🐛 fix(scripts): resolve follow-up PowerShell audit findings (#16)

Resolve follow-up PowerShell audit and PR review findings.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: SamErde

Active Directory/AD Groups/Archive-ObsoleteGroups.ps1

@@ -18,9 +18,6 @@
 #
 # ============================================================
 
-#Import the Active Directory module so we can work with AD groups.
-Import-Module ActiveDirectory
-
 # TODO: This script requires customization before running. The $Domain, archive paths,
 # TODO: group identity/OU values in the loop, and Move-ADObject target path must all be set
 # TODO: for your environment. See inline TODO comments below.
@@ -36,6 +33,9 @@ param (
     $GroupListPath = 'C:\Scripts\ObsoleteGroups\ObsoleteGroups.csv'
 )
 
+#Import the Active Directory module so we can work with AD groups.
+Import-Module ActiveDirectory
+
 #Read in the CSV or text file of group names.
 $File = Get-Content -Path $GroupListPath
 

Active Directory/AD Users/Get-ADDirectReport.ps1

@@ -25,15 +25,15 @@
 		Specify that you want to retrieve all the indirect users under the account
 
 	.EXAMPLE
-		Get-ADDirectReports -Identity Test_director
+		Get-ADDirectReport -Identity Test_director
 
 Name                SamAccountName      Mail                Manager
 ----                --------------      ----                -------
 test_managerB       test_managerB       test_managerB@la... test_director
 test_managerA       test_managerA       test_managerA@la... test_director
 
 	.EXAMPLE
-		Get-ADDirectReports -Identity Test_director -Recurse
+		Get-ADDirectReport -Identity Test_director -Recurse
 
 Name                SamAccountName      Mail                Manager
 ----                --------------      ----                -------
@@ -56,7 +56,7 @@ test_userA1         test_userA1         test_userA1@lazy... test_managerA
             IF (-not (Get-Module -Name ActiveDirectory)) { Import-Module -Name ActiveDirectory -ErrorAction 'Stop' -Verbose:$false }
         } CATCH {
             Write-Verbose -Message '[BEGIN] Something wrong happened'
-            Write-Verbose -Message $Error[0].Exception.Message
+            Write-Verbose -Message $_.Exception.Message
         }
     }
     PROCESS {
@@ -69,9 +69,9 @@ test_userA1         test_userA1         test_userA1@lazy... test_managerA
                         ForEach-Object -Process {
                             $_.directreports | ForEach-Object -Process {
                                 # Output the current object with the properties Name, SamAccountName, Mail and Manager
-                                Get-ADUser -Identity $PSItem -Properties mail, manager, DistinguishedName | Select-Object -Property Name, SamAccountName, DistinguishedName, Mail, @{ Name = 'Manager'; Expression = { (Get-ADUser -Identity $psitem.manager).samaccountname } } | Where-Object { $_.DistinguishedName -like '*,OU=Employees,OU=People,DC=DOMAINNAME,DC=org' }
+                                Get-ADUser -Identity $PSItem -Properties mail, manager, DistinguishedName | Select-Object -Property Name, SamAccountName, DistinguishedName, Mail, @{ Name = 'Manager'; Expression = { (Get-ADUser -Identity $psitem.manager).samaccountname } }
                                 # Gather DirectReports under the current object and so on...
-                                Get-ADDirectReports -Identity $PSItem -Recurse
+                                Get-ADDirectReport -Identity $PSItem -Recurse
                             }
                         }
                 }#IF($PSBoundParameters['Recurse'])
@@ -84,7 +84,7 @@ test_userA1         test_userA1         test_userA1@lazy... test_managerA
             }#TRY
             CATCH {
                 Write-Verbose -Message '[PROCESS] Something wrong happened'
-                Write-Verbose -Message $Error[0].Exception.Message
+                Write-Verbose -Message $_.Exception.Message
             }
         }
     }
@@ -95,8 +95,8 @@ test_userA1         test_userA1         test_userA1@lazy... test_managerA
 
 <#
 # Find all direct user reporting to Test_director
-Get-ADDirectReports -Identity Test_director
+Get-ADDirectReport -Identity Test_director
 
 # Find all Indirect user reporting to Test_director
-Get-ADDirectReports -Identity Test_director -Recurse
+Get-ADDirectReport -Identity Test_director -Recurse
 #>

Active Directory/AD Users/Get-LockedOutLocation.ps1

@@ -33,8 +33,7 @@
         try {
             Import-Module ActiveDirectory -ErrorAction Stop
         } catch {
-            Write-Warning $_
-            break
+            throw "Failed to import the ActiveDirectory module. $($_.Exception.Message)"
         }
     }#end begin
     process {

