PSSA whitespace and alignment

Author: SamErde

Active Directory/AD Groups/Get Foreign Security Principals in Groups.ps1

@@ -1,6 +1,6 @@
 # List all foreign security principals in Active Directory that are a member of any group
 $FSPContainer = $Domain.ForeignSecurityPrincipalsContainer
-Get-ADObject -Filter 'ObjectClass -eq "foreignSecurityPrincipal"' -Properties 'msds-principalname','memberof' -SearchBase $FSPContainer -Server $GlobalCatalog | 
+Get-ADObject -Filter 'ObjectClass -eq "foreignSecurityPrincipal"' -Properties 'msds-principalname', 'memberof' -SearchBase $FSPContainer -Server $GlobalCatalog |
     Where-Object { $_.memberof -ne $null } | ForEach-Object {
         $AllForeignSecurityPrincipalMembers.Add($_)
     }

Active Directory/AD Groups/Remove Disabled Computer from All Groups Except Domain Computers.ps1

@@ -1,16 +1,16 @@
-$Token = (Get-ADGroup "Domain Computers" -Properties PrimaryGroupToken).PrimaryGroupToken
+$Token = (Get-ADGroup 'Domain Computers' -Properties PrimaryGroupToken).PrimaryGroupToken
 
-Get-ADComputer -Filter 'Enabled -eq "False"' -SearchBase "OU=Disabled Computers,..." -Properties PrimaryGroup,MemberOf | ForEach-Object {
+Get-ADComputer -Filter 'Enabled -eq "False"' -SearchBase 'OU=Disabled Computers,...' -Properties PrimaryGroup, MemberOf | ForEach-Object {
 
     #If Computer Primary Group is not Domain Computers, then Set Domain Computers as Primary Group.
-    If ($_.PrimaryGroup -notmatch "Domain Computers"){ 
+    If ($_.PrimaryGroup -notmatch 'Domain Computers') {
         Set-ADComputer -Identity $_ -Replace @{PrimaryGroupID = $Token } -Verbose
     } #If
 
     #If Computer is a member of more than 1 Group. Remove All Group except Domain Computers.
     If ($_.memberof) {
-        $Group = Get-ADPrincipalGroupMembership -Identity $_ | Where-Object {$_.Name -ne 'Domain Computers'}
-            Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false -Verbose
+        $Group = Get-ADPrincipalGroupMembership -Identity $_ | Where-Object { $_.Name -ne 'Domain Computers' }
+        Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false -Verbose
     } #If
 
     #Move Computer to Disabled OU.

