PasswordSolution.psm1
function Convert-ADSchemaToGuid { <# .SYNOPSIS Converts name of schema properties to guids .DESCRIPTION Converts name of schema properties to guids .PARAMETER SchemaName Schema Name to convert to guid .PARAMETER All Get hashtable of all schema properties and their guids .PARAMETER Domain Domain to query. By default the current domain is used .PARAMETER RootDSE RootDSE to query. By default RootDSE is queried from the domain .PARAMETER AsString Return the guid as a string .EXAMPLE Convert-ADSchemaToGuid -SchemaName 'ms-Exch-MSO-Forward-Sync-Cookie' .EXAMPLE Convert-ADSchemaToGuid -SchemaName 'ms-Exch-MSO-Forward-Sync-Cookie' -AsString .NOTES General notes #> [CmdletBinding()] param( [string] $SchemaName, [string] $Domain, [Microsoft.ActiveDirectory.Management.ADEntity] $RootDSE, [switch] $AsString ) if (-not $Script:ADGuidMap -or -not $Script:ADGuidMapString) { if ($RootDSE) { $Script:RootDSE = $RootDSE } elseif (-not $Script:RootDSE) { if ($Domain) { $Script:RootDSE = Get-ADRootDSE -Server $Domain } else { $Script:RootDSE = Get-ADRootDSE } } $DomainCN = ConvertFrom-DistinguishedName -DistinguishedName $Script:RootDSE.defaultNamingContext -ToDomainCN $QueryServer = (Get-ADDomainController -DomainName $DomainCN -Discover -ErrorAction Stop).Hostname[0] $Script:ADGuidMap = [ordered] @{ 'All' = [System.GUID]'00000000-0000-0000-0000-000000000000' } $Script:ADGuidMapString = [ordered] @{ 'All' = '00000000-0000-0000-0000-000000000000' } Write-Verbose "Convert-ADSchemaToGuid - Querying Schema from $QueryServer" $Time = [System.Diagnostics.Stopwatch]::StartNew() if (-not $Script:StandardRights) { $Script:StandardRights = Get-ADObject -SearchBase $Script:RootDSE.schemaNamingContext -LDAPFilter "(schemaidguid=*)" -Properties name, lDAPDisplayName, schemaIDGUID -Server $QueryServer -ErrorAction Stop | Select-Object name, lDAPDisplayName, schemaIDGUID } foreach ($Guid in $Script:StandardRights) { $Script:ADGuidMapString[$Guid.lDAPDisplayName] = ([System.GUID]$Guid.schemaIDGUID).Guid $Script:ADGuidMapString[$Guid.Name] = ([System.GUID]$Guid.schemaIDGUID).Guid $Script:ADGuidMap[$Guid.lDAPDisplayName] = ([System.GUID]$Guid.schemaIDGUID) $Script:ADGuidMap[$Guid.Name] = ([System.GUID]$Guid.schemaIDGUID) } $Time.Stop() $TimeToExecute = "$($Time.Elapsed.Days) days, $($Time.Elapsed.Hours) hours, $($Time.Elapsed.Minutes) minutes, $($Time.Elapsed.Seconds) seconds, $($Time.Elapsed.Milliseconds) milliseconds" Write-Verbose "Convert-ADSchemaToGuid - Querying Schema from $QueryServer took $TimeToExecute" Write-Verbose "Convert-ADSchemaToGuid - Querying Extended Rights from $QueryServer" $Time = [System.Diagnostics.Stopwatch]::StartNew() if (-not $Script:ExtendedRightsGuids) { $Script:ExtendedRightsGuids = Get-ADObject -SearchBase $Script:RootDSE.ConfigurationNamingContext -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties name, displayName, lDAPDisplayName, rightsGuid -Server $QueryServer -ErrorAction Stop | Select-Object name, displayName, lDAPDisplayName, rightsGuid } foreach ($Guid in $Script:ExtendedRightsGuids) { $Script:ADGuidMapString[$Guid.Name] = ([System.GUID]$Guid.RightsGuid).Guid $Script:ADGuidMapString[$Guid.DisplayName] = ([System.GUID]$Guid.RightsGuid).Guid $Script:ADGuidMap[$Guid.Name] = ([System.GUID]$Guid.RightsGuid) $Script:ADGuidMap[$Guid.DisplayName] = ([System.GUID]$Guid.RightsGuid) } $Time.Stop() $TimeToExecute = "$($Time.Elapsed.Days) days, $($Time.Elapsed.Hours) hours, $($Time.Elapsed.Minutes) minutes, $($Time.Elapsed.Seconds) seconds, $($Time.Elapsed.Milliseconds) milliseconds" Write-Verbose "Convert-ADSchemaToGuid - Querying Extended Rights from $QueryServer took $TimeToExecute" } if ($SchemaName) { if ($AsString) { return $Script:ADGuidMapString[$SchemaName] } else { return $Script:ADGuidMap[$SchemaName] } } else { if ($AsString) { $Script:ADGuidMapString } else { $Script:ADGuidMap } } } function Convert-CountryCodeToCountry { <# .SYNOPSIS Converts a country code to a country name, or when used with a switch to full culture information .DESCRIPTION Converts a country code to a country name, or when used with a switch to full culture information .PARAMETER CountryCode Country code .PARAMETER All Provide full culture information rather than just the country name .EXAMPLE Convert-CountryCodeToCountry -CountryCode 'PL' .EXAMPLE Convert-CountryCodeToCountry -CountryCode 'PL' -All .EXAMPLE $Test = Convert-CountryCodeToCountry $Test['PL']['Culture'] | fl $Test['PL']['RegionInformation'] .EXAMPLE Convert-CountryCodeToCountry -CountryCode 'PL' Convert-CountryCodeToCountry -CountryCode 'POL' .NOTES General notes #> [cmdletBinding()] param( [string] $CountryCode, [switch] $All ) if ($Script:QuickSearch) { if ($PSBoundParameters.ContainsKey('CountryCode')) { if ($All) { $Script:QuickSearch[$CountryCode] } else { $Script:QuickSearch[$CountryCode].RegionInformation.EnglishName } } else { $Script:QuickSearch } } else { $Script:QuickSearch = [ordered] @{} $AllCultures = [cultureinfo]::GetCultures([System.Globalization.CultureTypes]::SpecificCultures) foreach ($Culture in $AllCultures) { $RegionInformation = [System.Globalization.RegionInfo]::new($Culture) $Script:QuickSearch[$RegionInformation.TwoLetterISORegionName] = @{ 'Culture' = $Culture 'RegionInformation' = $RegionInformation } $Script:QuickSearch[$RegionInformation.ThreeLetterISORegionName] = @{ 'Culture' = $Culture 'RegionInformation' = $RegionInformation } } if ($PSBoundParameters.ContainsKey('CountryCode')) { if ($All) { $Script:QuickSearch[$CountryCode] } else { $Script:QuickSearch[$CountryCode].RegionInformation.EnglishName } } else { $Script:QuickSearch } } } function Convert-CountryToContinent { <# .SYNOPSIS Convert country to continent .DESCRIPTION Convert country to continent or return a hashtable of countries and their corresponding continent. If the country is not found (for example empty), it will return "Unknown" .PARAMETER Country Country to convert. If country is not given it will return a hashtable of countries and their corresponding continent. .EXAMPLE Convert-CountryToContinent -Country "Poland" .EXAMPLE Convert-CountryToContinent .NOTES General notes #> [CmdletBinding()] param( [string] $Country, [switch] $ReturnHashTable ) $CountryToContinent = [ordered] @{ "Afghanistan" = "Asia" "Albania" = "Europe" "Algeria" = "Africa" "Andorra" = "Europe" "Angola" = "Africa" "Antigua and Barbuda" = "North America" "Argentina" = "South America" "Armenia" = "Asia" "Australia" = "Australia/Oceania" "Austria" = "Europe" "Azerbaijan" = "Asia" "Bahamas" = "North America" "Bahrain" = "Asia" "Bangladesh" = "Asia" "Barbados" = "North America" "Belarus" = "Europe" "Belgium" = "Europe" "Belize" = "North America" "Benin" = "Africa" "Bhutan" = "Asia" "Bolivia" = "South America" "Bosnia and Herzegovina" = "Europe" "Botswana" = "Africa" "Brazil" = "South America" "Brunei" = "Asia" "Bulgaria" = "Europe" "Burkina Faso" = "Africa" "Burundi" = "Africa" "Cabo Verde" = "Africa" "Cambodia" = "Asia" "Cameroon" = "Africa" "Canada" = "North America" "Central African Republic" = "Africa" "Chad" = "Africa" "Chile" = "South America" "China" = "Asia" "Colombia" = "South America" "Comoros" = "Africa" "Congo, Democratic Republic of the" = "Africa" "Congo, Republic of the" = "Africa" "Costa Rica" = "North America" "Cote d'Ivoire" = "Africa" "Croatia" = "Europe" "Cuba" = "North America" "Cyprus" = "Asia" "Czechia" = "Europe" "Denmark" = "Europe" "Djibouti" = "Africa" "Dominica" = "North America" "Dominican Republic" = "North America" "Ecuador" = "South America" "Egypt" = "Africa" "El Salvador" = "North America" "Equatorial Guinea" = "Africa" "Eritrea" = "Africa" "Estonia" = "Europe" "Eswatini" = "Africa" "Ethiopia" = "Africa" "Fiji" = "Australia/Oceania" "Finland" = "Europe" "France" = "Europe" "Gabon" = "Africa" "Gambia" = "Africa" "Georgia" = "Asia" "Germany" = "Europe" "Ghana" = "Africa" "Greece" = "Europe" "Grenada" = "North America" "Guatemala" = "North America" "Guinea" = "Africa" "Guinea-Bissau" = "Africa" "Guyana" = "South America" "Haiti" = "North America" "Honduras" = "North America" "Hungary" = "Europe" "Iceland" = "Europe" "India" = "Asia" "Indonesia" = "Asia" "Iran" = "Asia" "Iraq" = "Asia" "Ireland" = "Europe" "Israel" = "Asia" "Italy" = "Europe" "Jamaica" = "North America" "Japan" = "Asia" "Jordan" = "Asia" "Kazakhstan" = "Asia" "Kenya" = "Africa" "Kiribati" = "Australia/Oceania" "Kosovo" = "Europe" "Kuwait" = "Asia" "Kyrgyzstan" = "Asia" "Laos" = "Asia" "Latvia" = "Europe" "Lebanon" = "Asia" "Lesotho" = "Africa" "Liberia" = "Africa" "Libya" = "Africa" "Liechtenstein" = "Europe" "Lithuania" = "Europe" "Luxembourg" = "Europe" "Madagascar" = "Africa" "Malawi" = "Africa" "Malaysia" = "Asia" "Maldives" = "Asia" "Mali" = "Africa" "Malta" = "Europe" "Marshall Islands" = "Australia/Oceania" "Mauritania" = "Africa" "Mauritius" = "Africa" "Mexico" = "North America" "Micronesia" = "Australia/Oceania" "Moldova" = "Europe" "Monaco" = "Europe" "Mongolia" = "Asia" "Montenegro" = "Europe" "Morocco" = "Africa" "Mozambique" = "Africa" "Myanmar" = "Asia" "Namibia" = "Africa" "Nauru" = "Australia/Oceania" "Nepal" = "Asia" "Netherlands" = "Europe" "New Zealand" = "Australia/Oceania" "Nicaragua" = "North America" "Niger" = "Africa" "Nigeria" = "Africa" "North Korea" = "Asia" "North Macedonia" = "Europe" "Norway" = "Europe" "Oman" = "Asia" "Pakistan" = "Asia" "Palau" = "Australia/Oceania" "Panama" = "North America" "Papua New Guinea" = "Australia/Oceania" "Paraguay" = "South America" "Peru" = "South America" "Philippines" = "Asia" "Poland" = "Europe" "Portugal" = "Europe" "Qatar" = "Asia" "Romania" = "Europe" "Russia" = "Asia" "Rwanda" = "Africa" "Saint Kitts and Nevis" = "North America" "Saint Lucia" = "North America" "Saint Vincent and the Grenadines" = "North America" "Samoa" = "Australia/Oceania" "San Marino" = "Europe" "Sao Tome and Principe" = "Africa" "Saudi Arabia" = "Asia" "Senegal" = "Africa" "Serbia" = "Europe" "Seychelles" = "Africa" "Sierra Leone" = "Africa" "Singapore" = "Asia" "Slovakia" = "Europe" "Slovenia" = "Europe" "Solomon Islands" = "Australia/Oceania" "Somalia" = "Africa" "South Africa" = "Africa" "South Korea" = "Asia" "South Sudan" = "Africa" "Spain" = "Europe" "Sri Lanka" = "Asia" "Sudan" = "Africa" "Suriname" = "South America" "Sweden" = "Europe" "Switzerland" = "Europe" "Syria" = "Asia" "Taiwan" = "Asia" "Tajikistan" = "Asia" "Tanzania" = "Africa" "Thailand" = "Asia" "Timor-Leste" = "Asia" "Togo" = "Africa" "Tonga" = "Australia/Oceania" "Trinidad and Tobago" = "North America" "Tunisia" = "Africa" "Turkey" = "Asia" "Turkmenistan" = "Asia" "Tuvalu" = "Australia/Oceania" "Uganda" = "Africa" "Ukraine" = "Europe" "United Arab Emirates" = "Asia" "United Kingdom" = "Europe" "United States of America" = "North America" "Uruguay" = "South America" "Uzbekistan" = "Asia" "Vanuatu" = "Australia/Oceania" "Vatican City (Holy See)" = "Europe" "Venezuela" = "South America" "Vietnam" = "Asia" "Yemen" = "Asia" "Zambia" = "Africa" "Zimbabwe" = "Africa" } if ($PSBoundParameters.ContainsKey('Country')) { if ($CountryToContinent[$Country]) { $CountryToContinent[$Country] } else { "Unknown" } } else { $CountryToContinent } } function Convert-CountryToCountryCode { <# .SYNOPSIS Converts a country name to a country code, or when used with a switch to full culture information .DESCRIPTION Converts a country name to a country code, or when used with a switch to full culture information .PARAMETER CountryName Country name in it's english name .PARAMETER All Provide full culture information rather than just the country code .EXAMPLE Convert-CountryToCountryCode -CountryName 'Poland' .EXAMPLE Convert-CountryToCountryCode -CountryName 'Poland' -All .EXAMPLE $Test = Convert-CountryToCountryCode $Test['India']['Culture'] $Test['India']['RegionInformation'] .EXAMPLE $Test = Convert-CountryToCountryCode $Test['Poland']['Culture'] $Test['Poland']['RegionInformation'] .EXAMPLE Convert-CountryToCountryCode -CountryName 'Polska' Convert-CountryToCountryCode -CountryName 'Poland' Convert-CountryToCountryCode -CountryName 'CZECH REPUBLIC' Convert-CountryToCountryCode -CountryName 'USA' .NOTES General notes #> [cmdletBinding()] param( [string] $CountryName, [switch] $All ) if ($Script:QuickSearchCountries) { if ($CountryName) { if ($All) { $Script:QuickSearchCountries[$CountryName] } else { if ($Script:QuickSearchCountries[$CountryName]) { $Script:QuickSearchCountries[$CountryName].RegionInformation.TwoLetterISORegionName.ToUpper() } else { if ($PSBoundParameters.ErrorAction -eq 'Stop') { throw "Country $CountryName not found" } else { Write-Warning -Message "Convert-CountryToCountryCode - Country $CountryName name not found" } } } } else { $Script:QuickSearchCountries } } else { $AllCultures = [cultureinfo]::GetCultures([System.Globalization.CultureTypes]::SpecificCultures) $Script:QuickSearchCountries = [ordered] @{ 'Czech Republic' = @{ 'Culture' = [cultureinfo] 'CZ' 'RegionInformation' = [System.Globalization.RegionInfo] 'CZ' } 'Korea, REPUBLIC OF' = @{ 'Culture' = [cultureinfo] 'KR' 'RegionInformation' = [System.Globalization.RegionInfo] 'KR' } 'VIET NAM' = @{ 'Culture' = [cultureinfo] 'VN' 'RegionInformation' = [System.Globalization.RegionInfo] 'VN' } } foreach ($Culture in $AllCultures) { $RegionInformation = [System.Globalization.RegionInfo]::new($Culture) $Script:QuickSearchCountries[$RegionInformation.EnglishName] = @{ 'Culture' = $Culture 'RegionInformation' = $RegionInformation } $Script:QuickSearchCountries[$RegionInformation.DisplayName] = @{ 'Culture' = $Culture 'RegionInformation' = $RegionInformation } $Script:QuickSearchCountries[$RegionInformation.NativeName] = @{ 'Culture' = $Culture 'RegionInformation' = $RegionInformation } $Script:QuickSearchCountries[$RegionInformation.ThreeLetterISORegionName] = @{ 'Culture' = $Culture 'RegionInformation' = $RegionInformation } } if ($CountryName) { if ($All) { $Script:QuickSearchCountries[$CountryName] } else { if ($Script:QuickSearchCountries[$CountryName]) { $Script:QuickSearchCountries[$CountryName].RegionInformation.TwoLetterISORegionName.ToUpper() } else { if ($PSBoundParameters.ErrorAction -eq 'Stop') { throw "Country $CountryName not found" } else { Write-Warning -Message "Convert-CountryToCountryCode - Country $CountryName name not found" } } } } else { $Script:QuickSearchCountries } } } function Convert-UserAccountControl { <# .SYNOPSIS Converts the UserAccountControl flags to their corresponding names. .DESCRIPTION This function takes a UserAccountControl value and converts it into a human-readable format by matching the flags to their corresponding names. .PARAMETER UserAccountControl Specifies the UserAccountControl value to be converted. .PARAMETER Separator Specifies the separator to use when joining the converted flags. If not provided, the flags will be returned as a list. .EXAMPLE Convert-UserAccountControl -UserAccountControl 66048 Outputs: "DONT_EXPIRE_PASSWORD, PASSWORD_EXPIRED" .EXAMPLE Convert-UserAccountControl -UserAccountControl 512 -Separator ', ' Outputs: "NORMAL_ACCOUNT" #> [cmdletBinding()] param( [alias('UAC')][int] $UserAccountControl, [string] $Separator ) $UserAccount = [ordered] @{ "SCRIPT" = 1 "ACCOUNTDISABLE" = 2 "HOMEDIR_REQUIRED" = 8 "LOCKOUT" = 16 "PASSWD_NOTREQD" = 32 "ENCRYPTED_TEXT_PWD_ALLOWED" = 128 "TEMP_DUPLICATE_ACCOUNT" = 256 "NORMAL_ACCOUNT" = 512 "INTERDOMAIN_TRUST_ACCOUNT" = 2048 "WORKSTATION_TRUST_ACCOUNT" = 4096 "SERVER_TRUST_ACCOUNT" = 8192 "DONT_EXPIRE_PASSWORD" = 65536 "MNS_LOGON_ACCOUNT" = 131072 "SMARTCARD_REQUIRED" = 262144 "TRUSTED_FOR_DELEGATION" = 524288 "NOT_DELEGATED" = 1048576 "USE_DES_KEY_ONLY" = 2097152 "DONT_REQ_PREAUTH" = 4194304 "PASSWORD_EXPIRED" = 8388608 "TRUSTED_TO_AUTH_FOR_DELEGATION" = 16777216 "PARTIAL_SECRETS_ACCOUNT" = 67108864 } $Output = foreach ($_ in $UserAccount.Keys) { $binaryAnd = $UserAccount[$_] -band $UserAccountControl if ($binaryAnd -ne "0") { $_ } } if ($Separator) { $Output -join $Separator } else { $Output } } function ConvertFrom-DistinguishedName { <# .SYNOPSIS Converts a Distinguished Name to CN, OU, Multiple OUs or DC .DESCRIPTION Converts a Distinguished Name to CN, OU, Multiple OUs or DC .PARAMETER DistinguishedName Distinguished Name to convert .PARAMETER ToOrganizationalUnit Converts DistinguishedName to Organizational Unit .PARAMETER ToDC Converts DistinguishedName to DC .PARAMETER ToDomainCN Converts DistinguishedName to Domain Canonical Name (CN) .PARAMETER ToCanonicalName Converts DistinguishedName to Canonical Name .EXAMPLE $DistinguishedName = 'CN=Przemyslaw Klys,OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' ConvertFrom-DistinguishedName -DistinguishedName $DistinguishedName -ToOrganizationalUnit Output: OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz .EXAMPLE $DistinguishedName = 'CN=Przemyslaw Klys,OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' ConvertFrom-DistinguishedName -DistinguishedName $DistinguishedName Output: Przemyslaw Klys .EXAMPLE ConvertFrom-DistinguishedName -DistinguishedName 'OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' -ToMultipleOrganizationalUnit -IncludeParent Output: OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz OU=Production,DC=ad,DC=evotec,DC=xyz .EXAMPLE ConvertFrom-DistinguishedName -DistinguishedName 'OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' -ToMultipleOrganizationalUnit Output: OU=Production,DC=ad,DC=evotec,DC=xyz .EXAMPLE $Con = @( 'CN=Windows Authorization Access Group,CN=Builtin,DC=ad,DC=evotec,DC=xyz' 'CN=Mmm,DC=elo,CN=nee,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=ad,DC=evotec,DC=xyz' 'CN=e6d5fd00-385d-4e65-b02d-9da3493ed850,CN=Operations,CN=DomainUpdates,CN=System,DC=ad,DC=evotec,DC=xyz' 'OU=Domain Controllers,DC=ad,DC=evotec,DC=pl' 'OU=Microsoft Exchange Security Groups,DC=ad,DC=evotec,DC=xyz' ) ConvertFrom-DistinguishedName -DistinguishedName $Con -ToLastName Output: Windows Authorization Access Group Mmm e6d5fd00-385d-4e65-b02d-9da3493ed850 Domain Controllers Microsoft Exchange Security Groups .EXAMPLEE ConvertFrom-DistinguishedName -DistinguishedName 'DC=ad,DC=evotec,DC=xyz' -ToCanonicalName ConvertFrom-DistinguishedName -DistinguishedName 'OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' -ToCanonicalName ConvertFrom-DistinguishedName -DistinguishedName 'CN=test,OU=Users,OU=Production,DC=ad,DC=evotec,DC=xyz' -ToCanonicalName Output: ad.evotec.xyz ad.evotec.xyz\Production\Users ad.evotec.xyz\Production\Users\test .NOTES General notes #> [CmdletBinding(DefaultParameterSetName = 'Default')] param( [Parameter(ParameterSetName = 'ToOrganizationalUnit')] [Parameter(ParameterSetName = 'ToMultipleOrganizationalUnit')] [Parameter(ParameterSetName = 'ToDC')] [Parameter(ParameterSetName = 'ToDomainCN')] [Parameter(ParameterSetName = 'Default')] [Parameter(ParameterSetName = 'ToLastName')] [Parameter(ParameterSetName = 'ToCanonicalName')] [alias('Identity', 'DN')][Parameter(ValueFromPipeline, ValueFromPipelineByPropertyName, Position = 0)][string[]] $DistinguishedName, [Parameter(ParameterSetName = 'ToOrganizationalUnit')][switch] $ToOrganizationalUnit, [Parameter(ParameterSetName = 'ToMultipleOrganizationalUnit')][alias('ToMultipleOU')][switch] $ToMultipleOrganizationalUnit, [Parameter(ParameterSetName = 'ToMultipleOrganizationalUnit')][switch] $IncludeParent, [Parameter(ParameterSetName = 'ToDC')][switch] $ToDC, [Parameter(ParameterSetName = 'ToDomainCN')][switch] $ToDomainCN, [Parameter(ParameterSetName = 'ToLastName')][switch] $ToLastName, [Parameter(ParameterSetName = 'ToCanonicalName')][switch] $ToCanonicalName ) Process { foreach ($Distinguished in $DistinguishedName) { if ($ToDomainCN) { $DN = $Distinguished -replace '.*?((DC=[^=]+,)+DC=[^=]+)$', '$1' $CN = $DN -replace ',DC=', '.' -replace "DC=" if ($CN) { $CN } } elseif ($ToOrganizationalUnit) { $Value = [Regex]::Match($Distinguished, '(?=OU=)(.*\n?)(?<=.)').Value if ($Value) { $Value } } elseif ($ToMultipleOrganizationalUnit) { if ($IncludeParent) { $Distinguished } while ($true) { $Distinguished = $Distinguished -replace '^.+?,(?=..=)' if ($Distinguished -match '^DC=') { break } $Distinguished } } elseif ($ToDC) { $Value = $Distinguished -replace '.*?((DC=[^=]+,)+DC=[^=]+)$', '$1' if ($Value) { $Value } } elseif ($ToLastName) { $NewDN = $Distinguished -split ",DC=" if ($NewDN[0].Contains(",OU=")) { [Array] $ChangedDN = $NewDN[0] -split ",OU=" } elseif ($NewDN[0].Contains(",CN=")) { [Array] $ChangedDN = $NewDN[0] -split ",CN=" } else { [Array] $ChangedDN = $NewDN[0] } if ($ChangedDN[0].StartsWith('CN=')) { $ChangedDN[0] -replace 'CN=', '' } else { $ChangedDN[0] -replace 'OU=', '' } } elseif ($ToCanonicalName) { $Domain = $null $Rest = $null foreach ($O in $Distinguished -split '(?<!\\),') { if ($O -match '^DC=') { $Domain += $O.Substring(3) + '.' } else { $Rest = $O.Substring(3) + '\' + $Rest } } if ($Domain -and $Rest) { $Domain.Trim('.') + '\' + ($Rest.TrimEnd('\') -replace '\\,', ',') } elseif ($Domain) { $Domain.Trim('.') } elseif ($Rest) { $Rest.TrimEnd('\') -replace '\\,', ',' } } else { $Regex = '^CN=(?<cn>.+?)(?<!\\),(?<ou>(?:(?:OU|CN).+?(?<!\\),)+(?<dc>DC.+?))$' $Found = $Distinguished -match $Regex if ($Found) { $Matches.cn } } } } } function Get-FileInformation { <# .SYNOPSIS Get information about file such as Name, FullName and Size .DESCRIPTION Get information about file such as Name, FullName and Size .PARAMETER File File to get information about .EXAMPLE Get-FileInformation -File 'C:\Support\GitHub\PSSharedGoods\Public\FilesFolders\Get-FileInformation.ps1' #> [CmdletBinding()] param( [alias('LiteralPath', 'Path')][string] $File ) if (Test-Path -LiteralPath $File) { $Item = Get-Item -LiteralPath $File [PSCustomObject] @{ Name = $Item.Name FullName = $Item.FullName Size = Get-FileSize -Bytes $Item.Length IsReadOnly = $Item.IsReadOnly LastWriteTime = $Item.LastWriteTime } } } function Get-GitHubVersion { <# .SYNOPSIS Get the latest version of a GitHub repository and compare with local version .DESCRIPTION Get the latest version of a GitHub repository and compare with local version .PARAMETER Cmdlet Cmdlet to find module for .PARAMETER RepositoryOwner Repository owner .PARAMETER RepositoryName Repository name .EXAMPLE Get-GitHubVersion -Cmdlet 'Start-DelegationModel' -RepositoryOwner 'evotecit' -RepositoryName 'DelegationModel' .NOTES General notes #> [cmdletBinding()] param( [Parameter(Mandatory)][string] $Cmdlet, [Parameter(Mandatory)][string] $RepositoryOwner, [Parameter(Mandatory)][string] $RepositoryName ) $App = Get-Command -Name $Cmdlet -ErrorAction SilentlyContinue if ($App) { [Array] $GitHubReleases = (Get-GitHubLatestRelease -Url "https://api.github.com/repos/$RepositoryOwner/$RepositoryName/releases" -Verbose:$false) $LatestVersion = $GitHubReleases[0] if (-not $LatestVersion.Errors) { if ($App.Version -eq $LatestVersion.Version) { "Current/Latest: $($LatestVersion.Version) at $($LatestVersion.PublishDate)" } elseif ($App.Version -lt $LatestVersion.Version) { "Current: $($App.Version), Published: $($LatestVersion.Version) at $($LatestVersion.PublishDate). Update?" } elseif ($App.Version -gt $LatestVersion.Version) { "Current: $($App.Version), Published: $($LatestVersion.Version) at $($LatestVersion.PublishDate). Lucky you!" } } else { "Current: $($App.Version)" } } else { "Current: Unknown" } } function Get-WinADForestDetails { <# .SYNOPSIS Get details about Active Directory Forest, Domains and Domain Controllers in a single query .DESCRIPTION Get details about Active Directory Forest, Domains and Domain Controllers in a single query .PARAMETER Forest Target different Forest, by default current forest is used .PARAMETER ExcludeDomains Exclude domain from search, by default whole forest is scanned .PARAMETER IncludeDomains Include only specific domains, by default whole forest is scanned .PARAMETER ExcludeDomainControllers Exclude specific domain controllers, by default there are no exclusions, as long as VerifyDomainControllers switch is enabled. Otherwise this parameter is ignored. .PARAMETER IncludeDomainControllers Include only specific domain controllers, by default all domain controllers are included, as long as VerifyDomainControllers switch is enabled. Otherwise this parameter is ignored. .PARAMETER SkipRODC Skip Read-Only Domain Controllers. By default all domain controllers are included. .PARAMETER ExtendedForestInformation Ability to provide Forest Information from another command to speed up processing .PARAMETER Filter Filter for Get-ADDomainController .PARAMETER TestAvailability Check if Domain Controllers are available .PARAMETER Test Pick what to check for availability. Options are: All, Ping, WinRM, PortOpen, Ping+WinRM, Ping+PortOpen, WinRM+PortOpen. Default is All .PARAMETER Ports Ports to check for availability. Default is 135 .PARAMETER PortsTimeout Ports timeout for availability check. Default is 100 .PARAMETER PingCount How many pings to send. Default is 1 .PARAMETER PreferWritable Prefer writable domain controllers over read-only ones when returning Query Servers .PARAMETER Extended Return extended information about domains with NETBIOS names .EXAMPLE Get-WinADForestDetails | Format-Table .EXAMPLE Get-WinADForestDetails -Forest 'ad.evotec.xyz' | Format-Table .NOTES General notes #> [CmdletBinding()] param( [alias('ForestName')][string] $Forest, [string[]] $ExcludeDomains, [string[]] $ExcludeDomainControllers, [alias('Domain', 'Domains')][string[]] $IncludeDomains, [alias('DomainControllers', 'ComputerName')][string[]] $IncludeDomainControllers, [switch] $SkipRODC, [string] $Filter = '*', [switch] $TestAvailability, [ValidateSet('All', 'Ping', 'WinRM', 'PortOpen', 'Ping+WinRM', 'Ping+PortOpen', 'WinRM+PortOpen')] $Test = 'All', [int[]] $Ports = 135, [int] $PortsTimeout = 100, [int] $PingCount = 1, [switch] $PreferWritable, [switch] $Extended, [System.Collections.IDictionary] $ExtendedForestInformation ) if ($Global:ProgressPreference -ne 'SilentlyContinue') { $TemporaryProgress = $Global:ProgressPreference $Global:ProgressPreference = 'SilentlyContinue' } if (-not $ExtendedForestInformation) { $Findings = [ordered] @{ } try { if ($Forest) { $ForestInformation = Get-ADForest -ErrorAction Stop -Identity $Forest } else { $ForestInformation = Get-ADForest -ErrorAction Stop } } catch { Write-Warning "Get-WinADForestDetails - Error discovering DC for Forest - $($_.Exception.Message)" return } if (-not $ForestInformation) { return } $Findings['Forest'] = $ForestInformation $Findings['ForestDomainControllers'] = @() $Findings['QueryServers'] = @{ } $Findings['DomainDomainControllers'] = @{ } [Array] $Findings['Domains'] = foreach ($Domain in $ForestInformation.Domains) { if ($IncludeDomains) { if ($Domain -in $IncludeDomains) { $Domain.ToLower() } continue } if ($Domain -notin $ExcludeDomains) { $Domain.ToLower() } } [Array] $DomainsActive = foreach ($Domain in $Findings['Forest'].Domains) { try { $DC = Get-ADDomainController -DomainName $Domain -Discover -ErrorAction Stop -Writable:$PreferWritable.IsPresent $OrderedDC = [ordered] @{ Domain = $DC.Domain Forest = $DC.Forest HostName = [Array] $DC.HostName IPv4Address = $DC.IPv4Address IPv6Address = $DC.IPv6Address Name = $DC.Name Site = $DC.Site } } catch { Write-Warning "Get-WinADForestDetails - Error discovering DC for domain $Domain - $($_.Exception.Message)" continue } if ($Domain -eq $Findings['Forest']['Name']) { $Findings['QueryServers']['Forest'] = $OrderedDC } $Findings['QueryServers']["$Domain"] = $OrderedDC $Domain } [Array] $Findings['Domains'] = foreach ($Domain in $Findings['Domains']) { if ($Domain -notin $DomainsActive) { Write-Warning "Get-WinADForestDetails - Domain $Domain doesn't seem to be active (no DCs). Skipping." continue } $Domain } [Array] $Findings['ForestDomainControllers'] = foreach ($Domain in $Findings.Domains) { $QueryServer = $Findings['QueryServers'][$Domain]['HostName'][0] [Array] $AllDC = try { try { $DomainControllers = Get-ADDomainController -Filter $Filter -Server $QueryServer -ErrorAction Stop } catch { Write-Warning "Get-WinADForestDetails - Error listing DCs for domain $Domain - $($_.Exception.Message)" continue } foreach ($S in $DomainControllers) { if ($IncludeDomainControllers.Count -gt 0) { If (-not $IncludeDomainControllers[0].Contains('.')) { if ($S.Name -notin $IncludeDomainControllers) { continue } } else { if ($S.HostName -notin $IncludeDomainControllers) { continue } } } if ($ExcludeDomainControllers.Count -gt 0) { If (-not $ExcludeDomainControllers[0].Contains('.')) { if ($S.Name -in $ExcludeDomainControllers) { continue } } else { if ($S.HostName -in $ExcludeDomainControllers) { continue } } } $DSAGuid = (Get-ADObject -Identity $S.NTDSSettingsObjectDN -Server $QueryServer).ObjectGUID $Server = [ordered] @{ Domain = $Domain HostName = $S.HostName Name = $S.Name Forest = $ForestInformation.RootDomain Site = $S.Site IPV4Address = $S.IPV4Address IPV6Address = $S.IPV6Address IsGlobalCatalog = $S.IsGlobalCatalog IsReadOnly = $S.IsReadOnly IsSchemaMaster = ($S.OperationMasterRoles -contains 'SchemaMaster') IsDomainNamingMaster = ($S.OperationMasterRoles -contains 'DomainNamingMaster') IsPDC = ($S.OperationMasterRoles -contains 'PDCEmulator') IsRIDMaster = ($S.OperationMasterRoles -contains 'RIDMaster') IsInfrastructureMaster = ($S.OperationMasterRoles -contains 'InfrastructureMaster') OperatingSystem = $S.OperatingSystem OperatingSystemVersion = $S.OperatingSystemVersion OperatingSystemLong = ConvertTo-OperatingSystem -OperatingSystem $S.OperatingSystem -OperatingSystemVersion $S.OperatingSystemVersion LdapPort = $S.LdapPort SslPort = $S.SslPort DistinguishedName = $S.ComputerObjectDN NTDSSettingsObjectDN = $S.NTDSSettingsObjectDN DsaGuid = $DSAGuid DsaGuidName = "$DSAGuid._msdcs.$($ForestInformation.RootDomain)" Pingable = $null WinRM = $null PortOpen = $null Comment = '' } if ($TestAvailability) { if ($Test -eq 'All' -or $Test -like 'Ping*') { $Server.Pingable = Test-Connection -ComputerName $Server.IPV4Address -Quiet -Count $PingCount } if ($Test -eq 'All' -or $Test -like '*WinRM*') { $Server.WinRM = (Test-WinRM -ComputerName $Server.HostName).Status } if ($Test -eq 'All' -or '*PortOpen*') { $Server.PortOpen = (Test-ComputerPort -Server $Server.HostName -PortTCP $Ports -Timeout $PortsTimeout).Status } } [PSCustomObject] $Server } } catch { [PSCustomObject]@{ Domain = $Domain HostName = '' Name = '' Forest = $ForestInformation.RootDomain IPV4Address = '' IPV6Address = '' IsGlobalCatalog = '' IsReadOnly = '' Site = '' SchemaMaster = $false DomainNamingMasterMaster = $false PDCEmulator = $false RIDMaster = $false InfrastructureMaster = $false LdapPort = '' SslPort = '' DistinguishedName = '' NTDSSettingsObjectDN = '' DsaGuid = '' DsaGuidName = '' Pingable = $null WinRM = $null PortOpen = $null Comment = $_.Exception.Message -replace "`n", " " -replace "`r", " " } } if ($SkipRODC) { [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false } } else { [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC } if ($null -ne $Findings['DomainDomainControllers'][$Domain]) { [Array] $Findings['DomainDomainControllers'][$Domain] } } if ($Extended) { $Findings['DomainsExtended'] = @{ } $Findings['DomainsExtendedNetBIOS'] = @{ } foreach ($DomainEx in $Findings['Domains']) { try { $Findings['DomainsExtended'][$DomainEx] = Get-ADDomain -Server $Findings['QueryServers'][$DomainEx].HostName[0] | ForEach-Object { [ordered] @{ AllowedDNSSuffixes = $_.AllowedDNSSuffixes | ForEach-Object -Process { $_ } ChildDomains = $_.ChildDomains | ForEach-Object -Process { $_ } ComputersContainer = $_.ComputersContainer DeletedObjectsContainer = $_.DeletedObjectsContainer DistinguishedName = $_.DistinguishedName DNSRoot = $_.DNSRoot DomainControllersContainer = $_.DomainControllersContainer DomainMode = $_.DomainMode DomainSID = $_.DomainSID.Value ForeignSecurityPrincipalsContainer = $_.ForeignSecurityPrincipalsContainer Forest = $_.Forest InfrastructureMaster = $_.InfrastructureMaster LastLogonReplicationInterval = $_.LastLogonReplicationInterval LinkedGroupPolicyObjects = $_.LinkedGroupPolicyObjects | ForEach-Object -Process { $_ } LostAndFoundContainer = $_.LostAndFoundContainer ManagedBy = $_.ManagedBy Name = $_.Name NetBIOSName = $_.NetBIOSName ObjectClass = $_.ObjectClass ObjectGUID = $_.ObjectGUID ParentDomain = $_.ParentDomain PDCEmulator = $_.PDCEmulator PublicKeyRequiredPasswordRolling = $_.PublicKeyRequiredPasswordRolling | ForEach-Object -Process { $_ } QuotasContainer = $_.QuotasContainer ReadOnlyReplicaDirectoryServers = $_.ReadOnlyReplicaDirectoryServers | ForEach-Object -Process { $_ } ReplicaDirectoryServers = $_.ReplicaDirectoryServers | ForEach-Object -Process { $_ } RIDMaster = $_.RIDMaster SubordinateReferences = $_.SubordinateReferences | ForEach-Object -Process { $_ } SystemsContainer = $_.SystemsContainer UsersContainer = $_.UsersContainer } } $NetBios = $Findings['DomainsExtended'][$DomainEx]['NetBIOSName'] $Findings['DomainsExtendedNetBIOS'][$NetBios] = $Findings['DomainsExtended'][$DomainEx] } catch { Write-Warning "Get-WinADForestDetails - Error gathering Domain Information for domain $DomainEx - $($_.Exception.Message)" continue } } } if ($TemporaryProgress) { $Global:ProgressPreference = $TemporaryProgress } $Findings } else { $Findings = Copy-DictionaryManual -Dictionary $ExtendedForestInformation [Array] $Findings['Domains'] = foreach ($_ in $Findings.Domains) { if ($IncludeDomains) { if ($_ -in $IncludeDomains) { $_.ToLower() } continue } if ($_ -notin $ExcludeDomains) { $_.ToLower() } } foreach ($_ in [string[]] $Findings.DomainDomainControllers.Keys) { if ($_ -notin $Findings.Domains) { $Findings.DomainDomainControllers.Remove($_) } } foreach ($_ in [string[]] $Findings.DomainsExtended.Keys) { if ($_ -notin $Findings.Domains) { $Findings.DomainsExtended.Remove($_) $NetBiosName = $Findings.DomainsExtended.