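# PowerShell script authored by Sean Metcalf (@PyroTek3)
# 2025-08-25
# Updated 2025-10-08
# Script provided as-is
#
# Purpose: enumerate the recursive membership of the default/built-in AD groups
# that carry elevated rights but are often overlooked (Account Operators,
# Backup Operators, Server Operators, ...) and warn when a group that should
# be empty, or nearly empty, has members.
#
# Usage:   .\Get-ADBuiltInAdmins.ps1 [-Domain <dns-domain-name>]
# Output:  one summary row per group (GroupName, MemberCount, Members) plus
#          Write-Warning lines for groups over their expected size.
#Requires -Modules ActiveDirectory
Param
(
    # DNS name of the domain to audit; defaults to the current user's domain.
    $Domain = $env:userdnsdomain
)

# Pin every query to one discovered DC so the group lookup and the member
# enumeration see the same replica.
$DomainDC = (Get-ADDomainController -Discover -DomainName $Domain).Name
$DomainInfo = Get-ADDomain -Server $DomainDC

# Groups are identified by SID rather than display name, which avoids depending
# on localized or renamed group names. Entries starting with 'S-1-' are
# well-known builtin SIDs; entries starting with '-' are RIDs appended to the
# domain SID below.
#   S-1-5-32-548  Account Operators
#   S-1-5-32-551  Backup Operators
#   -517          Cert Publishers
#   -1101         DNSAdmins (NOTE(review): this RID is not a well-known
#                 constant; 1101 is the usual value in a fresh domain, verify
#                 it matches yours)
#   -527          Enterprise Key Admins (exists only in the forest root domain)
#   S-1-5-32-573  Event Log Readers
#   -520          Group Policy Creator Owners
#   S-1-5-32-550  Print Operators
#   S-1-5-32-549  Server Operators
#   -518          Schema Admins (exists only in the forest root domain)
$GroupArray = @('S-1-5-32-548','S-1-5-32-551','-517','-1101','-527','S-1-5-32-573','-520','S-1-5-32-550','S-1-5-32-549','-518')

# Groups that should normally have no members at all
# (Account Operators, Group Policy Creator Owners, Print Operators, Schema Admins).
$ShouldBeEmptyArray = @('S-1-5-32-548','-520','S-1-5-32-550','-518')

$PrivilegedGroupMemberArray = @()
ForEach ($GroupArrayItem in $GroupArray)
{
    IF ($GroupArrayItem -like 'S-1-*')
    { $GroupArrayItemSID = $GroupArrayItem }
    ELSE
    { $GroupArrayItemSID = $($DomainInfo.DomainSID.Value) + $GroupArrayItem }

    # Resolve the group and enumerate it. A group that cannot be found (e.g. a
    # forest-root-only group queried against a child domain) or a recursive
    # enumeration that fails is reported and skipped instead of silently
    # producing a row with zero members.
    try
    {
        $GroupInfo = Get-ADGroup -Identity $GroupArrayItemSID -Server $DomainDC -ErrorAction Stop
        # Wrapped in @() so .Count is reliable for zero or exactly one member.
        $ADGroupMemberArray = @(Get-ADGroupMember -Identity $GroupInfo.SID.Value -Recursive -Server $DomainDC -ErrorAction Stop)
    }
    catch
    {
        Write-Warning "Unable to enumerate group with SID $GroupArrayItemSID on ${DomainDC}: $($_.Exception.Message)"
        continue
    }
    $ADGroupMemberString = $ADGroupMemberArray.name -join ","

    $PrivilegedGroupMemberItem = New-Object PSObject
    $PrivilegedGroupMemberItem | Add-Member -MemberType NoteProperty -Name GroupName -Value $GroupInfo.Name -Force
    $PrivilegedGroupMemberItem | Add-Member -MemberType NoteProperty -Name MemberCount -Value $ADGroupMemberArray.Count -Force
    $PrivilegedGroupMemberItem | Add-Member -MemberType NoteProperty -Name Members -Value $ADGroupMemberString -Force
    # Full member objects are kept on the row for callers that want more than the name list.
    $PrivilegedGroupMemberItem | Add-Member -MemberType NoteProperty -Name MemberArray -Value $ADGroupMemberArray -Force
    [array]$PrivilegedGroupMemberArray += $PrivilegedGroupMemberItem

    # Size checks. Thresholds are the author's rule-of-thumb expectations.
    IF ( ($ShouldBeEmptyArray -contains $GroupArrayItem) -AND ($ADGroupMemberArray.Count -gt 0) )
    { Write-Warning "The $($GroupInfo.Name) group should be empty, but contains $($ADGroupMemberArray.Count) members" }
    IF ( ($GroupArrayItem -eq 'S-1-5-32-551') -AND ($ADGroupMemberArray.Count -ge 5) )
    { Write-Warning "The $($GroupInfo.Name) should typically have less than ~5 members, but contains $($ADGroupMemberArray.Count) members" }
    # Cert Publishers is matched by its RID suffix: $GroupArray holds SIDs, not
    # display names, so the previous comparison against 'Cert Publishers' never fired.
    IF ( ($GroupArrayItem -eq '-517') -AND ($ADGroupMemberArray.Count -ge 5) )
    { Write-Warning "The $($GroupInfo.Name) group should typically have ~5 members, but contains $($ADGroupMemberArray.Count) members" }
    IF ( ($GroupArrayItem -eq 'S-1-5-32-573') -AND ($ADGroupMemberArray.Count -ge 2) )
    { Write-Warning "The $($GroupInfo.Name) group should typically have less than ~3 members, but contains $($ADGroupMemberArray.Count) members" }
}

# The summary rows carry GroupName/MemberCount/Members/MemberArray only; sorting
# on SamAccountName (as before) keyed on a property these rows do not have.
$PrivilegedGroupMemberArray | Sort-Object GroupName | Select-Object GroupName,MemberCount,Members | Format-Table -AutoSize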