Active Directory/Domain Services/DNSZonesRemote.ps1

@@ -29,29 +29,31 @@ $Creds = Get-Credential
 #Loop through each server in the list, opening a PowerShell remoting session, then show the name and status of the session. Skips (continue) to the next server if a connection fails.
 foreach ($srv in $servers) {
     $server = $srv.Hostname
-    $session = New-PSSession -ComputerName $server -Name $server -Credential $Creds
+    $session = $null
     Try {
         Write-Host -ForegroundColor Green "Connecting to $server... " -NoNewline
-        Enter-PSSession $session
-    } Catch {
-        Write-Host -ForegroundColor DarkYellow "Failed to enter the PSSession for $server. Skipping."
-        Continue
-    }
-    Write-Output $session.State
+        $session = New-PSSession -ComputerName $server -Name $server -Credential $Creds -ErrorAction Stop
+        Write-Output $session.State
 
-    $zones = Get-ChildItem -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\'
+        Invoke-Command -Session $session -ScriptBlock {
+            $zones = Get-ChildItem -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\'
 
-    foreach ($zone in $zones) {
-        Write-Host "`n`n 'Name: ' (Get-ItemProperty -PSPath $zone.PSPath).PSChildName" -NoNewline -ForegroundColor Yellow
-        Write-Host "`n 'SecondaryServers: ' (Get-ItemProperty -PSPath $zone.PSPath).SecondaryServers" -NoNewline
-        Write-Host "`n 'SecureSecondaries: ' (Get-ItemProperty -PSPath $zone.PSPath).SecureSecondaries `n" -NoNewline
+            foreach ($zone in $zones) {
+                Write-Host "`n`nName: $((Get-ItemProperty -PSPath $zone.PSPath).PSChildName)" -NoNewline -ForegroundColor Yellow
+                Write-Host "`nSecondaryServers: $((Get-ItemProperty -PSPath $zone.PSPath).SecondaryServers)" -NoNewline
+                Write-Host "`nSecureSecondaries: $((Get-ItemProperty -PSPath $zone.PSPath).SecureSecondaries) `n" -NoNewline
 
-        #Set-ItemProperty -PSPath $zone.PSPath -Name "SecondaryServers" -Value "" -WhatIf
-        #Set-ItemProperty -PSPath $zone.PSPath -Name "SecureSecondaries" -Value "3" -WhatIf
+                #Set-ItemProperty -PSPath $zone.PSPath -Name "SecondaryServers" -Value "" -WhatIf
+                #Set-ItemProperty -PSPath $zone.PSPath -Name "SecureSecondaries" -Value "3" -WhatIf
+            }
+        }
+    } Catch {
+        Write-Host -ForegroundColor DarkYellow "Failed to enter the PSSession for $server. Skipping."
+        Continue
+    } Finally {
+        if ($session) {
+            Remove-PSSession $session
+            Write-Host "$server session removed. `n`n" -ForegroundColor DarkYellow -NoNewline
+        }
     }
-
-    #Cleanup and then show the current PSSession state.
-    if ($session) { Exit-PSSession }
-    if ($session) { Remove-PSSession $session }
-    Write-Host "$session.ComputerName $session.State `n`n" -ForegroundColor DarkYellow -NoNewline
 }

Active Directory/Export-AllADUserTransitiveGroupMemberships.ps1

@@ -148,14 +148,17 @@ begin {
             }
 
             $CurrentProgressPreference = Get-Variable -Name ProgressPreference -ValueOnly
-            Set-Variable -Name ProgressPreference -Value 'SilentlyContinue' -Scope Global -Force -ErrorAction SilentlyContinue
-            # Check if the global catalog server is available on the specified port.
-            if (-not (Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet -ErrorAction SilentlyContinue)) {
-                if (-not (Test-NetConnection -ComputerName $Server -Port $AltPort -InformationLevel Quiet -ErrorAction SilentlyContinue)) {
-                    throw "Unable to connect to the global catalog server '$Server' on port '$Port' or '$AltPort.'"
+            try {
+                Set-Variable -Name ProgressPreference -Value 'SilentlyContinue' -Scope Global -Force -ErrorAction SilentlyContinue
+                # Check if the global catalog server is available on the specified port.
+                if (-not (Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet -ErrorAction SilentlyContinue)) {
+                    if (-not (Test-NetConnection -ComputerName $Server -Port $AltPort -InformationLevel Quiet -ErrorAction SilentlyContinue)) {
+                        throw "Unable to connect to the global catalog server '$Server' on port '$Port' or '$AltPort.'"
+                    }
                 }
+            } finally {
+                Set-Variable -Name ProgressPreference -Value $CurrentProgressPreference -Scope Global -Force -ErrorAction SilentlyContinue
             }
-            Set-Variable -Name ProgressPreference -Value $CurrentProgressPreference -Scope Global -Force -ErrorAction SilentlyContinue
         }
 