$_.'NetBIOSName' if ($NetBiosName) { $Findings.DomainsExtendedNetBIOS.Remove($NetBiosName) } } } [Array] $Findings['ForestDomainControllers'] = foreach ($Domain in $Findings.Domains) { [Array] $AllDC = foreach ($S in $Findings.DomainDomainControllers["$Domain"]) { if ($IncludeDomainControllers.Count -gt 0) { If (-not $IncludeDomainControllers[0].Contains('.')) { if ($S.Name -notin $IncludeDomainControllers) { continue } } else { if ($S.HostName -notin $IncludeDomainControllers) { continue } } } if ($ExcludeDomainControllers.Count -gt 0) { If (-not $ExcludeDomainControllers[0].Contains('.')) { if ($S.Name -in $ExcludeDomainControllers) { continue } } else { if ($S.HostName -in $ExcludeDomainControllers) { continue } } } $S } if ($SkipRODC) { [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC | Where-Object { $_.IsReadOnly -eq $false } } else { [Array] $Findings['DomainDomainControllers'][$Domain] = $AllDC } [Array] $Findings['DomainDomainControllers'][$Domain] } $Findings } } function Remove-EmptyValue { <# .SYNOPSIS Removes empty values from a hashtable recursively. .DESCRIPTION This function removes empty values from a given hashtable. It can be used to clean up a hashtable by removing keys with null, empty string, empty array, or empty dictionary values. The function supports recursive removal of empty values. .PARAMETER Hashtable The hashtable from which empty values will be removed. .PARAMETER ExcludeParameter An array of keys to exclude from the removal process. .PARAMETER Recursive Indicates whether to recursively remove empty values from nested hashtables. .PARAMETER Rerun Specifies the number of times to rerun the removal process recursively. .PARAMETER DoNotRemoveNull If specified, null values will not be removed. .PARAMETER DoNotRemoveEmpty If specified, empty string values will not be removed. .PARAMETER DoNotRemoveEmptyArray If specified, empty array values will not be removed. .PARAMETER DoNotRemoveEmptyDictionary If specified, empty dictionary values will not be removed. .EXAMPLE $hashtable = @{ 'Key1' = ''; 'Key2' = $null; 'Key3' = @(); 'Key4' = @{} } Remove-EmptyValue -Hashtable $hashtable -Recursive Description ----------- This example removes empty values from the $hashtable recursively. #> [alias('Remove-EmptyValues')] [CmdletBinding()] param( [alias('Splat', 'IDictionary')][Parameter(Mandatory)][System.Collections.IDictionary] $Hashtable, [string[]] $ExcludeParameter, [switch] $Recursive, [int] $Rerun, [switch] $DoNotRemoveNull, [switch] $DoNotRemoveEmpty, [switch] $DoNotRemoveEmptyArray, [switch] $DoNotRemoveEmptyDictionary ) foreach ($Key in [string[]] $Hashtable.Keys) { if ($Key -notin $ExcludeParameter) { if ($Recursive) { if ($Hashtable[$Key] -is [System.Collections.IDictionary]) { if ($Hashtable[$Key].Count -eq 0) { if (-not $DoNotRemoveEmptyDictionary) { $Hashtable.Remove($Key) } } else { Remove-EmptyValue -Hashtable $Hashtable[$Key] -Recursive:$Recursive } } else { if (-not $DoNotRemoveNull -and $null -eq $Hashtable[$Key]) { $Hashtable.Remove($Key) } elseif (-not $DoNotRemoveEmpty -and $Hashtable[$Key] -is [string] -and $Hashtable[$Key] -eq '') { $Hashtable.Remove($Key) } elseif (-not $DoNotRemoveEmptyArray -and $Hashtable[$Key] -is [System.Collections.IList] -and $Hashtable[$Key].Count -eq 0) { $Hashtable.Remove($Key) } } } else { if (-not $DoNotRemoveNull -and $null -eq $Hashtable[$Key]) { $Hashtable.Remove($Key) } elseif (-not $DoNotRemoveEmpty -and $Hashtable[$Key] -is [string] -and $Hashtable[$Key] -eq '') { $Hashtable.Remove($Key) } elseif (-not $DoNotRemoveEmptyArray -and $Hashtable[$Key] -is [System.Collections.IList] -and $Hashtable[$Key].Count -eq 0) { $Hashtable.Remove($Key) } } } } if ($Rerun) { for ($i = 0; $i -lt $Rerun; $i++) { Remove-EmptyValue -Hashtable $Hashtable -Recursive:$Recursive } } } function Start-TimeLog { <# .SYNOPSIS Starts a new stopwatch for logging time. .DESCRIPTION This function starts a new stopwatch that can be used for logging time durations. .EXAMPLE Start-TimeLog Starts a new stopwatch for logging time. #> [CmdletBinding()] param() [System.Diagnostics.Stopwatch]::StartNew() } function Stop-TimeLog { <# .SYNOPSIS Stops the stopwatch and returns the elapsed time in a specified format. .DESCRIPTION The Stop-TimeLog function stops the provided stopwatch and returns the elapsed time in a specified format. The function can output the elapsed time as a single string or an array of days, hours, minutes, seconds, and milliseconds. .PARAMETER Time Specifies the stopwatch object to stop and retrieve the elapsed time from. .PARAMETER Option Specifies the format in which the elapsed time should be returned. Valid values are 'OneLiner' (default) or 'Array'. .PARAMETER Continue Indicates whether the stopwatch should continue running after retrieving the elapsed time. .EXAMPLE $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() # Perform some operations Stop-TimeLog -Time $stopwatch # Output: "0 days, 0 hours, 0 minutes, 5 seconds, 123 milliseconds" .EXAMPLE $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() # Perform some operations Stop-TimeLog -Time $stopwatch -Option Array # Output: ["0 days", "0 hours", "0 minutes", "5 seconds", "123 milliseconds"] #> [CmdletBinding()] param ( [Parameter(ValueFromPipeline = $true)][System.Diagnostics.Stopwatch] $Time, [ValidateSet('OneLiner', 'Array')][string] $Option = 'OneLiner', [switch] $Continue ) Begin { } Process { if ($Option -eq 'Array') { $TimeToExecute = "$($Time.Elapsed.Days) days", "$($Time.Elapsed.Hours) hours", "$($Time.Elapsed.Minutes) minutes", "$($Time.Elapsed.Seconds) seconds", "$($Time.Elapsed.Milliseconds) milliseconds" } else { $TimeToExecute = "$($Time.Elapsed.Days) days, $($Time.Elapsed.Hours) hours, $($Time.Elapsed.Minutes) minutes, $($Time.Elapsed.Seconds) seconds, $($Time.Elapsed.Milliseconds) milliseconds" } } End { if (-not $Continue) { $Time.Stop() } return $TimeToExecute } } function Write-Color { <# .SYNOPSIS Write-Color is a wrapper around Write-Host delivering a lot of additional features for easier color options. .DESCRIPTION Write-Color is a wrapper around Write-Host delivering a lot of additional features for easier color options. It provides: - Easy manipulation of colors, - Logging output to file (log) - Nice formatting options out of the box. - Ability to use aliases for parameters .PARAMETER Text Text to display on screen and write to log file if specified. Accepts an array of strings. .PARAMETER Color Color of the text. Accepts an array of colors. If more than one color is specified it will loop through colors for each string. If there are more strings than colors it will start from the beginning. Available colors are: Black, DarkBlue, DarkGreen, DarkCyan, DarkRed, DarkMagenta, DarkYellow, Gray, DarkGray, Blue, Green, Cyan, Red, Magenta, Yellow, White .PARAMETER BackGroundColor Color of the background. Accepts an array of colors. If more than one color is specified it will loop through colors for each string. If there are more strings than colors it will start from the beginning. Available colors are: Black, DarkBlue, DarkGreen, DarkCyan, DarkRed, DarkMagenta, DarkYellow, Gray, DarkGray, Blue, Green, Cyan, Red, Magenta, Yellow, White .PARAMETER StartTab Number of tabs to add before text. Default is 0. .PARAMETER LinesBefore Number of empty lines before text. Default is 0. .PARAMETER LinesAfter Number of empty lines after text. Default is 0. .PARAMETER StartSpaces Number of spaces to add before text. Default is 0. .PARAMETER LogFile Path to log file. If not specified no log file will be created. .PARAMETER DateTimeFormat Custom date and time format string. Default is yyyy-MM-dd HH:mm:ss .PARAMETER LogTime If set to $true it will add time to log file. Default is $true. .PARAMETER LogRetry Number of retries to write to log file, in case it can't write to it for some reason, before skipping. Default is 2. .PARAMETER Encoding Encoding of the log file. Default is Unicode. .PARAMETER ShowTime Switch to add time to console output. Default is not set. .PARAMETER NoNewLine Switch to not add new line at the end of the output. Default is not set. .PARAMETER NoConsoleOutput Switch to not output to console. Default all output goes to console. .EXAMPLE Write-Color -Text "Red ", "Green ", "Yellow " -Color Red,Green,Yellow .EXAMPLE Write-Color -Text "This is text in Green ", "followed by red ", "and then we have Magenta... ", "isn't it fun? ", "Here goes DarkCyan" -Color Green,Red,Magenta,White,DarkCyan .EXAMPLE Write-Color -Text "This is text in Green ", "followed by red ", "and then we have Magenta... ", "isn't it fun? ", "Here goes DarkCyan" -Color Green,Red,Magenta,White,DarkCyan -StartTab 3 -LinesBefore 1 -LinesAfter 1 .EXAMPLE Write-Color "1. ", "Option 1" -Color Yellow, Green Write-Color "2. ", "Option 2" -Color Yellow, Green Write-Color "3. ", "Option 3" -Color Yellow, Green Write-Color "4. ", "Option 4" -Color Yellow, Green Write-Color "9. ", "Press 9 to exit" -Color Yellow, Gray -LinesBefore 1 .EXAMPLE Write-Color -LinesBefore 2 -Text "This little ","message is ", "written to log ", "file as well." ` -Color Yellow, White, Green, Red, Red -LogFile "C:\testing.txt" -TimeFormat "yyyy-MM-dd HH:mm:ss" Write-Color -Text "This can get ","handy if ", "want to display things, and log actions to file ", "at the same time." ` -Color Yellow, White, Green, Red, Red -LogFile "C:\testing.txt" .EXAMPLE Write-Color -T "My text", " is ", "all colorful" -C Yellow, Red, Green -B Green, Green, Yellow Write-Color -t "my text" -c yellow -b green Write-Color -text "my text" -c red .EXAMPLE Write-Color -Text "Testuję czy się ładnie zapisze, czy będą problemy" -Encoding unicode -LogFile 'C:\temp\testinggg.txt' -Color Red -NoConsoleOutput .NOTES Understanding Custom date and time format strings: https://learn.microsoft.com/en-us/dotnet/standard/base-types/custom-date-and-time-format-strings Project support: https://github.com/EvotecIT/PSWriteColor Original idea: Josh (https://stackoverflow.com/users/81769/josh) #> [alias('Write-Colour')] [CmdletBinding()] param ( [alias ('T')] [String[]]$Text, [alias ('C', 'ForegroundColor', 'FGC')] [ConsoleColor[]]$Color = [ConsoleColor]::White, [alias ('B', 'BGC')] [ConsoleColor[]]$BackGroundColor = $null, [alias ('Indent')][int] $StartTab = 0, [int] $LinesBefore = 0, [int] $LinesAfter = 0, [int] $StartSpaces = 0, [alias ('L')] [string] $LogFile = '', [Alias('DateFormat', 'TimeFormat')][string] $DateTimeFormat = 'yyyy-MM-dd HH:mm:ss', [alias ('LogTimeStamp')][bool] $LogTime = $true, [int] $LogRetry = 2, [ValidateSet('unknown', 'string', 'unicode', 'bigendianunicode', 'utf8', 'utf7', 'utf32', 'ascii', 'default', 'oem')][string]$Encoding = 'Unicode', [switch] $ShowTime, [switch] $NoNewLine, [alias('HideConsole')][switch] $NoConsoleOutput ) if (-not $NoConsoleOutput) { $DefaultColor = $Color[0] if ($null -ne $BackGroundColor -and $BackGroundColor.Count -ne $Color.Count) { Write-Error "Colors, BackGroundColors parameters count doesn't match. Terminated." return } if ($LinesBefore -ne 0) { for ($i = 0; $i -lt $LinesBefore; $i++) { Write-Host -Object "`n" -NoNewline } } if ($StartTab -ne 0) { for ($i = 0; $i -lt $StartTab; $i++) { Write-Host -Object "`t" -NoNewline } } if ($StartSpaces -ne 0) { for ($i = 0; $i -lt $StartSpaces; $i++) { Write-Host -Object ' ' -NoNewline } } if ($ShowTime) { Write-Host -Object "[$([datetime]::Now.ToString($DateTimeFormat))] " -NoNewline } if ($Text.Count -ne 0) { if ($Color.Count -ge $Text.Count) { if ($null -eq $BackGroundColor) { for ($i = 0; $i -lt $Text.Length; $i++) { Write-Host -Object $Text[$i] -ForegroundColor $Color[$i] -NoNewline } } else { for ($i = 0; $i -lt $Text.Length; $i++) { Write-Host -Object $Text[$i] -ForegroundColor $Color[$i] -BackgroundColor $BackGroundColor[$i] -NoNewline } } } else { if ($null -eq $BackGroundColor) { for ($i = 0; $i -lt $Color.Length ; $i++) { Write-Host -Object $Text[$i] -ForegroundColor $Color[$i] -NoNewline } for ($i = $Color.Length; $i -lt $Text.Length; $i++) { Write-Host -Object $Text[$i] -ForegroundColor $DefaultColor -NoNewline } } else { for ($i = 0; $i -lt $Color.Length ; $i++) { Write-Host -Object $Text[$i] -ForegroundColor $Color[$i] -BackgroundColor $BackGroundColor[$i] -NoNewline } for ($i = $Color.Length; $i -lt $Text.Length; $i++) { Write-Host -Object $Text[$i] -ForegroundColor $DefaultColor -BackgroundColor $BackGroundColor[0] -NoNewline } } } } if ($NoNewLine -eq $true) { Write-Host -NoNewline } else { Write-Host } if ($LinesAfter -ne 0) { for ($i = 0; $i -lt $LinesAfter; $i++) { Write-Host -Object "`n" -NoNewline } } } if ($Text.Count -and $LogFile) { $TextToFile = "" for ($i = 0; $i -lt $Text.Length; $i++) { $TextToFile += $Text[$i] } $Saved = $false $Retry = 0 Do { $Retry++ try { if ($LogTime) { "[$([datetime]::Now.ToString($DateTimeFormat))] $TextToFile" | Out-File -FilePath $LogFile -Encoding $Encoding -Append -ErrorAction Stop -WhatIf:$false } else { "$TextToFile" | Out-File -FilePath $LogFile -Encoding $Encoding -Append -ErrorAction Stop -WhatIf:$false } $Saved = $true } catch { if ($Saved -eq $false -and $Retry -eq $LogRetry) { Write-Warning "Write-Color - Couldn't write to log file $($_.Exception.Message). Tried ($Retry/$LogRetry))" } else { Write-Warning "Write-Color - Couldn't write to log file $($_.Exception.Message). Retrying... ($Retry/$LogRetry)" } } } Until ($Saved -eq $true -or $Retry -ge $LogRetry) } } function ConvertTo-OperatingSystem { <# .SYNOPSIS Allows easy conversion of OperatingSystem, Operating System Version to proper Windows 10 naming based on WMI or AD .DESCRIPTION Allows easy conversion of OperatingSystem, Operating System Version to proper Windows 10 naming based on WMI or AD .PARAMETER OperatingSystem Operating System as returned by Active Directory .PARAMETER OperatingSystemVersion Operating System Version as returned by Active Directory .EXAMPLE $Computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion | ForEach-Object { $OPS = ConvertTo-OperatingSystem -OperatingSystem $_.OperatingSystem -OperatingSystemVersion $_.OperatingSystemVersion Add-Member -MemberType NoteProperty -Name 'OperatingSystemTranslated' -Value $OPS -InputObject $_ -Force $_ } $Computers | Select-Object DNS*, Name, SamAccountName, Enabled, OperatingSystem*, DistinguishedName | Format-Table .EXAMPLE $Registry = Get-PSRegistry -ComputerName 'AD1' -RegistryPath 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' ConvertTo-OperatingSystem -OperatingSystem $Registry.ProductName -OperatingSystemVersion $Registry.CurrentBuildNumber .NOTES General notes #> [CmdletBinding()] param( [string] $OperatingSystem, [string] $OperatingSystemVersion ) if ($OperatingSystem -like 'Windows 10*' -or $OperatingSystem -like 'Windows 11*') { $Systems = @{ '10.0 (22621)' = 'Windows 11 22H2' '10.0 (22000)' = 'Windows 11 21H2' '10.0 (19045)' = 'Windows 10 22H2' '10.0 (19044)' = 'Windows 10 21H2' '10.0 (19043)' = 'Windows 10 21H1' '10.0 (19042)' = 'Windows 10 20H2' '10.0 (19041)' = 'Windows 10 2004' '10.0 (18898)' = 'Windows 10 Insider Preview' '10.0 (18363)' = "Windows 10 1909" '10.0 (18362)' = "Windows 10 1903" '10.0 (17763)' = "Windows 10 1809" '10.0 (17134)' = "Windows 10 1803" '10.0 (16299)' = "Windows 10 1709" '10.0 (15063)' = "Windows 10 1703" '10.0 (14393)' = "Windows 10 1607" '10.0 (10586)' = "Windows 10 1511" '10.0 (10240)' = "Windows 10 1507" '10.0.22621' = 'Windows 11 22H2' '10.0.22000' = 'Windows 11 21H2' '10.0.19045' = 'Windows 10 22H2' '10.0.19044' = 'Windows 10 21H2' '10.0.19043' = 'Windows 10 21H1' '10.0.19042' = 'Windows 10 20H2' '10.0.19041' = 'Windows 10 2004' '10.0.18898' = 'Windows 10 Insider Preview' '10.0.18363' = "Windows 10 1909" '10.0.18362' = "Windows 10 1903" '10.0.17763' = "Windows 10 1809" '10.0.17134' = "Windows 10 1803" '10.0.16299' = "Windows 10 1709" '10.0.15063' = "Windows 10 1703" '10.0.14393' = "Windows 10 1607" '10.0.10586' = "Windows 10 1511" '10.0.10240' = "Windows 10 1507" '22621' = 'Windows 11 22H2' '22000' = 'Windows 11 21H2' '19045' = 'Windows 10 22H2' '19044' = 'Windows 10 21H2' '19043' = 'Windows 10 21H1' '19042' = 'Windows 10 20H2' '19041' = 'Windows 10 2004' '18898' = 'Windows 10 Insider Preview' '18363' = "Windows 10 1909" '18362' = "Windows 10 1903" '17763' = "Windows 10 1809" '17134' = "Windows 10 1803" '16299' = "Windows 10 1709" '15063' = "Windows 10 1703" '14393' = "Windows 10 1607" '10586' = "Windows 10 1511" '10240' = "Windows 10 1507" } $System = $Systems[$OperatingSystemVersion] if (-not $System) { $System = $OperatingSystemVersion } } elseif ($OperatingSystem -like 'Windows Server*') { $Systems = @{ '10.0 (20348)' = 'Windows Server 2022' '10.0 (19042)' = 'Windows Server 2019 20H2' '10.0 (19041)' = 'Windows Server 2019 2004' '10.0 (18363)' = 'Windows Server 2019 1909' '10.0 (18362)' = "Windows Server 2019 1903" '10.0 (17763)' = "Windows Server 2019 1809" '10.0 (17134)' = "Windows Server 2016 1803" '10.0 (14393)' = "Windows Server 2016 1607" '6.3 (9600)' = 'Windows Server 2012 R2' '6.1 (7601)' = 'Windows Server 2008 R2' '5.2 (3790)' = 'Windows Server 2003' '10.0.20348' = 'Windows Server 2022' '10.0.19042' = 'Windows Server 2019 20H2' '10.0.19041' = 'Windows Server 2019 2004' '10.0.18363' = 'Windows Server 2019 1909' '10.0.18362' = "Windows Server 2019 1903" '10.0.17763' = "Windows Server 2019 1809" '10.0.17134' = "Windows Server 2016 1803" '10.0.14393' = "Windows Server 2016 1607" '6.3.9600' = 'Windows Server 2012 R2' '6.1.7601' = 'Windows Server 2008 R2' '5.2.3790' = 'Windows Server 2003' '20348' = 'Windows Server 2022' '19042' = 'Windows Server 2019 20H2' '19041' = 'Windows Server 2019 2004' '18363' = 'Windows Server 2019 1909' '18362' = "Windows Server 2019 1903" '17763' = "Windows Server 2019 1809" '17134' = "Windows Server 2016 1803" '14393' = "Windows Server 2016 1607" '9600' = 'Windows Server 2012 R2' '7601' = 'Windows Server 2008 R2' '3790' = 'Windows Server 2003' } $System = $Systems[$OperatingSystemVersion] if (-not $System) { $System = $OperatingSystemVersion } } else { $System = $OperatingSystem } if ($System) { $System } else { 'Unknown' } } function Copy-DictionaryManual { <# .SYNOPSIS Copies a dictionary recursively, handling nested dictionaries and lists. .DESCRIPTION This function copies a dictionary recursively, handling nested dictionaries and lists. It creates a deep copy of the input dictionary, ensuring that modifications to the copied dictionary do not affect the original dictionary. .PARAMETER Dictionary The dictionary to be copied. .EXAMPLE $originalDictionary = @{ 'Key1' = 'Value1' 'Key2' = @{ 'NestedKey1' = 'NestedValue1' } } $copiedDictionary = Copy-DictionaryManual -Dictionary $originalDictionary This example demonstrates how to copy a dictionary with nested values. #> [CmdletBinding()] param( [System.Collections.IDictionary] $Dictionary ) $clone = [ordered] @{} foreach ($Key in $Dictionary.Keys) { $value = $Dictionary.$Key $clonedValue = switch ($Dictionary.$Key) { { $null -eq $_ } { $null continue } { $_ -is [System.Collections.IDictionary] } { Copy-DictionaryManual -Dictionary $_ continue } { $type = $_.GetType() $type.IsPrimitive -or $type.IsValueType -or $_ -is [string] } { $_ continue } default { $_ | Select-Object -Property * } } if ($value -is [System.Collections.IList]) { $clone[$Key] = @($clonedValue) } else { $clone[$Key] = $clonedValue } } $clone } function Get-FileSize { <# .SYNOPSIS Get-FileSize function calculates the file size in human-readable format. .DESCRIPTION This function takes a file size in bytes and converts it into a human-readable format (e.g., KB, MB, GB, etc.). .PARAMETER Bytes Specifies the size of the file in bytes. .EXAMPLE Get-FileSize -Bytes 1024 Output: 1 KB .EXAMPLE Get-FileSize -Bytes 1048576 Output: 1 MB #> [CmdletBinding()] param( $Bytes ) $sizes = 'Bytes,KB,MB,GB,TB,PB,EB,ZB' -split ',' for ($i = 0; ($Bytes -ge 1kb) -and ($i -lt $sizes.Count); $i++) { $Bytes /= 1kb } $N = 2; if ($i -eq 0) { $N = 0 } return "{0:N$($N)} {1}" -f $Bytes, $sizes[$i] } function Get-GitHubLatestRelease { <# .SYNOPSIS Gets one or more releases from GitHub repository .DESCRIPTION Gets one or more releases from GitHub repository .PARAMETER Url Url to github repository .EXAMPLE Get-GitHubLatestRelease -Url "https://api.github.com/repos/evotecit/Testimo/releases" | Format-Table .NOTES General notes #> [CmdLetBinding()] param( [parameter(Mandatory)][alias('ReleasesUrl')][uri] $Url ) $ProgressPreference = 'SilentlyContinue' $Responds = Test-Connection -ComputerName $URl.Host -Quiet -Count 1 if ($Responds) { Try { [Array] $JsonOutput = (Invoke-WebRequest -Uri $Url -ErrorAction Stop | ConvertFrom-Json) foreach ($JsonContent in $JsonOutput) { [PSCustomObject] @{ PublishDate = [DateTime] $JsonContent.published_at CreatedDate = [DateTime] $JsonContent.created_at PreRelease = [bool] $JsonContent.prerelease Version = [version] ($JsonContent.name -replace 'v', '') Tag = $JsonContent.tag_name Branch = $JsonContent.target_commitish Errors = '' } } } catch { [PSCustomObject] @{ PublishDate = $null CreatedDate = $null PreRelease = $null Version = $null Tag = $null Branch = $null Errors = $_.Exception.Message } } } else { [PSCustomObject] @{ PublishDate = $null CreatedDate = $null PreRelease = $null Version = $null Tag = $null Branch = $null Errors = "No connection (ping) to $($Url.Host)" } } $ProgressPreference = 'Continue' } function Test-ComputerPort { <# .SYNOPSIS Tests the connectivity of a computer on specified TCP and UDP ports. .DESCRIPTION The Test-ComputerPort function tests the connectivity of a computer on specified TCP and UDP ports. It checks if the specified ports are open and reachable on the target computer. .PARAMETER ComputerName Specifies the name of the computer to test the port connectivity. .PARAMETER PortTCP Specifies an array of TCP ports to test connectivity. .PARAMETER PortUDP Specifies an array of UDP ports to test connectivity. .PARAMETER Timeout Specifies the timeout value in milliseconds for the connection test. Default is 5000 milliseconds. .EXAMPLE Test-ComputerPort -ComputerName "Server01" -PortTCP 80,443 -PortUDP 53 -Timeout 3000 Tests the connectivity of Server01 on TCP ports 80 and 443, UDP port 53 with a timeout of 3000 milliseconds. .EXAMPLE Test-ComputerPort -ComputerName "Server02" -PortTCP 3389 -PortUDP 123 Tests the connectivity of Server02 on TCP port 3389, UDP port 123 with the default timeout of 5000 milliseconds. #> [CmdletBinding()] param ( [alias('Server')][string[]] $ComputerName, [int[]] $PortTCP, [int[]] $PortUDP, [int]$Timeout = 5000 ) begin { if ($Global:ProgressPreference -ne 'SilentlyContinue') { $TemporaryProgress = $Global:ProgressPreference $Global:ProgressPreference = 'SilentlyContinue' } } process { foreach ($Computer in $ComputerName) { foreach ($P in $PortTCP) { $Output = [ordered] @{ 'ComputerName' = $Computer 'Port' = $P 'Protocol' = 'TCP' 'Status' = $null 'Summary' = $null 'Response' = $null } $TcpClient = Test-NetConnection -ComputerName $Computer -Port $P -InformationLevel Detailed -WarningAction SilentlyContinue if ($TcpClient.TcpTestSucceeded) { $Output['Status'] = $TcpClient.TcpTestSucceeded $Output['Summary'] = "TCP $P Successful" } else { $Output['Status'] = $false $Output['Summary'] = "TCP $P Failed" $Output['Response'] = $Warnings } [PSCustomObject]$Output } foreach ($P in $PortUDP) { $Output = [ordered] @{ 'ComputerName' = $Computer 'Port' = $P 'Protocol' = 'UDP' 'Status' = $null 'Summary' = $null } $UdpClient = [System.Net.Sockets.UdpClient]::new($Computer, $P) $UdpClient.Client.ReceiveTimeout = $Timeout $Encoding = [System.Text.ASCIIEncoding]::new() $byte = $Encoding.GetBytes("Evotec") [void]$UdpClient.Send($byte, $byte.length) $RemoteEndpoint = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0) try { $Bytes = $UdpClient.Receive([ref]$RemoteEndpoint) [string]$Data = $Encoding.GetString($Bytes) If ($Data) { $Output['Status'] = $true $Output['Summary'] = "UDP $P Successful" $Output['Response'] = $Data } } catch { $Output['Status'] = $false $Output['Summary'] = "UDP $P Failed" $Output['Response'] = $_.Exception.Message } $UdpClient.Close() $UdpClient.Dispose() [PSCustomObject]$Output } } } end { if ($TemporaryProgress) { $Global:ProgressPreference = $TemporaryProgress } } } function Test-WinRM { <# .SYNOPSIS Tests the WinRM connectivity on the specified computers. .DESCRIPTION The Test-WinRM function tests the WinRM connectivity on the specified computers and returns the status of the connection. .PARAMETER ComputerName Specifies the names of the computers to test WinRM connectivity on. .EXAMPLE Test-WinRM -ComputerName "Server01", "Server02" Tests the WinRM connectivity on Server01 and Server02. .EXAMPLE Test-WinRM -ComputerName "Server03" Tests the WinRM connectivity on Server03. #> [CmdletBinding()] param ( [alias('Server')][string[]] $ComputerName ) $Output = foreach ($Computer in $ComputerName) { $Test = [PSCustomObject] @{ Output = $null Status = $null ComputerName = $Computer } try { $Test.Output = Test-WSMan -ComputerName $Computer -ErrorAction Stop $Test.Status = $true } catch { $Test.Status = $false } $Test } $Output } function Add-ManagerInformation { [CmdletBinding()] param( [System.Collections.IDictionary] $SummaryDictionary, [string] $Type, [string] $ManagerType, [Object] $Key, [PSCustomObject] $User, [PSCustomObject] $Rule, [System.Collections.IDictionary] $Entra ) if ($Key) { if ($Entra.Enabled) { $UserSearchString = $User.UserPrincipalName if ($Key -is [string]) { $KeyDN = $Key } else { $KeyDN = $Key.AdditionalProperties.displayName } } else { $UserSearchString = $User.DistinguishedName if ($Key -is [string]) { $KeyDN = $Key } else { $KeyDN = $Key.DisplayName } } if (-not $SummaryDictionary[$KeyDN]) { $SummaryDictionary[$KeyDN] = [ordered] @{ Manager = $Key ManagerDefault = [ordered] @{} ManagerNotCompliant = [ordered] @{} Security = [ordered] @{} } } $SummaryDictionary[$KeyDN][$Type][$UserSearchString] = [ordered] @{ Manager = $User.ManagerDN User = $User Rule = $Rule ManagerOption = $Type Output = [ordered] @{} } $Default = [ordered] @{ DisplayName = $User.DisplayName Enabled = $User.Enabled SamAccountName = $User.SamAccountName Domain = $User.Domain DateExpiry = $User.DateExpiry DaysToExpire = $User.DaysToExpire PasswordLastSet = $User.PasswordLastSet PasswordExpired = $User.PasswordExpired } if ($Type -ne 'ManagerDefault') { $Extended = [ordered] @{ 'Status' = $ManagerType 'Manager' = $User.Manager 'Manager Email' = $User.ManagerEmail } $SummaryDictionary[$KeyDN][$Type][$UserSearchString]['Output'] = [PSCustomObject] ( $Extended + $Default) } else { $SummaryDictionary[$KeyDN][$Type][$UserSearchString]['Output'] = [PSCustomObject] $Default } } } function Add-ParametersToString { <# .SYNOPSIS Short description .DESCRIPTION Long description .PARAMETER String Parameter description .PARAMETER Parameter Parameter description .EXAMPLE $Test = 'this is a string $Test - and $Test2 AND $tEST3' Add-ParametersToString -String $Test -Parameter @{ Testooo = 'sdsds' Test = 'oh my god' Test2 = 'ole ole' TEST3 = '56555' } .NOTES General notes #> [CmdletBinding()] param( [string] $String, [System.Collections.IDictionary] $Parameter ) $Sorted = $Parameter.Keys | Sort-Object { $_.length } -Descending foreach ($Key in $Sorted) { $String = $String -ireplace [Regex]::Escape("`$$Key"), $Parameter[$Key] } $String } function Export-SearchInformation { [CmdletBinding()] param( [string] $SearchPath, [System.Collections.IDictionary] $SummarySearch, [string] $Today, [Array] $SummaryUsersEmails, [Array] $SummaryManagersEmails, [Array] $SummaryEscalationEmails ) if ($SearchPath) { Write-Color -Text "[i]" , " Saving Search report " -Color White, Yellow, Green if ($SummaryUsersEmails) { $SummarySearch['EmailSent'][$Today] += $SummaryUsersEmails } if ($SummaryEscalationEmails) { $SummarySearch['EmailEscalations'][$Today] += $SummaryEscalationEmails } if ($SummaryManagersEmails) { $SummarySearch['EmailManagers'][$Today] += $SummaryManagersEmails } try { $SummarySearch | Export-Clixml -LiteralPath $SearchPath -ErrorAction Stop } catch { Write-Color -Text "[e]", " Couldn't save to file $SearchPath", ". Error: ", $_.Exception.Message -Color White, Yellow, White, Yellow, White, Yellow, White } Write-Color -Text "[i]" , " Saving Search report ", "Done" -Color White, Yellow, Green } } function Import-SearchInformation { [CmdletBinding()] param( [string] $SearchPath ) if ($SearchPath) { if (Test-Path -LiteralPath $SearchPath) { try { Write-Color -Text "[i]", " Loading file ", $SearchPath -Color White, Yellow, White, Yellow, White, Yellow, White $SummarySearch = Import-Clixml -LiteralPath $SearchPath -ErrorAction Stop } catch { Write-Color -Text "[e]", " Couldn't load the file $SearchPath", ". Skipping...", $_.Exception.Message -Color White, Yellow, White, Yellow, White, Yellow, White } } } if (-not $SummarySearch) { $SummarySearch = [ordered] @{ EmailSent = [ordered] @{} EmailManagers = [ordered] @{} EmailEscalations = [ordered] @{} } } $SummarySearch } function Invoke-PasswordRuleProcessing { [CmdletBinding()] param( [System.Collections.IDictionary] $Rule, [System.Collections.IDictionary] $Summary, [System.Collections.IDictionary] $CachedUsers, [System.Collections.IDictionary] $AllSkipped, [System.Collections.IDictionary] $Locations, [System.Collections.IDictionary] $Logging, [System.Collections.IDictionary] $UsersExternalSystem, [DateTime] $TodayDate, [System.Collections.IDictionary] $Entra ) if ($Rule.Enable -eq $true) { Write-Color -Text "[i]", " Processing rule ", $Rule.Name, ' status: ', $Rule.Enable -Color Yellow, White, Green, White, Green, White, Green, White if (-not $Summary['Rules'][$Rule.Name] ) { $Summary['Rules'][$Rule.Name] = [ordered] @{} } $Rule.Reminders = $Rule.Reminders | ForEach-Object { $_ } foreach ($User in $CachedUsers.Values) { if ($Entra.Enabled) { $UserSearchString = $User.UserPrincipalName } else { $UserSearchString = $User.DistinguishedName } if ($User.Enabled -eq $false) { continue } if ($Rule.ExcludeOU.Count -gt 0) { $FoundOU = $false foreach ($OU in $Rule.ExcludeOU) { if ($User.OrganizationalUnit -like $OU) { $FoundOU = $true break } } if ($FoundOU) { continue } } if ($Rule.IncludeOU.Count -gt 0) { $FoundOU = $false foreach ($OU in $Rule.IncludeOU) { if ($User.OrganizationalUnit -like $OU) { $FoundOU = $true break } } if (-not $FoundOU) { continue } } if ($Rule.ExcludeGroup.Count -gt 0) { $FoundGroup = $false foreach ($Group in $Rule.ExcludeGroup) { if ($User.MemberOf -contains $Group) { $FoundGroup = $true break } } if ($FoundGroup) { continue } } if ($Rule.IncludeGroup.Count -gt 0) { $FoundGroup = $false foreach ($Group in $Rule.IncludeGroup) { if ($User.MemberOf -contains $Group) { $FoundGroup = $true break } } if (-not $FoundGroup) { continue } } if ($Rule.IncludeName.Count -gt 0) { $IncludeName = $false foreach ($Name in $Rule.IncludeName) { foreach ($Property in $Rule.IncludeNameProperties) { if ($User.$Property -like $Name) { $IncludeName = $true break } } if ($IncludeName) { break } } if (-not $IncludeName) { continue } } if ($Rule.ExcludeName.Count -gt 0) { $ExcludeName = $false foreach ($Name in $Rule.ExcludeName) { foreach ($Property in $Rule.ExcludeNameProperties) { if ($User.$Property -like $Name) { $ExcludeName = $true break } } if ($ExcludeName) { break } } if ($ExcludeName) { continue } } if ($Summary['Notify'][$UserSearchString] -and $Summary['Notify'][$UserSearchString].ProcessManagersOnly -ne $true) { continue } if ($Rule.IncludePasswordNeverExpires -and $Rule.IncludeExpiring) { if ($User.PasswordNeverExpires -eq $true) { $DaysToPasswordExpiry = $Rule.PasswordNeverExpiresDays - $User.PasswordDays $User.DaysToExpire = $DaysToPasswordExpiry } } elseif ($Rule.IncludeExpiring) { if ($User.PasswordNeverExpires -eq $true) { continue } } elseif ($Rule.IncludePasswordNeverExpires) { if ($User.PasswordNeverExpires -eq $true) { $DaysToPasswordExpiry = $Rule.PasswordNeverExpiresDays - $User.PasswordDays $User.DaysToExpire = $DaysToPasswordExpiry } else { continue } } else { Write-Color -Text "[i]", " Processing rule ", $Rule.Name, " doesn't include IncludePasswordNeverExpires nor IncludeExpiring so skipping." -Color Yellow, White, Green, White, Green, White, Green, White continue } if ($null -eq $User.DaysToExpire) { if ($Logging.NotifyOnUserDaysToExpireNull) { Write-Color -Text @( "[i]", " User ", $User.DisplayName, " (", $User.UserPrincipalName, ")", " days to expire not set. ", "(", "Password Last Set: ", $User.PasswordLastSet, ")", " (Password at next logon: ", $User.PasswordAtNextLogon, ")" ) -Color Yellow, White, Yellow, White, Yellow, White, White, White, Yellow, DarkCyan, White, Yellow, DarkCyan, White } $AllSkipped[$UserSearchString] = $User $Location = $User.OrganizationalUnit if (-not $Location) { $Location = 'Default' } if (-not $Locations[$Location]) { $Locations[$Location] = [PSCustomObject] @{ Location = $Location Count = 0 CountExpired = 0 Names = [System.Collections.Generic.List[string]]::new() NamesExpired = [System.Collections.Generic.List[string]]::new() } } if ($User.PasswordExpired) { $Locations[$Location].CountExpired++ $Locations[$Location].NamesExpired.Add($User.SamAccountName) } else { $Locations[$Location].Count++ $Locations[$Location].Names.Add($User.SamAccountName) } } if ($null -ne $User.DaysToExpire -and $User.DaysToExpire -in $Rule.Reminders) { if (-not $Rule.ProcessManagersOnly) { if ($Logging.NotifyOnUserMatchingRule) { Write-Color -Text "[i]", " User ", $User.DisplayName, " (", $User.UserPrincipalName, ")", " days to expire: ", $User.DaysToExpire, " " -Color Yellow, White, Yellow, White, Yellow, White, White, Blue } if ($Rule.OverwriteEmailProperty) { $NewPropertyWithEmail = $Rule.OverwriteEmailProperty if ($NewPropertyWithEmail -and $User.$NewPropertyWithEmail) { $User.EmailAddress = $User.$NewPropertyWithEmail } } if ($Rule.OverwriteEmailFromExternalUsers) { $ExternalUser = $null $ADProperty = $UsersExternalSystem.ActiveDirectoryProperty $EmailProperty = $UsersExternalSystem.EmailProperty $ExternalUser = $UsersExternalSystem['Users'][$User.$ADProperty] if ($ExternalUser -and $ExternalUser.$EmailProperty -like '*@*') { $User.EmailAddress = $ExternalUser.$EmailProperty } } $Summary['Notify'][$UserSearchString] = [ordered] @{ User = $User Rule = $Rule ProcessManagersOnly = $Rule.ProcessManagersOnly } if ($Summary['Rules'][$Rule.Name][$UserSearchString]) { $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleOptions.Add('User') $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleName = $Rule.Name } else { $Summary['Rules'][$Rule.Name][$UserSearchString] = [ordered] @{ User = $User Rule = $Rule ProcessManagersOnly = $Rule.ProcessManagersOnly } $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleOptions.Add('User') $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleName = $Rule.Name } } } if ($Rule.OverwriteManagerProperty) { $NewPropertyWithManager = $Rule.OverwriteManagerProperty if ($NewPropertyWithManager -and $User.$NewPropertyWithManager) { $NewManager = $CachedUsers[$User.