We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script repository

Report on security roles

May 04, 2023 Views: 2046

The script creates an HTML-formatted report on all Adaxes security roles and sends it by e-mail. The script should be executed in Windows PowerShell on the computer where Adaxes service runs.

Parameters:

  • $to - Specifies email addresses of recipients of the report.
  • $from - Specifies the e-mail address from which the message will be sent.
  • $smtpServer - Specifies the SMTP server to use when sending a notification.
  • $subject - Specifies the subject of the email message with the report.
  • $reportHeader - Specifies the report header.
  • $reportFooter - Specifies the report footer.
Edit Remove
PowerShell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

# Email message settings
$to = "recipient@domain.com" # TODO: modify me
$from = "noreply@domain.com" # TODO: modify me
$smtpServer = "mail.domain.com" # TODO: modify me
$subject = "Security Roles Report" # TODO: modify me
$reportHeader = "<h2><b>Security Roles Report</b></h2>
<table border='1'>
    <tr>
        <th>Name</th>
        <th>Description</th>
        <th>Assignments</th>
        <th>Permissions</th>
    </tr>" # TODO: modify me
$reportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me

# Function to resolve trustee names
function GetTrusteeName($trustee)
{
    if ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee))
    {
        $wellknownPrincipal = [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::GetInfo($trustee)
        return $wellknownPrincipal.DisplayName
    }
   
    if ([Softerra.Adaxes.Adsi.Sid]::PrimaryOwnerSid -eq $trustee)
    {
        return "Owner (ManagedBy)"
    }
    elseif ([Softerra.Adaxes.Adsi.Sid]::ManagerSid -eq $trustee)
    {
        return "Manager"
    }
    elseif ([Softerra.Adaxes.Adsi.Sid]::SecretarySid -eq $trustee)
    {
        return "Secretary"
    }
    elseif ([Softerra.Adaxes.Adsi.Sid]::AssistantSid -eq $trustee)
    {
        return "Assistant"
    }
   
    # Get object name
    $objectSid = New-Object "Softerra.Adaxes.Adsi.Sid" $trustee
    try
    {
        $object = $global:admService.OpenObject("Adaxes://<SID=$objectSid>", $NULL, $NULL, 0)
        $objectName = $object.Get("name")
    }
    catch
    {
        $objectName = $objectSid.ToString()
    }
    return $objectName
}

# Function to resolve Custom Command Names (for permissions to launch Custom Commands)
function FindCustomCommandName($commandID, $customCommandHashTable, $customCommandContainerPath)
{
    $commandName = $customCommandHashTable[$commandID]
    if ($commandName -ne $NULL)
    {
        return $commandName
    }
    
    $guidByte = (New-Object "System.Guid" $commandID).ToByteArray()
    $guidHexString = [Softerra.Adaxes.Utils.Transform]::ToRfc2254HexString($guidByte)
    
    $criteria = New-Object Softerra.Adaxes.Directory.Criteria.Criteria
    $simpleItem = $criteria.CreateSimple()
    [void]$simpleItem.SetProperty("adm-CustomCommandID").SetComparisonOperator("eq").AddValue($commandID)
    [void]$criteria.AddType("adm-CustomCommand", $simpleItem)

    $searcher = $global:admService.OpenObject($customCommandContainerPath, $NULL, $NULL, 0)
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.Criteria = $criteria
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $result = $searchResult.FetchAll()
        if ($result.Count -ne 0)
        {
            $command = $global:admService.OpenObject($result[0].AdsPath, $NULL, $NULL, 0)
            $commandName = $command.Get("name")
            $customCommandHashTable.Add($commandID, $commandName) | Out-Null
            return $commandName
        }
    }
    finally
    {
        $searchResult.Dispose()
    }
    
    return $NULL
}

# Function to resolve object types (e.g. user, group, OU etc)
function GetObjectType($objectTypeGuid, $customCommandHashTable, $customCommandContainerPath)
{
    
    try
    {
        $objectType = $global:admService.Schema.Classes.GetObject($objectTypeGuid)
    }
    catch
    {
        $objectType = $NULL
    }

    if ($objectType -ne $NULL)
    {
        return $objectType.AdminDisplayName
    }
    
    try
    {
        $atributeType = $global:admService.Schema.Properties.GetObject($objectTypeGuid)
    }
    catch
    {
        $atributeType = $NULL
    }

    if ($atributeType -ne $NULL)
    {
        return $atributeType.AdminDisplayName
    }

