Merge pull request #47 from AsBuiltReport/dev

v0.7.4 public release

AsBuiltReport.Microsoft.AD.psd1

@@ -12,7 +12,7 @@
 RootModule = 'AsBuiltReport.Microsoft.AD.psm1'
 
 # Version number of this module.
-ModuleVersion = '0.7.3'
+ModuleVersion = '0.7.4'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -59,14 +59,6 @@ RequiredModules = @(
     @{
         ModuleName = 'PSPKI';
         ModuleVersion = '3.7.2'
-    },
-    @{
-        ModuleName = 'PSSharedGoods';
-        ModuleVersion = '0.0.224'
-    },
-    @{
-        ModuleName = 'PSWriteColor';
-        ModuleVersion = '0.87.3'
     }
 )
 

CHANGELOG.md

@@ -1,5 +1,14 @@
 # :arrows_clockwise: Microsoft AD As Built Report Changelog
 
+## [0.7.4] - 2022-xx-xx
+### Changed
+
+- Access well known groups via SID to include international names and expand them to localized group names.
+- Removed PSSharedGoods/PSWriteColor module dependency
+
+### Fixed
+
+- Fixes [#42](https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD/issues/42)
 ## [0.7.3] - 2022-05-13
 
 ### Added

README.md

@@ -24,6 +24,9 @@
             <img src="https://img.shields.io/twitter/follow/AsBuiltReport.svg?style=social"/></a>
 </p>
 <!-- ********** DO NOT EDIT THESE LINKS ********** -->
+<p align="center">
+    <a href='https://ko-fi.com/F1F8DEV80' target='_blank'><img height='36' style='border:0px;height:36px;' src='https://cdn.ko-fi.com/cdn/kofi1.png?v=3'            border='0' alt='Buy Me a Coffee at ko-fi.com' /></a>
+</p>
 
 # Microsoft AD As Built Report
 
@@ -68,8 +71,6 @@ PowerShell 5.1 or PowerShell 7, and the following PowerShell modules are require
 - [GroupPolicy Module](https://docs.microsoft.com/en-us/powershell/module/grouppolicy/?view=windowsserver2019-ps)
 - [DhcpServer Module](https://docs.microsoft.com/en-us/powershell/module/dhcpserver/?view=windowsserver2019-ps)
 - [DnsServer Module](https://docs.microsoft.com/en-us/powershell/module/dnsserver/?view=windowsserver2019-ps)
-- [PSSharedGoods Module](https://www.powershellgallery.com/packages/PSSharedGoods/)
-- [PSWriteColor Module](https://www.powershellgallery.com/packages/PSWriteColor/0.87.3)
 
 ### Linux & macOS
 
@@ -88,8 +89,6 @@ Due to a limitation of the WinRM component, a domain-joined machine is needed, a
 <!-- ********** Add installation for any additional PowerShell module(s) ********** -->
 ```powershell
 Install-Module -Name PSPKI
-Install-Module -Name PSWriteColor
-Install-Module -Name PSSharedGoods
 Install-Module -Name AsBuiltReport.Microsoft.AD
 Install-WindowsFeature -Name RSAT-AD-PowerShell
 Install-WindowsFeature -Name RSAT-DNS-Server
@@ -101,8 +100,6 @@ Install-WindowsFeature -Name GPMC
 <!-- ********** Add installation for any additional PowerShell module(s) ********** -->
 ```powershell
 Install-Module -Name PSPKI
-Install-Module -Name PSWriteColor
-Install-Module -Name PSSharedGoods
 Install-Module -Name AsBuiltReport.Microsoft.AD
 Add-WindowsCapability -online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
 Add-WindowsCapability -online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'