$NewPropertyWithManager] if ($NewManager -and $NewManager.Mail -like "*@*") { $User.ManagerEmail = $NewManager.Mail $User.Manager = $NewManager.DisplayName $User.ManagerSamAccountName = $NewManager.SamAccountName $User.ManagerEnabled = $NewManager.Enabled $User.ManagerLastLogon = $NewManager.LastLogonDate if ($User.ManagerLastLogon) { $User.ManagerLastLogonDays = $( - $($User.ManagerLastLogon - $Today).Days) } else { $User.ManagerLastLogonDays = $null } $User.ManagerType = $NewManager.ObjectClass $User.ManagerDN = $NewManager.DistinguishedName } } } if ($null -ne $User.DaysToExpire -and $Rule.SendToManager) { if ($Rule.SendToManager.Manager -and $Rule.SendToManager.Manager.Enable -eq $true -and $User.ManagerStatus -eq 'Enabled' -and $User.ManagerEmail -like "*@*") { $SendToManager = $true if ($Rule.SendToManager.Manager.IncludeOU.Count -gt 0) { $FoundOU = $false foreach ($OU in $Rule.SendToManager.Manager.IncludeOU) { if ($User.OrganizationalUnit -like $OU) { $FoundOU = $true break } } if (-not $FoundOU) { $SendToManager = $false } } if ($SendToManager -and $Rule.SendToManager.Manager.ExcludeOU.Count -gt 0) { $FoundOU = $false foreach ($OU in $Rule.SendToManager.Manager.ExcludeOU) { if ($User.OrganizationalUnit -like $OU) { $FoundOU = $true break } } if ($FoundOU) { $SendToManager = $false } } if ($SendToManager -and $Rule.SendToManager.Manager.ExcludeGroup.Count -gt 0) { $FoundGroup = $false foreach ($Group in $Rule.SendToManager.Manager.ExcludeGroup) { if ($User.MemberOf -contains $Group) { $FoundGroup = $true break } } if ($FoundGroup) { $SendToManager = $false } } if ($SendToManager -and $Rule.SendToManager.Manager.IncludeGroup.Count -gt 0) { $FoundGroup = $false foreach ($Group in $Rule.SendToManager.Manager.IncludeGroup) { if ($User.MemberOf -contains $Group) { $FoundGroup = $true break } } if (-not $FoundGroup) { $SendToManager = $false } } if ($SendToManager) { $SendToManager = $false if ($Rule.SendToManager.Manager.Reminders.Default.Enable -eq $true -and $null -eq $Rule.SendToManager.Manager.Reminders.Default.Reminder -and $User.DaysToExpire -in $Rule.Reminders) { $SendToManager = $true } elseif ($Rule.SendToManager.Manager.Reminders.Default.Enable -eq $true -and $Rule.SendToManager.Manager.Reminders.Default.Reminder -and $User.DaysToExpire -in $Rule.SendToManager.Manager.Reminders.Default.Reminder) { $SendToManager = $true } if (-not $SendToManager -and $Rule.SendToManager.Manager.Reminders.OnDay -and $Rule.SendToManager.Manager.Reminders.OnDay.Enable -eq $true) { foreach ($Day in $Rule.SendToManager.Manager.Reminders.OnDay.Days) { if ($Day -eq "$($TodayDate.DayOfWeek)") { if ($Rule.SendToManager.Manager.Reminders.OnDay.ComparisonType -eq 'lt') { if ($User.DaysToExpire -lt $Rule.SendToManager.Manager.Reminders.OnDay.Reminder) { $SendToManager = $true break } } elseif ($Rule.SendToManager.Manager.Reminders.OnDay.ComparisonType -eq 'gt') { if ($User.DaysToExpire -gt $Rule.SendToManager.Manager.Reminders.OnDay.Reminder) { $SendToManager = $true break } } elseif ($Rule.SendToManager.Manager.Reminders.OnDay.ComparisonType -eq 'eq') { if ($User.DaysToExpire -eq $Rule.SendToManager.Manager.Reminders.OnDay.Reminder) { $SendToManager = $true break } } elseif ($Rule.SendtoManager.Manager.Reminders.OnDay.ComparisonType -eq 'in') { if ($User.DaysToExpire -in $Rule.SendToManager.Manager.Reminders.OnDay.Reminder) { $SendToManager = $true break } } } } } if (-not $SendToManager -and $Rule.SendToManager.Manager.Reminders.OnDayOfMonth -and $Rule.SendToManager.Manager.Reminders.OnDayOfMonth.Enable -eq $true) { foreach ($Day in $Rule.SendToManager.Manager.Reminders.OnDayOfMonth.Days) { if ($Day -eq $TodayDate.Day) { if ($Rule.SendToManager.Manager.Reminders.OnDayOfMonth.ComparisonType -eq 'lt') { if ($User.DaysToExpire -lt $Rule.SendToManager.Manager.Reminders.OnDayOfMonth.Reminder) { $SendToManager = $true break } } elseif ($Rule.SendToManager.Manager.Reminders.OnDayOfMonth.ComparisonType -eq 'gt') { if ($User.DaysToExpire -gt $Rule.SendToManager.Manager.Reminders.OnDayOfMonth.Reminder) { $SendToManager = $true break } } elseif ($Rule.SendToManager.Manager.Reminders.OnDayOfMonth.ComparisonType -eq 'eq') { if ($User.DaysToExpire -eq $Rule.SendToManager.Manager.Reminders.OnDayOfMonth.Reminder) { $SendToManager = $true break } } elseif ($Rule.SendtoManager.Manager.Reminders.OnDayOfMonth.ComparisonType -eq 'in') { if ($User.DaysToExpire -in $Rule.SendToManager.Manager.Reminders.OnDayOfMonth.Reminder) { $SendToManager = $true break } } } } } if ($SendToManager) { if ($Logging.NotifyOnUserMatchingRuleForManager) { Write-Color -Text "[i]", " User (manager rule) ", $User.DisplayName, " (", $User.UserPrincipalName, ")", " days to expire: ", $User.DaysToExpire, " " -Color Yellow, White, Yellow, White, Yellow, White, White, Blue } if ($Summary['Rules'][$Rule.Name][$UserSearchString]) { $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleOptions.Add('Manager') $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleName = $Rule.Name } else { $Summary['Rules'][$Rule.Name][$UserSearchString] = [ordered] @{ User = $User Rule = $Rule ProcessManagersOnly = $Rule.ProcessManagersOnly } $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleOptions.Add('Manager') $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleName = $Rule.Name } $Splat = [ordered] @{ SummaryDictionary = $Summary['NotifyManager'] Type = 'ManagerDefault' ManagerType = 'Ok' Key = $User.ManagerDN User = $User Rule = $Rule Entra = $Entra } Add-ManagerInformation @Splat } } } else { if ($Rule.SendToManager.Manager -and $Rule.SendToManager.Manager.Enable -eq $true) { if ($Logging.NotifyOnUserMatchingRuleForManagerButNotCompliant) { Write-Color -Text "[i]", " User (manager rule) ", $User.DisplayName, " (", $User.UserPrincipalName, ")", " days to expire: ", $User.DaysToExpire, ", manager status: ", $User.ManagerStatus, ". Reason to skip: ", "No manager or manager is not enabled or manager has no email " -Color Yellow, White, Yellow, White, Yellow, White, White, Red, White, Red, White, Red } } } } if ($Rule.SendToManager -and $Rule.SendToManager.ManagerNotCompliant -and $Rule.SendToManager.ManagerNotCompliant.Enable -eq $true -and $Rule.SendToManager.ManagerNotCompliant.Manager) { if ($Rule.SendToManager.ManagerNotCompliant -and $Rule.SendToManager.ManagerNotCompliant.Enable -and $Rule.SendToManager.ManagerNotCompliant.Manager) { $ManagerNotCompliant = $true if ($Rule.SendToManager.ManagerNotCompliant.IncludeOU.Count -gt 0) { $FoundOU = $false foreach ($OU in $Rule.SendToManager.ManagerNotCompliant.IncludeOU) { if ($User.OrganizationalUnit -like $OU) { $FoundOU = $true break } } if (-not $FoundOU) { $ManagerNotCompliant = $false } } if ($ManagerNotCompliant -and $Rule.SendToManager.ManagerNotCompliant.ExcludeOU.Count -gt 0) { $FoundOU = $false foreach ($OU in $Rule.SendToManager.ManagerNotCompliant.ExcludeOU) { if ($User.OrganizationalUnit -like $OU) { $FoundOU = $true break } } if ($FoundOU) { $ManagerNotCompliant = $false } } if ($ManagerNotCompliant -and $Rule.SendToManager.ManagerNotCompliant.ExcludeGroup.Count -gt 0) { $FoundGroup = $false foreach ($Group in $Rule.SendToManager.ManagerNotCompliant.ExcludeGroup) { if ($User.MemberOf -contains $Group) { $FoundGroup = $true break } } if ($FoundGroup) { $ManagerNotCompliant = $false } } if ($ManagerNotCompliant -and $Rule.SendToManager.ManagerNotCompliant.IncludeGroup.Count -gt 0) { $FoundGroup = $false foreach ($Group in $Rule.SendToManager.ManagerNotCompliant.IncludeGroup) { if ($User.MemberOf -contains $Group) { $FoundGroup = $true break } } if (-not $FoundGroup) { $ManagerNotCompliant = $false } } if ($Rule.SendToManager.ManagerNotCompliant.Reminders) { $ManagerNotCompliant = $false if ($Rule.SendToManager.ManagerNotCompliant.Reminders.Default -and $Rule.SendToManager.ManagerNotCompliant.Reminders.Default.Enable -eq $true) { $Rule.SendToManager.ManagerNotCompliant.Reminders.Default.Reminder = $Rule.SendToManager.ManagerNotCompliant.Reminders.Default.Reminder | ForEach-Object { $_ } if ($User.DaysToExpire -in $Rule.SendToManager.ManagerNotCompliant.Reminders.Default.Reminder) { $ManagerNotCompliant = $true } } if ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay -and $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.Enable -eq $true) { foreach ($Day in $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.Days) { if ($Day -eq "$($TodayDate.DayOfWeek)") { if ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.ComparisonType -eq 'lt') { if ($User.DaysToExpire -lt $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.Reminder) { $ManagerNotCompliant = $true break } } elseif ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.ComparisonType -eq 'gt') { if ($User.DaysToExpire -gt $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.Reminder) { $ManagerNotCompliant = $true break } } elseif ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.ComparisonType -eq 'eq') { if ($User.DaysToExpire -eq $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.Reminder) { $ManagerNotCompliant = $true break } } elseif ($Rule.SendtoManager.ManagerNotCompliant.Reminders.OnDay.ComparisonType -eq 'in') { if ($User.DaysToExpire -in $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.Reminder) { $ManagerNotCompliant = $true break } } } } } if ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth -and $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.Enable -eq $true) { foreach ($Day in $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.Days) { if ($Day -eq $TodayDate.Day) { if ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.ComparisonType -eq 'lt') { if ($User.DaysToExpire -lt $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.Reminder) { $ManagerNotCompliant = $true break } } elseif ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.ComparisonType -eq 'gt') { if ($User.DaysToExpire -gt $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.Reminder) { $ManagerNotCompliant = $true break } } elseif ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.ComparisonType -eq 'eq') { if ($User.DaysToExpire -eq $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.Reminder) { $ManagerNotCompliant = $true break } } elseif ($Rule.SendtoManager.ManagerNotCompliant.Reminders.OnDayOfMonth.ComparisonType -eq 'in') { if ($User.DaysToExpire -in $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.Reminder) { $ManagerNotCompliant = $true break } } } } } } if ($ManagerNotCompliant -eq $true) { $ManagerNotCompliantMatched = $false if ($Rule.SendToManager.ManagerNotCompliant.MissingEmail -and $User.ManagerStatus -in 'Enabled, bad email', 'No email') { $Splat = [ordered] @{ SummaryDictionary = $Summary['NotifyManager'] Type = 'ManagerNotCompliant' ManagerType = if ($User.ManagerStatus -eq 'Enabled, bad email') { 'Manager has bad email' } else { 'Manager has no email' } Key = $Rule.SendToManager.ManagerNotCompliant.Manager User = $User Rule = $Rule } Add-ManagerInformation @Splat $ManagerNotCompliantMatched = $true } elseif ($Rule.SendToManager.ManagerNotCompliant.Disabled -and $User.ManagerStatus -eq 'Disabled') { $Splat = [ordered] @{ SummaryDictionary = $Summary['NotifyManager'] Type = 'ManagerNotCompliant' ManagerType = 'Manager disabled' Key = $Rule.SendToManager.ManagerNotCompliant.Manager User = $User Rule = $Rule } Add-ManagerInformation @Splat $ManagerNotCompliantMatched = $true } elseif ($Rule.SendToManager.ManagerNotCompliant.LastLogon -and $User.ManagerLastLogonDays -ge $Rule.SendToManager.ManagerNotCompliant.LastLogonDays) { $Splat = [ordered] @{ SummaryDictionary = $Summary['NotifyManager'] Type = 'ManagerNotCompliant' ManagerType = 'Manager not logging in' Key = $Rule.SendToManager.ManagerNotCompliant.Manager User = $User Rule = $Rule } Add-ManagerInformation @Splat $ManagerNotCompliantMatched = $true } elseif ($Rule.SendToManager.ManagerNotCompliant.Missing -and $User.ManagerStatus -eq 'Missing') { $Splat = [ordered] @{ SummaryDictionary = $Summary['NotifyManager'] Type = 'ManagerNotCompliant' ManagerType = 'Manager not set' Key = $Rule.SendToManager.ManagerNotCompliant.Manager User = $User Rule = $Rule } Add-ManagerInformation @Splat $ManagerNotCompliantMatched = $true } if ($ManagerNotCompliantMatched) { if ($Logging.NotifyOnUserMatchingRuleForManagerNotCompliant) { Write-Color -Text "[i]", " User (manager not compliant rule) ", $User.DisplayName, " (", $User.UserPrincipalName, ")", " days to expire: ", $User.DaysToExpire, " " -Color Yellow, White, Yellow, White, Yellow, White, White, Blue } if ($Summary['Rules'][$Rule.Name][$UserSearchString]) { $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleOptions.Add('Manager Not Compliant') $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleName = $Rule.Name } else { $Summary['Rules'][$Rule.Name][$UserSearchString] = [ordered] @{ User = $User Rule = $Rule ProcessManagersOnly = $Rule.ProcessManagersOnly } $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleOptions.Add('Manager Not Compliant') $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleName = $Rule.Name } } else { if ($User.ManagerStatus -eq 'Enabled') { } else { if ($Logging.NotifyOnUserMatchingRuleForManagerNotCompliant) { Write-Color -Text "[i]", " User (manager not compliant rule not processed) ", $User.DisplayName, " (", $User.UserPrincipalName, ")", " days to expire: ", $User.DaysToExpire, " manager status: ", $User.ManagerStatus -Color Yellow, White, Yellow, White, Yellow, White, White, Blue } } } } } } if ($null -ne $User.DaysToExpire -and $Rule.SendToManager -and $Rule.SendToManager.SecurityEscalation -and $Rule.SendToManager.SecurityEscalation.Enable -eq $true -and $Rule.SendToManager.SecurityEscalation.Manager) { $SecurityEscalation = $true if ($Rule.SendToManager.SecurityEscalation.IncludeOU.Count -gt 0) { $FoundOU = $false foreach ($OU in $Rule.SendToManager.SecurityEscalation.IncludeOU) { if ($User.OrganizationalUnit -like $OU) { $FoundOU = $true break } } if (-not $FoundOU) { $SecurityEscalation = $false } } if ($SecurityEscalation -and $Rule.SendToManager.SecurityEscalation.ExcludeOU.Count -gt 0) { $FoundOU = $false foreach ($OU in $Rule.SendToManager.SecurityEscalation.ExcludeOU) { if ($User.OrganizationalUnit -like $OU) { $FoundOU = $true break } } if ($FoundOU) { $SecurityEscalation = $false } } if ($SecurityEscalation -and $Rule.SendToManager.SecurityEscalation.ExcludeGroup.Count -gt 0) { $FoundGroup = $false foreach ($Group in $Rule.SendToManager.SecurityEscalation.ExcludeGroup) { if ($User.MemberOf -contains $Group) { $FoundGroup = $true break } } if ($FoundGroup) { $SecurityEscalation = $false } } if ($SecurityEscalation -and $Rule.SendToManager.SecurityEscalation.IncludeGroup.Count -gt 0) { $FoundGroup = $false foreach ($Group in $Rule.SendToManager.SecurityEscalation.IncludeGroup) { if ($User.MemberOf -contains $Group) { $FoundGroup = $true break } } if (-not $FoundGroup) { $SecurityEscalation = $false } } if ($Rule.SendToManager.SecurityEscalation.Reminders) { $SecurityEscalation = $false if ($Rule.SendToManager.SecurityEscalation.Reminders.Default -and $Rule.SendToManager.SecurityEscalation.Reminders.Default.Enable -eq $true) { $Rule.SendToManager.SecurityEscalation.Reminders.Default.Reminder = $Rule.SendToManager.SecurityEscalation.Reminders.Default.Reminder | ForEach-Object { $_ } if ($User.DaysToExpire -in $Rule.SendToManager.SecurityEscalation.Reminders.Default.Reminder) { $SecurityEscalation = $true } } if ($Rule.SendToManager.SecurityEscalation.Reminders.OnDay -and $Rule.SendToManager.SecurityEscalation.Reminders.OnDay.Enable -eq $true) { foreach ($Day in $Rule.SendToManager.SecurityEscalation.Reminders.OnDay.Days) { if ($Day -eq "$($TodayDate.DayOfWeek)") { if ($Rule.SendToManager.SecurityEscalation.Reminders.OnDay.ComparisonType -eq 'lt') { if ($User.DaysToExpire -lt $Rule.SendToManager.SecurityEscalation.Reminders.OnDay.Reminder) { $SecurityEscalation = $true break } } elseif ($Rule.SendToManager.SecurityEscalation.Reminders.OnDay.ComparisonType -eq 'gt') { if ($User.DaysToExpire -gt $Rule.SendToManager.SecurityEscalation.Reminders.OnDay.Reminder) { $SecurityEscalation = $true break } } elseif ($Rule.SendToManager.SecurityEscalation.Reminders.OnDay.ComparisonType -eq 'eq') { if ($User.DaysToExpire -eq $Rule.SendToManager.SecurityEscalation.Reminders.OnDay.Reminder) { $SecurityEscalation = $true break } } elseif ($Rule.SendtoManager.SecurityEscalation.Reminders.OnDay.ComparisonType -eq 'in') { if ($User.DaysToExpire -in $Rule.SendToManager.SecurityEscalation.Reminders.OnDay.Reminder) { $SecurityEscalation = $true break } } } } } if ($Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth -and $Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.Enable -eq $true) { foreach ($Day in $Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.Days) { if ($Day -eq $TodayDate.Day) { if ($Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.ComparisonType -eq 'lt') { if ($User.DaysToExpire -lt $Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.Reminder) { $SecurityEscalation = $true break } } elseif ($Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.ComparisonType -eq 'gt') { if ($User.DaysToExpire -gt $Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.Reminder) { $SecurityEscalation = $true break } } elseif ($Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.ComparisonType -eq 'eq') { if ($User.DaysToExpire -eq $Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.Reminder) { $SecurityEscalation = $true break } } elseif ($Rule.SendtoManager.SecurityEscalation.Reminders.OnDayOfMonth.ComparisonType -eq 'in') { if ($User.DaysToExpire -in $Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.Reminder) { $SecurityEscalation = $true break } } } } } } if ($SecurityEscalation) { if ($Logging.NotifyOnUserMatchingRuleForSecurityEscalation) { Write-Color -Text "[i]", " User (security escalation) ", $User.DisplayName, " (", $User.UserPrincipalName, ")", " days to expire: ", $User.DaysToExpire, " " -Color Yellow, White, Yellow, White, Yellow, White, White, Blue } if ($Summary['Rules'][$Rule.Name][$UserSearchString]) { $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleOptions.Add('Security esclation') $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleName = $Rule.Name } else { $Summary['Rules'][$Rule.Name][$UserSearchString] = [ordered] @{ User = $User Rule = $Rule ProcessManagersOnly = $Rule.ProcessManagersOnly } $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleOptions.Add('Security esclation') $Summary['Rules'][$Rule.Name][$UserSearchString].User.RuleName = $Rule.Name } $Splat = [ordered] @{ SummaryDictionary = $Summary['NotifySecurity'] Type = 'Security' ManagerType = 'Escalation' Key = $Rule.SendToManager.SecurityEscalation.Manager User = $User Rule = $Rule } Add-ManagerInformation @Splat } } } } else { if ($null -ne $Rule.Name -and $null -ne $Rule.Enable) { Write-Color -Text "[i]", " Processing rule ", $Rule.Name, ' status: ', $Rule.Enable -Color Red, White, Red, White, Red, White, Red, White } } } function New-HTMLReport { [CmdletBinding()] param( [System.Collections.IDictionary] $Report, [System.Collections.IDictionary] $EmailParameters, [System.Collections.IDictionary] $Logging, [string] $SearchPath, [Array] $Rules, [System.Collections.IDictionary] $UserSection, [System.Collections.IDictionary] $ManagerSection, [System.Collections.IDictionary] $SecuritySection, [System.Collections.IDictionary] $AdminSection, [System.Collections.IDictionary] $CachedUsers, [System.Collections.IDictionary] $Summary, [Array] $SummaryUsersEmails, [Array] $SummaryManagersEmails, [Array] $SummaryEscalationEmails, [System.Collections.IDictionary] $SummarySearch, [System.Collections.IDictionary] $Locations, [System.Collections.IDictionary] $AllSkipped, [System.Collections.IDictionary] $ExternalSystemReplacements ) $TranslateOperators = @{ 'lt' = 'Less than' 'gt' = 'Greater than' 'eq' = 'Equal to' 'ne' = 'Not equal to' 'le' = 'Less than or equal to' 'ge' = 'Greater than or equal to' 'in' = 'In' } Write-Color -Text "[i]", " Generating HTML report ", $Report.Title -Color White, Yellow, Green if ($Report.DisableWarnings -eq $true) { $WarningAction = 'SilentlyContinue' } else { $WarningAction = 'Continue' } if (-not $Report.Title) { $Report.Title = "Password Solution Report" } New-HTML { New-HTMLTabStyle -BorderRadius 0px -TextTransform capitalize -BackgroundColorActive SlateGrey New-HTMLSectionStyle -BorderRadius 0px -HeaderBackGroundColor Grey -RemoveShadow New-HTMLPanelStyle -BorderRadius 0px New-HTMLTableOption -DataStore JavaScript -BoolAsString -ArrayJoinString ', ' -ArrayJoin New-HTMLHeader { New-HTMLSection -Invisible { New-HTMLSection { New-HTMLText -Text "Report generated on $(Get-Date)" -Color Blue } -JustifyContent flex-start -Invisible New-HTMLSection { New-HTMLText -Text "Password Solution - $($Script:Reporting['Version'])" -Color Blue } -JustifyContent flex-end -Invisible } } if ($Report.ShowConfiguration) { New-HTMLTab -Name "About" { New-HTMLTab -Name "Configuration" { New-HTMLSection -Invisible { New-HTMLSection -HeaderText "Email Configuration" { New-HTMLList { foreach ($Key in $EmailParameters.Keys) { if ($Key -eq 'Body') { } elseif ($Key -ne 'Password') { New-HTMLListItem -Text $Key, ": ", $EmailParameters[$Key] -FontWeight normal, normal, bold } else { New-HTMLListItem -Text $Key, ": ", "REDACTED" -FontWeight normal, normal, bold } } } } New-HTMLSection -HeaderText "Logging" { New-HTMLList { foreach ($Key in $Logging.Keys) { if ($Key -ne 'Password') { New-HTMLListItem -Text $Key, ": ", $Logging[$Key] -FontWeight normal, normal, bold } else { New-HTMLListItem -Text $Key, ": ", "REDACTED" -FontWeight normal, normal, bold } } } } New-HTMLSection -HeaderText "Other" { New-HTMLList { New-HTMLListItem -Text 'FilePath', ": ", $Report.FilePath -FontWeight normal, normal, bold New-HTMLListItem -Text 'SearchPath', ": ", $SearchPath -FontWeight normal, normal, bold } } } New-HTMLSection -Invisible { New-HTMLSection -HeaderText "User Section" { New-HTMLList { New-HTMLListItem -Text "Enabled: ", $UserSection.Enable -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "SendCountMaximum: ", $UserSection.SendCountMaximum -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "SendToDefaultEmail: ", $UserSection.SendToDefaultEmail -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "DefaultEmail: ", ($UserSection.DefaultEmail -join ", ") -FontWeight normal, bold -TextDecoration underline, none } } New-HTMLSection -HeaderText "Manager Section" { New-HTMLList { New-HTMLListItem -Text "Enabled: ", $ManagerSection.Enable -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "SendCountMaximum: ", $ManagerSection.SendCountMaximum -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "SendToDefaultEmail: ", $ManagerSection.SendToDefaultEmail -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "DefaultEmail: ", ($ManagerSection.DefaultEmail -join ", ") -FontWeight normal, bold -TextDecoration underline, none } } New-HTMLSection -HeaderText "Security Section" { New-HTMLList { New-HTMLListItem -Text "Enabled: ", $SecuritySection.Enable -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "SendCountMaximum: ", $SecuritySection.SendCountMaximum -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "SendToDefaultEmail: ", $SecuritySection.SendToDefaultEmail -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "DefaultEmail: ", ($SecuritySection.DefaultEmail -join ", ") -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "Attach CSV: ", ($SecuritySection.AttachCSV -join ",") -FontWeight normal, bold -TextDecoration underline, none } } New-HTMLSection -HeaderText "Admin Section" { New-HTMLList { New-HTMLListItem -Text "Enabled: ", $AdminSection.Enable -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "Subject: ", $AdminSection.Subject -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "Manager: ", $AdminSection.Manager.DisplayName -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "Manager Email: ", ($AdminSection.Manager.EmailAddress -join ", ") -FontWeight normal, bold -TextDecoration underline, none } } } } New-HTMLTab -Name 'Rules Configuration' { New-HTMLText -Text "There are ", $Rules.Count, " rules defined in the Password Solution. ", "Please keep in mind that order of the rules matter." -FontWeight normal, bold, normal -Color None, Blue, None foreach ($Rule in $Rules) { if ($Rule.Enable) { $SectionColor = 'SpringGreen' } else { $SectionColor = 'Coral' } New-HTMLSection -HeaderText "Rule $($Rule.Name)" -CanCollapse -HeaderBackGroundColor $SectionColor { New-HTMLList { if ($Rule.Enable) { New-HTMLListItem -Text "Rule ", $Rule.Name, " is ", "enabled" -FontWeight normal, bold, normal, bold, normal, normal -Color None, None, None, Green } else { New-HTMLListItem -Text "Rule ", $Rule.Name, " is ", "disabled" -FontWeight normal, bold, normal, bold, normal, normal -Color None, None, None, Red } New-HTMLList { New-HTMLListItem -Text "Notify till expiry on ", $($Rule.Reminders -join ","), " day " -FontWeight normal, bold, normal if ($Rule.IncludeExpiring) { New-HTMLListItem -Text "Include expiring accounts is ", "enabled" -FontWeight bold, bold -Color None, Green } else { New-HTMLListItem -Text "Include expiring accounts is ", "disabled" -FontWeight bold, bold -Color None, Red } if ($Rule.IncludePasswordNeverExpires) { New-HTMLListItem -Text "Include passwords never expiring with ", $Rule.PasswordNeverExpiresDays, " days rule" -FontWeight bold -Color Amethyst } else { New-HTMLListItem -Text "Do not include passwords that never expire." -FontWeight bold -Color Blue } if ($Rule.IncludeName.Count -gt 0 -and $Rule.IncludeNameProperties.Count -gt 0) { New-HTMLListItem -Text "Apply naming rule to require that account contains of of names ", $($Rule.IncludeName -join ", "), " in at least one property ", ($Rule.IncludeNameProperties -join ", ") -FontWeight normal, bold, normal, bold, normal -Color None, Blue, None, Blue } else { New-HTMLListItem -Text "Do not apply special name rules" -Color Blue -FontWeight bold } if ($Rule.IncludeOU) { New-HTMLListItem -Text "Apply Organizational Unit inclusion on ", ($Rule.IncludeOU -join ", ") -FontWeight normal, bold -Color None, Blue } else { New-HTMLListItem -Text "Do not apply Organizational Unit limit" -Color Blue -FontWeight bold } if ($Rule.ExcludeOU) { New-HTMLListItem -Text "Apply Organizational Unit exclusion on ", $Rule.ExcludeOU -FontWeight normal, bold -Color None, Green } else { New-HTMLListItem -Text "Do not exclude any Organizational Unit" -Color Blue -FontWeight bold } if ($Rule.IncludeGroup) { New-HTMLListItem -Text "Appply Group Membership inclusion (direct only) ", ($Rule.IncludeGroup -join ", ") } else { New-HTMLListItem -Text "Do not apply Group Membership limit" } if ($Rule.ExcludeGroup) { New-HTMLListItem -Text "Apply Group Membership exclusion (direct only): ", ($Rule.ExcludeGroup -join ", ") } else { New-HTMLListItem -Text "Do not apply Group Membership exclusion" } New-HTMLListItem -Text "Send to manager" -NestedListItems { New-HTMLList { if ($Rule.SendToManager.Manager.Enable) { New-HTMLListItem -Text "Manager ", " is ", 'enabled' -FontWeight bold, normal, bold -Color None, None, Green { New-HTMLList { New-HTMLListItem -Text "Rules: " { New-HTMLList { if ($Rule.SendToManager.Manager.Reminders.Default.Enable) { if ($Rule.SendToManager.Manager.Reminders.Default.Reminder) { New-HTMLListItem -Text "Default ", "is enabled", " sent on ", $($Rule.SendToManager.Manager.Reminders.Default.Reminder -join ", "), " days to expiry of user." -FontWeight normal, bold, normal, bold, normal -Color None, Green, None, Green } else { New-HTMLListItem -Text "Default ", "is enabled", " sent on ", $($Rule.Reminders -join ", "), " days to expiry of user." -FontWeight normal, bold, normal, bold, normal -Color None, Green, None, Green } } else { New-HTMLListItem -Text "Default rule is ", "disabled" -FontWeight bold, bold -Color None, Red } if ($Rule.SendToManager.Manager.Reminders.OnDay.Enable) { New-HTMLListItem -Text @( "On day of the week ", "is ", "enabled" " on days: ", ($Rule.SendToManager.Manager.Reminders.OnDay.Days -join ", "), " with comparison ", $TranslateOperators[$Rule.SendToManager.Manager.Reminders.OnDay.ComparisonType], ' value ', $Rule.SendToManager.Manager.Reminders.OnDay.Reminder ) -FontWeight bold, normal, bold, normal, bold, normal, bold, normal, bold -Color None, None, Green, None, Green, None, Green, None, Green } else { New-HTMLListItem -Text "On day of week rule is ", "disabled" -FontWeight bold, bold -Color None, Red } if ($Rule.SendToManager.Manager.Reminders.OnDayOfMonth.Enable) { New-HTMLListItem -Text @( "On day of the month rule ", "is", " enabled", " on days ", ($Rule.SendToManager.Manager.Reminders.OnDayOfMonth.Days -join ","), " with comparison ", $TranslateOperators[$Rule.SendToManager.Manager.Reminders.OnDayOfMonth.ComparisonType], ' value ', $Rule.SendToManager.Manager.Reminders.OnDayOfMonth.Reminder ) -FontWeight bold, normal, bold, normal, bold, normal, bold, normal, bold -Color None, None, Green, None, Green, None, Green, None, Green } else { New-HTMLListItem -Text "On day of month rule is ", "disabled" -FontWeight bold, bold -Color None, Red } } } } } } else { New-HTMLListItem -Text "Manager ", " is ", 'disabled' -FontWeight bold, normal, bold -Color None, None, Red } if ($Rule.SendToManager.ManagerNotCompliant.Enable) { New-HTMLListItem -Text "Manager Escalation", " is ", 'enabled' -FontWeight bold, normal, bold -Color None, None, Green { New-HTMLList { New-HTMLListItem -Text "Manager Name: ", $Rule.SendToManager.ManagerNotCompliant.Manager.DisplayName -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "Manager Email Address: ", $Rule.SendToManager.ManagerNotCompliant.Manager.EmailAddress -FontWeight normal, bold -TextDecoration underline, none } New-HTMLList { New-HTMLListItem -Text "Rules: " { New-HTMLList { if ($Rule.SendToManager.ManagerNotCompliant.Reminders.Default.Enable) { if ($Rule.SendToManager.ManagerNotCompliant.Reminders.Default.Reminder) { New-HTMLListItem -Text "Default ", "is enabled", " sent on ", $($Rule.SendToManager.ManagerNotCompliant.Reminders.Default.Reminder -join ", "), " days to expiry of user." -FontWeight normal, bold, normal, bold, normal -Color None, Green, None, Green } else { New-HTMLListItem -Text "Default ", "is enabled", " sent on ", $($Rule.Reminders -join ", "), " days to expiry of user." -FontWeight normal, bold, normal, bold, normal -Color None, Green, None, Green } } else { New-HTMLListItem -Text "Default rule is ", "disabled" -FontWeight bold, bold -Color None, Red } if ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.Enable) { New-HTMLListItem -Text @( "On day of the week ", "is ", "enabled" " on days: ", ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.Days -join ", "), " with comparison ", $TranslateOperators[$Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.ComparisonType], ' value ', $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDay.Reminder ) -FontWeight bold, normal, bold, normal, bold, normal, bold, normal, bold -Color None, None, Green, None, Green, None, Green, None, Green } else { New-HTMLListItem -Text "On day of week rule is ", "disabled" -FontWeight bold, bold -Color None, Red } if ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.Enable) { New-HTMLListItem -Text @( "On day of the month rule ", "is", " enabled", " on days ", ($Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.Days -join ", "), " with comparison ", $TranslateOperators[$Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.ComparisonType], ' value ', $Rule.SendToManager.ManagerNotCompliant.Reminders.OnDayOfMonth.Reminder ) -FontWeight bold, normal, bold, normal, bold, normal, bold, normal, bold -Color None, None, Green, None, Green, None, Green, None, Green } else { New-HTMLListItem -Text "On day of month rule is ", "disabled" -FontWeight bold, bold -Color None, Red } } } } } } else { New-HTMLListItem -Text "Manager Escalation", " is ", "disabled" -FontWeight bold, normal, bold -Color None, None, Red } if ($Rule.SendToManager.SecurityEscalation.Enable) { New-HTMLListItem -Text "Security Escalation ", "is", " enabled" -FontWeight bold, normal, bold -Color None, None, Green { New-HTMLList { New-HTMLListItem -Text "Manager Name: ", $Rule.SendToManager.SecurityEscalation.Manager.DisplayName -FontWeight normal, bold -TextDecoration underline, none New-HTMLListItem -Text "Manager Email Address: ", $Rule.SendToManager.SecurityEscalation.Manager.EmailAddress -FontWeight normal, bold -TextDecoration underline, none } New-HTMLList { New-HTMLListItem -Text "Rules: " { New-HTMLList { if ($Rule.SendToManager.SecurityEscalation.Reminders.Default.Enable) { if ($Rule.SendToManager.SecurityEscalation.Reminders.Default.Reminder) { New-HTMLListItem -Text "Default ", "is enabled", " sent on ", $($Rule.SendToManager.SecurityEscalation.Reminders.Default.Reminder -join ", "), " days to expiry of user." -FontWeight normal, bold, normal, bold, normal -Color None, Green, None, Green } else { New-HTMLListItem -Text "Default ", "is enabled", " sent on ", $($Rule.Reminders -join ", "), " days to expiry of user." -FontWeight normal, bold, normal, bold, normal -Color None, Green, None, Green } } else { New-HTMLListItem -Text "Default rule is ", "disabled" -FontWeight bold, bold -Color None, Red } if ($Rule.SendToManager.SecurityEscalation.Reminders.OnDay.Enable) { New-HTMLListItem -Text @( "On day of the week ", "is ", "enabled" " on days: ", ($Rule.SendToManager.SecurityEscalation.Reminders.OnDay.Days -join ", "), " with comparison ", $TranslateOperators[$Rule.SendToManager.SecurityEscalation.Reminders.OnDay.ComparisonType], ' value ', $Rule.SendToManager.SecurityEscalation.Reminders.OnDay.Reminder ) -FontWeight bold, normal, bold, normal, bold, normal, bold, normal, bold -Color None, None, Green, None, Green, None, Green, None, Green } else { New-HTMLListItem -Text "On day of week rule is ", "disabled" -FontWeight bold, bold -Color None, Red } if ($Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.Enable) { New-HTMLListItem -Text @( "On day of the month rule ", "is", " enabled", " on days ", ($Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.Days -join ", "), " with comparison ", $TranslateOperators[$Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.ComparisonType], ' value ', $Rule.SendToManager.SecurityEscalation.Reminders.OnDayOfMonth.Reminder ) -FontWeight bold, normal, bold, normal, bold, normal, bold, normal, bold -Color None, None, Green, None, Green, None, Green, None, Green } else { New-HTMLListItem -Text "On day of month rule is ", "disabled" -FontWeight bold, bold -Color None, Red } } } } } } else { New-HTMLListItem -Text "Security Escalation", " is ", "disabled" -FontWeight bold, normal, bold -Color None, None, Red } } } } } } } } } } if ($Report.ShowAllUsers) { $AllUsers = foreach ($User in $CachedUsers.Values) { if ($User.Type -eq 'Contact') { continue } $User } New-HTMLTab -Name 'All Users' { New-HTMLTable -DataTable $AllUsers -Filtering { New-TableCondition -Name 'Enabled' -BackgroundColor LawnGreen -FailBackgroundColor BlueSmoke -Value $true -ComparisonType string -Operator eq New-TableCondition -Name 'HasMailbox' -BackgroundColor LawnGreen -FailBackgroundColor BlueSmoke -Value $true -ComparisonType string -Operator eq New-TableCondition -Name 'PasswordExpired' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'PasswordExpired' -BackgroundColor Salmon -Value $true -ComparisonType string New-TableCondition -Name 'PasswordNeverExpires' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $false -ComparisonType string New-TableCondition -Name 'PasswordAtNextLogon' -BackgroundColor BlueSmoke -Value $true -ComparisonType string New-TableCondition -Name 'PasswordAtNextLogon' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Missing', 'Disabled' -BackgroundColor Salmon -Operator in New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Enabled' -BackgroundColor LawnGreen New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Not available' -BackgroundColor BlueSmoke } -ExcludeProperty $Report.ExcludeProperties -ScrollX } } if ($Report.ShowRules) { if ($Report.NestedRules) { if ($Summary['Rules'].Keys.Count -gt 0) { New-HTMLTab -Name 'Rules Information' { foreach ($Rule in $Summary['Rules'].Keys) { if ((Measure-Object -InputObject $Summary['Rules'][$Rule].Values.User).Count -gt 0) { $Color = 'LawnGreen' $IconSolid = 'Star' } else { $Color = 'Salmon' $IconSolid = 'Stop' } New-HTMLTab -Name $Rule -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $Summary['Rules'][$Rule].Values.User -Filtering { New-TableCondition -Name 'Enabled' -BackgroundColor LawnGreen -FailBackgroundColor BlueSmoke -Value $true -ComparisonType string New-TableCondition -Name 'HasMailbox' -BackgroundColor LawnGreen -FailBackgroundColor BlueSmoke -Value $true -ComparisonType string -Operator eq New-TableCondition -Name 'PasswordExpired' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'PasswordExpired' -BackgroundColor Salmon -Value $true -ComparisonType string New-TableCondition -Name 'PasswordNeverExpires' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $false -ComparisonType string New-TableCondition -Name 'PasswordAtNextLogon' -BackgroundColor BlueSmoke -Value $true -ComparisonType string New-TableCondition -Name 'PasswordAtNextLogon' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Missing', 'Disabled' -BackgroundColor Salmon -Operator in New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Enabled' -BackgroundColor LawnGreen New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Not available' -BackgroundColor BlueSmoke } -ExcludeProperty $Report.ExcludeProperties -ScrollX } } } } } else { foreach ($Rule in $Summary['Rules'].Keys) { if ((Measure-Object -InputObject $Summary['Rules'][$Rule].Values.User).Count -gt 0) { $Color = 'LawnGreen' $IconSolid = 'Star' } else { $Color = 'Salmon' $IconSolid = 'Stop' } New-HTMLTab -Name $Rule -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $Summary['Rules'][$Rule].Values.User -Filtering { New-TableCondition -Name 'Enabled' -BackgroundColor LawnGreen -FailBackgroundColor BlueSmoke -Value $true -ComparisonType string New-TableCondition -Name 'HasMailbox' -BackgroundColor LawnGreen -FailBackgroundColor BlueSmoke -Value $true -ComparisonType string -Operator eq New-TableCondition -Name 'PasswordExpired' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'PasswordExpired' -BackgroundColor Salmon -Value $true -ComparisonType string New-TableCondition -Name 'PasswordNeverExpires' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $false -ComparisonType string New-TableCondition -Name 'PasswordAtNextLogon' -BackgroundColor BlueSmoke -Value $true -ComparisonType string New-TableCondition -Name 'PasswordAtNextLogon' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Missing', 'Disabled' -BackgroundColor Salmon -Operator in New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Enabled' -BackgroundColor LawnGreen New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Not available' -BackgroundColor BlueSmoke } -ExcludeProperty $Report.ExcludeProperties -ScrollX } } } } if ($Report.ShowUsersSent) { if ((Measure-Object -InputObject $SummaryUsersEmails).Count -gt 0) { $Color = 'BrightTurquoise' $IconSolid = 'sticky-note' } else { $Color = 'Amaranth' $IconSolid = 'stop-circle' } New-HTMLTab -Name 'Email sent to users' -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $SummaryUsersEmails { New-TableHeader -Names 'Status', 'StatusError', 'SentTo', 'StatusWhen' -Title 'Email Summary' New-TableCondition -Name 'Status' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $true -ComparisonType string -HighlightHeaders 'Status', 'StatusWhen', 'StatusError', 'SentTo' New-TableCondition -Name 'PasswordExpired' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'PasswordExpired' -BackgroundColor Salmon -Value $true -ComparisonType string New-TableCondition -Name 'PasswordNeverExpires' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $false -ComparisonType string } -Filtering } } if ($Report.ShowManagersSent) { if ((Measure-Object -InputObject $SummaryManagersEmails).Count -gt 0) { $Color = 'BrightTurquoise' $IconSolid = 'sticky-note' } else { $Color = 'Amaranth' $IconSolid = 'stop-circle' } New-HTMLTab -Name 'Email sent to manager' -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $SummaryManagersEmails { New-TableHeader -Names 'Status', 'StatusError', 'SentTo', 'StatusWhen' -Title 'Email Summary' New-TableCondition -Name 'Status' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $true -ComparisonType string -HighlightHeaders 'Status', 'StatusWhen', 'StatusError', 'SentTo' } -Filtering } } if ($Report.ShowEscalationSent) { if ((Measure-Object -InputObject $SummaryEscalationEmails).Count -gt 0) { $Color = 'BrightTurquoise' $IconSolid = 'sticky-note' } else { $Color = 'Amaranth' $IconSolid = 'stop-circle' } New-HTMLTab -Name 'Email sent to Security' -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $SummaryEscalationEmails { New-TableHeader -Names 'Status', 'StatusError', 'SentTo', 'StatusWhen' -Title 'Email Summary' New-TableCondition -Name 'Status' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $true -ComparisonType string -HighlightHeaders 'Status', 'StatusWhen', 'StatusError', 'SentTo' } -Filtering } } if ($Report.ShowExternalSystemReplacementsUsers) { if ($ExternalSystemReplacements.Users.Count -gt 0) { $Color = 'BrightTurquoise' $IconSolid = 'sticky-note' } else { $Color = 'Amaranth' $IconSolid = 'stop-circle' } New-HTMLTab -Name 'External System Users' -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $ExternalSystemReplacements.Users { } -Filtering } } if ($Report.ShowExternalSystemReplacementsManagers) { if ($ExternalSystemReplacements.Managers.Count -gt 0) { $Color = 'BrightTurquoise' $IconSolid = 'sticky-note' } else { $Color = 'Amaranth' $IconSolid = 'stop-circle' } New-HTMLTab -Name 'External System Managers' -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $ExternalSystemReplacements.Managers { } -Filtering } } if ($Report.ShowSearchUsers) { [Array] $UsersSent = $SummarySearch['EmailSent'].Values if ($UsersSent.Count -gt 0) { $Color = 'BrightTurquoise' $IconSolid = 'sticky-note' } else { $Color = 'Amaranth' $IconSolid = 'stop-circle' } New-HTMLTab -Name 'History Emails To Users' -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $UsersSent { New-TableHeader -Names 'Status', 'StatusError', 'SentTo', 'StatusWhen' -Title 'Email Summary' New-TableCondition -Name 'Status' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $true -ComparisonType string -HighlightHeaders 'Status', 'StatusWhen', 'StatusError', 'SentTo' New-TableCondition -Name 'PasswordExpired' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'PasswordExpired' -BackgroundColor Salmon -Value $true -ComparisonType string New-TableCondition -Name 'PasswordNeverExpires' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $false -ComparisonType string } -Filtering } } if ($Report.ShowSearchManagers) { [Array] $ShowSearchManagers = $SummarySearch['EmailManagers'].Values if ($ShowSearchManagers.Count -gt 0) { $Color = 'BrightTurquoise' $IconSolid = 'sticky-note' } else { $Color = 'Amaranth' $IconSolid = 'stop-circle' } New-HTMLTab -Name 'History Emails To Managers' -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $ShowSearchManagers { New-TableHeader -Names 'Status', 'StatusError', 'SentTo', 'StatusWhen' -Title 'Email Summary' New-TableCondition -Name 'Status' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $true -ComparisonType string -HighlightHeaders 'Status', 'StatusWhen', 'StatusError', 'SentTo' } -Filtering } } if ($Report.ShowSearchEscalations) { [Array] $ShowSearchEscalations = $SummarySearch['EmailEscalations'].Values if ($ShowSearchEscalations.Count -gt 0) { $Color = 'BrightTurquoise' $IconSolid = 'sticky-note' } else { $Color = 'Amaranth' $IconSolid = 'stop-circle' } New-HTMLTab -Name 'History Email To Security' -TextColor $Color -IconColor $Color -IconSolid $IconSolid { New-HTMLTable -DataTable $ShowSearchEscalations { New-TableHeader -Names 'Status', 'StatusError', 'SentTo', 'StatusWhen' -Title 'Email Summary' New-TableCondition -Name 'Status' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $true -ComparisonType string -HighlightHeaders 'Status', 'StatusWhen', 'StatusError', 'SentTo' } -Filtering } } if ($Report.ShowSkippedUsers) { New-HTMLTab -Name 'Skipped Users' -IconSolid users { $SkippedUsers = foreach ($User in $AllSkipped.Values) { if ($User.Type -ne 'Contact') { $User } } New-HTMLPanel -AlignContentText center { New-HTMLText -FontSize 15pt -Text "Those users have no password date set. This means account running expiration checks doesn't have permissions or acccout never had password set or account is set to change password on logon. " } -Invisible New-HTMLTable -DataTable $SkippedUsers -Filtering { New-TableCondition -Name 'Enabled' -BackgroundColor LawnGreen -FailBackgroundColor BlueSmoke -Value $true -ComparisonType string -Operator eq New-TableCondition -Name 'HasMailbox' -BackgroundColor LawnGreen -FailBackgroundColor BlueSmoke -Value $true -ComparisonType string -Operator eq New-TableCondition -Name 'PasswordExpired' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'PasswordExpired' -BackgroundColor Salmon -Value $true -ComparisonType string New-TableCondition -Name 'PasswordNeverExpires' -BackgroundColor LawnGreen -FailBackgroundColor Salmon -Value $false -ComparisonType string New-TableCondition -Name 'PasswordAtNextLogon' -BackgroundColor BlueSmoke -Value $true -ComparisonType string New-TableCondition -Name 'PasswordAtNextLogon' -BackgroundColor LawnGreen -Value $false -ComparisonType string New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Missing', 'Disabled' -BackgroundColor Salmon -Operator in New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Enabled' -BackgroundColor LawnGreen New-TableCondition -Name 'ManagerStatus' -HighlightHeaders Manager, ManagerSamAccountName, ManagerEmail, ManagerStatus -ComparisonType string -Value 'Not available' -BackgroundColor BlueSmoke } } } if ($Report.ShowSkippedLocations) { New-HTMLTab -Name 'Skipped Locations' -IconSolid building { New-HTMLPanel -AlignContentText center { New-HTMLText -FontSize 15pt -Text "Users in those Organizational Units have no password date set. This means account running expiration checks doesn't have permissions or acccout never had password set or account is set to change password on logon. " } -Invisible New-HTMLTable -DataTable $Locations.Values -Filtering { New-TableHeader -ResponsiveOperations none -Names 'Names', 'NamesExpired' } } } } -ShowHTML:$Report.ShowHTML -FilePath $Report.FilePath -Online:$Report.Online -WarningAction $WarningAction -TitleText $Report.Title Write-Color -Text "[i]" , " Generating HTML report ", $Report.Title, ". Done" -Color White, Yellow, Green } function Send-PasswordAdminNotifications { [CmdletBinding()] param( $AdminSection, $TemplateAdmin, $TemplateAdminSubject, $TimeEnd, $EmailParameters, $HtmlAttachments, $Logging ) if ($AdminSection.Enable) { Write-Color -Text "[i] Sending summary information " -Color White, Yellow, White, Yellow, White, Yellow, White $CountSecurity = 0 [Array] $SummaryEmail = @( $CountSecurity++ $ManagerUser = $AdminSection.Manager $EmailSplat = [ordered] @{} $EmailSplat.Template = $TemplateAdmin $EmailSplat.Subject = $TemplateAdminSubject $EmailSplat.User = $ManagerUser $EmailSplat.SummaryUsersEmails = $SummaryUsersEmails $EmailSplat.SummaryManagersEmails = $SummaryManagersEmails $EmailSplat.SummaryEscalationEmails = $SummaryEscalationEmails $EmailSplat.TimeToProcess = $TimeEnd $EmailSplat.EmailParameters = $EmailParameters $EmailSplat.EmailParameters.To = $AdminSection.Manager.EmailAddress $EmailSplat.EmailDateFormat = $Logging.EmailDateFormat $EmailSplat.EmailDateFormatUTCConversion = $Logging.EmailDateFormatUTCConversion if ($HtmlAttachments.Count -gt 0) { $EmailSplat.Attachments = $HtmlAttachments } Write-Color -Text "[i] Sending summary information ", $ManagerUser.DisplayName, " (", $ManagerUser.EmailAddress, ") (SendToDefaultEmail: ", $ManagerSection.SendToDefaultEmail, ")" -Color White, Yellow, White, Yellow, White, Yellow, White, Yellow, White, Yellow $EmailResult = Send-PasswordEmail @EmailSplat Write-Color -Text "[r] Sending summary information ", $ManagerUser.DisplayName, " (", $ManagerUser.EmailAddress, ") (SendToDefaultEmail: ", $ManagerSection.SendToDefaultEmail, ") (status: ", $EmailResult.Status, " sent to: ", $EmailResult.SentTo, ")" -Color White, Yellow, White, Yellow, White, Yellow, White, Yellow, White, Yellow if ($EmailResult.Error) { Write-Color -Text "[r] Error: ", $EmailResult.Error -Color White, Yellow, White, Yellow, White, Yellow, White, Yellow, White, Yellow } [PSCustomObject] @{ DisplayName = $ManagerUser.DisplayName SamAccountName = $ManagerUser.SamAccountName Domain = $ManagerUser.Domain Status = $EmailResult.Status StatusWhen = Get-Date -Format "yyyy-MM-dd HH:mm:ss" SentTo = $EmailResult.SentTo StatusError = $EmailResult.Error Template = 'Unknown' } ) Write-Color -Text "[i] Sending summary information (sent: ", $SummaryEmail.Count, ")" -Color White, Yellow, White, Yellow, White, Yellow, White } else { Write-Color -Text "[i] Sending summary information is ", "disabled!" -Color White, Yellow, DarkMagenta } } function Send-PasswordEmail { [CmdletBinding()] param( [scriptblock] $Template, [PSCustomObject] $User, [Array] $ManagedUsers, [Array] $ManagedUsersManagerNotCompliant, [Array] $SummaryUsersEmails, [Array] $SummaryManagersEmails, [Array] $SummaryEscalationEmails, [string] $TimeToProcess, [Array] $Attachments, [System.Collections.IDictionary] $EmailParameters, [string] $Subject, [string] $EmailDateFormat, [switch] $EmailDateFormatUTCConversion ) if ($Template) { if ($User.PasswordLastSet) { if ($EmailDateFormat) { if ($EmailDateFormatUTCConversion) { $PasswordLastSet = $User.PasswordLastSet.ToUniversalTime().ToString($EmailDateFormat) } else { $PasswordLastSet = $User.PasswordLastSet.ToString($EmailDateFormat) } } else { if ($EmailDateFormatUTCConversion) { $PasswordLastSet = $User.PasswordLastSet.ToUniversalTime() } else { $PasswordLastSet = $User.PasswordLastSet } } } else { $PasswordLastSet = $User.PasswordLastSet } if ($User.DateExpiry) { if ($EmailDateFormat) { if ($EmailDateFormatUTCConversion) { $ExpiryDate = $User.DateExpiry.ToUniversalTime().ToString($EmailDateFormat) } else { $ExpiryDate = $User.DateExpiry.ToString($EmailDateFormat) } } else { if ($EmailDateFormatUTCConversion) { $ExpiryDate = $User.DateExpiry.ToUniversalTime() } else { $ExpiryDate = $User.DateExpiry } } } else { $ExpiryDate = $User.DateExpiry } $SourceParameters = [ordered] @{ ManagerDisplayName = $User.DisplayName ManagerUsersTable = $ManagedUsers ManagerUsersTableManagerNotCompliant = $ManagedUsersManagerNotCompliant SummaryEscalationEmails = $SummaryEscalationEmails SummaryManagersEmails = $SummaryManagersEmails SummaryUsersEmails = $SummaryUsersEmails TimeToProcess = $TimeToProcess UserPrincipalName = $User.UserPrincipalName SamAccountName = $User.SamAccountName Domain = $User.Domain Enabled = $User.Enabled EmailAddress = $User.EmailAddress DateExpiry = $ExpiryDate DaysToExpire = $User.DaysToExpire PasswordExpired = $User.PasswordExpired PasswordLastSet = $PasswordLastSet PasswordNotRequired = $User.PasswordNotRequired PasswordNeverExpires = $User.PasswordNeverExpires ManagerSamAccountName = $User.ManagerSamAccountName ManagerEmail = $User.ManagerEmail ManagerStatus = $User.ManagerStatus ManagerLastLogonDays = $User.ManagerLastLogonDays Manager = $User.Manager DisplayName = $User.DisplayName GivenName = $User.GivenName Surname = $User.Surname OrganizationalUnit = $User.OrganizationalUnit MemberOf = $User.MemberOf DistinguishedName = $User.DistinguishedName ManagerDN = $User.ManagerDN } $Body = EmailBody -EmailBody $Template -Parameter $SourceParameters $EmailParameters.Subject = Add-ParametersToString -String $Subject -Parameter $SourceParameters $EmailParameters.Body = $Body if ($Attachments) { $EmailParameters.Attachment = $Attachments } else { $EmailParameters.Attachment = @() } try { Send-EmailMessage @EmailParameters -ErrorAction Stop -WarningAction SilentlyContinue } catch { if ($_.Exception.Message -like "*Credential*") { Write-Color -Text "[e] " , "Failed to send email to $($EmailParameters.EmailParameters) because error: $($_.Exception.Message)" -Color Yellow, White, Red Write-Color -Text "[i] " , "Please make sure you have valid credentials in your configuration file (graph encryption issue?)" -Color Yellow, White, Red } else { Write-Color -Text "[e] " , "Failed to send email to $($EmailParameters.EmailParameters) because error: $($_.Exception.Message)" -Color Yellow, White, Red } } } } function Send-PasswordManagerNofifications { [CmdletBinding()] param( [System.Collections.IDictionary] $ManagerSection, [System.Collections.IDictionary] $Summary, [System.Collections.IDictionary] $CachedUsers, [ScriptBlock] $TemplateManager, [string] $TemplateManagerSubject, [ScriptBlock] $TemplateManagerNotCompliant, [string] $TemplateManagerNotCompliantSubject, [System.Collections.IDictionary] $EmailParameters, [System.Collections.IDictionary] $Logging, [System.Collections.IDictionary] $GlobalManagersCache ) if ($ManagerSection.Enable) { Write-Color -Text "[i] Sending notifications to managers " -Color White, Yellow, White, Yellow, White, Yellow, White $CountManagers = 0 [Array] $SummaryManagersEmails = foreach ($Manager in $Summary['NotifyManager'].Keys) { $CountManagers++ if ($CachedUsers[$Manager]) { $ManagerUser = $CachedUsers[$Manager] } elseif ($GlobalManagersCache[$Manager]) { $ManagerUser = $GlobalManagersCache[$Manager] } else { $ManagerUser = $Summary['NotifyManager'][$Manager]['Manager'] } [Array] $ManagedUsers = $Summary['NotifyManager'][$Manager]['ManagerDefault'].Values.Output [Array] $ManagedUsersManagerNotCompliant = $Summary['NotifyManager'][$Manager]['ManagerNotCompliant'].Values.Output $EmailSplat = [ordered] @{} if ($Summary['NotifyManager'][$Manager].ManagerDefault.Count -gt 0) { if ($TemplateManager) { $EmailSplat.Template = $TemplateManager } else { $EmailSplat.Template = { } } if ($TemplateManagerSubject) { $EmailSplat.Subject = $TemplateManagerSubject } else { $EmailSplat.Subject = "[Password Expiring] Dear Manager - Your accounts are expiring!" } } elseif ($Summary['NotifyManager'][$Manager].ManagerNotCompliant.Count -gt 0) { if ($TemplateManagerNotCompliant) { $EmailSplat.Template = $TemplateManagerNotCompliant } else { $EmailSplat.Template = { } } if ($TemplateManagerNotCompliantSubject) { $EmailSplat.Subject = $TemplateManagerNotCompliantSubject } else { $EmailSplat.Subject = "[Password Escalation] Accounts are expiring with non-compliant manager" } } $EmailSplat.User = $ManagerUser $EmailSplat.ManagedUsers = $ManagedUsers $EmailSplat.ManagedUsersManagerNotCompliant = $ManagedUsersManagerNotCompliant $EmailSplat.EmailParameters = $EmailParameters $EmailSplat.EmailDateFormat = $Logging.EmailDateFormat $EmailSplat.EmailDateFormatUTCConversion = $Logging.EmailDateFormatUTCConversion if ($ManagerSection.SendToDefaultEmail -ne $true) { $EmailSplat.EmailParameters.To = $ManagerUser.EmailAddress } else { $EmailSplat.EmailParameters.To = $ManagerSection.DefaultEmail } if ($Logging.NotifyOnManagerSend) { Write-Color -Text "[i] Sending notifications to managers ", $ManagerUser.DisplayName, " (", $ManagerUser.EmailAddress, ") (SendToDefaultEmail: ", $ManagerSection.SendToDefaultEmail, ")" -Color White, Yellow, White, Yellow, White, Yellow, White, Yellow, White, Yellow } $EmailResult = Send-PasswordEmail @EmailSplat if ($Logging.NotifyOnManagerSend) { if ($EmailResult.SentTo) { Write-Color -Text "[r] Sending notifications to managers ", $ManagerUser.DisplayName, " (", $ManagerUser.EmailAddress, ") (SendToDefaultEmail: ", $ManagerSection.SendToDefaultEmail, ") (status: ", $EmailResult.Status, " sent to: ", $EmailResult.SentTo, ")" -Color White, Yellow, White, Yellow, White, Yellow, White, Yellow, White, Yellow } else { Write-Color -Text "[r] Sending notifications to managers ", $ManagerUser.DisplayName, " (", $ManagerUser.EmailAddress, ") (SendToDefaultEmail: ", $ManagerSection.SendToDefaultEmail, ") (status: ", $EmailResult.Status -Color White, Yellow, White, Yellow, White, Yellow, White, Yellow, White, Yellow } } [PSCustomObject] @{ DisplayName = $ManagerUser.DisplayName SamAccountName = $ManagerUser.SamAccountName Domain = $ManagerUser.Domain Status = $EmailResult.Status StatusWhen = Get-Date -Format "yyyy-MM-dd HH:mm:ss" SentTo = $EmailResult.SentTo StatusError = $EmailResult.Error Accounts = $ManagedUsers.SamAccountName AccountsCount = $ManagedUsers.Count Template = 'Unknown' ManagerNotCompliant = $ManagedUsersManagerNotCompliant.SamAccountName ManagerNotCompliantCount = $ManagedUsersManagerNotCompliant.Count } if ($ManagerSection.SendCountMaximum -gt 0) { if ($ManagerSection.SendCountMaximum -le $CountManagers) { Write-Color -Text "[i]", " Send count maximum reached. There may be more managers that match the rule." -Color Red, DarkRed break } } } Write-Color -Text "[i] Sending notifications to managers (sent: ", $SummaryManagersEmails.Count, " out of ", $Summary['NotifyManager'].Values.Count, ")" -Color White, Yellow, White, Yellow, White, Yellow, White $SummaryManagersEmails } else { Write-Color -Text "[i] Sending notifications to managers is ", "disabled!" -Color White, Yellow, DarkRed } } function Send-PasswordSecurityNotifications { [CmdletBinding()] param( [System.Collections.IDictionary] $SecuritySection, [System.Collections.IDictionary] $Summary, [ScriptBlock] $TemplateSecurity, [string] $TemplateSecuritySubject, [System.Collections.IDictionary] $Logging ) if ($SecuritySection.Enable) { Write-Color -Text "[i] Sending notifications to security " -Color White, Yellow, White, Yellow, White, Yellow, White $CountSecurity = 0 [Array] $SummaryEscalationEmails = foreach ($Manager in $Summary['NotifySecurity'].Keys) { $CountSecurity++ $ManagerUser = $Summary['NotifySecurity'][$Manager]['Manager'] [Array] $ManagedUsers = $Summary['NotifySecurity'][$Manager]['Security'].Values.Output $EmailSplat = [ordered] @{} if ($Summary['NotifySecurity'][$Manager].Security.Count -gt 0) { $EmailSplat.Template = $TemplateSecurity if ($TemplateSecuritySubject) { $EmailSplat.Subject = $TemplateSecuritySubject } else { $EmailSplat.Subject = "[Password Expiring] Dear Security - Accounts expired" } } else { continue } if ($SecuritySection.AttachCSV -and $ManagedUsers.Count -gt 0) { $ManagedUsers | Export-Csv -LiteralPath $Env:TEMP\ManagedUsersSecurity.csv -NoTypeInformation -Force -Encoding UTF8 -ErrorAction Stop $EmailSplat.Attachments = @( if (Test-Path -LiteralPath "$Env:TEMP\ManagedUsersSecurity.csv") { "$Env:TEMP\ManagedUsersSecurity.csv" } ) } $EmailSplat.User = $ManagerUser $EmailSplat.ManagedUsers = $ManagedUsers | Select-Object -Property 'Status', 'DisplayName', 'Enabled', 'SamAccountName', 'Domain', 'DateExpiry', 'DaysToExpire', 'PasswordLastSet', 'PasswordExpired' $EmailSplat.EmailParameters = $EmailParameters $EmailSplat.EmailDateFormat = $Logging.EmailDateFormat $EmailSplat.EmailDateFormatUTCConversion = $Logging.EmailDateFormatUTCConversion if ($SecuritySection.SendToDefaultEmail -ne $true) { $EmailSplat.EmailParameters.To = $ManagerUser.EmailAddress } else { $EmailSplat.EmailParameters.To = $SecuritySection.DefaultEmail } if ($Logging.NotifyOnSecuritySend) { Write-Color -Text "[i] Sending notifications to security ", $ManagerUser.DisplayName, " (", $ManagerUser.EmailAddress, ") (SendToDefaultEmail: ", $ManagerSection.SendToDefaultEmail, ")" -Color White, Yellow, White, Yellow, White, Yellow, White, Yellow, White, Yellow } $EmailResult = Send-PasswordEmail @EmailSplat if ($Logging.NotifyOnSecuritySend) { Write-Color -Text "[r] Sending notifications to security ", $ManagerUser.DisplayName, " (", $ManagerUser.EmailAddress, ") (SendToDefaultEmail: ", $ManagerSection.SendToDefaultEmail, ") (status: ", $EmailResult.Status, " sent to: ", $EmailResult.SentTo, ")" -Color White, Yellow, White, Yellow, White, Yellow, White, Yellow, White, Yellow } [PSCustomObject] @{ DisplayName = $ManagerUser.DisplayName SamAccountName = $ManagerUser.SamAccountName Domain = $ManagerUser.Domain Status = $EmailResult.Status StatusWhen = Get-Date -Format "yyyy-MM-dd HH:mm:ss" SentTo = $EmailResult.SentTo StatusError = $EmailResult.Error Accounts = $ManagedUsers.SamAccountName AccountsCount = $ManagedUsers.Count Template = 'Unknown' } if ($SecuritySection.SendCountMaximum -gt 0) { if ($SecuritySection.SendCountMaximum -le $CountSecurity) { Write-Color -Text "[i]", " Send count maximum reached. There may be more managers that match the rule." -Color Red, DarkRed break } } } Write-Color -Text "[i] Sending notifications to security (sent: ", $SummaryEscalationEmails.Count, " out of ", $Summary['NotifySecurity'].Values.Count, ")" -Color White, Yellow, White, Yellow, White, Yellow, White $SummaryEscalationEmails } else { Write-Color -Text "[i] Sending notifications to security is ", "disabled!" -Color White, Yellow, DarkRed } } function Send-PasswordUserNofifications { [CmdletBinding()] param( [System.Collections.IDictionary] $UserSection, [System.Collections.IDictionary] $Summary, [System.Collections.IDictionary] $Logging, [ScriptBlock] $TemplatePreExpiry, [string] $TemplatePreExpirySubject, [scriptBlock] $TemplatePostExpiry, [string] $TemplatePostExpirySubject, [System.Collections.IDictionary] $EmailParameters ) if ($UserSection.Enable) { Write-Color -Text "[i] Sending notifications to users " -Color White, Yellow, White, Yellow, White, Yellow, White $CountUsers = 0 [Array] $SummaryUsersEmails = foreach ($Notify in $Summary['Notify'].Values) { $CountUsers++ $User = $Notify.User $Rule = $Notify.Rule if ($Notify.ProcessManagersOnly -eq $true) { if ($Logging.NotifyOnSkipUserManagerOnly) { Write-Color -Text "[i]", " Skipping User (Manager Only - $($Rule.Name)) ", $User.DisplayName, " (", $User.UserPrincipalName, ")", " days to expire: ", $User.DaysToExpire -Color Yellow, White, Magenta, White, Magenta, White, White, Blue } continue } $EmailSplat = [ordered] @{} if ($Notify.User.DaysToExpire -ge 0) { if ($Notify.Rule.TemplatePreExpiry) { $EmailSplat.Template = $Notify.Rule.TemplatePreExpiry } elseif ($TemplatePreExpiry) { $EmailSplat.Template = $TemplatePreExpiry } else { $EmailSplat.Template = { } } if ($Notify.Rule.TemplatePreExpirySubject) { $EmailSplat.Subject = $Notify.Rule.TemplatePreExpirySubject } elseif ($TemplatePreExpirySubject) { $EmailSplat.Subject = $TemplatePreExpirySubject } else { $EmailSplat.Subject = '[Password] Your password will expire on $DateExpiry ($DaysToExpire days)' } } else { if ($Notify.Rule.TemplatePostExpiry) { $EmailSplat.Template = $Notify.Rule.TemplatePostExpiry } elseif ($TemplatePostExpiry) { $EmailSplat.Template = $TemplatePostExpiry } else { $EmailSplat.Template = { } } if ($Notify.Rule.TemplatePostExpirySubject) { $EmailSplat.Subject = $Notify.Rule.TemplatePostExpirySubject } elseif ($TemplatePostExpirySubject) { $EmailSplat.Subject = $TemplatePostExpirySubject } else { $EmailSplat.Subject = '[Password] Your password expired on $DateExpiry ($DaysToExpire days ago)' } } $EmailSplat.User = $Notify.User $EmailSplat.EmailParameters = $EmailParameters $EmailSplat.EmailDateFormat = $Logging.EmailDateFormat $EmailSplat.EmailDateFormatUTCConversion = $Logging.EmailDateFormatUTCConversion if ($UserSection.SendToDefaultEmail -ne $true) { $EmailSplat.EmailParameters.To = $Notify.User.EmailAddress } else { $EmailSplat.EmailParameters.To = $UserSection.DefaultEmail } if ($Notify.User.EmailAddress -like "*@*") { $EmailResult = Send-PasswordEmail @EmailSplat [PSCustomObject] @{ UserPrincipalName = $EmailSplat.User.UserPrincipalName SamAccountName = $EmailSplat.User.SamAccountName Domain = $EmailSplat.User.Domain Rule = $Notify.Rule.Name Status = $EmailResult.Status StatusWhen = Get-Date -Format "yyyy-MM-dd HH:mm:ss" StatusError = $EmailResult.Error SentTo = $EmailResult.SentTo DateExpiry = $EmailSplat.User.DateExpiry DaysToExpire = $EmailSplat.User.DaysToExpire PasswordExpired = $EmailSplat.User.PasswordExpired PasswordNeverExpires = $EmailSplat.User.PasswordNeverExpires PasswordLastSet = $EmailSplat.User.PasswordLastSet EmailFrom = $EmailSplat.User.EmailFrom } } else { $EmailResult = @{ Status = $false Error = 'No email address for user' SentTo = '' } [PSCustomObject] @{ UserPrincipalName = $EmailSplat.User.UserPrincipalName SamAccountName = $EmailSplat.User.SamAccountName Domain = $EmailSplat.User.Domain Rule = $Notify.Rule.Name Status = $EmailResult.Status StatusWhen = Get-Date -Format "yyyy-MM-dd HH:mm:ss" StatusError = $EmailResult.Error SentTo = $EmailResult.SentTo DateExpiry = $EmailSplat.User.DateExpiry DaysToExpire = $EmailSplat.User.DaysToExpire PasswordExpired = $EmailSplat.User.PasswordExpired PasswordNeverExpires = $EmailSplat.User.PasswordNeverExpires PasswordLastSet = $EmailSplat.User.PasswordLastSet EmailFrom = $EmailSplat.User.EmailFrom } } if ($Logging.NotifyOnUserSend) { if ($EmailResult.SentTo) { Write-Color -Text "[i]", " Sending notifications to user ", $Notify.User.DisplayName, " (", $Notify.User.EmailAddress, ")", " status: ", $EmailResult.Status, " sent to: ", $EmailResult.SentTo, ", details: ", $EmailResult.Error -Color Yellow, White, Yellow, White, Yellow, White, White, Blue, White, Blue } else { Write-Color -Text "[i]", " Skipping notifications to user ", $Notify.User.DisplayName, " (", $Notify.User.EmailAddress, ")", " status: ", $EmailResult.Status, " details: ", $EmailResult.Error -Color Yellow, White, Yellow, White, Yellow, White, White, Blue, White, Blue } } if ($UserSection.SendCountMaximum -gt 0) { if ($UserSection.SendCountMaximum -le $CountUsers) { Write-Color -Text "[i]", " Send count maximum reached. There may be more accounts that match the rule." -Color Red, DarkRed break } } } Write-Color -Text "[i] Sending notifications to users (sent: ", $SummaryUsersEmails.Count, " out of ", $Summary['Notify'].Values.Count, ")" -Color White, Yellow, White, Yellow, White, Yellow, White $SummaryUsersEmails } else { Write-Color -Text "[i] Sending notifications to users is ", "disabled!" -Color White, Yellow, DarkRed } } function Set-LoggingCapabilities { [CmdletBinding()] param( [string] $LogPath, [int] $LogMaximum, [switch] $ShowTime, [string] $TimeFormat ) $Script:PSDefaultParameterValues = @{ "Write-Color:LogFile" = $LogPath "Write-Color:ShowTime" = if ($PSBoundParameters.ContainsKey('ShowTime')) { $ShowTime.IsPresent } else { $null } "Write-Color:TimeFormat" = $TimeFormat } Remove-EmptyValue -Hashtable $Script:PSDefaultParameterValues if ($LogPath) { $FolderPath = [io.path]::GetDirectoryName($LogPath) if (-not (Test-Path -LiteralPath $FolderPath)) { $null = New-Item -Path $FolderPath -ItemType Directory -Force -WhatIf:$false } if ($LogMaximum -gt 0) { $CurrentLogs = Get-ChildItem -LiteralPath $FolderPath | Sort-Object -Property CreationTime -Descending | Select-Object -Skip $LogMaximum if ($CurrentLogs) { Write-Color -Text '[i] ', "Logs directory has more than ", $LogMaximum, " log files. Cleanup required..." -Color Yellow, DarkCyan, Red, DarkCyan foreach ($Log in $CurrentLogs) { try { Remove-Item -LiteralPath $Log.FullName -Confirm:$false -WhatIf:$false Write-Color -Text '[+] ', "Deleted ", "$($Log.FullName)" -Color Yellow, White, Green } catch { Write-Color -Text '[-] ', "Couldn't delete log file $($Log.FullName). Error: ', "$($_.Exception.Message) -Color Yellow, White, Red } } } } else { Write-Color -Text '[i] ', "LogMaximum is set to 0 (Unlimited). No log files will be deleted." -Color Yellow, DarkCyan } } } function Set-PasswordConfiguration { [CmdletBinding()] param( [System.Collections.IDictionary] $Logging, [scriptblock] $ConfigurationDSL, [scriptblock] $TemplatePreExpiry, [string] $TemplatePreExpirySubject, [scriptblock] $TemplatePostExpiry, [string] $TemplatePostExpirySubject, [scriptblock] $TemplateManager, [string] $TemplateManagerSubject, [scriptblock] $TemplateSecurity, [string] $TemplateSecuritySubject, [scriptblock] $TemplateManagerNotCompliant, [string] $TemplateManagerNotCompliantSubject, [scriptblock] $TemplateAdmin, [string] $TemplateAdminSubject, [System.Collections.IDictionary] $EmailParameters, [System.Collections.IDictionary] $UserSection, [System.Collections.IDictionary] $ManagerSection, [System.Collections.IDictionary] $SecuritySection, [System.Collections.IDictionary] $AdminSection, [System.Collections.IDictionary] $UsersExternalSystem, [Array] $HTMLReports, [Array] $Rules, [string] $SearchPath, [string] $OverwriteEmailProperty, [string] $OverwriteManagerProperty, [string[]] $FilterOrganizationalUnit, [System.Collections.IDictionary] $Entra ) if (-not $Rules) { $Rules = @() } if (-not $HTMLReports) { $HTMLReports = @() } if ($ConfigurationDSL) { try { $ConfigurationExecuted = & $ConfigurationDSL foreach ($Configuration in $ConfigurationExecuted) { if ($Configuration.Type -eq 'PasswordConfigurationOption') { if ($Configuration.Settings.SearchPath) { $SearchPath = $Configuration.Settings.SearchPath } if ($Configuration.Settings.OverwriteEmailProperty) { $OverwriteEmailProperty = $Configuration.Settings.OverwriteEmailProperty } if ($Configuration.Settings.OverwriteManagerProperty) { $OverwriteManagerProperty = $Configuration.Settings.OverwriteManagerProperty } if ($Configuration.Settings.FilterOrganizationalUnit) { $FilterOrganizationalUnit = $Configuration.Settings.FilterOrganizationalUnit } foreach ($Setting in $Configuration.Settings.Keys) { if ($Setting -notin 'SearchPath', 'OverwriteEmailProperty', 'OverwriteManagerProperty', 'FilterOrganizationalUnit') { $Logging[$Setting] = $Configuration.Settings[$Setting] } } } elseif ($Configuration.Type -eq 'PasswordConfigurationEmail') { $EmailParameters = $Configuration.Settings } elseif ($Configuration.Type -eq 'PasswordConfigurationTypeUser') { $UserSection = $Configuration.Settings } elseif ($Configuration.Type -eq 'PasswordConfigurationTypeManager') { $ManagerSection = $Configuration.Settings } elseif ($Configuration.Type -eq 'PasswordConfigurationTypeSecurity') { $SecuritySection = $Configuration.Settings } elseif ($Configuration.Type -eq 'PasswordConfigurationTypeAdmin') { $AdminSection = $Configuration.Settings } elseif ($Configuration.Type -eq 'PasswordConfigurationReport') { $HTMLReports += $Configuration.Settings } elseif ($Configuration.Type -eq 'PasswordConfigurationRule') { if ($Configuration.Error) { return } $Rules += $Configuration.Settings } elseif ($Configuration.Type -eq "PasswordConfigurationTemplatePreExpiry") { $TemplatePreExpiry = $Configuration.Settings.Template $TemplatePreExpirySubject = $Configuration.Settings.Subject } elseif ($Configuration.Type -eq "PasswordConfigurationTemplatePostExpiry") { $TemplatePostExpiry = $Configuration.Settings.Template $TemplatePostExpirySubject = $Configuration.Settings.Subject } elseif ($Configuration.Type -eq "PasswordConfigurationTemplateManager") { $TemplateManager = $Configuration.Settings.Template $TemplateManagerSubject = $Configuration.Settings.Subject } elseif ($Configuration.Type -eq "PasswordConfigurationTemplateSecurity") { $TemplateSecurity = $Configuration.Settings.Template $TemplateSecuritySubject = $Configuration.Settings.Subject } elseif ($Configuration.Type -eq "PasswordConfigurationTemplateManagerNotCompliant") { $TemplateManagerNotCompliant = $Configuration.Settings.Template $TemplateManagerNotCompliantSubject = $Configuration.Settings.Subject } elseif ($Configuration.Type -eq "PasswordConfigurationTemplateAdmin") { $TemplateAdmin = $Configuration.Settings.Template $TemplateAdminSubject = $Configuration.Settings.Subject } elseif ($Configuration.Type -eq 'ExternalUsers') { $UsersExternalSystem = $Configuration } elseif ($Configuration.Type -eq 'PasswordConfigurationEntra') { $Entra = $Configuration.Settings } } } catch { Write-Color -Text "[e]", " Processing configuration failed because of error in line ", $_.InvocationInfo.ScriptLineNumber, " in ", $_.InvocationInfo.InvocationName, " with message: ", $_.Exception.Message -Color Yellow, White, Red return } } if (-not $TemplatePreExpiry) { Write-Color -Text "[i]", " TemplatePreExpiry not defined. Using default template (built-in)" -Color Yellow, Red $TemplatePreExpiry = { EmailText -LineBreak EmailText -Text "Dear ", "$DisplayName," -LineBreak EmailText -Text "Your password will expire in $DaysToExpire days and if you do not change it, you will not be able to connect to the Network and IT services. " EmailText -Text "Depending on your situation, please follow one of the methods below to change your password." -LineBreak EmailText -Text "If you are connected to the Internal Network (either directly or through VPN):" EmailList { EmailListItem -Text "Press CTRL+ALT+DEL" EmailListItem -Text "Choose Change password" EmailListItem -Text "Type in your old password and then type the new one according to the password policy (twice)" EmailListItem -Text "After the change is complete you will be prompted with information that the password has been changed" } EmailText -Text "If you are not connected to the Internal Network:" EmailList { EmailListItem -Text "Open [Password Change Link](https://account.activedirectory.windowsazure.com/ChangePassword.aspx) using your web browser" EmailListItem -Text "Login using your current credentials" EmailListItem -Text "On the change password form, type your old password and the new password that you want to set (twice)" EmailListItem -Text "Click Submit" } EmailText -Text "Please also remember to modify your password on the email configuration of your Smartphone or Tablet." -LineBreak EmailText -Text "Kind regards," EmailText -Text "IT Service Desk" } } if (-not $TemplatePreExpirySubject) { Write-Color -Text "[i]", " TemplatePreExpirySubject not defined. Using default template (built-in)" -Color Yellow, Red $TemplatePreExpirySubject = '[Password Expiring] Your password will expire on $DateExpiry ($DaysToExpire days)' } if (-not $TemplatePostExpiry) { Write-Color -Text "[i]", " TemplatePostExpiry not defined. Using default template (built-in)" -Color Yellow, Red $TemplatePostExpiry = { EmailText -LineBreak EmailText -Text "Dear ", "$DisplayName," -LineBreak EmailText -Text "Your password already expired on $PasswordLastSet. If you do not change it, you will not be able to connect to the Network and IT services. " EmailText -Text "Depending on your situation, please follow one of the methods below to change your password." -LineBreak EmailText -Text "If you are connected to the Network (either directly or through VPN):" EmailList { EmailListItem -Text "Press CTRL+ALT+DEL" EmailListItem -Text "Choose Change password" EmailListItem -Text "Type in your old password and then type the new one according to the password policy (twice)" EmailListItem -Text "After the change is complete you will be prompted with information that the password has been changed" } EmailText -Text "If you are not connected to the Internal Network:" EmailList { EmailListItem -Text "Open [Password Change Link](https://account.activedirectory.windowsazure.com/ChangePassword.aspx) using your web browser" EmailListItem -Text "Login using your current credentials" EmailListItem -Text "On the change password form, type your old password and the new password that you want to set (twice)" EmailListItem -Text "Click Submit" } EmailText -Text "Please also remember to modify your password on the email configuration of your Smartphone or Tablet." -LineBreak EmailText -Text "Kind regards," EmailText -Text "IT Service Desk" } } if (-not $TemplatePostExpirySubject) { Write-Color -Text "[i]", " TemplatePostExpirySubject not defined. Using default template (built-in)" -Color Yellow, Red $TemplatePostExpirySubject = '[Password Expired] Your password expired on $DateExpiry ($DaysToExpire days ago)' } if (-not $TemplateSecurity) { Write-Color -Text "[i]", " TemplateSecurity not defined. Using default template (built-in)" -Color Yellow, Red $TemplateSecurity = { EmailText -LineBreak EmailText -Text "Hello ", "$ManagerDisplayName", "," -LineBreak -FontWeight normal, bold, normal EmailText -Text @( "Below is a summary of ", "all service accounts", " where the passwords have exceeded the time limit stipulated in the password policy. These accounts are all in violation of the policy and immediate action/escalation should take place." ) -LineBreak -FontWeight normal, bold, normal EmailText -Text "It has been agreed that the ", "password never expires", " flag has been set to ", "true", " to avoid business disruption/loss of service. As a result we require your escalation to the managers of the account to take immediate action to change the password ASAP." -LineBreak -FontWeight normal, bold, normal, bold, normal EmailText -Text "Numerous automated reminders have been sent to the Manager, but no response/action has been taken yet." -LineBreak EmailText -Text "Please reach out directly to the manager/site to ensure that these passwords are changed immediately." -LineBreak EmailText -Text "If there is still lack of responses/action taken, it will be in your (IT Security) discretion to disable the account(s) question and take any appropriate action." -LineBreak -FontWeight bold EmailTable -DataTable $ManagerUsersTable -HideFooter EmailText -LineBreak EmailText -Text "Many thanks in advance." -LineBreak EmailText -Text "Kind regards," EmailText -Text "IT Service Desk" } } if (-not $TemplateSecuritySubject) { Write-Color -Text "[i]", " TemplateSecuritySubject not defined. Using default template (built-in)" -Color Yellow, Red $TemplateSecuritySubject = "[Passsword Expired] Following accounts are expired!" } if (-not $TemplateManager) { Write-Color -Text "[i]", " TemplateManager not defined. Using default template (built-in)" -Color Yellow, Red $TemplateManager = { EmailText -LineBreak EmailText -Text "Hello $ManagerDisplayName," -LineBreak EmailText -Text "Below is a summary of accounts where the password is due to expire soon. These accounts are either:" EmailList { EmailListItem -Text 'Managed by you' EmailListItem -Text 'You are the manager of the owner of these accounts.' } EmailText -Text "Where you are the owner, please action the password change on each account outlined below, according to the rules specified by Password Policy." -LineBreak EmailTable -DataTable $ManagerUsersTable -HideFooter EmailText -LineBreak EmailText -Text @( "Please note that for Service Accounts, even though the ", "'password never expires' " "flag remains set to " "'true' " ", the password MUST be changed before the expiry date specified in the above table. " "It is the responsibility of the manager of the account to ensure that this takes place. " ) -FontWeight normal, bold, normal, bold, normal, normal -LineBreak EmailText -Text @( "Please make an effort " "to change password yourself using known methods rather than asking the Service Desk to change the password for you. " "If password is changed by Service Desk agent, there are at least 2 people knowing the password - Service Desk Agent and You! " "Do you really want the Service Desk agent to know the password to critical system you manage/own? " "Be responsible!" ) -FontWeight bold, normal, normal, normal, bold -LineBreak -Color None, None, None, None, Red EmailText -Text "One of the ways to change the password is: " -FontWeight bold EmailList { EmailListItem -Text "Press CTRL+ALT+DEL" EmailListItem -Text "Choose Change password" EmailListItem -Text "In the account name - change it to the account you want to change password for." -FontWeight bold EmailListItem -Text "Type in current password for the account and then type the new one according to the rules specified in the password policy." EmailListItem -Text "After the change is complete you will be provided with information that the password has been changed" } EmailText -Text "Failure to take action could result in loss of service/escalation to the IT Security team." -LineBreak -FontWeight bold EmailText -Text "Kind regards," EmailText -Text "IT Service Desk" } } if (-not $TemplateManagerSubject) { Write-Color -Text "[i]", " TemplateManagerSubject not defined. Using default template (built-in)" -Color Yellow, Red $TemplateManagerSubject = "[Passsword Expiring] Accounts you manage/own are expiring or already expired" } if (-not $TemplateManagerNotCompliant) { $TemplateManagerNotCompliant = { EmailText -LineBreak EmailText -Text "Hello $ManagerDisplayName," -LineBreak EmailText -Text "Below is a summary of accounts where there is missing 'critical' information. These accounts are either:" EmailList { EmailListItem -Text "Missing a Manager in the AD - please add an active manager" EmailListItem -Text "The Manager in AD is Disabled - please add an active manager" EmailListItem -Text "Manager Last logon >90 days - please confirm if the manager is still an employee/change the manager to an active manager" EmailListItem -Text "Manager is missing email - add manager email" } EmailText -Text "Please contact the respective local IT Service Desk (outlined in the below table) to update this Manager's attributes in the AD directly. The suggested action to take can be found in the below table." -LineBreak EmailTable -DataTable $ManagerUsersTableManagerNotCompliant -HideFooter EmailText -LineBreak EmailText -Text "Kind regards," -LineBreak EmailText -Text "IT Service Desk" -LineBreak } } if (-not $TemplateManagerNotCompliantSubject) { $TemplateManagerNotCompliantSubject = "[Password Escalation] Accounts are expiring with non-compliant manager" } if (-not $TemplateAdmin) { $TemplateAdmin = { EmailText -LineBreak EmailText -Text "Hello $ManagerDisplayName," -LineBreak EmailText -Text "Here's the summary of password notifications:" EmailList { EmailListItem -Text "Found users matching rule to send emails: ", $SummaryUsersEmails.Count EmailListItem -Text "Sent emails to users: ", ($SummaryUsersEmails | Where-Object { $_.Status -eq $true }).Count EmailListItem -Text "Couldn't send emails because of no email: ", ($SummaryUsersEmails | Where-Object { $_.Status -eq $false -and $_.StatusError -eq 'No email address for user' }).Count EmailListItem -Text "Couldn't send emails because other reasons: ", ($SummaryUsersEmails | Where-Object { $_.Status -eq $false -and $_.StatusError -ne 'No email address for user' }).Count EmailListItem -Text "Sent emails to managers: ", $SummaryManagersEmails.Count EmailListItem -Text "Sent emails to security: ", $SummaryEscalationEmails.Count } EmailText -Text "It took ", $TimeToProcess , " seconds to process the template." -LineBreak EmailText -Text "Hope everything works correctly! " -LineBreak EmailText -Text "Kind regards," -LineBreak EmailText -Text "IT Service Desk" -LineBreak } if (-not $TemplateAdminSubject) { $TemplateAdminSubject = '[Password Summary] Passwords summary' } } $OutputInformation = [ordered] @{ EmailParameters = $EmailParameters UserSection = $UserSection ManagerSection = $ManagerSection SecuritySection = $SecuritySection AdminSection = $AdminSection HTMLReports = $HTMLReports Rules = $Rules SearchPath = $SearchPath OverwriteEmailProperty = $OverwriteEmailProperty OverwriteManagerProperty = $OverwriteManagerProperty Logging = $Logging TemplatePreExpiry = $TemplatePreExpiry TemplatePreExpirySubject = $TemplatePreExpirySubject TemplatePostExpiry = $TemplatePostExpiry TemplatePostExpirySubject = $TemplatePostExpirySubject TemplateManager = $TemplateManager TemplateManagerSubject = $TemplateManagerSubject TemplateSecurity = $TemplateSecurity TemplateSecuritySubject = $TemplateSecuritySubject TemplateManagerNotCompliant = $TemplateManagerNotCompliant TemplateManagerNotCompliantSubject = $TemplateManagerNotCompliantSubject TemplateAdmin = $TemplateAdmin TemplateAdminSubject = $TemplateAdminSubject UsersExternalSystem = $UsersExternalSystem FilterOrganizationalUnit = $FilterOrganizationalUnit Entra = $Entra } $OutputInformation } function Find-Password { <# .SYNOPSIS Scan Active Directory forest for all users and their password expiration date .DESCRIPTION Scan Active Directory forest for all users and their password expiration date .PARAMETER Forest Target different Forest, by default current forest is used .PARAMETER ExcludeDomains Exclude domain from search, by default whole forest is scanned .PARAMETER IncludeDomains Include only specific domains, by default whole forest is scanned .PARAMETER ExtendedForestInformation Ability to provide Forest Information from another command to speed up processing .PARAMETER OverwriteEmailProperty Overwrite EmailAddress property with different property name .PARAMETER OverwriteManagerProperty Overwrite Manager property with different property name. Can use DistinguishedName or SamAccountName .PARAMETER RulesProperties Add additional properties to be returned from rules .PARAMETER UsersExternalSystem .PARAMETER ExternalSystemReplacements .PARAMETER FilterOrganizationalUnit .PARAMETER AsHashTable .PARAMETER AsHashTableObject .PARAMETER AddEmptyProperties .PARAMETER ReturnObjectsType .PARAMETER Cache .PARAMETER HashtableField .PARAMETER CacheManager .EXAMPLE Find-Password | ft .NOTES General notes #> [CmdletBinding()] param( [alias('ForestName')][string] $Forest, [string[]] $ExcludeDomains, [alias('Domain', 'Domains')][string[]] $IncludeDomains, [System.Collections.IDictionary] $ExtendedForestInformation, [string] $OverwriteEmailProperty, [Parameter(DontShow)][switch] $AsHashTable, [Parameter(DontShow)][string] $HashtableField = 'DistinguishedName', [ValidateSet('Users', 'Contacts')][string[]] $ReturnObjectsType = @('Users', 'Contacts'), [Parameter(DontShow)][switch] $AsHashTableObject, [Parameter(DontShow)][string[]] $AddEmptyProperties = @(), [Parameter(DontShow)][string[]] $RulesProperties, [string] $OverwriteManagerProperty, [Parameter(DontShow)][System.Collections.IDictionary] $UsersExternalSystem, [Parameter(DontShow)][System.Collections.IDictionary] $ExternalSystemReplacements = [ordered] @{ Managers = [System.Collections.Generic.List[PSCustomObject]]::new() Users = [System.Collections.Generic.List[PSCustomObject]]::new() }, [string[]] $FilterOrganizationalUnit, [System.Collections.IDictionary] $Cache = [ordered] @{}, [System.Collections.IDictionary] $CacheManager = [ordered] @{} ) $ExternalSystemManagers = [ordered]@{} if ($UsersExternalSystem.Name) { Write-Color -Text '[i] ', "Using external system ", $UsersExternalSystem.Name, " for EMAIL replacement functionality" -Color Yellow, White, Yellow, White Write-Color -Text '[i] ', "There are ", $UsersExternalSystem.Users.Count, " users in the external system" -Color Yellow, White, Yellow, White } if (-not $ExternalSystemReplacements.Users) { $ExternalSystemReplacements.Users = [System.Collections.Generic.List[PSCustomObject]]::new() } if (-not $ExternalSystemReplacements.Managers) { $ExternalSystemReplacements.Managers = [System.Collections.Generic.List[PSCustomObject]]::new() } $Today = Get-Date $GuidForExchange = Convert-ADSchemaToGuid -SchemaName 'msExchMailboxGuid' if ($GuidForExchange) { $ExchangeProperty = 'msExchMailboxGuid' } $Properties = @( 'Manager', 'DisplayName', 'GivenName', 'Surname', 'SamAccountName', 'EmailAddress', 'msDS-UserPasswordExpiryTimeComputed', 'PasswordExpired', 'PasswordLastSet', 'PasswordNotRequired', 'Enabled', 'PasswordNeverExpires', 'Mail', 'MemberOf', 'LastLogonDate', 'Name' 'userAccountControl' 'pwdLastSet', 'ObjectClass' 'LastLogonDate' 'Country' if ($UsersExternalSystem -and $UsersExternalSystem.Type -eq 'ExternalUsers') { $UsersExternalSystem.ActiveDirectoryProperty } if ($ExchangeProperty) { $ExchangeProperty } if ($OverwriteEmailProperty) { $OverwriteEmailProperty } if ($OverwriteManagerProperty) { $OverwriteManagerProperty } foreach ($Rule in $RulesProperties) { $Rule } ) $Properties = $Properties | Sort-Object -Unique [Array] $ExtendedProperties = foreach ($Rule in $RulesProperties) { $Rule } [Array] $ExtendedProperties = $ExtendedProperties | Sort-Object -Unique $PropertiesContacts = @( 'SamAccountName', 'CanonicalName', 'WhenChanged', 'WhenChanged', 'DisplayName', 'DistinguishedName', 'Name', 'Mail', 'TargetAddress', 'ObjectClass' ) if (-not $Cache) { $Cache = [ordered] @{ } } if (-not $CachedUsers) { $CachedUsers = [ordered] @{ } } Write-Color -Text '[i] ', "Discovering forest information" -Color Yellow, White $ForestInformation = Get-WinADForestDetails -PreferWritable -Extended -Forest $Forest -ExcludeDomains $ExcludeDomains -IncludeDomains $IncludeDomains -ExtendedForestInformation $ExtendedForestInformation $DNSNetBios = @{ } foreach ($NETBIOS in $ForestInformation.DomainsExtendedNetBIOS.Keys) { $DNSNetBios[$ForestInformation.DomainsExtendedNetBIOS[$NETBIOS].DnsRoot] = $NETBIOS } [Array] $Users = foreach ($Domain in $ForestInformation.Domains) { Write-Color -Text "[i] ", "Discovering DC for domain ", "$($Domain)", " in forest ", $ForestInformation.Name -Color Yellow, White, Yellow, White $Server = $ForestInformation['QueryServers'][$Domain]['HostName'][0] Write-Color -Text "[i] ", "Getting users from ", "$($Domain)", " using ", $Server -Color Yellow, White, Yellow, White try { Get-ADUser -Server $Server -Filter '*' -Properties $Properties -ErrorAction Stop } catch { $ErrorMessage = $_.Exception.Message -replace "`n", " " -replace "`r", " " Write-Color '[e] Error: ', $ErrorMessage -Color White, Red } } Write-Color -Text "[i] ", "Caching users for easy access" -Color Yellow, White foreach ($User in $Users) { $Cache[$User.DistinguishedName] = $User $Cache[$User.SamAccountName] = $User } if ($ReturnObjectsType -contains 'Contacts') { [Array] $Contacts = foreach ($Domain in $ForestInformation.Domains) { Write-Color -Text "[i] ", "Discovering DC for domain ", "$($Domain)", " in forest ", $ForestInformation.Name -Color Yellow, White, Yellow, White $Server = $ForestInformation['QueryServers'][$Domain]['HostName'][0] Write-Color -Text "[i] ", "Getting contacts from ", "$($Domain)", " using ", $Server -Color Yellow, White, Yellow, White try { Get-ADObject -LDAPFilter "objectClass=Contact" -Server $Server -Properties $PropertiesContacts -ErrorAction Stop } catch { $ErrorMessage = $_.Exception.Message -replace "`n", " " -replace "`r", " " Write-Color '[e] Error: ', $ErrorMessage -Color White, Red } } foreach ($Contact in $Contacts) { $Cache[$Contact.DistinguishedName] = $Contact } } Write-Color -Text "[i] ", "Preparing users ", $Users.Count, " for password expirations in forest ", $Forest.Name -Color Yellow, White, Yellow, White, Yellow, White foreach ($OU in $FilterOrganizationalUnit) { Write-Color -Text "[i] ", "Filtering users by Organizational Unit ", $OU -Color Yellow, White, Yellow, White } $CountUsers = 0 foreach ($User in $Users) { $CountUsers++ Write-Verbose -Message "Processing $($User.DisplayName) / $($User.DistinguishedName) - $($CountUsers)/$($Users.Count)" $SkipUser = $false $DateExpiry = $null $DaysToExpire = $null $PasswordDays = $null $PasswordNeverExpires = $null $PasswordAtNextLogon = $null $HasMailbox = $null $OUPath = ConvertFrom-DistinguishedName -DistinguishedName $User.DistinguishedName -ToOrganizationalUnit foreach ($OU in $FilterOrganizationalUnit) { if ($null -ne $OUPath -and $OUPath -like "$OU") { $SkipUser = $false break } else { $SkipUser = $true } } if ($SkipUser) { continue } if ($OverwriteManagerProperty) { $ManagerTemp = $User.$OverwriteManagerProperty if ($ManagerTemp) { $ManagerSpecial = $Cache[$ManagerTemp] } else { $ManagerSpecial = $null } } else { $ManagerSpecial = $null } if ($ManagerSpecial) { $ManagerDN = $ManagerSpecial.DistinguishedName $Manager = $ManagerSpecial.DisplayName $ManagerSamAccountName = $ManagerSpecial.SamAccountName $ManagerDisplayName = $ManagerSpecial.DisplayName $ManagerEmail = $ManagerSpecial.Mail if ($ManagerSamAccountName -and $UsersExternalSystem -and $UsersExternalSystem.Global -eq $true) { $ADProperty = $UsersExternalSystem.ActiveDirectoryProperty if ($ADProperty -eq 'SamAccountName') { $EmailProperty = $UsersExternalSystem.EmailProperty $ExternalUser = $UsersExternalSystem['Users'][$ManagerSamAccountName] if ($ExternalUser -and $ExternalUser.$EmailProperty -like '*@*' -and $ExternalUser.$EmailProperty -ne $ManagerEmail) { $ReplacedManagerEmail = $ManagerEmail $ManagerEmail = $ExternalUser.$EmailProperty if (-not $ExternalSystemManagers[$ManagerSamAccountName]) { $ExternalSystemManagers[$ManagerSamAccountName] = $ManagerSamAccountName $ExternalSystemReplacements.Managers.Add( [PSCustomObject]@{ ManagerSamAccountName = $ManagerSamAccountName ExternalEmail = $ManagerEmail ADEmailAddress = $ReplacedManagerEmail ExternalSystem = $UsersExternalSystem.Name } ) } } } } $ManagerEnabled = $ManagerSpecial.Enabled $ManagerLastLogon = $ManagerSpecial.LastLogonDate if ($ManagerLastLogon) { $ManagerLastLogonDays = $( - $($ManagerLastLogon - $Today).Days) } else { $ManagerLastLogonDays = $null } $ManagerType = $ManagerSpecial.ObjectClass } elseif ($User.Manager) { $ManagerDN = $Cache[$User.Manager].DistinguishedName $Manager = $Cache[$User.Manager].DisplayName $ManagerSamAccountName = $Cache[$User.Manager].SamAccountName $ManagerDisplayName = $Cache[$User.Manager].DisplayName $ManagerEmail = $Cache[$User.Manager].Mail if ($ManagerSamAccountName -and $UsersExternalSystem -and $UsersExternalSystem.Global -eq $true) { $ADProperty = $UsersExternalSystem.ActiveDirectoryProperty if ($ADProperty -eq 'SamAccountName') { $EmailProperty = $UsersExternalSystem.EmailProperty $ExternalUser = $UsersExternalSystem['Users'][$ManagerSamAccountName] if ($ExternalUser -and $ExternalUser.$EmailProperty -like '*@*' -and $ExternalUser.$EmailProperty -ne $ManagerEmail) { $ReplacedManagerEmail = $ManagerEmail $ManagerEmail = $ExternalUser.$EmailProperty if (-not $ExternalSystemManagers[$ManagerSamAccountName]) { $ExternalSystemManagers[$ManagerSamAccountName] = $ManagerSamAccountName $ExternalSystemReplacements.Managers.Add( [PSCustomObject]@{ ManagerSamAccountName = $ManagerSamAccountName ExternalEmail = $ManagerEmail ADEmailAddress = $ReplacedManagerEmail ExternalSystem = $UsersExternalSystem.Name } ) } } } } $ManagerEnabled = $Cache[$User.Manager].Enabled $ManagerLastLogon = $Cache[$User.Manager].LastLogonDate if ($ManagerLastLogon) { $ManagerLastLogonDays = $( - $($ManagerLastLogon - $Today).Days) } else { $ManagerLastLogonDays = $null } $ManagerType = $Cache[$User.Manager].ObjectClass } else { if ($User.ObjectClass -eq 'user') { $ManagerStatus = 'Missing' } else { $ManagerStatus = 'Not available' } $ManagerDN = $null $Manager = $null $ManagerSamAccountName = $null $ManagerDisplayName = $null $ManagerEmail = $null $ManagerEnabled = $null $ManagerLastLogon = $null $ManagerLastLogonDays = $null $ManagerType = $null } if ($ManagerDN -and -not $CacheManager[$ManagerDN]) { $CacheManager[$ManagerDN] = [PSCustomObject] @{ DistinguishedName = $ManagerDN Domain = ConvertFrom-DistinguishedName -DistinguishedName $ManagerDN -ToDomainCN DisplayName = $ManagerDisplayName SamAccountName = $ManagerSamAccountName EmailAddress = $ManagerEmail Enabled = $ManagerEnabled LastLogonDate = $ManagerLastLogon LastLogonDays = $ManagerLastLogonDays Type = $ManagerType } } if ($OverwriteEmailProperty) { $EmailTemp = $User.$OverwriteEmailProperty if ($EmailTemp -like '*@*') { $EmailAddress = $EmailTemp } else { $EmailAddress = $User.EmailAddress } if ($Cache["$($User.Manager)"]) { if ($Cache["$($User.Manager)"].$OverwriteEmailProperty -like '*@*') { $ManagerEmail = $Cache["$($User.Manager)"].$OverwriteEmailProperty } } } else { $EmailAddress = $User.EmailAddress } if ($UsersExternalSystem -and $UsersExternalSystem.Global -eq $true) { if ($UsersExternalSystem.Type -eq 'ExternalUsers') { $ADProperty = $UsersExternalSystem.ActiveDirectoryProperty $EmailProperty = $UsersExternalSystem.EmailProperty $ExternalUser = $UsersExternalSystem['Users'][$User.$ADProperty] $EmailFrom = 'AD' if ($ExternalUser -and $ExternalUser.$EmailProperty -like '*@*' -and $EmailAddress -ne $ExternalUser.$EmailProperty) { $EmailFrom = 'ILM' $EmailAddress = $ExternalUser.$EmailProperty $ExternalSystemReplacements.Users.Add( [PSCustomObject]@{ UserSamAccountName = $User.SamAccountName ExternalEmail = $EmailAddress ADEmailAddress = $User.EmailAddress ExternalSystem = $UsersExternalSystem.Name } ) } } else { Write-Color -Text '[-] ', "External system type not supported. Please use only type as provided using 'New-PasswordConfigurationExternalUsers'." -Color Yellow, White, Red return } } else { $EmailFrom = 'AD' } if ($User.PasswordLastSet) { $PasswordDays = (New-TimeSpan -Start ($User.PasswordLastSet) -End ($Today)).Days } else { $PasswordDays = $null } if ($User.Manager) { if ($ManagerEnabled -and $ManagerEmail) { if ((Test-EmailAddress -EmailAddress $ManagerEmail).IsValid -eq $true) { $ManagerStatus = 'Enabled' } else { $ManagerStatus = 'Enabled, bad email' } } elseif ($ManagerEnabled) { $ManagerStatus = 'No email' } elseif ($Cache[$User.Manager].ObjectClass -eq 'Contact') { $ManagerStatus = 'Enabled' } else { $ManagerStatus = 'Disabled' } } if ($User."msDS-UserPasswordExpiryTimeComputed" -ne 9223372036854775807) { try { $DateExpiry = ([datetime]::FromFileTime($User."msDS-UserPasswordExpiryTimeComputed")) } catch { $DateExpiry = $User."msDS-UserPasswordExpiryTimeComputed" } try { $DaysToExpire = (New-TimeSpan -Start ($Today) -End ([datetime]::FromFileTime($User."msDS-UserPasswordExpiryTimeComputed"))).Days } catch { $DaysToExpire = $null } $PasswordNeverExpires = $User.PasswordNeverExpires } else { $PasswordNeverExpires = $true } if ($User.pwdLastSet -eq 0 -and $DateExpiry.Year -eq 1601) { $PasswordAtNextLogon = $true } else { $PasswordAtNextLogon = $false } if ($PasswordNeverExpires -or $null -eq $User.PasswordLastSet) { $DateExpiry = $null $DaysToExpire = $null } $UserAccountControl = Convert-UserAccountControl -UserAccountControl $User.UserAccountControl if ($UserAccountControl -contains 'INTERDOMAIN_TRUST_ACCOUNT') { continue } if ($ExchangeProperty) { if ($User.'msExchMailboxGuid') { $HasMailbox = 'Yes' } else { $HasMailbox = 'No' } } else { $HasMailbox = 'Unknown' } if ($User.LastLogonDate) { $LastLogonDays = $( - $($User.LastLogonDate - $Today).Days) } else { $LastLogonDays = $null } if ($User.Country) { $Country = Convert-CountryCodeToCountry -CountryCode $User.Country $CountryCode = $User.Country } else { $Country = 'Unknown' $CountryCode = 'Unknown' } if ($AddEmptyProperties.Count -gt 0) { $StartUser = [ordered] @{ UserPrincipalName = $User.UserPrincipalName SamAccountName = $User.SamAccountName Domain = ConvertFrom-DistinguishedName -DistinguishedName $User.DistinguishedName -ToDomainCN RuleName = '' RuleOptions = [System.Collections.Generic.List[string]]::new() Enabled = $User.Enabled HasMailbox = $HasMailbox EmailAddress = $EmailAddress SystemEmailAddress = $User.EmailAddress DateExpiry = $DateExpiry DaysToExpire = $DaysToExpire PasswordExpired = $User.PasswordExpired PasswordDays = $PasswordDays PasswordAtNextLogon = $PasswordAtNextLogon PasswordLastSet = $User.PasswordLastSet PasswordNotRequired = $User.PasswordNotRequired PasswordNeverExpires = $PasswordNeverExpires LastLogonDate = $User.LastLogonDate LastLogonDays = $LastLogonDays } foreach ($Property in $AddEmptyProperties) { $StartUser.$Property = $null } $EndUser = [ordered] @{ Manager = $Manager ManagerDisplayName = $ManagerDisplayName ManagerSamAccountName = $ManagerSamAccountName ManagerEmail = $ManagerEmail ManagerStatus = $ManagerStatus ManagerLastLogonDays = $ManagerLastLogonDays ManagerType = $ManagerType DisplayName = $User.DisplayName Name = $User.Name GivenName = $User.GivenName Surname = $User.Surname OrganizationalUnit = $OUPath MemberOf = $User.MemberOf DistinguishedName = $User.DistinguishedName ManagerDN = $User.Manager Country = $Country CountryCode = $CountryCode Type = 'User' EmailFrom = $EmailFrom } $MyUser = $StartUser + $EndUser } else { $MyUser = [ordered] @{ UserPrincipalName = $User.UserPrincipalName SamAccountName = $User.SamAccountName Domain = ConvertFrom-DistinguishedName -DistinguishedName $User.DistinguishedName -ToDomainCN RuleName = '' RuleOptions = [System.Collections.Generic.List[string]]::new() Enabled = $User.Enabled HasMailbox = $HasMailbox EmailAddress = $EmailAddress SystemEmailAddress = $User.EmailAddress DateExpiry = $DateExpiry DaysToExpire = $DaysToExpire PasswordExpired = $User.PasswordExpired PasswordDays = $PasswordDays PasswordAtNextLogon = $PasswordAtNextLogon PasswordLastSet = $User.PasswordLastSet PasswordNotRequired = $User.PasswordNotRequired PasswordNeverExpires = $PasswordNeverExpires LastLogonDate = $User.LastLogonDate LastLogonDays = $LastLogonDays Manager = $Manager ManagerDisplayName = $ManagerDisplayName ManagerSamAccountName = $ManagerSamAccountName ManagerEmail = $ManagerEmail ManagerStatus = $ManagerStatus ManagerLastLogonDays = $ManagerLastLogonDays ManagerType = $ManagerType DisplayName = $User.DisplayName Name = $User.Name GivenName = $User.GivenName Surname = $User.Surname OrganizationalUnit = ConvertFrom-DistinguishedName -DistinguishedName $User.DistinguishedName -ToOrganizationalUnit MemberOf = $User.MemberOf DistinguishedName = $User.DistinguishedName ManagerDN = $User.Manager Country = $Country CountryCode = $CountryCode Type = 'User' EmailFrom = $EmailFrom } } foreach ($Property in $ConditionProperties) { $MyUser["$Property"] = $User.$Property } foreach ($E in $ExtendedProperties) { $MyUser[$E] = $User.$E } if ($HashtableField -eq 'NetBiosSamAccountName') { $HashField = $DNSNetBios[$MyUser.Domain] + '\' + $MyUser.SamAccountName if ($AsHashTableObject) { $CachedUsers["$HashField"] = $MyUser } else { $CachedUsers["$HashField"] = [PSCustomObject] $MyUser } } else { if ($AsHashTableObject) { $CachedUsers["$($User.$HashtableField)"] = $MyUser } else { $CachedUsers["$($User.$HashtableField)"] = [PSCustomObject] $MyUser } } } if ($ReturnObjectsType -contains 'Contacts') { $CountContacts = 0 foreach ($Contact in $Contacts) { $CountContacts++ $OUPath = ConvertFrom-DistinguishedName -DistinguishedName $Contact.DistinguishedName -ToOrganizationalUnit foreach ($OU in $FilterOrganizationalUnit) { if ($null -eq $OUPath) { $SkipUser = $true break } elseif ($OUPath -notlike "$OU") { $SkipUser = $true break } } if ($SkipUser) { continue } Write-Verbose -Message "Processing $($Contact.DisplayName) - $($CountContacts)/$($Contacts.Count)" $MyUser = [ordered] @{ UserPrincipalName = $null SamAccountName = $null Domain = ConvertFrom-DistinguishedName -DistinguishedName $Contact.DistinguishedName -ToDomainCN RuleName = '' RuleOptions = [System.Collections.Generic.List[string]]::new() Enabled = $true HasMailbox = $null EmailAddress = $Contact.Mail SystemEmailAddress = $Contact.Mail DateExpiry = $null DaysToExpire = $null PasswordExpired = $null PasswordDays = $null PasswordAtNextLogon = $null PasswordLastSet = $null PasswordNotRequired = $null PasswordNeverExpires = $null LastLogonDate = $null LastLogonDays = $null Manager = $null ManagerDisplayName = $null ManagerSamAccountName = $null ManagerEmail = $null ManagerStatus = $null ManagerLastLogonDays = $null ManagerType = $null DisplayName = $Contact.DisplayName Name = $Contact.Name GivenName = $null Surname = $null OrganizationalUnit = $OUPath MemberOf = $Contact.MemberOf DistinguishedName = $Contact.DistinguishedName ManagerDN = $null Country = $null CountryCode = $null Type = 'Contact' EmailFrom = $EmailFrom } foreach ($E in $ExtendedProperties) { $MyUser[$E] = $User.$E } if ($HashtableField -eq 'NetBiosSamAccountName') { continue } else { if ($AsHashTableObject) { $CachedUsers["$($Contact.$HashtableField)"] = $MyUser } else { $CachedUsers["$($Contact.