    $extendedRightsGuid = @{"{014bf69c-7b3b-11d1-85f6-08002be74fab}" = "ChangeDomainMaster";
                            "{cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd}" = "ChangeInfrastructureMaster";
                            "{bae50096-4752-11d1-9052-00c04fc2d4cf}" = "ChangePdc";
                            "{d58d5f36-0a98-11d1-adbb-00c04fd8d5cd}" = "ChangeRidMaster";
                            "{e12b56b6-0a95-11d1-adbb-00c04fd8d5cd}" = "ChangeSchemaMaster";
                            "{fec364e0-0a98-11d1-adbb-00c04fd8d5cd}" = "DoGarbageCollection";
                            "{69ae6200-7f46-11d2-b9ad-00c04f79f805}" = "DSCheckStalePhantoms";
                            "{0bc1554e-0a99-11d1-adbb-00c04fd8d5cd}" = "RecalculateHierarchy";
                            "{62dd28a8-7f46-11d2-b9ad-00c04f79f805}" = "RecalculateSecurityInheritance";
                            "{9432c620-033c-4db7-8b58-14ef6d0bf477}" = "RefreshGroupCache";
                            "{be2bb760-7f46-11d2-b9ad-00c04f79f805}" = "UpdateSchemaCache";
                            "{00299570-246d-11d0-a768-00aa006e0529}" = "UserForceChangePassword";
                            "{ab721a53-1e2f-11d0-9819-00aa0040529b}" = "UserChangePassword";
                            "{ab721a54-1e2f-11d0-9819-00aa0040529b}" = "SendAs";
                            "{B5C7D5F3-F235-43ad-A8D7-9D8374892123}" = "ReadLoggingInformation";
                            "{ED838A5C-56C2-486e-A85E-4D1B23CD2B54}" = "ReadSummaryLog";
                            "{8B3541F7-E278-4AC7-9FF9-D73220847E52}" = "RunScript";
                            "{BD3422E8-7737-4232-A1A6-B78CAB5FEA2D}" = "ExecuteAllCustomCommands";
                            "{D81B5354-169B-4482-981D-090484B7A328}" = "EnrollDisenrollUser";
                            "{649CDC16-A7E3-4D95-AE01-CECD32C79704}" = "GetPasswordSelfServiceReport";
                            "{E783B4EC-83FC-4C51-A0C2-9E3A1FFF9E6A}" = "SendSms";
                            "{299557F6-C974-4696-BC02-17859F1D613B}" = "MoveMailbox";
                            "{D5E7B1E7-C34F-4458-B33B-CEE66C0FBBC6}" = "ExportMailbox";
                            "{F19E8E0A-C601-4234-86A6-4774197A4B99}" = "CreateMailbox";
                            "{DB382E2C-FA7C-499A-85E4-907CFFE3E3E1}" = "DeleteMailbox";
                            "{828D990A-5FA7-4F8D-96D5-2C0F9A833EDF}" = "EstablishEmailAddress";
                            "{6F6D257A-A44E-4EE6-9FF6-1BF5A9144F88}" = "DeleteEmailAddress";
                            "{ADBACEA1-0A7A-407C-9535-D3E51B6AC303}" = "ArchiveHomeDirectory";
                            "{D8F76534-EAFF-4C38-9B4C-D6C0C29365BB}" = "ExchangeProperties";
                            "{87547735-7D75-4D9F-BDA3-EEBD1789397A}" = "ExchangeGeneralProperties";
                            "{EB7861A9-DCE0-434D-A2D9-59B062310BB6}" = "ExchangeEmailAddressesProperties";
                            "{A97C32B0-69D7-47CA-BBC2-0A815C18BCA3}" = "ExchangeSendAsProperties";
                            "{B9BBF393-6BF6-4C82-8957-2DDC25DA169D}" = "ExchangeSendOnBehalfProperties";
