From 4d8a6a5ab14d2cf6f793fdee8a709b874bf38889 Mon Sep 17 00:00:00 2001
From: Charlene Auger
Date: Thu, 7 Jul 2022 14:46:37 +0200
Subject: [PATCH] Fix azureAD user retrieval
---
 agent/winusers.ps1 | 67 +++++++++++++++++++++++++++++++++++-----------
 infos.json | 2 +-
 install.php | 36 +++++++++++++------------
 3 files changed, 72 insertions(+), 33 deletions(-)
diff --git a/agent/winusers.ps1 b/agent/winusers.ps1
index 91a5ff2..290b003 100644
--- a/agent/winusers.ps1
+++ b/agent/winusers.ps1
@@ -1,6 +1,7 @@
+# Function to get Admin user status
 function Get-AdminUser {
 param([string] $username)
- $admingroup = Get-LocalGroupMember -SID "S-1-5-32-544"
+ $admingroup = Get-LocalGroupMember -SID "S-1-5-32-544" -ErrorAction SilentlyContinue
 $userType = "Local"
 foreach ($admin in $admingroup) {
@@ -13,6 +14,7 @@ function Get-AdminUser {
 return $userType
 }
+# Function to get user folder size
 function Get-Size {
 param([string]$pth)
@@ -23,16 +25,33 @@ function Get-Size {
 }
 }
+# Function to check if is an AD user
 function Check-AdUser($username) {
 $ad_User = $null
- $ad_User = Get-ADUser -Identity $username
- if($ad_User -ne $null) {
- return "Domain user"
- } else {
- return "Local user"
- }
+ try { $ad_User = Get-ADUser -Identity $username return "Domain" } catch { return "Unknown" } }
+
+# Function to retrieve user AD SID
+function Get-AdSid
+{
+ param([string]$pth, [array]$profileList)
+ foreach($sid in $profileList) {
+ if($pth -eq $sid.ProfileImagePath) {
+ return $sid.PSChildName
+ }
+ }
+
+ return ""
 }
+#################################
+# Local User #
+#################################
 $users = Get-LocalUser | Select *
 $pathUsers = "C:\Users"
 $allUsers = @()
@@ -40,7 +59,6 @@ $allUsers = @()
 $startTime = (get-date).AddDays(-15)
 $logEvents = Get-Eventlog -LogName Security -after $startTime | where {$_.eventID -eq 4624}
-
 foreach ($user in $users) {
 if($user.Name -ne $null){
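Review bot: With `-ErrorAction SilentlyContinue` on the Get-LocalGroupMember call, a failed enumeration of the Administrators group (presumably the motivation for the change, e.g. the widely reported failure when the group holds an unresolvable SID) leaves `$admingroup` empty, the foreach never runs, and Get-AdminUser falls through to the default `"Local"` for every account, so an inventory of admin rights would silently under-report. Capture the failure instead of discarding it: `$admingroup = Get-LocalGroupMember -SID "S-1-5-32-544" -ErrorAction SilentlyContinue -ErrorVariable groupErr` followed by `if ($groupErr) { return "Unknown" }`, which keeps the agent running while marking the status as unverified rather than asserting it. The foreach body of Get-AdminUser continues past the end of the hunk.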
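Review bot: The try/catch in Check-AdUser only intercepts terminating errors, so should Get-ADUser report a failure non-terminatingly (for example when the directory cannot be contacted), execution falls through to `return "Domain"` and the account is reported as verified when it was not; use `$null = Get-ADUser -Identity $username -ErrorAction Stop` so every failure reaches the catch, which also removes the now-unused `$ad_User` assignment. The catch then conflates "identity not found" with "query failed" under "Unknown"; if consumers need the distinction, a `Write-Warning $_.Exception.Message` in the catch at least keeps the cause visible in agent output. In Get-AdSid, `PSChildName` is returned unfiltered, so a ProfileList subkey that Windows has renamed with a `.bak` suffix for a corrupt profile could be reported as the SID, since it can point at the same folder; consider `if ($sid.PSChildName -notlike '*.bak')` inside the loop or stripping the suffix before returning.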
@@ -68,7 +86,6 @@ foreach ($user in $users) {
 }
 }
- $xml += "`n"
 $xml += ""+ $user.Name +"`n"
 $xml += ""+ $userType +"`n"
@@ -88,6 +105,15 @@ foreach ($user in $users) {
 }
 }
+#################################
+# AD User #
+#################################
+# Get computer account type connection
+$Dsregcmd = New-Object PSObject ; Dsregcmd /status | Where {$_ -match ' : '} | ForEach { $Item = $_.Trim() -split '\s:\s'; $Dsregcmd | Add-Member -MemberType NoteProperty -Name $($Item[0] -replace '[:\s]','') -Value $Item[1] -EA SilentlyContinue }
+
+$profileListPath = @("Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*")
+$profileList = Get-ItemProperty -Path $profileListPath -ErrorAction Ignore | Select ProfileImagePath, PSChildName
+ $tmp = Get-ChildItem -Path $pathUsers | Select "Name"
 [System.Collections.ArrayList]$usersFolder = $tmp.Name
@@ -99,18 +125,29 @@ $usersAd = $usersFolder | Where-Object {$allUsers -notcontains $_}
 foreach ($userAd in $usersAd) {
 $path = "C:\Users\"+ $userAd
- if (Get-Command Get-ADUser -errorAction SilentlyContinue) {
- $type = Check-AdUser -username $userAd
- $folderSize ='0'
- } else {
- $folderSize = Get-Size
- $type = "Domain"
+
+ $sid = Get-AdSid $path $profileList
+
+ if($Dsregcmd.AzureAdJoined -eq "YES") {
+ $folderSize = Get-Size $path
+ $type = "AzureAD"
+ }
+
+ if($Dsregcmd.DomainJoined -eq "YES") {
+ if (Get-Command Get-ADUser -errorAction SilentlyContinue) {
+ $type = Check-AdUser -username $userAd
+ $folderSize = Get-Size $path
+ } else {
+ $type = "Domain"
+ $folderSize = Get-Size $path
+ }
 }
 $xml += "`n"
 $xml += ""+ $userAd +"`n"
 $xml += ""+ $type +"`n"
 $xml += ""+ $folderSize +"`n"
+ $xml += ""+ $sid +"`n"
 $xml += "`n"
 }
diff --git a/infos.json b/infos.json
index 0f9e828..77c06e5 100644
--- a/infos.json
+++ b/infos.json
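Review bot: `Dsregcmd /status` is run by bare name and its outcome is never checked: if the executable is absent or fails, the pipeline yields nothing, `$Dsregcmd` ends up with no properties, and the later `AzureAdJoined`/`DomainJoined` comparisons both quietly evaluate false instead of signalling that the join state is unknown. Resolve the binary explicitly and guard on it, e.g. `$dsregExe = Join-Path $env:SystemRoot 'System32\dsregcmd.exe'` and `if (-not (Test-Path $dsregExe)) { Write-Warning "dsregcmd.exe not found; join state unknown" }` before `& $dsregExe /status | Where ...`. The `-EA SilentlyContinue` on Add-Member also suppresses the error Add-Member raises for an already-existing member, so should the output ever repeat a key only the first value is kept without notice; if that is intended, say so with `# keep first occurrence of a repeated key`.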
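Review bot: `$type` and `$folderSize` are no longer assigned on every path: the removed else branch always set both, but the new code only sets them inside the `AzureAdJoined` and `DomainJoined` conditionals, so on a workgroup machine (or whenever the dsregcmd parsing produced no properties) the values written into the XML are whatever the previous iteration left behind, or empty for the first profile. Initialise them at the top of the loop body, `$type = "Unknown"` and `$folderSize = '0'`, which also lines up with the new `'0'` default for SIZE in install.php. When both join flags read "YES" (hybrid join) the DomainJoined block overwrites the "AzureAD" type; if that precedence is intended, a one-line comment above the second `if` would save the next reader the question. `$userAd`, `$type` and `$sid` are concatenated into the XML fragment unescaped, so a folder name containing `&` or `<` would break the document; wrapping them in `[System.Security.SecurityElement]::Escape()` avoids that (assuming the literal element tags around these values were dropped by extraction here).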
@@ -3,7 +3,7 @@
 "author" : ["J.C.BELLAMY"],
 "contributor" : ["Guillaume PRIOU", "Gilles DUBOIS", "Rudy LAURENT", "Charlene AUGER"],
 "supportedAgent" : ["Windows"],
- "version" : "3.2",
+ "version" : "4.0",
 "licence" : "GPLv2",
 "description" : {
 "fr" : "Remonte les utilisateurs Windows",
diff --git a/install.php b/install.php
index c2b190b..6e015df 100644
--- a/install.php
+++ b/install.php
@@ -10,23 +10,25 @@ function extension_install_winusers()
 // Drop table first
 $commonObject -> sqlQuery("DROP TABLE `winusers`;");
- $commonObject -> sqlQuery("CREATE TABLE `winusers` (
- `ID` INT(11) NOT NULL AUTO_INCREMENT,
- `HARDWARE_ID` INT(11) NOT NULL,
- `NAME` VARCHAR(255) DEFAULT NULL,
- `TYPE` VARCHAR(255) DEFAULT NULL,
- `SIZE` VARCHAR(255) DEFAULT NULL,
- `LASTLOGON` VARCHAR(255) DEFAULT NULL,
- `DESCRIPTION` VARCHAR(255) DEFAULT NULL,
- `STATUS` VARCHAR(255) DEFAULT NULL,
- `USERMAYCHANGEPWD` VARCHAR(255) DEFAULT NULL,
- `PASSWORDEXPIRES` VARCHAR(255) DEFAULT NULL,
- `SID` VARCHAR(255) DEFAULT NULL,
- `USERCONNECTION` VARCHAR(255) DEFAULT NULL,
- `NUMBERREMOTECONNECTION` VARCHAR(255) DEFAULT NULL,
- `IPREMOTE` VARCHAR(255) DEFAULT NULL,
- PRIMARY KEY (`ID`,`HARDWARE_ID`)
- ) ENGINE=InnoDB ;");
+ $commonObject -> sqlQuery(
+ "CREATE TABLE `winusers` (
+ `ID` INT(11) NOT NULL AUTO_INCREMENT,
+ `HARDWARE_ID` INT(11) NOT NULL,
+ `NAME` VARCHAR(255) DEFAULT NULL,
+ `TYPE` VARCHAR(255) DEFAULT NULL,
+ `SIZE` VARCHAR(255) DEFAULT '0',
+ `LASTLOGON` VARCHAR(255) DEFAULT NULL,
+ `DESCRIPTION` VARCHAR(255) DEFAULT NULL,
+ `STATUS` VARCHAR(255) DEFAULT NULL,
+ `USERMAYCHANGEPWD` VARCHAR(255) DEFAULT NULL,
+ `PASSWORDEXPIRES` VARCHAR(255) DEFAULT NULL,
+ `SID` VARCHAR(255) DEFAULT NULL,
+ `USERCONNECTION` VARCHAR(255) DEFAULT NULL,
+ `NUMBERREMOTECONNECTION` VARCHAR(255) DEFAULT NULL,
+ `IPREMOTE` VARCHAR(255) DEFAULT NULL,
+ PRIMARY KEY (`ID`,`HARDWARE_ID`)
+ ) ENGINE=InnoDB ;"
+ );
 }
 /**
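Review bot: The only semantic change in this hunk, `SIZE` moving from `DEFAULT NULL` to `DEFAULT '0'`, is buried inside a reindentation of the entire CREATE TABLE statement, which makes it easy to overlook in review and invisible in blame; splitting the reformat from the default change, or naming it in the commit message, would help. The column stays `VARCHAR(255)`, so the default is the string '0' and reported sizes will compare and sort lexically; if Get-Size yields a byte count (its body is not in this patch), `BIGINT UNSIGNED NOT NULL DEFAULT 0` would be the fitting type. extension_install_winusers() begins before the hunk.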