"@
}
$strHTMLText =@"
$strHTMLText
$strFontOU $DSObject
"@
if ($Canonical)
{
$strHTMLText =@"
$strHTMLText
| $strFontOU $Canonical
"@
}
if ($bolObjClass -eq $true)
{
$strHTMLText =@"
$strHTMLText
| $strFontOU $strObjClass
"@
}
if ($boolReplMetaDate -eq $true)
{
$strHTMLText =@"
$strHTMLText
| $strFontOU $strReplMetaDate
"@
}
if ($boolACLSize -eq $true)
{
$strHTMLText =@"
$strHTMLText
| $strFontOU $strACLSize bytes
"@
}
if ($boolOUProtected -eq $true)
{
if ($bolOUProtected -eq $true)
{
$strHTMLText =@"
$strHTMLText
| $strFontOU $bolOUProtected
"@
}
else
{
$strHTMLText =@"
$strHTMLText
| $strFontOU $bolOUProtected
"@
}
}
$strHTMLText =@"
$strHTMLText
|
"@
}
Switch ($strColorTemp)
{
"1"
{
$strColor = "DDDDDD"
$strColorTemp = "2"
}
"2"
{
$strColor = "AAAAAA"
$strColorTemp = "1"
}
"3"
{
$strColor = "FF1111"
}
"4"
{
$strColor = "00FFAA"
}
"5"
{
$strColor = "FFFF00"
}
}# End Switch
}#End if HTM
if ($bolACLExist)
{
$sd | foreach{
if($null -ne $_.AccessControlType)
{
$objAccess = $($_.AccessControlType.toString())
}
else
{
$objAccess = $($_.AuditFlags.toString())
}
$objFlags = $($_.ObjectFlags.toString())
$objType = $($_.ObjectType.toString())
$objIsInheried = $($_.IsInherited.toString())
$objInheritedType = $($_.InheritedObjectType.toString())
$objRights = $($_.ActiveDirectoryRights.toString())
$objInheritanceType = $($_.InheritanceType.toString())
Switch ($objRights)
{
"Self"
{
#Self right are never express in gui it's a validated write ( 0x00000008 ACTRL_DS_SELF)
$objRights = ""
}
"GenericRead"
{
$objRights = "Read Permissions,List Contents,Read All Properties,List"
}
"CreateChild"
{
$objRights = "Create"
}
"DeleteChild"
{
$objRights = "Delete"
}
"GenericAll"
{
$objRights = "Full Control"
}
"CreateChild, DeleteChild"
{
$objRights = "Create/Delete"
}
"ReadProperty"
{
Switch ($objInheritanceType)
{
"None"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Read"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Read"
}
default
{$objRights = "Read All Properties" }
}#End switch
}
"Children"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Read"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Read"
}
default
{$objRights = "Read All Properties" }
}#End switch
}
"Descendents"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Read"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Read"
}
default
{$objRights = "Read All Properties" }
}#End switch
}
default
{$objRights = "Read All Properties" }
}#End switch
}
"ReadProperty, WriteProperty"
{
$objRights = "Read All Properties;Write All Properties"
}
"WriteProperty"
{
Switch ($objInheritanceType)
{
"None"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Write"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Write"
}
default
{
$objRights = "Write All Properties"
}
}#End switch
}
"Children"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Write"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Write"
}
default
{
$objRights = "Write All Properties"
}
}#End switch
}
"Descendents"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$objRights = "Write"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$objRights = "Write"
}
default
{
$objRights = "Write All Properties"
}
}#End switch
}
default
{
$objRights = "Write All Properties"
}
}#End switch
}
default
{
}
}# End Switch
if($bolShowCriticalityColor)
{
$intCriticalityValue = Get-Criticality -Returns "Color" $_.IdentityReference.toString() $_.ActiveDirectoryRights.toString() $_.AccessControlType.toString() $_.ObjectFlags.toString() $_.InheritanceType.toString() $_.ObjectType.toString() $_.InheritedObjectType.toString() 0