Active Directory/AD Users/Get-ADDirectReport.ps1

@@ -1,41 +1,40 @@
-function Get-ADDirectReports
-{
-	<#
+function Get-ADDirectReports {
+    <#
 	.SYNOPSIS
 		This function retrieve the directreports property from the IdentitySpecified.
 		Optionally you can specify the Recurse parameter to find all the indirect
 		users reporting to the specify account (Identity).
-	
+
 	.DESCRIPTION
 		This function retrieve the directreports property from the IdentitySpecified.
 		Optionally you can specify the Recurse parameter to find all the indirect
 		users reporting to the specify account (Identity).
-	
+
 	.NOTES
 		Francois-Xavier Cat
 		www.lazywinadmin.com
 		@lazywinadm
-	
+
 		VERSION HISTORY
 		1.0 2014/10/05 Initial Version
-	
+
 	.PARAMETER Identity
 		Specify the account to inspect
-	
+
 	.PARAMETER Recurse
 		Specify that you want to retrieve all the indirect users under the account
-	
+
 	.EXAMPLE
 		Get-ADDirectReports -Identity Test_director
-	
+
 Name                SamAccountName      Mail                Manager
 ----                --------------      ----                -------
 test_managerB       test_managerB       test_managerB@la... test_director
 test_managerA       test_managerA       test_managerA@la... test_director
-		
+
 	.EXAMPLE
 		Get-ADDirectReports -Identity Test_director -Recurse
-	
+
 Name                SamAccountName      Mail                Manager
 ----                --------------      ----                -------
 test_managerB       test_managerB       test_managerB@la... test_director
@@ -44,65 +43,54 @@ test_userB2         test_userB2         test_userB2@lazy... test_managerB
 test_managerA       test_managerA       test_managerA@la... test_director
 test_userA2         test_userA2         test_userA2@lazy... test_managerA
 test_userA1         test_userA1         test_userA1@lazy... test_managerA
-	
+
 	#>
-	[CmdletBinding()]
-	PARAM (
-		[Parameter(Mandatory)]
-		[String[]]$Identity,
-		[Switch]$Recurse
-	)
-	BEGIN
-	{
-		TRY
-		{
-			IF (-not (Get-Module -Name ActiveDirectory)) { Import-Module -Name ActiveDirectory -ErrorAction 'Stop' -Verbose:$false }
-		}
-		CATCH
-		{
-			Write-Verbose -Message "[BEGIN] Something wrong happened"
-			Write-Verbose -Message $Error[0].Exception.Message
-		}
-	}
-	PROCESS
-	{
-		foreach ($Account in $Identity)
-		{
-			TRY
-			{
-				IF ($PSBoundParameters['Recurse'])
-				{
-					# Get the DirectReports
-					Write-Verbose -Message "[PROCESS] Account: $Account (Recursive)"
-					Get-Aduser -identity $Account -Properties directreports |
-					ForEach-Object -Process {
-						$_.directreports | ForEach-Object -Process {
-							# Output the current object with the properties Name, SamAccountName, Mail and Manager
-							Get-ADUser -Identity $PSItem -Properties mail, manager, DistinguishedName | Select-Object -Property Name, SamAccountName, DistinguishedName, Mail, @{ Name = "Manager"; Expression = { (Get-Aduser -identity $psitem.manager).samaccountname } } | Where-Object { $_.DistinguishedName -like "*,OU=Employees,OU=People,DC=DOMAINNAME,DC=org" }
-							# Gather DirectReports under the current object and so on...
-							Get-ADDirectReports -Identity $PSItem -Recurse
-						}
-					}
-				}#IF($PSBoundParameters['Recurse'])
-				IF (-not ($PSBoundParameters['Recurse']))
-				{
-					Write-Verbose -Message "[PROCESS] Account: $Account"
-					# Get the DirectReports
-					Get-Aduser -identity $Account -Properties directreports | Select-Object -ExpandProperty directReports |
-					Get-ADUser -Properties mail, manager | Select-Object -Property Name, SamAccountName, Mail, @{ Name = "Manager"; Expression = { (Get-Aduser -identity $psitem.manager).samaccountname } }
-				}#IF (-not($PSBoundParameters['Recurse']))
-			}#TRY
-			CATCH
-			{
-				Write-Verbose -Message "[PROCESS] Something wrong happened"
-				Write-Verbose -Message $Error[0].Exception.Message
-			}
-		}
-	}
-	END
-	{
-		Remove-Module -Name ActiveDirectory -ErrorAction 'SilentlyContinue' -Verbose:$false | Out-Null
-	}
+    [CmdletBinding()]
+    PARAM (
+        [Parameter(Mandatory)]
+        [String[]]$Identity,
+        [Switch]$Recurse
+    )
+    BEGIN {
+        TRY {
+            IF (-not (Get-Module -Name ActiveDirectory)) { Import-Module -Name ActiveDirectory -ErrorAction 'Stop' -Verbose:$false }
+        } CATCH {
+            Write-Verbose -Message '[BEGIN] Something wrong happened'
+            Write-Verbose -Message $Error[0].Exception.Message
+        }
+    }
+    PROCESS {
+        foreach ($Account in $Identity) {
+            TRY {
+                IF ($PSBoundParameters['Recurse']) {
+                    # Get the DirectReports
+                    Write-Verbose -Message "[PROCESS] Account: $Account (Recursive)"
+                    Get-ADUser -Identity $Account -Properties directreports |
+                        ForEach-Object -Process {
+                            $_.directreports | ForEach-Object -Process {
+                                # Output the current object with the properties Name, SamAccountName, Mail and Manager
+                                Get-ADUser -Identity $PSItem -Properties mail, manager, DistinguishedName | Select-Object -Property Name, SamAccountName, DistinguishedName, Mail, @{ Name = 'Manager'; Expression = { (Get-ADUser -Identity $psitem.manager).samaccountname } } | Where-Object { $_.DistinguishedName -like '*,OU=Employees,OU=People,DC=DOMAINNAME,DC=org' }
+                                # Gather DirectReports under the current object and so on...
+                                Get-ADDirectReports -Identity $PSItem -Recurse
+                            }
+                        }
+                }#IF($PSBoundParameters['Recurse'])
+                IF (-not ($PSBoundParameters['Recurse'])) {
+                    Write-Verbose -Message "[PROCESS] Account: $Account"
+                    # Get the DirectReports
+                    Get-ADUser -Identity $Account -Properties directreports | Select-Object -ExpandProperty directReports |
+                        Get-ADUser -Properties mail, manager | Select-Object -Property Name, SamAccountName, Mail, @{ Name = 'Manager'; Expression = { (Get-ADUser -Identity $psitem.manager).samaccountname } }
+                }#IF (-not($PSBoundParameters['Recurse']))
+            }#TRY
+            CATCH {
+                Write-Verbose -Message '[PROCESS] Something wrong happened'
+                Write-Verbose -Message $Error[0].Exception.Message
+            }
+        }
+    }
+    END {
+        Remove-Module -Name ActiveDirectory -ErrorAction 'SilentlyContinue' -Verbose:$false | Out-Null
+    }
 }
 
