox x:Name="txtCSVImport"/>
<StackPanel Orientation="Horizontal" HorizontalAlignment="Right">
<Button x:Name="btnGetCSVFile" Content="Select CSV" />
</StackPanel>
<CheckBox x:Name="chkBoxTranslateGUIDinCSV" Content="CSV file d
<StackPanel Orientation="Horizontal" HorizontalAlignment="Right">
<Button x:Name="btnCreateHTML" Content="Create HTML View" />
</StackPanel>
</StackPanel>
</GroupBox>
<GroupBox x:Name="gBoxProgress" Header="Progress Bar" HorizontalAlignm
<StackPanel Orientation="Vertical" Margin="0,0">
<CheckBox x:Name="chkBoxSkipProgressBar" Content="Use Progress B
<Label x:Name="lblSkipProgressBar" Content="For increased speed, tur
</StackPanel>
</GroupBox>
</StackPanel>
</Grid>
</TabItem>
</TabControl>
<StackPanel Orientation="Horizontal" Margin="5,5">
<Button x:Name="btnScan" Content="Run Scan" HorizontalAlignment="Left" Height="
<Button x:Name="btnExit" Content="Exit" HorizontalAlignment="Left" Margin="100,0,0
<Button x:Name="btnSupport" Height="23" Tag="Support Statement" Margin="270,0,
<TextBlock TextDecorations="Underline" Text="{Binding Path=Tag, RelativeSource
<Button.Template>
<ControlTemplate TargetType="{x:Type Button}">
<ContentPresenter />
</ControlTemplate>
</Button.Template>
</Button>
</StackPanel>
</StackPanel>
</StackPanel>
<StackPanel >
</StackPanel>
</StackPanel>
</Grid>
</ScrollViewer>
</Window>
"@
# Parse the XAML here-string into an XML document. The [xml] type constraint is
# kept on the variable so any later assignment is coerced to XML as well.
[xml]$XAML = $xamlBase
# Drop the designer's x:Class attribute from <Window>; presumably required
# because the XAML is loaded at runtime with no compiled code-behind for that
# class to bind to — confirm against the XAML loader.
$XAML.Window.RemoveAttribute('x:Class')
#for paged search, the response for paged search result control - we will need a cookie from res
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using range
$colResults = $response.Entries
■ foreach ($objResult in $colResults)
■ {
■■ [void]$arrSchemaObjects.Add($objResult.attributes.name[0])
}
if($global:PageSize -gt 0) {
if ($prrc.Cookie.Length -eq 0) {
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
} else {
#exit the processing for non-paged search
break;
}
}#End While
$arrSchemaObjects.Sort()
foreach ($object in $arrSchemaObjects)
{
[void]$combObjectDefSD.Items.Add($object)
}
$global:observableCollection.Insert(0,(LogMessage -strMessage "All classSchema collected!" -strT
$object = $null
Remove-Variable object
$arrSchemaObjects = $null
Remove-Variable arrSchemaObjects
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Connect to your naming context
}
})
# "Export to CSV" button on the Default SD tab: writes the default security
# descriptors to a CSV file in the configured CSV folder, named after the
# domain short name. Logs to the status list box; refuses to run when no
# naming context is connected.
$btnExportDefSD.add_Click(
{
# Read the progress-bar preference at click time so the current checkbox state
# is what this export uses.
$global:bolProgressBar = $chkBoxSkipProgressBar.IsChecked
if ($global:bolConnected -eq $true)
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Scanning..." -strType "Info" -Dat
# NOTE(review): destination built by string concatenation from the folder text
# box; Join-Path would avoid doubled or missing separators — confirm
# txtTempFolder is always a bare folder path with no trailing backslash.
$strFileCSV = $txtTempFolder.Text + "\" +$global:strDomainShortName + "_DefaultSecDescriptor
Write-DefaultSDCSV -fileout $strFileCSV -CREDS $CREDS
$global:observableCollection.Insert(0,(LogMessage -strMessage "Finished" -strType "Info" -DateS
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Connect to your naming context
}
})
$btnCompDefSD.add_Click(
{
$global:bolProgressBar = $chkBoxSkipProgressBar.IsChecked
if ($global:bolConnected -eq $true)
{
})
$btnGETSPNReport.add_Click(
{
If(($global:strEffectiveRightSP -ne "") -and ($global:tokens.count -gt 0))
{
DisplayLegend
})
# "Get Account" button on the Effective Rights tab: resolves the principal typed
# into txtBoxSelectPrincipal (against $global:strDomainPrinDNName) via
# GetEffectiveRightSP. Requires an active connection and a non-empty name;
# otherwise a message is pushed to the status list box.
$btnGetSPAccount.add_Click(
{
if ($global:bolConnected -eq $true)
{
# Only the empty string is rejected here; whitespace-only input is passed on.
If (!($txtBoxSelectPrincipal.Text -eq ""))
{
GetEffectiveRightSP $txtBoxSelectPrincipal.Text $global:strDomainPrinDNName -CREDS $CR
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Enter a principal name!" -strT
}
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Connect to your naming context
}
})
# "List Domains" button: open the domain picker and copy the chosen domain
# (published by the picker in $global:strDomainSelect) into the Naming
# Context text box.
$btnListDdomain.Add_Click({
    GenerateDomainPicker
    $txtBoxDomainConnect.Text = $global:strDomainSelect
})
# "Locations..." button on the Effective Rights tab: opens the trusted-domain
# picker using the current credentials. Requires an active connection.
$btnListLocations.add_Click(
{
if ($global:bolConnected -eq $true)
{
GenerateTrustedDomainPicker -CREDS $CREDS
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Connect to your naming context
}
})
# "Faster compare" checkbox. Ticking it forces the "SD Modified date" checkbox
# on (presumably the USN-based compare needs that metadata — confirm against
# the compare code) after remembering the user's own setting; unticking it puts
# that remembered setting back, if one was ever saved.
$chkBoxScanUsingUSN.Add_Click({
    if (-not $chkBoxScanUsingUSN.IsChecked) {
        if ($null -ne $global:bolTempValue_chkBoxReplMeta) {
            $chkBoxReplMeta.IsChecked = $global:bolTempValue_chkBoxReplMeta
        }
        return
    }
    $global:bolTempValue_chkBoxReplMeta = $chkBoxReplMeta.IsChecked
    $chkBoxReplMeta.IsChecked = $true
})
# "Enable Compare" checkbox. Ticking it only restores the "Inherited" checkbox
# to the value saved when Effective Rights mode was entered; unticking it greys
# out every compare input.
# NOTE(review): nothing here re-enables the compare inputs when the box is
# ticked again — confirm another handler (or the XAML defaults) does that.
$chkBoxCompare.Add_Click({
    if (-not $chkBoxCompare.IsChecked) {
        # Deactivate Compare Objects
        foreach ($ctrl in @($txtCompareTemplate, $combReturns, $chkBoxTemplateNodes,
                            $chkBoxScanUsingUSN, $btnGetCompareInput, $txtReplaceDN,
                            $txtReplaceNetbios)) {
            $ctrl.IsEnabled = $false
        }
        return
    }
    if ($null -ne $global:bolTempValue_InhertiedChkBox) {
        $chkInheritedPerm.IsChecked = $global:bolTempValue_InhertiedChkBox
    }
})
# "Enable Effective Rights" checkbox. Effective-rights mode is exclusive with
# the Filter and Compare features: ticking it unticks/greys those, forces
# "Inherited" and "View Owner" on and locks them, and enables the principal
# picker. Unticking reverses the picker state and restores the two forced
# checkboxes from the values saved on entry. Assignment order matches the
# original handler so any Checked/Unchecked handlers fire in the same sequence.
$chkBoxEffectiveRights.Add_Click({
    if (-not $chkBoxEffectiveRights.IsChecked) {
        foreach ($ctrl in @($txtBoxSelectPrincipal, $btnGetSPAccount, $btnListLocations, $btnGETSPNReport)) {
            $ctrl.IsEnabled = $false
        }
        $chkInheritedPerm.IsEnabled = $true
        $chkInheritedPerm.IsChecked = $global:bolTempValue_InhertiedChkBox
        $chkBoxGetOwner.IsEnabled = $true
        $chkBoxGetOwner.IsChecked = $global:bolTempValue_chkBoxGetOwner
        return
    }

    # Remember the user's choices so they can be put back on untick.
    $global:bolTempValue_InhertiedChkBox = $chkInheritedPerm.IsChecked
    $global:bolTempValue_chkBoxGetOwner = $chkBoxGetOwner.IsChecked
    $chkBoxFilter.IsChecked = $false

    # Deactivate Compare Objects
    $chkBoxCompare.IsChecked = $false
    foreach ($ctrl in @($txtCompareTemplate, $combReturns, $chkBoxTemplateNodes,
                        $chkBoxScanUsingUSN, $btnGetCompareInput, $txtReplaceDN,
                        $txtReplaceNetbios)) {
        $ctrl.IsEnabled = $false
    }

    # Turn on the principal picker.
    foreach ($ctrl in @($txtBoxSelectPrincipal, $btnGetSPAccount, $btnListLocations, $btnGETSPNReport)) {
        $ctrl.IsEnabled = $true
    }

    # "Inherited" and "View Owner" are forced on and locked while in this mode.
    $chkInheritedPerm.IsEnabled = $false
    $chkInheritedPerm.IsChecked = $true
    $chkBoxGetOwner.IsEnabled = $false
    $chkBoxGetOwner.IsChecked = $true

    # Grey out and clear the Filter tab inputs.
    foreach ($ctrl in @($chkBoxType, $chkBoxObject, $chkBoxTrustee, $chkBoxPermission)) {
        $ctrl.IsEnabled = $false
    }
    $chkBoxPermission.IsChecked = $false
    $txtPermission.IsEnabled = $false
    foreach ($ctrl in @($chkBoxType, $chkBoxObject, $chkBoxFilterBuiltin)) {
        $ctrl.IsChecked = $false
    }
    foreach ($ctrl in @($txtBoxObjectFilter, $txtFilterTrustee, $combAccessCtrl)) {
        $ctrl.IsEnabled = $false
    }
})
# Severity filter: the severity drop-down is usable only while its checkbox is ticked.
# (IsChecked is a nullable bool; comparing with $true maps $null to "disabled" as before.)
$chkBoxSeverity.add_Click(
{
    $combServerity.IsEnabled = ($chkBoxSeverity.IsChecked -eq $true)
})
# Recursive-find option: its drop-down follows the checkbox state one-to-one.
$chkBoxRecursiveFind.add_Click(
{
    $combRecursiveFind.IsEnabled = ($chkBoxRecursiveFind.IsChecked -eq $true)
})
# "Filter" checkbox. Ticking it switches off the competing Compare and Effective-rights
# modes and unlocks the filter controls; unticking it clears and locks them again.
# Control updates are issued in the same order as the original handler.
$chkBoxFilter.add_Click(
{
    if (-not ($chkBoxFilter.IsChecked -eq $true))
    {
        foreach ($ctl in @($chkBoxType, $chkBoxObject, $chkBoxTrustee, $chkBoxPermission)) { $ctl.IsEnabled = $false }
        $chkBoxPermission.IsChecked = $false
        $txtPermission.IsEnabled = $false
        $chkBoxFilterBuiltin.IsEnabled = $false
        $chkBoxType.IsChecked = $false
        $chkBoxObject.IsChecked = $false
        foreach ($ctl in @($txtBoxObjectFilter, $txtFilterTrustee, $combAccessCtrl)) { $ctl.IsEnabled = $false }
        return
    }
    #Deactivate Compare Objects
    $chkBoxCompare.IsChecked = $false
    foreach ($ctl in @($txtCompareTemplate, $combReturns, $chkBoxTemplateNodes, $chkBoxScanUsingUSN, $btnGetCompareInput, $txtReplaceDN, $txtReplaceNetbios)) { $ctl.IsEnabled = $false }
    $chkBoxEffectiveRights.IsChecked = $false
    # Unlock the filter controls ...
    foreach ($ctl in @($chkBoxType, $chkBoxObject, $chkBoxTrustee, $chkBoxPermission, $txtPermission, $chkBoxFilterBuiltin, $txtBoxObjectFilter, $txtFilterTrustee, $combAccessCtrl)) { $ctl.IsEnabled = $true }
    # ... and lock the effective-rights principal picker.
    foreach ($ctl in @($txtBoxSelectPrincipal, $btnGetSPAccount, $btnListLocations, $btnGETSPNReport)) { $ctl.IsEnabled = $false }
    # Put back whatever the Effective-rights handler stashed. The inherited value is
    # restored unconditionally here (as in the original); only the owner value is guarded.
    $chkInheritedPerm.IsEnabled = $true
    $chkInheritedPerm.IsChecked = $global:bolTempValue_InhertiedChkBox
    $chkBoxGetOwner.IsEnabled = $true
    if ($null -ne $global:bolTempValue_chkBoxGetOwner)
    {
        $chkBoxGetOwner.IsChecked = $global:bolTempValue_chkBoxGetOwner
    }
})
# "Schema" naming-context radio button. All four NC radio handlers share this body: when
# "Custom" is selected the connect box is freed for typing and any well-known NC keyword
# is cleared; otherwise the box is filled from whichever radio is checked and locked.
# Presumably the four radios form one group, so when this handler fires $rdbDSSchm is the
# checked one and the sibling sub-branches below are effectively dead code - verify in the XAML.
$rdbDSSchm.add_Click(
{
If($rdbCustomNC.IsChecked -eq $true)
{
$txtBoxDomainConnect.IsEnabled = $true
$btnListDdomain.IsEnabled = $false
# NOTE(review): the condition on the next line is cut off in this copy; presumably it
# also compares against "schema", matching the three keywords the other branches write.
if (($txtBoxDomainConnect.Text -eq "rootDSE") -or ($txtBoxDomainConnect.Text -eq "config") -or
{
$txtBoxDomainConnect.Text = ""
}
}
else
{
# Domain picker is only meaningful for the default (domain) NC; re-enabled below.
$btnListDdomain.IsEnabled = $false
If($rdbDSdef.IsChecked -eq $true)
{
$txtBoxDomainConnect.Text = $global:strDomainSelect
$btnListDdomain.IsEnabled = $true
$txtBdoxDSServerPort.IsEnabled = $false
$txtBdoxDSServer.IsEnabled = $false
}
If($rdbDSConf.IsChecked -eq $true)
{
$txtBoxDomainConnect.Text = "config"
$txtBdoxDSServerPort.IsEnabled = $false
$txtBdoxDSServer.IsEnabled = $false
}
If($rdbDSSchm.IsChecked -eq $true)
{
# "schema" is a keyword the Connect handler maps to the schema naming context.
$txtBoxDomainConnect.Text = "schema"
$txtBdoxDSServerPort.IsEnabled = $false
$txtBdoxDSServer.IsEnabled = $false
}
$txtBoxDomainConnect.IsEnabled = $false
}
})
# "Configuration" naming-context radio button; same shared body as the other NC radios
# (see $rdbDSSchm for the overall behaviour).
$rdbDSConf.add_Click(
{
If($rdbCustomNC.IsChecked -eq $true)
{
$txtBoxDomainConnect.IsEnabled = $true
$btnListDdomain.IsEnabled = $false
# NOTE(review): the condition on the next line is cut off in this copy; presumably it
# also compares against "schema".
if (($txtBoxDomainConnect.Text -eq "rootDSE") -or ($txtBoxDomainConnect.Text -eq "config") -or
{
$txtBoxDomainConnect.Text = ""
}
}
else
{
$btnListDdomain.IsEnabled = $false
If($rdbDSdef.IsChecked -eq $true)
{
# NOTE(review): "$global:strDommainSelect" looks like a typo for "$global:strDomainSelect",
# the variable the $rdbDSSchm and $rdbDSdef handlers use at this point and that
# $btnListDdomain fills. As written this branch would blank the connect box
# (an undefined variable expands to nothing) - confirm and fix the name.
$txtBoxDomainConnect.Text = $global:strDommainSelect
$btnListDdomain.IsEnabled = $true
$txtBdoxDSServerPort.IsEnabled = $false
$txtBdoxDSServer.IsEnabled = $false
}
If($rdbDSConf.IsChecked -eq $true)
{
# "config" is a keyword the Connect handler maps to the configuration naming context.
$txtBoxDomainConnect.Text = "config"
$txtBdoxDSServerPort.IsEnabled = $false
$txtBdoxDSServer.IsEnabled = $false
}
If($rdbDSSchm.IsChecked -eq $true)
{
$txtBoxDomainConnect.Text = "schema"
$txtBdoxDSServerPort.IsEnabled = $false
$txtBdoxDSServer.IsEnabled = $false
}
$txtBoxDomainConnect.IsEnabled = $false
}
})
# "Default (domain)" naming-context radio button; same shared body as the other NC radios.
$rdbDSdef.add_Click(
{
If($rdbCustomNC.IsChecked -eq $true)
{
$txtBoxDomainConnect.IsEnabled = $true
$btnListDdomain.IsEnabled = $false
# NOTE(review): the condition on the next line is cut off in this copy; presumably it
# also compares against "schema".
if (($txtBoxDomainConnect.Text -eq "rootDSE") -or ($txtBoxDomainConnect.Text -eq "config") -or
{
$txtBoxDomainConnect.Text = ""
}
}
else
{
$btnListDdomain.IsEnabled = $false
If($rdbDSdef.IsChecked -eq $true)
{
# Server/port boxes are only for the custom NC; lock them and offer the domain picker.
$txtBdoxDSServerPort.IsEnabled = $false
$txtBdoxDSServer.IsEnabled = $false
$txtBoxDomainConnect.Text = $global:strDomainSelect
$btnListDdomain.IsEnabled = $true
}
# NOTE(review): unlike the $rdbDSSchm/$rdbDSConf handlers, the two sub-branches below do
# not lock the server/port boxes. Probably harmless if the radios are a single group
# (only the branch above is reachable from this handler) - confirm.
If($rdbDSConf.IsChecked -eq $true)
{
$txtBoxDomainConnect.Text = "config"
}
If($rdbDSSchm.IsChecked -eq $true)
{
$txtBoxDomainConnect.Text = "schema"
}
$txtBoxDomainConnect.IsEnabled = $false
}
})
# "Custom" naming-context radio button: unlock the free-text connect box plus the
# server/port boxes so the user can point the tool at an arbitrary NC, host or port
# (e.g. an AD LDS instance). The Connect handler validates what is typed here.
$rdbCustomNC.add_Click(
{
If($rdbCustomNC.IsChecked -eq $true)
{
$txtBdoxDSServerPort.IsEnabled = $true
$txtBdoxDSServer.IsEnabled = $true
$txtBoxDomainConnect.IsEnabled = $true
$btnListDdomain.IsEnabled = $false
# Drop the well-known keywords left by the other radios so they are not sent as a DN.
# NOTE(review): the condition on the next line is cut off in this copy; presumably it
# also compares against "schema".
if (($txtBoxDomainConnect.Text -eq "rootDSE") -or ($txtBoxDomainConnect.Text -eq "config") -or
{
$txtBoxDomainConnect.Text = ""
}
}
else
{
$btnListDdomain.IsEnabled = $false
If($rdbDSdef.IsChecked -eq $true)
{
# NOTE(review): "$global:strDommainSelect" looks like a typo for "$global:strDomainSelect"
# (the name used by the $rdbDSSchm/$rdbDSdef handlers and filled by $btnListDdomain);
# as written the connect box would be blanked - confirm and fix the name.
$txtBoxDomainConnect.Text = $global:strDommainSelect
$btnListDdomain.IsEnabled = $true
}
If($rdbDSConf.IsChecked -eq $true)
{
$txtBoxDomainConnect.Text = "config"
}
If($rdbDSSchm.IsChecked -eq $true)
{
$txtBoxDomainConnect.Text = "schema"
}
$txtBoxDomainConnect.IsEnabled = $false
}
})
# Browse for the template folder; whatever Select-Folder returns lands in the text box as-is.
$btnGetTemplateFolder.add_Click({ $txtTempFolder.Text = Select-Folder })
# Browse for the default-SD comparison template; the picked path is shown unmodified.
$btnGetCompareDefSDInput.add_Click({ $txtCompareDefSDTemplate.Text = Select-File })
# Browse for the compare template file; the picked path is shown unmodified.
$btnGetCompareInput.add_Click({ $txtCompareTemplate.Text = Select-File })
# Browse for the CSV to convert to HTML; the picked path is shown unmodified.
$btnGetCSVFile.add_Click({ $txtCSVImport.Text = Select-File })
$btnDSConnect.add_Click(
{
# --- Connect button, step 1 of 3: optionally collect credentials, then reset every
# per-connection global and the naming-context read-outs before a new attempt is made.
if($chkBoxCreds.IsChecked)
{
# Prompt for an explicit account. The PSCredential is cached in script scope for the rest
# of the session and handed to the directory helpers as -CREDS; the add_UnChecked handler
# on this same checkbox is what clears it again. If the dialog is cancelled Get-Credential
# returns nothing, so $script:CREDS becomes $null and the helpers presumably fall back to
# the caller's own security context - verify in their definitions.
$script:CREDS = Get-Credential -Message "Type User Name and Password"
# Presumably brings the main window back to the front after the modal prompt.
$Window.Activate()
}
# Always $true here; the per-naming-context branches below test it before connecting.
$global:bolRoot = $true
# Flipped to $true only once a naming context has been validated.
$NCSelect = $false
# Forget everything learned from a previous connection so a failed attempt cannot leave
# stale DC / naming-context values behind for later scans.
$global:DSType = ""
$global:strDC = ""
$global:strDomainDNName = ""
$global:ConfigDN = ""
$global:SchemaDN = ""
$global:ForestRootDomainDN = ""
$global:IS_GC = ""
# Clear the rootDSE read-outs shown in the GUI.
$txtDC.text = ""
$txtdefaultnamingcontext.text = ""
$txtconfigurationnamingcontext.text = ""
$txtschemanamingcontext.text = ""
$txtrootdomainnamingcontext.text = ""
■If ($rdbDSdef.IsChecked)
■{
if (!($txtBoxDomainConnect.Text -eq "rootDSE"))
{
if ($null -eq $global:TempDC)
{
$strNamingContextDN = $txtBoxDomainConnect.Text
If(CheckDNExist -sADobjectName $strNamingContextDN -strDC "" -CREDS $CREDS)
{
$root = New-Object system.directoryservices.directoryEntry("LDAP://"+$strNamingContextDN
$global:strDomainDNName = $root.distinguishedName.tostring()
$global:strDomainPrinDNName = $global:strDomainDNName
$global:strDomainLongName = $global:strDomainDNName.Replace("DC=","")
$global:strDomainLongName = $global:strDomainLongName.Replace(",",".")
$Context = New-Object DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$global
$ojbDomain = [DirectoryServices.ActiveDirectory.Domain]::GetDomain($Context)
$global:strDC = $($ojbDomain.FindDomainController()).name
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($glob
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($null, "(objectCla
[void]$request.Attributes.Add("dnshostname")
[void]$request.Attributes.Add("supportedcapabilities")
[void]$request.Attributes.Add("namingcontexts")
[void]$request.Attributes.Add("defaultnamingcontext")
[void]$request.Attributes.Add("schemanamingcontext")
[void]$request.Attributes.Add("configurationnamingcontext")
[void]$request.Attributes.Add("rootdomainnamingcontext")
[void]$request.Attributes.Add("isGlobalCatalogReady")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:ForestRootDomainDN = $response.Entries[0].attributes.rootdomainnamingcontext[
$global:SchemaDN = $response.Entries[0].attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].attributes.configurationnamingcontext[0]
$global:strDomainDNName = $response.Entries[0].attributes.defaultnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
}
$global:DirContext = Get-DirContext $global:strDC -CREDS $CREDS
$global:strDomainShortName = GetDomainShortName -strDomain $global:strDomainDNNam
$global:strRootDomainShortName = GetDomainShortName -strDomain $global:ForestRootD
$global:DSType = "AD DS"
$global:bolADDSType = $true
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
$NCSelect = $true
$strNamingContextDN = $global:strDomainDNName
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not
$global:bolConnected = $false
}
}
else
{
$strNamingContextDN = $txtBoxDomainConnect.Text
If(CheckDNExist -sADobjectName $strNamingContextDN -strDC "$global:TempDC" -CREDS
{
$Context = New-Object DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$global
$global:TempDC = $null
$ojbDomain = [DirectoryServices.ActiveDirectory.Domain]::GetDomain($Context)
$global:strDC = $($ojbDomain.FindDomainController()).name
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($glob
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($null, "(objectCla
[void]$request.Attributes.Add("dnshostname")
[void]$request.Attributes.Add("supportedcapabilities")
[void]$request.Attributes.Add("namingcontexts")
[void]$request.Attributes.Add("defaultnamingcontext")
[void]$request.Attributes.Add("schemanamingcontext")
[void]$request.Attributes.Add("configurationnamingcontext")
[void]$request.Attributes.Add("rootdomainnamingcontext")
[void]$request.Attributes.Add("isGlobalCatalogReady")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:ForestRootDomainDN = $response.Entries[0].attributes.rootdomainnamingcontext[
$global:SchemaDN = $response.Entries[0].attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].attributes.configurationnamingcontext[0]
$global:strDomainDNName = $response.Entries[0].attributes.defaultnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
}
$global:DirContext = Get-DirContext $global:strDC $CREDS
$global:strDomainShortName = GetDomainShortName -strDomain $global:strDomainDNNam
$global:strRootDomainShortName = GetDomainShortName -strDomain $global:ForestRootD
$global:DSType = "AD DS"
$global:bolADDSType = $true
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
$NCSelect = $true
$strNamingContextDN = $global:strDomainDNName
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not
$global:bolConnected = $false
}
}
}
else
{
if ($global:bolRoot -eq $true)
{
$LDAPConnection = $null
$request = $null
$response = $null
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection("")
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($null, "(objectCla
[void]$request.Attributes.Add("defaultnamingcontext")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:strDomainDNName = $response.Entries[0].Attributes.defaultnamingcontext[0]
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not
■ }
if($global:bolLDAPConnection)
{
$global:strDomainPrinDNName = $global:strDomainDNName
$global:strDomainLongName = $global:strDomainDNName.Replace("DC=","")
$global:strDomainLongName = $global:strDomainLongName.Replace(",",".")
$Context = New-Object DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$glob
$ojbDomain = [DirectoryServices.ActiveDirectory.Domain]::GetDomain($Context)
$global:strDC = $($ojbDomain.FindDomainController()).name
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($g
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($null, "(objectC
[void]$request.Attributes.Add("dnshostname")
[void]$request.Attributes.Add("supportedcapabilities")
[void]$request.Attributes.Add("namingcontexts")
[void]$request.Attributes.Add("defaultnamingcontext")
[void]$request.Attributes.Add("schemanamingcontext")
[void]$request.Attributes.Add("configurationnamingcontext")
[void]$request.Attributes.Add("rootdomainnamingcontext")
[void]$request.Attributes.Add("isGlobalCatalogReady")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does n
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:ForestRootDomainDN = $response.Entries[0].attributes.rootdomainnamingconte
$global:SchemaDN = $response.Entries[0].attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].attributes.configurationnamingcontext[0]
$global:strDomainDNName = $response.Entries[0].attributes.defaultnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
}
$global:DirContext = Get-DirContext $global:strDC $CREDS
$global:strDomainShortName = GetDomainShortName -strDomain $global:strDomainDNN
$global:strRootDomainShortName = GetDomainShortName -strDomain $global:ForestRoo
$global:DSType = "AD DS"
$global:bolADDSType = $true
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
$NCSelect = $true
$strNamingContextDN = $global:strDomainDNName
}
}
}
■}
#Connect to Config Naming Context
■If ($rdbDSConf.IsChecked)
■{
if ($global:bolRoot -eq $true)
{
if($global:strDomainSelect.Contains("."))
{
$global:TempDC = $global:strDomainSelect
$strSelectedDomain = "DC=" + $global:strDomainSelect.Replace(".",",DC=")
}
if ($null -eq $global:TempDC)
{
$LDAPConnection = $null
$request = $null
$response = $null
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection("")
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($null, "(objectCla
[void]$request.Attributes.Add("defaultnamingcontext")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:strDomainDNName = $response.Entries[0].attributes.defaultnamingcontext[0]
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not
}
if($global:bolLDAPConnection)
{
$global:strDomainPrinDNName = $global:strDomainDNName
$global:strDomainLongName = $global:strDomainDNName.Replace("DC=","")
$global:strDomainLongName = $global:strDomainLongName.Replace(",",".")
$Context = New-Object DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$glob
$ojbDomain = [DirectoryServices.ActiveDirectory.Domain]::GetDomain($Context)
$global:strDC = $($ojbDomain.FindDomainController()).name
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($g
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($null, "(objectC
[void]$request.Attributes.Add("dnshostname")
[void]$request.Attributes.Add("supportedcapabilities")
[void]$request.Attributes.Add("namingcontexts")
[void]$request.Attributes.Add("defaultnamingcontext")
[void]$request.Attributes.Add("schemanamingcontext")
[void]$request.Attributes.Add("configurationnamingcontext")
[void]$request.Attributes.Add("rootdomainnamingcontext")
[void]$request.Attributes.Add("isGlobalCatalogReady")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does n
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:ForestRootDomainDN = $response.Entries[0].attributes.rootdomainnamingconte
$global:SchemaDN = $response.Entries[0].attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].attributes.configurationnamingcontext[0]
$global:strDomainDNName = $response.Entries[0].attributes.defaultnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
}
$global:DirContext = Get-DirContext $global:strDC -CREDS $CREDS
$global:strDomainShortName = GetDomainShortName -strDomain $global:strDomainDNN
$global:strRootDomainShortName = GetDomainShortName -strDomain $global:ForestRoo
$global:DSType = "AD DS"
$global:bolADDSType = $true
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
$NCSelect = $true
$strNamingContextDN = $global:ConfigDN
}
}
else
{
$strNamingContextDN = $global:strDomainSelect
If(CheckDNExist -sADobjectName $strNamingContextDN -strDC $global:TempDC -CREDS $
{
$root = New-Object system.directoryservices.directoryEntry("LDAP://"+$strNamingContextDN
$global:strDomainDNName = $root.distinguishedName.tostring()
$global:strDomainPrinDNName = $global:strDomainDNName
$global:strDomainLongName = $global:strDomainDNName.Replace("DC=","")
$global:strDomainLongName = $global:strDomainLongName.Replace(",",".")
$Context = New-Object DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$global
$ojbDomain = [DirectoryServices.ActiveDirectory.Domain]::GetDomain($Context)
$global:strDC = $($ojbDomain.FindDomainController()).name
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($glob
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($null, "(objectCla
[void]$request.Attributes.Add("dnshostname")
[void]$request.Attributes.Add("supportedcapabilities")
[void]$request.Attributes.Add("namingcontexts")
[void]$request.Attributes.Add("defaultnamingcontext")
[void]$request.Attributes.Add("schemanamingcontext")
[void]$request.Attributes.Add("configurationnamingcontext")
[void]$request.Attributes.Add("rootdomainnamingcontext")
[void]$request.Attributes.Add("isGlobalCatalogReady")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:ForestRootDomainDN = $response.Entries[0].attributes.rootdomainnamingcontext[
$global:SchemaDN = $response.Entries[0].attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].attributes.configurationnamingcontext[0]
$global:strDomainDNName = $response.Entries[0].attributes.defaultnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
}
$global:DirContext = Get-DirContext $global:strDC -CREDS $CREDS
$global:strDomainShortName = GetDomainShortName -strDomain $global:strDomainDNNam
$global:strRootDomainShortName = GetDomainShortName -strDomain $global:ForestRootD
$global:DSType = "AD DS"
$global:bolADDSType = $true
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
$NCSelect = $true
$strNamingContextDN = $global:ConfigDN
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not
$global:bolConnected = $false
}
}
}
■}
#Connect to Schema Naming Context
■If ($rdbDSSchm.IsChecked)
■{
if ($global:bolRoot -eq $true)
{
$LDAPConnection = $null
$request = $null
$response = $null
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection("")
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($null, "(objectClass
[void]$request.Attributes.Add("defaultnamingcontext")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:strDomainDNName = $response.Entries[0].Attributes.defaultnamingcontext[0]
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not ex
}
if($global:bolLDAPConnection)
{
$global:strDomainPrinDNName = $global:strDomainDNName
$global:strDomainLongName = $global:strDomainDNName.Replace("DC=","")
$global:strDomainLongName = $global:strDomainLongName.Replace(",",".")
$Context = New-Object DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$global
$ojbDomain = [DirectoryServices.ActiveDirectory.Domain]::GetDomain($Context)
$global:strDC = $($ojbDomain.FindDomainController()).name
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($glob
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($null, "(objectCla
[void]$request.Attributes.Add("dnshostname")
[void]$request.Attributes.Add("supportedcapabilities")
[void]$request.Attributes.Add("namingcontexts")
[void]$request.Attributes.Add("defaultnamingcontext")
[void]$request.Attributes.Add("schemanamingcontext")
[void]$request.Attributes.Add("configurationnamingcontext")
[void]$request.Attributes.Add("rootdomainnamingcontext")
[void]$request.Attributes.Add("isGlobalCatalogReady")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:ForestRootDomainDN = $response.Entries[0].attributes.rootdomainnamingcontext[
$global:SchemaDN = $response.Entries[0].attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].attributes.configurationnamingcontext[0]
$global:strDomainDNName = $response.Entries[0].attributes.defaultnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
}
$global:DirContext = Get-DirContext $global:strDC $CREDS
$global:strDomainShortName = GetDomainShortName -strDomain $global:strDomainDNNam
$global:strRootDomainShortName = GetDomainShortName -strDomain $global:ForestRootD
$global:DSType = "AD DS"
$global:bolADDSType = $true
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
$NCSelect = $true
$strNamingContextDN = $global:SchemaDN
}
}
■}
#Connect to Custom Naming Context■
If ($rdbCustomNC.IsChecked)
■{
if (($txtBoxDomainConnect.Text.Length -gt 0) -or ($txtBdoxDSServer.Text.Length -gt 0) -or ($txtBd
{
$strNamingContextDN = $txtBoxDomainConnect.Text
if($txtBdoxDSServer.Text -eq "")
{
if($txtBdoxDSServerPort.Text -eq "")
{
$global:strDC = ""
}
else
{
$global:strDC = "localhost:" +$txtBdoxDSServerPort.text
}
}
else
{
$global:strDC = $txtBdoxDSServer.Text +":" +$txtBdoxDSServerPort.text
if($txtBdoxDSServerPort.Text -eq "")
{
$global:strDC = $txtBdoxDSServer.Text
}
else
{
$global:strDC = $txtBdoxDSServer.Text +":" +$txtBdoxDSServerPort.text
}
}
$global:bolLDAPConnection = $false
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($g
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest("", "(objectCla
if($global:bolShowDeleted)
{
[string] $LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
[void]$request.Controls.Add((New-Object "System.DirectoryServices.Protocols.Directory
}
[void]$request.Attributes.Add("dnshostname")
[void]$request.Attributes.Add("supportedcapabilities")
[void]$request.Attributes.Add("namingcontexts")
[void]$request.Attributes.Add("defaultnamingcontext")
[void]$request.Attributes.Add("schemanamingcontext")
[void]$request.Attributes.Add("configurationnamingcontext")
[void]$request.Attributes.Add("rootdomainnamingcontext")
[void]$request.Attributes.Add("isGlobalCatalogReady")
■ try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does n
■ }
if($global:bolLDAPConnection -eq $true)
{
$strPrimaryCapability= $response.Entries[0].attributes.supportedcapabilities[0]
Switch ($strPrimaryCapability)
{
"1.2.840.113556.1.4.1851"
{
$global:DSType = "AD LDS"
$global:bolADDSType = $false
$global:strDomainDNName = $response.Entries[0].Attributes.namingcontexts[-1]
$global:SchemaDN = $response.Entries[0].Attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].Attributes.configurationnamingcontext[0]
if($txtBdoxDSServerPort.Text -eq "")
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0]
}
}
else
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0] +":" +$txtBdo
}
}
}
"1.2.840.113556.1.4.800"
{
$global:DSType = "AD DS"
$global:bolADDSType = $true
$global:ForestRootDomainDN = $response.Entries[0].Attributes.rootdomainnaming
$global:strDomainDNName = $response.Entries[0].Attributes.defaultnamingcontext
$global:SchemaDN = $response.Entries[0].Attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].Attributes.configurationnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
if($txtBdoxDSServerPort.Text -eq "")
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0]
}
}
else
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0] +":" +$txtBdo
}
}
$global:strDomainPrinDNName = $global:strDomainDNName
$global:strDomainShortName = GetDomainShortName -strDomain $global:strDoma
$global:strRootDomainShortName = GetDomainShortName -strDomain $global:Fo
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
}
default
{
$global:ForestRootDomainDN = $response.Entries[0].Attributes.rootdomainnaming
$global:strDomainDNName = $response.Entries[0].Attributes.defaultnamingcontext
$global:SchemaDN = $response.Entries[0].Attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].Attributes.configurationnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
if($txtBdoxDSServerPort.Text -eq "")
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0]
}
else
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0] +":" +$txtBdoxD
}
}
}
if($strNamingContextDN -eq "")
{
$strNamingContextDN = $global:strDomainDNName
}
If(CheckDNExist -sADobjectName $strNamingContextDN -strDC $global:strDC -CREDS
{
$NCSelect = $true
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain doe
$global:bolConnected = $false
}
}#bolLDAPConnection
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! No naming context or
$global:bolConnected = $false
}
■}
If ($NCSelect -eq $true)
{
■ If (!($strLastCacheGuidsDom -eq $global:strDomainDNName))
■ {
■ $global:dicRightsGuids = @{"Seed" = "xxx"}
■ CacheRightsGuids -CREDS $CREDS
■ $strLastCacheGuidsDom = $global:strDomainDNName
■ }
#Check Directory Service type
$global:DSType = ""
$global:bolADDSType = $false
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:st
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest("", "(objectClass=*)", "
$response = $LDAPConnection.SendRequest($request)
$strPrimaryCapability= $response.Entries[0].attributes.supportedcapabilities[0]
Switch ($strPrimaryCapability)
{
"1.2.840.113556.1.4.1851"
{
$global:DSType = "AD LDS"
}
"1.2.840.113556.1.4.800"
{
$global:DSType = "AD DS"
$global:bolADDSType = $true
}
default
{
$global:DSType = "Unknown"
}
}
$global:observableCollection.Insert(0,(LogMessage -strMessage "Connected to directory service
#Plaing with AD LDS Locally
$global:TreeViewRootPath = $strNamingContextDN
$xml = Get-XMLDomainOUTree $global:TreeViewRootPath -CREDS $CREDS
# Change XML Document, XPath and Refresh
$xmlprov.Document = $xml
$xmlProv.XPath = "/DomainRoot"
$xmlProv.Refresh()
$global:bolConnected = $true
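# Materialise the embedded tree-view icons in %TEMP% on first use. Each image is kept as a
# base64 string in a file-level variable ($OUpng, $Expandpng, ...) and written, decoded, to
# a fixed file name under $env:temp that the tree XML refers to by path.
#
# NOTE(review): the names are fixed and an existing file is trusted as-is (the Test-Path
# guard skips the write), so whatever already sits at e.g. %TEMP%\OU.png is what the GUI
# loads. Impact is cosmetic (icons only), but a per-run sub-folder would avoid sharing
# state with other processes if that ever matters.
#
# Ordered list of (file name, base64 payload) pairs. Plain nested arrays rather than
# [ordered]@{} so this stays valid on PowerShell 2.0, which the connect handler still
# checks for further down.
$icons = @(
    @("OU.png",        $OUpng),
    @("Expand.png",    $Expandpng),
    @("User.png",      $Userpng),
    @("Group.png",     $Grouppng),
    @("Computer.png",  $Computerpng),
    @("Container.png", $Containerpng),
    @("DomainDNS.png", $DomainDNSpng),
    @("Other.png",     $Otherpng),
    @("refresh.png",   $refreshpng),
    @("exclude.png",   $excludepng)
)
foreach ($icon in $icons)
{
    # Same path construction as before ($env:temp + "\" + name) so existing references match.
    $candidate = $env:temp + "\" + $icon[0]
    If (!(Test-Path $candidate))
    {
        # $IconFilePath / $bytes are only assigned on a write, exactly as the unrolled version did.
        $IconFilePath = $candidate
        $bytes = [Convert]::FromBase64String($icon[1])
        [IO.File]::WriteAllBytes($IconFilePath, $bytes)
    }
}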
#Test PS Version DeleteCommand requries PS 3.0 and above
if ($PSVersionTable.PSVersion -gt "2.0")
{
try
■{
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■}
■catch
■{
■■$global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not exist or
■}
if($global:bolLDAPConnection -eq $true)
{
$global:DomainSID = GetSidStringFromSidByte $response.Entries[0].attributes.objectsid.GetValue
}
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not exist
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:ForestRootDomainSID = GetSidStringFromSidByte $response.Entries[0].attributes.obje
}
}
else
{
$global:strForestDC = $global:strDC
$global:ForestRootDomainSID = $global:DomainSID
}
}
})
$chkBoxCreds.add_UnChecked({
    # Drop the stored credential as soon as the "use credentials" box is cleared,
    # so it does not outlive the user's choice to use it.
    Set-Variable -Name CREDS -Scope Script -Value $null
})
$btnScan.add_Click(
{
    # Scan button: snapshot the two option boxes (presumably read by the scan
    # routines through the caller's scope — they are not passed as arguments)
    # and dispatch to compare mode or to a plain scan.
    $UseCanonicalName = $chkBoxUseCanonicalName.IsChecked
    $Protected = $chkBoxGetOUProtected.IsChecked
    if ($chkBoxCompare.IsChecked)
    {
        RunCompare -CREDS $script:CREDS
        return
    }
    RunScan -CREDS $script:CREDS
})
$btnCreateHTML.add_Click(
{
# Converts the template CSV named in the text box into the HTML report.
# Refuses when no file name is given; the directory-connection check is
# commented out below, so the conversion also runs while disconnected.
if ($txtCSVImport.Text -eq "")
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "No Template CSV file selected!" -s
}
else
{
#if ($global:bolConnected -eq $true)
#{
# NOTE(review): the other handlers pass $script:CREDS; the variable passed here is
# truncated in this copy ($CRED...) — confirm it is the same script-scoped credential.
ConvertCSVtoHTM $txtCSVImport.Text $chkBoxTranslateGUIDinCSV.isChecked -CREDS $CRED
#}
#else
#{
#$global:observableCollection.Insert(0,(LogMessage -strMessage "You need to connect to a director
#}
}
})
# Support button: emits the support statement; the generator takes no arguments.
$btnSupport.add_Click({ GenerateSupportStatement })
$btnExit.add_Click(
{
    # Exit handler: drop the session-wide caches and connection state, then close
    # the window.
    # NOTE(review): $script:CREDS is not cleared here (the two commented-out lines
    # below show it was considered) — confirm whether the stored credential should
    # also be dropped on exit.
    $globalsToRemove = @(
        'bolConnected', 'bolTempValue_InhertiedChkBox', 'dicDCSpecialSids',
        'dicNameToSchemaIDGUIDs', 'dicRightsGuids', 'dicSchemaIDGUIDs',
        'dicSidToName', 'dicWellKnownSids', 'myPID', 'observableCollection',
        'strDomainPrinDNName', 'strDomainSelect', 'strEffectiveRightAccount',
        'strEffectiveRightSP', 'strPinDomDC', 'strPrincipalDN', 'strPrinDomAttr',
        'strPrinDomDir', 'strPrinDomFlat', 'strSPNobjectClass', 'tokens'
    )
    $localsToClear = $globalsToRemove + @(
        'strDC', 'strDomainDNName', 'strDomainLongName', 'strDomainShortName', 'strOwner'
    )
    # No -Scope is given, so these only create $null variables in the handler's own
    # scope (shadowing the globals); the globals themselves go away in the loop below.
    foreach ($name in $localsToClear)
    {
        Set-Variable -Name $name -Value $null
    }
    #$CREDS = $null
    #remove-variable -name "CREDS"
    foreach ($name in $globalsToRemove)
    {
        Remove-Variable -Name $name -Scope Global
    }
    # Best-effort removal of the XML document: errors are silenced for this step only.
    $ErrorActionPreference = "SilentlyContinue"
    & {
        $xmlDoc = $null
        Remove-Variable -Name "xmlDoc" -Scope Global
    }
    # NOTE(review): `SilentlyContinue` inside the trap is a bare command name, not an
    # error-action value — presumably intended as a no-op; left unchanged.
    Trap [SystemException]
    {
        SilentlyContinue
    }
    $ErrorActionPreference = "Continue"
    $Window.close()
})
$treeView1.add_SelectedItemChanged({
$txtBoxSelected.Text = (Get-XMLPath -xmlElement ($this.SelectedItem))
if ($this.SelectedItem.Tag -eq "NotEnumerated")
{
$xmlNode = $global:xmlDoc
$NodeDNPath = $($this.SelectedItem.ParentNode.Text.toString())
[void]$this.SelectedItem.ParentNode.removeChild($this.SelectedItem);
$Mynodes = $xmlNode.SelectNodes("//OU[@Text='$NodeDNPath']")
$treeNodePath = $NodeDNPath
}
else
{
#Set the bolean to true so connection will be performed unless an error occur
$bolContinue = $true
if($global:csvHistACLs[0].Object)
{
$strOUcol = $global:csvHistACLs[0].Object
}
else
{
$strOUcol = $global:csvHistACLs[0].OU
}
if($strOUcol.Contains("<DOMAIN-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<DOMAIN-DN>",$global:strDomainDNName)
}
if($strOUcol.Contains("<ROOT-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<ROOT-DN>",$global:ForestRootDomainDN)
if($global:strDomainDNName -ne $global:ForestRootDomainDN)
{
if($global:IS_GC -eq "TRUE")
{
$MsgBox = [System.Windows.Forms.MessageBox]::Show("You are not connecte
if($MsgBox -eq "Yes")
{
if($global:strDC.contains(":"))
{
$global:strDC = $global:strDC.split(":")[0] + ":3268"
}
else
{
$global:strDC = $global:strDC + ":3268"
}
}
else
{
$bolContinue = $false
}
}
else
{
$MsgBox = [System.Windows.Forms.MessageBox]::Show("You are not connecte
$bolContinue = $false
}
}
}
if($txtReplaceDN.text.Length -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace $txtReplaceDN.text,$global:strDomainDNName)
}
$sADobjectName = $strOUcol
#Verify if the connection can be done
if($bolContinue)
{
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnectio
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
if($global:bolShowDeleted)
{
[string] $LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
[void]$request.Controls.Add((New-Object "System.DirectoryServices.Protocols.Dire
}
$request.DistinguishedName = $sADobjectName
$request.Filter = "(name=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("name")
$response = $LDAPConnection.SendRequest($request)
$ADobject = $response.Entries[0]
$strNode = fixfilename $ADobject.attributes.name[0]
}
else
{
#Set the node to empty , no connection will be done
$strNode = ""
}
}
#if not is empty continue
if($strNode -ne "")
{
$bolTranslateGUIDStoObject = $false
$date= get-date -uformat %Y%m%d_%H%M%S
$strNode = fixfilename $strNode
■ $strFileCSV = $txtTempFolder.Text + "\" +$strNode + "_" + $global:strDomainShortName
$strFileEXCEL = $txtTempFolder.Text + "\" +$strNode + "_" + $global:strDomainShortNa
$strFileHTA = $env:temp + "\"+$global:ACLHTMLFileName+".hta"
$strFileHTM = $env:temp + "\"+"$global:strDomainShortName-$strNode-$global:Session
if(!($bolCSV))
{■■
if(!($rdbEXcel.IsChecked))
{■■ ■
if ($chkBoxFilter.IsChecked)
{
■■ CreateHTA "$global:strDomainShortName-$strNode Filtered" $strFileHTA $strFile
■■ CreateHTM "$global:strDomainShortName-$strNode Filtered" $strFileHTM■
}
else
{
CreateHTA "$global:strDomainShortName-$strNode" $strFileHTA $strFileHTM $
■■ CreateHTM "$global:strDomainShortName-$strNode" $strFileHTM■
}
■ InitiateHTM $strFileHTA $strNode $txtBoxSelected.Text.ToString() $chkBoxReplMe
■ InitiateHTM $strFileHTM $strNode $txtBoxSelected.Text.ToString() $chkBoxReplMe
$Format = "HTML"
$Show = $true
}
else
{
$Format = "EXCEL"
$Show = $false
}
}
else
{
if($rdbOnlyCSV.IsChecked)
{
$Format = "CSV"
}
if($rdbOnlyCSVTEMPLATE.IsChecked)
{
$Format = "CSVTEMPLATE"
}
$Show = $false
}
If (($txtBoxSelected.Text.ToString().Length -gt 0) -or (($chkBoxTemplateNodes.IsCheck
{
#Select type of scope
■■ If ($rdbBase.IsChecked -eq $False)
■■ {
If ($rdbSubtree.IsChecked -eq $true)
■■ {
■■■ if($rdbScanFilter.IsChecked -eq $true)
{
$allSubOU = GetAllChildNodes -firstnode $txtBoxSelected.Text -scope "subtre
}
else
{
$allSubOU = GetAllChildNodes -firstnode $txtBoxSelected.Text -scope "subtre
}
}
else
{
■■■ if($rdbScanFilter.IsChecked -eq $true)
{
$allSubOU = GetAllChildNodes -firstnode $txtBoxSelected.Text -scope "onele
}
else
{
$allSubOU = GetAllChildNodes -firstnode $txtBoxSelected.Text -scope "onelev
}
}■
}
■■ else
■■ {
■■■ $allSubOU = @($txtBoxSelected.Text)
■■ }
#if any objects found compare ACLs
if($allSubOU.count -gt 0)
{■■■
$TemplateFilter = $combReturns.SelectedItem
$bolToFile = $true
#Used from comand line only
$FilterBuiltin = $false
Get-PermCompare $allSubOU $BolSkipDefPerm $BolSkipProtectedPerm $chkBox
}■
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "No objects return
}
■■ $global:observableCollection.Insert(0,(LogMessage -strMessage "Finished" -strType "In
■ }# End If txtBoxSelected or chkBoxTemplateNodes
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Could not connect to $
}#End if not is empty
}#else if test column names exist
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "CSV file got wrong for
} #End if test column names exist
} # End If Verify that a successful CSV import is performed before continue
}#End If $chkBoxEffectiveRights.isChecked -or $chkBoxFilter.isChecked
}#End If Test-Path
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "CSV file not found!" -strType
}#End If Test-Path Else
}# End If
#Restore the DC string to its original
$global:strDC = $global:ResetDCvalue
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "No object selected!" -strType "E
}
$allSubOU = ""
$strFileCSV = ""
$strFileHTA = ""
$strFileHTM = ""
$sADobjectName = ""
$date= ""
}
function RunScan
{
param(
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
if($rdbGPO.isChecked)
{
$GPO = $true
}
if($chkBoxSeverity.isChecked -or $chkBoxEffectiveRightsColor.isChecked)
{
$bolShowCriticalityColor = $true
}
else
{
$bolShowCriticalityColor = $false
}
$bolPreChecks = $true
If ($txtBoxSelected.Text)
{
If(($chkBoxFilter.IsChecked -eq $true) -and (($chkBoxType.IsChecked -eq $false) -and ($chkBoxOb
{
$response = $LDAPConnection.SendRequest($request)
$ADobject = $response.Entries[0]
#Verify that attributes can be read
if($null -ne $ADobject.distinguishedName)
{
if($null -ne $ADobject.Attributes.name)
{
$strNode = $ADobject.Attributes.name[0]
}
else
{
$strNode = $ADobject.distinguishedName
}
■ if($GPO)
{
$strNode = $strNode + "_GPOs"
}
$bolTranslateGUIDStoObject = $false
$date= get-date -uformat %Y%m%d_%H%M%S
$strNode = fixfilename $strNode
■ $strFileCSV = $txtTempFolder.Text + "\" +$strNode + "_" + $global:strDomainShortName + "_ad
$strFileEXCEL = $txtTempFolder.Text + "\" +$strNode + "_" + $global:strDomainShortName + "
■ $strFileHTA = $env:temp + "\"+$global:ACLHTMLFileName+".hta"
■ $strFileHTM = $env:temp + "\"+"$global:strDomainShortName-$strNode-$global:SessionID"+".ht
if(!($bolCSV))
{■■
if(!($rdbEXcel.IsChecked))
{■■ ■
if ($chkBoxFilter.IsChecked)
{
■■ CreateHTA "$global:strDomainShortName-$strNode Filtered" $strFileHTA $strFileHTM $
■■ CreateHTM "$global:strDomainShortName-$strNode Filtered" $strFileHTM■
}
else
{
CreateHTA "$global:strDomainShortName-$strNode" $strFileHTA $strFileHTM $Current
■■ CreateHTM "$global:strDomainShortName-$strNode" $strFileHTM■
}
■ InitiateHTM $strFileHTA $strNode $txtBoxSelected.Text.ToString() $chkBoxReplMeta.IsChe
■ InitiateHTM $strFileHTM $strNode $txtBoxSelected.Text.ToString() $chkBoxReplMeta.IsCh
$Format = "HTML"
$Show = $true
}
else
{
$Format = "EXCEL"
$Show = $false
}
}
else
{
if($rdbOnlyCSV.IsChecked)
{
$Format = "CSV"
}
if($rdbOnlyCSVTEMPLATE.IsChecked)
{
$Format = "CSVTEMPLATE"
}
$Show = $false
} ■■
■ If ($txtBoxSelected.Text.ToString().Length -gt 0)
{
#Select type of scope
■■ If ($rdbBase.IsChecked -eq $true)
■■ {
$Scope = "base"
}
If ($rdbOneLevel.IsChecked -eq $true)
■■ {
■■■ $Scope = "onelevel"
}
If ($rdbSubtree.IsChecked -eq $true)
■■ {
■■■ $Scope = "subtree"
}
$IncludeInherited = $chkInheritedPerm.IsChecked
■$strFilterOUCont = "(&(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=domain
■$strFilterAll = "(objectClass=*)"
if($global:bolShowDeleted)
{
[string] $LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
[void]$request.Controls.Add((New-Object "System.DirectoryServices.Protocols.DirectoryControl" -
}
$request.DistinguishedName = $ADSObject
# Single line Directory searcher
# set a filter
■If ($rdbBrowseAll.IsChecked -eq $true)
■{
■$request.Filter = $strFilterAll
■■
■}
■else
■{
■$request.Filter = $strFilterOUCont
■}
# set search scope
$request.Scope = "OneLevel"
[void]$request.Attributes.Add("name")
[void]$request.Attributes.Add("objectclass")
#for paged search, the response for paged search result control - we will need a cookie from res
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using range
$colResults = $response.Entries
■ foreach ($objResult in $colResults)
■ {
■■ $NewOUNode = $global:xmlDoc.createElement("OU");
if ($objResult.attributes.Count -ne 0)
{
# Add an Attribute for the Name
if (($null -ne $($objResult.attributes.name[0])))
■■ {
# Add an Attribute for the Name
$OUName = "$($objResult.attributes.name[0])"
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Name" -value $OUName
$DNName = $objResult.distinguishedname
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Text" -value $DNName
Switch ($objResult.attributes.objectclass[$objResult.attributes.objectclass.count-1])
{
"domainDNS"
{
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Img" -value "$env:temp\Doma
}
"OrganizationalUnit"
{
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Img" -value "$env:temp\OU.pn
}
"user"
{
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Img" -value "$env:temp\User.
}
"group"
{
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Img" -value "$env:temp\Group
}
"computer"
{
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Img" -value "$env:temp\Comp
}
"container"
{
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Img" -value "$env:temp\Conta
}
default
{
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Img" -value "$env:temp\Other.
}
}
AddXMLAttribute -node ([ref]$NewOUNode) -szName "Tag" -value "Enumerated"
$child = $node.appendChild($NewOUNode);
ProcessOUTreeStep2OnlyShow -node $NewOUNode -DNName $DNName -CREDS $C
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Could not read object
}
}
else
{
if ($null -ne $objResult.distinguishedname)
■■ {
# Add an Attribute for the Name
$DNName = $objResult.distinguishedname
$OUName = $DNName.toString().Split(",")[0]
if($OUName -match "=")
{
$OUName = $OUName.Split("=")[1]
}
#for paged search, the response for paged search result control - we will need a cookie from resul
if($global:PageSize -gt 0)
{
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged r
$colResults = $response.Entries
■ foreach ($objResult in $colResults)
■ {
if($intStop -eq 0)
{
$global:DirSrchResults = $objResult
if ($null -ne $global:DirSrchResults.attributes)
{
■■
# Add an Attribute for the Name
$NewOUNode = $global:xmlDoc.createElement("OU");
# Add an Attribute for the Name
}
else
{
$node = $global:xmlDoc.documentElement;
#Process the OU tree
ProcessOUTree -node $node -ADSObject $treeNodePath -CREDS $CREDS
return $global:xmlDoc
}
# Lookup caches used while translating ACEs; the 'Seed' entry is presumably a
# placeholder so the tables are never empty — TODO confirm it is never matched.
$global:dicRightsGuids = @{ 'Seed' = 'xxx' }
$global:dicSidToName = @{ 'Seed' = 'xxx' }
$global:dicSidToObject = @{ 'Seed' = 'xxx' }

# Built-in groups that exist on domain controllers only (name -> SID).
$global:dicDCSpecialSids = @{
    'BUILTIN\Incoming Forest Trust Builders'      = 'S-1-5-32-557'
    'BUILTIN\Account Operators'                   = 'S-1-5-32-548'
    'BUILTIN\Server Operators'                    = 'S-1-5-32-549'
    'BUILTIN\Pre-Windows 2000 Compatible Access'  = 'S-1-5-32-554'
    'BUILTIN\Terminal Server License Servers'     = 'S-1-5-32-561'
    'BUILTIN\Windows Authorization Access Group'  = 'S-1-5-32-560'
}

# Well-known SIDs (SID -> display name) that are not resolvable through the directory.
# NOTE(review): S-1-5-32-548 and S-1-5-32-554 carry a 'BUILTIN\' prefix while the
# neighbouring built-in groups do not, and 'Identityl' looks like a typo; the strings
# are kept byte-for-byte because existing reports and filters may match on them.
$global:dicWellKnownSids = @{
    'S-1-0'              = 'Null Authority'
    'S-1-0-0'            = 'Nobody'
    'S-1-1'              = 'World Authority'
    'S-1-1-0'            = 'Everyone'
    'S-1-2'              = 'Local Authority'
    'S-1-2-0'            = 'Local '
    'S-1-2-1'            = 'Console Logon '
    'S-1-3'              = 'Creator Authority'
    'S-1-3-0'            = 'Creator Owner'
    'S-1-3-1'            = 'Creator Group'
    'S-1-3-2'            = 'Creator Owner Server'
    'S-1-3-3'            = 'Creator Group Server'
    'S-1-3-4'            = 'Owner Rights'
    'S-1-4'              = 'Non-unique Authority'
    'S-1-5'              = 'NT Authority'
    'S-1-5-1'            = 'Dialup'
    'S-1-5-2'            = 'Network'
    'S-1-5-3'            = 'Batch'
    'S-1-5-4'            = 'Interactive'
    'S-1-5-6'            = 'Service'
    'S-1-5-7'            = 'Anonymous'
    'S-1-5-8'            = 'Proxy'
    'S-1-5-9'            = 'Enterprise Domain Controllers'
    'S-1-5-10'           = 'Principal Self'
    'S-1-5-11'           = 'Authenticated Users'
    'S-1-5-12'           = 'Restricted Code'
    'S-1-5-13'           = 'Terminal Server Users'
    'S-1-5-14'           = 'Remote Interactive Logon'
    'S-1-5-15'           = 'This Organization'
    'S-1-5-17'           = 'IUSR'
    'S-1-5-18'           = 'Local System'
    'S-1-5-19'           = 'NT Authority'
    'S-1-5-20'           = 'NT Authority'
    'S-1-5-22'           = 'ENTERPRISE READ-ONLY DOMAIN CONTROLLERS BETA'
    'S-1-5-32-544'       = 'Administrators'
    'S-1-5-32-545'       = 'Users'
    'S-1-5-32-546'       = 'Guests'
    'S-1-5-32-547'       = 'Power Users'
    'S-1-5-32-548'       = 'BUILTIN\Account Operators'
    'S-1-5-32-549'       = 'Server Operators'
    'S-1-5-32-550'       = 'Print Operators'
    'S-1-5-32-551'       = 'Backup Operators'
    'S-1-5-32-552'       = 'Replicator'
    'S-1-5-32-554'       = 'BUILTIN\Pre-Windows 2000 Compatible Access'
    'S-1-5-32-555'       = 'BUILTIN\Remote Desktop Users'
    'S-1-5-32-556'       = 'BUILTIN\Network Configuration Operators'
    'S-1-5-32-557'       = 'BUILTIN\Incoming Forest Trust Builders'
    'S-1-5-32-558'       = 'BUILTIN\Performance Monitor Users'
    'S-1-5-32-559'       = 'BUILTIN\Performance Log Users'
    'S-1-5-32-560'       = 'BUILTIN\Windows Authorization Access Group'
    'S-1-5-32-561'       = 'BUILTIN\Terminal Server License Servers'
    'S-1-5-32-562'       = 'BUILTIN\Distributed COM Users'
    'S-1-5-32-568'       = 'BUILTIN\IIS_IUSRS'
    'S-1-5-32-569'       = 'BUILTIN\Cryptographic Operators'
    'S-1-5-32-573'       = 'BUILTIN\Event Log Readers '
    'S-1-5-32-574'       = 'BUILTIN\Certificate Service DCOM Access'
    'S-1-5-32-575'       = 'BUILTIN\RDS Remote Access Servers'
    'S-1-5-32-576'       = 'BUILTIN\RDS Endpoint Servers'
    'S-1-5-32-577'       = 'BUILTIN\RDS Management Servers'
    'S-1-5-32-578'       = 'BUILTIN\Hyper-V Administrators'
    'S-1-5-32-579'       = 'BUILTIN\Access Control Assistance Operators'
    'S-1-5-32-580'       = 'BUILTIN\Remote Management Users'
    'S-1-5-33'           = 'Write Restricted Code'
    'S-1-5-64-10'        = 'NTLM Authentication'
    'S-1-5-64-14'        = 'SChannel Authentication'
    'S-1-5-64-21'        = 'Digest Authentication'
    'S-1-5-65-1'         = 'This Organization Certificate'
    'S-1-5-80'           = 'NT Service'
    'S-1-5-84-0-0-0-0-0' = 'User Mode Drivers'
    'S-1-5-113'          = 'Local Account'
    'S-1-5-114'          = 'Local Account And Member Of Administrators Group'
    'S-1-5-1000'         = 'Other Organization'
    'S-1-15-2-1'         = 'All App Packages'
    'S-1-16-0'           = 'Untrusted Mandatory Level'
    'S-1-16-4096'        = 'Low Mandatory Level'
    'S-1-16-8192'        = 'Medium Mandatory Level'
    'S-1-16-8448'        = 'Medium Plus Mandatory Level'
    'S-1-16-12288'       = 'High Mandatory Level'
    'S-1-16-16384'       = 'System Mandatory Level'
    'S-1-16-20480'       = 'Protected Process Mandatory Level'
    'S-1-16-28672'       = 'Secure Process Mandatory Level'
    'S-1-18-1'           = 'Authentication Authority Asserted Identityl'
    'S-1-18-2'           = 'Service Asserted Identity'
}
# Function    : Create-CanonicalName
# Arguments : [string] distinguishedName
# Returns     : [string] CanonicalName
# Description : This function will create a canonical name of a distinguishedName string
#
#==========================================================================
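Function Create-CanonicalName
{
    <#
    .SYNOPSIS
    Builds the canonical name (domain.tld/Container/Leaf) of a distinguishedName.
    .PARAMETER distinguishedname
    The distinguishedName to convert. Callers pass a single string; the [System.Array]
    type coerces it to a one-element array, which is joined back before splitting.
    .OUTPUTS
    [string] e.g. "corp.com/Users/Joe" for "CN=Joe,OU=Users,DC=corp,DC=com".
    RDN values are copied verbatim (escape sequences are not decoded). A DN with no
    non-DC components yields "domain/" with nothing after the slash, as before.
    #>
    param (
        [Parameter(Mandatory=$True)]
        [System.Array]$distinguishedname
    )
    [string]$dnText = ($distinguishedname -join ',')
    # Split on RDN separators only: a comma escaped with a backslash ("CN=Smith\, John")
    # belongs to the value. (An escaped backslash followed by a comma, "\\,", is not
    # handled and would still split.) Previously every comma split, corrupting such names.
    $rdns = @($dnText -split '(?<!\\),')
    $domainParts = New-Object System.Collections.ArrayList
    $pathParts = New-Object System.Collections.ArrayList
    foreach ($rdn in $rdns)
    {
        # Strip the attribute type up to the first '=' instead of a fixed three characters,
        # so types longer than two letters do not leave part of the type in the output.
        $value = $rdn
        $eq = $rdn.IndexOf([char]'=')
        if ($eq -ge 0)
        {
            $value = $rdn.Substring($eq + 1)
        }
        # Anchored to the start of the RDN: an RDN whose value merely contains "dc=" is
        # not a domain component. (The old loop also read one index past the end.)
        if ($rdn.TrimStart() -match '^dc=')
        {
            [void]$domainParts.Add($value)
        }
        else
        {
            [void]$pathParts.Add($value)
        }
    }
    # Domain components keep DN order (corp.com); the remaining RDNs are reversed so
    # the path reads from the top-level container down to the leaf.
    $pathParts.Reverse()
    return (($domainParts -join '.') + '/' + ($pathParts -join '/'))
}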
#==========================================================================
# Function    : Get-LargeNestedADGroup
# Arguments : DC name, DN of Group, Object type, Array of Members
# Returns     : Array of Members
# Description : This function enumerates large groups and returns direct and recursive members
#
#==========================================================================
Function Get-LargeNestedADGroup
{
# Expands a group's membership through ADO ranged retrieval of the "member"
# attribute (ranges of $RangeStep+1 values per query) and recurses into nested
# groups, collecting the distinguishedNames of members of the requested class.
# Arguments : $strDC - domain controller used for both the ADO query and the LDAP reads
#             $GroupDN - distinguishedName of the group to expand
#             $Output - object class to return; "*" returns every class
#             $MembersExpanded - ArrayList the members are appended to (created when absent)
#             $CREDS - optional credential; when absent the current identity binds
# Returns   : the ArrayList of member distinguishedNames
Param (
# Domain Controller
[Parameter(Mandatory=$false)]
[ValidateNotNull()]
[ValidateNotNullOrEmpty()]
[string]$strDC,
# DistinguishedName of the group
[Parameter(Mandatory=$false)]
[ValidateNotNull()]
[ValidateNotNullOrEmpty()]
[string]$GroupDN,
# Returns members of type
[Parameter(Mandatory=$false)]
[ValidateSet("*", "User", "Group", "Computer")]
[ValidateNotNull()]
[ValidateNotNullOrEmpty()]
[String]
$Output = "*",
[System.Collections.ArrayList]
$MembersExpanded,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS
)
begin
{
$null = Add-Type -AssemblyName System.DirectoryServices.Protocols
# One accumulator is shared by the whole recursion (it is handed down in the
# recursive call below).
if(-not($MembersExpanded))
{
$MembersExpanded = New-Object System.Collections.ArrayList
}
}
Process
{
# Use ADO to search entire domain.
# NOTE(review): the DirectoryEntry and the ADO connection below both receive the
# password as a plain string (GetNetworkCredential().password); keep this scope
# free of tracing or logging of $CREDS / $adoConnection.Properties.
if($CREDS)
{
$Root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$strDC/$GroupDN",$($CRED
$($CREDS.GetNetworkCredential().password ),
[System.DirectoryServices.AuthenticationTypes]::Secure )
}
else
{
$Root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$strDC/$GroupDN")
}
# ADSI authentication flag values OR'd into the "ADSI Flag" property.
# NOTE(review): the line combining them is truncated in this copy — confirm
# $ADS_USE_SIGNING is included so the ADO bind requests signing.
$ADS_SECURE_AUTHENTICATION = 1
$ADS_USE_SIGNING = 64
$ADS_SERVER_BIND = 512
$adoConnection = New-Object -comObject "ADODB.Connection"
$adoConnection.Provider = "ADsDSOObject"
if($CREDS)
{
$adoConnection.Properties("User ID") = $($CREDS.UserName)
$adoConnection.Properties("Password") = $($CREDS.GetNetworkCredential().password )
$adoConnection.Properties("Encrypt Password") = "True"
}
$adoConnection.Properties("ADSI Flag") = $ADS_SERVER_BIND -bor $ADS_SECURE_AUTHENTICA
$adoCommand = New-Object -comObject "ADODB.Command"
#$adoConnection.Open("Provider=ADsDSOObject;")
$adoConnection.Open("Active Directory Provider")
$adoCommand.ActiveConnection = $adoConnection
$adoCommand.Properties.Item("Page Size") = 200
$adoCommand.Properties.Item("Timeout") = 30
$adoCommand.Properties.Item("Cache Results") = $False
# The query base is the DN read back from the bound object, not the caller's string.
$Base = $Root.distinguishedName
$Scope = "base"
$Filter = "(objectCategory=group)"
# Setup range limits.
$Last = $False
$RangeStep = 1499
$LowRange = 0
$HighRange = $LowRange + $RangeStep
$Total = 0
$ExitFlag = $False
Do
{
If ($Last -eq $True)
{
# Retrieve remaining members (less than 1000).
$Attributes = "member;range=$LowRange-*"
}
Else
{
# Retrieve 1000 members.
$Attributes = "member;range=$LowRange-$HighRange"
}
$Query = "<LDAP://$strDC/$Base>;$Filter;$Attributes;$Scope"
$adoCommand.CommandText = $Query
$adoRecordset = $adoCommand.Execute()
$Count = 0
$Members = $adoRecordset.Fields.Item("$Attributes").Value
If ($Members -eq $Null)
{
$Last = $True
}
Else
{
# If $Members is not an array, no members were retrieved.
# NOTE(review): a non-array value is treated as "no members" — confirm the
# provider never returns a scalar for a range holding a single value.
If ($Members.GetType().Name -eq "Object[]")
{
ForEach ($Member In $Members)
{
# Each member is read back over LDAP to learn its objectClass.
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($strD
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = $Member
$request.Filter = "(name=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("objectclass")
[void]$request.Attributes.Add("member")
Try{
$response = $LDAPConnection.SendRequest($request)
}
catch
{
# Unreadable member (e.g. a foreign security principal the DC cannot resolve) is skipped.
Write-Verbose "Error - Could not read objectClass $Member";
continue;
}
$ADObject = $response.Entries[0]
Try{
# The most specific class is the last value of objectClass.
$ObjectClass =$ADObject.attributes.objectclass[$ADObject.attributes.objectclass.count-1]
}
catch
{
Write-Verbose "Error - Could not read objectClass $Member";
continue;
}
if ($ObjectClass -eq "Group")
{
if(($ADObject.Attributes.AttributeNames -contains "member;range=0-1499") -or ($ADObjec
{
# NOTE(review): the visited check reads $global:colOfGroupMembersExpanded but the
# insert below writes $global:GroupMembersExpanded — if these are different
# variables, a membership cycle (A in B, B in A) is stopped only by the direct
# self-membership test and may recurse without bound; confirm the intended list.
if (($global:colOfGroupMembersExpanded -notcontains $Member) -and ($GroupDN -ne
{
$MembersExpanded = @(Get-LargeNestedADGroup $strDC $Member $Output $Mem
[void]$global:GroupMembersExpanded.insert(0, $Member)
}
}
}
# Output the distinguished name of each direct member of the group.
if (($Output -eq "*") -or ($ObjectClass -eq $Output))
{
if ($MembersExpanded -notcontains $Member)
{
[void]$MembersExpanded.add($Member)
}
}
$Count = $Count + 1
}
}
}
$adoRecordset.Close()
$Total = $Total + $Count
# If this is the last query, exit the Do loop.
If ($Last -eq $True) {$ExitFlag = $True}
Else
{
# If the previous query returned no members, the query failed.
# Perform one more query to retrieve remaining members (less than 1000).
If ($Count -eq 0) {$Last = $True}
Else
{
# Retrieve the next 1000 members.
$LowRange = $HighRange + 1
$HighRange = $LowRange + $RangeStep
}
}
} Until ($ExitFlag -eq $True)
}
End
{
# NOTE(review): the connection is closed only on the normal path; an exception
# inside Process leaves it open until the COM object is collected.
$adoConnection.Close()
return $MembersExpanded
}
}
#==========================================================================
# Function    : Test-ResolveDNS
# Arguments : DNS Name, DNS Server
# Returns     : boolean
# Description : This function tries to resolve a DNS record and returns true or false
#
#==========================================================================
Function Test-ResolveDNS
{
# Resolves $strDNS with Resolve-DnsName (all record types) and reports whether
# the first returned record carries an address.
# Arguments : $strDNS - name to resolve
#             $strDNSServer - DNS server to query; "" (the default) uses the system resolvers
# Returns   : [bool] $true when the first record has a non-null IPAddress
# NOTE(review): only the first record is inspected, so a reply whose first record
# is not an address record reports $false although the name resolved — confirm
# that is acceptable to the callers.
param
(
$strDNS,
$strDNSServer = ""
)
$bolResolved = $false
# Scratch globals; both are removed again before returning.
$global:bolDNSSuccess = $true
$global:DNSrslt = $null
try
{
# Written without a space before -eq; the tokenizer ends the variable name at '-'.
if($strDNSServer-eq "")
{
$global:DNSrslt = Resolve-DnsName -Type ALL -Name $strDNS -ErrorAction Stop
}
else
{
$global:DNSrslt = Resolve-DnsName -Type ALL -Name $strDNS -ErrorAction Stop -Server $str
}
}
catch
{
# Any resolver error (NXDOMAIN, timeout, unreachable server) counts as unresolved.
$global:bolDNSSuccess = $false
}
if($global:bolDNSSuccess)
{
if(($global:DNSrslt)[0].IPAddress -ne $null)
{
$bolResolved = $true
}
}
Remove-Variable bolDNSSuccess -Scope global
Remove-Variable DNSrslt -Scope global
return $bolResolved
}
#==========================================================================
# Function    : LogMessage
# Arguments : Type of message, message, date stamping
# Returns     : Custom psObject with two properties, type and message
# Description : This function creates a custom object that is used as input to an ListBox for logging pur
#
#==========================================================================
function LogMessage
{
# Builds the object that the log ListBox displays (inserted by callers via
# $global:observableCollection.Insert).
# Arguments : $strType - message class, stored as the Type property
#             $strMessage - message text, stored as the Message property
#             $DateStamp - when set, the message is prefixed (prefix text truncated in this copy)
# Returns   : PSObject with the properties Type and Message
# NOTE(review): both parameters are declared [String[]] but are expanded inside
# "..." strings, so an array value is joined with spaces into one string.
param (
[Parameter(
Mandatory = $true
)][String[]] $strType ,
[Parameter(
Mandatory = $true
)][String[]] $strMessage ,
[Parameter(
Mandatory = $false
)][switch]$DateStamp
)
process {
if ($DateStamp)
{
$newMessageObject = New-Object PSObject -Property @{Type="$strType";Message="[$(
}
else
{
$newMessageObject = New-Object PSObject -Property @{Type="$strType";Message="$s
}
return $newMessageObject
}
}
#==========================================================================
# Function    : ConvertTo-ObjectArrayListFromPsCustomObject
# Arguments : Defined Object
# Returns     : Custom Object List
# Description : Converts a defined object to a custom object; this helps when you have a read-only object
#
#==========================================================================
function ConvertTo-ObjectArrayListFromPsCustomObject
{
param (
[Parameter(
Position = 0,
Mandatory = $true,
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true
)] $psCustomObject
);
process {
}
catch
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not exist or ca
}
#If connection established list partitions
if($response)
{
$colResults = $response.Entries
foreach ($objResult in $colResults)
{
[void] $arrPartitions.add($objResult.attributes.dnsroot[0])
[void] $objListBoxDomainList.Items.Add($objResult.attributes.ncname[0])
}
}
#Get all incoming and bidirectional trusts
$request = New-Object System.directoryServices.Protocols.SearchRequest("CN=System,$global:strDo
[void]$request.Attributes.Add("trustpartner")
try
{
$response = $LDAPConnection.SendRequest($request)
}
catch
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! Domain does not exist or ca
}
#If connection established list partitions
if($response)
{
$colResults = $response.Entries
foreach ($objResult in $colResults)
{
$bolPartitionMatch = $false
foreach ($strPartition in $arrPartitions)
{
if($strPartition -eq $objResult.attributes.trustpartner[0])
{
$bolPartitionMatch = $true
}
}
if(!($bolPartitionMatch))
{
[void] $objListBoxDomainList.Items.Add($objResult.attributes.trustpartner[0])
}
}
}
if($objListBoxDomainList.Items.count -gt 0)
{
$DomainPickerGui.ShowDialog()
}
}
#==========================================================================
# Function    : Get-SchemaData
# Arguments :
# Returns     : string
# Description : Returns Schema Version
#==========================================================================
function Get-SchemaData
{
# Reads version / functional-level markers from the directory and writes a
# human-readable label into the GUI text boxes ($txtBoxExSchema, $txtBoxLyncSchema,
# $txtBoxADSchema, $txtBoxDFL, $txtBoxFFL, $txtListObjectMode).
# Arguments : $CREDS - credential used for the LDAP connection (presumably handed to the
#             LDAPConnection constructor on the truncated line below - confirm)
# Returns   : nothing is emitted; the header's "string" refers to the text-box values
# Globals   : reads $global:strDC, $global:SchemaDN, $global:strDomainDNName and the
#             $global:SchemaHash* / $global:*FLHashAD lookup tables
Param([System.Management.Automation.PSCredential] $CREDS)
■# Retrieve schema
# One connection serves all six searches below; referral chasing is off so the
# answer always comes from $global:strDC itself.
# NOTE(review): LdapConnection is IDisposable and is never disposed here - TODO confirm
# it is not reused and call Dispose() at the end.
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strDC,
$LDAPConnection.SessionOptions.ReferralChasing = "None"
# --- Exchange schema version (rangeUpper of the schema object searched on the truncated line) ---
$request = New-Object System.directoryServices.Protocols.SearchRequest("$global:SchemaDN", "(CN
[void]$request.Attributes.Add("rangeupper")
$response = $LDAPConnection.SendRequest($request)
$adObject = $response.Entries
# $adobject is the same variable as $adObject (PowerShell variable names are case-insensitive)
if(($null -ne $adObject) -and ($adobject.Count -ne 0 ))
{
# Every entry is visited; if more than one matches, the last one wins
foreach ($entry in $response.Entries)
{
■try
■{
■■[int] $ExchangeVersion = $entry.Attributes.rangeupper[0]
■■■■■
■■if ( $global:SchemaHashExchange.ContainsKey($ExchangeVersion) )
■■{
■■■$txtBoxExSchema.Text = $global:SchemaHashExchange[$ExchangeVersion]
■■}
■■else
■■{
■■■$txtBoxExSchema.Text = "Unknown"
■■}
■}
■catch
■{
# Missing attribute or a non-numeric value both land here
■■$txtBoxExSchema.Text = "Not Found"
■}
}
}
else
{
■$txtBoxExSchema.Text = "Not Found"
}
# --- Lync/Skype schema version, same rangeUpper pattern as above ---
$request = New-Object System.directoryServices.Protocols.SearchRequest("$global:SchemaDN", "(CN
[void]$request.Attributes.Add("rangeupper")
$response = $LDAPConnection.SendRequest($request)
$adObject = $response.Entries
if(($null -ne $adObject) -and ($adobject.Count -ne 0 ))
{
foreach ($entry in $response.Entries)
{
■try
■{
■■[int] $LyncVersion = $entry.Attributes.rangeupper[0]
■■■■■
■■if ( $global:SchemaHashLync.ContainsKey($LyncVersion) )
■■{
■■■$txtBoxLyncSchema.Text = $global:SchemaHashLync[$LyncVersion]
■■}
■■else
■■{
■■■$txtBoxLyncSchema.Text = "Unknown"
■■}
■}
■catch
■{
■■$txtBoxLyncSchema.Text = "Not Found"
■}
}
}
else
{
■$txtBoxLyncSchema.Text = "Not Found"
}
# --- AD schema version from objectVersion; the raw number is shown when it is not in the lookup table ---
$request = New-Object System.directoryServices.Protocols.SearchRequest("$global:SchemaDN", "(CN
[void]$request.Attributes.Add("objectversion")
$response = $LDAPConnection.SendRequest($request)
$adObject = $response.Entries
if(($null -ne $adObject) -and ($adobject.Count -ne 0 ))
{
foreach ($entry in $response.Entries)
{
■try
■{
■■$ADSchemaVersion = $entry.Attributes.objectversion[0]
■■■■■
■■if ( $global:SchemaHashAD.ContainsKey([int]$ADSchemaVersion) )
■■{
■■■$txtBoxADSchema.Text = $global:SchemaHashAD[[int]$ADSchemaVersion]
■■}
■■else
■■{
# Unlike the other sections this shows the raw version instead of "Unknown"
■■■$txtBoxADSchema.Text = $ADSchemaVersion
■■}
■}
■catch
■{
■■$txtBoxADSchema.Text = "Not Found"
■}
}
}
else
{
■$txtBoxADSchema.Text = "Not Found"
}
# --- Domain functional level: msDS-Behavior-Version of the domain NC head ---
$request = New-Object System.directoryServices.Protocols.SearchRequest("$global:strDomainDNNam
[void]$request.Attributes.Add("msds-behavior-version")
$response = $LDAPConnection.SendRequest($request)
$adObject = $response.Entries
if(($null -ne $adObject) -and ($adobject.Count -ne 0 ))
{
foreach ($entry in $response.Entries)
{
■try
■{
■■$ADDFL = $entry.Attributes.'msds-behavior-version'[0]
■■■■■
■■if ( $global:DomainFLHashAD.ContainsKey([int]$ADDFL) )
■■{
■■■$txtBoxDFL.Text = $global:DomainFLHashAD[[int]$ADDFL]
■■}
■■else
■■{
■■■$txtBoxDFL.Text = "Unknown"
■■}
■}
■catch
■{
■■$txtBoxDFL.Text = "Not Found"
■}
}
}
else
{
■$txtBoxDFL.Text = "Not Found"
}
# --- Forest functional level: msDS-Behavior-Version of the Partitions container ---
$request = New-Object System.directoryServices.Protocols.SearchRequest("CN=Partitions,CN=Config
[void]$request.Attributes.Add("msds-behavior-version")
$response = $LDAPConnection.SendRequest($request)
$adObject = $response.Entries
if(($null -ne $adObject) -and ($adobject.Count -ne 0 ))
{
foreach ($entry in $response.Entries)
{
■try
■{
■■$ADFFL = $entry.Attributes.'msds-behavior-version'[0]
■■■■■
■■if ( $global:ForestFLHashAD.ContainsKey([int]$ADFFL) )
■■{
■■■$txtBoxFFL.Text = $global:ForestFLHashAD[[int]$ADFFL]
■■}
■■else
■■{
■■■$txtBoxFFL.Text = "Unknown"
■■}
■}
■catch
■{
■■$txtBoxFFL.Text = "Not Found"
■}
}
}
else
{
■$txtBoxFFL.Text = "Not Found"
}
# --- List Object mode: third character (index 2) of dSHeuristics on the Directory Service object ---
$request = New-Object System.directoryServices.Protocols.SearchRequest("CN=Directory Service,CN
[void]$request.Attributes.Add("dsheuristics")
$response = $LDAPConnection.SendRequest($request)
$adObject = $response.Entries
if(($null -ne $adObject) -and ($adobject.Count -ne 0 ))
{
foreach ($entry in $response.Entries)
{
■try
■{
■■$DSHeuristics = $entry.Attributes.dsheuristics[0]
■■■■■
# NOTE(review): a dSHeuristics value shorter than 3 characters makes Substring throw,
# so it is reported as "Not Found" rather than "Disabled" - confirm that is intended.
■■if ($DSHeuristics.Substring(2,1) -eq "1")
■■{
■■■$txtListObjectMode.Text = "Enabled"
■■}
■■else
■■{
■■■$txtListObjectMode.Text = "Disabled"
■■}
■}
■catch
■{
■■$txtListObjectMode.Text = "Not Found"
■}
}
}
else
{
# No dSHeuristics attribute at all means the default, i.e. List Object mode off
■$txtListObjectMode.Text = "Disabled"
}
}
#==========================================================================
# Function■■: Get-HighestNetFrameWorkVer
# Arguments :
# Returns ■: string
# Description : Returns Highest .Net Framework Version
#==========================================================================
Function Get-HighestNetFrameWorkVer
{
# Returns the Version string of the most recent .NET Framework found in the
# local registry, trying the 4.6 / 4.5 / 4.0 / 3.5 / 3.0 / 2.0 / 1.1 / 1.0 tiers
# in descending order. Returns $null if no tier matches.
# The registry path on the next line is truncated in this listing; -EA 0 silences read errors.
$arrDotNetFrameWorkVersions = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup
Get-ItemProperty -name Version,Release -EA 0 |
# Keep subkeys whose name starts with a letter other than 'S' (e.g. drops the "Setup" keys)
Where-Object { $_.PSChildName -match '^(?!S)\p{L}'} |
Select-Object Version
# NOTE(review): Version is a string, so "-ge 4.6" is a string comparison; the numeric
# literal is converted to text. Works for 1.x-4.x but would mis-order a two-digit major.
# "-Last 1" picks the last key in enumeration order, not necessarily the highest - confirm.
$DotNetVer = $arrDotNetFrameWorkVersions | where-object{$_.version -ge 4.6} | Select-Object -Last 1
if($DotNetVer){$HighestDotNetFrmVer = $DotNetVer.Version}
else{
$DotNetVer = $arrDotNetFrameWorkVersions | where-object{$_.version -ge 4.5} | Select-Object -Last 1
if($DotNetVer){$HighestDotNetFrmVer = $DotNetVer.Version}
else{
$DotNetVer = $arrDotNetFrameWorkVersions | where-object{$_.version -ge 4.0} | Select-Object -Last 1
if($DotNetVer){$HighestDotNetFrmVer = $DotNetVer.Version}
else{
$DotNetVer = $arrDotNetFrameWorkVersions | where-object{$_.version -ge 3.5} | Select-Object -Last 1
if($DotNetVer){$HighestDotNetFrmVer = $DotNetVer.Version}
else{
$DotNetVer = $arrDotNetFrameWorkVersions | where-object{$_.version -ge 3.0} | Select-Object -Last 1
if($DotNetVer){$HighestDotNetFrmVer = $DotNetVer.Version}
else{
$DotNetVer = $arrDotNetFrameWorkVersions | where-object{$_.version -ge 2.0} | Select-Object -Last 1
if($DotNetVer){$HighestDotNetFrmVer = $DotNetVer.Version}
else{
$DotNetVer = $arrDotNetFrameWorkVersions | where-object{$_.version -ge 1.1} | Select-Object -Last 1
if($DotNetVer){$HighestDotNetFrmVer = $DotNetVer.Version}
else{
$DotNetVer = $arrDotNetFrameWorkVersions | where-object{$_.version -ge 1.0} | Select-Object -Last 1
if($DotNetVer){$HighestDotNetFrmVer = $DotNetVer.Version}
}}}}}}}
# Drop the temporaries before returning
Remove-variable DotNetVer,arrDotNetFrameWorkVersions
return $HighestDotNetFrmVer
}
#==========================================================================
# Function■■: GetDomainController
# Arguments : Domain FQDN,bol using creds, PSCredential
# Returns ■: Domain Controller
# Description : Locate a domain controller in a specified domain
#==========================================================================
Function GetDomainController
{
# Locates a domain controller for $strDomainFQDN via the DirectoryContext API.
# Arguments : $strDomainFQDN - domain name
#             $bolCreds      - $true to use $DCCREDS (the constructor arguments
#                              that differ between the branches are truncated here - confirm)
#             $DCCREDS       - optional credential
# Returns   : the DC name from FindDomainController(), or "" if neither branch runs
Param([string] $strDomainFQDN,
[bool] $bolCreds,
[parameter(Mandatory=$false)]
[System.Management.Automation.PSCredential] $DCCREDS)
$strDomainController = ""
if ($bolCreds -eq $true)
{
# Credentialed context (presumably $DCCREDS user/password on the truncated line)
$Context = New-Object DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$strDomainF
$ojbDomain = [DirectoryServices.ActiveDirectory.Domain]::GetDomain($Context)
$strDomainController = $($ojbDomain.FindDomainController()).name
}
else
{
# Context under the caller's own identity
$Context = New-Object DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$strDomainF
$ojbDomain = [DirectoryServices.ActiveDirectory.Domain]::GetDomain($Context)
$strDomainController = $($ojbDomain.FindDomainController()).name
}
return $strDomainController
}
#==========================================================================
# Function■■: Get-DirContext
# Arguments : string domain controller,credentials
# Returns ■: Directory context
# Description : Get Directory Context
#==========================================================================
function Get-DirContext
{
# Builds a DirectoryServer-scoped DirectoryContext for $DomainController,
# with or without explicit credentials.
# Arguments : $DomainController - server name; $CREDS - optional PSCredential
# Returns   : the DirectoryContext object
Param($DomainController,
[System.Management.Automation.PSCredential] $CREDS)
■if($CREDS)
■■{
# Constructor arguments are truncated in this listing; presumably user name and password from $CREDS
■■$Context = new-object DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer",$Doma
■}
■else
■{
■■$Context = New-Object DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer",$Dom
■}
■
return $Context
}
#==========================================================================
# Function■■: TestCreds
# Arguments : System.Management.Automation.PSCredential
# Returns ■: Boolean
# Description : Check whether the username and password are valid
#==========================================================================
Function TestCreds
{
Param([System.Management.Automation.PSCredential] $psCred)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
if ($psCred.UserName -match "\\")
{
If ($psCred.UserName.split("\")[0] -eq "")
{
[directoryservices.directoryEntry]$root = (New-Object system.directoryservices.directoryEntry)
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.Dire
}
else
{
$PrincipalDN,
[bool]
$bolCreds,
[parameter(Mandatory=$false)]
[System.Management.Automation.PSCredential]
$GetTokenCreds,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS
)
$script:bolErr = $false
$tokenGroups = New-Object System.Collections.ArrayList
$tokenGroups.Clear()
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($PrincipalDom
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = $PrincipalDN
$request.Filter = "(name=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("tokengroups")
[void]$request.Attributes.Add("tokengroupsglobalanduniversal")
[void]$request.Attributes.Add("objectsid")
$response = $LDAPConnection.SendRequest($request)
$ADobject = $response.Entries[0]
if ( $global:strDomainPrinDNName -eq $global:strDomainDNName )
{
$SIDs = $ADobject.Attributes.tokengroups
}
else
{
$SIDs = $ADobject.Attributes.tokengroupsglobalanduniversal
}
#Get selected principal SID
$ownerSIDs = (New-Object System.Security.Principal.SecurityIdentifier $ADobject.Attributes.objectsid[0
# Add selected principal SID to tokenGroups
[void]$tokenGroups.Add($ownerSIDs)
$arrForeignSecGroups = FindForeignSecPrinMemberships $(GenerateSearchAbleSID $ownerSIDs) $C
foreach ($ForeignMemb in $arrForeignSecGroups)
{
if($null -ne $ForeignMemb)
{
if($ForeignMemb.tostring().length -gt 0 )
{
[void]$tokenGroups.add($ForeignMemb)
}
}
}
# Populate hash table with security group memberships.
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($PrincipalDom
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = "CN=ForeignSecurityPrincipals,$global:strDomainDNName"
$request.Filter = "(CN=S-1-5-11)"
$request.Scope = "onelevel"
[void]$request.Attributes.Add("objectsid")
$response = $LDAPConnection.SendRequest($request)
$colResults = $response.Entries
foreach ($objResult in $colResults)
{
■
[byte[]] $byte = $objResult.Attributes.objectsid.GetValues([byte[]])[0]
$ForeignDefaultWellKnownSIDs = (New-Object System.Security.Principal.SecurityIdentifier($byte, 0)
$arrForeignSecGroups = FindForeignSecPrinMemberships $(GenerateSearchAbleSID $ForeignDefa
foreach ($ForeignMemb in $arrForeignSecGroups)
{
if($null -ne $ForeignMemb)
{
if($ForeignMemb.tostring().length -gt 0 )
{
[void]$tokenGroups.add($ForeignMemb)
}
}
}
}
#Add SID string to tokenGroups
ForEach ($Value In $SIDs)
{
$SID = New-Object System.Security.Principal.SecurityIdentifier $Value, 0
[void]$tokenGroups.Add($SID.Value)
}
#Add Everyone
[void]$tokenGroups.Add("S-1-1-0")
#Add Authenticated Users
[void]$tokenGroups.Add("S-1-5-11")
if(($global:strPrinDomAttr -eq 14) -or ($global:strPrinDomAttr -eq 18) -or ($global:strPrinDomAttr -eq "5C
{
#Add Other Organization
[void]$tokenGroups.Add("S-1-5-1000")
}
else
{
#Add This Organization
[void]$tokenGroups.Add("S-1-5-15")
}
#Remove duplicate
$tokenGroups = $tokenGroups | Select-Object -Unique
Return $tokenGroups
}
#==========================================================================
# Function■■: GenerateSearchAbleSID
# Arguments : SID Decimal form Value as string
# Returns ■: SID in string format for LDAP searches
# Description : Convert SID from decimal to hex with "\" for searching with LDAP
#==========================================================================
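Function GenerateSearchAbleSID
{
# Converts a SID string ("S-1-5-...") into its binary form written as
# backslash-escaped hex pairs ("\01\05\00...") so it can be placed in an LDAP
# filter such as (objectSID=...). Because every byte is escaped, the result
# contains no filter metacharacters regardless of the input SID.
# Arguments : $SidValue - SID in SDDL string form
# Returns   : the escaped hex string
# Throws    : ArgumentException from SecurityIdentifier when $SidValue is not a valid SID
Param([String] $SidValue)
# Create SID .NET object using SID string provided
$sid = New-Object system.Security.Principal.SecurityIdentifier $SidValue
# GetBinaryForm fills a caller-supplied buffer of BinaryLength bytes and returns nothing
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm( $sidBytes, 0 )
# Start from an empty string rather than an unset variable
[string] $strSIDHextString = ""
Foreach ($intSID in $sidBytes)
{
# Two upper-case hex digits per byte, each pair prefixed with "\"
$strSIDHextString += "\" + ("{0:X2}" -f [int] $intSID)
}
return $strSIDHextString
}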
#==========================================================================
# Function■■: FindForeignSecPrinMemberships
# Arguments : SID Decimal form Value as string
# Returns ■: Group names
# Description : Search for ForeignSecurityPrincipals and return their group memberships
#==========================================================================
Function FindForeignSecPrinMemberships
{
# Finds the ForeignSecurityPrincipal object whose objectSID matches
# $strSearchAbleSID and returns the SID strings of every group it is a member of.
# Arguments : $strSearchAbleSID - objectSID already escaped as "\XX\XX..." (see GenerateSearchAbleSID)
#             $ForeignCREDS     - credential for the LDAP connections (constructor lines are truncated here)
# Returns   : ArrayList of group SID strings (empty when nothing matches)
# Globals   : reads $global:strDC and $global:strDomainDNName
Param([string] $strSearchAbleSID,
[System.Management.Automation.PSCredential] $ForeignCREDS)
$arrForeignMembership = New-Object System.Collections.ArrayList
[void]$arrForeignMembership.clear()
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strDC,
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = "CN=ForeignSecurityPrincipals,$global:strDomainDNName"
# The SID is interpolated straight into the filter; this is only safe because the
# caller passes the byte-escaped form, which cannot contain filter metacharacters.
$request.Filter = "(&(objectSID=$strSearchAbleSID))"
$request.Scope = "Subtree"
[void]$request.Attributes.Add("memberof")
$response = $LDAPConnection.SendRequest($request)
Foreach ( $obj in $response.Entries)
{
$index = 0
# Walk memberOf one DN at a time (the collection was read above, so reusing
# $LDAPConnection/$request/$response inside the loop does not disturb the iteration)
while($index -le $obj.Attributes.memberof.count -1)
{
$member = $obj.Attributes.memberof[$index]
# A fresh connection per group: base-scope read of the group's objectSid
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:st
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = $member
$request.Filter = "(name=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("objectsid")
$response = $LDAPConnection.SendRequest($request)
$ADobject = $response.Entries[0]
$strPrinName = New-Object System.Security.Principal.SecurityIdentifier $($ADobject.Attributes.ob
[void]$arrForeignMembership.add($strPrinName.Value)
$index++
}
}
return $arrForeignMembership
}
#==========================================================================
# Function■■: GetSidStringFromSidByte
# Arguments : SID Value in Byte[]
# Returns ■: SID in String format
# Description : Convert SID from Byte[] to String
#==========================================================================
Function GetSidStringFromSidByte
{
# Turns a binary SID into its "S-1-..." text form.
# Arguments : $SidByte - SID bytes as stored in objectSid
# Returns   : the SID string
Param([byte[]] $SidByte)
# Parse from offset 0 of the byte array; Value is already the textual SID
$sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$SidByte, 0)
return [string]$sid.Value
}
#==========================================================================
# Function■■: GetSecPrinDN
# Arguments : samAccountName
# Returns ■: DistinguishedName
# Description : Search Security Principal and Return DistinguishedName
#==========================================================================
Function GetSecPrinDN
{
# Looks up a security principal by sAMAccountName in the default naming context
# of $strDomainDC and returns its distinguishedName.
# Arguments : $samAccountName - account name to find
#             $strDomainDC    - directory server to query
#             $bolCreds       - not referenced in the visible body
#             $CREDS          - optional credential (connection constructor lines are truncated here)
# Returns   : the DN, or "" when the entry has no attributes
# Side effect: also stores the result in $global:strPrincipalDN
Param([string] $samAccountName,
[string] $strDomainDC,
[bool] $bolCreds,
[parameter(Mandatory=$false)]
[System.Management.Automation.PSCredential] $CREDS)
# First query: rootDSE (no DistinguishedName set) to learn the default naming context
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($strDomainDC
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.Filter = "(name=*)"
$request.Scope = "Base"
$response = $LDAPConnection.SendRequest($request)
$strPrinDomDefNC = $response.Entries[0].Attributes.defaultnamingcontext[0]
# Second query: subtree search for the account under that naming context
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($strDomainDC
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = $strPrinDomDefNC
# NOTE(review): $samAccountName is interpolated unescaped into the LDAP filter. It comes from
# user input, so filter metacharacters ( ) * \ in it change the query; escaping them (RFC 4515)
# before building the filter would keep the search limited to an exact name match.
$request.Filter = "(&(samAccountName=$samAccountName))"
$request.Scope = "Subtree"
[void]$request.Attributes.Add("name")
$response = $LDAPConnection.SendRequest($request)
# NOTE(review): indexing [0] on an empty result set throws rather than returning "" - confirm callers handle that
$ADobject = $response.Entries[0]
if($ADobject.Attributes.Count -gt 0)
{
■$global:strPrincipalDN = $ADobject.distinguishedname
}
else
{
$global:strPrincipalDN = ""
}
return $global:strPrincipalDN
}
#==========================================================================
# Function■■: GetSchemaObjectGUID
# Arguments : Object Guid or Rights Guid
# Returns ■: LDAPDisplayName or DisplayName
# Description : Searches in the dictionaries(Hash) dicRightsGuids and $global:dicSchemaIDGUIDs an
#■■■■for the name of the object or Extended Right, if found in Schema the dicRightsGuids is updated
#■■■■Then the functions return the name(LDAPDisplayName or DisplayName).
#==========================================================================
Function GetSchemaObjectGUID
{
# Caches schema objects (schemaIDGUID -> lDAPDisplayName and the reverse) into
# $global:dicSchemaIDGUIDs / $global:dicNameToSchemaIDGUIDs from a paged search.
# NOTE(review): this listing appears spliced - the search request that fills $response
# and $pagedRqc, and the loop that the "break" statements exit, are not visible here,
# and the braces do not balance. The comments below describe only what is shown.
# Arguments : $Domain - unused in the visible body; $CREDS - optional credential
# Returns   : $strOut, which is never assigned after its initial ""
Param(
[string]
$Domain,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
■[string] $strOut =""
■[string] $strLDAPname = ""
BuildSchemaDic
#for paged search, the response for paged search result control - we will need a cookie from resul
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
# Pick the first paging control out of the response controls
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged r
$colResults = $response.Entries
■ foreach ($objResult in $colResults)
■ {
■■ $strLDAPname = $objResult.attributes.ldapdisplayname[0]
■■ $guidGUID = [System.GUID] $objResult.attributes.schemaidguid[0]
# GUIDs are keyed in upper case throughout the script
$strGUID = $guidGUID.toString().toUpper()
■■ If (!($global:dicSchemaIDGUIDs.ContainsKey($strGUID)))
{
$global:dicSchemaIDGUIDs.Add($strGUID,$strLDAPname)
$global:dicNameToSchemaIDGUIDs.Add($strLDAPname,$strGUID)
}
■■■■
■ }
if($global:PageSize -gt 0) {
if ($prrc.Cookie.Length -eq 0) {
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
} else {
#exit the processing for non-paged search
break;
}
}
■
■return $strOut
}
#==========================================================================
# Function■■: CheckDNExist
# Arguments : string distinguishedName, string directory server
# Returns ■: Boolean
# Description : Check If distinguishedName exist
#==========================================================================
function CheckDNExist
{
# Tests whether an object with distinguishedName $sADobjectName can be read
# from $strDC with a base-scope search.
# Arguments : $sADobjectName - DN to test; $strDC - directory server; $CREDS - optional credential
# Returns   : $false when the search throws or the entry has no DN, $true when it does;
#             when the search returns zero entries the function falls off the end
#             and emits nothing (evaluates as $false in a boolean context).
# Globals   : $global:bolShowDeleted adds the show-deleted control so tombstones count as existing
Param (
$sADobjectName,
[string]
$strDC,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS
)
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($strDC, $CR
#$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
if($global:bolShowDeleted)
{
# LDAP_SERVER_SHOW_DELETED_OID lets the search see deleted objects
[string] $LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
[void]$request.Controls.Add((New-Object "System.DirectoryServices.Protocols.DirectoryControl" -
}
$request.DistinguishedName = $sADobjectName
$request.Filter = "(name=*)"
$request.Scope = "Base"
■try
■{
$response = $LDAPConnection.SendRequest($request)
■}
■catch
■{
# Any directory error (no such object, referral, access denied, ...) is reported as "does not exist"
■■return $false
■}
if($response.Entries.count -gt 0)
{
$ADobject = $response.Entries[0]
If($null -eq $ADobject.distinguishedname)
{return $false}
else
{return $true}
}
}
#==========================================================================
# Function■■: TestCSVColumnsDefaultSD
# Arguments : CSV import for Default Security descriptor
# Returns ■: Boolean
# Description : Search for all required column names in the CSV and return true or false
#==========================================================================
function TestCSVColumnsDefaultSD
{
# Checks that an imported default-security-descriptor CSV carries every
# column this tool needs: Name, distinguishedName, Version, ModifiedDate, SDDL.
# Arguments : $CSVImport - objects from Import-Csv (or any objects with NoteProperty headers)
# Returns   : $true only when all five columns are present
param($CSVImport)
$bolColumExist = $false
# Column names are the NoteProperty names of the first object (line truncated in this listing)
$colHeaders = ( $CSVImport | Get-member -MemberType 'NoteProperty' | Select-Object -ExpandPrope
$bolName = $false
$boldistinguishedName = $false
$bolVersion = $false
$bolModifiedDate = $false
$bolSDDL = $false
# Comparison is case-insensitive (-eq) and ignores surrounding whitespace (Trim)
Foreach ($ColumnName in $colHeaders )
{
if($ColumnName.Trim() -eq "Name")
{
$bolName = $true
}
if($ColumnName.Trim() -eq "distinguishedName")
{
$boldistinguishedName = $true
}
if($ColumnName.Trim() -eq "Version")
{
$bolVersion = $true
}
if($ColumnName.Trim() -eq "ModifiedDate")
{
$bolModifiedDate = $true
}
if($ColumnName.Trim() -eq "SDDL")
{
$bolSDDL = $true
}
}
#if test column names exist
if($bolName -and $boldistinguishedName -and $bolVersion -and $bolModifiedDate -and $bolSDDL)
{
$bolColumExist = $true
}
return $bolColumExist
}
#==========================================================================
# Function■■: TestCSVColumns
# Arguments : CSV import
# Returns ■: Boolean
# Description : Search for all required column names in the CSV and return true or false
#==========================================================================
function TestCSVColumns
{
param($CSVImport)
$bolColumExist = $false
$colHeaders = ( $CSVImport | Get-member -MemberType 'NoteProperty' | Select-Object -ExpandPrope
$bolAccessControlType = $false
$bolActiveDirectoryRights = $false
$bolIdentityReference = $false
$bolInheritanceFlags = $false
$bolInheritanceType = $false
$bolInheritedObjectType = $false
$bolInvocationID = $false
$bolIsInherited = $false
$bolObjectFlags= $false
$bolObjectType = $false
$bolOrgUSN= $false
$bolOU = $false
$bolPropagationFlags = $false
$bolSDDate = $false
Foreach ($ColumnName in $colHeaders )
{
if($ColumnName.Trim() -eq "AccessControlType")
{
$bolAccessControlType = $true
}
if($ColumnName.Trim() -eq "ActiveDirectoryRights")
{
$bolActiveDirectoryRights = $true
}
if($ColumnName.Trim() -eq "IdentityReference")
{
$bolIdentityReference = $true
}
if($ColumnName.Trim() -eq "InheritanceFlags")
{
$bolInheritanceFlags = $true
}
if($ColumnName.Trim() -eq "InheritanceType")
{
$bolInheritanceType = $true
}
if($ColumnName.Trim() -eq "InheritedObjectType")
{
$bolInheritedObjectType = $true
}
if($ColumnName.Trim() -eq "InvocationID")
{
$bolInvocationID = $true
}
if($ColumnName.Trim() -eq "IsInherited")
{
$bolIsInherited = $true
}
}
}
else
{
$nodelist += $firstnode
}
}
}#End if Scope = onelevel
$request.filter = $ReqFilter
if($ExcludedDNs)
{
$arrExcludedDN = $ExcludedDNs.split(";")
while ($true)
{
try
{
$response = $LdapConnection.SendRequest($request, (new-object System.Timespan(0,0,$glob
}
catch
{
if($_.Exception.Message.tostring() -match "The search filter is invalid")
{
$global:SearchFailed = $true
if($global:bolCMD)
{
Write-host "The search filter is invalid"
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "The search filter is invali
}
break
}
}
#for paged search, the response for paged search result control - we will need a cookie from result la
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged retr
$colResults = $response.Entries
$intTotalSearch = $colResults.Count
$intNomatch = 0
■foreach ($objResult in $colResults)
■{
$bolInclude = $true
Foreach( $strExcludeDN in $arrExcludedDN)
{
if(!($objResult.distinguishedName -notmatch $strExcludeDN ))
{
$bolInclude = $false
break
}
}
#Add objects with distinguihsedname not matching string
if($bolInclude)
{
#Reverse string to be able to sort output
$nodelist += $objResult.distinguishedName
$intNomatch++
}
}
if($global:PageSize -gt 0) {
if ($prrc.Cookie.Length -eq 0) {
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
} else {
#exit the processing for non-paged search
break;
}
} #End While
#Caclulate number of objects exluded in search
$global:intObjExluced = $intTotalSearch - $intNomatch
# Log information about skipped objects
if($global:bolCMD)
{
Write-host "Number of objects excluded: $global:intObjExluced"
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Number of objects excluded: $g
}
}
# If no string in Excluded String box
else
{
$colResults = @()
while ($true)
{
try
{
$response = $LdapConnection.SendRequest($request, (new-object System.Timespan(0,0,$global
}
catch
{
if($_.Exception.Message.tostring() -match "The search filter is invalid")
{
$global:SearchFailed = $true
if($global:bolCMD)
{
Write-host "The search filter is invalid"
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "The search filter is invali
}
break
}
}
#for paged search, the response for paged search result control - we will need a cookie from resul
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged r
if($GPO)
{
$colResults = $response.Entries
■ foreach ($objResult in $colResults)
■ {
$gplink = $objResult.attributes.gplink[0]
$arrLinks = @($gplink.split("["))
return $ReturnShortName
}
#==========================================================================
# Function■■: Get-ProtectedPerm
# Arguments :
# Returns ■: ArrayList
# Description : Creates the Security Descriptor with the "Protect object from accidental deletion" ACEs
#==========================================================================
Function Get-ProtectedPerm
{
# Builds the ACE objects that "Protect object from accidental deletion" adds
# (DeleteChild / DeleteTree denies) as an ArrayList for comparison with a real SD.
# Arguments : none
# Returns   : ArrayList - see the review note below about its actual contents
$sdProtectedDeletion = New-Object System.Collections.ArrayList
$sdProtectedDeletion.clear()
# ACE property lines are truncated in this listing
$protectedDeletionsACE1 = New-Object PSObject -Property @{ActiveDirectoryRights="DeleteChild";In
InheritedObjectType="00000000-0000-0000-0000-000000000000";ObjectFlags="None";AccessControl
InheritanceFlags="None";PropagationFlags="None"}
# NOTE(review): $protectedDeletionsACE (no suffix) is never assigned, so this inserts $null;
# it looks like a leftover from before the ACE1/ACE2/ACE3 split and can probably be removed.
[void]$sdProtectedDeletion.insert(0,$protectedDeletionsACE)
$protectedDeletionsACE2 = New-Object PSObject -Property @{ActiveDirectoryRights="DeleteChild, De
InheritedObjectType="00000000-0000-0000-0000-000000000000";ObjectFlags="ObjectAceTypePresen
InheritanceFlags="None";PropagationFlags="None"}
$protectedDeletionsACE3 = New-Object PSObject -Property @{ActiveDirectoryRights="DeleteTree, De
InheritedObjectType="00000000-0000-0000-0000-000000000000";ObjectFlags="None";AccessControl
InheritanceFlags="None";PropagationFlags="None"}
# Insert(index, object) stores the three ACEs as ONE array element at index 0, ahead of the
# $null from above - callers presumably rely on pipeline unrolling; confirm this is intended.
[void]$sdProtectedDeletion.insert(0,@($protectedDeletionsACE1,$protectedDeletionsACE2,$protected
return $sdProtectedDeletion
}
#==========================================================================
# Function■■: Get-DefaultPermissions
# Arguments : Object Class, Trustee Name
# Returns ■: ArrayList
# Description : Fetch the Default Security Descriptor with the Default
#==========================================================================
Function Get-DefaultPermissions
{
Param(
$strObjectClass,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
$sdOUDef = New-Object System.Collections.ArrayList
$sdOUDef.clear()
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strDC,
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest("$global:SchemaDN", "(lda
[void]$request.Attributes.Add("defaultsecuritydescriptor")
$response = $LDAPConnection.SendRequest($request)
$colResults = $response.Entries
foreach ($entry in $response.Entries)
{
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
$defSD = ""
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
Try{
$sec.SetSecurityDescriptorSddlForm($entry.Attributes.defaultsecuritydescriptor[0])
}
catch
{
if($bolCMD)
{
Write-host "The SDDL string contains an invalid sid or a sid that cannot be translated." -Foreg
Write-host "Only domain-joined computers can translate some sids." -ForegroundColor Red
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "The SDDL string contains a
$global:observableCollection.Insert(0,(LogMessage -strMessage "Only domain-joined compu
}
}
}
$defSD = $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
$sec = $null
}
if($null -ne $defSD){
$(ConvertTo-ObjectArrayListFromPsCustomObject $defSD)| ForEach-Object{[void]$sdOUDef.add($_)
$defSD = $null
if ($strObjectClass -eq "computer")
{
if($global:intObjeComputer -eq 0)
{
$global:additionalComputerACE1 = New-Object PSObject -Property @{ActiveDirectoryRights="De
InheritedObjectType="00000000-0000-0000-0000-000000000000";ObjectFlags="None";AccessCo
InheritanceFlags="None";PropagationFlags="None"}
#[void]$sdOUDef.insert(0,$global:additionalComputerACE)
$global:additionalComputerACE2 = New-Object PSObject -Property @{ActiveDirectoryRights="Wr
InheritedObjectType="00000000-0000-0000-0000-000000000000";ObjectFlags="ObjectAceTypeP
InheritanceFlags="None";PropagationFlags="None"}
#[void]$sdOUDef.insert(0,$global:additionalComputerACE)
$global:additionalComputerACE3 = New-Object PSObject -Property @{ActiveDirectoryRights="Wr
InheritedObjectType="00000000-0000-0000-0000-000000000000";ObjectFlags="ObjectAceTypeP
InheritanceFlags="None";PropagationFlags="None"}
#[void]$sdOUDef.insert(0,$global:additionalComputerACE)
$global:additionalComputerACE4 = New-Object PSObject -Property @{ActiveDirectoryRights="Wr
InheritedObjectType="00000000-0000-0000-0000-000000000000";ObjectFlags="ObjectAceTypeP
InheritanceFlags="None";PropagationFlags="None"}
#[void]$sdOUDef.insert(0,$global:additionalComputerACE)
$global:additionalComputerACE5 = New-Object PSObject -Property @{ActiveDirectoryRights="Wr
InheritedObjectType="00000000-0000-0000-0000-000000000000";ObjectFlags="ObjectAceTypeP
InheritanceFlags="None";PropagationFlags="None"}
#[void]$sdOUDef.insert(0,$global:additionalComputerACE)
$global:additionalComputerACE6 = New-Object PSObject -Property @{ActiveDirectoryRights="Wr
InheritedObjectType="00000000-0000-0000-0000-000000000000";ObjectFlags="ObjectAceTypeP
InheritanceFlags="None";PropagationFlags="None"}
#[void]$sdOUDef.insert(0,$global:additionalComputerACE)
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
■[string] $strOut = $strGUIDAsString
■[string] $strLDAPname = ""
■If ($strGUIDAsString -eq "")
■{
■ Break
■}
■$strGUIDAsString = $strGUIDAsString.toUpper()
■if ($global:dicRightsGuids.ContainsKey($strGUIDAsString))
■{
■■$strOut =$global:dicRightsGuids.Item($strGUIDAsString)
■}
■If ($strOut -eq $strGUIDAsString)
■{ #Didn't find a match in extended rights
■■If ($global:dicSchemaIDGUIDs.ContainsKey($strGUIDAsString))
■■{
■■■$strOut =$global:dicSchemaIDGUIDs.Item($strGUIDAsString)
■■}
■■else
■■{
■■
■■ if ($strGUIDAsString -match("^(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0
■■ {
■■ ■
■■■$ConvertGUID = ConvertGUID($strGUIDAsString)
■■
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$searcher = New-Object System.directoryServices.Protocols.SearchRequest
$searcher.DistinguishedName = $global:SchemaDN
[void]$searcher.Attributes.Add("cn")
[void]$searcher.Attributes.Add("name")
[void]$searcher.Attributes.Add("ldapdisplayname")
■■■$searcher.filter = "(&(schemaIDGUID=$ConvertGUID))"
$searcherSent = $LDAPConnection.SendRequest($searcher)
$objSchemaObject = $searcherSent.Entries[0]
■■■ if ($objSchemaObject)
■■■ {
■■■■$strLDAPname =$objSchemaObject.attributes.ldapdisplayname[0]
■■■■$global:dicSchemaIDGUIDs.Add($strGUIDAsString.toUpper(),$strLDAPname)
■■■■$strOut=$strLDAPname
■■■■
■■■ }
■■}
■ }
■}
■return $strOut
}
#==========================================================================
# Function■■: ConvertGUID
# Arguments : Object Guid or Rights Guid
# Returns ■: AD Searchable GUID String
# Description : Convert a GUID to a string
#==========================================================================
Function ConvertGUID
{
# Rewrites a GUID string into the byte-escaped form AD expects in an LDAP filter
# (e.g. for schemaIDGUID=...): the first three fields are emitted little-endian,
# the remaining bytes in place, every byte as "\xx".
# Arguments : $guid - GUID text, with or without dashes
# Returns   : the escaped string
Param($guid)
# 32 hex digits as 16 two-character capture groups
$hexPairs = '(.{2})' * 16
# Output order of those groups: Data1 and Data2/Data3 reversed, Data4 as-is
$byteOrder = @(4,3,2,1,6,5,8,7,9,10,11,12,13,14,15,16)
$replacement = ($byteOrder | ForEach-Object { '\$' + $_ }) -join ''
$undashed = $guid.replace("-","")
$escaped = [regex]::Replace($undashed, $hexPairs, $replacement)
# Drop any stray double-quote characters so the result is a clean filter value
return $escaped.Replace('"','')
}
#==========================================================================
# Function■■: fixfilename
# Arguments : Text for naming text file
# Returns ■: Text with replace special characters
# Description : Replace characters that cannot be contained in a file name.
#==========================================================================
function fixfilename
{
# Replaces the characters Windows forbids in file names (* / \ : < > | " ?) with "#"
# so that arbitrary distinguishedNames can be used as report file names.
# Arguments : $strFileName - proposed file name ($null is coerced to "" by [string]).
# Returns   : the sanitised name; unchanged when none of those characters occur.
Param([string] $strFileName)
# One regex pass over the same nine characters the per-character Replace() chain covered.
$strSafeName = $strFileName -replace '[*/\\:<>|"?]', '#'
return $strSafeName
}
#==========================================================================
# Function■■: WritePermCSV
# Arguments : Security Descriptor, OU distinguishedName, Output text file
# Returns ■: n/a
# Description : Writes the SD to a text file.
#==========================================================================
function WritePermCSV
{
Param($sd,[string]$object,[string]$canonical,[string]$objType,[string] $fileout, [bool] $ACLMeta,[string
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
$sd | foreach {
#Convert SID to Names for lookups
$strPrincipalName = $_.IdentityReference.toString()
■ If ($strPrincipalName -match "S-1-")
■ {
■ $strPrincipalName = ConvertSidToName -server $global:strDomainLongName -Sid $strPrincipal
■ }
# Add Translated object GUID information to output
if($TranslateGUID -eq $True)
{
■ if($($_.InheritedObjectType.toString()) -ne "00000000-0000-0000-0000-000000000000" )
{
if($compare)
{
Add-Member -InputObject $objCSVLine -MemberType NoteProperty -Name "State" -value $_.S
}
if($Outfile)
{
export-csv -InputObject $objCSVLine -Path $fileout -Encoding UTF8 -NoClobber -NoTypeInform
}
else
{
return $objCSVLine
}
}
}
#==========================================================================
# Function■■: GetObjectTypeFromSid
# Arguments : SID string
# Returns ■: Object type of Security Object
# Description : Try to get the object class of the object a SID refers to
#==========================================================================
function GetObjectTypeFromSid
{
# Resolves a SID to the objectClass of the directory object it identifies.
# Arguments : $server - not referenced in the visible body; the LDAPConnection
#                       constructor line is truncated in this listing, so it may be
#                       used there — confirm.
#             $sid    - SID string (e.g. "S-1-5-21-...").
#             $CREDS  - optional credential; likewise not visibly used — confirm.
# Returns   : the last value of the objectclass attribute (the most specific class),
#             or $null when the lookup fails. Successful lookups are cached in
#             $global:dicSidToObject; failures are not cached, so they are retried.
Param($server,$sid,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
$strObjectType = $null
# $ID is never read afterwards; constructing it presumably serves only to reject a
# malformed SID string before it is interpolated into the search DN below — confirm.
$ID = New-Object System.Security.Principal.SecurityIdentifier($sid)
If ($global:dicSidToObject.ContainsKey($sid))
{
■$strObjectType =$global:dicSidToObject.Item($sid)
}
else
{
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strD
# Referral chasing is off so the base-scope query is answered by the chosen server only.
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
if($global:bolShowDeleted)
{
# LDAP_SERVER_SHOW_DELETED_OID: asks the DC to include tombstoned objects in the result.
[string] $LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
[void]$request.Controls.Add((New-Object "System.DirectoryServices.Protocols.DirectoryControl" -
}
# "<SID=...>" is the extended-DN syntax that lets a base search address an object by SID.
$request.DistinguishedName = "<SID=$sid>"
$request.Filter = "(name=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("objectclass")
try
{
$response = $LDAPConnection.SendRequest($request)
$result = $response.Entries[0]
# objectclass holds the class chain (top, ..., user); the last value is the most specific.
■ $strObjectType = $result.attributes.objectclass[-1]
}
catch
{
# Any failure (no entry, access denied, connection error) is treated as "type unknown".
}
if($null -ne $strObjectType )
{
$global:dicSidToObject.Add($sid,$strObjectType)
}
}
return $strObjectType
}
#==========================================================================
# Function■■: ConvertSidToName
# Arguments : SID string
# Returns ■: Friendly Name of Security Object
# Description : Try to translate the SID; if that fails, try to match a well-known SID.
#==========================================================================
function ConvertSidToName
{
# Translates a SID to a friendly account name.
# Resolution order: local NTAccount translation -> $global:dicWellKnownSids (when the
# translation throws) -> $global:dicSidToName cache -> LDAP "<SID=...>" base lookup ->
# the raw SID string when nothing else produced a name.
# Arguments : $server - not referenced in the visible body; the LDAPConnection
#                       constructor line is truncated here, so it may be used there.
#             $sid    - SID string.
#             $CREDS  - optional credential; not visibly used either — confirm.
# Returns   : "DOMAIN\samAccountName", the well-known name, the object's DN, or $sid.
# Side effects: $global:strAccNameTranslation is used as scratch state and entries are
#               added to $global:dicSidToName, so the function is not re-entrant.
Param($server,$sid,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
$global:strAccNameTranslation = ""
$ID = New-Object System.Security.Principal.SecurityIdentifier($sid)
# Translate() throws (IdentityNotMappedException, a SystemException) for SIDs the local
# machine cannot resolve; that error is handled by the Trap below.
&{#Try
■$User = $ID.Translate( [System.Security.Principal.NTAccount])
■$global:strAccNameTranslation = $User.Value
}
# A trap applies to the whole enclosing scope, not only to the statements above it.
Trap [SystemException]
{
■If ($global:dicWellKnownSids.ContainsKey($sid))
■{
■■$global:strAccNameTranslation = $global:dicWellKnownSids.Item($sid)
■■return $global:strAccNameTranslation
■}
# Continue resumes execution at the statement after the one that raised the error.
■;Continue
}
if ($global:strAccNameTranslation -eq "")
{
If ($global:dicSidToName.ContainsKey($sid))
{
■ $global:strAccNameTranslation =$global:dicSidToName.Item($sid)
}
else
{
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:st
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
if($global:bolShowDeleted)
{
# LDAP_SERVER_SHOW_DELETED_OID: include tombstoned objects so deleted trustees still resolve.
[string] $LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
[void]$request.Controls.Add((New-Object "System.DirectoryServices.Protocols.DirectoryControl
}
# "<SID=...>" is the extended-DN syntax that lets a base search address an object by SID.
$request.DistinguishedName = "<SID=$sid>"
$request.Filter = "(name=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("samaccountname")
# NOTE(review): SendRequest is outside the try below. If it throws for an unresolvable
# SID, the Trap's Continue lands on the next statement with $response unset, and the
# concatenation inside the try can then yield a bare "DOMAIN\" prefix that gets cached
# as the name — confirm and consider moving SendRequest into the try.
$response = $LDAPConnection.SendRequest($request)
$result = $response.Entries[0]
try
{
# Presumably "...samaccountname[0]"; the tail of this line is truncated in the listing.
■ $global:strAccNameTranslation = $global:strDomainShortName + "\" + $result.attributes.samacc
}
catch
{
# Objects without samAccountName (or a failed read) fall through to the DN below.
}
■ if(!($global:strAccNameTranslation))
{
$global:strAccNameTranslation = $result.distinguishedname
}
$global:dicSidToName.Add($sid,$global:strAccNameTranslation)
}
}
# NOTE(review): "$nul" is an undefined variable that happens to evaluate to $null, so the
# comparison works by accident; "$null" is what is meant.
If (($global:strAccNameTranslation -eq $nul) -or ($global:strAccNameTranslation -eq ""))
{
■$global:strAccNameTranslation =$sid
}
return $global:strAccNameTranslation
}
#==========================================================================
# Function■■: Get-Criticality
# Arguments : $objRights,$objAccess,$objFlags,$objInheritanceType
# Returns ■: Integer
# Description : Checks the criticality of an ACE and returns a number for the rating
#==========================================================================
Function Get-Criticality
{
# Rates a single ACE on a 0–4 scale (0 = info/none, 1 = low, 2 = medium, 3 = warning,
# 4 = critical) from the ACE's rights, access type, flags, inheritance and object GUIDs.
# Arguments : $Returns  - "Filter" (default) returns a boolean: level >= $CriticalityFilter;
#                         any other value returns the numeric level.
#             $objIdentity        - trustee name; "NT AUTHORITY\SELF" lowers some ratings.
#             $objRights          - ActiveDirectoryRights string ("WriteProperty", ...).
#             $objAccess          - "Allow" or "Deny"; most ratings apply only to Allow.
#             $objFlags           - ObjectFlags string ("ObjectAceTypePresent", ...).
#             $objInheritanceType - "None", "All", "Children" or "Descendents".
#             $objObjectType / $objInheritedObjectType - GUIDs of the attribute set,
#                         extended right or class the ACE is scoped to (the Param line is
#                         truncated in this listing, so the exact parameter tail is not
#                         visible — confirm).
# Returns   : [bool] when $Returns -eq "Filter", otherwise [int] 0..4.
# Notes     : $CriticalityFilter is read from the caller's scope, not from a visible
#             parameter. A PowerShell switch runs EVERY matching clause (there is no
#             break here), so for a combined rights string such as
#             "WriteProperty, WriteDacl" the later WriteDacl/WriteOwner clause overrides the
#             earlier result. Switch string matching is case-insensitive, which is why the
#             mixed-case GUIDs below still match.
Param($Returns="Filter",$objIdentity,$objRights,$objAccess,$objFlags,$objInheritanceType,$objObje
$intCriticalityLevel = 0
Switch ($objRights)
{
"ListChildren"
{
If ($objAccess -eq "Allow")
{
$intCriticalityLevel = 0
}
}
"Read permissions, Modify permissions"
{
$intCriticalityLevel = 4
}
"Modify permissions"
{
$intCriticalityLevel = 4
}
{($_ -match "WriteDacl") -or ($_ -match "WriteOwner")}
{
$intCriticalityLevel = 4
}
"DeleteChild, DeleteTree, Delete"
{
If ($objAccess -eq "Allow")
{
$intCriticalityLevel = 3
}
}
"Delete"
{
If ($objAccess -eq "Allow")
{
$intCriticalityLevel = 3
}
}
"GenericRead"
{
If ($objAccess -eq "Allow")
{
$intCriticalityLevel = 1
■}
}
"CreateChild"
{
If ($objAccess -eq "Allow")
{
$intCriticalityLevel = 3
■}
}
"DeleteChild"
{
If ($objAccess -eq "Allow")
{
$intCriticalityLevel = 3
■}
}
"ExtendedRight"
{
If ($objAccess -eq "Allow")
{
# Extended rights are rated by the control-access-right GUID in $objObjectType;
# unknown GUIDs fall to the default (1).
Switch ($objObjectType)
{
# Domain Administer Server =
"ab721a52-1e2f-11d0-9819-00aa0040529b"
{
$intCriticalityLevel = 4
}
# Change Password =
"ab721a53-1e2f-11d0-9819-00aa0040529b"
{
$intCriticalityLevel = 1
}
# Reset Password =
"00299570-246d-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Send As =
"ab721a54-1e2f-11d0-9819-00aa0040529b"
{
$intCriticalityLevel = 4
}
# Receive As =
"ab721a56-1e2f-11d0-9819-00aa0040529b"
{
$intCriticalityLevel = 4
}
# Send To =
"ab721a55-1e2f-11d0-9819-00aa0040529b"
{
$intCriticalityLevel = 4
}
# Open Address List =
"a1990816-4298-11d1-ade2-00c04fd8d5cd"
{
$intCriticalityLevel = 1
}
# Replicating Directory Changes =
"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
{
$intCriticalityLevel = 4
}
# Replication Synchronization =
"1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"
{
$intCriticalityLevel = 4
}
# Manage Replication Topology =
"1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"
{
$intCriticalityLevel = 4
}
# Change Schema Master =
"e12b56b6-0a95-11d1-adbb-00c04fd8d5cd"
{
$intCriticalityLevel = 4
}
# Change Rid Master =
"d58d5f36-0a98-11d1-adbb-00c04fd8d5cd"
{
$intCriticalityLevel = 4
}
# Do Garbage Collection =
"fec364e0-0a98-11d1-adbb-00c04fd8d5cd"
{
$intCriticalityLevel = 4
}
# Recalculate Hierarchy =
"0bc1554e-0a99-11d1-adbb-00c04fd8d5cd"
{
$intCriticalityLevel = 4
}
# Allocate Rids =
"1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd"
{
$intCriticalityLevel = 4
}
# Change PDC =
"bae50096-4752-11d1-9052-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
# Add GUID =
"440820ad-65b4-11d1-a3da-0000f875ae0d"
{
$intCriticalityLevel = 4
}
# Change Domain Master =
"014bf69c-7b3b-11d1-85f6-08002be74fab"
{
$intCriticalityLevel = 4
}
# Receive Dead Letter =
"4b6e08c0-df3c-11d1-9c86-006008764d0e"
{
$intCriticalityLevel = 1
}
# Peek Dead Letter =
"4b6e08c1-df3c-11d1-9c86-006008764d0e"
{
$intCriticalityLevel = 1
}
# Receive Computer Journal =
"4b6e08c2-df3c-11d1-9c86-006008764d0e"
{
$intCriticalityLevel = 1
}
# Peek Computer Journal =
"4b6e08c3-df3c-11d1-9c86-006008764d0e"
{
$intCriticalityLevel = 1
}
# Receive Message =
"06bd3200-df3e-11d1-9c86-006008764d0e"
{
$intCriticalityLevel = 1
}
# Peek Message =
"06bd3201-df3e-11d1-9c86-006008764d0e"
{
$intCriticalityLevel = 1
}
# Send Message =
"06bd3202-df3e-11d1-9c86-006008764d0e"
{
$intCriticalityLevel = 1
}
# Receive Journal =
"06bd3203-df3e-11d1-9c86-006008764d0e"
{
$intCriticalityLevel = 1
}
# Open Connector Queue =
"b4e60130-df3f-11d1-9c86-006008764d0e"
{
$intCriticalityLevel = 1
}
# Apply Group Policy =
"edacfd8f-ffb3-11d1-b41d-00a0c968f939"
{
$intCriticalityLevel = 1
}
# Add/Remove Replica In Domain =
"9923a32a-3607-11d2-b9be-0000f87a36b2"
{
$intCriticalityLevel = 4
}
# Change Infrastructure Master =
"cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd"
{
$intCriticalityLevel = 4
}
# Update Schema Cache =
"be2bb760-7f46-11d2-b9ad-00c04f79f805"
{
$intCriticalityLevel = 4
}
# Recalculate Security Inheritance =
"62dd28a8-7f46-11d2-b9ad-00c04f79f805"
{
$intCriticalityLevel = 4
}
# Check Stale Phantoms =
"69ae6200-7f46-11d2-b9ad-00c04f79f805"
{
$intCriticalityLevel = 4
}
# Enroll =
"0e10c968-78fb-11d2-90d4-00c04f79dc55"
{
$intCriticalityLevel = 1
}
# Generate Resultant Set of Policy (Planning) =
"b7b1b3dd-ab09-4242-9e30-9980e5d322f7"
{
$intCriticalityLevel = 1
}
# Refresh Group Cache for Logons =
"9432c620-033c-4db7-8b58-14ef6d0bf477"
{
$intCriticalityLevel = 4
}
# Enumerate Entire SAM Domain =
"91d67418-0135-4acc-8d79-c08e857cfbec"
{
$intCriticalityLevel = 4
}
# Generate Resultant Set of Policy (Logging) =
"b7b1b3de-ab09-4242-9e30-9980e5d322f7"
{
$intCriticalityLevel = 1
}
# Create Inbound Forest Trust =
"e2a36dc9-ae17-47c3-b58b-be34c55ba633"
{
$intCriticalityLevel = 4
}
# Replicating Directory Changes All =
"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
{
$intCriticalityLevel = 4
}
# Migrate SID History =
"BA33815A-4F93-4c76-87F3-57574BFF8109"
{
$intCriticalityLevel = 4
}
# Reanimate Tombstones =
"45EC5156-DB7E-47bb-B53F-DBEB2D03C40F"
{
$intCriticalityLevel = 4
}
# Allowed to Authenticate =
"68B1D179-0D15-4d4f-AB71-46152E79A7BC"
{
$intCriticalityLevel = 1
}
# Execute Forest Update Script =
"2f16c4a5-b98e-432c-952a-cb388ba33f2e"
{
$intCriticalityLevel = 4
}
# Monitor Active Directory Replication =
"f98340fb-7c5b-4cdb-a00b-2ebdfa115a96"
{
$intCriticalityLevel = 3
}
# Update Password Not Required Bit =
"280f369c-67c7-438e-ae98-1d46f3c6f541"
{
$intCriticalityLevel = 1
}
# Unexpire Password =
"ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501"
{
$intCriticalityLevel = 1
}
# Enable Per User Reversibly Encrypted Password =
"05c74c5e-4deb-43b4-bd9f-86664c2a7fd5"
{
$intCriticalityLevel = 1
}
# Query Self Quota =
"4ecc03fe-ffc0-4947-b630-eb672a8a9dbc"
{
$intCriticalityLevel = 1
}
# Read Only Replication Secret Synchronization =
"1131f6ae-9c07-11d1-f79f-00c04fc2dcd2"
{
$intCriticalityLevel = 4
}
# Reload SSL/TLS Certificate =
"1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8"
{
$intCriticalityLevel = 4
}
# Replicating Directory Changes In Filtered Set =
"89e95b76-444d-4c62-991a-0facbeda640c"
{
$intCriticalityLevel = 4
}
# Run Protect Admin Groups Task =
"7726b9d5-a4b4-4288-a6b2-dce952e80a7f"
{
$intCriticalityLevel = 4
}
# Manage Optional Features for Active Directory =
"7c0e2a7c-a419-48e4-a995-10180aad54dd"
{
$intCriticalityLevel = 4
}
# Allow a DC to create a clone of itself =
"3e0f7e18-2c7a-4c10-ba82-4d926db99a3e"
{
$intCriticalityLevel = 4
}
# AutoEnrollment =
"a05b8cc2-17bc-4802-a710-e7c15ab866a2"
{
$intCriticalityLevel = 1
}
# Set Owner of an object during creation. =
"4125c71f-7fac-4ff0-bcb7-f09a41325286"
{
$intCriticalityLevel = 1
}
# Bypass the quota restrictions during creation. =
"88a9933e-e5c8-4f2a-9dd7-2527416b8092"
{
$intCriticalityLevel = 4
}
# Read secret attributes of objects in a Partition. =
"084c93a2-620d-4879-a836-f0ae47de0e89"
{
$intCriticalityLevel = 4
}
# Write secret attributes of objects in a Partition. =
"94825A8D-B171-4116-8146-1E34D8F54401"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 1
}
}
}
}
"GenericAll"
{
If ($objAccess -eq "Allow")
{
# Full control is rated by how far it reaches (inheritance) and what it is scoped to.
Switch ($objInheritanceType)
■ {
"All"
{
Switch ($objObjectType)
{
# Any = 4
"00000000-0000-0000-0000-000000000000"
{
$intCriticalityLevel = 4
}
# Privat-Information = 3
"91e647de-d96f-4b70-9557-d63ff4f3ccd8"
{
$intCriticalityLevel = 3
}
# Password Reset = 4
"00299570-246d-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Membership = 4
"bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 3
}
}
}
■ ■ "None"
■■ {
$intCriticalityLevel = 4
}
# NOTE(review): this branch is empty, so GenericAll with InheritanceType "Children"
# keeps level 0 — confirm that is intended rather than an omission.
"Children"
■ {
}
"Descendents"
{
Switch ($objInheritedObjectType)
{
# Any = 4
"00000000-0000-0000-0000-000000000000"
{
$intCriticalityLevel = 4
}
# User = 4
"bf967aba-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Group = 4
"bf967a9c-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Computer = 4
"bf967a86-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# ms-DS-Managed-Service-Account = 4
"ce206244-5827-4a86-ba1c-1c0c386c1b64"
{
$intCriticalityLevel = 4
}
# msDS-Group-Managed-Service-Account = 4
"7b8b558a-93a5-4af7-adca-c017e67f1057"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 3
}
}
}
■ default
■ {
$intCriticalityLevel = 3
}
}#End switch
■}
}
"CreateChild, DeleteChild"
{
If ($objAccess -eq "Allow")
{
$intCriticalityLevel = 3
■}
}
"ReadProperty"
{
If ($objAccess -eq "Allow")
{
# Always 1; the inner switch is a placeholder with no effect.
$intCriticalityLevel = 1
Switch ($objInheritanceType)
{
■ "None"
■ {
}
"Children"
■ {
}
"Descendents"
{
}
■ default
■ {
}
}#End switch
}
}
{$_ -match "WriteProperty"}
{
If ($objAccess -eq "Allow")
{
# Write ratings depend on inheritance, the ACE flags and which attribute set / class
# the write is scoped to; the GUID tables are repeated per inheritance type.
Switch ($objInheritanceType)
■ {
{($_ -match "All") -or ($_ -match "None")}
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
Switch ($objObjectType)
{
# msDS-KeyCredentialLink = 4
"5b47d60f-6090-40b2-9f37-2a4de88f3063"
{
$intCriticalityLevel = 4
}
# Domain Password & Lockout Policies = 4
"c7407360-20bf-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Account Restrictions = 4
"4c164200-20c0-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Group Membership = 4
"bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
# Public Information = 4
"e48d0154-bcf8-11d1-8702-00c04fb96050"
{
$intCriticalityLevel = 4
}
# Email-Information = 0
"E45795B2-9455-11d1-AEBD-0000F80367C1"
{
$intCriticalityLevel = 0
}
# Web-Information = 2
# NOTE(review): both branches below assign 1, unlike every other Web-Information
# case in this function, which gives 2 for a non-SELF trustee — confirm.
"E45795B3-9455-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 1
}
}
# Personal-Information = 2
"77B5B886-944A-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# User-Account-Control = 4
"bf967a68-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Service-Principal-Name = 4
"f3a64788-5306-11d1-a9c5-0000f80367c1"
{
$intCriticalityLevel = 4
}
# Is-Member-Of-DL = 4
"bf967991-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 2
}
}
}
# Empty block: level stays at its previous value (0 unless an earlier clause set it).
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
}
default
{
$intCriticalityLevel = 3
}
}#End switch
}
"Children"
■ {
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
Switch ($objObjectType)
{
# Domain Password & Lockout Policies = 4
"c7407360-20bf-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Account Restrictions = 4
"4c164200-20c0-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Group Membership = 4
"bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
# Email-Information = 0
"E45795B2-9455-11d1-AEBD-0000F80367C1"
{
$intCriticalityLevel = 0
}
# Web-Information = 2
"E45795B3-9455-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# Personal-Information = 2
"77B5B886-944A-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# User-Account-Control = 4
"bf967a68-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Service-Principal-Name = 4
"f3a64788-5306-11d1-a9c5-0000f80367c1"
{
$intCriticalityLevel = 4
}
# Is-Member-Of-DL = 4
"bf967991-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 2
}
}
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
Switch ($objInheritedObjectType)
{
# User = 4 ,Group = 4,Computer = 4
{($_ -eq "bf967aba-0de6-11d0-a285-00aa003049e2") -or ($_ -eq "bf967a9c-0de6-1
{
Switch ($objObjectType)
{
# Account Restrictions = 4
"4c164200-20c0-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Group Membership = 4
"bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
# Email-Information = 0
"E45795B2-9455-11d1-AEBD-0000F80367C1"
{
$intCriticalityLevel = 0
}
# Web-Information = 2
"E45795B3-9455-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# Personal-Information = 2
"77B5B886-944A-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# User-Account-Control = 4
"bf967a68-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Service-Principal-Name = 4
"f3a64788-5306-11d1-a9c5-0000f80367c1"
{
$intCriticalityLevel = 4
}
# Is-Member-Of-DL = 4
"bf967991-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 2
}
}
}
default
{
$intCriticalityLevel = 3
}
}
}
"InheritedObjectAceTypePresent"
{
Switch ($objInheritedObjectType)
{
# User = 4 ,Group = 4,Computer = 4
{($_ -eq "bf967aba-0de6-11d0-a285-00aa003049e2") -or ($_ -eq "bf967a9c-0de6-1
{
Switch ($objObjectType)
{
# All
"00000000-0000-0000-0000-000000000000"
{
$intCriticalityLevel = 4
}
# Account Restrictions = 4
"4c164200-20c0-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Group Membership = 4
"bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
# Email-Information = 0
"E45795B2-9455-11d1-AEBD-0000F80367C1"
{
$intCriticalityLevel = 0
}
# Web-Information = 2
"E45795B3-9455-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# Personal-Information = 2
"77B5B886-944A-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# User-Account-Control = 4
"bf967a68-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Service-Principal-Name = 4
"f3a64788-5306-11d1-a9c5-0000f80367c1"
{
$intCriticalityLevel = 4
}
# Is-Member-Of-DL = 4
"bf967991-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 2
}
}
}
default
{
$intCriticalityLevel = 3
}
}
}
"None"
{
Switch ($objObjectType)
{
# All
"00000000-0000-0000-0000-000000000000"
{
$intCriticalityLevel = 4
}
# Account Restrictions = 4
"4c164200-20c0-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Group Membership = 4
"bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
# Email-Information = 0
"E45795B2-9455-11d1-AEBD-0000F80367C1"
{
$intCriticalityLevel = 0
}
# Web-Information = 2
"E45795B3-9455-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# Personal-Information = 2
"77B5B886-944A-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# User-Account-Control = 4
"bf967a68-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Service-Principal-Name = 4
"f3a64788-5306-11d1-a9c5-0000f80367c1"
{
$intCriticalityLevel = 4
}
# Is-Member-Of-DL = 4
"bf967991-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 2
}
}
}
default
{
}
}#End switch
}
"Descendents"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
Switch ($objObjectType)
{
# Domain Password & Lockout Policies = 4
"c7407360-20bf-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Account Restrictions = 4
"4c164200-20c0-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Group Membership = 4
"bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
# Email-Information = 0
"E45795B2-9455-11d1-AEBD-0000F80367C1"
{
$intCriticalityLevel = 0
}
# Web-Information = 2
"E45795B3-9455-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# Personal-Information = 2
"77B5B886-944A-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# User-Account-Control = 4
"bf967a68-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Service-Principal-Name = 4
"f3a64788-5306-11d1-a9c5-0000f80367c1"
{
$intCriticalityLevel = 4
}
# Is-Member-Of-DL = 4
"bf967991-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 2
}
}
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
Switch ($objInheritedObjectType)
{
# User = 4 ,Group = 4,Computer = 4
{($_ -eq "bf967aba-0de6-11d0-a285-00aa003049e2") -or ($_ -eq "bf967a9c-0de6-1
{
Switch ($objObjectType)
{
# Account Restrictions = 4
"4c164200-20c0-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Group Membership = 4
"bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
# Email-Information = 0
"E45795B2-9455-11d1-AEBD-0000F80367C1"
{
$intCriticalityLevel = 0
}
# Web-Information = 2
"E45795B3-9455-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# Personal-Information = 2
"77B5B886-944A-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# User-Account-Control = 4
"bf967a68-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Service-Principal-Name = 4
"f3a64788-5306-11d1-a9c5-0000f80367c1"
{
$intCriticalityLevel = 4
}
# Is-Member-Of-DL = 4
"bf967991-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 2
}
}
}
default
{
$intCriticalityLevel = 3
}
}
}
"InheritedObjectAceTypePresent"
{
Switch ($objInheritedObjectType)
{
# User = 4 ,Group = 4,Computer = 4
{($_ -eq "bf967aba-0de6-11d0-a285-00aa003049e2") -or ($_ -eq "bf967a9c-0de6-1
{
Switch ($objObjectType)
{
# All
"00000000-0000-0000-0000-000000000000"
{
$intCriticalityLevel = 4
}
# Account Restrictions = 4
"4c164200-20c0-11d0-a768-00aa006e0529"
{
$intCriticalityLevel = 4
}
# Group Membership = 4
"bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
{
$intCriticalityLevel = 4
}
# Email-Information = 0
"E45795B2-9455-11d1-AEBD-0000F80367C1"
{
$intCriticalityLevel = 0
}
# Web-Information = 2
"E45795B3-9455-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# Personal-Information = 2
"77B5B886-944A-11d1-AEBD-0000F80367C1"
{
#If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF")
{
$intCriticalityLevel = 1
}
else
{
$intCriticalityLevel = 2
}
}
# User-Account-Control = 4
"bf967a68-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
# Service-Principal-Name = 4
"f3a64788-5306-11d1-a9c5-0000f80367c1"
{
$intCriticalityLevel = 4
}
# Is-Member-Of-DL = 4
"bf967991-0de6-11d0-a285-00aa003049e2"
{
$intCriticalityLevel = 4
}
default
{
$intCriticalityLevel = 2
}
}
}
default
{
$intCriticalityLevel = 3
}
}
}
default
{
}
}#End switch
}
■ default
■ {
$intCriticalityLevel = 3
}
}#End switch
}#End if Allow
}
# Duplicate of the earlier WriteDacl/WriteOwner clause; because it is evaluated last,
# any rights string containing WriteDacl or WriteOwner always ends at level 4.
{($_ -match "WriteDacl") -or ($_ -match "WriteOwner")}
{
$intCriticalityLevel = 4
}
# Rights strings not matched above (combined flags such as "CreateChild, Self, WriteProperty")
# are rated by keyword; later checks override earlier ones, so the highest-ranked keyword wins.
default
{
If ($objAccess -eq "Allow")
{
if($objRights -match "Write")
{
$intCriticalityLevel = 2
}
if($objRights -match "Create")
{
$intCriticalityLevel = 3
}
if($objRights -match "Delete")
{
$intCriticalityLevel = 3
}
if($objRights -match "ExtendedRight")
{
$intCriticalityLevel = 3
}
if($objRights -match "WriteDacl")
{
$intCriticalityLevel = 4
}
if($objRights -match "WriteOwner")
{
$intCriticalityLevel = 4
}
}
}
}# End Switch
if($Returns -eq "Filter")
{
# $CriticalityFilter comes from the calling scope (see Notes above).
if ($intCriticalityLevel -ge $CriticalityFilter)
{
Return $True
}
else
{
Return $false
}
}
else
{
Return $intCriticalityLevel
}
}
#==========================================================================
#==========================================================================
# Function■■: WriteOUT
# Arguments : Security Descriptor, OU dn string, Output htm file or other format
# Returns ■: n/a
# Description : Writes the SD info to a HTM table or other format, it appends info if the file exist
#==========================================================================
function WriteOUT
{
Param([bool] $bolACLExist,$sd,[string]$DSObject,[string]$Canonical,[bool] $OUHeader,[string] $strC
[string]$strSDDL,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
if($Type -eq "HTML")
{
$htm = $true
$fileout = $htmfileout
}
if($HTM)
{
$strTHOUColor = "E5CF00"
$strTHColor = "EFAC00"
if ($bolCriticalityLevel -eq $true)
{
$strLegendColor =@"
bgcolor="#A4A4A4"
"@
}
else
{
$strLegendColor = ""
}
$strLegendColorInfo=@"
bgcolor="#A4A4A4"
"@
$strLegendColorLow =@"
bgcolor="#0099FF"
"@
$strLegendColorMedium=@"
bgcolor="#FFFF00"
"@
$strLegendColorWarning=@"
bgcolor="#FFD700"
"@
$strLegendColorCritical=@"
bgcolor="#DF0101"
"@
$strFont =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontRights =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontOU =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontTH =@"
<FONT size="2" face="verdana, hevetica, arial">
"@
If ($OUHeader -eq $true)
{
if ($GPO)
{
$strHTMLText =@"
$strHTMLText
<TR bgcolor="$strTHOUColor"><TD><b>$strFontOU $GPOdisplayname</b>
"@
}
else
{
$strHTMLText =@"
$strHTMLText
<TR bgcolor="$strTHOUColor">
"@
}
$strHTMLText =@"
$strHTMLText
<TD><b>$strFontOU $DSObject</b>
"@
if ($Canonical)
{
$strHTMLText =@"
$strHTMLText
<TD><b>$strFontOU $Canonical</b>
"@
}
if ($bolObjClass -eq $true)
{
$strHTMLText =@"
$strHTMLText
<TD><b>$strFontOU $strObjClass</b>
"@
}
if ($boolReplMetaDate -eq $true)
{
$strHTMLText =@"
$strHTMLText
<TD><b>$strFontOU $strReplMetaDate</b>
"@
}
if ($boolACLSize -eq $true)
{
$strHTMLText =@"
$strHTMLText
<TD><b>$strFontOU $strACLSize bytes</b>
"@
}
if ($boolOUProtected -eq $true)
{
if ($bolOUProtected -eq $true)
{
$strHTMLText =@"
$strHTMLText
<TD bgcolor="FF0000"><b>$strFontOU $bolOUProtected</b>
"@
}
else
{
$strHTMLText =@"
$strHTMLText
<TD><b>$strFontOU $bolOUProtected</b>
"@
}
}
$strHTMLText =@"
$strHTMLText
</TR>
"@
}
Switch ($strColorTemp)
{
"1"
■{
■$strColor = "DDDDDD"
■$strColorTemp = "2"
■}
"2"
■{
■$strColor = "AAAAAA"
■$strColorTemp = "1"
■}■■
"3"
■{
■$strColor = "FF1111"
}
"4"
■{
■$strColor = "00FFAA"
}
"5"
■{
■$strColor = "FFFF00"
}
■}# End Switch
}#End if HTM
if ($bolACLExist)
{
■$sd | foreach{
if($null -ne $_.AccessControlType)
{
$objAccess = $($_.AccessControlType.toString())
}
else
{
$objAccess = $($_.AuditFlags.toString())
}
■$objFlags = $($_.ObjectFlags.toString())
■$objType = $($_.ObjectType.toString())
$objIsInheried = $($_.IsInherited.toString())
■$objInheritedType = $($_.InheritedObjectType.toString())
■$objRights = $($_.ActiveDirectoryRights.toString())
$objInheritanceType = $($_.InheritanceType.toString())
Switch ($objRights)
{
"Self"
{
#Self right are never express in gui it's a validated write ( 0x00000008 ACTRL_DS_SELF)
$objRights = ""
}
"GenericRead"
{
$objRights = "Read Permissions,List Contents,Read All Properties,List"
}
"CreateChild"
{
$objRights = "Create"■
}
"DeleteChild"
{
$objRights = "Delete Child"■■
}
"GenericAll"
{
$objRights = "Full Control"■■
}
"CreateChild, DeleteChild"
{
$objRights = "Create/Delete"■■
}
"ReadProperty"
{
Switch ($objInheritanceType)
■ {
■ ■ "None"
■■ {
Switch ($objFlags)
■ ■ {
■■ ■ "ObjectAceTypePresent"
{
$objRights = "Read"■
}
■■ ■ "ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Read"■
}
default
■■ {$objRights = "Read All Properties"■}
}#End switch
}
"Children"
■■ {
Switch ($objFlags)
■ ■ {
■■ ■ "ObjectAceTypePresent"
{
$objRights = "Read"■
}
■■ ■ "ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Read"■
}
default
■■ {$objRights = "Read All Properties"■}
}#End switch
}
"Descendents"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Read"■
}
■
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Read"■
}
default
{$objRights = "Read All Properties"■}
}#End switch
}
default
{$objRights = "Read All Properties"■}
}#End switch
}
"ReadProperty, WriteProperty"
{
$objRights = "Read All Properties;Write All Properties"■■■
}
"WriteProperty"
{
Switch ($objInheritanceType)
■ {
■ ■ "None"
■■ {
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Write"■
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Write"■
}
default
{
$objRights = "Write All Properties"■
}
}#End switch
}
"Children"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Write"■
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Write"■
}
default
{
$objRights = "Write All Properties"■
}
}#End switch
}
"Descendents"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Write"■
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Write"■
}
default
{
$objRights = "Write All Properties"■
}
}#End switch
}
default
{
$objRights = "Write All Properties"
}
}#End switch■■
}
default
{
}
}# End Switch
if($bolShowCriticalityColor)
{
$intCriticalityValue = Get-Criticality -Returns "Color" $_.IdentityReference.toString() $_.ActiveDirec
Switch ($intCriticalityValue)
{
0 {$strLegendText = "Info";$strLegendColor = $strLegendColorInfo}
1 {$strLegendText = "Low";$strLegendColor = $strLegendColorLow}
2 {$strLegendText = "Medium";$strLegendColor = $strLegendColorMedium}
3 {$strLegendText = "Warning";$strLegendColor = $strLegendColorWarning}
4 {$strLegendText = "Critical";$strLegendColor = $strLegendColorCritical}
}
$strLegendTextVal = $strLegendText
if($intCriticalityValue -gt $global:intShowCriticalityLevel)
{
$global:intShowCriticalityLevel = $intCriticalityValue
}
}
■$IdentityReference = $($_.IdentityReference.toString())
If ($IdentityReference.contains("S-1-"))
■{
$strNTAccount = ConvertSidToName -server $global:strDomainLongName -Sid $IdentityReferenc
■}
else
{
$strNTAccount = $IdentityReference
}
Switch ($strColorTemp)
{
"1"
■{
■$strColor = "DDDDDD"
■$strColorTemp = "2"
■}
■"2"
■{
■$strColor = "AAAAAA"
■$strColorTemp = "1"
■}■■
"3"
■{
■$strColor = "FF1111"
}
"4"
■{
■$strColor = "00FFAA"
}
"5"
■{
■$strColor = "FFFF00"
}
■}# End Switch
■ Switch ($objInheritanceType)
■{
■ ■"All"
■ ■{
■ ■■Switch ($objFlags)
■ ■{
■■ ■"InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "This object and all child objects"
$strPerm = "$objRights $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatc
■■ ■} ■
■■ ■"ObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "This object and all child objects"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■"ObjectAceTypePresent, InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■} ■ ■
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo ="This object and all child objects"
$strPerm = "$objRights"
■■ ■}
■■ ■■default
■ ■■ {
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 1K"
■■ ■} ■
■
■■ }# End Switch
■ ■■
■ ■}
■ ■"Descendents"
■ ■{
■
■ ■■Switch ($objFlags)
■ ■{
■■ ■"InheritedObjectAceTypePresent"
■■ ■{
■■ ■ $strApplyTo = "Descendant $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMa
$strPerm = "$objRights"
■■ ■}
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo = "Child Objects Only"
$strPerm = "$objRights"
■■ ■} ■ ■
■■ ■"ObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "Child Objects Only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■"ObjectAceTypePresent, InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo =■"$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName
$strPerm =■"$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■default
■ ■■■{
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 2K"
■■ ■} ■
■
■■ } ■■
■ ■}
■ ■"None"
■ ■{
■ ■■Switch ($objFlags)
■ ■{
■■ ■"ObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "This Object Only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo = "This Object Only"
$strPerm = "$objRights"
■■ ■}
■■ ■■default
■ ■■ {
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 4K"
■■ ■} ■
■
■■■}
■ ■}
■ ■"SelfAndChildren"
■ ■{
■ ■ ■■Switch ($objFlags)
■ ■{
■■ ■"ObjectAceTypePresent"
■ ■■{
■■ ■■$strApplyTo = "This object and all child objects within this container only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■"InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "This object and all child objects within this container only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatch
■■ ■}
■■ ■"ObjectAceTypePresent, InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■} ■ ■
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo = "This object and all child objects"
$strPerm = "$objRights"
■■ ■} ■
■■ ■default
■ ■■ {
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 5K"
■■ ■} ■
■
■■■} ■
■ ■} ■
■ ■"Children"
■ ■{
■ ■ ■■Switch ($objFlags)
■ ■{
■■ ■"InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "Descendant $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMa
$strPerm = "$objRights"
■■ ■}
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo = "Children within this container only"
$strPerm = "$objRights"
■■ ■} ■ ■
■■ ■"ObjectAceTypePresent, InheritedObjectAceTypePresent"
■ ■■{
■■ ■■$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName
$strPerm = "$(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDA
■■ ■} ■
■■ ■"ObjectAceTypePresent"
■ ■■{
■■ ■■$strApplyTo = "Children within this container only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■} ■■ ■
■■ ■default
■ ■■■{
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 6K"
■■ ■} ■
■
■ ■■}
■ ■}
■ ■default
■ ■{
■■ $strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 7K"
■■} ■
■}# End Switch
##
if($Type -eq "Object")
{
$objhashtableACE = [pscustomobject][ordered]@{
Object = $DSObject ;`
ObjectClass = $strObjClass}
if($strSDDL)
{
add-member -InputObject $objhashtableACE -MemberType NoteProperty -Name "SDDL" -Value $
}
else
{
add-member -InputObject $objhashtableACE -MemberType NoteProperty -Name "IdentityReferen
add-member -InputObject $objhashtableACE -MemberType NoteProperty -Name "Trustee" -Value
add-member -InputObject $objhashtableACE -MemberType NoteProperty -Name "Access" -Value
add-member -InputObject $objhashtableACE -MemberType NoteProperty -Name "Inherited" -Valu
add-member -InputObject $objhashtableACE -MemberType NoteProperty -Name "Apply To" -Valu
add-member -InputObject $objhashtableACE -MemberType NoteProperty -Name "Permission" -Va
}
if($Canonical)
{
add-member -InputObject $objhashtableACE -MemberType NoteProperty -Name "CanonicalName
$objhashtableACE = $objhashtableACE | Select-Object -Property Object,CanonicalName,* -Error
}
if($GPO)
{
add-member -InputObject $objhashtableACE -MemberType NoteProperty -Name "GPO" -Value $G
$objhashtableACE = $objhashtableACE | Select-Object -Property GPO,* -ErrorAction SilentlyCon
}
if($boolOUProtected)
{
$objhashtableACE | Add-Member NoteProperty "Inheritance Disabled" $bolOUProtected.toString()
}
if($boolReplMetaDate)
{
$objhashtableACE | Add-Member NoteProperty "Security Descriptor Modified" $strReplMetaDate
}
if($CompareMode)
{
$objhashtableACE | Add-Member NoteProperty State $($_.State.toString())
}
if ($bolCriticalityLevel -or $bolShowCriticalityColor)
{
$objhashtableACE | Add-Member NoteProperty 'Criticality Level' $strLegendTextVal
}
[VOID]$global:ArrayAllACE.Add($objhashtableACE)
}
If($HTM)
{
if ($GPO)
{
$strACLHTMLText =@"
$strACLHTMLText
<TR bgcolor="$strColor"><TD>$strFont $GPOdisplayname</TD>
"@
}
else
{
$strACLHTMLText =@"
$strACLHTMLText
<TR bgcolor="$strColor">
"@
}
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $DSObject</TD>
"@
if ($Canonical)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $Canonical</TD>
"@
}
if ($bolObjClass -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strObjClass</TD>
"@
}
if ($boolReplMetaDate -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strReplMetaDate</TD>
"@
}
if ($boolACLSize -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strACLSize bytes</TD>
"@
}
if ($boolOUProtected -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $bolOUPRotected </TD>
"@
}
if($strSDDL)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strSDDL</TD>
"@
}
else
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont <a href="#web" onclick="GetGroupDN('$strNTAccount')">$strNTAccount</a></TD>
<TD>$strFont $objAccess</TD>
<TD>$strFont $objIsInheried </TD>
<TD>$strFont $strApplyTo</TD>
<TD $strLegendColor>$strFontRights $strPerm</TD>
"@
}
if($CompareMode)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $($_.State.toString())</TD>
"@
}
if ($bolCriticalityLevel -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD $strLegendColor>$strFont $strLegendTextVal</TD>
"@
}
}#End If HTM
}# End Foreach
■
}
else
{
if($HTM)
{
if ($OUHeader -eq $false)
{
if ($FilterMode)
{
if ($boolReplMetaDate -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strReplMetaDate</TD>
"@
}
if ($boolACLSize -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strACLSize bytes</TD>
"@
}
if ($boolOUProtected -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $bolOUPRotected </TD>
"@
}
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont No Matching Permissions Set</TD>
"@
if ($bolCriticalityLevel -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD $strLegendColor>$strFont $strLegendTextVal</TD>
"@
}
}
else
{
if ($boolReplMetaDate -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strReplMetaDate</TD>
"@
}
if ($boolACLSize -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strACLSize bytes</TD>
"@
}
if ($boolOUProtected -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $bolOUPRotected </TD>
"@
}
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont No Permissions Set</TD>
"@
if ($bolCriticalityLevel -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD $strLegendColor>$strFont $strLegendTextVal</TD>
"@
}
}# End If
}#end If OUHeader false
}#End if HTM
} #End if bolACLExist
if($HTM)
{
$strACLHTMLText =@"
$strACLHTMLText
</TR>
"@
#end ifelse OUHEader
$strHTMLText = $strHTMLText + $strACLHTMLText
Out-File -InputObject $strHTMLText -Append -FilePath $fileout
Out-File -InputObject $strHTMLText -Append -FilePath $strFileHTM
$strHTMLText = $null
$strACLHTMLText = $null
Remove-Variable -Name "strHTMLText"
Remove-Variable -Name "strACLHTMLText"
}#End if HTM
}
#==========================================================================
# Function■■: WriteDefSDAccessHTM
# Arguments : Security Descriptor, OU dn string, Output htm file
# Returns ■: n/a
# Description : Writes the SD info to a HTM table; appends to the file if it already exists
#==========================================================================
function WriteDefSDAccessHTM
{
# Purpose: emit one row per ACE of a schema class's default security descriptor into the
# HTML report and/or the global ACE array consumed by the Excel export. Appends to the
# report files on disk; returns nothing.
#
# Parameters (the Param line is truncated in this listing, so only these are certain):
#   $bolACLExist    - $true when $sd holds ACEs; $false writes a "No Permissions Set" row.
#   $sd             - ACE collection; each item is read like an ActiveDirectoryAccessRule /
#                     AuditRule (AccessControlType or AuditFlags, ObjectFlags, ObjectType,
#                     InheritedObjectType, IsInherited, ActiveDirectoryRights, InheritanceType,
#                     IdentityReference, and State in compare mode).
#   $bolObjClass    - accepted but not read in the visible body.
#   $strObjectClass - class name shown in the first column.
#   $strColorTemp   - "1"/"2" alternate the row colour per ACE; "3"-"5" pin a fixed colour.
# Other names read here ($Type, $htmfileout, $xlsxout, $OUHeader, $boolReplMetaDate,
# $strReplMetaDate, $strReplMetaVer, $bolCriticalityLevel, $bolShowCriticalityColor,
# $bolTranslateGUID, $CompareMode, $FilterMode, $strFileHTM, $boolACLSize, $strACLSize,
# $boolOUProtected, $bolOUProtected, $strHTMLText, $strACLHTMLText) are either on the
# truncated Param line or inherited from the caller's scope - TODO confirm which.
#
# Side effects: appends to $fileout and $strFileHTM, adds to $global:ArrayAllACE, and raises
# $global:intShowCriticalityLevel. Calls Get-Criticality, ConvertSidToName and
# MapGUIDToMatchingName, which are defined elsewhere in this script.
#
# NOTE(review): directory-derived strings ($strObjectClass, $strNTAccount, $strApplyTo,
# $strPerm, $strReplMetaDate, ...) are interpolated into the HTML here-strings below without
# HTML encoding, and $strNTAccount is also placed inside onclick="GetGroupDN('...')", i.e.
# inside a script string literal in an attribute. A value containing <, >, " or ' would
# break the markup or the handler in the HTA that displays this report. Whether such values
# can reach this function depends on what names the directory allows for principals and
# schema classes - TODO confirm; the fix would be to wrap each interpolated value with
# [System.Net.WebUtility]::HtmlEncode and additionally escape the quote/backslash
# characters of the handler's script language for the onclick value.
Param([bool]$bolACLExist, $sd, [bool]$bolObjClass,[string]$strObjectClass, [string]$strColorTemp,[s
# Output selection. $Type is read from outside the visible Param list. Note that $fileout is
# only assigned in these two branches; for any other $Type it comes from the caller's scope
# (or is empty, in which case the Out-File calls at the end fail) - TODO confirm.
if($Type -eq "HTML")
{
$htm = $true
$fileout = $htmfileout
}
if($Type -eq "EXCEL")
{
$EXCEL = $true
$fileout = $xlsxout
}
# HTML set-up: header colours, criticality legend palette, fonts and the optional class
# header row. PowerShell variable names are case-insensitive, so $htm above and $HTM here
# are the same variable.
if($HTM)
{
$strTHOUColor = "E5CF00"
$strTHColor = "EFAC00"
# Default cell colour for the criticality column when no level is computed for a row.
if ($bolCriticalityLevel -eq $true)
{
$strLegendColor =@"
bgcolor="#A4A4A4"
"@
}
else
{
$strLegendColor = ""
}
# Legend palette, indexed by the 0-4 value Get-Criticality returns (see below).
$strLegendColorInfo=@"
bgcolor="#A4A4A4"
"@
$strLegendColorLow =@"
bgcolor="#0099FF"
"@
$strLegendColorMedium=@"
bgcolor="#FFFF00"
"@
$strLegendColorWarning=@"
bgcolor="#FFD700"
"@
$strLegendColorCritical=@"
bgcolor="#DF0101"
"@
# Font tags are opened in the cells but never explicitly closed; browsers tolerate this.
$strFont =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontRights =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontOU =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontTH =@"
<FONT size="2" face="verdana, hevetica, arial">
"@
# Optional header row naming the class (and the SD modification date/version when
# requested). It is closed right away; the ACE rows follow in $strACLHTMLText.
If ($OUHeader -eq $true)
{
$strHTMLText =@"
$strHTMLText
<TR bgcolor="$strTHOUColor">
"@
$strHTMLText =@"
$strHTMLText
<TD><b>$strFontOU $strObjectClass</b>
"@
if ($boolReplMetaDate -eq $true)
{
$strHTMLText =@"
$strHTMLText
<TD><b>$strFontOU $strReplMetaDate</b>
<TD><b>$strFontOU $strReplMetaVer</b>
"@
}
$strHTMLText =@"
$strHTMLText
</TR>
"@
}
# Row striping: "1" and "2" pick a grey and flip $strColorTemp for the next row; "3"-"5"
# are fixed highlight colours that do not alternate.
Switch ($strColorTemp)
{
"1"
■{
■$strColor = "DDDDDD"
■$strColorTemp = "2"
■}
"2"
■{
■$strColor = "AAAAAA"
■$strColorTemp = "1"
■}■■
"3"
■{
■$strColor = "FF1111"
}
"4"
■{
■$strColor = "00FFAA"
}
"5"
■{
■$strColor = "FFFF00"
}
■}# End Switch
}#End if HTM
# One output row per ACE.
if ($bolACLExist)
{
■$sd | foreach{
# DACL entries carry AccessControlType (Allow/Deny); SACL entries carry AuditFlags instead.
if($null -ne $_.AccessControlType)
{
$objAccess = $($_.AccessControlType.toString())
}
else
{
$objAccess = $($_.AuditFlags.toString())
}
■$objFlags = $($_.ObjectFlags.toString())
■$objType = $($_.ObjectType.toString())
$objIsInheried = $($_.IsInherited.toString())
■$objInheritedType = $($_.InheritedObjectType.toString())
■$objRights = $($_.ActiveDirectoryRights.toString())
$objInheritanceType = $($_.InheritanceType.toString())
# Translate the raw ActiveDirectoryRights flag string into the wording the AD ACL editor
# shows. Only the exact flag combinations listed here are rewritten; anything else (e.g.
# ExtendedRight, WriteDacl, flag sets with more members) falls through default unchanged.
Switch ($objRights)
{
"Self"
{
#Self right are never express in gui it's a validated write ( 0x00000008 ACTRL_DS_SELF)
$objRights = ""
}
"GenericRead"
{
$objRights = "Read Permissions,List Contents,Read All Properties,List"
}
"CreateChild"
{
$objRights = "Create"■
}
"DeleteChild"
{
$objRights = "Delete Child"■■
}
"GenericAll"
{
$objRights = "Full Control"■■
}
"CreateChild, DeleteChild"
{
$objRights = "Create/Delete"■■
}
"ReadProperty"
{
# A property-specific ACE (ObjectAceTypePresent) is a single-property "Read"; the
# property name is appended to $strPerm further down. Without an object type it
# is "Read All Properties". The inheritance-type branches are identical today.
Switch ($objInheritanceType)
■ {
■ ■ "None"
■■ {
Switch ($objFlags)
■ ■ {
■■ ■ "ObjectAceTypePresent"
{
$objRights = "Read"■
}
■■ ■ "ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Read"■
}
default
■■ {$objRights = "Read All Properties"■}
}#End switch
}
"Children"
■■ {
Switch ($objFlags)
■ ■ {
■■ ■ "ObjectAceTypePresent"
{
$objRights = "Read"■
}
■■ ■ "ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Read"■
}
default
■■ {$objRights = "Read All Properties"■}
}#End switch
}
"Descendents"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Read"■
}
■
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Read"■
}
default
{$objRights = "Read All Properties"■}
}#End switch
}
default
{$objRights = "Read All Properties"■}
}#End switch
}
"ReadProperty, WriteProperty"
{
$objRights = "Read All Properties;Write All Properties"■■■
}
"WriteProperty"
{
# Same scheme as ReadProperty: property-specific ACE -> "Write", else all properties.
Switch ($objInheritanceType)
■ {
■ ■ "None"
■■ {
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Write"■
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Write"■
}
default
{
$objRights = "Write All Properties"■
}
}#End switch
}
"Children"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Write"■
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Write"■
}
default
{
$objRights = "Write All Properties"■
}
}#End switch
}
"Descendents"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Write"■
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Write"■
}
default
{
$objRights = "Write All Properties"■
}
}#End switch
}
default
{
$objRights = "Write All Properties"
}
}#End switch■■
}
default
{
}
}# End Switch
# Criticality colouring (0=Info .. 4=Critical). The highest value seen is kept in a global
# so the report header can show it; the call line is truncated in this listing.
if($bolShowCriticalityColor)
{
$intCriticalityValue = Get-Criticality -Returns "Color" $_.IdentityReference.toString() $_.ActiveDirec
Switch ($intCriticalityValue)
{
0 {$strLegendText = "Info";$strLegendColor = $strLegendColorInfo}
1 {$strLegendText = "Low";$strLegendColor = $strLegendColorLow}
2 {$strLegendText = "Medium";$strLegendColor = $strLegendColorMedium}
3 {$strLegendText = "Warning";$strLegendColor = $strLegendColorWarning}
4 {$strLegendText = "Critical";$strLegendColor = $strLegendColorCritical}
}
$strLegendTextVal = $strLegendText
if($intCriticalityValue -gt $global:intShowCriticalityLevel)
{
$global:intShowCriticalityLevel = $intCriticalityValue
}
}
# Trustees that are still raw SIDs ("S-1-...") are resolved to a name for display; the
# resolver call line is truncated in this listing. Anything else is shown as-is.
■$IdentityReference = $($_.IdentityReference.toString())
If ($IdentityReference.contains("S-1-"))
■{
■ $strNTAccount = ConvertSidToName -server $global:strDomainLongName -Sid $IdentityReference -
■}
else
{
$strNTAccount = $IdentityReference
}
# Per-ACE stripe toggle (same table as above) so consecutive rows alternate colour.
Switch ($strColorTemp)
{
"1"
■{
■$strColor = "DDDDDD"
■$strColorTemp = "2"
■}
■"2"
■{
■$strColor = "AAAAAA"
■$strColorTemp = "1"
■}■■
"3"
■{
■$strColor = "FF1111"
}
"4"
■{
■$strColor = "00FFAA"
}
"5"
■{
■$strColor = "FFFF00"
}
■}# End Switch
# "Apply To" wording and the final permission text, derived from inheritance type plus
# object flags. GUIDs are shown raw when $bolTranslateGUID is set, otherwise mapped to a
# name via MapGUIDToMatchingName (call lines truncated here). Combinations not listed
# yield an "Error: Failed to display permissions nK" marker where n identifies the branch.
# NOTE(review): for some flag combinations ("Descendents"/InheritedObjectAceTypePresent,
# "SelfAndChildren"/InheritedObjectAceTypePresent) the wording differs from the per-object
# writer earlier in this file - TODO confirm which text is intended.
■ Switch ($objInheritanceType)
■{
■ ■"All"
■ ■{
■ ■■Switch ($objFlags)
■ ■{
■■ ■"InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "This object and all child objects"
$strPerm = "$objRights $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatc
■■ ■} ■
■■ ■"ObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "This object and all child objects"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■"ObjectAceTypePresent, InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■} ■ ■
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo ="This object and all child objects"
$strPerm = "$objRights"
■■ ■}
■■ ■■default
■ ■■ {
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 1K"
■■ ■} ■
■
■■ }# End Switch
■ ■■
■ ■}
■ ■"Descendents"
■ ■{
■
■ ■■Switch ($objFlags)
■ ■{
■■ ■"InheritedObjectAceTypePresent"
■■ ■{
■■ ■ $strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName
$strPerm = "$objRights"
■■ ■}
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo = "Child Objects Only"
$strPerm = "$objRights"
■■ ■} ■ ■
■■ ■"ObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "Child Objects Only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■"ObjectAceTypePresent, InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo =■"$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName
$strPerm =■"$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■default
■ ■■■{
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 2K"
■■ ■} ■
■
■■ } ■■
■ ■}
■ ■"None"
■ ■{
■ ■■Switch ($objFlags)
■ ■{
■■ ■"ObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "This Object Only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo = "This Object Only"
$strPerm = "$objRights"
■■ ■}
■■ ■■default
■ ■■ {
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 4K"
■■ ■} ■
■
■■■}
■ ■}
■ ■"SelfAndChildren"
■ ■{
■ ■ ■■Switch ($objFlags)
■ ■{
■■ ■"ObjectAceTypePresent"
■ ■■{
■■ ■■$strApplyTo = "This object and all child objects within this container only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■}
■■ ■"InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "Children within this container only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatch
■■ ■}
■■ ■"ObjectAceTypePresent, InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■} ■ ■
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo = "This object and all child objects"
$strPerm = "$objRights"
■■ ■} ■
■■ ■default
■ ■■ {
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 5K"
■■ ■} ■
■
■■■} ■
■ ■} ■
■ ■"Children"
■ ■{
■ ■ ■■Switch ($objFlags)
■ ■{
■■ ■"InheritedObjectAceTypePresent"
■■ ■{
■■ ■■$strApplyTo = "Children within this container only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatch
■■ ■}
■■ ■"None"
■■ ■{
■■ ■■$strApplyTo = "Children within this container only"
$strPerm = "$objRights"
■■ ■} ■ ■
■■ ■"ObjectAceTypePresent, InheritedObjectAceTypePresent"
■ ■■{
■■ ■■$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName
$strPerm = "$(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDA
■■ ■} ■
■■ ■"ObjectAceTypePresent"
■ ■■{
■■ ■■$strApplyTo = "Children within this container only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingNam
■■ ■} ■■ ■
■■ ■default
■ ■■■{
■■ ■■$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 6K"
■■ ■} ■
■
■ ■■}
■ ■}
■ ■default
■ ■{
■■ $strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 7K"
■■} ■
■}# End Switch
# Excel path: one flat object per ACE appended to the shared global array; the caller is
# expected to write that array out once the scan completes.
If($Excel)
{
$objhashtableACE = [pscustomobject][ordered]@{
ObjectClass = $strObjectClass}
if($boolReplMetaDate)
{
$objhashtableACE | Add-Member NoteProperty "Security Descriptor Modified" $strReplMetaDate
$objhashtableACE | Add-Member NoteProperty "Version" $strReplMetaVer
}
$objhashtableACE | Add-Member NoteProperty "IdentityReference" $IdentityReference.toString()
$objhashtableACE | Add-Member NoteProperty "Trustee" $strNTAccount.toString()
$objhashtableACE | Add-Member NoteProperty "Access" $objAccess.toString()
$objhashtableACE | Add-Member NoteProperty "Inherited" $objIsInheried.toString()
$objhashtableACE | Add-Member NoteProperty "Apply To" $strApplyTo.toString()
$objhashtableACE | Add-Member NoteProperty "Permission" $strPerm.toString()
if($boolOUProtected)
{
$objhashtableACE | Add-Member NoteProperty "Inheritance Disabled" $bolOUProtected.toString()
}
# NOTE(review): $strLegendTextVal is only assigned when $bolShowCriticalityColor is set
# (see above). If $bolCriticalityLevel can be true without it, .toString() runs on $null
# here - TODO confirm the two flags always travel together.
if ($bolCriticalityLevel -eq $true)
{
$objhashtableACE | Add-Member NoteProperty "Criticality Level" $strLegendTextVal.toString()
}
if($CompareMode)
{
$objhashtableACE | Add-Member NoteProperty State $($_.State.toString())
}
[VOID]$global:ArrayAllACE.Add($objhashtableACE)
}
# HTML path: one <TR> per ACE. Rows are not closed individually; a single </TR> is
# appended after the loop and browsers auto-close the rest.
If($HTM)
{
$strACLHTMLText =@"
$strACLHTMLText
<TR bgcolor="$strColor">
"@
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strObjectClass</TD>
"@
if ($boolReplMetaDate -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strReplMetaDate</TD>
<TD>$strFont $strReplMetaVer</TD>
"@
}
# NOTE(review): $strNTAccount is written both as link text and, unescaped, inside the
# onclick handler's string literal (see the note at the top of this function).
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont <a href="#web" onclick="GetGroupDN('$strNTAccount')">$strNTAccount</a></TD>
<TD>$strFont $objAccess</TD>
<TD>$strFont $objIsInheried </TD>
<TD>$strFont $strApplyTo</TD>
<TD $strLegendColor>$strFontRights $strPerm</TD>
"@
if($CompareMode)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $($_.State.toString())</TD>
"@
}
if ($bolCriticalityLevel -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD $strLegendColor>$strFont $strLegendTextVal</TD>
"@
}
}#End If HTM
}# End Foreach
■
}
else
{
# No ACEs: emit a single "No (Matching) Permissions Set" row, unless a header row was
# already written for this class.
# NOTE(review): this branch appears to be copied from the per-object writer - it adds
# ACL-size and inheritance-disabled cells plus four N/A cells, which does not match the
# column set InitiateDefSDAccessHTM emits for this report, and no <TR> is opened before
# the </TR> appended below - TODO confirm whether the default-SD report can reach it.
if($HTM)
{
if ($OUHeader -eq $false)
{
if ($FilterMode)
{
if ($boolReplMetaDate -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strReplMetaDate</TD>
"@
}
if ($boolACLSize -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strACLSize bytes</TD>
"@
}
if ($boolOUProtected -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $bolOUPRotected </TD>
"@
}
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont No Matching Permissions Set</TD>
"@
if ($bolCriticalityLevel -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD $strLegendColor>$strFont $strLegendTextVal</TD>
"@
}
}
else
{
if ($boolReplMetaDate -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strReplMetaDate</TD>
"@
}
if ($boolACLSize -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $strACLSize bytes</TD>
"@
}
if ($boolOUProtected -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont $bolOUPRotected </TD>
"@
}
$strACLHTMLText =@"
$strACLHTMLText
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont N/A</TD>
<TD>$strFont No Permissions Set</TD>
"@
if ($bolCriticalityLevel -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
<TD $strLegendColor>$strFont $strLegendTextVal</TD>
"@
}
}# End If
}#end If OUHeader false
}#End if HTM
} #End if bolACLExist
# Flush: header row + ACE rows are appended to both report files, then the buffers are
# discarded so the next call starts clean. Out-File is used without -Encoding, so the
# file encoding follows the host's default (which differs between Windows PowerShell and
# PowerShell 7) - TODO confirm the other writers of these files use the same default.
if($HTM)
{
$strACLHTMLText =@"
$strACLHTMLText
</TR>
"@
#end ifelse OUHEader
$strHTMLText = $strHTMLText + $strACLHTMLText
Out-File -InputObject $strHTMLText -Append -FilePath $fileout
Out-File -InputObject $strHTMLText -Append -FilePath $strFileHTM
$strHTMLText = $null
$strACLHTMLText = $null
Remove-Variable -Name "strHTMLText"
Remove-Variable -Name "strACLHTMLText"
}#End if HTM
}
#==========================================================================
# Function■■: InitiateDefSDAccessHTM
# Arguments : Output htm file
# Returns ■: n/a
# Description : Writes the base HTM table syntax; appends to the file if it already exists
#==========================================================================
Function InitiateDefSDAccessHTM
{
# Purpose: write the title and the table header row for the "Default Security Descriptor"
# report into $htmfileout. Appends to the file (no truncation), returns nothing.
#
# Parameters:
#   $htmfileout      - path of the HTM file to append to.
#   $strStartingPoint - text shown upper-cased in the <h1>.
#   $RepMetaDate     - untyped; only exact $true adds the "Security Descriptor Modified"
#                      header cells (the second cell's text is truncated in this listing).
#   $bolCompare      - $true adds the compare-report title, the template line and a
#                      "State" column.
#   $strComparefile  - template file name shown under the title in compare mode.
#   $bolCriticaltiy  - (sic) $true adds a "Criticality Level" column.
#
# The column order written here must match the cells WriteDefSDAccessHTM emits per row.
# NOTE(review): $strStartingPoint and $strComparefile are interpolated into the HTML as-is,
# without HTML encoding; both presumably come from the operator rather than the directory,
# so the exposure is low - TODO confirm their origin.
Param([string] $htmfileout,
[string]$strStartingPoint,
$RepMetaDate,
[bool]$bolCompare,
[string] $strComparefile,
[bool]$bolCriticaltiy)
# Presumably used in the (truncated) Trustee header line below - TODO confirm.
$strACLTypeHeader = "Access"
# Title block. .ToUpper() on a $null $strStartingPoint would fail; the [string] cast makes
# an omitted argument an empty string instead.
If($bolCompare)
{
$strHTMLText =@"
<h1 style="color: #79A0E0;text-align: center;">Default Security Descriptor COMPARE REPORT - $($st
<h3 style="color: #191010;text-align: center;">
Template: $strComparefile
</h3>
"@
}
else
{
$strHTMLText =@"
<h1 style="color: #79A0E0;text-align: center;">Default Security Descriptor REPORT - $($strStartingPoin
"@
}
$strHTMLText =@"
$strHTMLText
<TABLE BORDER=1>
"@
# Header colours and fonts. $strFont and $strFontOU are not referenced in the visible
# lines of this function.
$strTHOUColor = "E5CF00"
$strTHColor = "EFAC00"
$strFont =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontOU =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontTH =@"
<FONT size="2" face="verdana, hevetica, arial">
"@
# Header cells, in the order the row writer emits them: ObjectClass, optional SD
# modified/version, Trustee + access columns (line truncated here), State, Criticality.
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH ObjectClass</font></th>
"@
if ($RepMetaDate -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH Security Descriptor Modified</font><th bgcolor="$strTHColor">$
"@
}
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH Trustee</font></th><th bgcolor="$strTHColor">$strFontTH $str
"@
if ($bolCompare -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH State</font></th>
"@
}
if ($bolCriticaltiy -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH Criticality Level</font></th>
"@
}
# Append (never overwrite) and drop the locals. No -Encoding is given, so the file
# encoding follows the host's default - TODO confirm it matches the other writers.
Out-File -InputObject $strHTMLText -Append -FilePath $htmfileout
$strHTMLText = $null
$strTHOUColor = $null
$strTHColor = $null
Remove-Variable -Name "strHTMLText"
Remove-Variable -Name "strTHOUColor"
Remove-Variable -Name "strTHColor"
}
#==========================================================================
# Function■■: InitiateHTM
# Arguments : Output htm file
# Returns ■: n/a
# Description : Writes the base HTM table syntax; appends to the file if it already exists
#==========================================================================
Function InitiateHTM
{
# Purpose: write the title block and the table header row of the main ACL / filtered /
# effective-rights / compare report into $htmfileout. Appends to the file, returns nothing.
#
# Parameters (the Param line is truncated in this listing; these are the visible ones):
#   $htmfileout      - path of the HTM file to append to.
#   $strStartingPoint - text shown upper-cased in the <h1>.
#   $strDN           - distinguished name shown in the <h3> under the title.
#   $RepMetaDate     - $true adds the "Security Descriptor Modified" column.
#   $ACLSize         - $true adds the "DACL Size" column.
# Names used below but not on the visible Param line ($bolCompare, $strComparefile,
# $bolFilter, $bolEffectiveRights, $bolCriticaltiy, $SkipDefACE, $SkipProtectDelACE, $GPO,
# $bolCanonical, $bolObjType, $bolACEOUProtected, $SDDL, $rdbSACL,
# $global:strEffectiveRightAccount) are either truncated parameters or script/GUI-scope
# variables - TODO confirm which.
#
# The column order written here must match the cells the per-object row writer emits.
# NOTE(review): $strStartingPoint, $strDN, $strComparefile and the effective-rights account
# are interpolated into the HTML without encoding. They presumably come from the operator
# (command line or GUI) rather than from directory data, so the exposure is lower than in
# the row writers - TODO confirm their origin.
Param([string] $htmfileout,[string]$strStartingPoint,[string]$strDN,[bool]$RepMetaDate ,[bool]$ACLSi
# $rdbSACL is the GUI radio button selecting SACL vs DACL. In command-line mode it is
# presumably $null, in which case .IsChecked evaluates to $null (falsy) under default
# (non-strict) mode and the "Access" header is used - TODO confirm under Set-StrictMode.
If($rdbSACL.IsChecked)
{
$strACLTypeHeader = "Audit"
}
else
{
$strACLTypeHeader = "Access"
}
# Title: compare > filtered > effective rights > plain ACL report.
If($bolCompare)
{
$strHTMLText =@"
<h1 style="color: #79A0E0;text-align: center;">COMPARE REPORT - $($strStartingPoint.ToUpper())</h
<h3 style="color: #191010;text-align: center;">
Template: $strComparefile
</h3>
"@
}
else
{
If($bolFilter)
{
$strHTMLText =@"
<h1 style="color: #79A0E0;text-align: center;">FILTERED REPORT - $($strStartingPoint.ToUpper())</h
"@
}
else
{
If($bolEffectiveRights)
{
$strHTMLText =@"
<h1 style="color: #79A0E0;text-align: center;">EFFECTIVE RIGHTS REPORT <br>
Service Principal: $($global:strEffectiveRightAccount.ToUpper())</h1>
"@
}
else
{
$strHTMLText =@"
<h1 style="color: #79A0E0;text-align: center;">ACL REPORT - $($strStartingPoint.ToUpper())</h1>
"@
}
}
}
# Highest-criticality banner. The literal "20141220T02111105659400201" looks like a
# placeholder token that the caller substitutes once the scan has finished (the final
# level is not known when the header is written) - TODO confirm where it is replaced.
# NOTE(review): the style attribute contains a stray "}" after "bold" (a typo; browsers
# ignore the invalid declaration).
If($bolCriticaltiy)
{
$strHTMLText =@"
$strHTMLText
<div style="text-align: center;font-weight: bold}">
<FONT size="6" color= "#79A0E0">Highest Criticality Level:</FONT> 20141220T02111105659400201
</div>
"@
}
# Scope line: starting DN and local creation time.
$strHTMLText =@"
$strHTMLText
<h3 style="color: #191010;text-align: center;">$strDN<br>
Report Created: $(get-date -uformat "%Y-%m-%d %H:%M:%S")</h3>
"@
# Notes about ACEs the scan deliberately left out (the second line is truncated here).
If($SkipDefACE)
{
$strHTMLText =@"
$strHTMLText
<h3 style="color: #191010;text-align: center;">Default permissions excluded</h3>
"@
}
If($SkipProtectDelACE)
{
$strHTMLText =@"
$strHTMLText
<h3 style="color: #191010;text-align: center;">Protected against accidental deletions permissions exclu
"@
}
$strHTMLText =@"
$strHTMLText
<TABLE BORDER=1>
"@
# Header colours and fonts. $strFont and $strFontOU are not referenced in the visible
# lines of this function.
$strTHOUColor = "E5CF00"
$strTHColor = "EFAC00"
$strFont =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontOU =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontTH =@"
<FONT size="2" face="verdana, hevetica, arial">
"@
# Header cells. The optional cells below are opened without a closing </th>; the SDDL /
# Trustee cell starts with the </th> that closes whichever one came last.
if ($GPO)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH GPO</font>
"@
}
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH Object</font></th>
"@
if ($bolCanonical -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH CanonicalName</font>
"@
}
if ($bolObjType -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH ObjectClass</font>
"@
}
if ($RepMetaDate -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH Security Descriptor Modified</font>
"@
}
if ($ACLSize -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH DACL Size</font>
"@
}
if ($bolACEOUProtected -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH Inheritance Disabled</font>
"@
}
# Either a single SDDL column or the Trustee + access columns (line truncated here;
# $strACLTypeHeader is presumably used in the truncated part - TODO confirm).
if($SDDL)
{
$strHTMLText =@"
$strHTMLText
</th><th bgcolor="$strTHColor">$strFontTH SDDL</font></th>
"@
}
else
{
$strHTMLText =@"
$strHTMLText
</th><th bgcolor="$strTHColor">$strFontTH Trustee</font></th><th bgcolor="$strTHColor">$strFontTH
"@
}
if ($bolCompare -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH State</font></th>
"@
}
if ($bolCriticaltiy -eq $true)
{
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH Criticality Level</font></th>
"@
}
# Append (never overwrite) and drop the locals. No -Encoding is given, so the file
# encoding follows the host's default - TODO confirm it matches the other writers.
Out-File -InputObject $strHTMLText -Append -FilePath $htmfileout
$strHTMLText = $null
$strTHOUColor = $null
$strTHColor = $null
Remove-Variable -Name "strHTMLText"
Remove-Variable -Name "strTHOUColor"
Remove-Variable -Name "strTHColor"
}
#==========================================================================
# Function■■: CreateHTA
# Arguments : OU Name, Output HTA file
# Returns ■: n/a
# Description : Initiates a base HTA file with Export(Save As),Print and Exit buttons.
#==========================================================================
function CreateHTA
{
# Writes the skeleton of the interactive HTA (mshta) report to $htafileout, replacing any
# existing file (-Force). The skeleton is <html><head> with an embedded VBScript block and
# the Export/Print/Exit buttons; the <body> is deliberately left open so that later
# Out-File -Append calls can add the table rows (see e.g. WriteSPNHTM).
#
# $NodeName    - name of the scanned node; shown in <title> and used as the suggested
#                export file name ("$NodeName.htm")
# $htafileout  - HTA file to create
# $htmfileout  - finished HTM report that the Export button copies elsewhere
# $folder      - output folder shown as the example path in the Save As prompt
# $strDomainDN - domain DN used by the embedded LDAP query (Param line is truncated in this
#                listing; $strDC is used by the same query and is presumably declared there
#                or in an outer scope -- confirm)
#
# Embedded VBScript (runs inside the HTA with the privileges of whoever opens the report):
#   ListMembers   - walks a group's members recursively; dicSeenGroupMember stops nested
#                   groups from being visited twice (no infinite loop on cyclic nesting) and
#                   MaxResult (500) caps the number of rows, after which a "Reached Max" row
#                   is emitted and the loop exits.
#   DisplayMembers- opens a popup window and document.write()s the member table into it;
#                   errors are swallowed by On Error Resume Next.
#   GetGroupDN    - ADODB/ADsDSOObject search against LDAP://$strDC/$strDomainDN for
#                   (samaccountname=<name>) where <name> is the part of the clicked trustee
#                   after the "\" (if any); groups are expanded, users just get a popup.
#   ExportToCSV   - despite the name, copies the HTM file ($htmfileout) to a path typed into
#                   an InputBox, overwriting silently (CopyFile ..., true).
#
# NOTE(review): $NodeName, $htmfileout and $folder are interpolated verbatim into HTML and
# into VBScript string literals (e.g. SaveAs("$NodeName.htm",...)); a double quote or HTML
# metacharacters in a directory object name would break out of the literal / element and
# the resulting script would run in the HTA. Values are assumed to be operator-controlled
# -- TODO confirm with the callers.
# NOTE(review): strRDN is concatenated into the LDAP filter unescaped
# ("(samaccountname="&strRDN&")"); RFC 4515 escaping of ( ) * \ would harden the query.
Param([string]$NodeName,[string]$htafileout,[string]$htmfileout,[string] $folder,[string] $strDomainDN
$strHTAText =@"
<html>
<head>
<hta:Application ID="hta"
ApplicationName="Report">
<title>Report on $NodeName</title>
<script type="text/vbscript">
Dim i
Dim strGroupMemberList
Dim dicSeenGroupMember
Dim strBGColor
Dim strBG1
Dim strBG2
Dim MaxResult
MaxResult = 500
set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
i=0
strBG1 = "bgcolor=#AAAAAA"
strBG2 = "bgcolor=#DDDDDD"
Function ListMembers (strGroupADsPath, dicSeenGroupMember, strRDN)
Dim objGroup, objMember
set objGroup = GetObject(strGroupADsPath)
for each objMember In objGroup.Members
if i < MaxResult Then
■ If strGroupMemberList = "" Then
■■ strBGColor = strBG1
■■ strGroupMemberList = "<TR "&strBGColor&"><TD>" & objMember.Get("cn") & "</TD><TD>" & ob
■ Else
■■ If strBGColor = strBG1 Then
■■■ strBGColor = strBG2
■■ Else
■■■ strBGColor = strBG1
■■ End If
■ strGroupMemberList = strGroupMemberList & vbCrlf & "<TR "&strBGColor&"><TD>" & objMember
■ End If
i=i+1
if objMember.Class = "group" then
if dicSeenGroupMember.Exists(objMember.ADsPath) then
else
dicSeenGroupMember.Add objMember.ADsPath, 1
ListMembers objMember.ADsPath, dicSeenGroupMember, strRDN
end if
end if
else
if Not i > MaxResult Then
strGroupMemberList = strGroupMemberList & vbCrlf & "<TR "&strBGColor&"><TD>Reached Max
end if
i=i+1
exit for
end if
next
End Function
Sub DisplayMembers(strMemberTable,strGroupName,strGroupDN)
On Error Resume Next
Dim objDialogWindow
dim wshShell
Set objDialogWindow = window.Open("about:blank","AboutWindow","height=400,width=800,left=100,to
objDialogWindow.Focus()
strHTML = "<html><title>Direct Members</title>" &_
"<body>" &_
"<h1 style='color: #79A0E0;text-align: center;'>" & strGroupName &"</h1>" &_
"<h3 style='color: #191010;text-align: center;'>" & strGroupDN &"</h3>"
if Not strMemberTable = "" Then
strHTML = strHTML & "<TABLE BORDER=1>" &_
"<th bgcolor=#EFAC00> Member</th><th bgcolor=#EFAC00>DN</th>" &_
strMemberTable &_
"</table></body></html>"
else
strHTML = strHTML &"<img src='
TkSuQmCC' />" &_
"</body></html>"
end if
objDialogWindow.document.write strHTML
End Sub
Function GetGroupDN(strRDN)
Dim oConnection
Dim oRecordset
Dim oCmd
Dim strQuery
Set oConnection = CreateObject("ADODB.Connection")
Set oRecordset = CreateObject("ADODB.Recordset")
Set oCmd = CReateObject("ADODB.Command")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "ADs Provider"
Set oCmd.ActiveConnection = oConnection
oCmd.Properties("Page Size") = 20
strGroupText = Split(strRDN,"\")
If (ubound(strGroupText) > 0) Then
■strRDN = strGroupText(1)
End IF
strQuery = "<LDAP://$strDC/$strDomainDN>;(&(samaccountname="&strRDN&")(|(objectClass=group)(
oCmd.CommandText = strQuery
Set oRecordSet = oCmd.Execute
If oRecordset.EOF And oRecordset.BOF Then
■■MsgBox "Could not find group"
Else
■While Not oRecordset.EOF
■■GetGroupDN = oRecordset.Fields("distinguishedName")
Set objGroupAD = GetObject("LDAP://" & GetGroupDN)
■■oRecordset.MoveNext
i=0
strGroupMemberList = ""
if objGroupAD.Class = "group" Then
strRDN = "MEMBERS OF - " & strRDN
ListMembers "LDAP://" & GetGroupDN, dicSeenGroupMember, strRDN
If Not i = 0 Then
■ DisplayMembers strGroupMemberList,strRDN,GetGroupDN
Else
strGroupMemberList = "<TR "&strBGColor&"><TD>Group Empty</TD><TD></TD></TR>"
DisplayMembers strGroupMemberList,strRDN,GetGroupDN
End IF■
else
strRDN = "User Object - " & strRDN
■ DisplayMembers strGroupMemberList,strRDN,GetGroupDN
end if
■Wend
End If
Set oConnection = Nothing
Set oRecordset = Nothing
Set oCmd = Nothing
End Function
Sub ExportToCSV()
Dim objFSO,objFile,objNewFile,oShell,oEnv
Set oShell=CreateObject("wscript.shell")
Set oEnv=oShell.Environment("System")
strTemp=oShell.ExpandEnvironmentStrings("%USERPROFILE%")
strTempFile="$htmfileout"
strOutputFolder="$folder"
strFile=SaveAs("$NodeName.htm",strOutputFolder)
If strFile="" Then Exit Sub
Set objFSO=CreateObject("Scripting.FileSystemObject")
objFSO.CopyFile strTempFile,strFile, true
MsgBox "Finished exporting to " & strFile,vbOKOnly+vbInformation,"Export"
End Sub
Function SaveAs(strFile,strOutFolder)
Dim objDialog
SaveAs=InputBox("Enter the filename and path."&vbCrlf&vbCrlf&"Example: "&strOutFolder&"\CONTOS
End Function
</script>
</head>
<body>
<input type="button" value="Export" onclick="ExportToCSV" tabindex="9">
<input id="print_button" type="button" value="Print" name="Print_button" class="Hide" onClick="Window
<input type="button" value="Exit" onclick=self.close name="B3" tabindex="1" class="btn">
"@
# -Force: an earlier report at the same path is overwritten without prompting.
Out-File -InputObject $strHTAText -Force -FilePath $htafileout
}
#==========================================================================
# Function    : WriteSPNHTM
# Arguments   : Security principal name, membership tokens, object type, output HTA/HTM files
# Returns     : n/a
# Description : Writes the account's membership info as HTM table rows; appends to the files if they exist.
#==========================================================================
function WriteSPNHTM
{
# Appends one principal's membership block to both the HTA and the HTM report:
#   1. a highlighted header row with the principal name and object type (line truncated in
#      this listing; $intMemberOf is presumably shown there too),
#   2. a "Groups" header row,
#   3. one coloured row per entry in $tokens, except the entry that resolves to $strSPN itself.
# Both files are written with -Append; nothing is returned.
#
# $strSPN       - display name of the principal being reported on
# $tokens       - collection of SIDs (strings containing "S-1-") to list; each is resolved
#                 through ConvertSidToName using $global:strDomainLongName and $CREDS
# $objType      - object type shown next to the name
# $intMemberOf  - member-of count (see note on the header row above)
# $strColorTemp - "1"/"2" alternate the two grey row colours, "3"/"4"/"5" select fixed colours
# remaining parameters (Param line truncated) are the HTA and HTM output paths
#
# NOTE(review): $strNTAccount is only assigned for tokens containing "S-1-"; any other token
# reuses the previous iteration's value (or hits $null.toString() on the first one) --
# presumably every token is a SID, confirm with the caller.
# NOTE(review): $strGroupText and $strHTMLText are not initialised in this function, so under
# PowerShell's dynamic scoping a caller that already has them set would see that text
# prepended to this block.
# NOTE(review): principal and group names are interpolated into the HTML unescaped; a name
# containing HTML metacharacters is rendered as markup in the report.
Param([string] $strSPN,$tokens,[string]$objType,[int]$intMemberOf,[string] $strColorTemp,[string] $h
#$strHTMLText ="<TABLE BORDER=1>"
$strTHOUColor = "E5CF00"
$strTHColor = "EFAC00"
$strFont =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontOU =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontTH =@"
<FONT size="2" face="verdana, hevetica, arial">
"@
$strHTMLText =@"
$strHTMLText
<TR bgcolor="$strTHOUColor"><TD><b>$strFontOU $strSPN</b><TD><b>$strFontOU $objType</b><
"@
$strHTMLText =@"
$strHTMLText
<TR bgcolor="$strTHColor"><TD><b>$strFontTH Groups</b></TD><TD></TD><TD></TD></TR>
"@
# One row per token; SIDs are translated to NT account names first.
$tokens | foreach{
If ($_.contains("S-1-"))
{
■$strNTAccount = ConvertSidToName -server $global:strDomainLongName -Sid $_ -CREDS $CREDS
}
# Skip the principal's own entry so it is not listed as a member of itself.
if ($($strNTAccount.toString()) -ne $strSPN)
{
# "1"/"2" toggle between the two greys on successive rows; the others are fixed colours.
Switch ($strColorTemp)
{
"1"
■{
■$strColor = "DDDDDD"
■$strColorTemp = "2"
■}
"2"
■{
■$strColor = "AAAAAA"
■$strColorTemp = "1"
■}■■
"3"
■{
■$strColor = "FF1111"
}
"4"
■{
■$strColor = "00FFAA"
}
"5"
■{
■$strColor = "FFFF00"
}
■}# End Switch
$strGroupText=$strGroupText+@"
<TR bgcolor="$strColor"><TD>
$strFont $($strNTAccount.toString())</TD></TR>
"@
}
}
$strHTMLText = $strHTMLText + $strGroupText
# The same block goes into the interactive HTA and the plain HTM copy.
Out-File -InputObject $strHTMLText -Append -FilePath $htafileout
Out-File -InputObject $strHTMLText -Append -FilePath $htmfileout
$strHTMLText = ""
}
#==========================================================================
# Function    : WriteDefSDSDDLHTM
# Arguments   : Row colour, output HTA/HTM files, object class, defaultSecurityDescriptor version/date (and SDDL)
# Returns     : n/a
# Description : Writes one defaultSecurityDescriptor entry as HTM table rows; appends to the files if they exist.
#==========================================================================
function WriteDefSDSDDLHTM
{
# Appends one defaultSecurityDescriptor entry to both the HTA and the HTM report:
#   1. a highlighted header row with object class, version and date,
#   2. a coloured data row repeating class and version (the rest of that row is truncated
#      in this listing; the remaining Param values presumably go there).
# Both files are written with -Append; nothing is returned.
#
# $strColorTemp   - "1"/"2" pick the two grey row colours, "3"/"4"/"5" fixed colours. The
#                   updated value is not returned, so alternation has to be driven by the caller.
# $htafileout     - HTA report to append to
# $htmfileout     - HTM report to append to
# $strObjectClass - schema class whose defaultSecurityDescriptor is reported
# further parameters (truncated): $strDefSDVer and $strDefSDDate are used below
#
# NOTE(review): $strGroupText and $strHTMLText are not initialised here; a caller that has
# them set would see that text prepended (PowerShell dynamic scoping).
# NOTE(review): $strTHColor and $strFontTH appear unused in the visible lines.
Param([string] $strColorTemp,[string] $htafileout,[string] $htmfileout,[string]$strObjectClass,[string]$s
$strTHOUColor = "E5CF00"
$strTHColor = "EFAC00"
$strFont =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontOU =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontTH =@"
<FONT size="2" face="verdana, hevetica, arial">
"@
$strHTMLText =@"
$strHTMLText
<TR bgcolor="$strTHOUColor"><TD><b>$strFontOU $strObjectClass</b>
<TD><b>$strFontOU $strDefSDVer</b>
<TD><b>$strFontOU $strDefSDDate</b>
"@
$strHTMLText =@"
$strHTMLText
</TR>
"@
# Map the colour selector to a background colour for the data row.
Switch ($strColorTemp)
{
"1"
■ {
■ $strColor = "DDDDDD"
■ $strColorTemp = "2"
■ }
"2"
■ {
■ $strColor = "AAAAAA"
■ $strColorTemp = "1"
■ }■■
"3"
■ {
■ $strColor = "FF1111"
}
"4"
■ {
■ $strColor = "00FFAA"
}
"5"
■ {
■ $strColor = "FFFF00"
}
}# End Switch
$strGroupText=$strGroupText+@"
<TR bgcolor="$strColor"><TD> $strFont $strObjectClass</TD><TD> $strFont $strDefSDVer</TD><TD
"@
$strHTMLText = $strHTMLText + $strGroupText
# Same rows into the interactive HTA and the plain HTM copy.
Out-File -InputObject $strHTMLText -Append -FilePath $htafileout
Out-File -InputObject $strHTMLText -Append -FilePath $htmfileout
$strHTMLText = ""
}
#==========================================================================
# Function    : CreateDefaultSDReportHTA
# Arguments   : Forest name, output HTA file, source HTM file, output folder
# Returns     : n/a
# Description : Initiates a base HTA file with Export (Save As), Print and Exit buttons.
#==========================================================================
function CreateDefaultSDReportHTA
{
# Writes the skeleton of the defaultSecurityDescriptor HTA report (replacing $htafileout):
# <html><head> with the VBScript behind the Export button, plus Export/Print/Exit buttons.
# The <body> is left open; table rows are appended later (WriteDefSDSDDLHTM appends to the
# same HTA path).
#
# $Forest     - forest name shown in the title; the segment after the last "\" is the
#               suggested export file name
# $htafileout - HTA file to create
# $htmfileout - HTM file that the Export button copies to the user-chosen location
# $folder     - output folder shown as the example path in the Save As prompt
#
# "ExportToCSV" (despite its name) copies the HTM file to whatever path is typed into a plain
# InputBox and overwrites silently (CopyFile ..., true).
# NOTE(review): $Forest, $htmfileout and $folder are interpolated verbatim into the HTML and
# into VBScript string literals; a double quote in any of them breaks the script.
Param([string]$Forest,[string]$htafileout,[string]$htmfileout,[string] $folder)
$strHTAText =@"
<html>
<head>
<hta:Application ID="hta"
ApplicationName="Report">
<title>defaultSecurityDescriptor Report on $Forest</title>
<script type="text/vbscript">
Sub ExportToCSV()
Dim objFSO,objFile,objNewFile,oShell,oEnv
Set oShell=CreateObject("wscript.shell")
Set oEnv=oShell.Environment("System")
strTemp=oShell.ExpandEnvironmentStrings("%USERPROFILE%")
strTempFile="$htmfileout"
strOutputFolder="$folder"
strFile=SaveAs("$($Forest.Split("\")[-1]).htm",strOutputFolder)
If strFile="" Then Exit Sub
Set objFSO=CreateObject("Scripting.FileSystemObject")
objFSO.CopyFile strTempFile,strFile, true
MsgBox "Finished exporting to " & strFile,vbOKOnly+vbInformation,"Export"
End Sub
Function SaveAs(strFile,strOutFolder)
Dim objDialog
SaveAs=InputBox("Enter the filename and path."&vbCrlf&vbCrlf&"Example: "&strOutFolder&"\CONTOS
End Function
</script>
</head>
<body>
<input type="button" value="Export" onclick="ExportToCSV" tabindex="9">
<input id="print_button" type="button" value="Print" name="Print_button" class="Hide" onClick="Window
<input type="button" value="Exit" onclick=self.close name="B3" tabindex="1" class="btn">
"@
# -Force: an earlier report at the same path is overwritten without prompting.
Out-File -InputObject $strHTAText -Force -FilePath $htafileout
}
#==========================================================================
# Function    : CreateDefSDHTM
# Arguments   : Report name (forest / starting point), output HTM file
# Returns     : n/a
# Description : Initiates a base HTM file (html/head/title) for the defaultSecurityDescriptor report; the Export/Print/Exit buttons exist only in the HTA variant.
#==========================================================================
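function CreateDefSDHTM
{
# Starts a fresh HTM file for the defaultSecurityDescriptor report: <html><head> and the
# <title>. The table is appended afterwards by InitiateDefSDHTM / WriteDefSDSDDLHTM, so the
# document is deliberately left unclosed here.
#
# $SPN        - name shown in the title (the forest / starting point as passed by the caller)
# $htmfileout - path of the HTM file; overwritten (-Force) if it already exists
#
# Fixes: the original emitted "<head[string]$SPN" (a leftover from the Param line) instead of
# "<head>", misspelled "Descriptor" in the title, and pasted $SPN into the title unescaped.
# The name is now HTML-encoded so a value containing <, >, & or " cannot inject markup into
# the report.
Param([string]$SPN,[string]$htmfileout)
# Minimal HTML escaping via -replace (no dependency on System.Web / WebUtility, so it works on
# every PowerShell version the script supports). '&' must be replaced first so the entities
# added afterwards are not double-encoded.
$strSafeSPN = $SPN -replace '&','&amp;' -replace '<','&lt;' -replace '>','&gt;' -replace '"','&quot;'
$strHTAText =@"
<html>
<head>
<title>Default Security Descriptor Report on $strSafeSPN</title>
"@
Out-File -InputObject $strHTAText -Force -FilePath $htmfileout
}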
#==========================================================================
# Function    : InitiateDefSDHTM
# Arguments   : Output HTM file, starting point shown in the heading
# Returns     : n/a
# Description : Writes the report heading and the base HTM table syntax; appends to the file if it exists.
#==========================================================================
Function InitiateDefSDHTM
{
# Appends the report heading (<h1> with the starting point) and opens the results table with
# its header row (starts with "Object" and "Version"; the line is truncated in this listing).
# Data rows are added afterwards by WriteDefSDSDDLHTM; the table is not closed here.
#
# $htmfileout       - HTM file to append to
# $strStartingPoint - name shown in the heading
#
# NOTE(review): $strFont, $strFontOU and $strTHOUColor appear unused in the visible lines.
# NOTE(review): $strStartingPoint is interpolated into the heading unescaped.
Param([string] $htmfileout,[string] $strStartingPoint)
$strHTMLText =@"
<h1 style="color: #79A0E0;text-align: center;">Default Security Descriptor REPORT - $($strStartingPoin
"@
$strHTMLText =$strHTMLText +"<TABLE BORDER=1>"
$strTHOUColor = "E5CF00"
$strTHColor = "EFAC00"
$strFont =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontOU =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontTH =@"
<FONT size="2" face="verdana, hevetica, arial">
"@
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH Object</font></th><th bgcolor="$strTHColor">$strFontTH Versi
"@
# Appended: the file was created earlier by CreateDefSDHTM.
Out-File -InputObject $strHTMLText -Append -FilePath $htmfileout
}
#==========================================================================
# Function    : CreateServicePrincipalReportHTA
# Arguments   : Security principal name, output HTA file, source HTM file, output folder
# Returns     : n/a
# Description : Initiates a base HTA file with Export (Save As), Print and Exit buttons.
#==========================================================================
function CreateServicePrincipalReportHTA
{
# Writes the skeleton of the membership HTA report (replacing $htafileout): <html><head>
# with the VBScript behind the Export button, plus Export/Print/Exit buttons. The <body> is
# left open; rows are appended later (WriteSPNHTM appends to the same HTA path).
#
# $SPN        - principal name shown in the title; the segment after the last "\" is the
#               suggested export file name
# $htafileout - HTA file to create
# $htmfileout - HTM file that the Export button copies to the user-chosen location
# $folder     - output folder shown as the example path in the Save As prompt
#
# "ExportToCSV" (despite its name) copies the HTM file to whatever path is typed into a plain
# InputBox and overwrites silently (CopyFile ..., true).
# NOTE(review): $SPN, $htmfileout and $folder are interpolated verbatim into the HTML and
# into VBScript string literals; a double quote in any of them breaks the script.
Param([string]$SPN,[string]$htafileout,[string]$htmfileout,[string] $folder)
$strHTAText =@"
<html>
<head>
<hta:Application ID="hta"
ApplicationName="Report">
<title>Membership Report on $SPN</title>
<script type="text/vbscript">
Sub ExportToCSV()
Dim objFSO,objFile,objNewFile,oShell,oEnv
Set oShell=CreateObject("wscript.shell")
Set oEnv=oShell.Environment("System")
strTemp=oShell.ExpandEnvironmentStrings("%USERPROFILE%")
strTempFile="$htmfileout"
strOutputFolder="$folder"
strFile=SaveAs("$($SPN.Split("\")[-1]).htm",strOutputFolder)
If strFile="" Then Exit Sub
Set objFSO=CreateObject("Scripting.FileSystemObject")
objFSO.CopyFile strTempFile,strFile, true
MsgBox "Finished exporting to " & strFile,vbOKOnly+vbInformation,"Export"
End Sub
Function SaveAs(strFile,strOutFolder)
Dim objDialog
SaveAs=InputBox("Enter the filename and path."&vbCrlf&vbCrlf&"Example: "&strOutFolder&"\CONTOS
End Function
</script>
</head>
<body>
<input type="button" value="Export" onclick="ExportToCSV" tabindex="9">
<input id="print_button" type="button" value="Print" name="Print_button" class="Hide" onClick="Window
<input type="button" value="Exit" onclick=self.close name="B3" tabindex="1" class="btn">
"@
# -Force: an earlier report at the same path is overwritten without prompting.
Out-File -InputObject $strHTAText -Force -FilePath $htafileout
}
#==========================================================================
# Function    : CreateSPNHTM
# Arguments   : Security principal name, output HTM file
# Returns     : n/a
# Description : Initiates a base HTM file (html/head/title) for the membership report; the Export/Print/Exit buttons exist only in the HTA variant.
#==========================================================================
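function CreateSPNHTM
{
# Starts a fresh HTM file for the membership report: <html><head> and the <title>. The table
# is appended afterwards by InitiateSPNHTM / WriteSPNHTM, so the document is deliberately
# left unclosed here.
#
# $SPN        - principal name shown in the title
# $htmfileout - path of the HTM file; overwritten (-Force) if it already exists
#
# Fixes: the original emitted "<head[string]$SPN" (a leftover from the Param line) instead of
# "<head>", and pasted $SPN into the title unescaped. The name is now HTML-encoded so a value
# containing <, >, & or " cannot inject markup into the report.
Param([string]$SPN,[string]$htmfileout)
# Minimal HTML escaping via -replace (no dependency on System.Web / WebUtility, so it works on
# every PowerShell version the script supports). '&' must be replaced first so the entities
# added afterwards are not double-encoded.
$strSafeSPN = $SPN -replace '&','&amp;' -replace '<','&lt;' -replace '>','&gt;' -replace '"','&quot;'
$strHTAText =@"
<html>
<head>
<title>Membership Report on $strSafeSPN</title>
"@
Out-File -InputObject $strHTAText -Force -FilePath $htmfileout
}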
#==========================================================================
# Function    : InitiateSPNHTM
# Arguments   : Output HTM file
# Returns     : n/a
# Description : Writes the base HTM table syntax (table and header row); appends to the file if it exists.
#==========================================================================
Function InitiateSPNHTM
{
# Opens the membership results table and writes its header row (starts with "Account Name";
# the line is truncated in this listing). Rows are added afterwards by WriteSPNHTM; the
# table is not closed here.
#
# $htmfileout - HTM file to append to (created earlier by CreateSPNHTM)
#
# NOTE(review): $strFont, $strFontOU and $strTHOUColor appear unused in the visible lines.
Param([string] $htmfileout)
$strHTMLText ="<TABLE BORDER=1>"
$strTHOUColor = "E5CF00"
$strTHColor = "EFAC00"
$strFont =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontOU =@"
<FONT size="1" face="verdana, hevetica, arial">
"@
$strFontTH =@"
<FONT size="2" face="verdana, hevetica, arial">
"@
$strHTMLText =@"
$strHTMLText
<th bgcolor="$strTHColor">$strFontTH Account Name</font></th><th bgcolor="$strTHColor">$strFontT
"@
# Appended so the html/head/title written by CreateSPNHTM is preserved.
Out-File -InputObject $strHTMLText -Append -FilePath $htmfileout
}
#==========================================================================
# Function    : CreateHTM
# Arguments   : OU name, output HTM file
# Returns     : n/a
# Description : Initiates a base HTM file (html/head/title); the Export/Print/Exit buttons exist only in the HTA variant.
#==========================================================================
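function CreateHTM
{
# Starts a fresh HTM report file: <html><head> and the <title>. The table that follows is
# appended by later functions, so the document is deliberately left unclosed here.
#
# $NodeName   - name of the scanned node shown in the title
# $htmfileout - path of the HTM file; overwritten (-Force) if it already exists
#
# $NodeName is HTML-encoded before it is placed in the title so that a node name containing
# <, >, & or " cannot inject markup into the report (the name is presumably directory data
# rather than something the operator typed).
Param([string]$NodeName,[string]$htmfileout)
# Minimal HTML escaping via -replace (no dependency on System.Web / WebUtility). '&' must be
# replaced first so the entities added afterwards are not double-encoded.
$strSafeNodeName = $NodeName -replace '&','&amp;' -replace '<','&lt;' -replace '>','&gt;' -replace '"','&quot;'
$strHTAText =@"
<html>
<head>
<title>Report on $strSafeNodeName</title>
"@
Out-File -InputObject $strHTAText -Force -FilePath $htmfileout
}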
#==========================================================================
# Function    : Select-File
# Arguments   : n/a
# Returns     : folder path
# Description : Dialog box for selecting a file
#==========================================================================
function Select-File
{
param (
[System.String]$Title = "Select Template File",
[System.String]$InitialDirectory = $CurrentFSPath,
[System.String]$Filter = "All Files(*.csv)|*.csv"
)
)
$bolCompare = $false
$bolACLExist = $true
$global:strOwner = ""
$strACLSize = ""
$bolOUProtected = $false
$aclcount = 0
$sdOUProtect = ""
$global:ArrayAllACE = New-Object System.Collections.ArrayList
if(($OutType -eq "EXCEL") -or ($OutType -eq "CSV"))
{
$WriteOut = "Object"
}
else
{
$WriteOut = "HTML"
}
if(($OutType -eq "CSVTEMPLATE") -or ($OutType -eq "CSV"))
{
$bolCSV = $true
■If ((Test-Path $strFileCSV) -eq $true)
■{
■ Remove-Item $strFileCSV
■}
}
else
{
$bolCSV = $false
}
$count = 0
$i = 0
$intCSV = 0
if($global:bolCMD)
{
$intTot = 0
#calculate percentage
$intTot = $AllObjectDn.count
}
else
{
if (($PSVersionTable.PSVersion -ne "2.0") -and ($global:bolProgressBar))
{
$intTot = 0
#calculate percentage
$intTot = $AllObjectDn.count
if ($intTot -gt 0)
{
LoadProgressBar
}
}
}
while($count -le $AllObjectDn.count -1)
{
if($GPO)
{
$ADObjDN = $AllObjectDn[$count].Split(";")[0]
$GPOTarget = $AllObjectDn[$count].Split(";")[1]
if($GPO)
{
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:st
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = $ADObjDN
$request.Filter = "(objectClass=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("displayname")
$response = $LDAPConnection.SendRequest($request)
$result = $response.Entries[0]
try
{
$GPOdisplayname = $result.attributes.displayname[0]
}
catch
{
}
}
}
else
{
$ADObjDN = $($AllObjectDn[$count])
}
$global:secd = ""
$bolACLExist = $true
$global:GetSecErr = $false
if(($global:bolCMD) -and ($global:bolProgressBar))
{
$i++
[int]$pct = ($i/$intTot)*100
Write-Progress -Activity "Collecting objects" -Status "Currently scanning $i of $intTot objects" -Id 0 -C
}
else
{
if (($PSVersionTable.PSVersion -ne "2.0") -and ($global:bolProgressBar))
{
$i++
[int]$pct = ($i/$intTot)*100
#Update the progress bar
}
}
$sd = New-Object System.Collections.ArrayList
$GetOwnerEna = $bolGetOwnerEna
if ($rdbDACL.IsChecked)
{
$SecurityMasks = [System.DirectoryServices.Protocols.SecurityMasks]'Owner' -bor [System.Director
$control = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($SecurityM
[void]$request.Controls.Add($control)
$response = $LDAPConnection.SendRequest($request)
$DSobject = $response.Entries[0]
#Check if any NTsecuritydescr
if($null -ne $DSobject.Attributes.ntsecuritydescriptor)
{
if($null -ne $DSobject.Attributes.objectclass)
{
$strObjectClass = $DSobject.Attributes.objectclass[$DSobject.Attributes.objectclass.count-1]
}
else
{
$strObjectClass = "unknown"
}
if($SDDL)
{
[string]$strSDDL = ""
$objSd = $DSobject.Attributes.ntsecuritydescriptor[0]
if ($objSD -is [Byte[]]) {
$SDDLSec = New-Object System.Security.AccessControl.RawSecurityDescriptor @($objS
} elseif ($objSD -is [string]) {
$SDDLSec = New-Object System.Security.AccessControl.RawSecurityDescriptor @($objS
}
if(!($IncludeInherited))
{
$arrSDDL = @(($SDDLSec.GetSddlForm('Access,Owner')).split(")") | ?{$_ -notmatch "ID;"})
if($arrSDDL.count -gt 0)
{
for($IntCount=0;$IntCount -lt $($arrSDDL.count -1);$IntCount++)
{
$strSDDL +="$($arrSDDL[$IntCount]))"
}
}
}
else
{
$strSDDL = $SDDLSec.GetSddlForm('Access,Owner')
}
}
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
if($chkBoxRAWSDDL.IsChecked)
{
$secSDDL = New-Object System.DirectoryServices.ActiveDirectorySecurity
$objSd = $DSobject.Attributes.ntsecuritydescriptor[0]
if ($objSD -is [Byte[]]) {
$SDDLSec = New-Object System.Security.AccessControl.RawSecurityDescriptor @($objS
} elseif ($objSD -is [string]) {
$SDDLSec = New-Object System.Security.AccessControl.RawSecurityDescriptor @($objS
}
$strSDDLForm = $SDDLSec.GetSddlForm('Access,Owner')
$arrSplitedSDDL = $strSDDLForm.Split("(")
$intI = 0
Foreach ($strSDDLPart in $arrSplitedSDDL)
{
if($intI -gt 0)
{
if($sec.Owner -eq $null)
{
$sec.SetSecurityDescriptorSDDLForm("$($arrSplitedSDDL[0])($strSDDLPart")
}
else
{
if(!($IncludeInherited))
{
if(($strSDDLPart.split(";")[1] -ne "CIID") -and ($strSDDLPart.split(";")[1] -ne "CIIOID"))
{
$secSDDL.SetSecurityDescriptorSDDLForm("$($arrSplitedSDDL[0])($strSDDLPart
$sec.AddAccessRule($secSDDL.Access[0])
}
}
else
{
$secSDDL.SetSecurityDescriptorSDDLForm("$($arrSplitedSDDL[0])($strSDDLPart")
$sec.AddAccessRule($secSDDL.Access[0])
}
}
}
$intI++
}
}
else
{
$sec.SetSecurityDescriptorBinaryForm($DSobject.Attributes.ntsecuritydescriptor[0])
}
&{#Try
$global:secd = $sec.GetAccessRules($true, $IncludeInherited, [System.Security.Principal.Secur
}
Trap [SystemException]
{
if($bolCMD)
{
Write-host "Failed to translate identity:$ADObjDN" -ForegroundColor red
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to translate identity:$
}
$global:GetSecErr = $true
Continue
}
}
else
{
#Fail futher scan when NTsecurityDescriptor is null
$global:GetSecErr = $true
}
}
else
{
$SecurityMasks = [System.DirectoryServices.Protocols.SecurityMasks]'Owner' -bor [System.Director
$control = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($SecurityM
[void]$request.Controls.Add($control)
$response = $LDAPConnection.SendRequest($request)
$DSobject = $response.Entries[0]
if($null -ne $DSobject.Attributes.objectclass)
{
$strObjectClass = $DSobject.Attributes.objectclass[$DSobject.Attributes.objectclass.count-1]
}
else
{
$strObjectClass = "unknown"
}
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sec.SetSecurityDescriptorBinaryForm($DSobject.Attributes.ntsecuritydescriptor[0])
&{#Try
$global:secd = $sec.GetAuditRules($true, $IncludeInherited, [System.Security.Principal.SecurityId
}
Trap [SystemException]
{
if($bolCMD)
{
Write-host "Failed to translate identity:$ADObjDN" -ForegroundColor red
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to translate identity:$AD
}
$global:GetSecErr = $true
Continue
}
}
if(($global:GetSecErr -ne $true) -or ($global:secd -ne ""))
{
$sd.clear()
if($null -ne $global:secd){
$(ConvertTo-ObjectArrayListFromPsCustomObject $global:secd)| ForEach-Object{[void]$sd.add(
}
If ($GetOwnerEna -eq $true)
{
&{#Try
$global:strOwner = $sec.GetOwner([System.Security.Principal.SecurityIdentifier]).value
}
Trap [SystemException]
{
if($global:bolADDSType)
{
if($bolCMD)
{
Write-host "Failed to translate owner identity:$ADObjDN" -ForegroundColor red
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to translate owner
}
}
Continue
}
$newSdOwnerObject = New-Object PSObject -Property @{ActiveDirectoryRights="Read permissi
InheritedObjectType="None";ObjectFlags="None";AccessControlType="Owner";IdentityReference
InheritanceFlags="None";PropagationFlags="None"}
[void]$sd.insert(0,$newSdOwnerObject)
}
■If ($SkipDefaultPerm)
■{
If ($GetOwnerEna -eq $false)
{
&{#Try
$global:strOwner = $sec.GetOwner([System.Security.Principal.SecurityIdentifier]).value
}
Trap [SystemException]
{
if($bolCMD)
{
Write-host "Failed to translate owner identity:$ADObjDN" -ForegroundColor red
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to translate owner
}
Continue
}
}
}
if ($bolACLsize -eq $true)
{
$strACLSize = $sec.GetSecurityDescriptorBinaryForm().length
}
if ($bolGetOUProtected -eq $true)
{
$bolOUProtected = $sec.AreAccessRulesProtected
}
if ($bolReplMeta -eq $true)
{
}
if($ApplyTo.Split("|") -contains "*")
{
$sd = @($sd | Where-Object{(($_.ObjectType -match $ApplyToString) -or ($_.InheritedO
}
else
{
$sd = @($sd | Where-Object{($_.ObjectType -match $ApplyToString) -or ($_.InheritedO
}
}
else
{
if($ApplyTo -contains "*")
{
$sd = @($sd | Where-Object{(($_.ObjectType -eq "00000000-0000-0000-0000-0000000
}
else
{
$sd = @($sd | Where-Object{($_.ObjectType -eq $global:dicNameToSchemaIDGUIDs.It
}
}
}
}
If ($BolACLPermissionFilter)
{
If ($ACLPermissionFilter)
{
if ($ACLPermissionFilter.Length -gt 0)
{
$sd = @($sd | Where-Object{$_.ActiveDirectoryRights -match $ACLPermissionFilter})
}
}
}
}
if($FilterBuiltin)
{
# Filter out default and built-in security principals
$sd = @($sd | Where-Object{`
($_.IdentityReference -match "S-1-5-21-") -and `
($_.IdentityReference -notmatch $("^"+$domainsid+"-5\d{2}$")) -and
($_.IdentityReference -notmatch $("^"+$domainsid+"-4\d{2}$"))
})
}
if($RecursiveFind)
{
$RecursiveData = new-object System.Collections.ArrayList
foreach($ace in $sd)
{
[Void]$RecursiveData.add($ace)
$SID_DN = ""
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = "<SID=$($ace.IdentityReference)>"
$request.Filter = "(name=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("objectClass")
[void]$request.Attributes.Add("member")
try
{
$response = $LDAPConnection.SendRequest($request)
$result = $response.Entries[0]
■ $SID_DN = $result.distinguishedName
$ObjectClass =$result.attributes.objectclass[$result.attributes.objectclass.count-1]
}
catch
{
Write-Verbose "Could not resolve $sid"
}
if($SID_DN)
{
if($ObjectClass -eq "Group")
{
if(($result.Attributes.AttributeNames -contains "member;range=0-1499") -or ($result.Attribu
{
$global:GroupMembersExpanded = New-Object System.Collections.ArrayList
$NetstedResult = Get-LargeNestedADGroup $global:strDC $SID_DN $RecursiveObject
if($NetstedResult)
{
foreach($NestedObject in $NetstedResult)
{
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConne
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = $NestedObject
$request.Filter = "(name=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("objectsid")
[void]$request.Attributes.Add("msds-principalname")
$response = $LDAPConnection.SendRequest($request)
$ADObject = $response.Entries[0]
$recursiveobject = new-object psobject
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "Ide
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "Act
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "Inh
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "Ob
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "Inh
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "Ob
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "Acc
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "IsIn
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "Inh
add-member -inputobject $recursiveobject -MemberType NoteProperty -Name "Pro
[Void]$RecursiveData.add($recursiveobject)
$recursiveobject = $null
}
}
}
}
}
$SD = $RecursiveData | Sort-Object -Property InheritedObjectType,ObjectType,IdentityReference
$RecursiveData = $null
}
If (($FilterEna -eq $true) -and ($bolEffectiveR -eq $false))
{
If ($FilterForTrustee)
{
if ($FilterTrustee.Length -gt 0)
{
$sd = @($sd | Where-Object{if($_.IdentityReference -like "S-1-*"){`
$(ConvertSidToName -server $global:strDomainLongName -Sid $_.IdentityReference -CRED
else{$_.IdentityReference -like $FilterTrustee}})
}
}
}
if($ReturnObjectType)
{
if($ReturnObjectType -ne "*")
{
$sd = @($sd | Where-Object{(GetObjectTypeFromSid -server $global:strDC -Sid $_.IdentityRefe
}
}
If ($bolAssess)
{
Switch ($AssessLevel)
{
"Info" {$CriticalityFilter = 0}
"Low" {$CriticalityFilter = 1}
"Medium" {$CriticalityFilter = 2}
"Warning" {$CriticalityFilter = 3}
"Critical" {$CriticalityFilter = 4}
}
$sd = @($sd | Where-Object{Get-Criticality -Returns "Filter" $_.IdentityReference.toString() $_.Act
}
if ($bolEffectiveR -eq $true)
{
if ($global:tokens.count -gt 0)
{
$sdtemp2 = New-Object System.Collections.ArrayList
$sdtemp = ""
$sdtemp = $sd | Where-Object{$_.IdentityReference -eq $tok}
if($sdtemp)
{
[void]$sdtemp2.Add( $sdtemp)
}
}
$sd = $sdtemp2
}
}
$intSDCount = $sd.count
If (!($bolCSVO))
{
$bolACLExist = $false
if (($permcount -eq 0) -and ($index -gt 0))
{
$bolOUHeader = $true
■ WriteOUT $bolACLExist $sd $strDistinguishedName $CanonicalName $bolOUHeader "1" $str
$aclcount++
}# End If
}# End if bolCSVOnly
}
}#End $global:GetSecErr
■$count++
}# End while
$global:ProgressBarWindow.Window.Dispatcher.invoke([action]{$global:ProgressBarWindow
}
}
if($bolCSV)
{
if($OutType -eq "CSVTEMPLATE")
{
if($bolCMD)
{
if($bolToFile)
{
Write-host "Report saved in: $strFileCSV" -ForegroundColor Yellow
Write-output $strFileCSV
}
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Report saved in $strFileCS
}
#If Get-Perm was called with Show then open the CSV file.
if($Show)
{
■ Invoke-Item $strFileCSV
}
}
else
{
if($bolCMD)
{
if($bolToFile)
{
$global:ArrayAllACE | export-csv -Path $strFileCSV -NoTypeInformation -NoClobber
Write-host "Report saved in: $strFileCSV" -ForegroundColor Yellow
Write-output $strFileCSV
}
else
{
$global:ArrayAllACE
}
}
else
{
$global:ArrayAllACE | export-csv -Path $strFileCSV -NoTypeInformation -NoClobber
$global:observableCollection.Insert(0,(LogMessage -strMessage "Report saved in $strFileCS
}
#If Get-Perm was called with Show then open the CSV file.
if($Show)
{
■ Invoke-Item $strFileCSV
}
}
}
else
{
#If excel output
if($OutType -eq "EXCEL")
{
$tablename = $($strNode+"acltbl") -replace '[^a-zA-Z]+',''
if($bolShowCriticalityColor)
{
# Array with alphabet characters
$ExcelColumnAlphabet = @()
for ([byte]$c = [char]'A'; $c -le [char]'Z'; $c++)
{
$ExcelColumnAlphabet += [char]$c
}
}
}
}
while($count -le $AllObjectDn.count -1)
{
$global:GetSecErr = $false
$global:secd = ""
if(($global:bolCMD) -and ($global:bolProgressBar))
{
$i++
[int]$pct = ($i/$intTot)*100
Write-Progress -Activity "Collecting objects" -Status "Currently scanning $i of $intTot objects" -Id 0
}
else
{
if (($PSVersionTable.PSVersion -ne "2.0") -and ($global:bolProgressBar))
{
$i++
[int]$pct = ($i/$intTot)*100
#Update the progress bar
while(($null -eq $global:ProgressBarWindow.Window.IsInitialized) -and ($intLoop -lt 20))
{
Start-Sleep -Milliseconds 1
$cc++
}
if ($global:ProgressBarWindow.Window.IsInitialized -eq $true)
{
Update-ProgressBar "Currently scanning $i of $intTot objects" $pct
}
}
}
$OUMatchResultOverall = $false
$sd = New-Object System.Collections.ArrayList
$GetOwnerEna = $bolGetOwnerEna
if($GPO)
{
$ADObjDN = $AllObjectDn[$count].Split(";")[0]
$GPOTarget = $AllObjectDn[$count].Split(";")[1]
if($GPO)
{
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
$request.DistinguishedName = $ADObjDN
$request.Filter = "(objectClass=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("displayname")
$response = $LDAPConnection.SendRequest($request)
$result = $response.Entries[0]
try
{
$GPOdisplayname = $result.attributes.displayname[0]
}
catch
{
}
}
}
else
{
$ADObjDN = $($AllObjectDn[$count])
}
$OUdnorgDN = $ADObjDN
#Counter used for fitlerout Nodes with only defaultpermissions configured
$intAclOccurence = 0
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strD
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest("$ADObjDN", "(name=*)
if($global:bolShowDeleted)
{
[string] $LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
[void]$request.Controls.Add((New-Object "System.DirectoryServices.Protocols.DirectoryControl" -
}
[void]$request.Attributes.Add("objectclass")
if($UseCanonicalName)
{
[void]$request.Attributes.Add("canonicalname")
}
[void]$request.Attributes.Add("ntsecuritydescriptor")
$response = $null
$DSobject = $null
if ($rdbDACL.IsChecked)
{
$SecurityMasks = [System.DirectoryServices.Protocols.SecurityMasks]'Owner' -bor [System.Direc
$control = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($Securi
[void]$request.Controls.Add($control)
$SendRequest = $false
try
{
$response = $LDAPConnection.SendRequest($request)
$SendRequest = $true
}
catch
{
if($global:bolCMD)
{
Write-host "Failed to connect to:$ADObjDN"
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to connect to:$ADOb
}
}
if($SendRequest)
{
$DSobject = $response.Entries[0]
if($GPO)
{
$strDistinguishedName = $GPOTarget
}
else
{
$strDistinguishedName = $DSobject.distinguishedname.toString()
}
#Check if any NTsecuritydescr
if($null -ne $DSobject.Attributes.ntsecuritydescriptor)
{
if($null -ne $DSobject.Attributes.objectclass)
{
$strObjectClass = $DSobject.Attributes.objectclass[$DSobject.Attributes.objectclass.count-1]
}
else
{
$strObjectClass = "unknown"
}
if($UseCanonicalName)
{
if($DSobject.attributes.canonicalname)
{
$CanonicalName = $DSobject.attributes.canonicalname[0]
}
else
{
$CanonicalName = Create-CanonicalName $DSobject.distinguishedname.toString()
}
}
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
if($chkBoxRAWSDDL.IsChecked)
{
}
else
{
$SecurityMasks = [System.DirectoryServices.Protocols.SecurityMasks]'Owner' -bor [System.Direc
$control = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($Securi
[void]$request.Controls.Add($control)
$response = $LDAPConnection.SendRequest($request)
$DSobject = $response.Entries[0]
if($null -ne $DSobject.Attributes.objectclass)
{
$strObjectClass = $DSobject.Attributes.objectclass[$DSobject.Attributes.objectclass.count-1]
}
else
{
$strObjectClass = "unknown"
}
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sec.SetSecurityDescriptorBinaryForm($DSobject.Attributes.ntsecuritydescriptor[0])
&{#Try
#$DSobject.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner
$global:secd = $sec.GetAuditRules($true, $chkInheritedPerm.IsChecked, [System.Security.Prin
}
Trap [SystemException]
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to translate identity:$AD
&{#Try
$global:secd = $sec.GetAuditRules($true, $chkInheritedPerm.IsChecked, [System.Security.P
}
Trap [SystemException]
{
$global:GetSecErr = $true
Continue
}
Continue
}
}
if($DSobject.attributes.count -gt 0)
{
if(($global:GetSecErr -ne $true) -or ($global:secd -ne ""))
{
$sd.clear()
if($null -ne $global:secd){
$(ConvertTo-ObjectArrayListFromPsCustomObject $global:secd)| ForEach-Object{[void]$sd.ad
}
If ($GetOwnerEna -eq $true)
{
&{#Try
$global:strOwner = $sec.GetOwner([System.Security.Principal.SecurityIdentifier]).value
}
Trap [SystemException]
{
if($global:bolADDSType)
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to translate owner
}
$global:strOwner = $sec.GetOwner([System.Security.Principal.SecurityIdentifier]).value
Continue
}
$newSdOwnerObject = New-Object PSObject -Property @{ActiveDirectoryRights="Read permis
InheritedObjectType="None";ObjectFlags="None";AccessControlType="Owner";IdentityReferen
InheritanceFlags="None";PropagationFlags="None"}
[void]$sd.insert(0,$newSdOwnerObject)
}
■ If ($SkipDefaultPerm)
■ {
If ($GetOwnerEna -eq $false)
{
&{#Try
$global:strOwner = $sec.GetOwner([System.Security.Principal.SecurityIdentifier]).value
}
Trap [SystemException]
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to translate owner
$global:strOwner = $sec.GetOwner([System.Security.Principal.SecurityIdentifier]).value
Continue
}
}
}
If ($bolAssess)
{
Switch ($AssessLevel)
{
"Info" {$CriticalityFilter = 0}
"Low" {$CriticalityFilter = 1}
"Medium" {$CriticalityFilter = 2}
"Warning" {$CriticalityFilter = 3}
"Critical" {$CriticalityFilter = 4}
}
$sd = @($sd | Where-Object{Get-Criticality -Returns "Filter" $_.IdentityReference.toString() $_.A
}
if ($bolACLsize -eq $true)
{
#$strACLSize = $sec.GetSecurityDescriptorBinaryForm().length
$strACLSize = $SDDLSec.BinaryLength
}
if ($bolGetOUProtected -eq $true)
{
$bolOUProtected = $sec.AreAccessRulesProtected
}
if ($bolReplMeta -eq $true)
{
$SDUsnNew = $true
if ($SDUsnCheck -eq $true)
{
■
while($index -le $arrUSNCheckList.count -1)
{
$SDHistResult = $false
if($arrUSNCheckList[$index].Object)
{
$strOUcol = $arrUSNCheckList[$index].Object
}
else
{
$strOUcol = $arrUSNCheckList[$index].OU
}
if($strOUcol.Contains("<DOMAIN-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<DOMAIN-DN>",$global:strDomainDNName)
}
if($strOUcol.Contains("<ROOT-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<ROOT-DN>",$global:ForestRootDomainDN)
}
if($txtReplaceDN.text.Length -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace $txtReplaceDN.text,$global:strDomainDNName)
}
■■■ if ($OUdnorgDN -eq $strOUcol )
■■■ {
$OUMatchResult = $true
$SDResult = $true
if($strOrigUSN -eq $arrUSNCheckList[$index].OrgUSN)
{
$aclcount++
foreach($sdObject in $sd)
■ {
}
$bolOUHeader = $false
WriteOUT $true $newSdObject $strDistinguishedname $CanonicalName $b
}#End !$bolCSVOnly
}#End Returns
}
$SDUsnNew = $false
break
}
else
{
$aclcount++
$SDUsnNew = $true
break
}
}
$index++
}
}
If (($SDUsnCheck -eq $false) -or ($SDUsnNew -eq $true))
{
■ foreach($sdObject in $sd)
■ {
$bolMatchDef = $false
$bolMatchprotected = $false
$strIdentityReference= $sdObject.IdentityReference.toString()
■ If ($strIdentityReference.contains("S-1-"))
■ {
■ $strNTAccount = ConvertSidToName -server $global:strDomainLongName -Sid $strIdentity
■ }
#Remove Default Permissions if SkipDefaultPerm selected
if($SkipDefaultPerm)
{
if($strObjectClass -ne $strTemoObjectClass)
{
$sdOUDef = Get-DefaultPermissions -strObjectClass $strObjectClass -CREDS $CREDS
}
$strTemoObjectClass = $strObjectClass
$indexDef=0
while($indexDef -le $sdOUDef.count -1) {
■■■ if (($sdOUDef[$indexDef].IdentityReference -eq $sdObject.IdentityReference) -and ($
■■■ {
■■■ $bolMatchDef = $true
■■■ } #End If
$indexDef++
} #End While
}
if($bolMatchDef)
■■■■{
■■■■}
else
{
#Remove Protect Against Accidental Deletaions Permissions if SkipProtectedPerm selecte
if($SkipProtectedPerm)
{
if($sdOUProtect -eq "")
{
$sdOUProtect = Get-ProtectedPerm
}
$indexProtected=0
while($indexProtected -le $sdOUProtect.count -1)
{
■■■ if (($sdOUProtect[$indexProtected].IdentityReference -eq $sdObject.IdentityReference)
eq $sdObject.InheritedObjectType))
■■■ {
■■■ $bolMatchprotected = $true
■■■ }#End If
$indexProtected++
} #End While
}
if($bolMatchprotected)
■■■■ {
■■■■ }
■■■■ else
■■■■ {
■■ $index = 0
■■ $SDResult = $false
$OUMatchResult = $false
$aclcount++
if($null -ne $sdObject.AccessControlType)
{
$ACEType = $sdObject.AccessControlType
}
else
{
$ACEType = $sdObject.AuditFlags
}
$newSdObject = New-Object PSObject -Property @{ActiveDirectoryRights=$sdObject.A
InheritedObjectType=$sdObject.InheritedObjectType;ObjectFlags=$sdObject.ObjectFlag
InheritanceFlags=$sdObject.InheritanceFlags;PropagationFlags=$sdObject.Propagation
■■ while($index -le $global:csvHistACLs.count -1)
■■ {
if($global:csvHistACLs[$index].Object)
{
$strOUcol = $global:csvHistACLs[$index].Object
}
else
{
$strOUcol = $global:csvHistACLs[$index].OU
}
if($strOUcol.Contains("<DOMAIN-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<DOMAIN-DN>",$global:strDomainDNName)
}
if($strOUcol.Contains("<ROOT-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<ROOT-DN>",$global:ForestRootDomainDN)
}
if($txtReplaceDN.text.Length -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace $txtReplaceDN.text,$global:strDomainDNName)
}
■■■ if ($OUdnorgDN -eq $strOUcol )
■■■ {
$OUMatchResult = $true
$OUMatchResultOverall = $true
■■■■ $strPrincipalName = $global:csvHistACLs[$index].PrincipalName
if($strPrincipalName.Contains("<DOMAIN-NETBIOS>"))
{
■■ $strPrincipalName = ($strPrincipalName -Replace "<DOMAIN-NETBIOS>",$globa
}
if($strPrincipalName.Contains("<ROOT-NETBIOS>"))
{
■■ $strPrincipalName = ($strPrincipalName -Replace "<ROOT-NETBIOS>",$global:s
}
if($strPrincipalName.Contains("<DOMAINSID>"))
{
■■ $strPrincipalName = ($strPrincipalName -Replace "<DOMAINSID>",$global:Doma
}
if($strPrincipalName.Contains("<ROOTDOMAINSID>"))
{
■■ $strPrincipalName = ($strPrincipalName -Replace "<ROOTDOMAINSID>",$global
}
■ If ($strPrincipalName.contains("S-1-"))
■ {
■ $strPrincipalName = ConvertSidToName -server $global:strDomainLongName -S
■ }
if($txtReplaceNetbios.text.Length -gt 0)
{
■■ $strPrincipalName = ($strPrincipalName -Replace $txtReplaceNetbios.text,$globa
}
■■■■ $strTmpActiveDirectoryRights = $global:csvHistACLs[$index].ActiveDirectoryRights■■
■■■■ $strTmpInheritanceType = $global:csvHistACLs[$index].InheritanceType■■■
■■■■ $strTmpObjectTypeGUID = $global:csvHistACLs[$index].ObjectType
■■■■ $strTmpInheritedObjectTypeGUID = $global:csvHistACLs[$index].InheritedObjectType
■■■■ $strTmpAccessControlType = $global:csvHistACLs[$index].AccessControlType
if ($strTmpAccessControlType -eq "Owner" )
{
$global:strOwnerTemplate = $strPrincipalName
}
If (($newSdObject.PrincipalName -eq $strPrincipalName) -and ($newSdObject.Acti
■■ ■■ {
■■■■■ $SDResult = $true
■■ ■■ }
■■ ■ }
■■■ $index++
■■ }# End While
if(($TemplateFilter -eq "MATCH") -or ($TemplateFilter -eq "ALL"))
{
if ($SDResult)
{
$intReturned++
■■■■■ If ($bolCSV)
■■■■■ {
$intCSV++
if($OutType -eq "CSVTEMPLATE")
{
■■■■ ■■ WritePermCSV $newSdObject $strDistinguishedname $CanonicalName $strObjectClas
}
else
{
$bolOUHeader = $false
WriteOUT $true $newSdObject $strDistinguishedname $CanonicalName $bolOUH
}
■■■■ ■ }# End If
Else
{
if ($intAclOccurence -eq 0)
{
$intAclOccurence++
$bolOUHeader = $true
WriteOUT $false $sd $strDistinguishedname $CanonicalName $bolOUHeader $str
}
$bolOUHeader = $false
WriteOUT $true $newSdObject $strDistinguishedname $CanonicalName $bolOUHea
}#End !$bolCSVOnly
}
}#End Retrunrs
■■ If ($OUMatchResult -And !($SDResult))
■■ {
if(($TemplateFilter -eq "NEW") -or ($TemplateFilter -eq "ALL"))
{
$newSdObject.State = "New"
$intReturned++
If ($bolCSV)
■■■■■ {
$intCSV++
if($OutType -eq "CSVTEMPLATE")
{
■■■■ ■■ WritePermCSV $newSdObject $strDistinguishedname $CanonicalName $strObjectClas
}
else
{
$bolOUHeader = $false
WriteOUT $true $newSdObject $strDistinguishedname $CanonicalName $bolOUH
}
■■■■ ■ }# End If
Else
{
if ($intAclOccurence -eq 0)
{
$intAclOccurence++
$bolOUHeader = $true
WriteOUT $false $sd $strDistinguishedname $CanonicalName $bolOUHeader $str
}
$bolOUHeader = $false
WriteOUT $true $newSdObject $strDistinguishedname $CanonicalName $bolOUHea
}#End !$bolCSVO
}#End Returns
}
}# End If SkipProtectedPerm
}# End If SkipDefaultPerm
■ }
} # if $SDUsnCheck -eq $true
If (($SDUsnCheck -eq $false) -or ($SDUsnNew -eq $true))
{
$index = 0
while($index -le $global:csvHistACLs.count -1)
{
$SDHistResult = $false
if($global:csvHistACLs[$index].Object)
{
$strOUcol = $global:csvHistACLs[$index].Object
}
else
{
$strOUcol = $global:csvHistACLs[$index].OU
}
if($strOUcol.Contains("<DOMAIN-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<DOMAIN-DN>",$global:strDomainDNName)
}
if($strOUcol.Contains("<ROOT-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<ROOT-DN>",$global:ForestRootDomainDN)
}
if($txtReplaceDN.text.Length -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace $txtReplaceDN.text,$global:strDomainDNName)
}
■■■ if ($OUdnorgDN -eq $strOUcol )
■■■ {
$OUMatchResult = $true
■■■■ $strIdentityReference = $global:csvHistACLs[$index].IdentityReference
if($strIdentityReference.Contains("<DOMAIN-NETBIOS>"))
{
■■ $strIdentityReference = ($strIdentityReference -Replace "<DOMAIN-NETBIOS>",$global:s
}
if($strIdentityReference.Contains("<ROOT-NETBIOS>"))
{
■■ $strIdentityReference = ($strIdentityReference -Replace "<ROOT-NETBIOS>",$global:strR
}
if($strIdentityReference.Contains("<DOMAINSID>"))
{
■■ $strIdentityReference = ($strIdentityReference -Replace "<DOMAINSID>",$global:Domain
}
if($strIdentityReference.Contains("<ROOTDOMAINSID>"))
{
■■ $strIdentityReference = ($strIdentityReference -Replace "<ROOTDOMAINSID>",$global:F
}
if($txtReplaceNetbios.text.Length -gt 0)
{
■■ $strIdentityReference = ($strIdentityReference -Replace $txtReplaceNetbios.text,$global:s
}
■■■■ $strTmpActiveDirectoryRights = $global:csvHistACLs[$index].ActiveDirectoryRights■■■
■■■■ $strTmpInheritanceType = $global:csvHistACLs[$index].InheritanceType■■■■
■■■■ $strTmpObjectTypeGUID = $global:csvHistACLs[$index].ObjectType
■■■■ $strTmpInheritedObjectTypeGUID = $global:csvHistACLs[$index].InheritedObjectType
■■■■ $strTmpAccessControlType = $global:csvHistACLs[$index].AccessControlType
if ($strTmpAccessControlType -eq "Owner" )
{
$global:strOwnerTemplate = $strIdentityReference
}
}#End If $newSdObject
else
{
$MissingOUSdObject = New-Object PSObject -Property @{ActiveDirectoryRights=$sd
InheritedObjectType=$sdObject.InheritedObjectType;ObjectFlags=$sdObject.ObjectF
InheritanceFlags=$sdObject.InheritanceFlags;PropagationFlags=$sdObject.Propagat
$intReturned++
■■■■ If ($bolCSV)
■■■■■ {
$intCSV++
■■■■ ■■
if($OutType -eq "CSVTEMPLATE")
{
■■■■ WritePermCSV $MissingOUSdObject $strDistinguishedname $CanonicalName $str
}
else
{
$bolOUHeader = $false
WriteOUT $true $MissingOUSdObject $OUdn $CanonicalName $bolOUHeader
}
■■■■ ■ }# End If
Else
{
if ($intAclOccurence -eq 0)
{
$intAclOccurence++
$bolOUHeader = $true
WriteOUT $false $sd $strDistinguishedname $CanonicalName $bolOUHeader $
}
$bolOUHeader = $false
WriteOUT $true $MissingOUSdObject $OUdn $CanonicalName $bolOUHeader "5"
}#End !$bolCSVOnly
}
}
else
{
if($SDUsnCheck -eq $false)
{
$strDelegationNotation = "Node not in file"
$global:ProgressBarWindow.Window.Dispatcher.invoke([action]{$global:ProgressBarWindow
}
}
if ($aclcount -eq 0)
{
[System.Windows.Forms.MessageBox]::Show("No Permissions found!" , "Status")
}
else
{
if($intReturned -gt 0)
{
if($bolCSV)
{
if($OutType -eq "CSVTEMPLATE")
{
if($bolCMD)
{
if($bolToFile)
{
Write-host "Report saved in: $strFileCSV" -ForegroundColor Yellow
Write-output $strFileCSV
}
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Report saved in $strFi
}
#If Get-Perm was called with Show then open the CSV file.
if($Show)
{
■ Invoke-Item $strFileCSV
}
}
else
{
if($bolCMD)
{
if($bolToFile)
{
$global:ArrayAllACE | export-csv -Path $strFileCSV -NoTypeInformation -NoClobber
Write-host "Report saved in: $strFileCSV" -ForegroundColor Yellow
Write-output $strFileCSV
}
else
{
$global:ArrayAllACE
}
}
else
{
$global:ArrayAllACE | export-csv -Path $strFileCSV -NoTypeInformation -NoClobber
$global:observableCollection.Insert(0,(LogMessage -strMessage "Report saved in $strFi
}
#If Get-Perm was called with Show then open the CSV file.
if($Show)
{
■ Invoke-Item $strFileCSV
}
}
}
else
{
#If excel output
if($OutType -eq "EXCEL")
{
# Array with alphabet characters
$ExcelColumnAlphabet = @()
for ([byte]$c = [char]'A'; $c -le [char]'Z'; $c++)
{
$ExcelColumnAlphabet += [char]$c
}
if($bolShowCriticalityColor)
{
if($bolCMD)
{
Write-host "Report saved in: $strFileEXCEL" -ForegroundColor Yellow
Write-output $strFileEXCEL
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Report saved in $strFileE
}
}#End if EXCEL
else
{
if($bolShowCriticalityColor)
{
Switch ($global:intShowCriticalityLevel)
{
0
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT
}
1
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT
}
2
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT
}
3
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT
}
4
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT
}
}
}
#If Get-Perm was called with Show then open the HTA file.
if($Show)
{
try
{
Invoke-Item $strFileHTA
}
catch
{
if($bolCMD)
{
Write-host "Failed to launch MSHTA.exe" -ForegroundColor Red
Write-host "Instead opening the following file directly: $strFileHTM" -ForegroundColor
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to launch MS
$global:observableCollection.Insert(0,(LogMessage -strMessage "Instead opening the
}
invoke-item $strFileHTM
}
}
}
}
}
else
{
if($bolCMD)
{
Write-host "No results" -ForegroundColor Red
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "No results" -strType "Error" -D
}
}
}# End If
}
else
{
[System.Windows.Forms.MessageBox]::Show("No objects found!" , "Status")
}
}#End if ExitCompare
}# End Try
$histSDObject = ""
$sdObject = ""
$MissingOUSdObject = ""
$newSdObject = ""
$DSobject = ""
$global:strOwner = ""
$global:csvHistACLs = ""
$secd = $null
Remove-Variable -Name "secd" -Scope Global
}
#==========================================================================
# Function    : ConvertCSVtoHTM
# Arguments   : File Path
# Returns     : N/A
# Description : Convert CSV file to HTM Output
#==========================================================================
Function ConvertCSVtoHTM
{
# Renders a previously exported ADACLScan CSV report as an HTM and an HTA file
# under $env:temp and then opens the HTA with Invoke-Item.
# Arguments:
#   $CSVInput      - path of the CSV file to convert (existence checked with Test-Path)
#   $bolGUIDtoText - boolean; not referenced in the visible body, presumably
#                    consumed by a helper whose call is truncated here — confirm
#   $CREDS         - optional PSCredential; not referenced in the visible body
# Side effects: overwrites $global:csvHistACLs with the imported rows, writes the
# .htm/.hta files and logs errors to $global:observableCollection.
# Returns: nothing.
Param($CSVInput,[boolean] $bolGUIDtoText,[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
$OutType = "HTML"
$bolReplMeta = $false
# Criticality coloring follows the GUI check boxes; this function is GUI-only.
if($chkBoxSeverity.isChecked -or $chkBoxEffectiveRightsColor.isChecked)
{
$bolShowCriticalityColor = $true
}
else
{
$bolShowCriticalityColor = $false
}
# NOTE(review): Test-Path, Get-ChildItem and Import-Csv receive the path without
# -LiteralPath, so wildcard characters in the file name are treated as patterns.
If(Test-Path $CSVInput)
{
$fileName = $(Get-ChildItem $CSVInput).BaseName
# NOTE(review): the HTA name is fixed by $global:ACLHTMLFileName in a shared
# temp directory, so two runs overwrite each other; only the HTM carries the
# CSV base name.
■$strFileHTA = $env:temp + "\"+$global:ACLHTMLFileName+".hta"
■$strFileHTM = $env:temp + "\"+"$fileName"+".htm" ■
$global:csvHistACLs = import-Csv $CSVInput
#Test CSV file format
if(TestCSVColumns $global:csvHistACLs)
{
# Only the first row decides whether the replication-metadata (SDDate) column is shown.
If ($global:csvHistACLs[0].SDDate.length -gt 1)
{
$bolReplMeta = $true
}
$colHeaders = ( $global:csvHistACLs| Get-member -MemberType 'NoteProperty' | Select-Object -E
# $bolObjType records whether an ObjectClass column exists; it is not read in the visible lines.
$bolObjType = $false
Foreach ($ColumnName in $colHeaders )
{
if($ColumnName.Trim() -eq "ObjectClass")
{
$bolObjType = $true
}
}
# Create the output files and write their headers (helpers defined elsewhere in this file).
CreateHTM $fileName $strFileHTM
CreateHTA $fileName $strFileHTA $strFileHTM $CurrentFSPath $global:strDomainDNName $glob
■ $UseCanonicalName = $chkBoxUseCanonicalName.IsChecked
InitiateHTM $strFileHTM $fileName $fileName $bolReplMeta $false $Protected $bolShowCriticality
■ InitiateHTM $strFileHTA $fileName $fileName $bolReplMeta $false $Protected $bolShowCriticalityC
$tmpOU = ""
$index = 0
# One CSV row per ACE; an OU header is emitted when the OU changes.
while($index -le $global:csvHistACLs.count -1)
{
■
# Newer CSVs carry the DN in "Object", older ones in "OU".
if($global:csvHistACLs[$index].Object)
{
$strOUcol = $global:csvHistACLs[$index].Object
}
else
{
$strOUcol = $global:csvHistACLs[$index].OU
}
# Expand the template placeholders to the current domain / forest root DN.
# NOTE(review): -Replace is a regex replacement, so "$" sequences in the
# replacement DN would be interpreted as group references — unlikely in a DN.
if($strOUcol.Contains("<DOMAIN-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<DOMAIN-DN>",$global:strDomainDNName)
}
if($strOUcol.Contains("<ROOT-DN>") -gt 0)
{
■■ $strOUcol = ($strOUcol -Replace "<ROOT-DN>",$global:ForestRootDomainDN)■
}
■■ $strOU = $strOUcol
■■ $strTrustee = $global:csvHistACLs[$index].IdentityReference
■■ $strRights = $global:csvHistACLs[$index].ActiveDirectoryRights■■■■
■■ $strInheritanceType = $global:csvHistACLs[$index].InheritanceType■■■■
■■ $strObjectTypeGUID = $global:csvHistACLs[$index].ObjectType
■■ $strInheritedObjectTypeGUID = $global:csvHistACLs[$index].InheritedObjectType
■■ $strObjectFlags = $global:csvHistACLs[$index].ObjectFlags
■■ $strAccessControlType = $global:csvHistACLs[$index].AccessControlType
■■ $strIsInherited = $global:csvHistACLs[$index].IsInherited
■■ $strInheritedFlags = $global:csvHistACLs[$index].InheritanceFlags
■■ $strPropFlags = $global:csvHistACLs[$index].PropagationFlags
If ($bolReplMeta -eq $true)
{
$strTmpACLDate = $global:csvHistACLs[$index].SDDate
}
If ($UseCanonicalName -eq $true)
{
$CanonicalName = $global:csvHistACLs[$index].CanonicalName
}
# NOTE(review): $txtSdObject is not assigned in the visible lines and the `if`
# that opens this header branch (paired with the `else` below) is missing from
# the visible text — both presumably lost in extraction; confirm against the file.
# NOTE(review): the CSV values are handed to WriteOUT for HTML/HTA rendering;
# whether WriteOUT HTML-encodes them is not visible here — confirm, since an
# untrusted CSV would otherwise place markup in an HTA that runs with local trust.
$bolOUHeader = $true
WriteOUT $true $txtSdObject $strOU $CanonicalName $bolOUHeader $strColorTemp $strFi
$tmpOU = $strOU
}
else
{
$bolOUHeader = $false
WriteOUT $true $txtSdObject $strOU $CanonicalName $bolOUHeader $strColorTemp $strFi
}
■■■
$index++
■■■■
}#End While
# Post-process both files: replace the criticality marker token with a FONT tag
# chosen by $global:intShowCriticalityLevel (the write-back is truncated here).
if($bolShowCriticalityColor)
{
Switch ($global:intShowCriticalityLevel)
{
0
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT size
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT size
}
1
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT size
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT size
}
2
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT size
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT size
}
3
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT size
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT size
}
4
{
(Get-Content $strFileHTA) -replace "20141220T021111056594002014122000", '<FONT size
(Get-Content $strFileHTM) -replace "20141220T021111056594002014122000", '<FONT size
}
}
}
# Opens the HTA through its registered handler (mshta.exe, per the fallback
# messages elsewhere in this file); there is no try/catch fallback to the HTM here.
Invoke-Item $strFileHTA
}#else if test column names exist
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "CSV file got wrong format! File:
} #End if test column names exist
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed! $CSVInput does not exist!"
}
}# End Function
#==========================================================================
# Function    : GetACLMeta
# Arguments   : Domain Controller, AD Object DN
# Returns     : Semi-colon separated string
# Description : Get the AD replication metadata LastOriginatingChange, LastOriginatingDsaInvocationID
#               and usnOriginatingChange of the object's security descriptor and return them as one string
#==========================================================================
Function GetACLMeta
{
# Reads the replication metadata of an object's nTSecurityDescriptor attribute
# and returns it as one "<date>;<invocationID>;<originatingUSN>" string.
# Arguments:
#   $DomainController - not referenced in the visible body; the connection is
#                       built from $global:strDC (constructor arguments truncated here)
#   $objDN            - DN of the object to query (base-scope search)
#   $CREDS            - optional PSCredential; whether it is passed to the
#                       LDAPConnection constructor is cut off here — confirm
# Returns: "yyyy-MM-dd HH:mm:ss;<uuid>;<usn>". When no nTSecurityDescriptor
# metadata is found the sentinel 1601-01-01, an all-zero GUID and "000000" are returned.
Param($DomainController,$objDN,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strDC,
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($objDN, "(name=*)", "base
# The security-descriptor flag control selects which SD parts the server returns (masks truncated here).
$SecurityMasks = [System.DirectoryServices.Protocols.SecurityMasks]'Owner' -bor [System.DirectoryS
$control = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($SecurityMa
[void]$request.Controls.Add($control)
[void]$request.Attributes.Add("ntsecuritydescriptor")
[void]$request.Attributes.Add("name")
# msDS-ReplAttributeMetaData is a constructed attribute: one XML fragment per replicated attribute.
[void]$request.Attributes.Add("msDS-ReplAttributeMetaData")
$response = $LDAPConnection.SendRequest($request)
foreach ($entry in $response.Entries)
{
$index = 0
while($index -le $entry.attributes.'msds-replattributemetadata'.count -1)
{
$childMember = $entry.attributes.'msds-replattributemetadata'[$index]
# Strips the trailing character of the XML fragment before parsing.
# NOTE(review): String.Replace removes every occurrence of that character, not
# only the trailing one; this is safe only if it occurs nowhere else — confirm.
$childMember = $childMember.replace("$($childMember[-1])","")
# The fragment is re-parsed for each property read; if several fragments match, the last one wins.
If ($([xml]$childMember).DS_REPL_ATTR_META_DATA.pszAttributeName -eq "nTSecurityDes
{
$strLastChangeDate = $([xml]$childMember).DS_REPL_ATTR_META_DATA.ftimeLastOrigin
$strInvocationID = $([xml]$childMember).DS_REPL_ATTR_META_DATA.uuidLastOriginating
$strOriginatingChange = $([xml]$childMember).DS_REPL_ATTR_META_DATA.usnOriginatin
}
$index++
}
}
# NOTE(review): "$nul" is not "$null" — it is an undefined variable that only
# happens to expand to null, and the comparison breaks under Set-StrictMode.
# It should read `if ($null -eq $strLastChangeDate)`.
if ($strLastChangeDate -eq $nul)
{
# No metadata for the SD: return the Windows epoch, a null GUID and a zero USN.
$ACLdate = $(get-date "1601-01-01" -UFormat "%Y-%m-%d %H:%M:%S")
$strInvocationID = "00000000-0000-0000-0000-000000000000"
$strOriginatingChange = "000000"
}
else
{
$ACLdate = $(get-date $strLastChangeDate -UFormat "%Y-%m-%d %H:%M:%S")
}
return "$ACLdate;$strInvocationID;$strOriginatingChange"
}
#==========================================================================
# Function    : Get-DefaultSD
# Arguments   : string ObjectClass
# Returns     : N/A
# Description : Create a report of the default Security Descriptor of schema classes
#==========================================================================
Function Get-DefaultSD
{
Param( [String[]] $strObjectClass,[bool] $bolChangedDefSD,[bool]$bolSDDL,[string]$File,
[boolean]$Show,[string] $OutType,[bool]$bolShowCriticalityColor,[bool]$Assess,[string]$Criticality,[bo
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
if($OutType -eq "CSV")
{
$ToFile = $true
■If ((Test-Path $File) -eq $true)
■{
■ Remove-Item $File
■}
}
else
{
$ToFile = $false
}
$bolOUHeader = $true
$bolCompare = $false
$intNumberofDefSDFound = 0
$global:ArrayAllACE = New-Object System.Collections.ArrayList
$strColorTemp = 1
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strDC,
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($global:SchemaDN, "(&(ob
[System.DirectoryServices.Protocols.PageResultRequestControl]$pagedRqc = new-object System.Dire
$request.Controls.Add($pagedRqc) | Out-Null
[void]$request.Attributes.Add("defaultsecuritydescriptor")
[void]$request.Attributes.Add("name")
[void]$request.Attributes.Add("msds-replattributemetadata")
$CountadObject = 0
while ($true)
{
$response = $LdapConnection.SendRequest($request, (new-object System.Timespan(0,0,$global:Ti
#for paged search, the response for paged search result control - we will need a cookie from result la
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged retr
$CountadObject = $CountadObject + $response.Entries.Count
if($global:PageSize -gt 0)
{
if ($prrc.Cookie.Length -eq 0)
{
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
}
else
{
#exit the processing for non-paged search
break;
}
}#End While
#Load Progressbar
if (($PSVersionTable.PSVersion -ne "2.0") -and ($global:bolProgressBar))
{
$intTot = 0
#calculate percentage
$intTot = $CountadObject
if ($intTot -gt 0)
{
LoadProgressBar
}
}
$response = $null
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strDC,
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($global:SchemaDN, "(&(ob
[System.DirectoryServices.Protocols.PageResultRequestControl]$pagedRqc = new-object System.Dire
$request.Controls.Add($pagedRqc) | Out-Null
[void]$request.Attributes.Add("defaultsecuritydescriptor")
[void]$request.Attributes.Add("name")
[void]$request.Attributes.Add("msds-replattributemetadata")
while ($true)
{
$response = $LdapConnection.SendRequest($request, (new-object System.Timespan(0,0,$global:Ti
#for paged search, the response for paged search result control - we will need a cookie from result la
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged retr
foreach ($entry in $response.Entries)
{
#Update Progressbar
if (($PSVersionTable.PSVersion -ne "2.0") -and ($global:bolProgressBar))
{
$i++
[int]$pct = ($i/$intTot)*100
#Update the progress bar
while(($null -eq $global:ProgressBarWindow.Window.IsInitialized) -and ($intLoop -lt 20))
{
Start-Sleep -Milliseconds 1
$cc++
}
if ($global:ProgressBarWindow.Window.IsInitialized -eq $true)
{
Update-ProgressBar "Currently scanning $i of $intTot objects" $pct
}
}
$index = 0
while($index -le $entry.attributes.'msds-replattributemetadata'.count -1)
{
$childMember = $entry.attributes.'msds-replattributemetadata'[$index]
$childMember = $childMember.replace("$($childMember[-1])","")
If ($([xml]$childMember).DS_REPL_ATTR_META_DATA.pszAttributeName -eq "defaultSecurity
{
$strLastChangeDate = $([xml]$childMember).DS_REPL_ATTR_META_DATA.ftimeLastOrigin
$strVersion = $([xml]$childMember).DS_REPL_ATTR_META_DATA.dwVersion
if ($strLastChangeDate -eq $nul)
{
$strLastChangeDate = $(get-date "1601-01-01" -UFormat "%Y-%m-%d %H:%M:%S")
}
else
{
$strLastChangeDate = $(get-date $strLastChangeDate -UFormat "%Y-%m-%d %H:%M:%S")
}
}
$index++
}
if($bolChangedDefSD -eq $true)
{
if($strVersion -gt 1)
{
$strObjectClassName = $entry.Attributes.name[0]
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
if($bolSDDL -eq $true)
{
$strSDDL = ""
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
$strSDDL = $entry.Attributes.defaultsecuritydescriptor[0]
}
#Indicate that a defaultsecuritydescriptor was found
$intNumberofDefSDFound++
WriteDefSDSDDLHTM $strColorTemp $strFileDefSDHTA $strFileDefSDHTM $strObjectClas
Switch ($strColorTemp)
{
"1"
■ {
■ $strColorTemp = "2"
■ }
"2"
■ {
■ $strColorTemp = "1"
■ }■
}
}
else
{
$sd = ""
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
$sec.SetSecurityDescriptorSddlForm($entry.Attributes.defaultsecuritydescriptor[0])
}
$sd = $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
if($FilterBuiltin)
{
# Filter out default and built-in security principals
$sd = @($sd | Where-Object{`
($_.IdentityReference -match "S-1-5-21-") -and `
($_.IdentityReference -notmatch $("^"+$domainsid+"-5\d{2}$")) -and
($_.IdentityReference -notmatch $("^"+$domainsid+"-4\d{2}$"))
})
}
If ($Assess)
{
Switch ($Criticality)
{
"Info" {$CriticalityFilter = 0}
"Low" {$CriticalityFilter = 1}
"Medium" {$CriticalityFilter = 2}
"Warning" {$CriticalityFilter = 3}
"Critical" {$CriticalityFilter = 4}
}
$sd = @($sd | Where-Object{Get-Criticality -Returns "Filter" $_.IdentityReference.toString(
}
#Indicate that a defaultsecuritydescriptor was found
$intNumberofDefSDFound++
if (($OutType -eq "CSV") -or ($OutType -eq ""))
{
WriteDefSDPermCSV $sd $entry.distinguishedName $strObjectClassName $File $bolRep
}
else
{
WriteDefSDAccessHTM $true $sd $true $strObjectClassName $strColorTemp $strFileDefS
}
}
}
}
else
{
$strObjectClassName = $entry.Attributes.name[0]
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
if($bolSDDL -eq $true)
{
$strSDDL = ""
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
$strSDDL = $entry.Attributes.defaultsecuritydescriptor[0]
}
#Indicate that a defaultsecuritydescriptor was found
$intNumberofDefSDFound++
WriteDefSDSDDLHTM $strColorTemp $strFileDefSDHTA $strFileDefSDHTM $strObjectClas
Switch ($strColorTemp)
{
"1"
■ {
■ $strColorTemp = "2"
■ }
"2"
■ {
■ $strColorTemp = "1"
■ }■
}
}
else
{
$sd = ""
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
Try{
$sec.SetSecurityDescriptorSddlForm($entry.Attributes.defaultsecuritydescriptor[0])
}
catch
{
if($bolCMD)
{
Write-host "The SDDL string contains an invalid sid or a sid that cannot be translated.
Write-host "Only domain-joined computers can translate some sids." -ForegroundColo
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "The SDDL string co
$global:observableCollection.Insert(0,(LogMessage -strMessage "Only domain-joined
}
}
}
#If any access has been added report it
if($sec.access.count -gt 0)
{
$sd = $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
if($FilterBuiltin)
{
# Filter out default and built-in security principals
$sd = @($sd | Where-Object{`
($_.IdentityReference -match "S-1-5-21-") -and `
($_.IdentityReference -notmatch $("^"+$domainsid+"-5\d{2}$")) -and
($_.IdentityReference -notmatch $("^"+$domainsid+"-4\d{2}$"))
})
}
If ($Assess)
{
Switch ($Criticality)
{
"Info" {$CriticalityFilter = 0}
"Low" {$CriticalityFilter = 1}
"Medium" {$CriticalityFilter = 2}
"Warning" {$CriticalityFilter = 3}
"Critical" {$CriticalityFilter = 4}
}
$sd = @($sd | Where-Object{Get-Criticality -Returns "Filter" $_.IdentityReference.toStrin
}
#Indicate that a defaultsecuritydescriptor was found
$intNumberofDefSDFound++
if (($OutType -eq "CSV") -or ($OutType -eq ""))
{
WriteDefSDPermCSV $sd $entry.distinguishedName $strObjectClassName $File $bolR
}
else
{
WriteDefSDAccessHTM $true $sd $true $strObjectClassName $strColorTemp $strFileD
}
}#End if $sec
}
}
}
if($global:PageSize -gt 0)
{
if ($prrc.Cookie.Length -eq 0)
{
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
}
else
{
#exit the processing for non-paged search
break;
}
}#End While
if (($PSVersionTable.PSVersion -ne "2.0") -and ($global:bolProgressBar))
{
$global:ProgressBarWindow.Window.Dispatcher.invoke([action]{$global:ProgressBarWindow.Window
$ProgressBarWindow = $null
Remove-Variable -Name "ProgressBarWindow" -Scope Global
}
if($intNumberofDefSDFound -gt 0)
{
if($ToFile )
{
if($bolCMD)
{
Write-host "Report saved in: $strFileCSV" -ForegroundColor Yellow
Write-output $strFileCSV
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Report saved in $strFileCSV"
}
#If Get-Perm was called with Show then open the CSV file.
if($Show)
{
■ #Invoke-Item $strFileCSV
}
}
else
{
#If excel output
if($OutType -eq "EXCEL")
{
$global:ArrayAllACE
#| Export-Excel -path $strFileEXCEL -WorkSheetname "DefaultSD" -BoldTopRow -TableStyle M
if($bolCMD)
{
Write-host "Report saved in: $strFileEXCEL" -ForegroundColor Yellow
Write-output $strFileEXCEL
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Report saved in $strFileEX
}
if($Show)
{
If (test-path HKLM:SOFTWARE\Classes\Excel.Application)
{
■ Invoke-Item $strFileEXCEL
}
}
}#End if EXCEL
else
{
if($bolCMD)
{
Write-host "Report saved in: $strFileDefSDHTM" -ForegroundColor Yellow
Write-output $strFileDefSDHTM
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Report saved in $strFileDe
}
#If Get-Perm was called with Show then open the HTA file.
if($Show)
{
■ try
{
Invoke-Item $strFileDefSDHTA
}
catch
{
if($bolCMD)
{
Write-host "Failed to launch MSHTA.exe" -ForegroundColor Red
Write-host "Instead opening the following file directly: $strFileDefSDHTM" -ForegroundC
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to launch MSHT
$global:observableCollection.Insert(0,(LogMessage -strMessage "Instead opening the fo
}
Invoke-Item $strFileDefSDHTM
}
}
}
}
}
else
{
if($bolCMD)
{
Write-host "No defaultsecuritydescriptor found!" -ForegroundColor Yellow
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "No defaultsecuritydescriptor fou
}
}
}
#==========================================================================
# Function■■: Get-DefaultSDCompare
# Arguments : string ObjectClass
# Returns ■:
# Description : Compare the default Security Descriptor
#==========================================================================
Function Get-DefaultSDCompare
{
# Purpose  : compare every schema class's defaultSecurityDescriptor (read over LDAP from
#            $global:SchemaDN) with the SDDL stored for that class in $global:csvdefSDTemplate,
#            and write the result as a colour-coded HTM/HTA report in $env:temp.
# Arguments:
#   $strObjectClass - class name(s), "*" by default; used for the report title. The LDAP filter
#                     on the SearchRequest lines is cut off in this view, so whether it also
#                     narrows the search cannot be confirmed here.
#   $strTemplate    - passed through to InitiateDefSDAccessHTM (template identification in the report).
#   $CREDS          - optional credentials; not referenced by name in the visible lines (the
#                     LDAPConnection constructor lines are cut off - presumably passed there; confirm).
# Returns  : nothing. Side effects: creates/overwrites the HTM/HTA files, appends to
#            $global:observableCollection, and opens the HTA with Invoke-Item when any ACE was written.
# Colour codes written to the report: 4 = ACE matches the template ("green"),
# 5 = ACE in schema but not in template ("New", yellow), 3 = ACE in template but not in schema ("Missing", red).
Param( [String[]] $strObjectClass="*",
[string] $strTemplate,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS
)
# Report files are written to the user's temp folder under a fixed name; they contain the
# schema's default ACLs, so treat the output as sensitive.
$strFileDefSDHTA = $env:temp + "\"+$global:ModifiedDefSDAccessFileName+".hta"
$strFileDefSDHTM = $env:temp + "\"+$global:ModifiedDefSDAccessFileName+".htm"
$bolOUHeader = $true
$bolReplMeta = $true
$bolCompare = $true
#Indicator that a defaultsecuritydescriptor was found
$intNumberofDefSDFound = 0
# NOTE(review): the literal string "strObjectClass" is passed here, while the HTA call below
# passes "$strObjectClass" - looks like a missing "$".
CreateHTM "strObjectClass" $strFileDefSDHTM■■■■■
CreateHTA "$strObjectClass" $strFileDefSDHTA $strFileDefSDHTM $CurrentFSPath $global:strDomai
InitiateDefSDAccessHTM $strFileDefSDHTA $strObjectClass $bolReplMeta $true $strTemplate
InitiateDefSDAccessHTM $strFileDefSDHTM $strObjectClass $bolReplMeta $true $strTemplate
#Default color
$strColorTemp = 1
# First pass: paged schema search used only to count the entries for the progress bar total.
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strDC,
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($global:SchemaDN, "(&(ob
[System.DirectoryServices.Protocols.PageResultRequestControl]$pagedRqc = new-object System.Dire
$request.Controls.Add($pagedRqc) | Out-Null
[void]$request.Attributes.Add("defaultsecuritydescriptor")
[void]$request.Attributes.Add("name")
[void]$request.Attributes.Add("msds-replattributemetadata")
$CountadObject = 0
while ($true)
{
$response = $LdapConnection.SendRequest($request, (new-object System.Timespan(0,0,$global:Ti
#for paged search, the response for paged search result control - we will need a cookie from result la
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
# $SearchFilter is not set in this function (message copied from Find-LdapObject); it expands
# from an outer scope or to an empty string.
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged retr
$CountadObject = $CountadObject + $response.Entries.Count
if($global:PageSize -gt 0)
{
if ($prrc.Cookie.Length -eq 0)
{
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
}
else
{
#exit the processing for non-paged search
break;
}
}#End While
#Load Progressbar
if (($PSVersionTable.PSVersion -ne "2.0") -and ($global:bolProgressBar))
{
$intTot = 0
#calculate percentage
$intTot = $CountadObject
if ($intTot -gt 0)
{
LoadProgressBar
}
}
# Second pass: the same schema search again, this time processing each entry.
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strDC,
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($global:SchemaDN, "(&(ob
[System.DirectoryServices.Protocols.PageResultRequestControl]$pagedRqc = new-object System.Dire
$request.Controls.Add($pagedRqc) | Out-Null
[void]$request.Attributes.Add("defaultsecuritydescriptor")
[void]$request.Attributes.Add("name")
[void]$request.Attributes.Add("msds-replattributemetadata")
while ($true)
{
$response = $LdapConnection.SendRequest($request, (new-object System.Timespan(0,0,$global:Ti
#for paged search, the response for paged search result control - we will need a cookie from result la
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged retr
foreach ($entry in $response.Entries)
{
$ObjectMatchResult = $false
#Update Progressbar
if (($PSVersionTable.PSVersion -ne "2.0") -and ($global:bolProgressBar))
{
# $i is not initialised in this function; the first "++" turns $null into 1.
$i++
[int]$pct = ($i/$intTot)*100
#Update the progress bar
# NOTE(review): the bound variable $intLoop is never incremented in this block (the loop bumps
# $cc instead), so the "-lt 20" guard cannot end the wait; if the window never initialises the
# loop does not terminate.
while(($null -eq $global:ProgressBarWindow.Window.IsInitialized) -and ($intLoop -lt 20))
{
Start-Sleep -Milliseconds 1
$cc++
}
if ($global:ProgressBarWindow.Window.IsInitialized -eq $true)
{
Update-ProgressBar "Currently scanning $i of $intTot objects" $pct
}
}
#Counter for Metadata
$index = 0
#Get metadata for defaultSecurityDescriptor
# Walks msDS-ReplAttributeMetaData (one XML fragment per attribute) to pick up the version and
# last-change date of defaultSecurityDescriptor. Note: $strLastChangeDate/$strVersion are not
# reset per entry, so an entry without that metadata would carry the previous entry's values.
while($index -le $entry.attributes.'msds-replattributemetadata'.count -1)
{
$childMember = $entry.attributes.'msds-replattributemetadata'[$index]
# Removes every occurrence of the value's last character (presumably a trailing terminator)
# before parsing as XML - TODO confirm the last character is always that terminator.
$childMember = $childMember.replace("$($childMember[-1])","")
If ($([xml]$childMember).DS_REPL_ATTR_META_DATA.pszAttributeName -eq "defaultSecurity
{
$strLastChangeDate = $([xml]$childMember).DS_REPL_ATTR_META_DATA.ftimeLastOrigin
$strVersion = $([xml]$childMember).DS_REPL_ATTR_META_DATA.dwVersion
# "$nul" is an undefined variable (typo for $null); it evaluates to $null unless Set-StrictMode is on.
if ($strLastChangeDate -eq $nul)
{
$strLastChangeDate = $(get-date "1601-01-01" -UFormat "%Y-%m-%d %H:%M:%S")
}
else
{
$strLastChangeDate = $(get-date $strLastChangeDate -UFormat "%Y-%m-%d %H:%M:%
}
}
$index++
}
#Get object name
$strObjectClassName = $entry.Attributes.name[0]
#Make sure strSDDL is empty
$strSDDL = ""
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
$strSDDL = $entry.Attributes.defaultsecuritydescriptor[0]
}
$index = 0
#Enumerate template file
$ObjectMatchResult = $false
# Linear scan of the template rows for each schema entry (rows x entries comparisons).
while($index -le $global:csvdefSDTemplate.count -1)
■ {
$strNamecol = $global:csvdefSDTemplate[$index].Name
#Check for matching object names
■■ if ($strObjectClassName -eq $strNamecol )
■■ {
$ObjectMatchResult = $true
$strSDDLcol = $global:csvdefSDTemplate[$index].SDDL
#Replace any <ROOT-DOMAIN> strings with the Forest Root Domain SID
if($strSDDLcol.Contains("<ROOT-DOMAIN>"))
{
# "-gt """ is used as a non-empty test. If the SID is unknown the placeholder stays in the
# template SDDL and the comparison below cannot match.
if($global:ForestRootDomainSID -gt "")
{
$strSDDLcol = $strSDDLcol.Replace("<ROOT-DOMAIN>",$global:ForestRootDomainS
}
}
#Compare SDDL
# Whole-string (case-insensitive) match: every ACE is written as a match (colour 4) without a
# per-ACE comparison.
if($strSDDL -eq $strSDDLcol)
{
$sd = ""
#Create ad security object
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
# Not guarded by try/catch here: an SDDL with an untranslatable SID throws and aborts the
# whole compare (contrast the guarded call earlier in the file).
$sec.SetSecurityDescriptorSddlForm($entry.Attributes.defaultsecuritydescriptor[0])
}
$sd = $sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
#Count ACE for applying header on first
$intACEcount = 0
foreach($ObjectDefSD in $sd)
{
$strNTAccount = $ObjectDefSD.IdentityReference.toString()
# Identities that could not be translated to NTAccount come back as raw SIDs; resolve them.
■ If ($strNTAccount.contains("S-1-"))
■ {
■ $strNTAccount = ConvertSidToName -server $global:strDomainLongName -Sid $strNTA
■ }
$newObjectDefSD = New-Object PSObject -Property @{ActiveDirectoryRights=$ObjectD
InheritedObjectType=$ObjectDefSD.InheritedObjectType;ObjectFlags=$ObjectDefSD.O
InheritanceFlags=$ObjectDefSD.InheritanceFlags;PropagationFlags=$ObjectDefSD.Pro
#Matching color "green"
$strColorTemp = 4
#If first ACE add header
if ($intACEcount -eq 0)
■■■■ ■ {
#Indicate that a defaultsecuritydescriptor was found
$intNumberofDefSDFound++
$bolOUHeader = $true
WriteDefSDAccessHTM $newObjectDefSD $strObjectClassName $strColorTemp $st
}
else
{
$bolOUHeader = $false
WriteDefSDAccessHTM $newObjectDefSD $strObjectClassName $strColorTemp $st
}
#Count ACE so no further header is added
$intACEcount++
}
$newObjectDefSD = $null
$sd = $null
$sec = $null
}
else
{
$sd = ""
#Create ad security object
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
$sec.SetSecurityDescriptorSddlForm($entry.Attributes.defaultsecuritydescriptor[0])
}
$sd = $sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
#Count ACE for applying header on first
$intACEcount = 0
#Compare DefaultSecurityDescriptor in schema with template looking for matching and new ACEs
foreach($ObjectDefSD in $sd)
{
#Check if matching ACE exists, FALSE until found
$SDCompareResult = $false
$strNTAccount = $ObjectDefSD.IdentityReference.toString()
■ If ($strNTAccount.contains("S-1-"))
■ {
■ $strNTAccount = ConvertSidToName -server $global:strDomainLongName -Sid $strNTA
■ }
$newObjectDefSD = New-Object PSObject -Property @{ActiveDirectoryRights=$ObjectD
InheritedObjectType=$ObjectDefSD.InheritedObjectType;ObjectFlags=$ObjectDefSD.O
InheritanceFlags=$ObjectDefSD.InheritanceFlags;PropagationFlags=$ObjectDefSD.Pro
$sdFile = ""
#Create ad security object
# The template SDDL is re-parsed for every schema ACE; it could be parsed once per class.
$secFile = New-Object System.DirectoryServices.ActiveDirectorySecurity
if($null -ne $strSDDLcol)
{
$secFile.SetSecurityDescriptorSddlForm($strSDDLcol)
}
$sdFile = $secFile.GetAccessRules($true, $false, [System.Security.Principal.NTAccount
foreach($ObjectDefSDFile in $sdFile)
{
# Per-ACE match on identity plus the fields on the (cut-off) remainder of this condition.
If (($newObjectDefSD.IdentityReference -eq $ObjectDefSDFile.IdentityReference)
ype))
■■ ■■ {
■■■■■ $SDCompareResult = $true
■■ ■■ }
}
if ($SDCompareResult)
{
#Change from New to Match
$newObjectDefSD.State = "Match"
#Match color "Green"
$strColorTemp = 4
#If first ACE add header
if ($intACEcount -eq 0)
■■■■ ■ {
#Indicate that a defaultsecuritydescriptor was found
$intNumberofDefSDFound++
$bolOUHeader = $true
WriteDefSDAccessHTM $newObjectDefSD $strObjectClassName $strColorTemp $
}
else
{
$bolOUHeader = $false
WriteDefSDAccessHTM $newObjectDefSD $strObjectClassName $strColorTemp $
}
#Count ACE so no further header is added
$intACEcount++
}
else
{
#New color "Yellow"
$strColorTemp = 5
#If first ACE add header
if ($intACEcount -eq 0)
■■■■ ■ {
#Indicate that a defaultsecuritydescriptor was found
$intNumberofDefSDFound++
$bolOUHeader = $true
WriteDefSDAccessHTM $newObjectDefSD $strObjectClassName $strColorTemp $
}
else
{
$bolOUHeader = $false
WriteDefSDAccessHTM $newObjectDefSD $strObjectClassName $strColorTemp $
}
#Count ACE so no further header is added
$intACEcount++
}
}
$newObjectDefSD = $null
#Compare DefaultSecurityDescriptor in template with schema looking for missing ACEs
$secFile = New-Object System.DirectoryServices.ActiveDirectorySecurity
if($null -ne $strSDDLcol)
{
$secFile.SetSecurityDescriptorSddlForm($strSDDLcol)
}
$sdFile = $secFile.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
foreach($ObjectDefSDFromFile in $sdFile)
{
#Check if matching ACE is missing, TRUE until found
$SDMissingResult = $true
$ObjectDefSDFile = New-Object PSObject -Property @{ActiveDirectoryRights=$ObjectD
InheritedObjectType=$ObjectDefSDFromFile.InheritedObjectType;ObjectFlags=$Object
InheritanceFlags=$ObjectDefSDFromFile.InheritanceFlags;PropagationFlags=$ObjectD
foreach($ObjectDefSD in $sd)
{
If (($ObjectDefSD.IdentityReference -eq $ObjectDefSDFile.IdentityReference) -and ($
■■ ■■ {
■■■■■ $SDMissingResult = $false
■■ ■■ }
}
if ($SDMissingResult)
{
#Missing color "Red"
$strColorTemp = 3
#If first ACE add header
if ($intACEcount -eq 0)
■■■■ ■ {
#Indicate that a defaultsecuritydescriptor was found
$intNumberofDefSDFound++
$bolOUHeader = $true
WriteDefSDAccessHTM $ObjectDefSDFile $strObjectClassName $strColorTemp $
}
else
{
$bolOUHeader = $false
WriteDefSDAccessHTM $ObjectDefSDFile $strObjectClassName $strColorTemp $
}
#Count ACE so no further header is added
$intACEcount++
}
}
$secFile = $null
$sdFile = $null
$ObjectDefSDFile = $null
$ObjectDefSDFromFile = $null
$ObjectDefSD = $null
$sd = $null
$sec = $null
}#End matching SDDL
}#End matching object name
$index++
}#End while
#Check if the schema object does not exist in template
if($ObjectMatchResult -eq $false)
{
$sd = ""
#Create ad security object
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
$sec.SetSecurityDescriptorSddlForm($entry.Attributes.defaultsecuritydescriptor[0])
}
$sd = $sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
#Count ACE for applying header on first
$intACEcount = 0
foreach($ObjectDefSD in $sd)
{
$newObjectDefSD = New-Object PSObject -Property @{ActiveDirectoryRights=$ObjectDefSD
InheritedObjectType=$ObjectDefSD.InheritedObjectType;ObjectFlags=$ObjectDefSD.Object
InheritanceFlags=$ObjectDefSD.InheritanceFlags;PropagationFlags=$ObjectDefSD.Propaga
#Class not in template: every ACE is reported as "New" (colour 5, yellow)
$strColorTemp = 5
#If first ACE add header
if ($intACEcount -eq 0)
■■■ {
$bolOUHeader = $true
#Indicate that a defaultsecuritydescriptor was found
$intNumberofDefSDFound++
WriteDefSDAccessHTM $newObjectDefSD $strObjectClassName $strColorTemp $strFileD
}
else
{
$bolOUHeader = $false
WriteDefSDAccessHTM $newObjectDefSD $strObjectClassName $strColorTemp $strFileD
}
#Count ACE so no further header is added
$intACEcount++
}
$newObjectDefSD = $null
$sd = $null
}
}#End foreach
if($global:PageSize -gt 0)
{
if ($prrc.Cookie.Length -eq 0)
{
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
}
else
{
#exit the processing for non-paged search
break;
}
}#End While
if (($PSVersionTable.PSVersion -ne "2.0") -and ($global:bolProgressBar))
{
$global:ProgressBarWindow.Window.Dispatcher.invoke([action]{$global:ProgressBarWindow.Window
$ProgressBarWindow = $null
Remove-Variable -Name "ProgressBarWindow" -Scope Global
}
if($intNumberofDefSDFound -gt 0)
{
# Opens the HTA report through the shell association (mshta). Unlike the report-open path in
# the function above there is no try/catch falling back to the .htm, and no $bolCMD check -
# this function only reports through the GUI.
Invoke-Item $strFileDefSDHTA
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "No defaultsecuritydescriptor found
}
}
#==========================================================================
# Function■■: Write-DefaultSDCSV
# Arguments : string ObjectClass
# Returns ■:
# Description : Write the default Security Descriptor to a CSV
#==========================================================================
Function Write-DefaultSDCSV
{
# Purpose  : export every schema class's defaultSecurityDescriptor (with its replication
#            metadata version and last-change date) as a five-column CSV.
# Arguments:
#   $fileout        - output path; an existing file is deleted first.
#   $strObjectClass - defaults to "*"; not referenced by name in the visible lines (the LDAP
#                     filter on the SearchRequest line is cut off - presumably used there).
#   $CREDS          - optional credentials; likewise not referenced in the visible lines.
# Returns  : nothing; logs "Report saved in ..." to $global:observableCollection (GUI only).
Param(
[string]
$fileout,
$strObjectClass="*",
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
#Number of columns in CSV import
$strCSVHeaderDefsd = @"
"Name","distinguishedName","Version","ModifiedDate","SDDL"
"@
# Test-Path/Remove-Item without -LiteralPath: wildcard characters in $fileout are interpreted.
If ((Test-Path $fileout) -eq $true)
{
Remove-Item $fileout
}
$strCSVHeaderDefsd | Out-File -FilePath $fileout -Encoding UTF8
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strDC,
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($global:SchemaDN, "(&(ob
[System.DirectoryServices.Protocols.PageResultRequestControl]$pagedRqc = new-object System.Dire
$request.Controls.Add($pagedRqc) | Out-Null
[void]$request.Attributes.Add("defaultsecuritydescriptor")
[void]$request.Attributes.Add("name")
[void]$request.Attributes.Add("msds-replattributemetadata")
while ($true)
{
$response = $LdapConnection.SendRequest($request, (new-object System.Timespan(0,0,$global:Ti
#for paged search, the response for paged search result control - we will need a cookie from result la
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
# $SearchFilter is not set in this function (message copied from Find-LdapObject).
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged retr
foreach ($entry in $response.Entries)
{
# NOTE(review): $strVersion and $strLastChangeDate are not reset per entry; an entry whose
# metadata lacks defaultSecurityDescriptor is written with the previous entry's values.
$index = 0
while($index -le $entry.attributes.'msds-replattributemetadata'.count -1)
{
$childMember = $entry.attributes.'msds-replattributemetadata'[$index]
# Removes every occurrence of the value's last character (presumably a trailing terminator)
# before parsing as XML - TODO confirm.
$childMember = $childMember.replace("$($childMember[-1])","")
If ($([xml]$childMember).DS_REPL_ATTR_META_DATA.pszAttributeName -eq "defaultSecurity
{
$strLastChangeDate = $([xml]$childMember).DS_REPL_ATTR_META_DATA.ftimeLastOrigin
$strVersion = $([xml]$childMember).DS_REPL_ATTR_META_DATA.dwVersion
# "$nul" is an undefined variable (typo for $null); it evaluates to $null unless Set-StrictMode is on.
if ($strLastChangeDate -eq $nul)
{
$strLastChangeDate = $(get-date "1601-01-01" -UFormat "%Y-%m-%d %H:%M:%S")
}
else
{
$strLastChangeDate = $(get-date $strLastChangeDate -UFormat "%Y-%m-%d %H:%M:%S")
}
}
$index++
}
$strSDDL = ""
if($null -ne $entry.Attributes.defaultsecuritydescriptor)
{
$strSDDL = $entry.Attributes.defaultsecuritydescriptor[0]
}
$strName = $entry.Attributes.name[0]
$strDistinguishedName = $entry.distinguishedname
#Write to file
# Hand-built CSV row: fields are wrapped in [char]34 but embedded double quotes are not escaped
# (Export-Csv would handle that).
[char]34+$strName+[char]34+","+[char]34+`
$strDistinguishedName+[char]34+","+[char]34+`
$strVersion+[char]34+","+[char]34+`
$strLastChangeDate+[char]34+","+[char]34+`
$strSDDL+[char]34 | Out-File -Append -FilePath $fileout -Encoding UTF8
}
if($global:PageSize -gt 0)
{
if ($prrc.Cookie.Length -eq 0)
{
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
}
else
{
#exit the processing for non-paged search
break;
}
}#End While
# GUI log only; there is no $bolCMD branch here.
$global:observableCollection.Insert(0,(LogMessage -strMessage "Report saved in $fileout" -strType "W
}
#==========================================================================
# Function■■: GetEffectiveRightSP
# Arguments : string Principal, string DomainDistinguishedName, optional pscredential
# Returns ■: boolean - $true when the principal was resolved to a distinguished name
# Description : Resolves a security principal and stores its DN, display name, object class and token groups in globals
#==========================================================================
Function GetEffectiveRightSP
{
# Purpose  : resolve $strPrincipal to a distinguished name (optionally in another domain with
#            prompted credentials), load its token groups and display name, and publish the
#            results through globals for the effective-rights calculation.
# Arguments:
#   $strPrincipal               - account name to resolve.
#   $strDomainDistinguishedName - not referenced in the visible lines.
#   $CREDS                      - optional credentials used on the non-prompt path.
# Globals written: strEffectiveRightSP, strEffectiveRightAccount, strSPNobjectClass,
#   strPrincipalDN, strPinDomDC, tokens; $Script:CredsExt on the prompt path.
# Returns  : $true when a DN was found, otherwise $false.
param(
[string] $strPrincipal,
[string] $strDomainDistinguishedName,
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS
)
$global:strEffectiveRightSP = ""
$global:strEffectiveRightAccount = ""
$global:strSPNobjectClass = ""
$global:strPrincipalDN = ""
$strPrinName = ""
$SPFound = $false
# strPrinDomDir -eq 2: principal lives in another domain; prompt for credentials for that domain.
if ($global:strPrinDomDir -eq 2)
{
# Legacy try/catch emulation: the script block runs under the Trap below, whose "continue"
# resumes execution instead of terminating.
&{#Try
# Prompted credentials are kept in script scope (PSCredential, SecureString-backed) for the
# rest of the session.
$Script:CredsExt = $host.ui.PromptForCredential("Need credentials", "Please enter your user name a
$Window.Activate()
}
Trap [SystemException]
{
continue
}
# Bring this process's main window back to the front after the credential prompt.
$h = (get-process -id $global:myPID).MainWindowHandle
[SFW]::SetForegroundWindow($h)
if($null -ne $Script:CredsExt.UserName)
{
if (TestCreds $CredsExt)
{
$global:strPinDomDC = $(GetDomainController $global:strDomainPrinDNName $true $Script:C
$global:strPrincipalDN = (GetSecPrinDN $strPrincipal $global:strPinDomDC $true -CREDS $Sc
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Bad user name or password!
$lblEffectiveSelUser.Content = ""
}
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Failed to insert credentials!" -strT
}
}
else
{
# As far as the visible (cut-off) lines show, both branches use $global:strDC and the same
# GetSecPrinDN call; only the label update differs.
if ( $global:strDomainPrinDNName -eq $global:strDomainDNName )
{
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
$global:strPinDomDC = $global:strDC
$global:strPrincipalDN = (GetSecPrinDN $strPrincipal $global:strPinDomDC $false -CREDS $CRE
}
else
{
$global:strPinDomDC = $global:strDC
$global:strPrincipalDN = (GetSecPrinDN $strPrincipal $global:strPinDomDC $false -CREDS $CRE
}
}
if ($global:strPrincipalDN -eq "")
{
if($global:bolCMD)
{
Write-host "Could not find $strPrincipal!" -ForegroundColor Red
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Could not find $strPrincipal!" -str
$lblEffectiveSelUser.Content = ""
}
}
else
{
$SPFound = $true
$global:strEffectiveRightAccount = $strPrincipal
if($global:bolCMD)
{
#Write-host "Found security principal"
}
else
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Found security principal" -strTyp
}
if ($global:strPrinDomDir -eq 2)
{
[System.Collections.ArrayList] $global:tokens = @(GetTokenGroups -PrincipalDomDC $global:strP
# Both DirectoryEntry constructor lines are cut off in this view; presumably they differ in
# the credentials passed - confirm.
if($CREDS)
{
$objADPrinipal = new-object DirectoryServices.DirectoryEntry("LDAP://$global:strPinDomDC/$g
}
else
{
$objADPrinipal = new-object DirectoryServices.DirectoryEntry("LDAP://$global:strPinDomDC/$g
}
$objADPrinipal.psbase.RefreshCache("msDS-PrincipalName")
$strPrinName = $($objADPrinipal.psbase.Properties.Item("msDS-PrincipalName"))
$global:strSPNobjectClass = $($objADPrinipal.psbase.Properties.Item("objectClass"))[$($objADPr
# Fall back to DOMAIN\sAMAccountName when msDS-PrincipalName is empty.
if (($strPrinName -eq "") -or ($null -eq $strPrinName))
{
$strPrinName = "$global:strPrinDomFlat\$($objADPrinipal.psbase.Properties.Item("samAccount
}
$global:strEffectiveRightSP = $strPrinName
# GUI label is set without a $global:bolCMD guard, unlike the messages above - confirm this
# is reached only when the GUI is loaded.
$lblEffectiveSelUser.Content = $strPrinName
}
else
{
# Same sequence as the branch above, against the DC chosen for the current domain.
[System.Collections.ArrayList] $global:tokens = @(GetTokenGroups -PrincipalDomDC $global:strP
if($CREDS)
{
$objADPrinipal = new-object DirectoryServices.DirectoryEntry("LDAP://$global:strPinDomDC/$g
}
else
{
$objADPrinipal = new-object DirectoryServices.DirectoryEntry("LDAP://$global:strPinDomDC/$g
}
$objADPrinipal.psbase.RefreshCache("msDS-PrincipalName")
$strPrinName = $($objADPrinipal.psbase.Properties.Item("msDS-PrincipalName"))
$global:strSPNobjectClass = $($objADPrinipal.psbase.Properties.Item("objectClass"))[$($objADPr
if (($strPrinName -eq "") -or ($null -eq $strPrinName))
{
$strPrinName = "$global:strPrinDomFlat\$($objADPrinipal.psbase.Properties.Item("samAccount
}
$global:strEffectiveRightSP = $strPrinName
$lblEffectiveSelUser.Content = $strPrinName
}
}
return $SPFound
}
#==========================================================================
# Function■■: LoadProgressBar
# Arguments : n/a
# Returns ■: n/a
# Description : Open up a progress bar in a XAML window
#==========================================================================
Function LoadProgressBar
{
# Purpose  : show the "Scanning..." WPF progress window on its own STA runspace so that the
#            modal ShowDialog() does not block the scanning thread.
# Shares state through the synchronized hashtable $global:ProgressBarWindow, which the
# runspace fills with .Window, .lblProgressBarInfo, .ProgressBar and, after the dialog
# closes, .Error (that runspace's $Error).
# Arguments: none. Returns: nothing.
# Nothing in this function disposes the PowerShell instance or the runspace (the visible
# callers only close the window and remove the global), so each call leaves both alive until
# the process exits.
$global:ProgressBarWindow = [hashtable]::Synchronized(@{})
$newRunspace =[runspacefactory]::CreateRunspace()
# WPF requires a single-threaded apartment.
$newRunspace.ApartmentState = "STA"
$newRunspace.ThreadOptions = "ReuseThread"
$newRunspace.Open()
$newRunspace.SessionStateProxy.SetVariable("global:ProgressBarWindow",$global:ProgressBarWind
$psCmd = [PowerShell]::Create().AddScript({
[xml]$xamlProgressBar = @"
<Window x:Class="WpfApplication1.StatusBar"
xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
x:Name="Window" Title="Scanning..." WindowStartupLocation = "CenterScreen"
Width = "350" Height = "150" ShowInTaskbar = "True" ResizeMode="NoResize" WindowStyle="To
<Grid>
<StackPanel >
<Label x:Name="lblProgressBarInfo" Foreground="white" Content="Currently scanning 0 of 0 ob
<ProgressBar x:Name = "ProgressBar" HorizontalAlignment="Left" Height="23" Margin="10,0,0
<ProgressBar.Foreground>
<LinearGradientBrush EndPoint="1,0.5" StartPoint="0,0.5">
<GradientStop Color="#FF237026"/>
<GradientStop Color="#FF0BF815" Offset="1"/>
<GradientStop Color="#FF0BF815" Offset="1"/>
</LinearGradientBrush>
</ProgressBar.Foreground>
</ProgressBar>
<Label x:Name="lblSkipProgressBar" Content="For increased speed, turn off the progress bar.&
</StackPanel>
</Grid>
</Window>
"@
# x:Class is a compile-time attribute; XamlReader.Load rejects it, so strip it first.
$xamlProgressBar.Window.RemoveAttribute("x:Class")
$reader=(New-Object System.Xml.XmlNodeReader $xamlProgressBar)
$global:ProgressBarWindow.Window=[Windows.Markup.XamlReader]::Load( $reader )
$global:ProgressBarWindow.lblProgressBarInfo = $global:ProgressBarWindow.window.FindName("lb
$global:ProgressBarWindow.ProgressBar = $global:ProgressBarWindow.window.FindName("Progre
$global:ProgressBarWindow.ProgressBar.Value = 0
# Blocks this runspace until the window is closed by the caller's Dispatcher call.
$global:ProgressBarWindow.Window.ShowDialog() | Out-Null
$global:ProgressBarWindow.Error = $Error
})
$psCmd.Runspace = $newRunspace
# Fire-and-forget: the IAsyncResult is discarded, so errors surface only via .Error above.
[void]$psCmd.BeginInvoke()
}
#==========================================================================
# Function■■: Update-ProgressBar
# Arguments : n/a
# Returns ■: n/a
# Description : Update progress bar in a XAML window
#==========================================================================
Function Update-ProgressBar
{
# Purpose  : push a new label text and progress value to the progress window.
# Arguments: $txtlabel - text for lblProgressBarInfo; $valProgress - ProgressBar value.
# Returns  : nothing. The update is marshalled to the window's UI thread through
#            Dispatcher.invoke because the window lives on the runspace created in LoadProgressBar.
# Failures (e.g. the window not yet initialised) are caught by the Trap and only logged.
Param ($txtlabel,$valProgress)
&{#Try
$global:ProgressBarWindow.ProgressBar.Dispatcher.invoke([action]{ $global:ProgressBarWindo
}
Trap [SystemException]
{
$global:observableCollection.Insert(0,(LogMessage -strMessage "Progressbar Failed!" -strType
}
}
#==========================================================================
# Function■■: Find-RiskyTemplates
# Arguments : Configuration partition distinguishedname
# Returns ■: An array of distinguishednames for templates that are published
# Description : Find and returns an array of distinguishednames for templates that are published and h
#==========================================================================
Function Find-RiskyTemplates
{
# Purpose  : collect the certificate templates published on every pKIEnrollmentService
#            (their certificatetemplates attribute) and, for each, look up the template
#            object whose enrollment flags do not require manager approval
#            (CT_FLAG_PEND_ALL_REQUESTS absent), collecting those DNs in $arrPublishedTemplatesDN.
# Arguments:
#   $ConfigurationDN - configuration partition DN; the SearchRequest base lines that
#                      presumably use it are cut off in this view.
#   $CREDS           - optional credentials (LDAPConnection constructor lines are cut off).
# Returns  : per the header comment, the array of template DNs; no output statement is
#            visible in this view, so confirm how $arrPublishedTemplatesDN reaches the caller.
Param(
[Parameter(Mandatory=$true,
ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true,
ValueFromRemainingArguments=$false,
Position=0,
ParameterSetName='Default')]
[ValidateNotNull()]
[ValidateNotNullOrEmpty()]
[String]
$ConfigurationDN="",
[Parameter(Mandatory=$false)]
[pscredential]
$CREDS)
#array Published templates names
$arrPublishedPKITemplates = New-Object System.Collections.ArrayList
#array Published templates DN
$arrPublishedTemplatesDN = New-Object System.Collections.ArrayList
# Search published for PKI templates
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global:strD
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$SearchFilter = "(objectClass=pKIEnrollmentService)"
$request = New-Object System.directoryServices.Protocols.SearchRequest("CN=Enrollment Service
[System.DirectoryServices.Protocols.PageResultRequestControl]$pagedRqc = new-object System.D
$request.Controls.Add($pagedRqc) | Out-Null
[void]$request.Attributes.Add("certificatetemplates")
while ($true)
{
$response = $LdapConnection.SendRequest($request, (new-object System.Timespan(0,0,$global
#for paged search, the response for paged search result control - we will need a cookie from resul
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilter"
}
}
#now process the returned list of distinguishedNames and fetch required properties using ranged r
$colResults = $response.Entries
# Every template name published by any enrollment service (duplicates across CAs are kept).
■ foreach ($objResult in $colResults)
■ {
■■ for($i=0;$i -lt $objResult.attributes.certificatetemplates.count;$i++)
{
[void]$arrPublishedPKITemplates.Add($objResult.attributes.certificatetemplates[$i])
}
}
if($global:PageSize -gt 0) {
if ($prrc.Cookie.Length -eq 0) {
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
} else {
#exit the processing for non-paged search
break;
}
}#End While
#if any results found in published template names continue to a search for the object
if($arrPublishedPKITemplates)
{
# For each template name search for the object
Foreach($PublishedTemplate in $arrPublishedPKITemplates)
{
# Search for PKI templates objects
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global
$LDAPConnection.SessionOptions.ReferralChasing = "None"
# The template name (read from the directory) is interpolated into the filter without
# RFC 4515 escaping; a cn containing ( ) * or \ would change the filter's meaning.
$SearchFilter = "(&(objectClass=pKICertificateTemplate)(cn=$PublishedTemplate)(!(mspki-enro
$request = New-Object System.directoryServices.Protocols.SearchRequest("CN=Certificate Tem
[System.DirectoryServices.Protocols.PageResultRequestControl]$pagedRqc = new-object Syst
$request.Controls.Add($pagedRqc) | Out-Null
[void]$request.Attributes.Add("mspki-enrollment-flag")
# NOTE(review): within the visible lines this request is never sent - there is no
# SendRequest and no "while ($true)" matching the "#End While" below - so $response still
# holds the enrollment-service result from the first loop and the "break" statements act on
# the Foreach. If lines were lost in this view, confirm against the file; otherwise this
# stage cannot populate $arrPublishedTemplatesDN as intended.
#for paged search, the response for paged search result control - we will need a cookie from
if($global:PageSize -gt 0) {
[System.DirectoryServices.Protocols.PageResultResponseControl] $prrc=$null;
if ($response.Controls.Length -gt 0)
{
foreach ($ctrl in $response.Controls)
{
if ($ctrl -is [System.DirectoryServices.Protocols.PageResultResponseControl])
{
$prrc = $ctrl;
break;
}
}
}
if($null -eq $prrc) {
#server was unable to process paged search
throw "Find-LdapObject: Server failed to return paged response for request $SearchFilte
}
}
#now process the returned list of distinguishedNames and fetch required properties using ran
$colResults = $response.Entries
■ foreach ($objResult in $colResults)
■ {
# "-le" against certificatetemplates.count (the first loop uses "-lt"): a template object is
# not expected to carry that attribute, so this runs once with $i = 0 - it works by accident.
■■ for($i=0;$i -le $objResult.attributes.certificatetemplates.count;$i++)
{
$strEnrollmentFlag = $(GetEnrollmentFlag $objResult.attributes.'mspki-enrollment-flag'[0
# Keep templates that issue without manager approval (no CT_FLAG_PEND_ALL_REQUESTS).
if(($strEnrollmentFlag -eq "") -or (-not($strEnrollmentFlag -match "CT_FLAG_PEND_AL
{
[void]$arrPublishedTemplatesDN.Add($objResult.distinguishedname)
}
}
}
if($global:PageSize -gt 0) {
if ($prrc.Cookie.Length -eq 0) {
#last page --> we're done
break;
}
#pass the search cookie back to server in next paged request
$pagedRqc.Cookie = $prrc.Cookie;
} else {
#exit the processing for non-paged search
break;
}
}#End While
}
}
}
#==========================================================================
# Function■■: GetEnrollmentFlag
# Arguments : Enrollment flags of a certificate template
# Returns ■: String of the translated values
# Description : Returns a certificate enrollment flag status
#==========================================================================
Function GetEnrollmentFlag ($EnrollmentFlag)
{
# Purpose  : decode the msPKI-Enrollment-Flag bit mask of a certificate template into a
#            comma-separated list of CT_FLAG_* names (MS-CRTD).
# Arguments: $EnrollmentFlag - the attribute value; the caller passes the raw LDAP value and
#            PowerShell converts it for -band.
# Returns  : the flag names joined by "," with no leading comma; "" when no known bit is set.
# Bits without an entry below are silently dropped - e.g. 0x00080000
# CT_FLAG_NO_SECURITY_EXTENSION, introduced with the 2022 certificate-mapping hardening,
# which is relevant for a risk report. Three of the names below are cut off in this view.
[string] $strStatus = ""
if ($EnrollmentFlag -band 0x00000001)
{ $strStatus = $strStatus + ",CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS"}
# 0x2: requests are held for CA manager approval (used by Find-RiskyTemplates).
if ($EnrollmentFlag -band 0x00000002)
{ $strStatus = $strStatus + ",CT_FLAG_PEND_ALL_REQUESTS"}
if ($EnrollmentFlag -band 0x00000004)
{ $strStatus = $strStatus + ",CT_FLAG_PUBLISH_TO_KRA_CONTAINER"}
if ($EnrollmentFlag -band 0x00000008)
{ $strStatus = $strStatus + ",CT_FLAG_PUBLISH_TO_DS"}
if ($EnrollmentFlag -band 0x00000010)
{ $strStatus = $strStatus + ",CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE"}
if ($EnrollmentFlag -band 0x00000020)
{ $strStatus = $strStatus + ",CT_FLAG_AUTO_ENROLLMENT"}
if ($EnrollmentFlag -band 0x00000040)
{ $strStatus = $strStatus + ",CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT"}
if ($EnrollmentFlag -band 0x00000100)
{ $strStatus = $strStatus + ",CT_FLAG_USER_INTERACTION_REQUIRED"}
if ($EnrollmentFlag -band 0x00000400)
{ $strStatus = $strStatus + ",CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STO
if ($EnrollmentFlag -band 0x00000800)
{ $strStatus = $strStatus + ",CT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF"}
if ($EnrollmentFlag -band 0x00001000)
{ $strStatus = $strStatus + ",CT_FLAG_ADD_OCSP_NOCHECK"}
if ($EnrollmentFlag -band 0x00002000)
{ $strStatus = $strStatus + ",CT_FLAG_ENABLE_KEY_REUSE_ON_NT_TOKEN_KEYSET_STORAGE
if ($EnrollmentFlag -band 0x00004000)
{ $strStatus = $strStatus + ",CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS"}
if ($EnrollmentFlag -band 0x00008000)
{ $strStatus = $strStatus + ",CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS"}
if ($EnrollmentFlag -band 0x00010000)
{ $strStatus = $strStatus + ",CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VA
if ($EnrollmentFlag -band 0x00020000)
{ $strStatus = $strStatus + ",CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST"}
if ($EnrollmentFlag -band 0x00040000)
{ $strStatus = $strStatus + ",CT_FLAG_SKIP_AUTO_RENEWAL"}
# Every appended name starts with ","; when anything was appended the first character is
# that comma, and substring(1, Length-1) is exactly the remainder.
[int] $index = $strStatus.IndexOf(",")
If($index -eq 0)
{
$strStatus = $strStatus.substring($strStatus.IndexOf(",") + 1, $strStatus.Length -1 )
}
return $strStatus
}#End function
#Number of columns in CSV import
# Expected header rows of a saved report and of a compare template.
# NOTE(review): presumably what TestCSVColumns validates an imported CSV
# against before it is used as a -Template — confirm.
$strCSVHeader = @"
"Object","ObjectClass","IdentityReference","PrincipalName","ActiveDirectoryRights","InheritanceType","
"@
$strCSVCompareHeader = @"
"Object","ObjectClass","IdentityReference","PrincipalName","ActiveDirectoryRights","InheritanceType","
"@
# Script-wide state shared by the command-line path below and the GUI
$global:myPID = $PID
# Rows of the compare template; replaced wholesale by Import-Csv when -Template is given
$global:csvHistACLs = New-Object System.Collections.ArrayList
# Domain DN for which the extended-rights GUID cache was last built (see CacheRightsGuids)
$strLastCacheGuidsDom = ""
$sd = ""
$global:intObjeComputer = 0
# LdapConnection / SearchRequest used throughout come from this assembly
$null = Add-Type -AssemblyName System.DirectoryServices.Protocols
# Command-line (non-GUI) mode: entered when -Base or -GPO was supplied.
# Turns the string parameters into the boolean filter flags the report
# functions read, then queries RootDSE to detect the directory type
# (AD DS vs AD LDS) and the naming contexts to use.
if($base -or $GPO)
{
# Display script info
Write-Host $ADACLScanVersion
$CREDS = $null
if($credentials)
{
$CREDS = $Credentials
}
if($Criticality)
{
$ShowCriticalityColor = $true
}
# No output format requested: nothing to open, so -Show is ignored
if($Output -eq "")
{
$Show = $false
}
# Each non-empty filter parameter enables its boolean filter flag
if($AccessType.Length -gt 0)
{
$AccessFilter = $true
}
else
{
$AccessFilter = $false
}
if($ApplyTo.Length -gt 0)
{
$ACLObjectFilter = $true
}
else
{
$ACLObjectFilter = $false
}
if($FilterTrustee.Length -gt 0)
{
$FilterForTrustee = $true
}
else
{
$FilterForTrustee = $false
}
if($Permission.Length -gt 0)
{
$BolACLPermissionFilter = $true
}
else
{
$BolACLPermissionFilter = $false
}
# Any single filter switches on the combined ACL filter.
# NOTE(review): the last operand is the raw $Permission string rather than
# $BolACLPermissionFilter computed just above; a non-empty string is truthy
# so the result is the same, but the flag is the consistent operand.
if($FilterForTrustee -or $ACLObjectFilter -or $AccessFilter -or $Permission)
{
$ACLFilter = $True
}
else
{
$ACLFilter= $False
}
if($ShowProgressBar)
{
$global:bolProgressBar = $true
}
else
{
$global:bolProgressBar = $false
}
#Connect to Custom Naming Context
$global:bolCMD = $true
# NOTE(review): $LDAPConnection and $request are sent here but are built
# outside this excerpt; the attributes read below (supportedcapabilities,
# dnshostname, naming contexts) match the RootDSE request constructed in the
# RAW branch further down — confirm they are the same request.
■ try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
$global:bolConnected = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
$global:bolConnected = $false
Write-host "Failed! Domain does not exist or can not be connected: $($_.Exception.InnerExcept
■ }
if($global:bolLDAPConnection -eq $true)
{
# The first supportedCapabilities OID tells AD LDS apart from AD DS
$strPrimaryCapability= $response.Entries[0].attributes.supportedcapabilities[0]
Switch ($strPrimaryCapability)
{
# LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID: an AD LDS instance
"1.2.840.113556.1.4.1851"
{
$global:DSType = "AD LDS"
$global:bolADDSType = $false
# AD LDS publishes no defaultNamingContext; the last listed context is used
$global:strDomainDNName = $response.Entries[0].Attributes.namingcontexts[-1]
$global:SchemaDN = $response.Entries[0].Attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].Attributes.configurationnamingcontext[0]
# Adopt the server's DNS host name only if it resolves; otherwise $global:strDC keeps its previous value
if($Port -eq "")
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0]
}
}
else
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0] +":" + $Port
}
}
}
# LDAP_CAP_ACTIVE_DIRECTORY_OID: a domain controller (AD DS)
"1.2.840.113556.1.4.800"
{
$global:DSType = "AD DS"
$global:bolADDSType = $true
$global:ForestRootDomainDN = $response.Entries[0].Attributes.rootdomainnamingcontext
$global:strDomainDNName = $response.Entries[0].Attributes.defaultnamingcontext[0]
$global:SchemaDN = $response.Entries[0].Attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].Attributes.configurationnamingcontext[0]
# Whether this DC is a Global Catalog; read later before switching to port 3268
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
if($Port -eq "")
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0]
}
}
else
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0] +":" + $Port
}
}
$global:strDomainPrinDNName = $global:strDomainDNName
$global:strDomainShortName = GetDomainShortName -strDomain $global:strDomainDNN
$global:strRootDomainShortName = GetDomainShortName -strDomain $global:ForestRoo
# NOTE(review): $lblSelectPrincipalDom is a GUI control; in command-line mode
# it may not exist — confirm this assignment is harmless without the window.
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
}
# Neither OID listed first: the AD DS attributes are read, but DSType and
# bolADDSType keep whatever value they already had
default
{
$global:ForestRootDomainDN = $response.Entries[0].Attributes.rootdomainnamingcontext
$global:strDomainDNName = $response.Entries[0].Attributes.defaultnamingcontext[0]
$global:SchemaDN = $response.Entries[0].Attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].Attributes.configurationnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
if($Port -eq "")
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0]
}
else
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0] +":" + $Port
}
}
}
# Default to the domain naming context when none was chosen
if($strNamingContextDN -eq "")
{
$strNamingContextDN = $global:strDomainDNName
}
# Only mark a naming context as selected if the DN actually exists on the DC
If(CheckDNExist -sADobjectName $strNamingContextDN -strDC $global:strDC -CREDS $CRED
{
$NCSelect = $true
}
else
{
Write-Output "Failed to connect to $base"
$global:bolConnected = $false
}
}#bolLDAPConnection
} # End If D lenght
else
{
$global:bolConnected = $false
}
# -EffectiveRightsPrincipal: resolve the principal once against the connected
# domain. Success also forces inherited ACEs to be included (presumably
# because effective rights have to account for them).
$bolEffective = $false
if($EffectiveRightsPrincipal.Length -gt 0)
{
if($(GetEffectiveRightSP $EffectiveRightsPrincipal $global:strDomainDNName -CREDS $CREDS)
{
$bolEffective = $true
$IncludeInherited = $true
}
else
{
# NOTE(review): 'break' is not inside a loop here; at script scope it
# presumably stops the script, which looks intended when the principal
# cannot be resolved — an explicit 'exit' would make that unambiguous.
break;
}
}
#Check if a naming context is selected
If ($NCSelect -eq $true)
{
# Rebuild the extended-rights GUID cache only when the domain changed since the last build
■ If (!($strLastCacheGuidsDom -eq $global:strDomainDNName))
■ {
■ $global:dicRightsGuids = @{"Seed" = "xxx"}
■ CacheRightsGuids -CREDS $CREDS
■ $strLastCacheGuidsDom = $global:strDomainDNName
■ }
#Get Forest Root Domain ObjectSID
if ($global:bolADDSType)
{
# AD DS only: read the domain object's objectSid
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($global:strDomainD
[void]$request.Attributes.Add("objectsid")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
Write-host "Failed! Domain does not exist or can not be connected: $($_.Exception.InnerEx
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:DomainSID = GetSidStringFromSidByte $response.Entries[0].attributes.objectsid.Get
}
# NOTE(review): as shown, the same $request (base = the domain DN) is sent a
# second time, so ForestRootDomainSID would equal DomainSID even in a child
# domain; if a SearchRequest against $global:ForestRootDomainDN belongs here,
# it is not in this excerpt — confirm.
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
Write-host "Failed! Domain does not exist or can not be connected: $($_.Exception.InnerEx
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:ForestRootDomainSID = GetSidStringFromSidByte $response.Entries[0].attributes
}
}
else
{
# Not AD DS: reuse the connected server and the domain SID as the forest-root values
$global:strForestDC = $global:strDC
$global:ForestRootDomainSID = $global:DomainSID
}
}
#Verify that you could connect to the naming context
if($Global:bolLDAPConnection)
{
# -GPO, or -Base RootDSE: report from the domain root instead of a literal "RootDSE" DN
if($GPO -or ($base -eq "RootDSE"))
{
if(($base -eq "") -or ($base -eq "RootDSE"))
{
$base = $global:strDomainDNName
}
}
# Read the base object's 'name'; it becomes the stem of the output file names
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($global
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($base, "(objectClas
[void]$request.Attributes.Add("name")
try
{
$response = $LDAPConnection.SendRequest($request)
#Set search base as the name of the output file
$strNode = fixfilename $response.Entries[0].Attributes.name[0]
}
catch
{
# NOTE(review): the error is swallowed here, leaving $strNode unset when the
# base DN cannot be read; $strNode is used below to build output file names.
}
if($GPO)
{
$strNode = $strNode + "_GPOs"
}
############### COMPARE THINGS ##########
# -Template: load a previously saved CSV report and resolve the DN stored in
# its first row so the current ACLs can be compared against it.
if($Template)
{
if ($(Test-Path $Template) -eq $true)
{
$global:bolCSVLoaded = $false
$strCompareFile = $Template
# Script block + Trap: an import failure is caught by the trap below and
# 'continue' resumes with the statement after the block
&{#Try
$global:bolCSVLoaded = $true
$global:csvHistACLs = import-Csv $strCompareFile
}
Trap [SystemException]
{
$strCSVErr = $_.Exception.Message
Write-Host "Failed to load CSV. $strCSVErr" -ForegroundColor Red
$global:bolCSVLoaded = $false
continue
}
#Verify that a successful CSV import is performed before continue
if($global:bolCSVLoaded)
{
#Test CSV file format
if(TestCSVColumns $global:csvHistACLs)
{
$bolContinue = $true
# Older templates name the DN column "OU" instead of "Object"
if($global:csvHistACLs[0].Object)
{
$strOUcol = $global:csvHistACLs[0].Object
}
else
{
$strOUcol = $global:csvHistACLs[0].OU
}
# Expand the <DOMAIN-DN> / <ROOT-DN> placeholders written by CSVTEMPLATE output.
# Contains() already returns a boolean; the '-gt 0' is redundant but harmless.
if($strOUcol.Contains("<DOMAIN-DN>") -gt 0)
{
$strOUcol = ($strOUcol -Replace "<DOMAIN-DN>",$global:strDomainDNName)
}
if($strOUcol.Contains("<ROOT-DN>") -gt 0)
{
$strOUcol = ($strOUcol -Replace "<ROOT-DN>",$global:ForestRootDomainDN)
# A forest-root template applied from a child domain only works through a
# Global Catalog; ask before switching the connection to port 3268
if($global:strDomainDNName -ne $global:ForestRootDomainDN)
{
if($global:IS_GC -eq "TRUE")
{
Write-Host "You are not connected to the forest root domain: $global:ForestRo
$a = Read-Host "Do you want to continue? Press Y[Yes] or N[NO]:"
if($a -eq "Y")
{
if($global:strDC.contains(":"))
{
$global:strDC = $global:strDC.split(":")[0] + ":3268"
}
else
{
$global:strDC = $global:strDC + ":3268"
}
}
else
{
$bolContinue = $false
}
}
else
{
Write-host "You are not connected to the forest root domain: $global:ForestRo
$bolContinue = $false
}
}
}
# NOTE(review): -Replace treats $txtReplaceDN.text as a regex, so a DN
# containing metacharacters such as '.' or '(' is not matched literally;
# [regex]::Escape() would make this a literal replace. $txtReplaceDN is a
# GUI control and may be $null in command-line mode — confirm.
if($txtReplaceDN.text.Length -gt 0)
{
$strOUcol = ($strOUcol -Replace $txtReplaceDN.text,$global:strDomainDNName)
}
$sADobjectName = $strOUcol
#Verify if the connection can be done
if($bolContinue)
{
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConne
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest
# Include tombstoned objects when requested (LDAP_SERVER_SHOW_DELETED_OID control)
if($global:bolShowDeleted)
{
[string] $LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
[void]$request.Controls.Add((New-Object "System.DirectoryServices.Protocols.D
}
# Base-scope lookup of the template's DN, taken from the user-supplied CSV
$request.DistinguishedName = $sADobjectName
$request.Filter = "(name=*)"
$request.Scope = "Base"
[void]$request.Attributes.Add("name")
# NOTE(review): no try/catch here — a DN that does not exist in this
# directory throws and aborts the run rather than producing a message.
$response = $LDAPConnection.SendRequest($request)
$ADobject = $response.Entries[0]
$strNode = fixfilename $ADobject.attributes.name[0]
}
else
{
#Set the node to empty , no connection will be done
$strNode = ""
}
}
else
{
Write-host "Wrong format in: $Template" -ForegroundColor Red
exit
}
}
}
else
{
Write-host "File not found $Template" -ForegroundColor Red
exit
}
}
############### COMPARE THINGS ##########
# -ApplyTo filter needs the schema object GUIDs to match ACE object types
if($ACLObjectFilter)
{
GetSchemaObjectGUID -Domain $global:strDomainDNName -CREDS $CREDS
}
# Build the list of object DNs whose ACLs will be read
if($Targets)
{
# Only the "RiskyTemplates" target is handled; any other -Targets value leaves $allSubOU as it was
if($Targets -eq "RiskyTemplates")
{
$allSubOU = Find-RiskyTemplates -ConfigurationDN $global:ConfigDN -CREDS $CREDS
}
}
else
{
if(-not($GPO))
{
#Get all LDAP objects to read ACL's on
$allSubOU = @(GetAllChildNodes -firstnode $base -Scope $Scope -CustomFilter $LDAPF
}
else
{
#Get all LDAP objects to read ACL's on
# -GPO: restrict the enumeration to the GPO-related object classes in the filter below
$allSubOU = @(GetAllChildNodes -firstnode $base -Scope $Scope -CustomFilter "(&(|(obj
}
}
if($CanonicalNames)
{
$UseCanonicalName = $true
}
else
{
$UseCanonicalName = $false
}
#If more than 0 objects returned send it to Get-Perm to read ACL's
if($allSubOU.count -gt 0)
{
#Set the path for the CSV file name
# '$OutputFolder -gt ""' is a string comparison used as a non-empty test
if($OutputFolder -gt "")
{
#Check if foler exist if not use current folder
if(Test-Path $OutputFolder)
{
$strFileCSV = $OutputFolder + "\" +$strNode + "_" + $global:strDomainShortName + "_a
}
else
{
Write-host "Path:$OutputFolder was not found! Writting to current folder." -ForegroundC
$strFileCSV = $CurrentFSPath + "\" +$strNode + "_" + $global:strDomainShortName + "
}
}
else
{
$strFileCSV = $CurrentFSPath + "\" +$strNode + "_" + $global:strDomainShortName + "_a
}
$bolAssess = if($Criticality){$true}else{$false}
# Report writers: each -Output format resolves its file path and then calls
# Get-PermCompare (with -Template) or Get-Perm (plain scan)
if(($Output -eq "CSV") -or ($Output -eq "CSVTEMPLATE") -or ($Output -eq "HTML") -or ($O
{
$file = $true
# Check if HTML switch is selected , creates a HTML file
Switch ($Output)
{
"HTML"
{■■■
$bolCSV = $false
# The HTA viewer copy is written to the user's temp folder; the HTM goes to the output folder
$strFileHTA = $env:temp + "\"+$global:ACLHTMLFileName+".hta"
#Set the path for the HTM file name
if($OutputFolder -gt "")
{
#Check if foler exist if not use current folder
if(Test-Path $OutputFolder)
{
$strFileHTM = $OutputFolder + "\"+"$global:strDomainShortName-$strNode-$glo
}
else
{
Write-host "Path:$OutputFolder was not found! Writting to current folder." -Foreg
$strFileHTM = $CurrentFSPath + "\"+"$global:strDomainShortName-$strNode-$g
}
}
else
{
$strFileHTM = $CurrentFSPath + "\"+"$global:strDomainShortName-$strNode-$glo
}
CreateHTA "$global:strDomainShortName-$strNode" $strFileHTA $strFileHTM $Curre
CreateHTM "$global:strDomainShortName-$strNode" $strFileHTM■
if($Template)
{
InitiateHTM $strFileHTA $strNode $Base $SDDate $false $Protected $ShowCritica
InitiateHTM $strFileHTM $strNode $Base $SDDate $false $Protected $ShowCritica
}
else
{
InitiateHTM $strFileHTA $strNode $Base $SDDate $false $Protected $ShowCriticality
InitiateHTM $strFileHTM $strNode $Base $SDDate $false $Protected $ShowCriticality
}
if($Template)
{
Get-PermCompare $allSubOU $SkipDefaults $SkipProtected $false $Owner $bolCSV
}
else
{
Get-Perm -AllObjectDn $allSubOU -DomainNetbiosName $global:strDomainShortNam
icalityColor -GPO $GPO -FilterBuiltin $SkipBuiltIn -TranslateGUID $Translate -RecursiveFind $Recursiv
}
Write-host "Report saved in: $strFileHTM" -ForegroundColor Yellow
Write-output $strFileHTM
}
"EXCEL"
{■
$bolCSV = $false
$ExcelModuleExist = $true
# NOTE(review): ImportExcel is resolved by name from PSModulePath; in a
# hardened environment pin it with -RequiredVersion or verify the installed
# module before loading.
if(!$(get-module ImportExcel))
{
Write-Host "Checking for ImportExcel PowerShell Module..."
if(!$(get-module -ListAvailable | Where-Object name -eq "ImportExcel"))
{
write-host "You need to install the PowerShell module ImportExcel found in the P
$ExcelModuleExist = $false
}
else
{
Import-Module ImportExcel
$ExcelModuleExist = $true
}
}
if($ExcelModuleExist)
{
# -ExcelFile overrides the generated path
if($ExcelFile -eq "")
{
#Set the path for the Excel file name■■
if($OutputFolder -gt "")
{
#Check if foler exist if not use current folder
if(Test-Path $OutputFolder)
{
$strFileEXCEL = $OutputFolder + "\" +$strNode + "_" + $global:strDomainS
}
else
{
Write-host "Path:$OutputFolder was not found! Writting to current folder." -F
$strFileEXCEL = $CurrentFSPath + "\" +$strNode + "_" + $global:strDomain
}
}
else
{
$strFileEXCEL = $CurrentFSPath + "\" +$strNode + "_" + $global:strDomainSh
}
}
else
{
$strFileEXCEL = $ExcelFile
}
if($Template)
{
Get-PermCompare $allSubOU $SkipDefaults $SkipProtected $SDDate $Owner
}
else
{
Get-Perm -AllObjectDn $allSubOU -DomainNetbiosName $global:strDomainSho
$ShowCriticalityColor -GPO $GPO -FilterBuiltin $SkipBuiltIn -TranslateGUID $Translate -RecursiveFind
}
}
}
"CSVTEMPLATE"
{
$bolCSV = $true
if($Template)
{
Get-PermCompare $allSubOU $SkipDefaults $SkipProtected $false $Owner $bolC
}
else
{
Get-Perm -AllObjectDn $allSubOU -DomainNetbiosName $global:strDomainShortN
r $ShowCriticalityColor -GPO $GPO -FilterBuiltin $SkipBuiltIn -TranslateGUID $Translate -RecursiveFin
}
}
# Plain CSV (the default for any other accepted -Output value)
default
{
$bolCSV = $true
if($Template)
{
Get-PermCompare $allSubOU $SkipDefaults $SkipProtected $false $Owner $bolC
}
else
{
Get-Perm -AllObjectDn $allSubOU -DomainNetbiosName $global:strDomainShortN
riticalityColor -GPO $GPO -FilterBuiltin $SkipBuiltIn -TranslateGUID $Translate -RecursiveFind $Recur
}
}
}
# NOTE(review): this 'else' directly follows the Switch's closing brace; the
# brace that closes the preceding if(($Output -eq "CSV") ...) does not appear
# in this excerpt — confirm against the full file.
else
{
# -RAW: scan default security descriptors of schema classes instead of object ACLs
if($RAW)
{
$bolCSV = $true
$file = $false
if($Template)
{
Get-PermCompare $allSubOU $SkipDefaults $SkipProtected $false $Owner $bolCSV
}
else
{
if($Criticality)
{
$ShowCriticalityColor = $true
}
else
{
$ShowCriticalityColor = $false
}
if($Criticality)
{
$CriticalitySelected = $true
}
else
{
$CriticalitySelected = $false
}
# Fresh RootDSE query to re-read the naming contexts for this mode.
# NOTE(review): the connection is opened against "" (the default directory);
# $Port is applied to $global:strDC below, but -Server does not appear to be
# used for this connection — confirm.
$global:bolLDAPConnection = $false
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection("")
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest("", "(objectClass=*)", "
# Include tombstoned objects when requested (LDAP_SERVER_SHOW_DELETED_OID control)
if($global:bolShowDeleted)
{
[string] $LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
[void]$request.Controls.Add((New-Object "System.DirectoryServices.Protocols.DirectoryControl
}
[void]$request.Attributes.Add("dnshostname")
[void]$request.Attributes.Add("supportedcapabilities")
[void]$request.Attributes.Add("namingcontexts")
[void]$request.Attributes.Add("defaultnamingcontext")
[void]$request.Attributes.Add("schemanamingcontext")
[void]$request.Attributes.Add("configurationnamingcontext")
[void]$request.Attributes.Add("rootdomainnamingcontext")
[void]$request.Attributes.Add("isGlobalCatalogReady")
■ try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
Write-host "Failed! Domain does not exist or can not be connected: $($_.Exception.InnerExcept
■ }
if($global:bolLDAPConnection -eq $true)
{
# The first supportedCapabilities OID tells AD LDS apart from AD DS
$strPrimaryCapability= $response.Entries[0].attributes.supportedcapabilities[0]
Switch ($strPrimaryCapability)
{
# LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID: an AD LDS instance
"1.2.840.113556.1.4.1851"
{
$global:DSType = "AD LDS"
$global:bolADDSType = $false
$global:strDomainDNName = $response.Entries[0].Attributes.namingcontexts[-1]
$global:SchemaDN = $response.Entries[0].Attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].Attributes.configurationnamingcontext[0]
if($Port -eq "")
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0]
}
}
else
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0] +":" + $Port
}
}
}
# LDAP_CAP_ACTIVE_DIRECTORY_OID: a domain controller (AD DS)
"1.2.840.113556.1.4.800"
{
$global:DSType = "AD DS"
$global:bolADDSType = $true
$global:ForestRootDomainDN = $response.Entries[0].Attributes.rootdomainnamingconte
$global:strDomainDNName = $response.Entries[0].Attributes.defaultnamingcontext[0]
$global:SchemaDN = $response.Entries[0].Attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].Attributes.configurationnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
if($Port -eq "")
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0]
}
}
else
{
if(Test-ResolveDNS $response.Entries[0].Attributes.dnshostname[0])
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0] +":" + $Port
}
}
$global:strDomainPrinDNName = $global:strDomainDNName
$global:strDomainShortName = GetDomainShortName -strDomain $global:strDomainDN
$global:strRootDomainShortName = GetDomainShortName -strDomain $global:ForestR
# NOTE(review): GUI control referenced from the command-line path — confirm it exists here
$lblSelectPrincipalDom.Content = $global:strDomainShortName+":"
}
default
{
$global:ForestRootDomainDN = $response.Entries[0].Attributes.rootdomainnamingconte
$global:strDomainDNName = $response.Entries[0].Attributes.defaultnamingcontext[0]
$global:SchemaDN = $response.Entries[0].Attributes.schemanamingcontext[0]
$global:ConfigDN = $response.Entries[0].Attributes.configurationnamingcontext[0]
$global:IS_GC = $response.Entries[0].Attributes.isglobalcatalogready[0]
if($Port -eq "")
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0]
}
else
{
$global:strDC = $response.Entries[0].Attributes.dnshostname[0] +":" + $Port
}
}
}
if($strNamingContextDN -eq "")
{
$strNamingContextDN = $global:strDomainDNName
}
If(CheckDNExist -sADobjectName $strNamingContextDN -strDC $global:strDC -CREDS $CRED
{
$NCSelect = $true
}
else
{
Write-Output "Failed to connect to $base"
$global:bolConnected = $false
}
}#bolLDAPConnection
If ($NCSelect -eq $true)
{
# Rebuild the extended-rights GUID cache only when the domain changed
■ If (!($strLastCacheGuidsDom -eq $global:strDomainDNName))
■ {
■ $global:dicRightsGuids = @{"Seed" = "xxx"}
■ CacheRightsGuids -CREDS $CREDS
■ $strLastCacheGuidsDom = $global:strDomainDNName
■ }
#Get Forest Root Domain ObjectSID
if ($global:bolADDSType)
{
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection($glob
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($global:strDoma
[void]$request.Attributes.Add("objectsid")
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
Write-host "Failed! Domain does not exist or can not be connected: $($_.Exception.InnerEx
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:DomainSID = GetSidStringFromSidByte $response.Entries[0].attributes.objectsid.G
}
# NOTE(review): same $request sent again, so ForestRootDomainSID would equal
# DomainSID; a request against $global:ForestRootDomainDN is not in this excerpt — confirm.
try
■ {
$response = $LDAPConnection.SendRequest($request)
$global:bolLDAPConnection = $true
■ }
■ catch
■ {
■■ $global:bolLDAPConnection = $false
Write-host "Failed! Domain does not exist or can not be connected: $($_.Exception.Inne
■ }
if($global:bolLDAPConnection -eq $true)
{
$global:ForestRootDomainSID = GetSidStringFromSidByte $response.Entries[0].attribut
}
}
else
{
$global:strForestDC = $global:strDC
$global:ForestRootDomainSID = $global:DomainSID
}
}
# Read the schema container's name for the output file stem (no try/catch: a
# failed request throws here)
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LDAPConnection("")
$LDAPConnection.SessionOptions.ReferralChasing = "None"
$request = New-Object System.directoryServices.Protocols.SearchRequest($global:SchemaDN
[void]$request.Attributes.Add("name")
$response = $LDAPConnection.SendRequest($request)
#Set search base as the name of the output file
$strNode = fixfilename $response.Entries[0].Attributes.name[0]
# A single schema class was requested: name the output after it instead
if($SchemaObjectName -ne "*")
{
$strNode = $SchemaObjectName
}
#Get current date
$date= get-date -uformat %Y%m%d_%H%M%S
# Default-SD report writers per -Output format; each ends in Get-DefaultSD
Switch ($Output)
{
"HTML"
{
#Set the path for the HTM file name
if($OutputFolder -gt "")
{
#Check if foler exist if not use current folder
if(Test-Path $OutputFolder)
{
$strFileDefSDHTM = $OutputFolder + "\"+"$global:strDomainShortName-$strNode-$g
}
else
{
Write-host "Path:$OutputFolder was not found! Writting to current folder." -Foreground
$strFileDefSDHTM = $CurrentFSPath + "\"+"$global:strDomainShortName-$strNode-
}
}
else
{
$strFileDefSDHTM = $CurrentFSPath + "\"+"$global:strDomainShortName-$strNode-$g
}
$strFileDefSDHTA = $env:temp + "\"+$global:ACLHTMLFileName+".hta"
# SDDL listing vs. decoded access view of the default security descriptors
if($bolSDDL -eq $true)
{
CreateDefaultSDReportHTA $global:strDomainLongName $strFileDefSDHTA $strFile
CreateDefSDHTM $global:strDomainLongName $strFileDefSDHTM
InitiateDefSDHTM $strFileDefSDHTM $strObjectClass
InitiateDefSDHTM $strFileDefSDHTA $strObjectClass
}
else
{
CreateHTM $strNode $strFileDefSDHTM■■■■■
CreateHTA $strNode $strFileDefSDHTA $strFileDefSDHTM $CurrentFSPath $global:str
InitiateDefSDAccessHTM $strFileDefSDHTA $strObjectClass $bolReplMeta $false "" $S
InitiateDefSDAccessHTM $strFileDefSDHTM $strObjectClass $bolReplMeta $false "" $S
}
Get-DefaultSD -strObjectClass $SchemaObjectName -bolChangedDefSD $OnlyModified -
}
"EXCEL"
{
$bolCSV = $false
$ExcelModuleExist = $true
# NOTE(review): ImportExcel is resolved by name from PSModulePath; pin or
# verify the module in a hardened environment.
if(!$(get-module ImportExcel))
{
Write-Host "Checking for ImportExcel PowerShell Module..."
if(!$(get-module -ListAvailable | Where-Object name -eq "ImportExcel"))
{
write-host "You need to install the PowerShell module ImportExcel found in the PSGa
$ExcelModuleExist = $false
}
else
{
Import-Module ImportExcel
$ExcelModuleExist = $true
}
}
if($ExcelModuleExist)
{ ■■
if($ExcelFile -eq "")
{
#Set the path for the Excel file name
if($OutputFolder -gt "")
{
#Check if foler exist if not use current folder
if(Test-Path $OutputFolder)
{
$strFileEXCEL = $OutputFolder + "\" +$strNode + "_" + $global:strDomainShortN
}
else
{
Write-host "Path:$OutputFolder was not found! Writting to current folder." -Foreg
$strFileEXCEL = $CurrentFSPath + "\" +$strNode + "_" + $global:strDomainShor
}
}
else
{
$strFileEXCEL = $CurrentFSPath + "\" +$strNode + "_" + $global:strDomainShortN
}
}
else
{
$strFileEXCEL = $ExcelFile
}
#$rslt = Get-DefaultSD -strObjectClass "*" -bolChangedDefSD $true -bolSDDL $false -S
Get-DefaultSD -strObjectClass $SchemaObjectName -bolChangedDefSD $OnlyModified
}
}
# Plain CSV for any other -Output value
default
{
#Set the path for the CSV file name
if($OutputFolder -gt "")
{
#Check if foler exist if not use current folder
if(Test-Path $OutputFolder)
{
$strFileCSV = $OutputFolder + "\" +$strNode + "_" + $global:strDomainShortName +
}
else
{
Write-host "Path:$OutputFolder was not found! Writting to current folder." -Foreground
$strFileCSV = $CurrentFSPath + "\" +$strNode + "_" + $global:strDomainShortName
}
}
else
{
$strFileCSV = $CurrentFSPath + "\" +$strNode + "_" + $global:strDomainShortName + "
}
Get-DefaultSD -strObjectClass $SchemaObjectName -bolChangedDefSD $OnlyModified -
}
}
}#End if $NCSelect
}# End if D
# Neither -Base nor -GPO: run interactively
else # Else GUI will open
{
$global:bolCMD = $false
[void]$Window.ShowDialog()
}
}