Switch ($intCriticalityValue)
{
0 {$strLegendText = "Info";$strLegendColor = $strLegendColorInfo}
1 {$strLegendText = "Low";$strLegendColor = $strLegendColorLow}
2 {$strLegendText = "Medium";$strLegendColor = $strLegendColorMedium}
3 {$strLegendText = "Warning";$strLegendColor = $strLegendColorWarning}
4 {$strLegendText = "Critical";$strLegendColor = $strLegendColorCritical}
}
$strLegendTextVal = $strLegendText
if($intCriticalityValue -gt $global:intShowCriticalityLevel)
{
$global:intShowCriticalityLevel = $intCriticalityValue
}
}
$IdentityReference = $($_.IdentityReference.toString())
If ($IdentityReference.contains("S-1-"))
{
$strNTAccount = ConvertSidToName -server $global:strDomainLongName -Sid $IdentityReference
}
else
{
$strNTAccount = $IdentityReference
}
Switch ($strColorTemp)
{
"1"
{
$strColor = "DDDDDD"
$strColorTemp = "2"
}
"2"
{
$strColor = "AAAAAA"
$strColorTemp = "1"
}
"3"
{
$strColor = "FF1111"
}
"4"
{
$strColor = "00FFAA"
}
"5"
{
$strColor = "FFFF00"
}
}# End Switch
Switch ($objInheritanceType)
{
"All"
{
Switch ($objFlags)
{
"InheritedObjectAceTypePresent"
{
$strApplyTo = "This object and all child objects"
$strPerm = "$objRights $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName -strGUIDAsString $objInheritedType -Domain $global:strDomainDNName})"
}
"ObjectAceTypePresent"
{
$strApplyTo = "This object and all child objects"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDAsString $objType -Domain $global:strDomainDNName})"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName -strGUIDAsString $objInheritedType -Domain $global:strDomainDNName})"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDAsString $objType -Domain $global:strDomainDNName})"
}
"None"
{
$strApplyTo ="This object and all child objects"
$strPerm = "$objRights"
}
default
{
$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 1K"
}
}# End Switch
}
"Descendents"
{
Switch ($objFlags)
{
"InheritedObjectAceTypePresent"
{
$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName -strGUIDAsString $objInheritedType -Domain $global:strDomainDNName})"
$strPerm = "$objRights"
}
"None"
{
$strApplyTo = "Child Objects Only"
$strPerm = "$objRights"
}
"ObjectAceTypePresent"
{
$strApplyTo = "Child Objects Only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDAsString $objType -Domain $global:strDomainDNName})"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName -strGUIDAsString $objInheritedType -Domain $global:strDomainDNName})"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDAsString $objType -Domain $global:strDomainDNName})"
}
default
{
$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 2K"
}
}
}
"None"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$strApplyTo = "This Object Only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDAsString $objType -Domain $global:strDomainDNName})"
}
"None"
{
$strApplyTo = "This Object Only"
$strPerm = "$objRights"
}
default
{
$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 4K"
}
}
}
"SelfAndChildren"
{
Switch ($objFlags)
{
"ObjectAceTypePresent"
{
$strApplyTo = "This object and all child objects within this conatainer only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDAsString $objType -Domain $global:strDomainDNName})"
}
"InheritedObjectAceTypePresent"
{
