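function Get-CurrentComputerLATER {
    <#
    .SYNOPSIS
    Finds admin password for current computer
    .DESCRIPTION
    Finds local admin password and password expiration timestamp for current computer.
    Before the password is read, the caller's L.A.T.E.R policy (Policy table) and the
    caller's earlier requests (Requests table) are checked. A request that exceeds the
    policy's per-day or per-computer limits, or repeats a request for the same computer
    within the last hour, is written to the FailedRequests table and rejected.
    .PARAMETER ComputerName
    Name of the computer whose local administrator password is requested.
    .EXAMPLE
    Get-CurrentComputerLATER -ComputerName CLIENT012
    Gets password of local administrator on computer CLIENT012
    .NOTES
    Reads $SqlInstance, $Database, $Schema and $PSSenderInfo from the enclosing scope;
    none of them is defined in this function, so the hosting script or endpoint must set
    them (verify). Throws System.AccessViolationException when no policy applies to the
    caller or a throttle is reached, and System.SystemException when the password lookup
    or the request logging fails.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # Input a valid Computer Name to request local administrator password.
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$ComputerName
    )
    begin {
        [string]$TablePolicy = 'Policy'
        [string]$TableRequests = 'Requests'
        [string]$TableFailedRequests = 'FailedRequests'
        # REPLACESID is filled in process {} with a literal String.Replace(), so the
        # substituted value is never interpreted as a regex or as a replacement pattern.
        $BasePolicyQuery = @"
SELECT [Id]
,[GroupId]
,[Computers]
,[TimesPerDay]
FROM [$Database].[$Schema].[$TablePolicy] WHERE GroupId IN (REPLACESID)
"@
        $BasePastLaterQuery = @"
SELECT TOP 1000 [UserId]
,[ComputerName]
,[Timestamp]
FROM [$Database].[$Schema].[$TableRequests] WHERE UserId = 'REPLACESID' Order By TimeStamp Desc
"@
    }
    process {
        if (-not $PSCmdlet.ShouldProcess($ComputerName)) {
            return
        }
        try {
            $Request = Get-LaterRequesterInfo -ComputerName $ComputerName -ErrorAction Stop

            # Single quotes in the identity values are doubled so a value cannot end the SQL
            # string literal it is placed in. NOTE(review): both queries are still assembled
            # by text substitution; if this dbatools version offers Invoke-DbaQuery
            # -SqlParameter, parameterising them is the preferred fix.
            $GroupsLiteral = "'{0}'" -f (($Request.UserPolicyGroups -replace "'", "''") -join "', '")
            $PolicySQLQuery = $BasePolicyQuery.Replace('REPLACESID', $GroupsLiteral)
            try {
                [Object[]]$Policies = Invoke-DbaQuery -SqlInstance $SqlInstance -Database $Database -Query $PolicySQLQuery -ErrorAction Stop | Sort-Object -Property Computers
            }
            catch {
                # Same type and message as before; the query failure is kept as the inner exception.
                throw [System.AccessViolationException]::New('No L.A.T.E.R policy found for user.', $_.Exception)
            }
            # An empty result set does not throw, so it has to be checked explicitly. Without this,
            # a caller with no policy row continued with $Policy = $null and, on a first request
            # (no past requests), was never throttled at all.
            if (-not $Policies -or $Policies.Count -eq 0) {
                throw [System.AccessViolationException]::New('No L.A.T.E.R policy found for user.')
            }
            # Sorted ascending by Computers, so the policy with the smallest Computers value is used.
            $Policy = $Policies[0]
            # Preferably log that the user has more than one policy if ($Policies.Count -gt 1)

            $PastLaterSQLQuery = $BasePastLaterQuery.Replace('REPLACESID', ([string]$Request.UserId -replace "'", "''"))
            [Object[]]$PastLater = Invoke-DbaQuery -SqlInstance $SqlInstance -Database $Database -Query $PastLaterSQLQuery -ErrorAction Stop
            # The group list is only needed for the policy lookup; it must not be written to the request tables.
            $Request.psobject.Properties.Remove('UserPolicyGroups')
            $Now = [datetime]::Now

            if ($null -ne $PastLater) {
                $ThrottleReached = $false
                $CurrentComputerPastLater = @($PastLater | Where-Object { $_.ComputerName -eq $ComputerName })
                # Compare dates directly instead of matching the culture-formatted date string as a
                # regex: that was a substring match ('1/2/2024' also matched '11/2/2024') and relied
                # on a $Today variable this function never defines.
                $RequestsToday = @($PastLater | Where-Object { $_.Timestamp.Date -eq $Now.Date })
                $CurrentComputerRequestsToday = @($CurrentComputerPastLater | Where-Object { $_.Timestamp.Date -eq $Now.Date })
                $UniqueComputers = @($PastLater.ComputerName | Sort-Object -Unique)
                $ComputersRequested = $UniqueComputers.Count

                if ($RequestsToday.Count -ge ($Policy.TimesPerDay * $Policy.Computers)) {
                    $ThrottleReached = $true
                    $ErrorNotification = 'No more requests allowed for {0} today.' -f $Request.UserId
                }
                elseif ($CurrentComputerRequestsToday.Count -ge $Policy.TimesPerDay) {
                    $ThrottleReached = $true
                    $ErrorNotification = 'No more requests allowed for user {0} on computer name {1} today.' -f $Request.UserId, $ComputerName
                }
                elseif ($ComputersRequested -eq 1 -and $ComputerName -notin $UniqueComputers) {
                    # NOTE(review): this branch rejects any second computer regardless of
                    # $Policy.Computers, which also leaves the next branch unreachable. Kept as-is
                    # because relaxing it would loosen the throttle; confirm the intended rule.
                    # $UniqueComputers[0] is used because formatting the whole ComputerName column
                    # printed 'System.Object[]' when more than one row existed.
                    $ThrottleReached = $true
                    $ErrorNotification = 'User {0} only permitted to request for this computer {1}. Limit reached, contact support.' -f $Request.UserId, $UniqueComputers[0]
                }
                elseif ($ComputersRequested -ne 1 -and $ComputersRequested -ge $Policy.Computers) {
                    $ThrottleReached = $true
                    $ErrorNotification = 'User {0} only permitted to request for {1} computers. Limit reached, contact support.' -f $Request.UserId, $Policy.Computers
                }
                elseif ($CurrentComputerRequestsToday.Count -gt 0) {
                    # The query orders newest first, so [0] is the latest request for this computer.
                    $LatestForComputer = $CurrentComputerPastLater[0].Timestamp
                    $Cutoff = $Now.AddHours(-1)
                    if ($LatestForComputer -ge $Cutoff) {
                        $ThrottleReached = $true
                        # Minutes until that request leaves the one-hour window. Previously computed from
                        # the newest request on any computer, which over-reported the wait.
                        $ErrorNotification = 'Request already submitted for {0}, wait time {1} Minutes.' -f $Request.UserId, ($LatestForComputer - $Cutoff).Minutes
                    }
                }

                if ($ThrottleReached) {
                    $Request | Add-Member -MemberType NoteProperty -Name Error -Value $ErrorNotification -ErrorAction Stop
                    $Request | Write-DbaDbTableData -SqlInstance $SqlInstance -Database $Database -Table $TableFailedRequests -ErrorAction Stop
                    # The stored record keeps the internal UserId; the message returned to the caller
                    # shows the connected user's name instead. -replace treats its pattern as a regex,
                    # so the UserId is escaped.
                    $CallerName = $PSSenderInfo.ConnectedUser -replace '^(?:.+\\)'
                    throw [System.AccessViolationException]::New($ErrorNotification -replace ([regex]::Escape([string]$Request.UserId), $CallerName))
                }
            }

            try {
                # The password is held back until the request has been recorded, so a logging
                # failure cannot leave an unlogged disclosure.
                $Password = Get-AdmPwdPassword -ComputerName $ComputerName -ErrorAction Stop
                $Request | Write-DbaDbTableData -SqlInstance $SqlInstance -Database $Database -Table $TableRequests -ErrorAction Stop
                $Password
            }
            catch {
                $ErrorNotification = 'Unknown error: {0}' -f $_.Exception.Message
                $Request | Add-Member -MemberType NoteProperty -Name Error -Value $ErrorNotification -ErrorAction Stop
                $Request | Write-DbaDbTableData -SqlInstance $SqlInstance -Database $Database -Table $TableFailedRequests -ErrorAction Stop
                throw [System.SystemException]::New($ErrorNotification, $_.Exception)
            }
        }
        catch {
            $PSCmdlet.ThrowTerminatingError($_)
        }
    }
}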