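function Get-SDKUserMatrix {
    <#
    .SYNOPSIS
    Get the matrix of SDK Users, AppPoolIdentity, DomainUsername if on the domain, tenant DbRole, global database ServerRole, if it's a gMSA Account, and if it affects the AlkamiMaster table

    .DESCRIPTION
    gMSA account = Group Managed Service Account, a Microsoft AD component
    DbRole = Tenant database role as assigned (and for IsMaster, those on AlkamiMaster as well)
    ServerRole = SQL Server/instance role assigned if created

    Each returned hashtable carries: Username, DomainUsername, DbRole, ServerRole,
    RequiresCertAccess, IsGmsaAccount, IsMaster and AppPoolName (the part of Username
    after 'IIS APPPOOL\', or '' for identities that are not app pools).

    The domain lookup (Get-ADServiceAccount) is best-effort: when the ActiveDirectory
    module is not available, the host is not domain-joined, or the account does not
    exist, the entry is treated as a local identity and DomainUsername is reset to
    Username. The reason is written to the verbose stream rather than swallowed.

    The result is cached in $global:sqlUserAccountList so the AD lookups run once per
    session; pass -Force to discard the cache and re-query.

    NOTE(review): every entry in this matrix is db_owner/sysadmin. Callers that provision
    SQL logins from it (presumably elsewhere in this module - confirm) therefore grant
    full instance control, so additions to the list deserve a privilege review.

    .PARAMETER Force
    Alias -Refresh
    Used to refetch the list of accounts to validate domain membership

    .OUTPUTS
    hashtable[] - one entry per SDK account, in declaration order.
    #>
    param(
        [Parameter()]
        [Alias('Refresh')]
        [switch]$Force
    )

    if ($Force) {
        # Clear it so we reprocess
        $global:sqlUserAccountList = $null
    }

    if ($null -ne $global:sqlUserAccountList) {
        # We calculate the AD group membership here, so don't spend the time or network resources re-querying for that
        return $global:sqlUserAccountList
    }

    # Static definition of the SDK service identities. Single quotes keep the trailing '$'
    # (gMSA naming convention) and backslashes literal.
    # NOTE(review): MessageCenterService and NotificationService share 'CORP\dev.notify$';
    # presumably intentional (one identity for both pools) - confirm before changing.
    $accountList = @(
        @{ Username = 'IIS APPPOOL\AuditService';              DomainUsername = 'CORP\dev.audit$';       DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\BankService';               DomainUsername = 'CORP\dev.bank$';        DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $true  },
        @{ Username = 'IIS APPPOOL\ContentService';            DomainUsername = 'CORP\dev.content$';     DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\CoreService';               DomainUsername = 'CORP\dev.core$';        DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\MessageCenterService';      DomainUsername = 'CORP\dev.notify$';      DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\NagConfigurationService';   DomainUsername = 'CORP\dev.nag$';         DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $true;  IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\NotificationService';       DomainUsername = 'CORP\dev.notify$';      DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\RP-STS';                    DomainUsername = 'CORP\dev.dbms$';        DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $true;  IsGmsaAccount = $false; IsMaster = $true  },
        @{ Username = 'IIS APPPOOL\STSConfiguration';          DomainUsername = 'CORP\dev.stsconfig$';   DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $true  },
        @{ Username = 'IIS APPPOOL\SchedulerService';          DomainUsername = 'CORP\dev.radium$';      DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $true;  IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'IIS APPPOOL\SecurityManagementService'; DomainUsername = 'CORP\dev.securitymgr$'; DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $false },
        @{ Username = 'NT AUTHORITY\LOCAL SERVICE';            DomainUsername = 'NT AUTHORITY\LOCAL SERVICE'; DbRole = 'db_owner'; ServerRole = 'sysadmin'; RequiresCertAccess = $false; IsGmsaAccount = $false; IsMaster = $true }
    )

    # Collect the enriched entries into a fresh array in one pass instead of '+=' (which
    # copies the array on every iteration). The hashtables are mutated in place; that is
    # safe because $accountList itself is never modified while enumerating it.
    $returnList = @(foreach ($account in $accountList) {
        # Don't try to see if Local Service is on the domain, it's _local_ for a reason
        if ($account.Username -notmatch 'LOCAL SERVICE') {
            $serviceAccount = $null
            try {
                $serviceAccount = (Get-ADServiceAccount -Identity ($account.DomainUsername -split '\\')[1] -ErrorAction SilentlyContinue)
            } catch {
                # Best-effort lookup: the ActiveDirectory module may be missing (CommandNotFound)
                # or the host may not be domain-joined. Record why instead of dropping it silently.
                Write-Verbose "Get-SDKUserMatrix: AD lookup for '$($account.DomainUsername)' failed: $($_.Exception.Message)"
            }

            if ($null -ne $serviceAccount) {
                # found an AD account that matches, use that as a group managed service account (it's a service account, per above)
                $account.IsGmsaAccount = $true
            } else {
                # Not resolvable in AD: fall back to the local identity name
                $account.DomainUsername = $account.Username
            }
        }

        if ($account.Username -match 'IIS APPPOOL') {
            $account.AppPoolName = ($account.Username -split '\\')[1]
        } else {
            $account.AppPoolName = ''
        }

        $account
    })

    # save time recalculating
    $global:sqlUserAccountList = $returnList
    return $returnList
}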