 <#
@@ -111,4 +99,4 @@ Get-ADDirectReports -Identity Test_director
 
 # Find all Indirect user reporting to Test_director
 Get-ADDirectReports -Identity Test_director -Recurse
-#>
+#>

Active Directory/AD Users/Remove-DisabledUsersFromAllGroups.ps1

@@ -1,16 +1,16 @@
-$Token = (Get-ADGroup "Domain Users" -Properties PrimaryGroupToken).PrimaryGroupToken
+$Token = (Get-ADGroup 'Domain Users' -Properties PrimaryGroupToken).PrimaryGroupToken
 
-Get-ADUser -Filter 'Enabled -eq "False"' -Properties PrimaryGroup,MemberOf | ForEach-Object {
+Get-ADUser -Filter 'Enabled -eq "False"' -Properties PrimaryGroup, MemberOf | ForEach-Object {
 
     # If the user's Primary Group is not Domain Users, then set Domain Users as their Primary Group.
-    If ($_.PrimaryGroup -notmatch "Domain Users"){ 
+    If ($_.PrimaryGroup -notmatch 'Domain Users') {
         Set-ADUsers -Identity $_ -Replace @{PrimaryGroupID = $Token } -Verbose
     }
 
     # If User is a member of more than 1 Group, remove all group memberships except Domain Users.
     If ($_.memberof) {
-        $Group = Get-ADPrincipalGroupMembership -Identity $_ | Where-Object {$_.Name -ne 'Domain Users'}
-            Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false -Verbose
+        $Group = Get-ADPrincipalGroupMembership -Identity $_ | Where-Object { $_.Name -ne 'Domain Users' }
+        Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false -Verbose
     }
 
     # Move User to Disabled OU.

Active Directory/AD Users/Test-IsMemberOfProtectedUsers.ps1

@@ -30,7 +30,7 @@ function Test-IsMemberOfProtectedUsers {
             Author:     Sam Erde (https://linktr.ee/SamErde)
             Modified:   2024-02-16
             Version:    0.1.0
-            
+
             Membership in Active Directory's Protect Users group can have implications for anything that relies on NTLM authentication.
 
