
Commit 7951bfb

Merge pull request #248 from rebelinux/testing
Enhance error handling in Get-CAHostObject and Find-ESC7 scripts
2 parents dd5a51b + 46cca78 commit 7951bfb

2 files changed

Lines changed: 8 additions & 10 deletions


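--- a/Private/Find-ESC7.ps1
+++ b/Private/Find-ESC7.ps1
@@ -35,8 +35,8 @@
 )
 process {
 $ADCSObjects | Where-Object {
-($_.objectClass -eq 'pKIEnrollmentService') -and
-( ($_.CAAdministrator -notmatch 'Failure|CA Unavailable') -or ($_.CertificateManager) )
+($_.objectClass -eq 'pKIEnrollmentService') -and $_.CAHostDistinguishedName -and
+( ($_.CAAdministrator) -or ($_.CertificateManager) )
 } | ForEach-Object {
 $UnsafeCAAdministrators = Write-Output $_.CAAdministrator -PipelineVariable admin | ForEach-Object {
 $SID = Convert-IdentityReferenceToSid -Object $admin
@@ -64,8 +64,7 @@
 }
 if ($UnsafeCAAdministrators) {
 $Issue.Issue = $Issue.Issue + @"
-Unexpected principals are granted "CA Administrator" rights on this Certification Authority.
-Unsafe CA Administrators: $($UnsafeCAAdministrators -join ', ').
+Unexpected prinicipals ($($UnsafeCAAdministrators -join ', ')) are granted "CA Administrator" rights on this Certification Authority.
 
 "@
 $Issue.Fix = $Issue.Fix + @"
@@ -79,16 +78,15 @@ Reinstate CA Administrator rights for $($UnsafeCAAdministrators -join ', ')
 }
 if ($UnsafeCertificateManagers) {
 $Issue.Issue = $Issue.Issue + @"
-Unexpected principals are granted "Certificate Manager" rights on this Certification Authority.
-Unexpected Principals: $($UnsafeCertificateManagers -join ', ')
+Unexpected prinicipals ($($UnsafeCertificateManagers -join ', ')) are granted "Certificate Manager" rights on this Certification Authority.
 
 "@
 $Issue.Fix = $Issue.Fix + @"
-Revoke Certificate Manager rights from $($UnsafeCertificateManagers -join ', ')
+Revoke CA Administrator rights from $($UnsafeCertificateManagers -join ', ')
 
 "@
 $Issue.Revert = $Issue.Revert + @"
-Reinstate Certificate Manager rights for $($UnsafeCertificateManagers -join ', ')
+Reinstate CA Administrator rights for $($UnsafeCertificateManagers -join ', ')
 
 "@
 }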
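Review bot: In the `$UnsafeCertificateManagers` branch the new Fix and Revert text names "CA Administrator" although the finding is about "Certificate Manager" rights, so an operator following the remediation would change the wrong role and the flagged rights would stay in place. The two lines should keep the old role name: `Revoke Certificate Manager rights from $($UnsafeCertificateManagers -join ', ')` and `Reinstate Certificate Manager rights for $($UnsafeCertificateManagers -join ', ')`. Both new Issue strings also misspell "principals" as "prinicipals". Separately, the first hunk drops the `-notmatch 'Failure|CA Unavailable'` test, so if `CAAdministrator` can still hold one of those placeholder strings for a CA that has a host DN, it would presumably now be reported as an unexpected principal; worth confirming that a populated `CAHostDistinguishedName` rules that out. The enclosing `process` block starts in the first hunk and ends outside the visible lines.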

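--- a/Private/Get-CAHostObject.ps1
+++ b/Private/Get-CAHostObject.ps1
@@ -40,11 +40,11 @@
 process {
 if ($Credential) {
 $ADCSObjects | Where-Object objectClass -Match 'pKIEnrollmentService' | ForEach-Object {
-Get-ADObject $_.CAHostDistinguishedName -Properties * -Server $ForestGC -Credential $Credential
+if ($_.CAHostDistinguishedName) { Get-ADObject $_.CAHostDistinguishedName -Properties * -Server $ForestGC -Credential $Credential } else { Write-Warning "Get-CAHostObject: Unable to get information from $($_.DisplayName)" }
 }
 } else {
 $ADCSObjects | Where-Object objectClass -Match 'pKIEnrollmentService' | ForEach-Object {
-Get-ADObject $_.CAHostDistinguishedName -Properties * -Server $ForestGC
+if ($_.CAHostDistinguishedName) { Get-ADObject -Identity $_.CAHostDistinguishedName -Properties * -Server $ForestGC } else { Write-Warning "Get-CAHostObject: Unable to get information from $($_.DisplayName)" }
 }
 }
 }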
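Review bot: The credential branch still passes the distinguished name positionally (`Get-ADObject $_.CAHostDistinguishedName ...`) while the other branch now uses `-Identity`; use `-Identity $_.CAHostDistinguishedName` in both so the two calls stay parallel. The new warning also does not say why the CA was skipped, and since the same commit makes Find-ESC7 filter on `CAHostDistinguishedName`, a CA without that value appears to drop out of the ESC7 check; a message such as `Write-Warning "Get-CAHostObject: $($_.DisplayName) has no CAHostDistinguishedName; CA host object not retrieved"` would make that coverage gap visible to the operator. A lookup that fails for a DN that is present is still not handled in either branch. The function's parameters (`$ADCSObjects`, `$ForestGC`, `$Credential`) are declared outside this hunk.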
