16 July, 2020

Remote Domain policy (GPO) audit - Per user, and computer.

The following PowerShell script (run it in ISE) will, when given a computer hostname and a domain user's username...
 - The user MUST be logged into that machine, too.

First, force-update the domain policy on that machine. Then...

Audit that machine for all applied domain policies, etc.

And list them out nicely.

I added about 90 lines to this thing, by including the 'Well Known Groups' found on this page:
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems


This is to then point out 'Well Known Groups' when the script is listing the security groups the user is a part of... 'Well Known Groups' don't all have an AD Directory entry, so they may not always be recognized by the person running this.

   ~ Note - About the Test-WSMan, PsExec, and the winrm config...
    ~ These just make sure WinRM is enabled.
     ~ 'Invoke-Command' requires WinRM.


Script is below - Here is a sample output:



RSOP data for DOMAIN\Username on DomainComputerName
COMPUTER:
    Last time Group Policy was applied: 7/16/2020 at 9:31:53 AM
    Applied Group Policy Objects
    -----------------------------
        LAPS
        Office Workstations
        Workstation Ownership
        Windows 10 restrictions
        Citrix Receiver Config
        Citrix Keyboard settings
        WSUS - KACE Patching
        Printers - Delete old printers from workstations
        Default Domain Policy
        Disable EFS
        Enable WMI
        AWN Audit Policy
        Local Group Policy

RSOP data for DOMAIN\Username on DomainComputerName
USER:
    Last time Group Policy was applied: 7/16/2020 at 9:31:56 AM
    Applied Group Policy Objects
    -----------------------------
        Auto Screen-Lock
        C-Systems Registry Settings
        Office Users
        Disable Outlook Credential Saving
        Office Drive Maps
        Printers - Delete old printers from workstations
        Disable Outlook Junk Email feature
        Printers Western City
        Printers Remote Office
        Default Domain Policy
        Local Group Policy

RSOP data for DOMAIN\Username on DomainComputerName
    The user is a part of the following security groups
    ---------------------------------------------------
        Administration Share ('Vendor and Customer Forms') Drive Map
        ASG Remote Desktop Users
        Authentication authority asserted identity
        Auto-Lock
        Administrators (Well Known Group)
        Users (Well Known Group)
        Citrix Admins
        Citrix App-Chrome
        Citrix App-EquipSoft
        Citrix App-Excel
        Citrix App-FaxFinder
        Citrix App-File Explorer
        Citrix App-Internet Explorer
        Citrix App-New Farm Testers
        Citrix App-OneNote
        Citrix App-Outlook
        Citrix App-PowerPoint
        Citrix App-Publisher
        Citrix App-Word
        HQ Share Drive Map
        CONSOLE LOGON (Well Known Group)
        Denied RODC Password Replication Group (Well Known Group)
        Domain Admins (Well Known Group)
        Domain Users (Well Known Group)
        Elevated Security
        EMLibrary Users
        Everyone (Well Known Group)
        High Mandatory Level (Well Known Group)
        Remote Share Drive Map
        Intact Editors - CB - All
        K1000 Admins
        KACEApp-Aspen
        KACEApp-OpenVPN
        KACEApp-ShoreTel
        Liquid Files Users
        LOCAL (Well Known Group)
        Middletown Share Drive Map
        Authenticated Users (Well Known Group)
        INTERACTIVE (Well Known Group)
        Office 365 Enterprise Users
        Orion Admin Users
        Printers - Accounting3
        Printers Western City
        Self Service Password Reset
        SolarWinds DPA - Read Only Admins
        SonicWall - VPN Access
        Sophos DB Users
        SophosAdministrator
        SophosUser
        TdFUsers
        Terminal Server Users (Well Known Group)
        This Organization (Well Known Group)
        Twinsburg Share Drive Map
        VMware Virtual Machine Power Users
        Western City Share Drive Map
        Zoom Pro




$TargetPC = "DomainComputerName"
$Target_User = "Username"

# Check WinRM on the target. If it isn't answering, enable it through PsExec (runs as SYSTEM) and re-test.
$TestCommand = $null
$TestCommand = Test-WSMan -ComputerName $TargetPC -ErrorAction SilentlyContinue
If (!($TestCommand)){C:\SysInternals\PsExec.exe -s -nobanner \\$TargetPC /accepteula cmd /c "c:\windows\system32\winrm.cmd quickconfig -quiet"}

If (!($TestCommand)){
$TestCommand = Test-WSMan -ComputerName $TargetPC -ErrorAction SilentlyContinue
If (!($TestCommand)){Write-Host "Windows Remote Management (WinRM) did not enable... Can't run this - EXITING." -ForegroundColor Yellow -BackgroundColor DarkMagenta; Return }
}

Write-Host "Forcing Group policy to update..." -ForegroundColor Green -BackgroundColor DarkGray
Invoke-Command -ComputerName $TargetPC {gpupdate /force}   # needs WinRM on the target
Write-Host "Gathering Group policy info..." -ForegroundColor Yellow -BackgroundColor DarkGreen
$GPO_out = gpresult /s $TargetPC /user $Target_User /R   # RSoP summary for that user on that machine; captured as one string per line

# Header line, e.g. "RSOP data for DOMAIN\Username on DomainComputerName : Logging Mode" - keep the part before the colon
$RSOP = (($GPO_out | ? {$_ -match "RSOP data for "}).Split(':')[0]).Trim()

# gpresult prints COMPUTER SETTINGS first, so the lowest line numbers belong to the computer section
# (Select-String's LineNumber is 1-based; subtract 1 to get the array index).
$ComputerPolicyTime = (((($GPO_out) | select-String "Last time Group Policy was applied" ).LineNumber | measure -Minimum).Minimum) - 1
$ComputerSettingsPolicy00 = (((($GPO_out) | select-String "Applied Group Policy Objects" ).LineNumber | measure -Minimum).Minimum) - 1
$ComputerSettingsPolicy01 = (((($GPO_out) | select-String "The following GPOs were not applied because they were filtered out" ).LineNumber | measure -Minimum).Minimum) -2
Write-Host $RSOP -ForegroundColor Green -BackgroundColor DarkGreen
Write-Host "COMPUTER: " -ForegroundColor Yellow
$GPO_out[$ComputerPolicyTime]
$GPO_out[$ComputerSettingsPolicy00..$ComputerSettingsPolicy01]

# USER SETTINGS comes second, so the highest line numbers belong to the user section.
$UserPolicyTime = (((($GPO_out) | select-String "Last time Group Policy was applied" ).LineNumber | measure -Maximum).Maximum)  - 1
$UserSettingsPolicy00 = (((($GPO_out) | select-String "Applied Group Policy Objects" ).LineNumber | measure -Maximum).Maximum) - 1
$UserSettingsPolicy01 = (((($GPO_out) | select-String "The following GPOs were not applied because they were filtered out" ).LineNumber | measure -Maximum).Maximum) -2
Write-Host $RSOP -ForegroundColor Green -BackgroundColor DarkGreen
Write-Host "USER: " -ForegroundColor Yellow
$GPO_out[$UserPolicyTime]
$GPO_out[$UserSettingsPolicy00..$UserSettingsPolicy01]

# Well-known group names (from the Microsoft well-known SIDs page linked above), one per line; split into an array below.
$WellKnownSecurityGroups = ("Access Control Assistance Operators
Account Operators
Administrator
Administrators
All Services
Allowed RODC Password Replication Group
Anonymous
Authenticated Users
Backup Operators
Batch
Cert Publishers
Certificate Service DCOM Access
Cloneable Domain Controllers
Console Logon
Creator Authority
Creator Group
Creator Group Server
Creator Owner
Creator Owner Server
Cryptographic Operators
Denied RODC Password Replication Group
Dialup
Digest Authentication
Distributed COM Users
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Enterprise Domain Controllers
Enterprise Key Admins
Enterprise Read-only Domain Controllers
Event Log Readers
Everyone
Group Policy Creator Owners
Guest
Guests
High Mandatory Level
Hyper-V Administrators
Incoming Forest Trust Builders
Interactive
Key Admins
KRBTGT
Local
Local Authority
Local System
Logon Session
Low Mandatory Level
Medium Mandatory Level
Medium Plus Mandatory Level
Name
Network
Network Configuration Operators
Nobody
Non-unique Authority
NT Authority
NT Service
NT Services\All Services
NT Virtual Machine\Virtual Machines
NTLM Authentication
Null Authority
Owner Rights
Performance Log Users
Performance Monitor Users
Power Users
Pre-Windows 2000 Compatible Access
Principal Self
Print Operators
Protected Process Mandatory Level
Proxy
RAS and IAS Servers
RDS Endpoint Servers
RDS Management Servers
RDS Remote Access Servers
Read-only Domain Controllers
Remote Desktop Users
Remote Interactive Logon
Remote Management Users
Replicators
Restricted Code
SChannel Authentication
Schema Admins
Secure Process Mandatory Level
Server Operators
Service
Storage Replica Administrators
System Mandatory Level
Terminal Server License Servers
Terminal Server Users
This Organization
Untrusted Mandatory Level
Users
Windows Authorization Access Group
Windows Manager\Windows Manager Group
World Authority
").Split("`n|`r",[System.StringSplitOptions]::RemoveEmptyEntries)

Write-Host $RSOP -ForegroundColor Green -BackgroundColor DarkGreen
# Index of the "The user is a part of the following security groups" header; the dashes line follows it, then the groups.
$UserSecurityGroups = (((($GPO_out) | select-String "The user is a part of the following security groups" ).LineNumber | measure -Maximum).Maximum)  - 1
$GPO_out[($UserSecurityGroups)..($UserSecurityGroups + 1)] | % {Write-Host $_ -ForegroundColor Yellow}
$GPO_out[($UserSecurityGroups + 2)..(($GPO_out).Count - 1)] | sort -Unique | % {
    If ($_.length -gt 12) {   # skips blank/short trailing lines; group lines are indented 8 spaces
        # Strip the BUILTIN\ and NT AUTHORITY\ prefixes so the name can be compared with the list above.
        # -contains is an exact, case-insensitive comparison; -match would treat the group name as a regex
        # and flag partial matches (a domain group named "Users" would match "Domain Users", for example).
        $GroupName = ((($_).Trim()).Replace('BUILTIN\','')).Replace('NT AUTHORITY\','')
        If ( $WellKnownSecurityGroups -contains $GroupName ) {
        Write-Host "       " $GroupName -NoNewline
        Write-Host " (Well Known Group)" -ForegroundColor Yellow
        }
        Else {    Write-Host "        " -NoNewline; $GroupName }
    }
}
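As an added example (not the post's own script), here is the same gpresult /R text parsed by its section headers into objects instead of by line-number arithmetic, with well-known groups flagged by exact name and any required computer GPO that was filtered out or not applied reported. The sample text, the shortened $WellKnown list and the required-GPO names ('LAPS', 'Disable EFS') are constructed for this example; on a live host replace $SampleLines with the gpresult call shown in the first comment.

```powershell
# Constructed sample of gpresult /R output (abridged; lines the parser doesn't recognise are ignored). Live host: $Lines = gpresult /s $TargetPC /user $Target_User /R
$SampleLines = @'
RSOP data for CONTOSO\jdoe on WS01 : Logging Mode
COMPUTER SETTINGS
    Last time Group Policy was applied: 7/16/2020 at 9:31:53 AM
    Applied Group Policy Objects
    -----------------------------
        LAPS
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Disable EFS
            Filtering:  Not Applied (Empty)
USER SETTINGS
    Last time Group Policy was applied: 7/16/2020 at 9:31:56 AM
    Applied Group Policy Objects
    -----------------------------
        Auto Screen-Lock
    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        NT AUTHORITY\Authenticated Users
        Citrix Admins
'@ -split "`r?`n"
$WellKnown = 'Administrators','Authenticated Users','Domain Users','Everyone'   # subset for the example; use the post's full list in practice
function ConvertFrom-GpResultText {
    param([string[]]$Lines, [string[]]$WellKnownGroups)
    $d = [ordered]@{ ComputerLastApplied=$null; Computer=@(); ComputerGroups=@(); UserLastApplied=$null; User=@(); UserGroups=@(); Filtered=@() }; $scope = $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$' -or $line -match '^Filtering:') { continue }   # separators and filter reasons
        elseif ($line -match '^COMPUTER SETTINGS') { $scope = 'Computer'; $section = $null }
        elseif ($line -match '^USER SETTINGS')     { $scope = 'User';     $section = $null }
        elseif ($line -match '^Applied Group Policy Objects')        { $section = 'Applied' }
        elseif ($line -match '^The following GPOs were not applied') { $section = 'Filtered' }
        elseif ($line -match '^The (user|computer) is a part of')    { $section = 'Groups' }
        elseif ($line -match '^Last time Group Policy was applied: (.+)$') { $d["${scope}LastApplied"] = $Matches[1] }
        elseif ($section -eq 'Applied')  { $d[$scope] += $line }
        elseif ($section -eq 'Filtered') { $d.Filtered += "$scope`: $line" }
        elseif ($section -eq 'Groups') {   # strip BUILTIN\ / NT AUTHORITY\ and compare the exact name (case-insensitive)
            $name = $line -replace '^(BUILTIN|NT AUTHORITY)\\', ''
            $d["${scope}Groups"] += [pscustomobject]@{ Name = $name; WellKnown = ($WellKnownGroups -contains $name) }
        }
    }
    [pscustomobject]$d
}
$rsop = ConvertFrom-GpResultText -Lines $SampleLines -WellKnownGroups $WellKnown
$rsop.UserGroups | ForEach-Object { '{0,-35}{1}' -f $_.Name, $(if ($_.WellKnown) { '(Well Known Group)' } else { '' }) }
$Required = 'LAPS','Disable EFS'   # GPOs this example treats as required on every workstation (constructed values)
$Required | Where-Object { $rsop.Computer -notcontains $_ } | ForEach-Object { Write-Warning "Required computer GPO not applied (see `$rsop.Filtered): $_" }
```

With the sample input, 'Domain Users' and 'Authenticated Users' are flagged as well known, 'Citrix Admins' is not, and a warning is raised for 'Disable EFS' because it appears only in the filtered-out list.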