             To Do:
@@ -55,8 +55,7 @@ function Test-IsMemberOfProtectedUsers {
         # These two are different types. Fixed by referencing $CheckUser.SID later, but should fix here by using one type.
         $CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
         $CheckUser = Get-ADUser $CurrentUser -Properties primaryGroupID
-    }
-    else {
+    } else {
         $CheckUser = Get-ADUser $User -Properties primaryGroupID
     }
 

Active Directory/Domain Services/AD Permissions Class Types.ps1

@@ -1,61 +1,60 @@
 # Create a hash table of all permission class and sub-class types from the AD schema.
 $ObjectTypeGUID = @{}
 (Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter '(SchemaIDGUID=*)' -Properties Name, SchemaIDGUID).
-ForEach({$ObjectTypeGUID.Add([GUID]$_.SchemaIDGUID,$_.Name)})
+ForEach({ $ObjectTypeGUID.Add([GUID]$_.SchemaIDGUID, $_.Name) })
 
-(Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -LDAPFilter '(ObjectClass=ControlAccessRight)' -Properties Name, RightsGUID).ForEach({$ObjectTypeGUID.Add([GUID]$_.RightsGUID,$_.Name)})
+(Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -LDAPFilter '(ObjectClass=ControlAccessRight)' -Properties Name, RightsGUID).ForEach({ $ObjectTypeGUID.Add([GUID]$_.RightsGUID, $_.Name) })
 $ObjectTypeGUID | Format-Table -AutoSize
 
 # Example:
 $ObjectTypeGUID[[GUID]'00299570-246d-11d0-a768-00aa006e0529']
 
 
-function Get-NameForGUID{
+function Get-NameForGUID {
     # Portions from http://blog.wobl.it/2016/04/active-directory-guid-to-friendly-name-using-just-powershell/
-        [CmdletBinding()]
-        [OutputType([System.String])]
-        Param(
-            [guid]$guid,
-            [string]$ForestDNSName
-        )
-        Begin{
-            IF (!$ForestDNSName)
-            { $ForestDNSName = (Get-ADForest $ForestDNSName).Name }
-    
-            IF ($ForestDNSName -notlike "*=*")
-             { $ForestDNSNameDN = "DC=$($ForestDNSName.replace('.', ',DC='))" }
-    
-                $ExtendedRightGUIDs = "LDAP://cn=Extended-Rights,cn=configuration,$ForestDNSNameDN"
-                $PropertyGUIDs = "LDAP://cn=schema,cn=configuration,$ForestDNSNameDN"
-        }
-        Process{
-            If($guid -eq "00000000-0000-0000-0000-000000000000"){
-                Return "All"
-            }Else{
-                $rightsGuid = $guid
-                $property = "cn"
-                $SearchAdsi = ([ADSISEARCHER]"(rightsGuid=$rightsGuid)")
-                $SearchAdsi.SearchRoot = $ExtendedRightGUIDs
-                $SearchAdsi.SearchScope = "OneLevel"
+    [CmdletBinding()]
+    [OutputType([System.String])]
+    Param(
+        [guid]$guid,
+        [string]$ForestDNSName
+    )
+    Begin {
+        IF (!$ForestDNSName)
+        { $ForestDNSName = (Get-ADForest $ForestDNSName).Name }
+
+        IF ($ForestDNSName -notlike '*=*')
+        { $ForestDNSNameDN = "DC=$($ForestDNSName.replace('.', ',DC='))" }
+
+        $ExtendedRightGUIDs = "LDAP://cn=Extended-Rights,cn=configuration,$ForestDNSNameDN"
+        $PropertyGUIDs = "LDAP://cn=schema,cn=configuration,$ForestDNSNameDN"
+    }
+    Process {
+        If ($guid -eq '00000000-0000-0000-0000-000000000000') {
+            Return 'All'
+        } Else {
+            $rightsGuid = $guid
+            $property = 'cn'
+            $SearchAdsi = ([ADSISEARCHER]"(rightsGuid=$rightsGuid)")
+            $SearchAdsi.SearchRoot = $ExtendedRightGUIDs
+            $SearchAdsi.SearchScope = 'OneLevel'
+            $SearchAdsiRes = $SearchAdsi.FindOne()
+            If ($SearchAdsiRes) {
+                Return $SearchAdsiRes.Properties[$property]
+            } Else {
+                $SchemaGuid = $guid
+                $SchemaByteString = '\' + ((([guid]$SchemaGuid).ToByteArray() | ForEach-Object { $_.ToString('x2') }) -Join '\')
+                $property = 'ldapDisplayName'
+                $SearchAdsi = ([ADSISEARCHER]"(schemaIDGUID=$SchemaByteString)")
+                $SearchAdsi.SearchRoot = $PropertyGUIDs
+                $SearchAdsi.SearchScope = 'OneLevel'
                 $SearchAdsiRes = $SearchAdsi.FindOne()
-                If($SearchAdsiRes){
+                If ($SearchAdsiRes) {
                     Return $SearchAdsiRes.Properties[$property]
-                }Else{
-                    $SchemaGuid = $guid
-                    $SchemaByteString = "\" + ((([guid]$SchemaGuid).ToByteArray() | %{$_.ToString("x2")}) -Join "\")
-                    $property = "ldapDisplayName"
-                    $SearchAdsi = ([ADSISEARCHER]"(schemaIDGUID=$SchemaByteString)")
-                    $SearchAdsi.SearchRoot = $PropertyGUIDs
-                    $SearchAdsi.SearchScope = "OneLevel"
-                    $SearchAdsiRes = $SearchAdsi.FindOne()
-                    If($SearchAdsiRes){
-                        Return $SearchAdsiRes.Properties[$property]
-                    }Else{
-                        Write-Host -f Yellow $guid
-                        Return $guid.ToString()
-                    }
+                } Else {
+                    Write-Host -f Yellow $guid
+                    Return $guid.ToString()
                 }
             }
         }
     }
-    
+}

