Initial Command set

Author: FriedrichWeinmann

ADSec/ADSec.psd1

@@ -3,7 +3,7 @@
 	RootModule = 'ADSec.psm1'
 
 	# Version number of this module.
-	ModuleVersion = '1.0.0'
+	ModuleVersion = '0.1.0'
 
 	# ID used to uniquely identify this module
 	GUID = '1cfaca0a-3c7d-47dd-bb9f-9711310a0b9d'
@@ -39,7 +39,12 @@
 	# FormatsToProcess = @('xml\ADSec.Format.ps1xml')
 
 	# Functions to export from this module
-	FunctionsToExport = ''
+	FunctionsToExport = @(
+		'Get-AdsAcl'
+		'Get-AdsOrphanAce'
+		'Remove-AdsOrphanAce'
+		'Set-AdsAcl'
+	)
 
 	# Cmdlets to export from this module
 	CmdletsToExport = ''

ADSec/changelog.md

@@ -1,5 +1,3 @@
 # Changelog
-## 1.0.0 (2019-10-01)
- - New: Some Stuff
- - Upd: Moar Stuff
- - Fix: Much Stuff
+## 1.0.0 (2019-10-08)
+ - Initial Release

ADSec/en-us/strings.psd1

@@ -1,5 +1,14 @@
 # This is where the strings go, that are written by
 # Write-PSFMessage, Stop-PSFFunction or the PSFramework validation scriptblocks
 @{
-	'key' = 'Value'
+	'Assert-ADConnection.Failed'	  = 'Failed to connect to {0} as {1}' # $target, $userName
+	'Get-AdsAcl.ObjectError'		  = 'Error accessing item: {0}' # $pathItem
+	'Get-LdapObject.CredentialError'  = 'Invalid username/password' # 
+	'Get-LdapObject.SearchError'	  = 'Failed to execute ldap request.' # 
+	'Get-LdapObject.Searchfilter'	  = 'Searching with filter: {0}' # $LdapFilter
+	'Get-LdapObject.SearchRoot'	      = 'Searching {0} in {1}' # $SearchScope, $searcher.SearchRoot.Path
+	'Set-AdsAcl.SettingSecurity'	  = 'Updating security settings' # 
+	'Set-AdsOwner.AlreadyOwned'	      = '{0} is already owned by {1}' # $pathItem, $idReference
+	'Set-AdsOwner.UnresolvedIdentity' = 'Failed to resolve Identity: {0}' # $Identity
+	'Set-AdsOwner.UpdatingOwner'	  = 'Updating owner to {0}' # $idReference
 }

ADSec/functions/acl/Get-AdsAcl.ps1

@@ -0,0 +1,63 @@
+function Get-AdsAcl
+{
+<#
+	.SYNOPSIS
+		Reads the ACL from an AD object.
+	
+	.DESCRIPTION
+		Reads the ACL from an AD object.
+		Allows specifying the server to ask.
+	
+	.PARAMETER Path
+		The DistinguishedName path to the item.
+	
+	.PARAMETER Server
+		The server / domain to connect to.
+		
+	.PARAMETER Credential
+		The credentials to use for AD operations.
+	
+	.PARAMETER EnableException
+		This parameters disables user-friendly warnings and enables the throwing of exceptions.
+		This is less user friendly, but allows catching exceptions in calling scripts.
+	
+	.EXAMPLE
+		PS C:\> Get-ADUser -Filter * | Get-AdsAcl
+		
+		Returns the ACL of every user in the domain.
+#>
+	[OutputType([System.DirectoryServices.ActiveDirectorySecurity])]
+	[CmdletBinding()]
+	param (
+		[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+		[Alias('DistinguishedName')]
+		[string[]]
+		$Path,
+		
+		[string]
+		$Server,
+		
+		[System.Management.Automation.PSCredential]
+		$Credential,
+		
+		[switch]
+		$EnableException
+	)
+	
+	begin
+	{
+		$adParameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
+		Assert-ADConnection @adParameters -Cmdlet $PSCmdlet
+	}
+	process
+	{
+		if (Test-PSFFunctionInterrupt) { return }
+		
+		foreach ($pathItem in $Path)
+		{
+			try { $adObject = Get-ADObject @adParameters -Identity $pathItem -Properties ntSecurityDescriptor }
+			catch { Stop-PSFFunction -String 'Get-AdsAcl.ObjectError' -StringValues $pathItem -Target $pathItem -EnableException $EnableException -Cmdlet $PSCmdlet -ErrorRecord $_ -Continue }
+			$adObject.ntSecurityDescriptor | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $adObject.DistinguishedName -PassThru
+		}
+	}
+}