$HashtableField)"] = [PSCustomObject] $MyUser } } } } if ($AsHashTable) { $CachedUsers } else { $CachedUsers.Values } } function Find-PasswordEntra { [CmdletBinding()] param( [Parameter(DontShow)][string] $HashtableField = 'UserPrincipalName', [Parameter(DontShow)][switch] $AsHashTable, [string] $OverwriteEmailProperty, [Parameter(DontShow)][string[]] $AddEmptyProperties = @(), [Parameter(DontShow)][string[]] $RulesProperties, [string] $OverwriteManagerProperty, [System.Collections.IDictionary] $Cache = [ordered] @{}, [System.Collections.IDictionary] $CacheManager = [ordered] @{}, [Parameter(DontShow)][System.Collections.IDictionary] $UsersExternalSystem, [Parameter(DontShow)][System.Collections.IDictionary] $ExternalSystemReplacements = [ordered] @{ Managers = [System.Collections.Generic.List[PSCustomObject]]::new() Users = [System.Collections.Generic.List[PSCustomObject]]::new() }, [string[]] $FilterOrganizationalUnit ) $ExternalSystemManagers = [ordered]@{} if ($UsersExternalSystem.Name) { Write-Color -Text '[i] ', "Using external system ", $UsersExternalSystem.Name, " for EMAIL replacement functionality" -Color Yellow, White, Yellow, White Write-Color -Text '[i] ', "There are ", $UsersExternalSystem.Users.Count, " users in the external system" -Color Yellow, White, Yellow, White } if (-not $ExternalSystemReplacements.Users) { $ExternalSystemReplacements.Users = [System.Collections.Generic.List[PSCustomObject]]::new() } if (-not $ExternalSystemReplacements.Managers) { $ExternalSystemReplacements.Managers = [System.Collections.Generic.List[PSCustomObject]]::new() } $Today = Get-Date if (-not $Cache) { $Cache = [ordered] @{ } } if (-not $CachedUsers) { $CachedUsers = [ordered] @{ } } $Properties = @( 'DisplayName', 'GivenName', 'Surname', 'Mail', 'UserPrincipalName', 'Id' 'lastPasswordChangeDateTime', 'signInActivity' 'country', 'AccountEnabled' 'Manager', 'passwordPolicies', 'passwordProfile', 'OnPremisesDistinguishedName', 'OnPremisesSyncEnabled', 'OnPremisesLastSyncDateTime', 'OnPremisesSamAccountName', 'UserType' 'assignedLicenses' if ($UsersExternalSystem -and $UsersExternalSystem.Type -eq 'ExternalUsers') { $UsersExternalSystem.ActiveDirectoryProperty } if ($OverwriteEmailProperty) { $OverwriteEmailProperty } if ($OverwriteManagerProperty) { $OverwriteManagerProperty } foreach ($Rule in $RulesProperties) { $Rule } ) $Properties = $Properties | Sort-Object -Unique [Array] $ExtendedProperties = foreach ($Rule in $RulesProperties) { $Rule } [Array] $ExtendedProperties = $ExtendedProperties | Sort-Object -Unique try { $PasswordPolicies = Get-MgDomain -ErrorAction Stop } catch { Write-Color -Text '[-] ', "Couldn't get password policies. Unable to asses. Error: ", $_.Exception.Message -Color Yellow, White, Red return } if ($PasswordPolicies) { $PasswordPolicies = $PasswordPolicies.PasswordValidityPeriodInDays | Select-Object -First 1 } else { Write-Color -Text '[-] ', "Couldn't get password policies. Unable to asses." -Color Yellow, White, Red return } if ($PasswordPolicies -eq '2147483647') { $GlobalPasswordPolicy = 'PasswordNeverExpires' $GlobalPasswordPolicyDays = $null } else { $GlobalPasswordPolicy = "$PasswordPolicies days" $GlobalPasswordPolicyDays = $PasswordPolicies } Write-Color -Text "[i] ", "Global password policy is set to $GlobalPasswordPolicy" -Color Yellow, White Write-Color -Text "[i] ", "Preparing all users for password expirations in EntraID" -Color Yellow, White, Yellow, White try { $Users = Get-MgUser -All -ErrorAction Stop -Property $Properties -ConsistencyLevel eventual -ExpandProperty Manager | Select-Object -Property $Properties } catch { Write-Color -Text '[-] ', "Couldn't cache users. Please fix 'Find-PasswordEntra'. Error: ", "$($_.Exception.Message)" -Color Yellow, White, Red return } $CountUsers = 0 foreach ($User in $Users) { $CountUsers++ Write-Verbose -Message "Processing $($User.DisplayName) - $($CountUsers)/$($Users.Count)" $LastLogonDate = $null $LastLogonDays = $null if ($User.SignInActivity) { if ($User.SignInActivity -and $User.LastNonInteractiveSignInDateTime) { if ($User.SignInActivity.LastNonInteractiveSignInDateTime -gt $User.SignInActivity.LastSignInDateTime) { $LastLogonDate = $User.SignInActivity.LastNonInteractiveSignInDateTime } else { $LastLogonDate = $User.SignInActivity.LastSignInDateTime } } else { if ($User.SignInActivity.LastSignInDateTime) { $LastLogonDate = $User.SignInActivity.LastSignInDateTime } elseif ($User.SignInActivity.LastNonInteractiveSignInDateTime) { $LastLogonDate = $User.SignInActivity.LastNonInteractiveSignInDateTime } } if ($null -ne $LastLogonDate) { $LastLogonDays = ($Today - $LastLogonDate).Days } } $DateExpiry = $null $DaysToExpire = $null $PasswordDays = $null $PasswordNeverExpires = $false $PasswordAtNextLogon = $null $Country = $User.Country if ($Country) { $CountryCode = Convert-CountryToCountryCode -CountryName $User.Country } else { $CountryCode = $null } if ($User.Manager.AdditionalProperties) { $Manager = $User.Manager.AdditionalProperties $ManagerSamAccountName = $User.Manager.AdditionalProperties.onPremisesSamAccountName $ManagerDisplayName = $User.Manager.AdditionalProperties.displayName $ManagerEmail = $User.Manager.AdditionalProperties.mail $ManagerEnabled = $User.Manager.AdditionalProperties.accountEnabled $ManagerType = $User.Manager.AdditionalProperties.userType if ($ManagerEnabled -and $ManagerEmail) { if ((Test-EmailAddress -EmailAddress $ManagerEmail).IsValid -eq $true) { $ManagerStatus = 'Enabled' } else { $ManagerStatus = 'Enabled, bad email' } } elseif ($ManagerEnabled -eq $true) { $ManagerStatus = 'No email' } elseif ($ManagerEnabled -eq $false) { $ManagerStatus = 'Disabled' } else { $ManagerStatus = 'Missing' } } else { $Manager = $null $ManagerSamAccountName = $null $ManagerDisplayName = $null $ManagerEmail = $nullf $ManagerStatus = 'Missing' $ManagerLastLogonDays = $null $ManagerType = $null } $IsSynchronized = $null -ne $User.OnPremisesDistinguishedName $IsLicensed = $User.AssignedLicenses.Count -gt 0 if ($User.lastPasswordChangeDateTime) { $PasswordLastSet = $User.lastPasswordChangeDateTime $PasswordDays = ($Today - $PasswordLastSet).Days } if ($null -eq $User.PasswordPolicies -or $User.PasswordPolicies -eq 'None') { If ($GlobalPasswordPolicy -contains 'PasswordNeverExpires') { $PasswordNeverExpires = $true $DaysToExpire = $null $DateExpiry = $null } else { $PasswordNeverExpires = $false try { $DateExpiry = $PasswordLastSet.AddDays($GlobalPasswordPolicyDays) $DaysToExpire = ($DateExpiry - $Today).Days } catch { $DaysToExpire = $null $DateExpiry = $null } } } elseif ($User.PasswordPolicies -contains 'DisablePasswordExpiration') { $PasswordNeverExpires = $true $DaysToExpire = $null $DateExpiry = $null } else { Write-Color -Text '[-] ', "Password policy ($($User.PasswordPolicies)) not supported. We need to investigate what changed" -Color Yellow, White, Red return } if ($PasswordNeverExpires) { $PasswordExpired = $false } else { if ($PasswordDays -gt $GlobalPasswordPolicyDays) { $PasswordExpired = $true } else { $PasswordExpired = $false } } if ($OverwriteEmailProperty) { $EmailTemp = $User.$OverwriteEmailProperty if ($EmailTemp -like '*@*') { $EmailAddress = $EmailTemp } else { $EmailAddress = $User.Mail } if ($Cache["$($User.Manager)"]) { if ($Cache["$($User.Manager)"].$OverwriteEmailProperty -like '*@*') { $ManagerEmail = $Cache["$($User.Manager)"].$OverwriteEmailProperty } } } else { $EmailAddress = $User.Mail } if ($UsersExternalSystem -and $UsersExternalSystem.Global -eq $true) { if ($UsersExternalSystem.Type -eq 'ExternalUsers') { $ADProperty = $UsersExternalSystem.ActiveDirectoryProperty $EmailProperty = $UsersExternalSystem.EmailProperty $ExternalUser = $UsersExternalSystem['Users'][$User.$ADProperty] if ($ExternalUser -and $ExternalUser.$EmailProperty -like '*@*') { $EmailAddress = $ExternalUser.$EmailProperty } else { $EmailAddress = $User.Mail } } else { Write-Color -Text '[-] ', "External system type not supported. Please use only type as provided using 'New-PasswordConfigurationExternalUsers'." -Color Yellow, White, Red return } } if ($AddEmptyProperties.Count -gt 0) { $StartUser = [ordered] @{ UserPrincipalName = $User.UserPrincipalName SamAccountName = $User.OnPremisesSamAccountName Domain = ConvertFrom-DistinguishedName -DistinguishedName $User.OnPremisesDistinguishedName -ToDomainCN RuleName = '' RuleOptions = [System.Collections.Generic.List[string]]::new() Enabled = $User.AccountEnabled IsLicensed = $IsLicensed EmailAddress = $EmailAddress SystemEmailAddress = $User.Mail UserType = $User.UserType IsSynchronized = $IsSynchronized PasswordPolicies = if ($User.PasswordPolicies) { $User.PasswordPolicies } else { 'Not set' } ForceChangePasswordNextSignIn = $User.PasswordProfile.ForceChangePasswordNextSignIn ForceChangePasswordNextSignInWithMfa = $User.PasswordProfile.ForceChangePasswordNextSignInWithMfa DateExpiry = $DateExpiry DaysToExpire = $DaysToExpire PasswordExpired = $PasswordExpired PasswordDays = $PasswordDays PasswordAtNextLogon = $PasswordAtNextLogon PasswordLastSet = $User.lastPasswordChangeDateTime PasswordNeverExpires = $PasswordNeverExpires LastLogonDate = $LastLogonDate LastLogonDays = $LastLogonDays } foreach ($Property in $AddEmptyProperties) { $StartUser.$Property = $null } $EndUser = [ordered] @{ Manager = $Manager ManagerDisplayName = $ManagerDisplayName ManagerSamAccountName = $ManagerSamAccountName ManagerEmail = $ManagerEmail ManagerStatus = $ManagerStatus ManagerLastLogonDays = $ManagerLastLogonDays ManagerType = $ManagerType DisplayName = $User.DisplayName Name = $User.Name GivenName = $User.GivenName Surname = $User.Surname OrganizationalUnit = ConvertFrom-DistinguishedName -DistinguishedName $User.OnPremisesDistinguishedName -ToOrganizationalUnit MemberOf = $User.MemberOf DistinguishedName = $User.OnPremisesDistinguishedName ManagerDN = $User.Manager Country = $Country CountryCode = $CountryCode Type = 'User' } $MyUser = $StartUser + $EndUser } else { $MyUser = [ordered] @{ UserPrincipalName = $User.UserPrincipalName SamAccountName = $User.OnPremisesSamAccountName Domain = ConvertFrom-DistinguishedName -DistinguishedName $User.OnPremisesDistinguishedName -ToDomainCN RuleName = '' RuleOptions = [System.Collections.Generic.List[string]]::new() Enabled = $User.AccountEnabled IsLicensed = $IsLicensed EmailAddress = $EmailAddress SystemEmailAddress = $User.Mail UserType = $User.UserType IsSynchronized = $IsSynchronized PasswordPolicies = if ($User.PasswordPolicies) { $User.PasswordPolicies } else { 'Not set' } ForceChangePasswordNextSignIn = $User.PasswordProfile.ForceChangePasswordNextSignIn ForceChangePasswordNextSignInWithMfa = $User.PasswordProfile.ForceChangePasswordNextSignInWithMfa DateExpiry = $DateExpiry DaysToExpire = $DaysToExpire PasswordExpired = $PasswordExpired PasswordDays = $PasswordDays PasswordAtNextLogon = $PasswordAtNextLogon PasswordLastSet = $User.lastPasswordChangeDateTime PasswordNeverExpires = $PasswordNeverExpires LastLogonDate = $LastLogonDate LastLogonDays = $LastLogonDays Manager = $Manager ManagerDisplayName = $ManagerDisplayName ManagerSamAccountName = $ManagerSamAccountName ManagerEmail = $ManagerEmail ManagerStatus = $ManagerStatus ManagerLastLogonDays = $ManagerLastLogonDays ManagerType = $ManagerType DisplayName = $User.DisplayName Name = $User.Name GivenName = $User.GivenName Surname = $User.Surname OrganizationalUnit = ConvertFrom-DistinguishedName -DistinguishedName $User.OnPremisesDistinguishedName -ToOrganizationalUnit MemberOf = $User.MemberOf DistinguishedName = $User.OnPremisesDistinguishedName ManagerDN = $User.Manager Country = $Country CountryCode = $CountryCode Type = 'User' } } foreach ($Property in $ConditionProperties) { $MyUser["$Property"] = $User.$Property } foreach ($E in $ExtendedProperties) { $MyUser[$E] = $User.$E } if ($HashtableField -eq 'NetBiosSamAccountName') { $HashField = $DNSNetBios[$MyUser.Domain] + '\' + $MyUser.SamAccountName if ($AsHashTableObject) { $CachedUsers["$HashField"] = $MyUser } else { $CachedUsers["$HashField"] = [PSCustomObject] $MyUser } } else { if ($AsHashTableObject) { $CachedUsers["$($User.$HashtableField)"] = $MyUser } else { $CachedUsers["$($User.$HashtableField)"] = [PSCustomObject] $MyUser } } } if ($AsHashTable) { $CachedUsers } else { $CachedUsers.Values } } function Find-PasswordNotification { <# .SYNOPSIS Searches thru XML logs created by Password Solution .DESCRIPTION Searches thru XML logs created by Password Solution .PARAMETER SearchPath Path to file where the XML log is located .PARAMETER Manager Search thru manager escalations .EXAMPLE Find-PasswordNotification -SearchPath $PSScriptRoot\Search\SearchLog.xml | Format-Table .EXAMPLE Find-PasswordNotification -SearchPath "$PSScriptRoot\Search\SearchLog_2021-06.xml" -Manager | Format-Table .NOTES General notes #> [CmdletBinding()] param( [Parameter(Mandatory)][string] $SearchPath, [switch] $Manager ) if ($SearchPath) { if (Test-Path -LiteralPath $SearchPath) { try { $SummarySearch = Import-Clixml -LiteralPath $SearchPath -ErrorAction Stop } catch { Write-Color -Text "[e]", " Couldn't load the file $SearchPath", ". Skipping...", $_.Exception.Message -Color White, Yellow, White, Yellow, White, Yellow, White } if ($SummarySearch -and $Manager) { $SummarySearch.EmailEscalations.Values } elseif ($SummarySearch -and $Manager -eq $false) { $SummarySearch.EmailSent.Values } } } } function Find-PasswordQuality { <# .SYNOPSIS Scan Active Directory forest for asses password quality of users .DESCRIPTION Scan Active Directory forest for asses password quality of users including weak passwords, duplicate groups and more. .PARAMETER WeakPasswords List of weak passwords to check against .PARAMETER WeakPasswordsFilePath Path to a file that contains weak passwords, one password per line. .PARAMETER WeakPasswordsHashesFile Path to a file that contains NT hashes of weak passwords, one hash in HEX format per line. For performance reasons, the -WeakPasswordHashesSortedFile parameter should be used instead. .PARAMETER WeakPasswordsHashesSortedFile Path to a file that contains NT hashes of weak passwords, one hash in HEX format per line. The hashes must be sorted alphabetically, because a binary search is performed. This parameter is typically used with a list of leaked password hashes from HaveIBeenPwned. .PARAMETER IncludeStatistics Include statistics in output .PARAMETER Forest Target different Forest, by default current forest is used .PARAMETER ExcludeDomains Exclude domain from search, by default whole forest is scanned .PARAMETER IncludeDomains Include only specific domains, by default whole forest is scanned .PARAMETER ExtendedForestInformation Ability to provide Forest Information from another command to speed up processing .EXAMPLE Find-PasswordQuality -WeakPasswords "Test1", "Test2", "Test3" .EXAMPLE Find-PasswordQuality -WeakPasswords "Test1", "Test2", "Test3" -IncludeStatistics .NOTES General notes #> [CmdletBinding()] param( [string[]] $WeakPasswords, [string] $WeakPasswordsFilePath, [string] $WeakPasswordsHashesFile, [string] $WeakPasswordsHashesSortedFile, [switch] $IncludeStatistics, [alias('ForestName')][string] $Forest, [string[]] $ExcludeDomains, [alias('Domain', 'Domains')][string[]] $IncludeDomains, [System.Collections.IDictionary] $ExtendedForestInformation ) $PropertiesToAdd = @( 'ClearTextPassword' 'LMHash' 'EmptyPassword' 'WeakPassword' 'AESKeysMissing' 'PreAuthNotRequired' 'DESEncryptionOnly' 'Kerberoastable' 'DelegatableAdmins' 'SmartCardUsersWithPassword' 'DuplicatePasswordGroups' ) if ($WeakPasswordsHashesFile) { if (Test-Path -LiteralPath $WeakPasswordsHashesFile) { Write-Color -Text "[i] ", "Weak password hashes available to read from ", $WeakPasswordsHashesFile -Color Yellow, Gray, White, Yellow, White, Yellow, White $WeakPasswordHashesStats = Get-FileInformation -File $WeakPasswordsHashesFile } else { Write-Color -Text "[e] ", "Weak password hashes file not found at ", $WeakPasswordsHashesFile -Color Red, Yellow, White, Yellow, Red return } } if ($WeakPasswordsHashesSortedFile) { if (Test-Path -LiteralPath $WeakPasswordsHashesSortedFile) { Write-Color -Text "[i] ", "Weak passwords hashes (sorted) available to read from ", $WeakPasswordsHashesSortedFile -Color Yellow, Gray, White, Yellow, White, Yellow, White $WeakPasswordHashesSortedStats = Get-FileInformation -File $WeakPasswordsHashesSortedFile } else { Write-Color -Text "[e] ", "Weak passwords hashes (sorted) file not found at ", $WeakPasswordsHashesSortedFile -Color Red, Yellow, White, Yellow, Red return } } if ($WeakPasswordsFilePath) { if (Test-Path -LiteralPath $WeakPasswordsFilePath) { Write-Color -Text "[i] ", "Weak passwords available to read from ", $WeakPasswordsFilePath -Color Yellow, Gray, White, Yellow, White, Yellow, White $WeakPasswordsStats = Get-FileInformation -File $WeakPasswordsFilePath } else { Write-Color -Text "[e] ", "Weak passwords file not found at ", $WeakPasswordsFilePath -Color Red, Yellow, White, Yellow, Red return } } $ModuleExists = Get-Command -Module DSInternals -ErrorAction SilentlyContinue if (-not $ModuleExists) { Write-Color -Text "[e] ", "DSInternals module is not installed. Please install it using Install-Module DSInternals -Verbose" -Color Yellow, Red return } $AllUsers = Find-Password -AsHashTable -HashtableField NetBiosSamAccountName -ReturnObjectsType Users -AsHashTableObject -AddEmptyProperties $PropertiesToAdd -Forest $Forest -IncludeDomains $IncludeDomains -ExcludeDomains $ExcludeDomains Write-Color -Text "[i] ", "Discovering forest information" -Color Yellow, Gray, White, Yellow, White, Yellow, White $ForestInformation = Get-WinADForestDetails -PreferWritable -Forest $Forest -ExcludeDomains $ExcludeDomains -IncludeDomains $IncludeDomains -ExtendedForestInformation $ExtendedForestInformation $PasswordsInHash = [ordered] @{} $PasswordQuality = foreach ($Domain in $ForestInformation.Domains) { Write-Color -Text "[i] ", "Discovering DC for domain ", "$($Domain)", " in forest ", $ForestInformation.Name -Color Yellow, Gray, White, Yellow, White, Yellow, White $Server = $ForestInformation['QueryServers'][$Domain]['HostName'][0] Write-Color -Text "[i] ", "Getting replication data from ", "$($Domain)", " using ", $Server -Color Yellow, Gray, White, Yellow, White, Yellow, White $testPasswordQualitySplat = @{ WeakPasswords = $WeakPasswords WeakPasswordsFile = $WeakPasswordsFilePath WeakPasswordHashesFile = $WeakPasswordsHashesFile WeakPasswordHashesSortedFile = $WeakPasswordsHashesSortedFile IncludeDisabledAccounts = $true } Remove-EmptyValue -Hashtable $testPasswordQualitySplat try { Get-ADReplAccount -All -Server $Server -ErrorAction Stop } catch { Write-Color -Text "[e] ", "Unable to get replication data from ", "$($Domain)", " using ", $Server, ". Error: ", $_.Exception.Message -Color Red, Yellow, White, Yellow, Red, Red } } Write-Color -Text "[i] Testing password quality" -Color Yellow, Gray, White, Yellow, White, Yellow, White $Quality = $PasswordQuality | Test-PasswordQuality @testPasswordQualitySplat Write-Color -Text "[i] Processing results, merging data from DSInternals" -Color Yellow, Gray, White, Yellow, White, Yellow, White foreach ($Property in $Quality.PSObject.Properties.Name) { $PasswordsInHash[$Property] = $Quality.$Property } $PasswordGroupsUsers = [ordered] @{} $Count = 0 foreach ($Group in $PasswordsInHash.DuplicatePasswordGroups) { $Count++ foreach ($User in $Group) { $PasswordGroupsUsers[$User] = "Group $Count" } } $QualityStatistics = [ordered] @{ AESKeysMissing = $PasswordsInHash.AESKeysMissing.Count AESKeysMissingEnabledOnly = 0 AESKeysMissingDisabledOnly = 0 DESEncryptionOnly = $PasswordsInHash.DESEncryptionOnly.Count DESEncryptionOnlyEnabledOnly = 0 DESEncryptionOnlyDisabledOnly = 0 DelegatableAdmins = $PasswordsInHash.DelegatableAdmins.Count DelegatableAdminsEnabledOnly = 0 DelegatableAdminsDisabledOnly = 0 DuplicatePasswordGroups = $PasswordsInHash.DuplicatePasswordGroups.Count DuplicatePasswordUsers = $PasswordGroupsUsers.Keys.Count DuplicatePasswordUsersEnabledOnly = 0 DuplicatePasswordUsersDisabledOnly = 0 ClearTextPassword = $PasswordsInHash.ClearTextPassword.Count ClearTextPasswordEnabledOnly = 0 ClearTextPasswordDisabledOnly = 0 LMHash = $PasswordsInHash.LMHash.Count LMHashEnabledOnly = 0 LMHashDisabledOnly = 0 EmptyPassword = $PasswordsInHash.EmptyPassword.Count EmptyPasswordEnabledOnly = 0 EmptyPasswordDisabledOnly = 0 WeakPassword = $PasswordsInHash.WeakPassword.Count WeakPasswordEnabledOnly = 0 WeakPasswordDisabledOnly = 0 PasswordNotRequired = 0 PasswordNotRequiredEnabledOnly = 0 PasswordNotRequiredDisabledOnly = 0 PasswordNeverExpires = 0 PasswordNeverExpiresEnabledOnly = 0 PasswordNeverExpiresDisabledOnly = 0 PreAuthNotRequired = $PasswordsInHash.PreAuthNotRequired.Count PreAuthNotRequiredEnabledOnly = 0 PreAuthNotRequiredDisabledOnly = 0 Kerberoastable = $PasswordsInHash.Kerberoastable.Count KerberoastableEnabledOnly = 0 KerberoastableDisabledOnly = 0 SmartCardUsersWithPassword = $PasswordsInHash.SmartCardUsersWithPassword.Count SmartCardUsersWithPasswordEnabledOnly = 0 SmartCardUsersWithPasswordDisabledOnly = 0 } $CountryStatistics = [ordered] @{ DuplicatePasswordUsers = [ordered] @{} WeakPassword = [ordered] @{} } $ContinentStatistics = [ordered] @{ DuplicatePasswordUsers = [ordered] @{} WeakPassword = [ordered] @{} } $CountryCodeStatistics = [ordered] @{ DuplicatePasswordUsers = [ordered] @{} WeakPassword = [ordered] @{} } $CountryToContinent = Convert-CountryToContinent $OutputUsers = foreach ($User in $AllUsers.Keys) { if ($AllUsers[$User].Country) { $Continent = $CountryToContinent[$AllUsers[$User].Country] if (-not $Continent) { $Continent = 'Unknown' } } else { $Continent = 'Unknown' } if ($AllUsers[$User].PasswordNotRequired) { $QualityStatistics.PasswordNotRequired++ if ($AllUsers[$User].Enabled -eq $true) { $QualityStatistics.PasswordNotRequiredEnabledOnly++ } else { $QualityStatistics.PasswordNotRequiredDisabledOnly++ } } if ($AllUsers[$User].PasswordNeverExpires) { $QualityStatistics.PasswordNeverExpires++ if ($AllUsers[$User].Enabled -eq $true) { $QualityStatistics.PasswordNeverExpiresEnabledOnly++ } else { $QualityStatistics.PasswordNeverExpiresDisabledOnly++ } } foreach ($Property in $PasswordsInHash.Keys) { if ($Property -eq 'DuplicatePasswordGroups') { if ($PasswordGroupsUsers[$User]) { $AllUsers[$User][$Property] = $PasswordGroupsUsers[$User] if ($AllUsers[$User].Enabled -eq $true) { $QualityStatistics["$($Property)EnabledOnly"]++ $QualityStatistics.DuplicatePasswordUsersEnabledOnly++ } else { $QualityStatistics["$($Property)DisabledOnly"]++ $QualityStatistics.DuplicatePasswordUsersDisabledOnly++ } $CountryStatistics['DuplicatePasswordUsers'][$AllUsers[$User].Country]++ $ContinentStatistics['DuplicatePasswordUsers'][$Continent]++ $CountryCodeStatistics['DuplicatePasswordUsers'][$AllUsers[$User].CountryCode]++ } else { $AllUsers[$User][$Property] = '' } } elseif ($Property -in $PropertiesToAdd) { if ($PasswordsInHash[$Property] -contains $User) { $AllUsers[$User][$Property] = $true if ($AllUsers[$User].Enabled -eq $true) { $QualityStatistics["$($Property)EnabledOnly"]++ } else { $QualityStatistics["$($Property)DisabledOnly"]++ } if ($Property -eq 'WeakPassword') { $CountryStatistics[$Property][$AllUsers[$User].Country]++ $ContinentStatistics[$Property][$Continent]++ $CountryCodeStatistics[$Property][$AllUsers[$User].CountryCode]++ } } else { $AllUsers[$User][$Property] = $false } } } [PSCustomObject] $AllUsers[$User] } if ($IncludeStatistics) { [ordered] @{ Forest = $ForestInformation.Forest Domains = $ForestInformation.Domains Statistics = $QualityStatistics StatisticsCountry = $CountryStatistics StatisticsCountryCode = $CountryCodeStatistics StatisticsContinents = $ContinentStatistics Users = $OutputUsers WeakPasswordsFileInformation = [ordered] @{ WeakPasswordHashesStats = $WeakPasswordHashesStats WeakPasswordHashesSortedStats = $WeakPasswordHashesSortedStats WeakPasswordsStats = $WeakPasswordsStats } } } else { $OutputUsers } } function New-PasswordConfigurationEmail { [cmdletBinding(DefaultParameterSetName = 'Compatibility', SupportsShouldProcess)] param( [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [alias('SmtpServer')][string] $Server, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [int] $Port, [Parameter(Mandatory, ParameterSetName = 'SecureString')] [Parameter(Mandatory, ParameterSetName = 'oAuth')] [Parameter(Mandatory, ParameterSetName = 'Graph')] [Parameter(Mandatory, ParameterSetName = 'MgGraphRequest')] [Parameter(Mandatory, ParameterSetName = 'Compatibility')] [Parameter(Mandatory, ParameterSetName = 'SendGrid')] [object] $From, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Graph')] [Parameter(ParameterSetName = 'MgGraphRequest')] [Parameter(ParameterSetName = 'Compatibility')] [Parameter(ParameterSetName = 'SendGrid')] [string] $ReplyTo, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Graph')] [Parameter(ParameterSetName = 'MgGraphRequest')] [Parameter(ParameterSetName = 'Compatibility')] [Parameter(ParameterSetName = 'SendGrid')] [alias('Importance')][ValidateSet('Low', 'Normal', 'High')][string] $Priority, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [ValidateSet('None', 'OnSuccess', 'OnFailure', 'Delay', 'Never')][string[]] $DeliveryNotificationOption, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [MailKit.Net.Smtp.DeliveryStatusNotificationType] $DeliveryStatusNotificationType, [Parameter(ParameterSetName = 'oAuth')] [Parameter(Mandatory, ParameterSetName = 'Graph')] [Parameter(ParameterSetName = 'Compatibility')] [Parameter(Mandatory, ParameterSetName = 'SendGrid')] [pscredential] $Credential, [Parameter(ParameterSetName = 'SecureString')] [string] $Username, [Parameter(ParameterSetName = 'SecureString')] [string] $Password, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [MailKit.Security.SecureSocketOptions] $SecureSocketOptions, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [switch] $UseSsl, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [switch] $SkipCertificateRevocation, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [alias('SkipCertificateValidatation')][switch] $SkipCertificateValidation, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [int] $Timeout, [Parameter(ParameterSetName = 'oAuth')] [alias('oAuth')][switch] $oAuth2, [Parameter(ParameterSetName = 'Graph')] [Parameter(ParameterSetName = 'MgGraphRequest')] [switch] $RequestReadReceipt, [Parameter(ParameterSetName = 'Graph')] [Parameter(ParameterSetName = 'MgGraphRequest')] [switch] $RequestDeliveryReceipt, [Parameter(ParameterSetName = 'Graph')] [Parameter(ParameterSetName = 'MgGraphRequest')] [switch] $Graph, [Parameter(ParameterSetName = 'MgGraphRequest')] [switch] $MgGraphRequest, [Parameter(ParameterSetName = 'SecureString')] [switch] $AsSecureString, [Parameter(ParameterSetName = 'SendGrid')] [switch] $SendGrid, [Parameter(ParameterSetName = 'SendGrid')] [switch] $SeparateTo, [Parameter(ParameterSetName = 'Graph')] [Parameter(ParameterSetName = 'MgGraphRequest')] [switch] $DoNotSaveToSentItems, [Parameter(ParameterSetName = 'SecureString')] [Parameter(ParameterSetName = 'oAuth')] [Parameter(ParameterSetName = 'Compatibility')] [string] $LocalDomain ) $Output = [ordered] @{ Type = 'PasswordConfigurationEmail' Settings = [ordered] @{ Server = if ($PSBoundParameters.ContainsKey('Server')) { $Server } else { $null } Port = if ($PSBoundParameters.ContainsKey('Port')) { $Port } else { $null } From = if ($PSBoundParameters.ContainsKey('From')) { $From } else { $null } ReplyTo = if ($PSBoundParameters.ContainsKey('ReplyTo')) { $ReplyTo } else { $null } Priority = if ($PSBoundParameters.ContainsKey('Priority')) { $Priority } else { $null } DeliveryNotificationOption = if ($PSBoundParameters.ContainsKey('DeliveryNotificationOption')) { $DeliveryNotificationOption } else { $null } DeliveryStatusNotificationType = if ($PSBoundParameters.ContainsKey('DeliveryStatusNotificationType')) { $DeliveryStatusNotificationType } else { $null } Credential = if ($PSBoundParameters.ContainsKey('Credential')) { $Credential } else { $null } Username = if ($PSBoundParameters.ContainsKey('Username')) { $Username } else { $null } Password = if ($PSBoundParameters.ContainsKey('Password')) { $Password } else { $null } SecureSocketOptions = if ($PSBoundParameters.ContainsKey('SecureSocketOptions')) { $SecureSocketOptions } else { $null } UseSsl = if ($PSBoundParameters.ContainsKey('UseSsl')) { $UseSsl } else { $null } SkipCertificateRevocation = if ($PSBoundParameters.ContainsKey('SkipCertificateRevocation')) { $SkipCertificateRevocation } else { $null } SkipCertificateValidation = if ($PSBoundParameters.ContainsKey('SkipCertificateValidatation')) { $SkipCertificateValidation } else { $null } Timeout = if ($PSBoundParameters.ContainsKey('Timeout')) { $Timeout } else { $null } oAuth2 = if ($PSBoundParameters.ContainsKey('oAuth2')) { $oAuth2 } else { $null } RequestReadReceipt = if ($PSBoundParameters.ContainsKey('RequestReadReceipt')) { $RequestReadReceipt } else { $null } RequestDeliveryReceipt = if ($PSBoundParameters.ContainsKey('RequestDeliveryReceipt')) { $RequestDeliveryReceipt } else { $null } Graph = if ($PSBoundParameters.ContainsKey('Graph')) { $Graph } else { $null } MgGraphRequest = if ($PSBoundParameters.ContainsKey('MgGraphRequest')) { $MgGraphRequest } else { $null } AsSecureString = if ($PSBoundParameters.ContainsKey('AsSecureString')) { $AsSecureString } else { $null } SendGrid = if ($PSBoundParameters.ContainsKey('SendGrid')) { $SendGrid } else { $null } SeparateTo = if ($PSBoundParameters.ContainsKey('SeparateTo')) { $SeparateTo } else { $null } DoNotSaveToSentItems = if ($PSBoundParameters.ContainsKey('DoNotSaveToSentItems')) { $DoNotSaveToSentItems } else { $null } WhatIf = $WhatIfPreference } } Remove-EmptyValue -Hashtable $Output.Settings $Output } function New-PasswordConfigurationEntra { [CmdletBinding()] param( [switch] $Enable ) $Output = [ordered] @{ Type = "PasswordConfigurationEntra" Settings = [ordered] @{ Enabled = $Enable.IsPresent } } $Output } function New-PasswordConfigurationExternalUsers { <# .SYNOPSIS This function caches users from external systems to be used in the password configuration. .DESCRIPTION This function caches users from external systems to be used in the password configuration. It provides ability to find user by some property and get another property of the user. .PARAMETER Users Parameter description .PARAMETER ActiveDirectoryProperty Property in Active Directory to search for when comparing against SearchProperty. .PARAMETER SearchProperty Property to cache on the user object. .PARAMETER EmailProperty How the email property is called in the user object. .PARAMETER Global Tells the solution to globally overwrite email addresses for all users. .PARAMETER Name Name of the configuration. Visible in HTML reports. .EXAMPLE New-PasswordConfigurationExternalUsers -Users $ExportDataFromHrSystem -SearchProperty '<property in the HR system>' -EmailProperty '<email property in HR system>' -ActiveDirectoryProperty 'SamAccountName' .NOTES General notes #> [CmdletBinding()] param( [parameter(Mandatory)][string] $Name, [parameter(Mandatory)][Array] $Users, [parameter(Mandatory)][string] $ActiveDirectoryProperty, [parameter(Mandatory)][string] $SearchProperty, [parameter(Mandatory)][string] $EmailProperty, [switch] $Global ) $CachedUsers = [ordered] @{} if ($Users.Count -gt 0 -and $Users[0].$SearchProperty -and $Users[0].$EmailProperty) { Write-Color -Text '[+] ', "Caching users for '$Name'" -Color Green, White } else { Write-Color -Text '[-] ', "Couldn't cache users as either users not provided or email/search property are invalid. Please fix 'New-PasswordConfigurationExternalUsers'" -Color Yellow, White return } try { foreach ($User in $Users) { if ($User.$SearchProperty) { $CachedUsers[$User.