         process {

Active Directory/Get-ADObjectFromPipeline.ps1

@@ -15,7 +15,6 @@ function Get-ADObjectFromPipeline {
 
     begin {
         Import-Module ActiveDirectory
-        $GlobalCatalog = Get-ADDomainController -Discover -Service GlobalCatalog
     }
 
     process {
@@ -36,25 +35,15 @@ function Get-ADObjectFromPipeline {
         switch ($IdentityType) {
             'user' {
                 # Not Complete
-                $User = Get-ADUser -Identity $Identity -Properties PrimaryGroup,SidHistory
+                Get-ADUser -Identity $Identity -Properties PrimaryGroup,SidHistory
             }
             'computer' {
                 # Not Complete
-                $Computer = Get-ADComputer -Identity $Identity -Properties PrimaryGroup,SidHistory
+                Get-ADComputer -Identity $Identity -Properties PrimaryGroup,SidHistory
             }
             Default {
                 Write-Error "Identity type not supported."
             }
         }
     }
-
-    end {
-        # Do something and/or return the resulting object to the pipeline.
-        if ($User) {
-            $User
-        }
-        if ($Computer) {
-            $Computer
-        }
-    }
 }

Active Directory/Get-ADUserTransitiveGroupMembership.ps1

@@ -57,14 +57,17 @@ function Get-ADUserTransitiveGroupMembership {
         }
 
         $CurrentProgressPreference = Get-Variable -Name ProgressPreference -ValueOnly
-        Set-Variable -Name ProgressPreference -Value 'SilentlyContinue' -Force -Scope Global -ErrorAction SilentlyContinue
-        # Check if the global catalog server is available on the specified port.
-        if (-not (Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet -ErrorAction SilentlyContinue)) {
-            if (-not (Test-NetConnection -ComputerName $Server -Port $AltPort -InformationLevel Quiet -ErrorAction SilentlyContinue)) {
-                throw "Unable to connect to the global catalog server '$Server' on port '$Port' or '$AltPort.'"
+        try {
+            Set-Variable -Name ProgressPreference -Value 'SilentlyContinue' -Force -Scope Global -ErrorAction SilentlyContinue
+            # Check if the global catalog server is available on the specified port.
+            if (-not (Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet -ErrorAction SilentlyContinue)) {
+                if (-not (Test-NetConnection -ComputerName $Server -Port $AltPort -InformationLevel Quiet -ErrorAction SilentlyContinue)) {
+                    throw "Unable to connect to the global catalog server '$Server' on port '$Port' or '$AltPort.'"
+                }
             }
+        } finally {
+            Set-Variable -Name ProgressPreference -Value $CurrentProgressPreference -Force -Scope Global -ErrorAction SilentlyContinue
         }
-        Set-Variable -Name ProgressPreference -Value $CurrentProgressPreference -Force -Scope Global -ErrorAction SilentlyContinue
     }
 
     process {

Active Directory/Get-LAPSPasswords.ps1

@@ -1,3 +1,46 @@
-Get-ADComputer -SearchBase 'OU=Member Servers,DC=DOMAINNAME,DC=org' `
-    -Properties Name, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime -Filter { Name -notlike '*xen*' } | `
-        Select-Object Name, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime | Sort-Object Name | Out-GridView
+function Get-LAPSPassword {
+    <#
+    .SYNOPSIS
+        Gets LAPS password metadata for computers in an Active Directory search base.
+
+    .DESCRIPTION
+        Returns computer names and LAPS password expiration times by default. Use IncludePassword only when the caller
+        has a secure process for handling plaintext local administrator passwords.
+
+    .PARAMETER SearchBase
+        The distinguished name of the organizational unit or container to search.
+
+    .PARAMETER IncludePassword
+        Includes the plaintext ms-Mcs-AdmPwd value in the output.
+
+    .EXAMPLE
+        Get-LAPSPassword -SearchBase 'OU=Member Servers,DC=example,DC=com'
+
+    .OUTPUTS
+        PSCustomObject
+    #>
+    [CmdletBinding()]
+    [OutputType([PSCustomObject])]
+    param (
+        [Parameter(Mandatory)]
+        [ValidateNotNullOrEmpty()]
+        [string]
+        $SearchBase,
+
+        [Parameter()]
+        [switch]
+        $IncludePassword
+    )
+
+    $Properties = @('Name', 'ms-Mcs-AdmPwdExpirationTime')
+    if ($IncludePassword) {
+        Write-Warning 'Plaintext LAPS passwords will be included in the output. Handle the results securely.'
+        $Properties += 'ms-Mcs-AdmPwd'
+    }
+
+    Get-ADComputer -SearchBase $SearchBase -Properties $Properties -Filter { Name -notlike '*xen*' } |
+        Sort-Object -Property Name |
+        Select-Object -Property Name,
+        @{ Name = 'Password'; Expression = { if ($IncludePassword) { $_.'ms-Mcs-AdmPwd' } else { '<redacted>' } } },
+        @{ Name = 'PasswordExpirationTime'; Expression = { $_.'ms-Mcs-AdmPwdExpirationTime' } }
+}