                            "{C7C0C556-62F7-45E5-B12D-ABFF8A857A84}" = "ExchangeMailboxRightsProperties";
                            "{274614ED-130F-40BC-BC72-601F0C1D5138}" = "ExchangeMailTipProperties";
                            "{82E50D86-1850-4EEE-9792-82D61A45F53A}" = "ExchangeDeliveryOptionsProperties";
                            "{7A2F504B-F7A7-4D21-B731-8FF9E9BBF48E}" = "ExchangeMessageDeliveryRestrictionsProperties";
                            "{79511D62-2638-4E80-A59B-24D92ABCE291}" = "ExchangeMessageModerationProperties";
                            "{61A0C1FD-9866-46EF-8BD4-60D792DFE554}" = "ExchangeMessageSizeRestrictionsProperties";
                            "{DD6540B6-CA2B-45C6-8D0D-EFBCD51EBD3E}" = "ExchangeMailboxQuotasProperties";
                            "{2C902617-EA87-4AEE-A26A-C3DCA79B38BE}" = "ExchangeMailboxPoliciesProperties";
                            "{CA1A1A17-09D6-4AA7-8369-2B936CCBC674}" = "ExchangeUMFeatureProperties";
                            "{360B7E6B-8042-436E-9117-D9691B10AC0F}" = "ExchangeActiveSyncFeatureProperties";
                            "{3BEF8F48-F5E4-422D-B100-168D4F06ABD9}" = "ExchangeArchiveFeatureProperties";
                            "{3CF80F35-49ED-4BEF-B41F-88C7456BE394}" = "ExchangeMapiFeatureProperties";
                            "{31DE0C27-4D5A-4E23-8F9C-7CB179635D35}" = "ExchangeOwaFeatureProperties";
                            "{795AB3ED-D1B4-49D1-8D16-1C47F2CF2ED7}" = "ExchangeRetentionHoldFeatureProperties";
                            "{3D497EF4-E358-4EB7-91A3-1E16EA054AFF}" = "ExchangeLitigationHoldFeatureProperties";
                            "{AF777E74-5ACB-4848-864C-70707B78C2C3}" = "ExchangePop3FeatureProperties";
                            "{BB3BD947-9C0F-4B38-AACC-2F3BFE301453}" = "ExchangeImapFeatureProperties";
                            "{4F16A030-3C93-4935-8C7F-A9ABEBC60693}" = "ExchangeAutoReplyConfigurationProperties";
                            "{16CAAFF5-74D3-429D-8D66-BCBA270C075C}" = "ExchangeCalendarSettingsProperties";
                            "{683AEA04-F847-4CEB-8D0B-B9534EB0EEEC}" = "Office365AccountProperties";
                            "{609CEF0E-7B62-436D-A621-CFAE0740BDD1}" = "AdaxesCustomAttributes";
                            "{77b5b886-944a-11d1-aebd-0000f80367c1}" = "PersonalInformation";
                            "{e45795b3-9455-11d1-aebd-0000f80367c1}" = "WebInformation";
                            "{e45795b2-9455-11d1-aebd-0000f80367c1}" = "EmailInformation";
                            "{e9db7f44-3799-441f-9719-33f32c20cdc3}" = "ResetMultifactorAuthentication";
                            "{A813457B-48DE-4821-A22F-253AAB73D5AE}" = "ConvertToSharedMailbox";
                            "{86908D09-1566-4698-A315-0E2792A5EB73}" = "ConvertToRegularMailbox";
                            "{D8640203-5F31-49C6-9A32-C880FB45EECA}" = "GenerateReport";}
    $extendedRights = $extendedRightsGuid[$objectTypeGuid]
    if ($extendedRights -ne $NULL)
    {
        return $extendedRights
    }
    