Src/Private/Get-AbrADDomainObject.ps1

@@ -5,7 +5,7 @@ function Get-AbrADDomainObject {
     .DESCRIPTION
 
     .NOTES
-        Version:        0.7.2
+        Version:        0.7.4
         Author:         Jonathan Colon
         Twitter:        @jcolonfzenpr
         Github:         rebelinux
@@ -213,21 +213,37 @@ function Get-AbrADDomainObject {
                 if ($Domain) {
                     Write-PscriboMessage "Collecting Privileged Group in Active Directory."
                     try {
+                        $DomainSID = Invoke-Command -Session $TempPssSession {(Get-ADDomain -Identity $using:Domain).domainsid.Value}
                         $DC = Invoke-Command -Session $TempPssSession {Get-ADDomain -Identity $using:Domain | Select-Object -ExpandProperty ReplicaDirectoryServers | Select-Object -First 1}
-                        if ($Domain -eq (Get-ADForest).Name) {
-                            $Groups = 'Domain Admins','Enterprise Admins','Administrators','Server Operators','DnsAdmins','Remote Desktop Users','Incoming Forest Trust Builders','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators','Schema Admins'
+                        if ($Domain -eq $ADSystem.Name) {
+                            #$Groups = 'Domain Admins','Enterprise Admins','Administrators','Server Operators','DnsAdmins','Remote Desktop Users','Incoming Forest Trust Builders','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators','Schema Admins'
+                            $GroupsSID = "$DomainSID-512","$DomainSID-519",'S-1-5-32-544','S-1-5-32-549',"$DomainSID-1101",'S-1-5-32-555','S-1-5-32-557',"$DomainSID-526",'S-1-5-32-551',"$DomainSID-517",'S-1-5-32-550','S-1-5-32-548',"$DomainSID-518"
                         }
                         else {
-                            $Groups = 'Domain Admins','Server Operators','DnsAdmins','Remote Desktop Users','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators'
+                            #$Groups = 'Domain Admins','Server Operators','DnsAdmins','Remote Desktop Users','Key Admins','Backup Operators','Cert Publishers','Print Operators','Account Operators'
+                            $GroupsSID = "$DomainSID-512",'S-1-5-32-544','S-1-5-32-549',"$DomainSID-1101",'S-1-5-32-555','S-1-5-32-557',"$DomainSID-526",'S-1-5-32-551',"$DomainSID-517",'S-1-5-32-550','S-1-5-32-548'
                         }
-                        if ($Groups) {
-                            foreach ($Group in $Groups) {
-                                $GroupObject = Invoke-Command -Session $TempPssSession {Get-ADGroupMember -Server $using:DC -Identity $using:Group -Recursive -ErrorAction SilentlyContinue}
-                                $inObj = [ordered] @{
-                                    'Group Name' = $Group
-                                    'Count' = ($GroupObject | Measure-Object).Count
+                        if ($GroupsSID) {
+                            foreach ($GroupSID in $GroupsSID) {
+                                try {
+                                    $Group = Invoke-Command -Session $TempPssSession {Get-ADGroup -Server $using:DC -Filter * | Select-Object -Property SID,Name | Where-Object {$_.SID -like $using:GroupSID}}
+                                    if ($Group) {
+                                        Write-PscriboMessage "Collecting Privileged Group $($Group.Name) with SID $($Group.SID)"
+                                        $GroupObject = Invoke-Command -Session $TempPssSession {Get-ADGroupMember -Server $using:DC -Identity ($using:Group).Name -Recursive -ErrorAction SilentlyContinue}
+                                        $inObj = [ordered] @{
+                                            'Group Name' = $Group.Name
+                                            'Count' = ($GroupObject | Measure-Object).Count
+                                        }
+                                        $OutObj += [pscustomobject]$inobj
+                                    }
                                 }
-                                $OutObj += [pscustomobject]$inobj
+                                catch {
+                                    Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Privileged Group in Active Directory item)"
+                                }
+                            }
+
+                            if ($HealthCheck.Domain.Security) {
+                                $OutObj | Where-Object { $_.'Group Name' -eq 'Schema Admins' -and $_.Count -gt 1 } | Set-Style -Style Warning
                             }
 
                             $TableParams = @{
@@ -238,7 +254,11 @@ function Get-AbrADDomainObject {
                             if ($Report.ShowTableCaptions) {
                                 $TableParams['Caption'] = "- $($TableParams.Name)"
                             }
-                            $OutObj | Sort-Object -Property 'Group Name' |  Table @TableParams
+                            $OutObj | Sort-Object -Property 'Group Name' | Table @TableParams
+                            if ($HealthCheck.Domain.Security -and ($OutObj | Where-Object { $_.'Group Name' -eq 'Schema Admins' -and $_.Count -gt 1 })) {
+                                Paragraph "Health Check:" -Italic -Bold -Underline
+                                Paragraph "Secutiry Best Practice: The Schema Admins group is a privileged group in a forest root domain. Members of the Schema Admins group can make changes to the schema, which is the framework for the Active Directory forest. Changes to the schema are not frequently required. This group only contains the Built-in Administrator account by default. Additional accounts must only be added when changes to the schema are necessary and then must be removed." -Italic -Bold
+                            }
                         }
                     }
                     catch {

Src/Private/Get-AbrADSiteReplication.ps1

@@ -133,6 +133,7 @@ function Get-AbrADSiteReplication {
                                 if ($HealthCheck.Site.Replication -and ($OutObj | Where-Object {$NULL -notlike $_.'Last Error'})) {
                                     Paragraph "Health Check:" -Italic -Bold -Underline
                                     Paragraph "Best Practices: Failing SYSVOL replication may cause Group Policy problems." -Italic -Bold
+                                    BlankLine
                                 }
                             }
                             catch {