$strApplyTo = "Children within this conatainer only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName -strGUIDAsString $objInheritedType -Domain $global:strDomainDNName})"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName -strGUIDAsString $objInheritedType -Domain $global:strDomainDNName})"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDAsString $objType -Domain $global:strDomainDNName})"
}
"None"
{
$strApplyTo = "This object and all child objects"
$strPerm = "$objRights"
}
default
{
$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 5K"
}
}
}
"Children"
{
Switch ($objFlags)
{
"InheritedObjectAceTypePresent"
{
$strApplyTo = "Children within this conatainer only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName -strGUIDAsString $objInheritedType -Domain $global:strDomainDNName})"
}
"None"
{
$strApplyTo = "Children within this conatainer only"
$strPerm = "$objRights"
}
"ObjectAceTypePresent, InheritedObjectAceTypePresent"
{
$strApplyTo = "$(if($bolTranslateGUID){$objInheritedType}else{MapGUIDToMatchingName -strGUIDAsString $objInheritedType -Domain $global:strDomainDNName})"
$strPerm = "$(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDAsString $objType -Domain $global:strDomainDNName}) $objRights"
}
"ObjectAceTypePresent"
{
$strApplyTo = "Children within this conatainer only"
$strPerm = "$objRights $(if($bolTranslateGUID){$objType}else{MapGUIDToMatchingName -strGUIDAsString $objType -Domain $global:strDomainDNName})"
}
default
{
$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 6K"
}
}
}
default
{
$strApplyTo = "Error"
$strPerm = "Error: Failed to display permissions 7K"
}
}# End Switch
##
If($Excel)
{
if($Canonical)
{
if($GPO)
{
$objhashtableACE = [pscustomobject][ordered]@{
GPO = $GPOdisplayname ;`
Object = $DSObject ;`
CanonicalName = $Canonical ;`
ObjectClass = $strObjClass ;`
IdentityReference = $IdentityReference ;`
Trustee = $strNTAccount ;`
Access = $objAccess ;`
Inhereted = $objIsInheried ;`
'Apply To' = $strApplyTo ;`
Permission = $strPerm}
}
else
{
$objhashtableACE = [pscustomobject][ordered]@{
Object = $DSObject ;`
CanonicalName = $Canonical ;`
ObjectClass = $strObjClass ;`
IdentityReference = $IdentityReference ;`
Trustee = $strNTAccount ;`
Access = $objAccess ;`
Inhereted = $objIsInheried ;`
'Apply To' = $strApplyTo ;`
Permission = $strPerm}
}
}
else
{
if($GPO)
{
$objhashtableACE = [pscustomobject][ordered]@{
GPO = $GPOdisplayname ;`
Object = $DSObject ;`
ObjectClass = $strObjClass ;`
IdentityReference = $IdentityReference ;`
Trustee = $strNTAccount ;`
Access = $objAccess ;`
Inhereted = $objIsInheried ;`
'Apply To' = $strApplyTo ;`
Permission = $strPerm}
}
else
{
$objhashtableACE = [pscustomobject][ordered]@{
Object = $DSObject ;`
ObjectClass = $strObjClass ;`
IdentityReference = $IdentityReference ;`
Trustee = $strNTAccount ;`
Access = $objAccess ;`
Inhereted = $objIsInheried ;`
'Apply To' = $strApplyTo ;`
Permission = $strPerm}
}
}
if($boolOUProtected)
{
$objhashtableACE | Add-Member NoteProperty "Inheritance Disabled" $bolOUProtected.toString()
}
if($boolReplMetaDate)
{
$objhashtableACE | Add-Member NoteProperty "Security Descriptor Modified" $strReplMetaDate
}
if($CompareMode)
{
$objhashtableACE | Add-Member NoteProperty State $($_.State.toString())
}
if ($bolCriticalityLevel -or $bolShowCriticalityColor)
{
$objhashtableACE | Add-Member NoteProperty 'Criticality Level' $strLegendTextVal
}
[VOID]$global:ArrayAllACE.Add($objhashtableACE)
}
If($HTM)
{
if ($GPO)
{
$strACLHTMLText =@"
$strACLHTMLText
"@
}
$strACLHTMLText =@"
$strACLHTMLText
$strFont $DSObject |
"@
if ($Canonical)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $Canonical |
"@
}
if ($bolObjClass -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strObjClass |