Active Directory/Set DNS Server Zone Settings via Registry.ps1

@@ -27,9 +27,6 @@
     those changes to be read and take effect.
 #>
 
-# Prevent accidental running of this script until you've read the warning above:
-break
-
 if ($session) { Remove-PSSession $session }
 
 #Specify a list of DNS servers manually, or just get a list of all domain controllers in the domain.
@@ -39,31 +36,31 @@ $creds = Get-Credential
 #Loop through each server in the list, opening a PowerShell remoting session, then show the name and status of the session. Skips (continue) to the next server if a connection fails.
 foreach ($srv in $servers) {
     $server = $srv.Hostname
-    $session = New-PSSession -ComputerName $server -Name $server -Credential $creds
+    $session = $null
     Try {
         Write-Host "Connecting to $server... " -ForegroundColor Green -NoNewline
-        Enter-PSSession $session
-    } Catch {
-        Write-Host "Failed to enter the PSSession for $server. Skipping." -ForegroundColor DarkYellow
-        Continue
-    }
-    Write-Output $session.State
+        $session = New-PSSession -ComputerName $server -Name $server -Credential $creds -ErrorAction Stop
+        Write-Output $session.State
 
-    $zones = Get-ChildItem -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\'
+        Invoke-Command -Session $session -ScriptBlock {
+            $zones = Get-ChildItem -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\'
 
-    foreach ($zone in $zones) {
-        Write-Host "`n`nName: $((Get-ItemProperty -PSPath $zone.PSPath).PSChildName)" -NoNewline -ForegroundColor Yellow
-        Write-Host "`nSecondaryServers: $((Get-ItemProperty -PSPath $zone.PSPath).SecondaryServers)" -NoNewline
-        Write-Host "`nSecureSecondaries: $((Get-ItemProperty -PSPath $zone.PSPath).SecureSecondaries) `n" -NoNewline
+            foreach ($zone in $zones) {
+                Write-Host "`n`nName: $((Get-ItemProperty -PSPath $zone.PSPath).PSChildName)" -NoNewline -ForegroundColor Yellow
+                Write-Host "`nSecondaryServers: $((Get-ItemProperty -PSPath $zone.PSPath).SecondaryServers)" -NoNewline
+                Write-Host "`nSecureSecondaries: $((Get-ItemProperty -PSPath $zone.PSPath).SecureSecondaries) `n" -NoNewline
 
-        #Set-ItemProperty -PSPath $zone.PSPath -Name "SecondaryServers" -Value "" -Whatif
-        #Set-ItemProperty -PSPath $zone.PSPath -Name "SecureSecondaries" -Value "3" -Whatif
+                #Set-ItemProperty -PSPath $zone.PSPath -Name "SecondaryServers" -Value "" -WhatIf
+                #Set-ItemProperty -PSPath $zone.PSPath -Name "SecureSecondaries" -Value "3" -WhatIf
+            }
+        }
+    } Catch {
+        Write-Host "Failed to enter the PSSession for $server. Skipping." -ForegroundColor DarkYellow
+        Continue
+    } Finally {
+        if ($session) {
+            Remove-PSSession $session
+            Write-Host "$server session removed. `n`n" -NoNewline
+        }
     }
-
-
-    #Cleanup and then show the current PSSession state.
-    if ($session) { Exit-PSSession }
-    if ($session) { Remove-PSSession $session }
-    Write-Host "$($session.ComputerName) $($session.State) `n`n" -NoNewline
-
 }

DDI/Get Hostnames from CSV IP Addresses.ps1

@@ -10,7 +10,7 @@ $IPAddressList | foreach-object {
         $_.Hostname = ([System.Net.Dns]::GetHostEntry($ip)).HostName
     }
     catch {
-        Write-Error $_ #.Exception.Message.Split(':')[1]
+        Write-Error -ErrorRecord $_ #.Exception.Message.Split(':')[1]
     }
 }
 # Write the data back to the CSV with the hostnames added.