$SearchProperty] = $User | Select-Object -Property $EmailProperty } } } catch { Write-Color -Text '[-] ', "Couldn't cache users. Please fix 'New-PasswordConfigurationExternalUsers'. Error: ", "$($_.Exception.Message)" -Color Yellow, White, Red return } [ordered] @{ Type = 'ExternalUsers' ActiveDirectoryProperty = $ActiveDirectoryProperty SearchProperty = $SearchProperty EmailProperty = $EmailProperty Users = $CachedUsers Global = $Global.IsPresent Name = $Name } } function New-PasswordConfigurationOption { <# .SYNOPSIS Provides a way to create a PasswordConfigurationOption object. .DESCRIPTION This function provides a way to create a PasswordConfigurationOption object. The object is used to store configuration options for the Password Solution module. .PARAMETER ShowTime Show time in the console output. If not provided, time will not be shown. Time in the log file is always shown. .PARAMETER LogFile File path to the log file. If not provided, there will be no logging to file .PARAMETER TimeFormat Time format used in the logging functionality. .PARAMETER LogMaximum Maximum number of log files to keep. Default is 0 (unlimited). Once the number of log files exceeds the limit, the oldest log files will be deleted. .PARAMETER NotifyOnSkipUserManagerOnly Provides a way to control output to screen for SkipUserManagerOnly. .PARAMETER NotifyOnSecuritySend Provides a way to control output to screen for SecuritySend. .PARAMETER NotifyOnManagerSend Provides a way to control output to screen for ManagerSend. .PARAMETER NotifyOnUserSend Provides a way to control output to screen for UserSend. .PARAMETER NotifyOnUserMatchingRule Provides a way to control output to screen for UserMatchingRule. .PARAMETER NotifyOnUserDaysToExpireNull Provides a way to control output to screen for UserDaysToExpireNull. .PARAMETER NotifyOnUserMatchingRuleForManager Provides a way to control output to screen for UserMatchingRuleForManager. .PARAMETER NotifyOnUserMatchingRuleForManagerButNotCompliant Provides a way to control output to screen for UserMatchingRuleForManagerButNotCompliant. .PARAMETER SearchPath Path to XML file that will be used for storing search results. .PARAMETER EmailDateFormat Parameter description .PARAMETER EmailDateFormatUTCConversion Parameter description .PARAMETER OverwriteEmailProperty Parameter description .PARAMETER OverwriteManagerProperty Parameter description .PARAMETER FilterOrganizationalUnit Provides a way to filter users by Organizational Unit limiting the scope of the search. The search is performed using 'like' operator, so you can use wildcards if needed. .EXAMPLE $Options = @{ # Logging to file and to screen ShowTime = $true LogFile = "$PSScriptRoot\Logs\PasswordSolution_$(($Date).ToString('yyyy-MM-dd_HH_mm_ss')).log" TimeFormat = "yyyy-MM-dd HH:mm:ss" LogMaximum = 365 NotifyOnSkipUserManagerOnly = $false NotifyOnSecuritySend = $true NotifyOnManagerSend = $true NotifyOnUserSend = $true NotifyOnUserMatchingRule = $false NotifyOnUserDaysToExpireNull = $false SearchPath = "$PSScriptRoot\Search\SearchLog_$((Get-Date).ToString('yyyy-MM')).xml" EmailDateFormat = "yyyy-MM-dd" EmailDateFormatUTCConversion = $true FilterOrganizationalUnit = @( "*OU=Accounts,OU=Administration,DC=ad,DC=evotec,DC=xyz" "*OU=Administration,DC=ad,DC=evotec,DC=xyz" ) } New-PasswordConfigurationOption @Options .NOTES General notes #> [CmdletBinding()] param( [switch] $ShowTime , #= $true [string] $LogFile , #= "$PSScriptRoot\Logs\PasswordSolution_$(($Date).ToString('yyyy-MM-dd_HH_mm_ss')).log" [string] $TimeFormat , #= "yyyy-MM-dd HH:mm:ss" [int] $LogMaximum , #= 365 [switch] $NotifyOnSkipUserManagerOnly , #= $false [switch] $NotifyOnSecuritySend , #= $true [switch] $NotifyOnManagerSend , #= $true [switch] $NotifyOnUserSend , #= $true [switch] $NotifyOnUserMatchingRule , #= $true [switch] $NotifyOnUserDaysToExpireNull , #= $true [switch] $NotifyOnUserMatchingRuleForManager, [switch] $NotifyOnUserMatchingRuleForManagerButNotCompliant, [string] $SearchPath, [string] $EmailDateFormat, [switch] $EmailDateFormatUTCConversion, [string] $OverwriteEmailProperty, [string] $OverwriteManagerProperty, [string[]] $FilterOrganizationalUnit ) $Output = [ordered] @{ Type = "PasswordConfigurationOption" Settings = [ordered] @{ ShowTime = $ShowTime.IsPresent LogFile = $LogFile TimeFormat = $TimeFormat LogMaximum = $LogMaximum NotifyOnSkipUserManagerOnly = $NotifyOnSkipUserManagerOnly.IsPresent NotifyOnSecuritySend = $NotifyOnSecuritySend.IsPresent NotifyOnManagerSend = $NotifyOnManagerSend.IsPresent NotifyOnUserSend = $NotifyOnUserSend.IsPresent NotifyOnUserMatchingRule = $NotifyOnUserMatchingRule.IsPresent NotifyOnUserDaysToExpireNull = $NotifyOnUserDaysToExpireNull.IsPresent NotifyOnUserMatchingRuleForManager = $NotifyOnUserMatchingRuleForManager.IsPresent NotifyOnUserMatchingRuleForManagerButNotCompliant = $NotifyOnUserMatchingRuleForManagerButNotCompliant.IsPresent SearchPath = $SearchPath EmailDateFormat = $EmailDateFormat EmailDateFormatUTCConversion = $EmailDateFormatUTCConversion.IsPresent OverwriteEmailProperty = $OverwriteEmailProperty OverwriteManagerProperty = $OverwriteManagerProperty FilterOrganizationalUnit = $FilterOrganizationalUnit } } Remove-EmptyValue -Hashtable $Output.Settings $Output } function New-PasswordConfigurationReport { <# .SYNOPSIS Provides HTML report configuration for Password Notifications in Password Solution. .DESCRIPTION Provides HTML report configuration for Password Notifications in Password Solution. The New-PasswordConfigurationReport function generates configuration for HTML report. .PARAMETER Enable Specifies whether to enable the report generation. The default value is $false. .PARAMETER ShowHTML Specifies whether to display the report in HTML format right after it's generated in default browser. The default value is $false. .PARAMETER Title Specifies the title of the report. The default value is "Password Solution Summary". .PARAMETER Online Specifies whether to generate the report using CDN for CSS and JS scripts, or use it locally. It doesn't require internet connectivity during generation. Makes the final output 3MB smaller. The default value is $false. .PARAMETER DisableWarnings Specifies whether to disable warning messages during report generation. The default value is $false. .PARAMETER ShowConfiguration Specifies whether to display the current Password Solution configuration settings. The default value is $false. .PARAMETER ShowAllUsers Specifies whether to display information about all user accounts. The default value is $false. .PARAMETER ShowRules Specifies whether to display information from the rules. The default value is $false. .PARAMETER ShowUsersSent Specifies whether to display information about users who have received (or not) password expiry notifications. The default value is $false. .PARAMETER ShowManagersSent Specifies whether to display information about managers who have received password expiry notifications. The default value is $false. .PARAMETER ShowEscalationSent Specifies whether to display information about escalation contacts who have received password expiry notifications. The default value is $false. .PARAMETER ShowSkippedUsers Specifies whether to display information about users who were during password expiry notifications because of inability to asses their expiration date. The default value is $false. .PARAMETER ShowSkippedLocations Specifies whether to display information about locations where skipped users are located. The default value is $false. .PARAMETER ShowSearchUsers Specifies whether to display information for searching who got password expiry notifications. The default value is $false. .PARAMETER ShowSearchManagers Specifies whether to display information for searching who got password expiry notifications and for which accounts from managers. The default value is $false. .PARAMETER ShowSearchEscalations Specifies whether to display information for searching who got password escalation notifications and what's the status of that message. The default value is $false. .PARAMETER ShowExternalSystemReplacementsUsers Specifies whether to display information about users who's email address was replaced by an external system. The default value is $false. .PARAMETER ShowExternalSystemReplacementsManagers Specifies whether to display information about managers who's email address was replaced by an external system. The default value is $false. .PARAMETER FilePath Specifies the file path for the report .PARAMETER AttachToEmail Specifies whether to attach the report to an administrative email. The default value is $false. .PARAMETER NestedRules Specifies whether to display nested password rules. Each rule has it's own tab with output. Having many rules and all other settings enabled can result in a very long list of tabs that's hard to navigate. This setting forces separate tab for all rules. The default value is $false. .PARAMETER ExcludeProperties Specifies an array of properties to exclude from the report. The default value is @('Manager', 'ManagerDN', 'MemberOf'). Manager, ManagerDN are not really needed in the report as they are already displayed in other form. MemberOf is not needed as it's not really relevant to the report, and can take a lot of space. .OUTPUTS The function returns an ordered dictionary that contains the report settings. .EXAMPLE New-PasswordConfigurationReport -ShowHTML -Title "Password Configuration Report" -FilePath "C:\Reports\PasswordReport.html" .EXAMPLE $Date = Get-Date $Report = [ordered] @{ Enable = $true ShowHTML = $true Title = "Password Solution Summary" Online = $true DisableWarnings = $true ShowConfiguration = $true ShowAllUsers = $true ShowRules = $true ShowUsersSent = $true ShowManagersSent = $true ShowEscalationSent = $true ShowSkippedUsers = $true ShowSkippedLocations = $true ShowSearchUsers = $true ShowSearchManagers = $true ShowSearchEscalations = $true NestedRules = $false FilePath = "$PSScriptRoot\Reporting\PasswordSolution_$(($Date).ToString('yyyy-MM-dd_HH_mm_ss')).html" AttachToEmail = $true } New-PasswordConfigurationReport @Report #> [CmdletBinding()] param( [switch] $Enable, [switch] $ShowHTML, [string] $Title, [switch] $Online, [switch] $DisableWarnings, [switch] $ShowConfiguration, [switch] $ShowAllUsers, [switch] $ShowRules, [switch] $ShowUsersSent, [switch] $ShowManagersSent, [switch] $ShowEscalationSent, [switch] $ShowSkippedUsers, [switch] $ShowSkippedLocations, [switch] $ShowSearchUsers, [switch] $ShowSearchManagers, [switch] $ShowSearchEscalations , [string] $FilePath, [switch] $AttachToEmail, [switch] $NestedRules, [switch] $ShowExternalSystemReplacementsUsers, [switch] $ShowExternalSystemReplacementsManagers, [string[]] $ExcludeProperties = @('Manager', 'ManagerDN', 'MemberOf') ) $Output = [ordered] @{ Type = "PasswordConfigurationReport" Settings = [ordered] @{ Enable = $Enable.IsPresent ShowHTML = $ShowHTML.IsPresent Title = $Title Online = $Online.IsPresent DisableWarnings = $DisableWarnings.IsPresent ShowConfiguration = $ShowConfiguration.IsPresent ShowAllUsers = $ShowAllUsers.IsPresent ShowRules = $ShowRules.IsPresent ShowUsersSent = $ShowUsersSent.IsPresent ShowManagersSent = $ShowManagersSent.IsPresent ShowEscalationSent = $ShowEscalationSent.IsPresent ShowSkippedUsers = $ShowSkippedUsers.IsPresent ShowSkippedLocations = $ShowSkippedLocations.IsPresent ShowSearchUsers = $ShowSearchUsers.IsPresent ShowSearchManagers = $ShowSearchManagers.IsPresent ShowSearchEscalations = $ShowSearchEscalations.IsPresent FilePath = $FilePath AttachToEmail = $AttachToEmail.IsPresent NestedRules = $NestedRules.IsPresent ShowExternalSystemReplacementsUsers = $ShowExternalSystemReplacementsUsers.IsPresent ShowExternalSystemReplacementsManagers = $ShowExternalSystemReplacementsManagers.IsPresent ExcludeProperties = $ExcludeProperties } } $Output } function New-PasswordConfigurationRule { <# .SYNOPSIS Short description .DESCRIPTION Long description .PARAMETER ReminderConfiguration Parameter description .PARAMETER Name Parameter description .PARAMETER Enable Parameter description .PARAMETER IncludeExpiring Parameter description .PARAMETER IncludePasswordNeverExpires Parameter description .PARAMETER PasswordNeverExpiresDays Parameter description .PARAMETER IncludeName Include user in rule if any of the properties match the value of Name in the properties defined in IncludeNameProperties .PARAMETER IncludeNameProperties Include user in rule if any of the properties match the value as defined in IncludeName .PARAMETER ExcludeName Exclude user from rule if any of the properties match the value of Name in the properties defined in ExcludeNameProperties .PARAMETER ExcludeNameProperties Exclude user from rule if any of the properties match the value as defined in ExcludeName .PARAMETER IncludeOU Parameter description .PARAMETER ExcludeOU Parameter description .PARAMETER IncludeGroup Parameter description .PARAMETER ExcludeGroup Parameter description .PARAMETER ReminderDays Days before expiration to send reminder. If not set and ProcessManagersOnly is not set, the rule will be throw an error. .PARAMETER ManagerReminder Parameter description .PARAMETER ManagerNotCompliant Parameter description .PARAMETER ManagerNotCompliantDisplayName Parameter description .PARAMETER ManagerNotCompliantEmailAddress Parameter description .PARAMETER ManagerNotCompliantDisabled Parameter description .PARAMETER ManagerNotCompliantMissing Parameter description .PARAMETER ManagerNotCompliantMissingEmail Parameter description .PARAMETER ManagerNotCompliantLastLogonDays Parameter description .PARAMETER SecurityEscalation Parameter description .PARAMETER SecurityEscalationDisplayName Parameter description .PARAMETER SecurityEscalationEmailAddress Parameter description .PARAMETER OverwriteEmailProperty Parameter description .PARAMETER OverwriteManagerProperty Parameter description .PARAMETER OverwriteEmailFromExternalUsers Allow to overwrite email from external users for specific rule .PARAMETER ProcessManagersOnly This parameters is used to process users, but only managers will be notified. Sending emails to users within the rule will be skipped completly. This is useful if users would have email addresses, that would normally trigger an email to them. .EXAMPLE An example .NOTES General notes #> [CmdletBinding()] param( [scriptblock] $ReminderConfiguration, [parameter(Mandatory)][string] $Name, [switch] $Enable, [switch] $IncludeExpiring, [switch] $IncludePasswordNeverExpires, [nullable[int]]$PasswordNeverExpiresDays, [string[]] $IncludeNameProperties, [string[]] $IncludeName, [string[]] $ExcludeNameProperties, [string[]] $ExcludeName, [string[]] $IncludeOU, [string[]] $ExcludeOU, [string[]] $IncludeGroup, [string[]] $ExcludeGroup, [alias('ExpirationDays', 'Days')][Array] $ReminderDays, [switch] $ManagerReminder, [switch] $ManagerNotCompliant, [string] $ManagerNotCompliantDisplayName, [string] $ManagerNotCompliantEmailAddress, [switch] $ManagerNotCompliantDisabled, [switch] $ManagerNotCompliantMissing, [switch]$ManagerNotCompliantMissingEmail, [nullable[int]] $ManagerNotCompliantLastLogonDays, [switch] $SecurityEscalation, [string] $SecurityEscalationDisplayName, [string] $SecurityEscalationEmailAddress, [string] $OverwriteEmailProperty, [string] $OverwriteManagerProperty, [switch] $ProcessManagersOnly, [switch] $OverwriteEmailFromExternalUsers ) if (-not $ProcessManagersOnly) { if ($null -eq $ReminderDays) { $ErrorMessage = "'ReminderDays' is required for rule '$Name', unless 'ProcessManagersOnly' is set. This is to make sure the rule is not skipped completly." Write-Color -Text "[e]", " Processing rule ", $Name, " failed because of error: ", $ErrorMessage -Color Yellow, White, Red return [ordered] @{ Type = 'PasswordConfigurationRule' Error = $ErrorMessage } } } $Output = [ordered] @{ Name = $Name Enable = $Enable.IsPresent IncludeExpiring = $IncludeExpiring.IsPresent IncludePasswordNeverExpires = $IncludePasswordNeverExpires.IsPresent Reminders = $ReminderDays PasswordNeverExpiresDays = $PasswordNeverExpiresDays IncludeNameProperties = $IncludeNameProperties IncludeName = $IncludeName IncludeOU = $IncludeOU ExcludeOU = $ExcludeOU SendToManager = [ordered] @{} ProcessManagersOnly = $ProcessManagersOnly.IsPresent OverwriteEmailProperty = $OverwriteEmailProperty OverwriteManagerProperty = $OverwriteManagerProperty OverwriteEmailFromExternalUsers = $OverwriteEmailFromExternalUsers.IsPresent } $Output.SendToManager['Manager'] = [ordered] @{ Enable = $false Reminders = [ordered] @{} } $Output.SendToManager['ManagerNotCompliant'] = [ordered] @{ Enable = $false Manager = [ordered] @{ DisplayName = $ManagerNotCompliantDisplayName EmailAddress = $ManagerNotCompliantEmailAddress } Disabled = $ManagerNotCompliantDisabled Missing = $ManagerNotCompliantMissing MissingEmail = $ManagerNotCompliantMissingEmail LastLogon = if ($PSBoundParameters.ContainsKey('ManagerNotCompliantLastLogonDays')) { $true } else { $false } LastLogonDays = $ManagerNotCompliantLastLogonDays Reminders = [ordered] @{ } } $Output.SendToManager['SecurityEscalation'] = [ordered] @{ Enable = $false Manager = [ordered] @{ DisplayName = $SecurityEscalationDisplayName EmailAddress = $SecurityEscalationEmailAddress } Reminders = [ordered] @{} } if ($ManagerReminder) { $Output.SendToManager['Manager'].Enable = $true } if ($ManagerNotCompliant) { $Output.SendToManager['ManagerNotCompliant'].Enable = $true } if ($SecurityEscalation) { $Output.SendToManager['SecurityEscalation'].Enable = $true } if ($ReminderConfiguration) { try { $RemindersExecution = & $ReminderConfiguration } catch { Write-Color -Text "[e]", " Processing rule ", $Output.Name, " failed because of error: ", $_.Exception.Message -Color Yellow, White, Red return [ordered] @{ Type = 'PasswordConfigurationRule' Error = $_.Exception.Message } } foreach ($Reminder in $RemindersExecution) { if ($Reminder.Type -eq 'Manager') { foreach ($ReminderReminders in $Reminder.Reminders) { $Output.SendToManager['Manager'].Reminders += $ReminderReminders } } elseif ($Reminder.Type -eq 'ManagerNotCompliant') { foreach ($ReminderReminders in $Reminder.Reminders) { $Output.SendToManager['ManagerNotCompliant'].Reminders += $ReminderReminders } } elseif ($Reminder.Type -eq 'Security') { foreach ($ReminderReminders in $Reminder.Reminders) { $Output.SendToManager['SecurityEscalation'].Reminders += $ReminderReminders } } else { throw "Invalid reminder type: $($Reminder.Type)" } } } Remove-EmptyValue -Hashtable $Output -Recursive -Rerun 2 $Configuration = [ordered] @{ Type = 'PasswordConfigurationRule' Settings = $Output } $Configuration } function New-PasswordConfigurationRuleReminder { [CmdletBinding(DefaultParameterSetName = 'Daily')] param( [Parameter(Mandatory, ParameterSetName = 'Daily')] [Parameter(Mandatory, ParameterSetName = 'DayOfWeek')] [Parameter(Mandatory, ParameterSetName = 'DayOfMonth')] [ValidateSet('Manager', 'ManagerNotCompliant', 'Security')][string] $Type, [Parameter(Mandatory, ParameterSetName = 'Daily')] [Parameter(Mandatory, ParameterSetName = 'DayOfWeek')] [Parameter(Mandatory, ParameterSetName = 'DayOfMonth')] [alias('ConditionDays', 'Days')][Array] $ExpirationDays, [Parameter(Mandatory, ParameterSetName = 'DayOfWeek')] [ValidateSet( 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday' )][Array] $DayOfWeek, [Parameter(Mandatory, ParameterSetName = 'DayOfMonth')] [Array] $DayOfMonth, [Parameter(ParameterSetName = 'Daily')] [Parameter(ParameterSetName = 'DayOfWeek')] [Parameter(ParameterSetName = 'DayOfMonth')] [ValidateSet('lt', 'gt', 'eq', 'in')][string] $ComparisonType = 'eq' ) if ($ComparisonType -in 'eq', 'lt', 'gt') { if ($ExpirationDays.Count -gt 1) { throw "Only one number for 'ExpirationDays' can be specified for RuleReminder when using comparison types 'eq', 'lt', and 'gt'. Current values are $($ExpirationDays -join ', ') for '$ComparisonType'" } else { $ExpirationDaysToUse = $ExpirationDays[0] } } else { $ExpirationDaysToUse = $ExpirationDays } if ($PSCmdlet.ParameterSetName -eq 'Daily') { $Reminders = [ordered] @{ Type = $Type Reminders = @{ Default = [ordered] @{ Enable = $true } } } } elseif ($PSCmdlet.ParameterSetName -eq 'DayOfWeek') { $Reminders = [ordered] @{ Type = $Type Reminders = @{ OnDay = [ordered] @{ Enable = $true Reminder = $ExpirationDaysToUse ComparisonType = $ComparisonType Days = $DayOfWeek } } } } elseif ($PSCmdlet.ParameterSetName -eq 'DayOfMonth') { $Reminders = [ordered] @{ Type = $Type Reminders = @{ OnDayOfMonth = [ordered] @{ Enable = $true Reminder = $ExpirationDaysToUse ComparisonType = $ComparisonType Days = $DayOfMonth } } } } $Reminders } function New-PasswordConfigurationTemplate { [CmdletBinding()] param( [parameter(Mandatory)][ScriptBlock] $Template, [parameter(Mandatory)][string] $Subject, [parameter(Mandatory)][ValidateSet('PreExpiry', 'PostExpiry', 'Manager', 'ManagerNotCompliant', 'Security', 'Admin')] $Type ) $Output = [ordered] @{ Type = "PasswordConfigurationTemplate$Type" Settings = [ordered] @{ Template = $Template Subject = $Subject } } $Output } function New-PasswordConfigurationType { [CmdletBinding()] param( [Parameter(Mandatory)][ValidateSet('User', 'Manager', 'Security', 'Admin')][string] $Type, [switch] $Enable, [int] $SendCountMaximum, [string] $DefaultEmail, [switch] $AttachCSV ) $Output = [ordered] @{ Type = "PasswordConfigurationType$Type" Settings = @{ Enable = $Enable.IsPresent SendCountMaximum = $SendCountMaximum SendToDefaultEmail = if ($DefaultEmail) { $true } else { $false } DefaultEmail = $DefaultEmail OverwriteEmailProperty = $OverwriteEmailProperty AttachCSV = $AttachCSV.IsPresent } } $Output } function Show-PasswordQuality { <# .SYNOPSIS Creates an HTML report showing password quality for all user objects in Active Directory. .DESCRIPTION Creates an HTML report showing password quality for all user objects in Active Directory. This comman utilizes DSInternals PowerShell module to get the data. Then it uses PSWriteHTML to create nice looking report. .PARAMETER FilePath Path to the file where report will be saved. .PARAMETER DontShow If specified, report will not be opened in a browser. .PARAMETER Online If specified report will use CDN for JS and CSS files. If not specified, it will merge all CSS and JS files into one HTML file. This makes the file at least 3MB bigger, even if there is very small amount of data. Keep in mind that this report can be created without internet access, just that opening it in a browser with -Online switch will require internet access. .PARAMETER WeakPasswords List of weak passwords that should be checked for. Provide a list of common passwords that you want to check for, and that your users may have used. .PARAMETER WeakPasswordsFilePath Path to a file that contains weak passwords, one password per line. .PARAMETER WeakPasswordsHashesFile Path to a file that contains NT hashes of weak passwords, one hash in HEX format per line. For performance reasons, the -WeakPasswordHashesSortedFile parameter should be used instead. .PARAMETER WeakPasswordsHashesSortedFile Path to a file that contains NT hashes of weak passwords, one hash in HEX format per line. The hashes must be sorted alphabetically, because a binary search is performed. This parameter is typically used with a list of leaked password hashes from HaveIBeenPwned. .PARAMETER SeparateDuplicateGroups If specified, report will show duplicate groups separately, one group per tab. .EXAMPLE Show-PasswordQuality -FilePath $PSScriptRoot\Reporting\PasswordQuality.html -Online -WeakPasswords "Test1", "Test2", "Test3" -Verbose .EXAMPLE Show-PasswordQuality -FilePath "C:\Support\GitHub\TheDashboard\Ignore\Reports\CustomReports\PasswordQuality_$(Get-Date -f yyyy-MM-dd_HHmmss).html" -WeakPasswords "Test1", "Test2", "Test3" #-Verbose .NOTES General notes #> [CmdletBinding()] param( [alias('ForestName')][string] $Forest, [string[]] $ExcludeDomains, [alias('Domain', 'Domains')][string[]] $IncludeDomains, [System.Collections.IDictionary] $ExtendedForestInformation, [string] $FilePath, [switch] $DontShow, [switch] $Online, [alias('KnownPasswords')][string[]] $WeakPasswords, [alias('KnownPasswordsFilePath')][string] $WeakPasswordsFilePath, [alias('KnownPasswordsHashesFile')][string] $WeakPasswordsHashesFile, [alias('KnownPasswordsHashesSortedFile')][string] $WeakPasswordsHashesSortedFile, [switch] $SeparateDuplicateGroups, [switch] $PassThru, [switch] $AddWorldMap, [alias('LogFile')][string] $LogPath, [int] $LogMaximum, [switch] $LogShowTime, [string] $LogTimeFormat = "yyyy-MM-dd HH:mm:ss" ) $TimeStart = Start-TimeLog $Script:Reporting = [ordered] @{} $Script:Reporting['Version'] = Get-GitHubVersion -Cmdlet 'Show-PasswordQuality' -RepositoryOwner 'evotecit' -RepositoryName 'PasswordSolution' Write-Color -Text '[i]', "[PasswordSolution] ", 'Version', ' [Informative] ', $Script:Reporting['Version'] -Color Yellow, DarkGray, Yellow, DarkGray, Magenta Set-LoggingCapabilities -LogPath $LogPath -LogMaximum $LogMaximum -ShowTime:$LogShowTime.IsPresent -TimeFormat $TimeFormat Write-Color -Text '[i]', "[PasswordSolution] ", 'Version', ' [Informative] ', $Script:Reporting['Version'] -Color Yellow, DarkGray, Yellow, DarkGray, Magenta -NoConsoleOutput Write-Color '[i]', ' Gathering passwords data' -Color Yellow, DarkGray, Yellow, DarkGray, Magenta Write-Color '[i]', ' Using provided ', $WeakPasswords.Count, " weak passwords to verify against." -Color Yellow, DarkGray, Yellow, DarkGray, Magenta $TimeStartPasswords = Start-TimeLog $findPasswordQualitySplat = @{ IncludeStatistics = $true WeakPasswords = $WeakPasswords WeakPasswordsFilePath = $WeakPasswordsFilePath WeakPasswordsHashesFile = $WeakPasswordsHashesFile WeakPasswordsHashesSortedFile = $WeakPasswordsHashesSortedFile Forest = $Forest ExcludeDomains = $ExcludeDomains IncludeDomains = $IncludeDomains ExtendedForestInformation = $ExtendedForestInformation } $PasswordQuality = Find-PasswordQuality @findPasswordQualitySplat if (-not $PasswordQuality) { return } $Users = $PasswordQuality.Users $Statistics = $PasswordQuality.Statistics $Countries = $PasswordQuality.StatisticsCountry $CountriesCodes = $PasswordQuality.StatisticsCountryCode $Continents = $PasswordQuality.StatisticsContinents $EndLogPasswords = Stop-TimeLog -Time $TimeStartPasswords -Option OneLiner Write-Color '[i]', ' Time to gather passwords data ', $EndLogPasswords -Color Yellow, DarkGray, Yellow, DarkGray, Magenta $TimeStartHTML = Start-TimeLog Write-Color -Text '[i] ', 'Generating HTML report...' -Color Yellow, DarkGray New-HTML { New-HTMLTabStyle -BorderRadius 0px -TextTransform capitalize -BackgroundColorActive SlateGrey New-HTMLSectionStyle -BorderRadius 0px -HeaderBackGroundColor Grey -RemoveShadow New-HTMLPanelStyle -BorderRadius 0px New-HTMLTableOption -DataStore JavaScript -BoolAsString -ArrayJoinString ', ' -ArrayJoin New-HTMLHeader { New-HTMLSection -Invisible { New-HTMLSection { New-HTMLText -Text "Report generated on $(Get-Date)" -Color Blue } -JustifyContent flex-start -Invisible New-HTMLSection { New-HTMLText -Text "Password Solution - $($Script:Reporting['Version'])" -Color Blue } -JustifyContent flex-end -Invisible } } Write-Color -Text '[i] ', 'Generating summary statistics' -Color Yellow, DarkGray New-HTMLSection { New-HTMLSection -Invisible { New-HTMLPanel -Invisible { New-HTMLText -Text @( "This report shows current status of an Active Directory forest $($PasswordQuality.Forest)." "It focuses on the password quality of users in the following domains: " ) -FontSize 12px New-HTMLList { foreach ($Domain in $PasswordQuality.Domains) { New-HTMLListItem -Text $Domain -Color Blue } } -FontSize 12px $WeakPasswordsFileInformation = $PasswordQuality.WeakPasswordsFileInformation if ($WeakPasswords.Count -gt 0 -or $WeakPasswordsFileInformation.WeakPasswordsStats -or $WeakPasswordsFileInformation.WeakPasswordHashesStats -or $WeakPasswordsFileInformation.WeakPasswordHashesSortedStats) { New-HTMLText -Text @( "The report uses following weak password features: " ) -FontSize 12px New-HTMLList { if ($WeakPasswords.Count -gt 0) { New-HTMLListItem -Text @( "This report uses ", $WeakPasswords.Count, " weak passwords to check for, as provided during runtime." ) -FontSize 12px -Color None, Red, None -FontWeight normal, bold, normal } if ($WeakPasswordsFileInformation.WeakPasswordsStats) { New-HTMLListItem -Text @( "This report uses weak passwords from ", $WeakPasswordsFileInformation.WeakPasswordsStats.FullName, " to check for, as provided during runtime, size ", $WeakPasswordsFileInformation.WeakPasswordsStats.Size, ", last write time ", $WeakPasswordsFileInformation.WeakPasswordsStats.LastWriteTime, "." ) -FontSize 12px -Color None, Red, None, Blue, None, Blue, None -FontWeight normal, bold, normal, bold, normal, bold, normal } if ($WeakPasswordsFileInformation.WeakPasswordHashesStats) { New-HTMLListItem -Text @( "This report uses weak passwords hashes from ", $WeakPasswordsFileInformation.WeakPasswordHashesStats.FullName, " to check for, as provided during runtime, size ", $WeakPasswordsFileInformation.WeakPasswordHashesStats.Size, ", last write time ", $WeakPasswordsFileInformation.WeakPasswordHashesStats.LastWriteTime, "." ) -FontSize 12px -Color None, Red, None, Blue, None, Blue, None -FontWeight normal, bold, normal, bold, normal, bold, normal } if ($WeakPasswordsFileInformation.WeakPasswordHashesSortedStats) { New-HTMLListItem -Text @( "This report uses weak passwords hashes from ", $WeakPasswordsFileInformation.WeakPasswordHashesSortedStats.FullName, " to check for, as provided during runtime, size ", $WeakPasswordsFileInformation.WeakPasswordHashesSortedStats.Size, ", last write time ", $WeakPasswordsFileInformation.WeakPasswordHashesSortedStats.LastWriteTime, "." ) -FontSize 12px -Color None, Red, None, Blue, None, Blue, None -FontWeight normal, bold, normal, bold, normal, bold, normal } } } New-HTMLText -Text "Here's a short overview of what this report shows:" -Color None -FontSize 12px New-HTMLList { foreach ($Statistic in $Statistics.Keys | Where-Object { $_ -notlike '*EnabledOnly' -and $_ -notlike '*DisabledOnly' } ) { $ValueTotal = $Statistics[$Statistic] if ($Statistic -eq "DuplicatePasswordGroups") { $ValueEnabled = $Statistics['DuplicatePasswordUsersEnabledOnly'] $ValueDisabled = $Statistics['DuplicatePasswordUsersDisabledOnly'] New-HTMLListItem -Text @( "$($Statistic)", " property shows there are " "$ValueTotal" " groups of people with duplicate passwords." ) -Color Blue, None, Salmon, None, LightSkyBlue, None -FontWeight bold, normal, bold, normal, bold, normal } elseif ($Statistic -eq 'DuplicatePasswordUsers') { $ValueEnabled = $Statistics['DuplicatePasswordUsersEnabledOnly'] $ValueDisabled = $Statistics['DuplicatePasswordUsersDisabledOnly'] New-HTMLListItem -Text @( "$($Statistic)", " property shows there are " "$ValueEnabled" "enabled accounts, and " $ValueDisabled " disabled accounts having duplicate passwords with other accounts." ) -Color Blue, None, Salmon, None, LightSkyBlue, None -FontWeight bold, normal, bold, normal, bold, normal } else { $ValueEnabled = $Statistics[$Statistic + 'EnabledOnly'] $ValueDisabled = $Statistics[$Statistic + 'DisabledOnly'] New-HTMLListItem -Text @( "$($Statistic)", " property shows there are " "$ValueEnabled " "enabled accounts, and " "$ValueDisabled " "that are disabled." ) -Color Blue, None, Salmon, None, LightSkyBlue, None -FontWeight bold, normal, bold, normal, bold, normal } } } -Type Unordered -FontSize 12px New-HTMLText -Text "Please review the report and make sure that you're happy with findings!" -Color Blue -FontSize 12px } } New-HTMLSection -Invisible { New-HTMLChart { New-ChartBarOptions -Type barStacked New-ChartAxisY -LabelMaxWidth 250 -Show -LabelAlign left New-ChartLegend -LegendPosition bottom -HorizontalAlign center -Color Alizarin, LightSkyBlue -Names 'Enabled', 'Disabled' foreach ($Statistic in $Statistics.Keys | Where-Object { $_ -notlike '*EnabledOnly' -and $_ -notlike '*DisabledOnly' } ) { if ($Statistic -eq "DuplicatePasswordGroups") { $ValueTotal = $Statistics[$Statistic] New-ChartBar -Name $Statistic -Value @($ValueTotal, 0) } else { $ValueEnabled = $Statistics[$Statistic + 'EnabledOnly'] $ValueDisabled = $Statistics[$Statistic + 'DisabledOnly'] New-ChartBar -Name $Statistic -Value @($ValueEnabled, $ValueDisabled) } } } } } $PropertiesHighlight = @( 'ClearTextPassword' 'LMHash' 'EmptyPassword' 'WeakPassword' 'AESKeysMissing' 'PreAuthNotRequired' 'DESEncryptionOnly' 'Kerberoastable' 'DelegatableAdmins' 'SmartCardUsersWithPassword' ) Write-Color -Text '[i] ', 'Generating users table with all information' -Color Yellow, DarkGray New-HTMLSection -HeaderText "Password Quality" { New-HTMLTable -DataTable $Users -Filtering { New-HTMLTableCondition -Name 'Enabled' -ComparisonType string -Operator eq -Value $true -BackgroundColor LimeGreen -FailBackgroundColor BlizzardBlue New-HTMLTableCondition -Name 'LastLogonDays' -ComparisonType number -Operator lt -Value 30 -BackgroundColor LimeGreen -HighlightHeaders LastLogonDays, LastLogonDate New-HTMLTableCondition -Name 'LastLogonDays' -ComparisonType number -Operator gt -Value 30 -BackgroundColor Orange -HighlightHeaders LastLogonDays, LastLogonDate New-HTMLTableCondition -Name 'LastLogonDays' -ComparisonType number -Operator gt -Value 60 -BackgroundColor Alizarin -HighlightHeaders LastLogonDays, LastLogonDate New-HTMLTableCondition -Name 'LastLogonDays' -ComparisonType string -Operator eq -Value '' -BackgroundColor None -HighlightHeaders LastLogonDays, LastLogonDate New-HTMLTableCondition -Name 'PasswordLastChangedDays' -ComparisonType number -Operator ge -Value 0 -BackgroundColor LimeGreen -HighlightHeaders PasswordLastSet, PasswordLastChangedDays New-HTMLTableCondition -Name 'PasswordLastChangedDays' -ComparisonType number -Operator gt -Value 300 -BackgroundColor Orange -HighlightHeaders PasswordLastSet, PasswordLastChangedDays New-HTMLTableCondition -Name 'PasswordLastChangedDays' -ComparisonType number -Operator gt -Value 360 -BackgroundColor Alizarin -HighlightHeaders PasswordLastSet, PasswordLastChangedDays New-HTMLTableCondition -Name 'PasswordNotRequired' -ComparisonType string -Operator eq -Value $false -BackgroundColor LimeGreen -FailBackgroundColor Alizarin New-HTMLTableCondition -Name 'PasswordExpired' -ComparisonType string -Operator eq -Value $false -BackgroundColor LimeGreen -FailBackgroundColor Alizarin -HighlightHeaders PasswordExpired, DaysToExpire, DateExpiry foreach ($Property in $PropertiesHighlight) { New-HTMLTableCondition -Name $Property -ComparisonType string -Operator eq -Value $true -BackgroundColor Salmon -FailBackgroundColor LightGreen } New-HTMLTableCondition -Name 'DuplicatePasswordGroups' -ComparisonType string -Operator ne -Value "" -BackgroundColor Orange -FailBackgroundColor LightGreen } -ScrollX -ExcludeProperty 'RuleName', 'RuleOptions', 'CountryCode', 'Type', 'ManagerDN', 'DistinguishedName', 'MemberOf' } if ($SeparateDuplicateGroups) { Write-Color -Text '[i] ', 'Generating duplicate password groups section' -Color Yellow, DarkGray New-HTMLSection -HeaderText "Duplicate Password Groups" { $TotalDuplicateGroups = 0 $EnabledUsersInDuplicateGroups = 0 $DisabledUsersInDuplicateGroups = 0 $DuplicateGroups = [ordered] @{} foreach ($User in $Users) { if ($User.DuplicatePasswordGroups) { if ($User.Enabled) { $EnabledUsersInDuplicateGroups++ } else { $DisabledUsersInDuplicateGroups++ } if (-not $DuplicateGroups[$User.DuplicatePasswordGroups]) { $DuplicateGroups[$User.DuplicatePasswordGroups] = [PSCustomObject] @{ GroupName = $User.DuplicatePasswordGroups UsersTotal = 0 UsersEnabled = 0 UsersDisabled = 0 WeakPassword = $false Users = [System.Collections.Generic.List[string]]::new() Country = [System.Collections.Generic.List[string]]::new() UsersBySamAccountName = [System.Collections.Generic.List[string]]::new() UsersByUPN = [System.Collections.Generic.List[string]]::new() UsersByEmail = [System.Collections.Generic.List[string]]::new() } } if ($User.WeakPassword) { $DuplicateGroups[$User.DuplicatePasswordGroups].WeakPassword = $true } $DuplicateGroups[$User.DuplicatePasswordGroups].Users.Add($User.Name) if ($User.Enabled) { $DuplicateGroups[$User.DuplicatePasswordGroups].UsersEnabled++ } else { $DuplicateGroups[$User.DuplicatePasswordGroups].UsersDisabled++ } $DuplicateGroups[$User.DuplicatePasswordGroups].UsersTotal++ if ($User.EmailAddress) { $DuplicateGroups[$User.DuplicatePasswordGroups].UsersByEmail.Add($User.EmailAddress) } if ($User.UserPrincipalName) { $DuplicateGroups[$User.DuplicatePasswordGroups].UsersByUPN.Add($User.UserPrincipalName) } if ($User.SamAccountName) { $DuplicateGroups[$User.DuplicatePasswordGroups].UsersBySamAccountName.Add($User.SamAccountName) } $DuplicateGroups[$User.DuplicatePasswordGroups].Country.Add($User.Country) } } $TotalDuplicateGroups = $DuplicateGroups.Keys.Count foreach ($Group in $DuplicateGroups.Values) { $Group.Country = $Group.Country | Select-Object -Unique } New-HTMLContainer { New-HTMLSection { New-HTMLPanel { New-HTMLToast -TextHeader 'Total Duplicate Groups' -Text "Groups of users to review: $TotalDuplicateGroups" -BarColorLeft MayaBlue -IconSolid info-circle -IconColor MayaBlue } -Invisible New-HTMLPanel { New-HTMLToast -TextHeader 'Enabled Users' -Text "Users with duplicate password that are enabled: $EnabledUsersInDuplicateGroups" -BarColorLeft OrangeRed -IconSolid info-circle -IconColor OrangeRed } -Invisible New-HTMLPanel { New-HTMLToast -TextHeader 'Disabled Users' -Text "Users with duplicate password that are disabled: $DisabledUsersInDuplicateGroups" -BarColorLeft OrangePeel -IconSolid info-circle -IconColor OrangePeel } -Invisible } -Invisible New-HTMLText -Text @( 'The following table shows the users that have the same password as other users in the same group. ' 'The table is sortable and filterable. ' 'The table also shows the country of the user. ' 'The table also shows the email address, UPN and SamAccountName of the user.' ) -FontSize 12px New-HTMLSection -Invisible { New-HTMLTable -DataTable $DuplicateGroups.Values -Filtering -Title "Duplicate Password Group: $DuplicateGroup" { New-HTMLTableCondition -Name 'WeakPassword' -ComparisonType string -Operator eq -Value $true -BackgroundColor Salmon -FailBackgroundColor LightBlue }-ScrollX -ExcludeProperty 'RuleName', 'RuleOptions', 'Type', 'CountryCode' } New-HTMLText -Text @( "Please NOTE: " "number of " "users" " , may not be the same as the number of users in " "UsersBySamAccountName" ", " "UsersByUpn" " or " "UsersByEmail" " columns. We only show users with email address, UPN or SamAccountName if it exists. " "If the account doesn't have email, UPN or SamAccountName, we don't show it in the table." ) -FontSize 12px -FontWeight bold, normal, bold, normal, bold, normal, bold, normal, bold, normal, normal } } } if ($AddWorldMap) { Write-Color -Text '[i] ', 'Generating duplicate passwords map' -Color Yellow, DarkGray New-HTMLSection -HeaderText 'Duplicate Passwords Per Country' { New-HTMLTabPanel { New-HTMLTab -Name 'Map showing duplicate passwords per country' { New-HTMLSection -Invisible { New-HTMLPanel { New-HTMLMap -Map world_countries { foreach ($Country in $CountriesCodes['DuplicatePasswordUsers'].Keys) { if ($Country -eq 'Unknown') { New-MapArea -Area 'GL' -Value $CountriesCodes['DuplicatePasswordUsers'][$Country] -Tooltip { New-HTMLText -Text @( 'Unknown / Unavailable' '<br>' "Users with duplicate