FriedrichWeinmann · October 4, 2023 07:38
diff --git a/Get-ADgMSAKdsKey.ps1 b/Get-ADgMSAKdsKey.ps1
 function Get-ADgMSAKdsKey {
 	<#
 	.SYNOPSIS
 		Retrieves KDS Information for a gMSA.
 	
 	.DESCRIPTION
 		Retrieves KDS Information for a group managed service account (gMSA).
 		It will attempt to verify the existence of the KDS Key, but depending on the rights involed, access might be denied.
 	
 	.PARAMETER ServiceAccount
 		The service account to retrieve the KDS information from.
 	
 	.PARAMETER Server
 		The server / domain to contact.
 	
 	.PARAMETER Credential
 		The credentials to use with the request
 	
 	.EXAMPLE
 		PS c:\> Get-ADServiceAccount -Filter * | Get-ADgMSAKdsKey
 		
 		Retrieves the KDS information for all gMSA in the current user's domain.
 	#>
 	[CmdletBinding()]
 	param (
 		[Parameter(ValueFromPipeline = $true, Mandatory = $true)]
 		$ServiceAccount,

 		[string]
 		$Server,

 		[PSCredential]
 		$Credential
 	)

 	begin {
 		$adParam = @{ }
 		if ($Server) { $adParam.Server = $Server }
 		if ($Credential) { $adParam.Credential = $Credential }

 		$kdsExists = @{ }
 		$rootDSE = Get-ADRootDSE @adParam
 	}
 	process {
 		foreach ($account in $ServiceAccount) {
 			try { $object = Get-ADServiceAccount @adParam -Identity $account -Properties msDS-ManagedPasswordId, msDS-ManagedPasswordInterval -ErrorAction Stop }
 			catch {
 				Write-Warning "Failed to retrieve $($account): $_"
 				Write-Error $_
 				continue
 			}
 			$key = [guid][byte[]]$object.'msDS-ManagedPasswordId'[24..39]
 			if ($kdsExists.Keys -notcontains $key) {
 				$kdsExists[$key] = (Get-ADObject @adParam -Identity "CN=$key,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$($rootDSE.configurationNamingContext)" -ErrorAction Ignore) -as [bool]
 			}

 			[PSCustomObject]@{
 				SamAccountName    = $object.SamAccountName
 				KdsKeyID          = $key
 				KdsExists         = $kdsExists[$key]
 				PasswordInterval  = $object.'msDS-ManagedPasswordInterval'
 				DistinguishedName = $object.DistinguishedName
 			}
 		}
 	}
 }
	function Get-ADgMSAKdsKey {
	<#
	.SYNOPSIS
	Retrieves KDS Information for a gMSA.

	.DESCRIPTION
	Retrieves KDS Information for a group managed service account (gMSA).
	It will attempt to verify the existence of the KDS Key, but depending on the rights involed, access might be denied.

	.PARAMETER ServiceAccount
	The service account to retrieve the KDS information from.

	.PARAMETER Server
	The server / domain to contact.

	.PARAMETER Credential
	The credentials to use with the request

	.EXAMPLE
	PS c:\> Get-ADServiceAccount -Filter * \| Get-ADgMSAKdsKey

	Retrieves the KDS information for all gMSA in the current user's domain.
	#>
	[CmdletBinding()]
	param (
	[Parameter(ValueFromPipeline = $true, Mandatory = $true)]
	$ServiceAccount,

	[string]
	$Server,

	[PSCredential]
	$Credential
	)

	begin {
	$adParam = @{ }
	if ($Server) { $adParam.Server = $Server }
	if ($Credential) { $adParam.Credential = $Credential }

	$kdsExists = @{ }
	$rootDSE = Get-ADRootDSE @adParam
	}
	process {
	foreach ($account in $ServiceAccount) {
	try { $object = Get-ADServiceAccount @adParam -Identity $account -Properties msDS-ManagedPasswordId, msDS-ManagedPasswordInterval -ErrorAction Stop }
	catch {
	Write-Warning "Failed to retrieve $($account): $_"
	Write-Error $_
	continue
	}
	$key = [guid][byte[]]$object.'msDS-ManagedPasswordId'[24..39]
	if ($kdsExists.Keys -notcontains $key) {
	$kdsExists[$key] = (Get-ADObject @adParam -Identity "CN=$key,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$($rootDSE.configurationNamingContext)" -ErrorAction Ignore) -as [bool]
	}

	[PSCustomObject]@{
	SamAccountName = $object.SamAccountName
	KdsKeyID = $key
	KdsExists = $kdsExists[$key]
	PasswordInterval = $object.'msDS-ManagedPasswordInterval'
	DistinguishedName = $object.DistinguishedName
	}
	}
	}
	}