Active Directory/Domain Services/Get-TrustedDomainNetBIOSNames.ps1

@@ -1,17 +1,16 @@
 Import-Module ActiveDirectory
-[array]$ADDomainTrusts = (Get-ADObject -Filter {ObjectClass -eq "trustedDomain"}).Name
+[array]$ADDomainTrusts = (Get-ADObject -Filter { ObjectClass -eq 'trustedDomain' }).Name
 [array]$NetBIOSDomainNames = @()
 
-foreach ($trust in $ADDomainTrusts)
-{
+foreach ($trust in $ADDomainTrusts) {
     $trustedDNSDomainName = $trust
-    $NetBIOSDomainNames += ((Get-ADDomain $trustedDNSDomainName | Select-Object NetBIOSName)| Out-String).Trim()
+    $NetBIOSDomainNames += ((Get-ADDomain $trustedDNSDomainName | Select-Object NetBIOSName) | Out-String).Trim()
 }
 
 $NetBIOSDomainNames
 
 <# Or using this:
-  $TrustedDomains = @{}           
+  $TrustedDomains = @{}
   $TrustedDomains += Get-ADObject -Filter {ObjectClass -eq "trustedDomain"} -Properties * |
       Select-Object @{ Name = 'NetBIOSName'; Expr = { $_.FlatName } },@{ Name = 'DNSName'; Expr = { $_.Name } },$TrustedDomains
 

Active Directory/Domain Services/Invoke-DcDiag.ps1

@@ -4,13 +4,13 @@ function Invoke-DcDiag {
         [ValidateNotNullOrEmpty()]
         [string]$DomainController
     )
- 
+
     $result = dcdiag /s:$DomainController
-    $result | select-string -pattern '\. (.*) \b(passed|failed)\b test (.*)' | foreach {
+    $result | Select-String -Pattern '\. (.*) \b(passed|failed)\b test (.*)' | ForEach-Object {
         $obj = @{
-            TestName = $_.Matches.Groups[3].Value
+            TestName   = $_.Matches.Groups[3].Value
             TestResult = $_.Matches.Groups[2].Value
-            Entity = $_.Matches.Groups[1].Value
+            Entity     = $_.Matches.Groups[1].Value
         }
         [pscustomobject]$obj
     }