tests/Test-CmSiteInstallAccountRoles.ps1

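function Test-CmSiteInstallAccountRoles {
    <#
    .SYNOPSIS
        Reports which privileged groups and roles the ConfigMgr site installation account belongs to.
    .DESCRIPTION
        Resolves the installation account as the first LogonName in dbo.vRBAC_Permissions whose
        CategoryID is 'SMS00ALL', then checks direct membership in the local Administrators group,
        the SQL sysadmin server role, and the AD groups Domain Admins, Enterprise Admins and
        Schema Admins. Only direct membership is evaluated; membership inherited through nested
        groups is not detected.

        Outcome: $stat stays "PASS" with "No issues found" unless the account is missing from local
        Administrators, is a member of one of the three AD admin groups (over-privileged for a
        service account), or could not be resolved from the database at all; those set $stat to
        $except and append a finding to $msg. Any exception sets $stat to 'ERROR'. A detail row per
        account is collected in $tempdata. Set-CmhOutputData is always called in finally; it
        presumably reads $stat, $msg, $tempdata and $startTime from this scope (confirm in caller).
    .PARAMETER TestName
        Display name of the test (metadata only).
    .PARAMETER TestGroup
        Group the test belongs to (metadata only).
    .PARAMETER TestCategory
        Category of the test (metadata only).
    .PARAMETER Description
        One-line description of the test (metadata only).
    .PARAMETER ScriptParams
        Hashtable of connection settings; .SqlInstance is read here and the whole table is
        passed to Get-CmSqlQueryResult.
    #>
    [CmdletBinding()]
    [OutputType()]
    param (
        [parameter()][string] $TestName = "ConfigMgr Install Account Roles and Permissions",
        [parameter()][string] $TestGroup = "configuration",
        [parameter()][string] $TestCategory = "CM",
        [parameter()][string] $Description = "Check if site install account has appropriate permissions/roles",
        [parameter()][hashtable] $ScriptParams
    )
    try {
        $startTime = (Get-Date)
        #[int]$Setting = Get-CmHealthDefaultValue -KeySet "keygroup:keyname" -DataSet $CmHealthConfig
        [System.Collections.Generic.List[PSObject]]$tempdata = @() # for detailed test output to return if needed
        [System.Collections.Generic.List[string]]$issues = @() # one entry per finding; joined into $msg at the end
        $stat   = "PASS" # do not change this
        $except = "WARNING" # or "FAIL"
        $msg    = "No issues found" # do not change this either
        [array]$localAdmins = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
        [array]$sysadmins = Get-DbaServerRoleMember -SqlInstance $ScriptParams.SqlInstance -ServerRole "sysadmin" -ErrorAction Stop

        $query = "SELECT TOP (1) LogonName FROM dbo.vRBAC_Permissions WHERE CategoryID = 'SMS00ALL'"
        $res = Get-CmSqlQueryResult -Query $query -Params $ScriptParams
        $isLocalAdmin = $False
        $isSysAdmin   = $False
        # AD groups in which membership means the install account is over-privileged.
        # Each value is flipped to $True when direct membership is confirmed.
        $adAdminGroups = [ordered]@{
            'Domain Admins'     = $False
            'Enterprise Admins' = $False
            'Schema Admins'     = $False
        }
        if ($null -ne $res) {
            $username = $res.LogonName
            # Strip an optional DOMAIN\ prefix; [-1] also yields the whole name when there is no backslash
            $basename = ($username -split '\\')[-1]
            if ($localAdmins.Name -contains $username) {
                Write-Log -Message "install account is a direct member of local Administrators group"
                $isLocalAdmin = $True
            } else {
                Write-Log -Message "install account is not a member of local Administrators group"
                $stat = $except
                $issues.Add("install account is not a local Administrators group member")
            }
            # Compare on .Name like the local Administrators check above; assumes Get-DbaServerRoleMember
            # exposes the login name as .Name — confirm against the dbatools output object.
            if ($sysadmins.Name -contains $username) {
                Write-Log -Message "install account is a direct member of SQL sysadmins group"
                $isSysAdmin = $True
            } else {
                # Not treated as a finding; the state is still recorded in the detail row (IsSqlSysAdmin)
                Write-Log -Message "install account is not a member of SQL sysadmins group"
            }
            # Keys are copied into an array so the dictionary can be updated during the loop
            foreach ($groupName in @($adAdminGroups.Keys)) {
                [array]$members = Get-ADSIGroupMember -Identity $groupName | Select-Object -ExpandProperty Name
                if ($members -contains $basename) {
                    Write-Log -Message "install account is a direct member of $groupName group"
                    $adAdminGroups[$groupName] = $True
                    $stat = $except
                    $issues.Add("install account is in $groupName group")
                }
            }
            $tempdata.Add([pscustomobject]@{
                InstallAccount    = $username
                IsLocalAdmin      = $isLocalAdmin
                IsDomainAdmin     = $adAdminGroups['Domain Admins']
                IsEnterpriseAdmin = $adAdminGroups['Enterprise Admins']
                IsSchemaAdmin     = $adAdminGroups['Schema Admins']
                IsSqlSysAdmin     = $isSysAdmin
            })
        } else {
            # Nothing could be verified, so the test must not report PASS
            Write-Warning "unable to query site installation account from database"
            $stat = $except
            $issues.Add("unable to query site installation account from database")
        }
        if ($issues.Count -gt 0) {
            $msg = $issues -join '; '
        }
    }
    catch {
        # Replace (not append to) the default message so the report shows only the error
        $stat = 'ERROR'
        $msg  = $_.Exception.Message
    }
    finally {
        Set-CmhOutputData
    }
}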