@SasStu

SasStu/Detection.ps1

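function Get-LocalUserAccount {
    <#
    .SYNOPSIS
    Returns local user account entries that match a given name, read through the ADSI WinNT provider.

    .PARAMETER Computer
    One or more computer names to query. Defaults to the local computer ($env:COMPUTERNAME).
    Accepts pipeline input.

    .PARAMETER Name
    Account name to look for. Mandatory, so PowerShell rejects $null and the empty string
    at parameter binding time.

    .OUTPUTS
    The ADSI child entries whose SchemaClassName is "User" and whose Name equals -Name.
    Nothing is emitted when no account matches.

    .NOTES
    The match is by account name only. It does not show whether the account is enabled
    or which groups it belongs to.
    #>
    [CmdletBinding()]
    param (
        [Parameter(
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true
        )]
        [string[]] $Computer = $env:COMPUTERNAME,
        [Parameter(Mandatory = $true)]
        [string] $Name
    )
    # A process block is required for ValueFromPipeline to bind every piped item;
    # without it only the last pipeline value would be seen.
    process {
        foreach ($item in $Computer) {
            # Do not name this variable $host: $Host is a constant automatic variable,
            # so assigning to it fails and the lookup would then read .Children from the
            # PowerShell host object instead of the computer's account database.
            $computerEntry = [ADSI] [string]::Format("WinNT://{0}", $item)
            if ($Name) {
                foreach ($user in $Name) {
                    $computerEntry.Children |
                        Where-Object { $_.SchemaClassName -eq "User" -and $_.Name -eq $user }
                }
            }
            else {
                # Only reachable if the Mandatory constraint on -Name is ever relaxed:
                # list every local user account.
                $computerEntry.Children | Where-Object { $_.SchemaClassName -eq "User" }
            }
        }
    }
}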
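# Detection: report $false (non-compliant) only when LAPS is set up to manage a custom
# local administrator account and that account does not exist on this machine.
# All four conditions must hold for $false:
#   1. no local user with the configured name was found,
#   2. the AdminAccountName policy value is present,
#   3. the AdmPwdEnabled policy value equals 1,
#   4. the LAPS client-side extension DLL is present under Program Files.
# In every other case the script reports $true.
#
# NOTE(review): -ErrorAction SilentlyContinue makes an unreadable policy key look the same
# as an absent one, so a read failure is reported as compliant. The account check is by
# name only; it does not verify that the account is enabled or is an administrator.

# Read the LAPS policy key once instead of once per value.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
$AdminAccountName = $policy.AdminAccountName

# Get-LocalUserAccount declares -Name as mandatory; calling it with $null or '' raises a
# parameter binding error. Skip the lookup in that case so no error record is written.
$item = $null
if (-not [string]::IsNullOrEmpty($AdminAccountName)) {
    $item = Get-LocalUserAccount -Name $AdminAccountName
}

$lapsEnabled = $policy.AdmPwdEnabled -eq '1'
$cseInstalled = Test-Path -Path (Join-Path -Path $env:ProgramFiles -ChildPath 'LAPS\CSE\AdmPwd.dll')

# $null goes on the left of -eq / -ne so the comparison stays scalar even when the
# other operand is a collection.
if ($null -eq $item -and $null -ne $AdminAccountName -and $lapsEnabled -and $cseInstalled) {
    return $false
}
else {
    return $true
}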