    $commandName = FindCustomCommandName $objectTypeGuid $customCommandHashTable $customCommandContainerPath
    if ($commandName -ne $NULL)
    {
        return "Execute: $commandName"
    }
    return $objectTypeGuid
}

$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$global:admService = $admNS.GetServiceDirectly("localhost")

# Find all Security Roles
$securityRolesPath = $global:admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$searcher = $global:admService.OpenObject($securityRolesPath, $NULL, $NULL, 0)
$criteria = New-Object Softerra.Adaxes.Directory.Criteria.Criteria
[void]$criteria.AddType("adm-Role", $NULL)
$searcher.Criteria = $criteria
$searcher.PageSize = 500
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"

try
{
    # Execute search
    $searchResult = $searcher.ExecuteSearch()
    $roles = $searchResult.FetchAll()
    
    # Build report
    $customCommandHashTable = New-Object "System.Collections.Hashtable"
    $customCommandContainerPath = $global:admService.Backend.GetConfigurationContainerPath("CustomCommands")
    foreach ($roleId in $roles)
    {
        # Bind to the Security Role
        $role = $global:admService.OpenObject($roleId.AdsPath, $NULL, $NULL, 0)
        
        # Role name
        $roleName = $role.RoleName

        $reportHeader += "<tr valign='top'><td>$roleName</td>"
        Write-Host "Adding role '$roleName'"
       
        # Description
        $description = $role.Description
        $reportHeader += "<td>$description</td>"
        
        # Assignments
        $assignments = $role.Assignments
        $reportHeader += "<td>"
        if ($assignments.Count -ne 0)
        {
            $reportHeader += "<table border='1' width = '100%'><tr><th>Trustee</th><th>AssignedOver</th><th>Exclude</th><th>Inheritance</th></tr>"
            foreach ($assignment in $role.Assignments)
            {
                $trusteeName = GetTrusteeName $assignment.Trustee
                foreach ($item in $assignment.ActivityScopeItems)
                {
                    switch ($item.Type)
                    {
                        "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
                        {
                            $itemName = "All objects"
                        }
                        "ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION"
                        {
                            $itemName = "Configuration objects"
                        }
                        default
                        {
                            try
                            {
                                $itemName = $item.BaseObject.Get("name")
                            }
                            catch
                            {
                                $itemName = [Guid]$item.Get("adm-ScopeBaseObjectGuid")
                            }
                        }
                    }
                   
                    switch ($item.Inheritance)
                    {
                        "ADS_SCOPE_BASE"
                        {
                            $inheritance = "This object only"
                        }
                        "ADS_SCOPE_ONELEVEL"
                        {
                            $inheritance = "One level"
                        }
                        "ADS_SCOPE_SUBTREE"
                        {
                            $inheritance = "Subtree"
                        }
                    }
                    $exclude = $item.Exclude
                    
                    $reportHeader += "<tr><td>$trusteeName</td><td>$itemName</td><td>$exclude</td><td>$inheritance</td></tr>"
                }
                
            }
            $reportHeader += "</table>"
        }
        else
        {
            $reportHeader += "N/A"
        }
        $reportHeader += "</td>"
        
        # Permissions
        $rolePermissions = $role.Permissions
        $reportHeader += "<td>"
        $reportHeader += "<table border='1' width = '100%'><tr><th>Access Mask</th><th>Object Type</th><th>Access Type</th><th>Applies to</th></tr>"
        for ($i = 0; $i -lt $rolePermissions.Count; $i++)
        {
            $permissionEntry = $rolePermissions.GetObject($i)
            
            # Access mask
            $accessMask = $permissionEntry.AccessMask.ToString()

            # Object type
            $objectTypeGuid = $permissionEntry.ObjectType
            if ($objectTypeGuid -eq $NULL)
            {
                $objectType = "All"
            }
            else
            {
                $objectType = GetObjectType $objectTypeGuid $customCommandHashTable $customCommandContainerPath
            }
            
            # Access type
            if ($permissionEntry.AccessType -eq "ADM_PERMISSION_TYPE_ALLOW")
            {
                $accessType = "Allow"
            }
            else
            {
                $accessType = "Deny"
            }
            
            # Applies to
            $inheritedObjectTypeGuid = $permissionEntry.InheritedObjectType
            if ($inheritedObjectTypeGuid -eq $NULL)
            {
                $inheritedObjectTypeName = "All"
            }
            else
            {
                $inheritedObjectTypeName = GetObjectType $inheritedObjectTypeGuid $customCommandHashTable $customCommandContainerPath
            }
            
            $reportHeader += "<tr><td>$accessMask</td><td>$objectType</td><td>$accessType</td><td>$inheritedObjectTypeName</td></tr>"
        }
        $reportHeader += "</table></td></tr>"
    }
    $reportHeader += "</table>"
    $htmlReport = $reportHeader + $reportFooter
    
    # Send message
    Send-MailMessage -To $to -from $from -SmtpServer $smtpServer -Subject $subject -Body $htmlReport -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8)
}
finally
{
    $searchResult.Dispose()
}

Comments 0
Leave a comment
Loading...

Got questions?

Support Questions & Answers