Few PowerShell Functions Around Windows Security

As part of the PowerShell project I'm currently working on, and with the help of other people's contributions in various forums and blogs, I have produced a few PowerShell functions around Windows security:

Validate Credential

[sourcecode language="PowerShell"]
function Validate-Credential($Cred)
{
    $UserName = $Cred.UserName
    $Password = $Cred.GetNetworkCredential().Password
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # ContextType::Machine validates against the local SAM; use ContextType::Domain to validate a domain account.
    $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
    Try {
        $ValidCredential = $DS.ValidateCredentials($UserName, $Password)
    } Catch {
        # If the account does not have the required logon rights to the local machine, validation fails.
        $ValidCredential = $false
    }
    Return $ValidCredential
}
[/sourcecode]

Usage:

[sourcecode language="PowerShell"]
$MyCredential = Get-Credential

$ValidCredential = Validate-Credential $MyCredential
[/sourcecode]

Get Current User Name

[sourcecode language="PowerShell"]
function Get-CurrentUser
{
    # Returns the account name of the identity running this process, in DOMAIN\User form.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Return $me
}
[/sourcecode]

Usage:

[sourcecode language="PowerShell"]
$me = Get-CurrentUser
[/sourcecode]

Check If Current User has Local Admin Rights

[sourcecode language="PowerShell"]
function AmI-LocalAdmin
{
    # Under UAC a non-elevated administrator runs with a filtered token, so this returns $true
    # only when the current process is actually elevated, not merely when the user is in the Administrators group.
    return ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}
[/sourcecode]

Usage:

[sourcecode language="PowerShell"]
$IAmAdmin = AmI-LocalAdmin

$IAmAdmin
[/sourcecode]

Check if a user is a member of a group

[sourcecode language="PowerShell"]
function Check-GroupMembership ([System.Security.Principal.WindowsIdentity]$User, [string]$GroupName)
{
    $WindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($User)

    # IsInRole(string) takes the group's account name, e.g. "DOMAIN\Domain Admins" or "BUILTIN\Administrators".
    if ($WindowsPrincipal.IsInRole($GroupName))
    {
        $bIsMember = $true
    } else {
        $bIsMember = $false
    }
    return $bIsMember
}
[/sourcecode]

Usage:

[sourcecode language="PowerShell"]
# Current User:

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$group = "\domain admins"

$IsMember = Check-GroupMembership $me $group

# Another User (using the User Principal Name, user@domain):

$user = New-Object System.Security.Principal.WindowsIdentity("tyang@corp.tyang.org")

$group = "\domain admins"

$IsMember = Check-GroupMembership $user $group
[/sourcecode]

Get Local Machine’s SID

[sourcecode language="PowerShell"]
function Get-LocalMachineSID
{
    # The built-in Administrator account always has RID 500; its SID without the RID is the machine SID.
    # The WQL string literals must use straight single quotes.
    $LocalAdmin = Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE Domain='$env:COMPUTERNAME' AND SID LIKE '%-500'"
    # TrimEnd("-500") would strip any trailing '-', '5' or '0' characters (including digits of the
    # preceding sub-authority), not the literal suffix, so cut the string at the last '-' instead.
    $MachineSID = $LocalAdmin.SID.Substring(0, $LocalAdmin.SID.LastIndexOf('-'))
    Return $MachineSID
}
[/sourcecode]

Usage:

[sourcecode language="PowerShell"]
$LocalMachineSID = Get-LocalMachineSID
[/sourcecode]

Check If an account is a domain account (as opposed to local account)

Note: This function also requires the Get-LocalMachineSID function listed above

[sourcecode language="PowerShell"]
Function Is-DomainAccount ([System.Security.Principal.WindowsIdentity]$User)
{
    $LocalMachineSID = Get-LocalMachineSID
    # Compare the domain part of the user's SID with the machine SID; comparing the full user SID
    # would never match and the function would always return $true.
    # AccountDomainSid is $null for well-known SIDs such as SYSTEM, which are local, not domain, accounts.
    $AccountDomainSID = $User.User.AccountDomainSid
    if (($null -ne $AccountDomainSID) -and ($AccountDomainSID.Value -ine $LocalMachineSID))
    {
        $bIsDomainAccount = $true
    } else {
        $bIsDomainAccount = $false
    }
    $bIsDomainAccount
}
[/sourcecode]

Usage:

[sourcecode language="PowerShell"]
# Current User:

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$IsDomainAccount = Is-DomainAccount $me

# Another User (using the User Principal Name, user@domain):

$user = New-Object System.Security.Principal.WindowsIdentity("tyang@corp.tyang.org")

$IsDomainAccount = Is-DomainAccount $user
[/sourcecode]
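Combining the checks above into a single report, as an added example that is not part of the original post: Get-IdentityReport is a hypothetical name, it uses Get-CimInstance instead of Get-WmiObject so it also runs on PowerShell 7, derives the machine SID through SecurityIdentifier.AccountDomainSid instead of string trimming, and tests the Administrators group by its well-known SID S-1-5-32-544 rather than a localized display name.

```powershell
function Get-IdentityReport
{
    param(
        [System.Security.Principal.WindowsIdentity]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    $Principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)

    # Machine SID: take the built-in Administrator (RID 500, regardless of its current name)
    # and let .NET split off the RID, which avoids the character-set pitfall of TrimEnd().
    $LocalAdmin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE AND SID LIKE '%-500'"
    $MachineSID = (New-Object System.Security.Principal.SecurityIdentifier($LocalAdmin.SID)).AccountDomainSid

    # AccountDomainSid is $null for well-known SIDs such as SYSTEM or NETWORK SERVICE.
    $AccountDomainSID = $Identity.User.AccountDomainSid

    # BUILTIN\Administrators by SID, so the check does not depend on the OS language.
    $AdministratorsSID = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

    # Built-in service identities (the check suggested in the comments below, folded into the report).
    $ServiceSidTypes = @(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid,
        [System.Security.Principal.WellKnownSidType]::LocalServiceSid,
        [System.Security.Principal.WellKnownSidType]::NetworkServiceSid
    )
    $IsServiceAccount = $false
    foreach ($Type in $ServiceSidTypes) {
        if ($Identity.User.IsWellKnown($Type)) { $IsServiceAccount = $true }
    }

    [PSCustomObject]@{
        Name             = $Identity.Name
        SID              = $Identity.User.Value
        MachineSID       = $MachineSID.Value
        IsServiceAccount = $IsServiceAccount
        IsLocalAccount   = ($null -ne $AccountDomainSID) -and ($AccountDomainSID -eq $MachineSID)
        IsDomainAccount  = ($null -ne $AccountDomainSID) -and ($AccountDomainSID -ne $MachineSID)
        # Under UAC a non-elevated administrator holds a filtered token, so this is $true only
        # when the process is actually running elevated; it is not a group-membership test.
        IsElevatedAdmin  = $Principal.IsInRole($AdministratorsSID)
    }
}

# Report on the current process identity.
Get-IdentityReport | Format-List
```

Pass another WindowsIdentity (for example one built from a UPN as in the usage blocks above) to report on a different account.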

4 comments

  1. Grateful for this. How about a function to rename the local admin account on computers and change password. Nice if it could use WhatIf to check problem machines beforehand.

  2. To test if current user is system, etc.:

    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.IsWellKnown([System.Security.Principal.WellKnownSidType]::LocalServiceSid)
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.IsWellKnown([System.Security.Principal.WellKnownSidType]::LocalSid)
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.IsWellKnown([System.Security.Principal.WellKnownSidType]::NetworkServiceSid)
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.IsWellKnown([System.Security.Principal.WellKnownSidType]::NetworkSid)
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.IsWellKnown([System.Security.Principal.WellKnownSidType]::NTAuthoritySid)
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.IsWellKnown([System.Security.Principal.WellKnownSidType]::LocalSystemSid)
