# Step 1: Find the Default Domain Policy GPO object in AD and read its
# gPCFileSysPath attribute (the SYSVOL folder that holds the policy files).
#
# NOTE(review): the lookup is by displayName, which an administrator can change;
# a renamed GPO makes this throw, and another GPO given this name would be
# audited instead. The Default Domain Policy also has the well-known GUID
# {31B2F340-016D-11D2-945F-00C04FB984F9}, which is a more stable key - confirm
# which one fits your environment.
$rootDse = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.defaultNamingContext

# All GPO containers live under CN=Policies,CN=System in the domain partition.
$policiesContainer = [ADSI]"LDAP://CN=Policies,CN=System,$domainDN"

$searcher = New-Object -TypeName DirectoryServices.DirectorySearcher -ArgumentList $policiesContainer
$searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=Default Domain Policy))"

$result = $searcher.FindOne()
if ($null -eq $result) {
    throw "Default Domain Policy not found"
}

# Search results expose attribute names in lower case; take the first value.
$gptPath = $result.Properties["gpcfilesyspath"][0]
# Step 2: Build the path to the GPO's security template and load it.
#
# NOTE(review): this file holds what the GPO *configures*, not the rights that
# are effective on any given machine; other linked GPOs and local policy also
# contribute. User-rights assignments are often defined in other GPOs (for
# example the Default Domain Controllers Policy), so an empty result here does
# not mean no privileges are assigned anywhere - verify per environment.
$templateRelativePath = "MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$infPath = Join-Path -Path $gptPath -ChildPath $templateRelativePath

if (Test-Path $infPath) {
    # One array element per line of the template.
    $lines = Get-Content $infPath
} else {
    throw "GptTmpl.inf not found at $infPath"
}
# Step 3: Collect the "name = value,value,..." entries of the
# [Privilege Rights] section into $privileges (privilege name -> principals).
$privileges = @{}
$insideSection = $false

foreach ($entry in $lines) {
    # The section header switches collection on; the header itself holds no data.
    if ($entry -match "^\[Privilege Rights\]") {
        $insideSection = $true
        continue
    }

    # Everything before the header is ignored.
    if (-not $insideSection) {
        continue
    }

    # Any other "[...]" header marks the end of the section.
    if ($entry -match "^\[.*\]") {
        break
    }

    # Lines without '=' carry no assignment.
    if ($entry -notmatch "=") {
        continue
    }

    # Split on the first '=' only, then break the right-hand side on commas.
    # Values are stored as written in the file, trimmed of surrounding whitespace.
    $name, $rawList = $entry -split '=', 2
    $principals = $rawList -split ',' | ForEach-Object { $_.Trim() }
    $privileges[$name.Trim()] = $principals
}
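# Step 4: Print each privilege followed by its principals, translating SIDs
# to account names where possible.
#
# Security templates write SIDs with a leading '*' (for example *S-1-5-32-544).
# Passing that raw string to SecurityIdentifier always throws, which would make
# every entry show up as "(unresolvable)" and hide who actually holds the right.
# The prefix is therefore stripped before translation. Entries that are not in
# SID form are treated as account names and printed as stored.
foreach ($priv in $privileges.Keys) {
    Write-Output "`n$priv"

    foreach ($entry in $privileges[$priv]) {
        # "SeSomething =" with nothing after it: the right is defined with no holders.
        if ([string]::IsNullOrWhiteSpace($entry)) {
            Write-Output "(no principals assigned)"
            continue
        }

        $sid = $entry.TrimStart('*')

        # Not in SID form: presumably stored by name, so there is nothing to translate.
        if ($sid -notmatch '^S-1-') {
            Write-Output "$entry -> (stored as account name)"
            continue
        }

        try {
            $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $objSID.Translate([System.Security.Principal.NTAccount])
            Write-Output "$sid -> $account"
        } catch {
            # A SID that no longer maps to an account (deleted or foreign principal)
            # is worth reviewing: the right is still granted to that SID.
            Write-Output "$sid -> (unresolvable)"
        }
    }
}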