- The user MUST be logged into the machine, too (the target only holds RSoP data for a user who has logged on to it, so gpresult has nothing to report for anyone else).
First, it forces a Group Policy update on that machine. Then it audits the machine for all applied domain policies (computer scope and user scope) and lists them out nicely, followed by the security groups the user is a member of.
I added about 90 lines to this thing by including the 'Well Known Groups' found on this page:
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
This is so the script can point out 'Well Known Groups' when it lists the security groups the user is a part of. 'Well Known Groups' don't all have an AD directory entry (they are fixed SIDs defined by Windows, such as S-1-1-0 for Everyone or S-1-5-32-544 for BUILTIN\Administrators), so they may not always be recognized by the person running this.
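As an added example (not part of the original script), here is a way to make the same "well known" call from the SID instead of from a name list, which also catches well-known principals a hand-typed list misses. It assumes a domain-joined host that can reach a DC for name-to-SID translation; the sample group lines and the SID table are constructed, and the domain SID in them is made up.

```powershell
# Added example, not the original script. Assumes a domain-joined host for NTAccount -> SID
# translation; the sample lines and SID table at the bottom are constructed.

function Get-SidClass {
    param([Parameter(Mandatory)][string]$Sid)
    # Anything an admin can create (users, groups, computers) lives under a domain or machine SID,
    # S-1-5-21-<three sub-authorities>-<RID>, and gets a RID of 1000 or higher. RIDs below 1000 in
    # that range are reserved by Windows (500 Administrator, 512 Domain Admins, 513 Domain Users...).
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        if ([int]$Matches[1] -lt 1000) { return 'WellKnown' } else { return 'Custom' }
    }
    # Everything outside S-1-5-21 is defined by Windows itself: S-1-1-0 Everyone, S-1-5-32-544
    # BUILTIN\Administrators, S-1-5-4 INTERACTIVE, S-1-16-12288 High Mandatory Level,
    # S-1-18-1 Authentication authority asserted identity, and so on. Service and AppPool SIDs
    # (S-1-5-80 / S-1-5-82) are derived from names rather than created by admins, so they land
    # here as well; they are not AD groups either.
    return 'WellKnown'
}

function Resolve-GroupSid {
    param([Parameter(Mandatory)][string]$Name)
    # gpresult prints a raw SID when it cannot resolve a name (deleted group, unreachable trust).
    if ($Name -match '^S-1-') { return $Name }
    try {
        # Unqualified names (gpresult prints domain groups without a DOMAIN\ prefix) are looked up
        # against built-in, local and then the machine's own domain.
        return ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

function Get-GroupReport {
    param(
        [Parameter(Mandatory)][string[]]$GroupLines,  # lines under "The user is a part of..."
        [hashtable]$SidLookup = @{}                    # optional offline name -> SID table
    )
    foreach ($line in $GroupLines) {
        $name = $line.Trim()
        if (-not $name -or $name -match '^-+$') { continue }   # blank lines and the dashed underline
        $sid = if ($SidLookup.ContainsKey($name)) { $SidLookup[$name] } else { Resolve-GroupSid $name }
        $class = if ($sid) { Get-SidClass $sid } else { 'Unresolved' }
        [pscustomobject]@{ Name = $name; Sid = $sid; Class = $class }
    }
}

# Constructed sample in the shape gpresult /R prints (indented, BUILTIN\ and NT AUTHORITY\ kept).
$sampleLines = @(
    '        Domain Users'
    '        Everyone'
    '        BUILTIN\Administrators'
    '        BUILTIN\Users'
    '        NT AUTHORITY\INTERACTIVE'
    '        Citrix Admins'
    '        High Mandatory Level'
    '        Authentication authority asserted identity'
)
# Offline lookup so the sample runs without a DC; the domain SID below is invented.
$sampleSids = @{
    'Domain Users'             = 'S-1-5-21-1004336348-1177238915-682003330-513'
    'Everyone'                 = 'S-1-1-0'
    'BUILTIN\Administrators'   = 'S-1-5-32-544'
    'BUILTIN\Users'            = 'S-1-5-32-545'
    'NT AUTHORITY\INTERACTIVE' = 'S-1-5-4'
    'Citrix Admins'            = 'S-1-5-21-1004336348-1177238915-682003330-1105'
    'High Mandatory Level'     = 'S-1-16-12288'
    'Authentication authority asserted identity' = 'S-1-18-1'
}

Get-GroupReport -GroupLines $sampleLines -SidLookup $sampleSids | Format-Table -AutoSize
# Against a live target, drop -SidLookup and pass the group lines sliced out of gpresult /R.
```

In the sample, only "Citrix Admins" (RID 1105) comes out as Custom; everything else is WellKnown, including the S-1-18-1 and S-1-16 entries that the name list on this page does not carry.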
~ Note - About the Test-WSMan, PsExec, and the winrm config...
~ These just make sure WinRM is enabled; 'Invoke-Command' requires WinRM.
~ The PsExec fallback needs admin rights on the target over SMB (ADMIN$), and 'winrm quickconfig' is a change, not just a check: it starts the WinRM service, creates an HTTP listener on TCP 5985 and adds a firewall exception on the target.
Script is below - Here is a sample output:
RSOP data for DOMAIN\Username on DomainComputerName
COMPUTER:
    Last time Group Policy was applied: 7/16/2020 at 9:31:53 AM
    Applied Group Policy Objects
    -----------------------------
        LAPS
        Office Workstations
        Workstation Ownership
        Windows 10 restrictions
        Citrix Receiver Config
        Citrix Keyboard settings
        WSUS - KACE Patching
        Printers - Delete old printers from workstations
        Default Domain Policy
        Disable EFS
        Enable WMI
        AWN Audit Policy
        Local Group Policy

RSOP data for DOMAIN\Username on DomainComputerName
USER:
    Last time Group Policy was applied: 7/16/2020 at 9:31:56 AM
    Applied Group Policy Objects
    -----------------------------
        Auto Screen-Lock
        C-Systems Registry Settings
        Office Users
        Disable Outlook Credential Saving
        Office Drive Maps
        Printers - Delete old printers from workstations
        Disable Outlook Junk Email feature
        Printers – Western City
        Printers – Remote Office
        Default Domain Policy
        Local Group Policy

RSOP data for DOMAIN\Username on DomainComputerName
    The user is a part of the following security groups
    ---------------------------------------------------
     Administration Share ('Vendor and Customer Forms') Drive Map
     ASG Remote Desktop Users
     Authentication authority asserted identity
     Auto-Lock
     Administrators (Well Known Group)
     Users (Well Known Group)
     Citrix Admins
     Citrix App-Chrome
     Citrix App-EquipSoft
     Citrix App-Excel
     Citrix App-FaxFinder
     Citrix App-File Explorer
     Citrix App-Internet Explorer
     Citrix App-New Farm Testers
     Citrix App-OneNote
     Citrix App-Outlook
     Citrix App-PowerPoint
     Citrix App-Publisher
     Citrix App-Word
     HQ Share Drive Map
     CONSOLE LOGON (Well Known Group)
     Denied RODC Password Replication Group (Well Known Group)
     Domain Admins (Well Known Group)
     Domain Users (Well Known Group)
     Elevated Security
     EMLibrary Users
     Everyone (Well Known Group)
     High Mandatory Level (Well Known Group)
     Remote Share Drive Map
     Intact Editors - CB - All
     K1000 Admins
     KACEApp-Aspen
     KACEApp-OpenVPN
     KACEApp-ShoreTel
     Liquid Files Users
     LOCAL (Well Known Group)
     Middletown Share Drive Map
     Authenticated Users (Well Known Group)
     INTERACTIVE (Well Known Group)
     Office 365 Enterprise Users
     Orion Admin Users
     Printers - Accounting3
     Printers – Western City
     Self Service Password Reset
     SolarWinds DPA - Read Only Admins
     SonicWall - VPN Access
     Sophos DB Users
     SophosAdministrator
     SophosUser
     TdFUsers
     Terminal Server Users (Well Known Group)
     This Organization (Well Known Group)
     Twinsburg Share Drive Map
     VMware Virtual Machine Power Users
     Western City Share Drive Map
     Zoom Pro
$TargetPC    = "DomainComputerName"
$Target_User = "Username"

# Test-WSMan returns nothing (and writes an error) when WinRM is not listening on the target.
$TestCommand = Test-WSMan -ComputerName $TargetPC -ErrorAction SilentlyContinue
If (!$TestCommand) {
    # Fall back to PsExec over SMB (needs admin rights on the target) and run winrm quickconfig as SYSTEM.
    # This changes the target: it starts WinRM, creates an HTTP listener and adds a firewall exception.
    & "C:\SysInternals\PsExec.exe" -s -nobanner "\\$TargetPC" /accepteula cmd /c "c:\windows\system32\winrm.cmd quickconfig -quiet"
    $TestCommand = Test-WSMan -ComputerName $TargetPC -ErrorAction SilentlyContinue
    If (!$TestCommand) {
        Write-Host "Windows Remote Management (WinRM) did not enable... Can't run this - EXITING." -ForegroundColor Yellow -BackgroundColor DarkMagenta
        return
    }
}

Write-Host "Forcing Group policy to update..." -ForegroundColor Green -BackgroundColor DarkGray
Invoke-Command -ComputerName $TargetPC { gpupdate /force }

Write-Host "Gathering Group policy info..." -ForegroundColor Yellow -BackgroundColor DarkGreen
# gpresult /R prints the COMPUTER section first and the USER section second, so the first (Minimum)
# hit of each header belongs to the computer and the last (Maximum) hit to the user.
$GPO_out = gpresult /s $TargetPC /user $Target_User /R

# "RSOP data for DOMAIN\User on COMPUTER : Logging Mode" -> keep the part before the colon
$RSOP = (($GPO_out | ? { $_ -match "RSOP data for " } | Select-Object -First 1).Split(':')[0]).Trim()

# Select-String line numbers are 1-based, $GPO_out indexes are 0-based, hence the -1.
# The slice ends two lines before the "not applied" header, i.e. on the blank line after the last GPO.
$ComputerPolicyTime       = ((($GPO_out | Select-String "Last time Group Policy was applied").LineNumber | measure -Minimum).Minimum) - 1
$ComputerSettingsPolicy00 = ((($GPO_out | Select-String "Applied Group Policy Objects").LineNumber | measure -Minimum).Minimum) - 1
$ComputerSettingsPolicy01 = ((($GPO_out | Select-String "The following GPOs were not applied because they were filtered out").LineNumber | measure -Minimum).Minimum) - 2

Write-Host $RSOP -ForegroundColor Green -BackgroundColor DarkGreen
Write-Host "COMPUTER: " -ForegroundColor Yellow
$GPO_out[$ComputerPolicyTime]
$GPO_out[$ComputerSettingsPolicy00..$ComputerSettingsPolicy01]

$UserPolicyTime       = ((($GPO_out | Select-String "Last time Group Policy was applied").LineNumber | measure -Maximum).Maximum) - 1
$UserSettingsPolicy00 = ((($GPO_out | Select-String "Applied Group Policy Objects").LineNumber | measure -Maximum).Maximum) - 1
$UserSettingsPolicy01 = ((($GPO_out | Select-String "The following GPOs were not applied because they were filtered out").LineNumber | measure -Maximum).Maximum) - 2

Write-Host $RSOP -ForegroundColor Green -BackgroundColor DarkGreen
Write-Host "USER: " -ForegroundColor Yellow
$GPO_out[$UserPolicyTime]
$GPO_out[$UserSettingsPolicy00..$UserSettingsPolicy01]

# Names taken from the well-known SIDs page linked above, one per line.
$WellKnownSecurityGroups = @"
Access Control Assistance Operators
Account Operators
Administrator
Administrators
All Services
Allowed RODC Password Replication Group
Anonymous
Authenticated Users
Backup Operators
Batch
Cert Publishers
Certificate Service DCOM Access
Cloneable Domain Controllers
Console Logon
Creator Authority
Creator Group
Creator Group Server
Creator Owner
Creator Owner Server
Cryptographic Operators
Denied RODC Password Replication Group
Dialup
Digest Authentication
Distributed COM Users
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Enterprise Domain Controllers
Enterprise Key Admins
Enterprise Read-only Domain Controllers
Event Log Readers
Everyone
Group Policy Creator Owners
Guest
Guests
High Mandatory Level
Hyper-V Administrators
Incoming Forest Trust Builders
Interactive
Key Admins
KRBTGT
Local
Local Authority
Local System
Logon Session
Low Mandatory Level
Medium Mandatory Level
Medium Plus Mandatory Level
Network
Network Configuration Operators
Nobody
Non-unique Authority
NT Authority
NT Service
NT Services\All Services
NT Virtual Machine\Virtual Machines
NTLM Authentication
Null Authority
Owner Rights
Performance Log Users
Performance Monitor Users
Power Users
Pre-Windows 2000 Compatible Access
Principal Self
Print Operators
Protected Process Mandatory Level
Proxy
RAS and IAS Servers
RDS Endpoint Servers
RDS Management Servers
RDS Remote Access Servers
Read-only Domain Controllers
Remote Desktop Users
Remote Interactive Logon
Remote Management Users
Replicators
Restricted Code
SChannel Authentication
Schema Admins
Secure Process Mandatory Level
Server Operators
Service
Storage Replica Administrators
System Mandatory Level
Terminal Server License Servers
Terminal Server Users
This Organization
Untrusted Mandatory Level
Users
Windows Authorization Access Group
Windows Manager\Windows Manager Group
World Authority
"@ -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

Write-Host $RSOP -ForegroundColor Green -BackgroundColor DarkGreen
$UserSecurityGroups = ((($GPO_out | Select-String "The user is a part of the following security groups").LineNumber | measure -Maximum).Maximum) - 1
# Header line plus its dashed underline
$GPO_out[$UserSecurityGroups..($UserSecurityGroups + 1)] | % { Write-Host $_ -ForegroundColor Yellow }
$GPO_out[($UserSecurityGroups + 2)..($GPO_out.Count - 1)] | sort -Unique | % {
    If ($_.Length -gt 12) {   # skips blank and indent-only lines; group lines carry leading spaces
        # gpresult prefixes built-in and NT AUTHORITY principals; the list above uses bare names
        $Name = $_.Trim().Replace('BUILTIN\', '').Replace('NT AUTHORITY\', '')
        # Exact, case-insensitive comparison. -match would treat the group name as a regex,
        # so a custom group whose name is a substring of a well-known one would be mislabeled.
        If ($WellKnownSecurityGroups -contains $Name) {
            Write-Host " $Name" -NoNewline
            Write-Host " (Well Known Group)" -ForegroundColor Yellow
        }
        Else {
            Write-Host " $Name"
        }
    }
}
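The script above finds each section by the lowest and highest line number of a header and stops just before "The following GPOs were not applied because they were filtered out". As an added example, not the original script, the parser below walks gpresult /R output section by section and keeps those filtered-out GPOs together with their reason, which is where a "why did this hardening policy not land" audit usually ends up. The sample text is a constructed excerpt in the shape gpresult /R prints; the GPO and host names in it are made up.

```powershell
# Added example, not the original script: parse gpresult /R output into objects instead of
# slicing by line number. $SampleGpresult is a constructed excerpt; names in it are made up.

function ConvertFrom-GpresultText {
    param([Parameter(Mandatory)][string[]]$Lines)
    $scope   = $null   # 'Computer' or 'User'
    $section = $null   # 'Applied', 'Filtered' or 'Group'
    $last    = $null   # most recent GPO object, so a "Filtering:" line can attach its reason
    $out = New-Object System.Collections.Generic.List[object]
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq 'COMPUTER SETTINGS') { $scope = 'Computer'; $section = $null; continue }
        if ($line -eq 'USER SETTINGS')     { $scope = 'User';     $section = $null; continue }
        if ($line -eq 'Applied Group Policy Objects') { $section = 'Applied'; continue }
        if ($line -eq 'The following GPOs were not applied because they were filtered out') { $section = 'Filtered'; continue }
        if ($line -match '^The (user|computer) is a part of the following security groups$') { $section = 'Group'; continue }
        if ($scope -and $line -match '^Last time Group Policy was applied:\s+(.+)$') {
            $out.Add([pscustomobject]@{ Scope = $scope; Kind = 'AppliedAt'; Name = $Matches[1]; Reason = $null })
            continue
        }
        # Metadata before the first header, blank lines and dashed underlines carry nothing we need.
        if (-not $scope -or -not $section -or -not $line -or $line -match '^-+$') { continue }
        if ($line -match '^Filtering:\s+(.+)$') {
            # e.g. "Denied (Security)", "Denied (WMI Filter)", "Not Applied (Empty)"
            if ($last) { $last.Reason = $Matches[1] }
            continue
        }
        $last = [pscustomobject]@{ Scope = $scope; Kind = $section; Name = $line; Reason = $null }
        $out.Add($last)
    }
    return $out
}

# Constructed excerpt in the shape gpresult /R prints (banner and OS lines omitted).
$SampleGpresult = @'
RSOP data for DOMAIN\Username on DomainComputerName : Logging Mode
-----------------------------------------------------------------

COMPUTER SETTINGS
------------------
    CN=DomainComputerName,OU=Workstations,DC=domain,DC=local
    Last time Group Policy was applied: 7/16/2020 at 9:31:53 AM
    Group Policy was applied from:      dc01.domain.local

    Applied Group Policy Objects
    -----------------------------
        LAPS
        Default Domain Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Disable EFS
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone

USER SETTINGS
--------------
    CN=Username,OU=Users,DC=domain,DC=local
    Last time Group Policy was applied: 7/16/2020 at 9:31:56 AM

    Applied Group Policy Objects
    -----------------------------
        Auto Screen-Lock
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
'@ -split "`r?`n"

$rsop = ConvertFrom-GpresultText -Lines $SampleGpresult
$rsop | Where-Object Kind -eq 'Filtered' | Format-Table Scope, Name, Reason -AutoSize
# Live target: ConvertFrom-GpresultText -Lines (gpresult /s $TargetPC /user $Target_User /R)
```

On the sample this reports "Disable EFS" as filtered in Computer scope with reason "Denied (Security)" and "Local Group Policy" in User scope as "Not Applied (Empty)". A "Denied (Security)" entry means the computer or user account is not granted Read and Apply Group Policy on that GPO, so the object is linked but the security filtering keeps it from applying; an empty one is harmless. Because the parser keys on the section headers rather than on line offsets, it does not care how many GPOs or groups each section holds.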