ps/Modules/Alkami.PowerShell.SDK/Public/Get-SDKUserMatrix.ps1

function Get-SDKUserMatrix {
    <#
    .SYNOPSIS
    Returns the matrix of SDK service identities: Windows username, domain username (when the
    account resolves in AD), tenant DbRole, server-level ServerRole, whether it is a gMSA,
    whether it needs certificate access, and whether it is also granted on AlkamiMaster.
    .DESCRIPTION
    gMSA account = Group Managed Service Account, a Microsoft AD component.
    DbRole = tenant database role as assigned (and, for IsMaster entries, on AlkamiMaster as well).
    ServerRole = SQL Server/instance role assigned if created.

    Every entry in the matrix carries DbRole db_owner and ServerRole sysadmin, so this list is the
    privilege-grant surface for these identities; changes here should be reviewed against
    least-privilege expectations.

    Domain membership is resolved through Get-ADServiceAccount and the finished list is cached in
    $global:sqlUserAccountList for the rest of the session. Any lookup failure, including the
    cmdlet being unavailable, is swallowed: the affected entries then report IsGmsaAccount = $false
    and DomainUsername = Username, and that result is still cached. Use -Force to re-query.
    The cached list and the returned list are the same hashtable objects, so mutating a returned
    entry also mutates the cache.
    .PARAMETER Force
    Alias -Refresh
    Discards the cached list and re-queries AD to validate domain membership.
    .OUTPUTS
    Array of hashtables with keys Username, DomainUsername, DbRole, ServerRole,
    RequiresCertAccess, IsGmsaAccount, IsMaster and AppPoolName.
    #>
    param(
        [Parameter()]
        [Alias('Refresh')]
        [switch]$Force
    )

    if ($Force) {
        # Drop the cached result so the AD lookups below run again
        $global:sqlUserAccountList = $null
    }

    if ($null -ne $global:sqlUserAccountList) {
        # Membership was already resolved this session; reuse it instead of hitting AD again
        return $global:sqlUserAccountList
    }

    # Static grant matrix. NotificationService and MessageCenterService share CORP\dev.notify$.
    # Single quotes keep the trailing '$' of each gMSA sAMAccountName literal.
    $knownAccounts = @(
        @{ Username = 'IIS APPPOOL\AuditService';              DomainUsername = 'CORP\dev.audit$';          DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\BankService';               DomainUsername = 'CORP\dev.bank$';           DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $true },
        @{ Username = 'IIS APPPOOL\ContentService';            DomainUsername = 'CORP\dev.content$';        DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\CoreService';               DomainUsername = 'CORP\dev.core$';           DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\MessageCenterService';      DomainUsername = 'CORP\dev.notify$';         DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\NagConfigurationService';   DomainUsername = 'CORP\dev.nag$';            DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $true;  IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\NotificationService';       DomainUsername = 'CORP\dev.notify$';         DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\RP-STS';                    DomainUsername = 'CORP\dev.dbms$';           DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $true;  IsGmsaAccount = $false; IsMaster = $true },
        @{ Username = 'IIS APPPOOL\STSConfiguration';          DomainUsername = 'CORP\dev.stsconfig$';      DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $true },
        @{ Username = 'IIS APPPOOL\SchedulerService';          DomainUsername = 'CORP\dev.radium$';         DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $true;  IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\SecurityManagementService'; DomainUsername = 'CORP\dev.securitymgr$';    DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'NT AUTHORITY\LOCAL SERVICE';            DomainUsername = 'NT AUTHORITY\LOCAL SERVICE'; DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $true }
    )

    # Collect the foreach output into a fresh array rather than appending while iterating
    $resolved = @(
        foreach ($entry in $knownAccounts) {
            # LOCAL SERVICE is a machine-local identity and is deliberately never looked up in AD
            if ($entry.Username -notmatch 'LOCAL SERVICE') {
                $adAccount = $null
                try {
                    # sAMAccountName is the part after the domain separator
                    $samName = ($entry.DomainUsername -split '\\')[1]
                    $adAccount = Get-ADServiceAccount -Identity $samName -ErrorAction SilentlyContinue
                } catch {
                    # Not found, module missing, or no AD reachable: all treated as "not a gMSA"
                }
                if ($null -ne $adAccount) {
                    # A matching AD service account exists, so record it as group managed
                    $entry.IsGmsaAccount = $true
                } else {
                    # No domain identity resolved; fall back to the local Windows username
                    $entry.DomainUsername = $entry.Username
                }
            }

            # IIS identities expose the pool name after the backslash; everything else gets ''
            $entry.AppPoolName = if ($entry.Username -match 'IIS APPPOOL') {
                ($entry.Username -split '\\')[1]
            } else {
                ''
            }

            $entry
        }
    )

    # Cache for the rest of the session so repeat callers skip the AD round-trips
    $global:sqlUserAccountList = $resolved
    return $resolved
}