passwords $($CountriesCodes['DuplicatePasswordUsers'][$Country])" ) -Color Black, Black, Blue -FontWeight bold, normal, normal -SkipParagraph -FontSize 15px, 14px, 14px } } else { New-MapArea -Area $Country -Value $CountriesCodes['DuplicatePasswordUsers'][$Country] -Tooltip { New-HTMLText -Text @( Convert-CountryCodeToCountry -CountryCode $Country '<br>' "Users with duplicate passwords $($CountriesCodes['DuplicatePasswordUsers'][$Country])" ) -Color Black, Black, Blue -FontWeight bold, normal, normal -SkipParagraph -FontSize 15px, 14px, 14px } } } New-MapLegendOption -Type 'Area' -Mode horizontal New-MapLegendOption -Type 'Plot' -Mode horizontal New-MapLegendSlice -Type 'Area' -Label 'Duplicate passwords up to 5' -Min 0 -Max 5 -SliceColor 'Bisque' -StrokeWidth 0 New-MapLegendSlice -Type 'Area' -Label 'Duplicate between 5 and 15' -Min 6 -Max 15 -SliceColor 'Amber' -StrokeWidth 0 New-MapLegendSlice -Type 'Area' -Label 'Duplicate between 16 and 30' -Min 16 -Max 30 -SliceColor 'CarnationPink' -StrokeWidth 0 New-MapLegendSlice -Type 'Area' -Label 'Duplicate between 31 and 50' -Min 31 -Max 50 -SliceColor 'BrinkPink' -StrokeWidth 0 New-MapLegendSlice -Type 'Area' -Label 'Duplicate over 50' -Min 51 -SliceColor 'Red' -StrokeWidth 0 } -ShowAreaLegend New-HTMLText -Text @( "The map shows the number of users with duplicate passwords per country. The legend shows the number of users with duplicate passwords per color." ) -FontSize 12px } } } New-HTMLTab -Name 'Duplicate Passwords Per Country' { New-HTMLTable -DataTable $Countries['DuplicatePasswordUsers'] -Filtering } New-HTMLTab -Name 'Duplicate Passwords Per Continent' { New-HTMLTable -DataTable $Continents['DuplicatePasswordUsers'] -Filtering } } } Write-Color -Text '[i] ', 'Generating weak password map' -Color Yellow, DarkGray New-HTMLSection -HeaderText 'Weak Password Per Country' { New-HTMLTabPanel { New-HTMLTab -Name 'Map showing weak password per country' { New-HTMLSection -Invisible { New-HTMLPanel { New-HTMLMap -Map world_countries { foreach ($Country in $CountriesCodes['WeakPassword'].Keys) { if ($Country -eq 'Unknown') { New-MapArea -Area 'GL' -Value $CountriesCodes['WeakPassword'][$Country] -Tooltip { New-HTMLText -Text @( 'Unknown / Unavailable' '<br>' "Users with weak passwords $($CountriesCodes['WeakPassword'][$Country])" ) -Color Black, Black, Blue -FontWeight bold, normal, normal -SkipParagraph -FontSize 15px, 14px, 14px } } else { New-MapArea -Area $Country -Value $CountriesCodes['WeakPassword'][$Country] -Tooltip { New-HTMLText -Text @( Convert-CountryCodeToCountry -CountryCode $Country '<br>' "Users with weak passwords $($CountriesCodes['WeakPassword'][$Country])" ) -Color Black, Black, Blue -FontWeight bold, normal, normal -SkipParagraph -FontSize 15px, 14px, 14px } } } New-MapLegendOption -Type 'Area' -Mode horizontal New-MapLegendOption -Type 'Plot' -Mode horizontal New-MapLegendSlice -Type 'Area' -Label 'Weak passwords up to 5' -Min 0 -Max 5 -SliceColor 'Bisque' -StrokeWidth 0 New-MapLegendSlice -Type 'Area' -Label 'Weak between 5 and 15' -Min 6 -Max 15 -SliceColor 'Amber' -StrokeWidth 0 New-MapLegendSlice -Type 'Area' -Label 'Weak between 16 and 30' -Min 16 -Max 30 -SliceColor 'CarnationPink' -StrokeWidth 0 New-MapLegendSlice -Type 'Area' -Label 'Weak between 31 and 50' -Min 31 -Max 50 -SliceColor 'BrinkPink' -StrokeWidth 0 New-MapLegendSlice -Type 'Area' -Label 'Weak over 50' -Min 51 -SliceColor 'Red' -StrokeWidth 0 } -ShowAreaLegend } } } New-HTMLTab -Name 'Weak Password Per Country' { New-HTMLTable -DataTable $Countries['WeakPassword'] -Filtering } New-HTMLTab -Name 'Weak Password Per Continent' { New-HTMLTable -DataTable $Continents['WeakPassword'] -Filtering } } } if ($LogPath -and (Test-Path -LiteralPath $LogPath)) { $LogContent = Get-Content -Raw -LiteralPath $LogPath New-HTMLSection -Name 'Log' { New-HTMLCodeBlock -Code $LogContent -Style generic } } } } -ShowHTML:(-not $DontShow.IsPresent) -Online:$Online.IsPresent -TitleText "Password Solution - Quality Password Check" -Author "Password Solution" -FilePath $FilePath $EndLogHTML = Stop-TimeLog -Time $TimeStartHTML -Option OneLiner $EndLog = Stop-TimeLog -Time $TimeStart -Option OneLiner Write-Color '[i]', ' Time to generate HTML ', $EndLogHTML -Color Yellow, DarkGray, Yellow, DarkGray, Magenta Write-Color '[i]', ' Time to generate ', $EndLog -Color Yellow, DarkGray, Yellow, DarkGray, Magenta Write-Color '[i]', "[PasswordSolution] ", 'Version', ' [Informative] ', $Script:Reporting['Version'] -Color Yellow, DarkGray, Yellow, DarkGray, Magenta if ($PassThru) { $PasswordQuality } } function Start-PasswordSolution { <# .SYNOPSIS Starts Password Expiry Notifications for the whole forest .DESCRIPTION Starts Password Expiry Notifications for the whole forest .PARAMETER ConfigurationDSL Parameter description .PARAMETER EmailParameters Parameters for Email. Uses Mailozaurr splatting behind the scenes, so it supports all options that Mailozaurr does. .PARAMETER OverwriteEmailProperty Property responsible for overwriting the default email field in Active Directory. Useful when the password notification has to go somewhere else than users email address. .PARAMETER UserSection Parameter description .PARAMETER ManagerSection Parameter description .PARAMETER SecuritySection Parameter description .PARAMETER AdminSection Parameter description .PARAMETER UsersExternalSystem Property responsible for overwriting the default email field in Active Directory. Useful when the password notification has to go somewhere else than users email address. It comes in a specific format as generated by `New-PasswordConfigurationExternalUsers` .PARAMETER Rules Parameter description .PARAMETER TemplatePreExpiry Parameter description .PARAMETER TemplatePreExpirySubject Parameter description .PARAMETER TemplatePostExpiry Parameter description .PARAMETER TemplatePostExpirySubject Parameter description .PARAMETER TemplateManager Parameter description .PARAMETER TemplateManagerSubject Parameter description .PARAMETER TemplateSecurity Parameter description .PARAMETER TemplateSecuritySubject Parameter description .PARAMETER TemplateManagerNotCompliant Parameter description .PARAMETER TemplateManagerNotCompliantSubject Parameter description .PARAMETER TemplateAdmin Parameter description .PARAMETER TemplateAdminSubject Parameter description .PARAMETER Entra Parameter description .PARAMETER OverwriteManagerProperty Parameter description .PARAMETER FilterOrganizationalUnit Parameter description .PARAMETER Logging Parameter description .PARAMETER HTMLReports Parameter description .PARAMETER SearchPath Parameter description .EXAMPLE An example .NOTES General notes #> [CmdletBinding(DefaultParameterSetName = 'DSL')] param( [Parameter(ParameterSetName = 'Legacy', Position = 0)] [Parameter(ParameterSetName = 'DSL', Position = 0)][scriptblock] $ConfigurationDSL, [Parameter(Mandatory, ParameterSetName = 'Legacy')][System.Collections.IDictionary] $EmailParameters, [Parameter(ParameterSetName = 'Legacy')][string] $OverwriteEmailProperty, [Parameter(ParameterSetName = 'Legacy')][string] $OverwriteManagerProperty, [Parameter(Mandatory, ParameterSetName = 'Legacy')][System.Collections.IDictionary] $UserSection, [Parameter(Mandatory, ParameterSetName = 'Legacy')][System.Collections.IDictionary] $ManagerSection, [Parameter(Mandatory, ParameterSetName = 'Legacy')][System.Collections.IDictionary] $SecuritySection, [Parameter(Mandatory, ParameterSetName = 'Legacy')][System.Collections.IDictionary] $AdminSection, [Parameter(ParameterSetName = 'Legacy')][System.Collections.IDictionary] $UsersExternalSystem, [Parameter(Mandatory, ParameterSetName = 'Legacy')][Array] $Rules, [Parameter(ParameterSetName = 'Legacy')][scriptblock] $TemplatePreExpiry, [Parameter(ParameterSetName = 'Legacy')][string] $TemplatePreExpirySubject, [Parameter(ParameterSetName = 'Legacy')][scriptblock] $TemplatePostExpiry, [Parameter(ParameterSetName = 'Legacy')][string] $TemplatePostExpirySubject, [Parameter(Mandatory, ParameterSetName = 'Legacy')][scriptblock] $TemplateManager, [Parameter(Mandatory, ParameterSetName = 'Legacy')][string] $TemplateManagerSubject, [Parameter(Mandatory, ParameterSetName = 'Legacy')][scriptblock] $TemplateSecurity, [Parameter(Mandatory, ParameterSetName = 'Legacy')][string] $TemplateSecuritySubject, [Parameter(Mandatory, ParameterSetName = 'Legacy')][scriptblock] $TemplateManagerNotCompliant, [Parameter(Mandatory, ParameterSetName = 'Legacy')][string] $TemplateManagerNotCompliantSubject, [Parameter(Mandatory, ParameterSetName = 'Legacy')][scriptblock] $TemplateAdmin, [Parameter(Mandatory, ParameterSetName = 'Legacy')][string] $TemplateAdminSubject, [Parameter(ParameterSetName = 'Legacy')][System.Collections.IDictionary] $Entra = [ordered] @{}, [Parameter(ParameterSetName = 'Legacy')][System.Collections.IDictionary] $Logging = [ordered] @{}, [Parameter(ParameterSetName = 'Legacy')][Array] $HTMLReports, [Parameter(ParameterSetName = 'Legacy')][string] $SearchPath, [Parameter(ParameterSetName = 'Legacy')][string[]] $FilterOrganizationalUnit ) $TimeStart = Start-TimeLog $Script:Reporting = [ordered] @{} $Script:Reporting['Version'] = Get-GitHubVersion -Cmdlet 'Start-PasswordSolution' -RepositoryOwner 'evotecit' -RepositoryName 'PasswordSolution' Write-Color -Text '[i]', "[PasswordSolution] ", 'Version', ' [Informative] ', $Script:Reporting['Version'] -Color Yellow, DarkGray, Yellow, DarkGray, Magenta $TodayDate = Get-Date $Today = Get-Date -Format "yyyy-MM-dd HH:mm:ss" $Summary = [ordered] @{} $Summary['Notify'] = [ordered] @{} $Summary['NotifyManager'] = [ordered] @{} $Summary['NotifySecurity'] = [ordered] @{} $Summary['Rules'] = [ordered] @{} $AllSkipped = [ordered] @{} $Locations = [ordered] @{} $SplatPasswordConfiguration = [ordered] @{ ConfigurationDSL = $ConfigurationDSL EmailParameters = $EmailParameters OverwriteEmailProperty = $OverwriteEmailProperty OverwriteManagerProperty = $OverwriteManagerProperty UserSection = $UserSection ManagerSection = $ManagerSection SecuritySection = $SecuritySection AdminSection = $AdminSection Rules = $Rules TemplatePreExpiry = $TemplatePreExpiry TemplatePreExpirySubject = $TemplatePreExpirySubject TemplatePostExpiry = $TemplatePostExpiry TemplatePostExpirySubject = $TemplatePostExpirySubject TemplateManager = $TemplateManager TemplateManagerSubject = $TemplateManagerSubject TemplateSecurity = $TemplateSecurity TemplateSecuritySubject = $TemplateSecuritySubject TemplateManagerNotCompliant = $TemplateManagerNotCompliant TemplateManagerNotCompliantSubject = $TemplateManagerNotCompliantSubject TemplateAdmin = $TemplateAdmin TemplateAdminSubject = $TemplateAdminSubject Logging = $Logging HTMLReports = $HTMLReports SearchPath = $SearchPath UsersExternalSystem = $UsersExternalSystem FilterOrganizationalUnit = $FilterOrganizationalUnit Entra = $Entra } $InitialVariables = Set-PasswordConfiguration @SplatPasswordConfiguration if (-not $InitialVariables) { return } $EmailParameters = $InitialVariables.EmailParameters $OverwriteEmailProperty = $InitialVariables.OverwriteEmailProperty $OverwriteManagerProperty = $InitialVariables.OverwriteManagerProperty $UserSection = $InitialVariables.UserSection $ManagerSection = $InitialVariables.ManagerSection $SecuritySection = $InitialVariables.SecuritySection $AdminSection = $InitialVariables.AdminSection $Rules = $InitialVariables.Rules $TemplatePreExpiry = $InitialVariables.TemplatePreExpiry $TemplatePreExpirySubject = $InitialVariables.TemplatePreExpirySubject $TemplatePostExpiry = $InitialVariables.TemplatePostExpiry $TemplatePostExpirySubject = $InitialVariables.TemplatePostExpirySubject $TemplateManager = $InitialVariables.TemplateManager $TemplateManagerSubject = $InitialVariables.TemplateManagerSubject $TemplateSecurity = $InitialVariables.TemplateSecurity $TemplateSecuritySubject = $InitialVariables.TemplateSecuritySubject $TemplateManagerNotCompliant = $InitialVariables.TemplateManagerNotCompliant $TemplateManagerNotCompliantSubject = $InitialVariables.TemplateManagerNotCompliantSubject $TemplateAdmin = $InitialVariables.TemplateAdmin $TemplateAdminSubject = $InitialVariables.TemplateAdminSubject $Logging = $InitialVariables.Logging $HTMLReports = $InitialVariables.HTMLReports $SearchPath = $InitialVariables.SearchPath $UsersExternalSystem = $InitialVariables.UsersExternalSystem $FilterOrganizationalUnit = $InitialVariables.FilterOrganizationalUnit $Entra = $InitialVariables.Entra Set-LoggingCapabilities -LogPath $Logging.LogFile -LogMaximum $Logging.LogMaximum -ShowTime:$Logging.ShowTime -TimeFormat $Logging.TimeFormat Write-Color -Text '[i]', "[PasswordSolution] ", 'Version', ' [Informative] ', $Script:Reporting['Version'] -Color Yellow, DarkGray, Yellow, DarkGray, Magenta -NoConsoleOutput [Array] $ExtendedProperties = foreach ($Rule in $Rules ) { if ($Rule.OverwriteEmailProperty) { $Rule.OverwriteEmailProperty } if ($Rule.OverwriteManagerProperty) { $Rule.OverwriteManagerProperty } } $SummarySearch = Import-SearchInformation -SearchPath $SearchPath Write-Color -Text "[i]", " Starting process to find expiring users" -Color Yellow, White, Green, White, Green, White, Green, White $ExternalSystemReplacements = [ordered] @{} $GlobalManagerCache = [ordered] @{} if ($Entra.Enabled) { $CachedUsers = Find-PasswordEntra -AsHashTable -OverwriteEmailProperty $OverwriteEmailProperty -RulesProperties $ExtendedProperties -OverwriteManagerProperty $OverwriteManagerProperty -UsersExternalSystem $UsersExternalSystem -ExternalSystemReplacements $ExternalSystemReplacements -FilterOrganizationalUnit $FilterOrganizationalUnit -CacheManager $GlobalManagerCache } else { $CachedUsers = Find-Password -AsHashTable -OverwriteEmailProperty $OverwriteEmailProperty -RulesProperties $ExtendedProperties -OverwriteManagerProperty $OverwriteManagerProperty -UsersExternalSystem $UsersExternalSystem -ExternalSystemReplacements $ExternalSystemReplacements -FilterOrganizationalUnit $FilterOrganizationalUnit -CacheManager $GlobalManagerCache } if (-not $CachedUsers -or $CachedUsers.Count -eq 0) { Write-Color -Text "[e]", " No users found to be processed by Password Rules according to filtering settings. Terminating" -Color Yellow, White, Red return } Write-Color -Text "[i]", " Found ", $CachedUsers.Count, " users to be processed by Password Rules according to filtering settings" -Color Yellow, White, Green, White, Green, White, Green, White if ($Rules.Count -eq 0) { Write-Color -Text "[e]", " No rules found. Please add some rules to configuration" -Color Yellow, White, Red return } foreach ($Rule in $Rules) { $SplatProcessingRule = [ordered] @{ Rule = $Rule Summary = $Summary CachedUsers = $CachedUsers AllSkipped = $AllSkipped Locations = $Locations Loggin = $Logging TodayDate = $TodayDate UsersExternalSystem = $UsersExternalSystem Entra = $Entra } Invoke-PasswordRuleProcessing @SplatProcessingRule } $SplatUserNotifications = [ordered] @{ UserSection = $UserSection Summary = $Summary Logging = $Logging TemplatePreExpiry = $TemplatePreExpiry TemplatePreExpirySubject = $TemplatePreExpirySubject TemplatePostExpiry = $TemplatePostExpiry TemplatePostExpirySubject = $TemplatePostExpirySubject EmailParameter = $EmailParameters } [Array] $SummaryUsersEmails = Send-PasswordUserNofifications @SplatUserNotifications $SplatManagerNotifications = [ordered] @{ ManagerSection = $ManagerSection Summary = $Summary CachedUsers = $CachedUsers TemplateManager = $TemplateManager TemplateManagerSubject = $TemplateManagerSubject TemplateManagerNotCompliant = $TemplateManagerNotCompliant TemplateManagerNotCompliantSubject = $TemplateManagerNotCompliantSubject EmailParameters = $EmailParameters Loggin = $Logging GlobalManagersCache = $GlobalManagerCache } [Array] $SummaryManagersEmails = Send-PasswordManagerNofifications @SplatManagerNotifications $SplatSecurityNotifications = [ordered] @{ SecuritySection = $SecuritySection Summary = $Summary TemplateSecurity = $TemplateSecurity TemplateSecuritySubject = $TemplateSecuritySubject Logging = $Logging } [Array] $SummaryEscalationEmails = Send-PasswordSecurityNotifications @SplatSecurityNotifications $TimeEnd = Stop-TimeLog -Time $TimeStart -Option OneLiner Export-SearchInformation -SearchPath $SearchPath -SummarySearch $SummarySearch -Today $Today -SummaryUsersEmails $SummaryUsersEmails -SummaryManagersEmails $SummaryManagersEmails -SummaryEscalationEmails $SummaryEscalationEmails $HtmlAttachments = [System.Collections.Generic.List[string]]::new() foreach ($Report in $HTMLReports) { if ($Report.Enable) { $ReportSettings = @{ Report = $Report EmailParameters = $EmailParameters Logging = $Logging SearchPath = $SearchPath Rules = $Rules UserSection = $UserSection ManagerSection = $ManagerSection SecuritySection = $SecuritySection AdminSection = $AdminSection CachedUsers = $CachedUsers Summary = $Summary SummaryUsersEmails = $SummaryUsersEmails SummaryManagersEmails = $SummaryManagersEmails SummaryEscalationEmails = $SummaryEscalationEmails SummarySearch = $SummarySearch Locations = $Locations AllSkipped = $AllSkipped ExternalSystemReplacements = $ExternalSystemReplacements } New-HTMLReport @ReportSettings if ($Report.AttachToEmail) { if (Test-Path -LiteralPath $Report.FilePath) { $HtmlAttachments.Add($Report.FilePath) } else { Write-Color -Text "[w] HTML report ", $Report.FilePath, " does not exist! Probably a temporary path was used. " -Color DarkYellow, Red, DarkYellow } } } } $AdminSplat = [ordered] @{ AdminSection = $AdminSection TemplateAdmin = $TemplateAdmin TemplateAdminSubject = $TemplateAdminSubject TimeEnd = $TimeEnd EmailParameters = $EmailParameters HtmlAttachment = $HtmlAttachments } Send-PasswordAdminNotifications @AdminSplat } Export-ModuleMember -Function @('Find-Password', 'Find-PasswordEntra', 'Find-PasswordNotification', 'Find-PasswordQuality', 'New-PasswordConfigurationEmail', 'New-PasswordConfigurationEntra', 'New-PasswordConfigurationExternalUsers', 'New-PasswordConfigurationOption', 'New-PasswordConfigurationReport', 'New-PasswordConfigurationRule', 'New-PasswordConfigurationRuleReminder', 'New-PasswordConfigurationTemplate', 'New-PasswordConfigurationType', 'Show-PasswordQuality', 'Start-PasswordSolution') -Alias @() # SIG # Begin signature block # MIItsQYJKoZIhvcNAQcCoIItojCCLZ4CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBgJR9ruVFrNwWv # nUchYHOJU/jWSZDh+FqjZgIuC7JLVqCCJrQwggWNMIIEdaADAgECAhAOmxiO+dAt # 5+/bUOIIQBhaMA0GCSqGSIb3DQEBDAUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0yMjA4MDEwMDAwMDBa # Fw0zMTExMDkyMzU5NTlaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2Vy # dCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lD # ZXJ0IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC # ggIBAL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3E # MB/zG6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKy # unWZanMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsF # xl7sWxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU1 # 5zHL2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJB # MtfbBHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObUR # WBf3JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6 # nj3cAORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxB # YKqxYxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5S # UUd0viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+x # q4aLT8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjggE6MIIB # NjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTs1+OC0nFdZEzfLmc/57qYrhwP # TzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzAOBgNVHQ8BAf8EBAMC # AYYweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp # Y2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNv # bS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcnQwRQYDVR0fBD4wPDA6oDigNoY0 # aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENB # LmNybDARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcNAQEMBQADggEBAHCgv0Nc # Vec4X6CjdBs9thbX979XB72arKGHLOyFXqkauyL4hxppVCLtpIh3bb0aFPQTSnov # Lbc47/T/gLn4offyct4kvFIDyE7QKt76LVbP+fT3rDB6mouyXtTP0UNEm0Mh65Zy # oUi0mcudT6cGAxN3J0TU53/oWajwvy8LpunyNDzs9wPHh6jSTEAZNUZqaVSwuKFW # juyk1T3osdz9HNj0d1pcVIxv76FQPfx2CWiEn2/K2yCNNWAcAgPLILCsWKAOQGPF # mCLBsln1VWvPJ6tsds5vIy30fnFqI2si/xK4VC0nftg62fC2h5b9W9FcrBjDTZ9z # twGpn1eqXijiuZQwggWQMIIDeKADAgECAhAFmxtXno4hMuI5B72nd3VcMA0GCSqG # SIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMx # GTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRy # dXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGIx # CzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3 # dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBH # NDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/mkHNo3rvkXUo8MCIw # aTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/zG6Q4FutWxpdtHauyefLK # EdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZanMylNEQRBAu34LzB4Tm # dDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7sWxq868nPzaw0QF+xembu # d8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL2pNe3I6PgNq2kZhAkHnD # eMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfbBHMqbpEBfCFM1LyuGwN1 # XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3JFxGj2T3wWmIdph2PVld # QnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3cAORFJYm2mkQZK37AlLTS # YW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqxYxhElRp2Yn72gLD76GSm # M9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0viastkF13nqsX40/ybzT # QRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aLT8LWRV+dIPyhHsXAj6Kx # fgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD # VR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzfLmc/57qYrhwPTzANBgkq # hkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNkaA9Wz3eucPn9mkqZucl4 # XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjSPMFDQK4dUPVS/JA7u5iZ # aWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK7VB6fWIhCoDIc2bRoAVg # X+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eBcg3AFDLvMFkuruBx8lbk # apdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp5aPNoiBB19GcZNnqJqGL # FNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msgdDDS4Dk0EIUhFQEI6FUy # 3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vriRbgjU2wGb2dVf0a1TD9u # KFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ79ARj6e/CVABRoIoqyc54 # zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5nLGbsQAe79APT0JsyQq8 # 7kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3i0objwG2J5VT6LaJbVu8 # aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0HEEcRrYc9B9F1vM/zZn4w # ggauMIIElqADAgECAhAHNje3JFR82Ees/ShmKl5bMA0GCSqGSIb3DQEBCwUAMGIx # CzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3 # dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBH # NDAeFw0yMjAzMjMwMDAwMDBaFw0zNzAzMjIyMzU5NTlaMGMxCzAJBgNVBAYTAlVT # MRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjE7MDkGA1UEAxMyRGlnaUNlcnQgVHJ1 # c3RlZCBHNCBSU0E0MDk2IFNIQTI1NiBUaW1lU3RhbXBpbmcgQ0EwggIiMA0GCSqG # SIb3DQEBAQUAA4ICDwAwggIKAoICAQDGhjUGSbPBPXJJUVXHJQPE8pE3qZdRodbS # g9GeTKJtoLDMg/la9hGhRBVCX6SI82j6ffOciQt/nR+eDzMfUBMLJnOWbfhXqAJ9 # /UO0hNoR8XOxs+4rgISKIhjf69o9xBd/qxkrPkLcZ47qUT3w1lbU5ygt69OxtXXn # HwZljZQp09nsad/ZkIdGAHvbREGJ3HxqV3rwN3mfXazL6IRktFLydkf3YYMZ3V+0 # VAshaG43IbtArF+y3kp9zvU5EmfvDqVjbOSmxR3NNg1c1eYbqMFkdECnwHLFuk4f # sbVYTXn+149zk6wsOeKlSNbwsDETqVcplicu9Yemj052FVUmcJgmf6AaRyBD40Nj # gHt1biclkJg6OBGz9vae5jtb7IHeIhTZgirHkr+g3uM+onP65x9abJTyUpURK1h0 # QCirc0PO30qhHGs4xSnzyqqWc0Jon7ZGs506o9UD4L/wojzKQtwYSH8UNM/STKvv # mz3+DrhkKvp1KCRB7UK/BZxmSVJQ9FHzNklNiyDSLFc1eSuo80VgvCONWPfcYd6T # /jnA+bIwpUzX6ZhKWD7TA4j+s4/TXkt2ElGTyYwMO1uKIqjBJgj5FBASA31fI7tk # 42PgpuE+9sJ0sj8eCXbsq11GdeJgo1gJASgADoRU7s7pXcheMBK9Rp6103a50g5r # mQzSM7TNsQIDAQABo4IBXTCCAVkwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4E # FgQUuhbZbU2FL3MpdpovdYxqII+eyG8wHwYDVR0jBBgwFoAU7NfjgtJxXWRM3y5n # P+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMIMHcG # CCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu # Y29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln # aUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8v # Y3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNybDAgBgNV # HSAEGTAXMAgGBmeBDAEEAjALBglghkgBhv1sBwEwDQYJKoZIhvcNAQELBQADggIB # AH1ZjsCTtm+YqUQiAX5m1tghQuGwGC4QTRPPMFPOvxj7x1Bd4ksp+3CKDaopafxp # wc8dB+k+YMjYC+VcW9dth/qEICU0MWfNthKWb8RQTGIdDAiCqBa9qVbPFXONASIl # zpVpP0d3+3J0FNf/q0+KLHqrhc1DX+1gtqpPkWaeLJ7giqzl/Yy8ZCaHbJK9nXzQ # cAp876i8dU+6WvepELJd6f8oVInw1YpxdmXazPByoyP6wCeCRK6ZJxurJB4mwbfe # Kuv2nrF5mYGjVoarCkXJ38SNoOeY+/umnXKvxMfBwWpx2cYTgAnEtp/Nh4cku0+j # Sbl3ZpHxcpzpSwJSpzd+k1OsOx0ISQ+UzTl63f8lY5knLD0/a6fxZsNBzU+2QJsh # IUDQtxMkzdwdeDrknq3lNHGS1yZr5Dhzq6YBT70/O3itTK37xJV77QpfMzmHQXh6 # OOmc4d0j/R0o08f56PGYX/sr2H7yRp11LB4nLCbbbxV7HhmLNriT1ObyF5lZynDw # N7+YAN8gFk8n+2BnFqFmut1VwDophrCYoCvtlUG3OtUVmDG0YgkPCr2B2RP+v6TR # 81fZvAT6gt4y3wSJ8ADNXcL50CN/AAvkdgIm2fBldkKmKYcJRyvmfxqkhQ/8mJb2 # VVQrH4D6wPIOK+XW+6kvRBVK5xMOHds3OBqhK/bt1nz8MIIGsDCCBJigAwIBAgIQ # CK1AsmDSnEyfXs2pvZOu2TANBgkqhkiG9w0BAQwFADBiMQswCQYDVQQGEwJVUzEV # MBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29t # MSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwHhcNMjEwNDI5MDAw # MDAwWhcNMzYwNDI4MjM1OTU5WjBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGln # aUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBT # aWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMIICIjANBgkqhkiG9w0BAQEF # AAOCAg8AMIICCgKCAgEA1bQvQtAorXi3XdU5WRuxiEL1M4zrPYGXcMW7xIUmMJ+k # jmjYXPXrNCQH4UtP03hD9BfXHtr50tVnGlJPDqFX/IiZwZHMgQM+TXAkZLON4gh9 # NH1MgFcSa0OamfLFOx/y78tHWhOmTLMBICXzENOLsvsI8IrgnQnAZaf6mIBJNYc9 # URnokCF4RS6hnyzhGMIazMXuk0lwQjKP+8bqHPNlaJGiTUyCEUhSaN4QvRRXXegY # E2XFf7JPhSxIpFaENdb5LpyqABXRN/4aBpTCfMjqGzLmysL0p6MDDnSlrzm2q2AS # 4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJa # wv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+w # c86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eR # Gv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3sMJN2FKZbS110YU0/EpF2 # 3r9Yy3IQKUHw1cVtJnZoEUETWJrcJisB9IlNWdt4z4FKPkBHX8mBUHOFECMhWWCK # ZFTBzCEa6DgZfGYczXg4RTCZT/9jT0y7qg0IU0F8WD1Hs/q27IwyCQLMbDwMVhEC # AwEAAaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFGg34Ou2 # O/hfEYb7/mF7CIhl9E5CMB8GA1UdIwQYMBaAFOzX44LScV1kTN8uZz/nupiuHA9P # MA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEFBQcDAzB3BggrBgEFBQcB # AQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBBBggr # BgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1 # c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybDMuZGln # aWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcmwwHAYDVR0gBBUwEzAH # BgVngQwBAzAIBgZngQwBBAEwDQYJKoZIhvcNAQEMBQADggIBADojRD2NCHbuj7w6 # mdNW4AIapfhINPMstuZ0ZveUcrEAyq9sMCcTEp6QRJ9L/Z6jfCbVN7w6XUhtldU/ # SfQnuxaBRVD9nL22heB2fjdxyyL3WqqQz/WTauPrINHVUHmImoqKwba9oUgYftzY # gBoRGRjNYZmBVvbJ43bnxOQbX0P4PpT/djk9ntSZz0rdKOtfJqGVWEjVGv7XJz/9 # kNF2ht0csGBc8w2o7uCJob054ThO2m67Np375SFTWsPK6Wrxoj7bQ7gzyE84FJKZ # 9d3OVG3ZXQIUH0AzfAPilbLCIXVzUstG2MQ0HKKlS43Nb3Y3LIU/Gs4m6Ri+kAew # Q3+ViCCCcPDMyu/9KTVcH4k4Vfc3iosJocsL6TEa/y4ZXDlx4b6cpwoG1iZnt5Lm # Tl/eeqxJzy6kdJKt2zyknIYf48FWGysj/4+16oh7cGvmoLr9Oj9FpsToFpFSi0HA # SIRLlk2rREDjjfAVKM7t8RhWByovEMQMCGQ8M4+uKIw8y4+ICw2/O/TOHnuO77Xr # y7fwdxPm5yg/rBKupS8ibEH5glwVZsxsDsrFhsP2JjMMB0ug0wcCampAMEhLNKhR # ILutG4UI4lkNbcoFUCvqShyepf2gpx8GdOfy1lKQ/a+FSCH5Vzu0nAPthkX0tGFu # v2jiJmCG6sivqf6UHedjGzqGVnhOMIIGwjCCBKqgAwIBAgIQBUSv85SdCDmmv9s/ # X+VhFjANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGln # aUNlcnQsIEluYy4xOzA5BgNVBAMTMkRpZ2lDZXJ0IFRydXN0ZWQgRzQgUlNBNDA5 # NiBTSEEyNTYgVGltZVN0YW1waW5nIENBMB4XDTIzMDcxNDAwMDAwMFoXDTM0MTAx # MzIzNTk1OVowSDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMu # MSAwHgYDVQQDExdEaWdpQ2VydCBUaW1lc3RhbXAgMjAyMzCCAiIwDQYJKoZIhvcN # AQEBBQADggIPADCCAgoCggIBAKNTRYcdg45brD5UsyPgz5/X5dLnXaEOCdwvSKOX # ejsqnGfcYhVYwamTEafNqrJq3RApih5iY2nTWJw1cb86l+uUUI8cIOrHmjsvlmbj # aedp/lvD1isgHMGXlLSlUIHyz8sHpjBoyoNC2vx/CSSUpIIa2mq62DvKXd4ZGIX7 # ReoNYWyd/nFexAaaPPDFLnkPG2ZS48jWPl/aQ9OE9dDH9kgtXkV1lnX+3RChG4PB # uOZSlbVH13gpOWvgeFmX40QrStWVzu8IF+qCZE3/I+PKhu60pCFkcOvV5aDaY7Mu # 6QXuqvYk9R28mxyyt1/f8O52fTGZZUdVnUokL6wrl76f5P17cz4y7lI0+9S769Sg # LDSb495uZBkHNwGRDxy1Uc2qTGaDiGhiu7xBG3gZbeTZD+BYQfvYsSzhUa+0rRUG # FOpiCBPTaR58ZE2dD9/O0V6MqqtQFcmzyrzXxDtoRKOlO0L9c33u3Qr/eTQQfqZc # ClhMAD6FaXXHg2TWdc2PEnZWpST618RrIbroHzSYLzrqawGw9/sqhux7UjipmAmh # cbJsca8+uG+W1eEQE/5hRwqM/vC2x9XH3mwk8L9CgsqgcT2ckpMEtGlwJw1Pt7U2 # 0clfCKRwo+wK8REuZODLIivK8SgTIUlRfgZm0zu++uuRONhRB8qUt+JQofM604qD # y0B7AgMBAAGjggGLMIIBhzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAW # BgNVHSUBAf8EDDAKBggrBgEFBQcDCDAgBgNVHSAEGTAXMAgGBmeBDAEEAjALBglg # hkgBhv1sBwEwHwYDVR0jBBgwFoAUuhbZbU2FL3MpdpovdYxqII+eyG8wHQYDVR0O # BBYEFKW27xPn783QZKHVVqllMaPe1eNJMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6 # Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNFJTQTQwOTZTSEEy # NTZUaW1lU3RhbXBpbmdDQS5jcmwwgZAGCCsGAQUFBwEBBIGDMIGAMCQGCCsGAQUF # BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wWAYIKwYBBQUHMAKGTGh0dHA6 # Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNFJTQTQwOTZT # SEEyNTZUaW1lU3RhbXBpbmdDQS5jcnQwDQYJKoZIhvcNAQELBQADggIBAIEa1t6g # qbWYF7xwjU+KPGic2CX/yyzkzepdIpLsjCICqbjPgKjZ5+PF7SaCinEvGN1Ott5s # 1+FgnCvt7T1IjrhrunxdvcJhN2hJd6PrkKoS1yeF844ektrCQDifXcigLiV4JZ0q # BXqEKZi2V3mP2yZWK7Dzp703DNiYdk9WuVLCtp04qYHnbUFcjGnRuSvExnvPnPp4 # 4pMadqJpddNQ5EQSviANnqlE0PjlSXcIWiHFtM+YlRpUurm8wWkZus8W8oM3NG6w # QSbd3lqXTzON1I13fXVFoaVYJmoDRd7ZULVQjK9WvUzF4UbFKNOt50MAcN7MmJ4Z # iQPq1JE3701S88lgIcRWR+3aEUuMMsOI5ljitts++V+wQtaP4xeR0arAVeOGv6wn # LEHQmjNKqDbUuXKWfpd5OEhfysLcPTLfddY2Z1qJ+Panx+VPNTwAvb6cKmx5Adza # ROY63jg7B145WPR8czFVoIARyxQMfq68/qTreWWqaNYiyjvrmoI1VygWy2nyMpqy # 0tg6uLFGhmu6F/3Ed2wVbK6rr3M66ElGt9V/zLY4wNjsHPW2obhDLN9OTH0eaHDA # dwrUAuBcYLso/zjlUlrWrBciI0707NMX+1Br/wd3H3GXREHJuEbTbDJ8WC9nR2Xl # G3O2mflrLAZG70Ee8PBf4NvZrZCARK+AEEGKMIIHXzCCBUegAwIBAgIQB8JSdCgU # otar/iTqF+XdLjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UE # ChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQg # Q29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMDQxNjAw # MDAwMFoXDTI2MDcwNjIzNTk1OVowZzELMAkGA1UEBhMCUEwxEjAQBgNVBAcMCU1p # a2/FgsOzdzEhMB8GA1UECgwYUHJ6ZW15c8WCYXcgS8WCeXMgRVZPVEVDMSEwHwYD # VQQDDBhQcnplbXlzxYJhdyBLxYJ5cyBFVk9URUMwggIiMA0GCSqGSIb3DQEBAQUA # A4ICDwAwggIKAoICAQCUmgeXMQtIaKaSkKvbAt8GFZJ1ywOH8SwxlTus4McyrWmV # OrRBVRQA8ApF9FaeobwmkZxvkxQTFLHKm+8knwomEUslca8CqSOI0YwELv5EwTVE # h0C/Daehvxo6tkmNPF9/SP1KC3c0l1vO+M7vdNVGKQIQrhxq7EG0iezBZOAiukNd # GVXRYOLn47V3qL5PwG/ou2alJ/vifIDad81qFb+QkUh02Jo24SMjWdKDytdrMXi0 # 235CN4RrW+8gjfRJ+fKKjgMImbuceCsi9Iv1a66bUc9anAemObT4mF5U/yQBgAuA # o3+jVB8wiUd87kUQO0zJCF8vq2YrVOz8OJmMX8ggIsEEUZ3CZKD0hVc3dm7cWSAw # 8/FNzGNPlAaIxzXX9qeD0EgaCLRkItA3t3eQW+IAXyS/9ZnnpFUoDvQGbK+Q4/bP # 0ib98XLfQpxVGRu0cCV0Ng77DIkRF+IyR1PcwVAq+OzVU3vKeo25v/rntiXCmCxi # W4oHYO28eSQ/eIAcnii+3uKDNZrI15P7VxDrkUIc6FtiSvOhwc3AzY+vEfivUkFK # RqwvSSr4fCrrkk7z2Qe72Zwlw2EDRVHyy0fUVGO9QMuh6E3RwnJL96ip0alcmhKA # BGoIqSW05nXdCUbkXmhPCTT5naQDuZ1UkAXbZPShKjbPwzdXP2b8I9nQ89VSgQID # AQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHQYD # VR0OBBYEFHrxaiVZuDJxxEk15bLoMuFI5233MA4GA1UdDwEB/wQEAwIHgDATBgNV # HSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBPhk1odHRwOi8vY3Js # My5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQw # OTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2NybDQuZGlnaWNlcnQu # Y29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAy # MUNBMS5jcmwwPgYDVR0gBDcwNTAzBgZngQwBBAEwKTAnBggrBgEFBQcCARYbaHR0 # cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGUBggrBgEFBQcBAQSBhzCBhDAkBggr # BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFwGCCsGAQUFBzAChlBo # dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2Rl # U2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJBgNVHRMEAjAAMA0GCSqG # SIb3DQEBCwUAA4ICAQC3EeHXUPhpe31K2DL43Hfh6qkvBHyR1RlD9lVIklcRCR50 # ZHzoWs6EBlTFyohvkpclVCuRdQW33tS6vtKPOucpDDv4wsA+6zkJYI8fHouW6Tqa # 1W47YSrc5AOShIcJ9+NpNbKNGih3doSlcio2mUKCX5I/ZrzJBkQpJ0kYha/pUST2 # CbE3JroJf2vQWGUiI+J3LdiPNHmhO1l+zaQkSxv0cVDETMfQGZKKRVESZ6Fg61b0 # djvQSx510MdbxtKMjvS3ZtAytqnQHk1ipP+Rg+M5lFHrSkUlnpGa+f3nuQhxDb7N # 9E8hUVevxALTrFifg8zhslVRH5/Df/CxlMKXC7op30/AyQsOQxHW1uNx3tG1DMgi # zpwBasrxh6wa7iaA+Lp07q1I92eLhrYbtw3xC2vNIGdMdN7nd76yMIjdYnAn7r38 # wwtaJ3KYD0QTl77EB8u/5cCs3ShZdDdyg4K7NoJl8iEHrbqtooAHOMLiJpiL2i9Y # n8kQMB6/Q6RMO3IUPLuycB9o6DNiwQHf6Jt5oW7P09k5NxxBEmksxwNbmZvNQ65Z # n3exUAKqG+x31Egz5IZ4U/jPzRalElEIpS0rgrVg8R8pEOhd95mEzp5WERKFyXhe # 6nB6bSYHv8clLAV0iMku308rpfjMiQkqS3LLzfUJ5OHqtKKQNMLxz9z185UCszGC # BlMwggZPAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJ # bmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0IENvZGUgU2lnbmluZyBS # U0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQB8JSdCgUotar/iTqF+XdLjANBglghkgB # ZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJ # AzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8G # CSqGSIb3DQEJBDEiBCAFqxaNrXZNm+trCWHoH8jKPIh9ZxbTsJSyglsbsL1zCTAN # BgkqhkiG9w0BAQEFAASCAgAixHBvim5U6pt7dF0fDyF0srkHZpzF01OGCQhNYjTe # HDVnoTYWyup6JBUGskuLiQ+yep+TV4NezwJ1uLZxNJHtNCWZSqJM/iS4yCQUKvUu # b0jTC/V6mCtxALalSR3eF4eLVbUvN2Kr4ABOYV+l6Hz24usW6j0xFHhH4X7VNtaH # pzagC5ZQNScqc2+G5cWjxvpceIqybopgsT0OvRLyiCZY+1d6pq73jraraKP2okIz # MVwtxEgw3IyTiK6Sn2PPTPjnSxFZYYrLMKvPKQ+MMI6IRWBszlCWaw7AN9gV9zFW # GNw6eYaliPiOmGWmgpgbEs++BSvIJecPQ1cgKqzmyiNLJWm4Y6WM+0ZskOQvFAwb # s1+mQgaXh6FlgxB2MZgbcSaLYKJCNuOo6imrG+UuUte0T4liVxiozn0HFIl/vK6Q # NPX15TxcoSNV9i0hTPIb7KFIzIo3C3UONBbL4OGu3K/2J9Rt5VQhqtp9RzdlM3JR # U+WCqQrI73sk4mZ49wE8adVI6qEa+KOFXz85sbk08w5rxxu0hqEEMEYoa432hsja # AEfaQ/Ojo76KTQERywhM+J6OFanJOSDOUf5PViAFxwD44WNwCYLLHexPHNshMZt3 # N7Kj0PwL8mjlVmzjVZWfcqezmUMDuz4mZOB5G9qAeLANP67k+MhsJUVkFiMUkZAH # aqGCAyAwggMcBgkqhkiG9w0BCQYxggMNMIIDCQIBATB3MGMxCzAJBgNVBAYTAlVT # MRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjE7MDkGA1UEAxMyRGlnaUNlcnQgVHJ1 # c3RlZCBHNCBSU0E0MDk2IFNIQTI1NiBUaW1lU3RhbXBpbmcgQ0ECEAVEr/OUnQg5 # pr/bP1/lYRYwDQYJYIZIAWUDBAIBBQCgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN # AQcBMBwGCSqGSIb3DQEJBTEPFw0yNDA5MDgxMTUyMTRaMC8GCSqGSIb3DQEJBDEi # BCBui/kq6l2dfCbGmwtdhqauUe8Tbo5xJxeh4483y3dbkDANBgkqhkiG9w0BAQEF # AASCAgCNkteZj5pw00OqAs66YXQ4ngiUXjYLxsPp+LXOFVwZYMnFweNzIFdxJxku # IYdweuwSDGLf66ifi8oSfnDvPiDionsDPh8GCMqpPPamUsFSv9eLuZOqfjyyY1r3 # OG0PmtNZCafrlw087TlGGvSMdvd5DDJtWzOFnH2P4orWa+aQyxuxUiZvvooCHnXp # TX2WZMvstRLrDBYx99VbisoyviP/IfGSKyeiqDdeeDj+gRU2YbWooBc2uwDYOifQ # vnbC2cFd0c23TYvQYbZR77ly+txhXHE+yFFWMjcHFiMiLa65L04f9kPuRcWEuRQL # kC/6RMHncDGO63AfdNIT9gH2zwRxHueaIMQI15F1vCzVRvOwwZe9ZorFSkp9KwAz # +hg72YnmkGlUz6Ej26/xlkTo5mXCGNzcI7WFsS7FOwHzCk6qY9COoiFD1cCjixKa # uDQjuI8hAY9WbwTKhfxZEwBnrPKkepmypVDvuOxGNvifDgMfWV/MDkKDUcuIvTIc # Zs/wQEBHiodY1ZI8QoUeOz1yMsz5+CA5pXnseF6zPS+QZj2ozcF2AzNnXzTmlBhZ # 7SMRjaMVVeAtwzvO9tWO+xNt+2TyZXBD1Faefb5MN1Jx6jm1pYreIJxuB0bSVnhV # GJGcIg2IDhjuSCZJ5G9Uz7ZZ7fpJLOQAef38UPQgbz4GuTtpeQ== # SIG # End signature block |