Reset a user account's adminCount and restore the default ACL.
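#requires -Modules ActiveDirectory
<#
.SYNOPSIS
    Reset a user account's adminCount and restore the schema default ACL.

.DESCRIPTION
    Clears the adminCount attribute on an Active Directory user and replaces
    the user's nTSecurityDescriptor with the defaultSecurityDescriptor of the
    schema User class. The reset is refused while the user is still a direct
    or nested member of a protected group (AdminCount=1 and
    IsCriticalSystemObject), because the AdminSDHolder process would re-apply
    the protected ACL and re-set adminCount on its next pass.

    Supports -WhatIf / -Confirm (ConfirmImpact is High, so the write prompts
    by default).

.PARAMETER Identity
    The user to reset. Accepts pipeline input; every piped object is
    processed, not only the last one.

.PARAMETER Server
    Domain controller to query and write through.

.PARAMETER Credential
    Alternate credential for all AD operations.

.PARAMETER Force
    Perform the reset even when adminCount is not currently set on the user.
    The protected-group check is still enforced.
#>
[CmdletBinding(
    SupportsShouldProcess = $true,
    ConfirmImpact = 'High'
)]
param(
    [Parameter(
        Mandatory = $true,
        Position = 1,
        ValueFromPipeline = $true
    )]
    [object]
    $Identity,

    [string]
    $Server,

    [pscredential]
    $Credential,

    [switch]
    $Force
)

begin {
    # Common -Server / -Credential arguments, splatted onto every AD call so
    # all reads and the final write go through the same DC and identity.
    $ADOperationSplat = @{}
    if ( $Credential ) { $ADOperationSplat.Credential = $Credential }
    if ( $Server ) { $ADOperationSplat.Server = $Server }

    # Escape a value for use inside an LDAP filter (RFC 4515). A DN that
    # contains '(', ')', '*' or '\' (e.g. "CN=Smith\, John" or a name with
    # parentheses) would otherwise make the membership filter invalid or
    # change its meaning. Backslash is replaced first so the escapes added
    # for the other characters are not re-escaped.
    function ConvertTo-LdapFilterValue {
        param( [string]$Value )
        $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    }
}

process {
    # Pull the two attributes we act on; nTSecurityDescriptor is needed so the
    # same ActiveDirectorySecurity object can be rewritten with the default SDDL.
    $ADUser = Get-ADUser -Identity $Identity -Properties AdminCount, nTSecurityDescriptor @ADOperationSplat -ErrorVariable GetADUserError
    if ( $GetADUserError -or -not $ADUser ) { return }

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) on the member
    # attribute resolves nested membership, so a user protected only through
    # group nesting is still detected.
    $MemberFilter = '(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))' -f ( ConvertTo-LdapFilterValue $ADUser.DistinguishedName )
    [object[]]$ProtectedGroups = Get-ADGroup -LDAPFilter $MemberFilter -Properties 'AdminCount', 'IsCriticalSystemObject' @ADOperationSplat -ErrorVariable GetADGroupError |
        Where-Object { $_.AdminCount -eq 1 -and $_.IsCriticalSystemObject }
    if ( $GetADGroupError ) { return }

    if ( $ProtectedGroups.Count -gt 0 ) {
        foreach ( $Group in $ProtectedGroups ) {
            Write-Verbose ( 'User {0} ({1}) is a member of protected group ''{2}''' -f $ADUser.Name, $ADUser.UserPrincipalName, $Group.Name )
        }
        Write-Error ( 'User {0} ({1}) is a member of {2} protected groups. AdminCount will not be reset.' -f $ADUser.Name, $ADUser.UserPrincipalName, $ProtectedGroups.Count )
        return
    }

    # AdminCount of 0 or $null both count as "not flagged".
    if ( -not $ADUser.AdminCount -and -not $Force ) {
        Write-Warning ( 'User {0} ({1}) is not flagged with AdminCount. No action taken, use {2} to reset anyway.' -f $ADUser.Name, $ADUser.UserPrincipalName, '-Force' )
        return
    }

    # Get the schema default ACL for the User class; this is the SDDL that a
    # freshly created user object receives before inheritance is applied.
    $SchemaNamingContext = (Get-ADRootDSE @ADOperationSplat).schemaNamingContext
    $DefaultSecurityDescriptor = Get-ADObject -Identity "CN=User,$SchemaNamingContext" -Properties defaultSecurityDescriptor @ADOperationSplat |
        Select-Object -ExpandProperty defaultSecurityDescriptor

    $DescriptionMessage = ( 'Resetting AdminCount for user {0} ({1})' -f $ADUser.Name, $ADUser.UserPrincipalName )
    $WarningMessage = ( 'Reset AdminCount for user {0} ({1})?' -f $ADUser.Name, $ADUser.UserPrincipalName )

    if ( $PSCmdlet.ShouldProcess( $DescriptionMessage, $WarningMessage, $null ) ) {
        # Replace the whole descriptor with the schema default SDDL.
        # NOTE(review): the schema defaultSecurityDescriptor normally carries
        # only D: and S: sections; confirm the owner/group the written
        # descriptor ends up with before relying on this in bulk.
        $ADUser.nTSecurityDescriptor.SetSecurityDescriptorSddlForm( $DefaultSecurityDescriptor )
        # -Confirm:$false: the ShouldProcess call above already asked, so the
        # cmdlet must not prompt a second time.
        Set-ADObject -Identity $ADUser.DistinguishedName -Clear 'adminCount' -Replace @{ nTSecurityDescriptor = $ADUser.nTSecurityDescriptor } @ADOperationSplat -Confirm:$false
    }
}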