"@
}
if ($boolReplMetaDate -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strReplMetaDate |
"@
}
if ($boolACLSize -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strACLSize bytes |
"@
}
if ($boolOUProtected -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $bolOUPRotected |
"@
}
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strNTAccount |
$strFont $objAccess |
$strFont $objIsInheried |
$strFont $strApplyTo |
$strFontRights $strPerm |
"@
if($CompareMode)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $($_.State.toString()) |
"@
}
if ($bolCriticalityLevel -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strLegendTextVal |
"@
}
}#End If HTM
}# End Foreach
}
else
{
if($HTM)
{
if ($OUHeader -eq $false)
{
if ($FilterMode)
{
if ($boolReplMetaDate -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strReplMetaDate |
"@
}
if ($boolACLSize -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strACLSize bytes |
"@
}
if ($boolOUProtected -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $bolOUPRotected |
"@
}
$strACLHTMLText =@"
$strACLHTMLText
$strFont N/A |
$strFont N/A |
$strFont N/A |
$strFont N/A |
$strFont No Matching Permissions Set |
"@
if ($bolCriticalityLevel -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strLegendTextVal |
"@
}
}
else
{
if ($boolReplMetaDate -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strReplMetaDate |
"@
}
if ($boolACLSize -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strACLSize bytes |
"@
}
if ($boolOUProtected -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $bolOUPRotected |
"@
}
$strACLHTMLText =@"
$strACLHTMLText
$strFont N/A |
$strFont N/A |
$strFont N/A |
$strFont N/A |
$strFont No Permissions Set |
"@
if ($bolCriticalityLevel -eq $true)
{
$strACLHTMLText =@"
$strACLHTMLText
$strFont $strLegendTextVal |
"@
}
}# End If
}#end If OUHeader false
}#End if HTM
} #End if bolACLExist
if($HTM)
{
$strACLHTMLText =@"
$strACLHTMLText
"@
#end ifelse OUHEader
$strHTMLText = $strHTMLText + $strACLHTMLText
Out-File -InputObject $strHTMLText -Append -FilePath $fileout
Out-File -InputObject $strHTMLText -Append -FilePath $strFileHTM
$strHTMLText = $null
$strACLHTMLText = $null
Remove-Variable -Name "strHTMLText"
Remove-Variable -Name "strACLHTMLText"
}#End if HTM
}
#==========================================================================
# Function : WriteDefSDAccessHTM
# Arguments : Security Descriptor, OU dn string, Output htm file
# Returns : n/a
# Description : Writes the SD info to an HTM table; appends the info if the file already exists
#==========================================================================
function WriteDefSDAccessHTM
{
Param([bool]$bolACLExist, $sd, [bool]$bolObjClass,[string]$strObjectClass, [string]$strColorTemp,[string]$htmfileout, [string]$strFileHTM, [bool]$OUHeader, [bool]$boolReplMetaDate, [string]$strReplMetaVer, [string]$strReplMetaDate, [bool]$bolCriticalityLevel,[boolean]$CompareMode,[string]$xlsxout,[string]$Type)
if($Type -eq "HTML")
{
$htm = $true
$fileout = $htmfileout
}
if($Type -eq "EXCEL")
{
$EXCEL = $true
$fileout = $xlsxout
}
if($HTM)
{
$strTHOUColor = "E5CF00"
$strTHColor = "EFAC00"
if ($bolCriticalityLevel -eq $true)
{
$strLegendColor =@"
bgcolor="#A4A4A4"
"@
}
else
{
$strLegendColor = ""
}
$strLegendColorInfo=@"
bgcolor="#A4A4A4"
"@
$strLegendColorLow =@"
bgcolor="#0099FF"
"@
$strLegendColorMedium=@"
bgcolor="#FFFF00"
"@
$strLegendColorWarning=@"
bgcolor="#FFD700"
"@
$strLegendColorCritical=@"
bgcolor="#DF0101"
"@
$strFont =@"