ADSec/functions/acl/Get-AdsOrphanAce.ps1

@@ -0,0 +1,116 @@
+function Get-AdsOrphanAce
+{
+<#
+	.SYNOPSIS
+		Returns list of all access rules that have an unresolveable identity.
+	
+	.DESCRIPTION
+		Returns list of all access rules that have an unresolveable identity.
+		This is aimed at identifying and help remediating orphaned SIDs in active directory.
+	
+	.PARAMETER Path
+		The full distinguished name to the object to scan.
+	
+	.PARAMETER ExcludeDomainSID
+		SIDs from the specified domain SIDs will be ignored.
+		Use this to safely handle one-way trust where ID resolution is impossible for some IDs.
+	
+	.PARAMETER IncludeDomainSID
+		If specified, only unresolved identities from the specified SIDs will be listed.
+		Use this to safely target only rules from your owned domains in the targeted domain.
+	
+	.PARAMETER Server
+		The server / domain to connect to.
+		
+	.PARAMETER Credential
+		The credentials to use for AD operations.
+	
+	.PARAMETER EnableException
+		This parameters disables user-friendly warnings and enables the throwing of exceptions.
+		This is less user friendly, but allows catching exceptions in calling scripts.
+	
+	.EXAMPLE
+		PS C:\> Get-ADObject -LDAPFillter '(objectCategory=*)' | Get-AdsOrphanAce
+	
+		Scans all objects in the current domain for orphaned access rules.
+#>
+	[CmdletBinding()]
+	param (
+		[Parameter(ValueFromPipeline = $true, Mandatory = $true)]
+		[string[]]
+		$Path,
+		
+		[string[]]
+		$ExcludeDomainSID,
+		
+		[string[]]
+		$IncludeDomainSID,
+		
+		[string]
+		$Server,
+		
+		[System.Management.Automation.PSCredential]
+		$Credential,
+		
+		[switch]
+		$EnableException
+	)
+	
+	begin
+	{
+		$adParameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
+		Assert-ADConnection @adParameters -Cmdlet $PSCmdlet
+		
+		function Write-Result
+		{
+			[CmdletBinding()]
+			param (
+				[string]
+				$Path,
+				
+				[System.DirectoryServices.ActiveDirectoryAccessRule]
+				$AccessRule
+			)
+			
+			[PSCustomObject]@{
+				PSTypeName = 'ADSec.AccessRule'
+				Path	   = $Path
+				Identity   = $AccessRule.IdentityReference
+				ADRights   = $AccessRule.ActiveDirectoryRights
+				Type	   = $AccessRule.AccessControlType
+				ObjectType = $AccessRule.ObjectType
+				InheritedOpectType = $AccessRule.InheritedObjectType
+				Rule	   = $AccessRule
+			}
+		}
+		
+		# Wrap as nested pipeline to avoid asserting connection each time
+		$scriptCmd = { Get-AdsAcl @adParameters -EnableException:$EnableException }
+		$getAdsAcl = $scriptCmd.GetSteppablePipeline()
+		$getAdsAcl.Begin($true)
+	}
+	process
+	{
+		foreach ($pathItem in $Path)
+		{
+			try { $getAdsAcl.Process($pathItem) }
+			catch { Stop-PSFFunction -String 'Get-AdsOrphanAce.Read.Failed' -StringValues $pathItem -EnableException $EnableException -ErrorRecord $_ -Cmdlet $PSCmdlet -Continue }
+			if (-not $acl) { Stop-PSFFunction -String 'Get-AdsOrphanAce.Read.Failed' -StringValues $pathItem -EnableException $EnableException -Cmdlet $PSCmdlet -Continue }
+			
+			foreach ($rule in $acl.Access)
+			{
+				if ($rule.IdentityReference -is [System.Security.Principal.NTAccount]) { continue }
+				
+				if ($rule.IdentityReference.AccountDomainSID.Value -in $ExcludeDomainSID) { continue }
+				if ($IncludeDomainSID -and ($rule.IdentityReference.AccountDomainSID.Value -notin $IncludeDomainSID)) { continue }
+				
+				try { $null = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]) }
+				catch { Write-Result -Path $pathItem -AccessRule $rule }
+			}
+		}
+	}
+	end
+	{
+		$getAdsAcl.End()
+	}
+}

