🐛 fix(function): resolve medium-severity bugs across scripts

F02: Fix RegistryAccessRule from FullControl to ReadKey in Activate and Get License
     (comment/output said 'read permissions' but code was granting FullControl)
F05: Fix Write-Error \\Cannot validate argument on parameter 'MaximumHistoryCount'. The 0 argument is less than the minimum allowed range of 1. Supply an argument that is greater than or equal to 1 and then try the command again.[0]\ -> \\\ in Get Hostnames from CSV IP Addresses
     (\\Cannot validate argument on parameter 'MaximumHistoryCount'. The 0 argument is less than the minimum allowed range of 1. Supply an argument that is greater than or equal to 1 and then try the command again.[0]\ may not reflect the current exception in a catch block)
F15: Confirmed already fixed in critical pass (Get-Date format HH-mm-ss correct)
F18: Replace \�reak 1\ with \
eturn\ in two catch blocks in Get-InactiveUsers
     (break outside a loop throws LoopFlowException in PowerShell)
F20: Add BadPasswordTime to Get-ADUser -Properties list in Get-LockedOutLocation
     (property was used in output object but never requested from AD)
F25: Fix undefined \\\ -> \\\\ in Update-ModuleVersion
F28: Remove Set-ExecutionPolicy RemoteSigned from Parse-TransportLogs
     (modifies machine security policy as a script side effect)
F30: Add bounds check before split('<')[1] in Parse-TransportLogs
     (throws index-out-of-range if no '<' delimiter present in log data)
F31: Replace \\Continue\ global mutation with try/catch for DNS lookup
     in Parse-TransportLogs (scoped error handling instead of global state change)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: SamErde

Active Directory/AD Users/Get-InactiveUsers.ps1

@@ -73,7 +73,7 @@
         Write-Verbose 'Active Directory module imported successfully'
     } catch {
         Write-Error "Failed to import Active Directory module: $($_.Exception.Message)"
-        break 1
+        return
     }
 
     # Calculate the cutoff date and its file time representation for the AD filter.
@@ -99,7 +99,7 @@
         Write-Host "Found $($InactiveUsersResult.Count) inactive user account(s)." -ForegroundColor Green
     } catch {
         Write-Error "Failed to get user accounts: $($_.Exception.Message)"
-        break 1
+        return
     }
 
     $InactiveUsers = @()

Active Directory/AD Users/Get-LockedOutLocation.ps1

@@ -48,7 +48,7 @@
             $DCCounter++
             Write-Progress -Activity 'Contacting DCs for lockout info' -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter / $DomainControllers.Count) * 100)
             try {
-                $UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime, LastBadPasswordAttempt, BadPwdCount, LockedOut -ErrorAction Stop
+                $UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime, BadPasswordTime, LastBadPasswordAttempt, BadPwdCount, LockedOut -ErrorAction Stop
             } catch {
                 Write-Warning $_
                 continue

DDI/Get Hostnames from CSV IP Addresses.ps1

@@ -10,7 +10,7 @@ $IPAddressList | foreach-object {
         $_.Hostname = ([System.Net.Dns]::GetHostEntry($ip)).HostName
     }
     catch {
-        Write-Error $error[0] #.Exception.Message.Split(':')[1]
+        Write-Error $_ #.Exception.Message.Split(':')[1]
     }
 }
 # Write the data back to the CSV with the hostnames added.

Exchange/Parse-TransportLogs.ps1

@@ -13,7 +13,6 @@
   http://blog.chrislehr.com/2015/07/parse-transportlogs-which-ips-on-my.html
 #>
 
-Set-ExecutionPolicy RemoteSigned
 $ExchangeCredential = Get-Credential -Message "Please enter credentials to connect to your Exchange Server. `nThis will be used to pull message subject lines from the tracking logs."
 $ExchangeServer = Read-Host 'Please specify an Exchange Server name.'
 $ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$ExchangeServer/PowerShell/" -Authentication Kerberos -Credential $ExchangeCredential
@@ -47,13 +46,20 @@ foreach ($item in $TestSet) {
     $testProgress++; $testPercent = [math]::Round(($testProgress / $testCount), 2) * 100
     Write-Progress -Activity "Parsing message $testProgress of $testCount." -Status "$testPercent% complete" -PercentComplete $testPercent
 
-    $data = ($item.data.split('<')[1]).Split('>')[0]
+    $splitData = $item.data.Split('<')
+    if ($splitData.Count -lt 2) {
+        Write-Warning "Skipping item with no message-id delimiter: $($item.data)"
+        continue
+    }
+    $data = $splitData[1].Split('>')[0]
     $subject = (Get-MessageTrackingLog -MessageId $data).MessageSubject | Select-Object -Unique
     $item.MessageID = $data
     $item.Subject = $subject
-    $ErrorActionPreference = 'SilentlyContinue' #To avoid ambiguous error output if/when a hostname is not found.
-    $item.Hostname = ([System.Net.DNS]::GetHostbyAddress($item.IPAddress)).Hostname
-    $ErrorActionPreference = 'Continue'
+    try {
+        $item.Hostname = ([System.Net.DNS]::GetHostbyAddress($item.IPAddress)).Hostname
+    } catch {
+        # Hostname not found for this IP; leave blank.
+    }
 }
 
 Remove-PSSession $ExchangeSession.Id

General/Update-ModuleVersion.ps1

@@ -87,7 +87,7 @@
         }
 
         if ("$NewVersion$PrereleaseTag" -notmatch $PatternValidation) {
-            Write-Error -Message "The prerelease version '$PrereleaseVersion' is not a valid semantic version." -ErrorAction Continue
+            Write-Error -Message "The prerelease version '$NewVersion$PrereleaseTag' is not a valid semantic version." -ErrorAction Continue
         } else {
             $matches | Write-Debug -Debug
             foreach ($match in $matches.GetEnumerator()) {

Windows/Activate and Get License.ps1

@@ -29,10 +29,10 @@ if (-not (Test-Path -Path $registryPath)) {
 
 # Add read permissions for SID (S-1-1-0, Everyone) to the registry key with inheritance
 $acl = Get-Acl -Path $registryPath
-$ruleSID = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
+$ruleSID = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
 $acl.AddAccessRule($ruleSID)
 Set-Acl -Path $registryPath -AclObject $acl
-Write-Output "Added 'Interactive' group and SID ($sid) with read permissions (with inheritance) to the registry key."
+Write-Output "Added 'Interactive' group and SID ($sid) with read (ReadKey) permissions (with inheritance) to the registry key."
 
 #Remove the # below to make sure it will kick off the scheduled task on already enrolled devices
 Start-Process "$env:SystemRoot\system32\ClipRenew.exe"