ADSec/functions/acl/Remove-AdsOrphanAce.ps1

@@ -0,0 +1,153 @@
+function Remove-AdsOrphanAce
+{
+<#
+	.SYNOPSIS
+		Removes all access rules that have an unresolveable identity.
+	
+	.DESCRIPTION
+		Removes all access rules that have an unresolveable identity.
+		This is aimed at identifying and remediating orphaned SIDs in active directory.
+	
+	.PARAMETER Path
+		The full distinguished name to the object to clean.
+	
+	.PARAMETER ExcludeDomainSID
+		SIDs from the specified domain SIDs will be ignored.
+		Use this to safely handle one-way trust where ID resolution is impossible for some IDs.
+	
+	.PARAMETER IncludeDomainSID
+		If specified, only unresolved identities from the specified SIDs will be listed.
+		Use this to safely target only rules from your owned domains in the targeted domain.
+	
+	.PARAMETER Server
+		The server / domain to connect to.
+		
+	.PARAMETER Credential
+		The credentials to use for AD operations.
+	
+	.PARAMETER EnableException
+		This parameters disables user-friendly warnings and enables the throwing of exceptions.
+		This is less user friendly, but allows catching exceptions in calling scripts.
+	
+	.PARAMETER Confirm
+		If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.
+	
+	.PARAMETER WhatIf
+		If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.
+	
+	.EXAMPLE
+		PS C:\> Get-ADObject -LDAPFillter '(objectCategory=*)' | Remove-AdsOrphanAce
+	
+		Purges all objects in the current domain from orphaned access rules.
+#>
+	[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
+	param (
+		[Parameter(ValueFromPipeline = $true, Mandatory = $true)]
+		[string[]]
+		$Path,
+		
+		[string[]]
+		$ExcludeDomainSID,
+		
+		[string[]]
+		$IncludeDomainSID,
+		
+		[string]
+		$Server,
+		
+		[System.Management.Automation.PSCredential]
+		$Credential,
+		
+		[switch]
+		$EnableException
+	)
+	
+	begin
+	{
+		$adParameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
+		Assert-ADConnection @adParameters -Cmdlet $PSCmdlet
+		
+		function Write-Result
+		{
+			[CmdletBinding()]
+			param (
+				[string]
+				$Path,
+				
+				[System.DirectoryServices.ActiveDirectoryAccessRule]
+				$AccessRule,
+				
+				[ValidateSet('Deleted', 'Failed')]
+				[string]
+				$Action,
+				
+				[System.Management.Automation.ErrorRecord]
+				$ErrorRecord
+			)
+			
+			[PSCustomObject]@{
+				PSTypeName = 'ADSec.AccessRule'
+				Path	   = $Path
+				Identity   = $AccessRule.IdentityReference
+				Action	   = $Action
+				ADRights   = $AccessRule.ActiveDirectoryRights
+				Type	   = $AccessRule.AccessControlType
+				ObjectType = $AccessRule.ObjectType
+				InheritedOpectType = $AccessRule.InheritedObjectType
+				Rule	   = $AccessRule
+				Error	   = $ErrorRecord
+			}
+		}
+		
+		# Wrap as nested pipeline to avoid asserting connection each time
+		$scriptCmd = { Get-AdsAcl @adParameters -EnableException:$EnableException }
+		$getAdsAcl = $scriptCmd.GetSteppablePipeline()
+		$getAdsAcl.Begin($true)
+	}
+	process
+	{
+		foreach ($pathItem in $Path)
+		{
+			Write-PSFMessage -Level Verbose -String 'Remove-AdsOrphanAce.Searching' -StringValues $pathItem
+			try { $acl = $getAdsAcl.Process($pathItem) }
+			catch { Stop-PSFFunction -String 'Remove-AdsOrphanAce.Read.Failed' -StringValues $pathItem -EnableException $EnableException -ErrorRecord $_ -Cmdlet $PSCmdlet -Continue }
+			if (-not $acl) { Stop-PSFFunction -String 'Remove-AdsOrphanAce.Read.Failed' -StringValues $pathItem -EnableException $EnableException -Cmdlet $PSCmdlet -Continue }
+			
+			$rulesToPurge = foreach ($rule in $acl.Access)
+			{
+				if ($rule.IdentityReference -is [System.Security.Principal.NTAccount]) { continue }
+				if ($rule.IdentityReference.AccountDomainSID.Value -in $ExcludeDomainSID) { continue }
+				if ($IncludeDomainSID -and ($rule.IdentityReference.AccountDomainSID.Value -notin $IncludeDomainSID)) { continue }
+				
+				try { $null = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]) }
+				catch
+				{
+					$null = $acl.RemoveAccessRule($rule)
+					$rule
+				}
+			}
+			if (-not $rulesToPurge)
+			{
+				Write-PSFMessage -Level Verbose -String 'Remove-AdsOrphanAce.NoOrphans' -StringValues $pathItem
+				continue
+			}
+			
+			Invoke-PSFProtectedCommand -ActionString 'Remove-AdsOrphanAce.Removing' -ActionStringValues ($rulesToPurge | Measure-Object).Count -Target $pathItem -ScriptBlock {
+				try
+				{
+					Set-ADObject @adParameters -Identity $pathItem -Replace @{ ntSecurityDescriptor = $acl } -ErrorAction Stop
+					foreach ($rule in $rulesToPurge) { Write-Result -Path $pathItem -AccessRule $rule -Action Deleted }
+				}
+				catch
+				{
+					foreach ($rule in $rulesToPurge) { Write-Result -Path $pathItem -AccessRule $rule -Action Failed -ErrorRecord $_ }
+					throw
+				}
+			} -EnableException $EnableException.ToBool() -PSCmdlet $PSCmdlet -Continue
+		}
+	}
+	end
+	{
+		$getAdsAcl.End()
+	}
+}