Skip to content

[WIP] Add condition to check for members of Pre-Windows 2000 group#237

Merged
rebelinux merged 2 commits intodevfrom
copilot/add-check-for-pre-windows-group
Feb 28, 2026
Merged

[WIP] Add condition to check for members of Pre-Windows 2000 group#237
rebelinux merged 2 commits intodevfrom
copilot/add-check-for-pre-windows-group

Conversation

Copy link
Contributor

Copilot AI commented Feb 28, 2026
edited
Loading

  • Explore codebase and understand existing health check patterns
  • Add Pre-Windows 2000 Compatible Access group membership check to Get-AbrADDomainObject.ps1
    • Check group members (SID: S-1-5-32-554) using pre-loaded $GroupOBj collection
    • Resolve member DNs to human-readable names with type (USER, COMPUTER, GROUP, FOREIGN SECURITY PRINCIPAL)
    • Handles FSPs (e.g. "Authenticated Users") via the $FSP collection and msds-principalname property
    • Apply Critical style warning for Authenticated Users or Anonymous Logon members
    • Add security health check explanation text
    • Debug timer placed correctly outside the Section block
  • Validated PowerShell syntax (no parse errors)
  • Run code review and addressed feedback
  • Run security scan (CodeQL does not analyze PowerShell)
Original prompt

This section details on the original issue you should resolve

<issue_title>HealthCheck - Members of Pre-Windows 2000 Compatible Access group</issue_title>
<issue_description>### Description

Add condition to check for Members of Pre-Windows 2000 Compatible Access group

https://www.semperis.com/blog/security-risks-pre-windows-2000-compatibility-windows-2022/

PS C:\Users\administrator.PHARMAX> Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' | Get-ADGroupMember


distinguishedName : CN=ACADE-DC-01V,OU=Domain Controllers,DC=acad,DC=pharmax,DC=local
name              : ACADE-DC-01V
objectClass       : computer
objectGUID        : 0748e0ab-3b9d-48bd-bf9f-c202806f1774
SamAccountName    : ACADE-DC-01V$
SID               : S-1-5-21-370360276-377477351-3184454278-1000

distinguishedName :
name              : Authenticated Users
objectClass       :
objectGUID        : 00000000-0000-0000-0000-000000000000
SamAccountName    : Authenticated Users
SID               : S-1-5-11



PS C:\Users\administrator.PHARMAX>

Additional Context

No response

Before submitting

  • I have read the documentation, and referred to the known issues before submitting this change request.
  • I have checked for previously opened & closed issues before submitting this change request.</issue_description>

Comments on the Issue (you are @copilot in this section)

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

@github-actions
Copy link

github-actions bot commented Feb 28, 2026

PSScriptAnalyzer results:

Errors: [0], Warnings: [15], Information: [0]


RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADGPO.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDomainObject.ps1
Line       : 19
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADAuthenticationPolicy.ps1
Line       : 20
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADTrust.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADCACRLSetting.ps1
Line       : 22
Message    : The parameter 'CA' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : ConvertTo-ADObjectName.ps1
Line       : 21
Message    : The parameter 'DC' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDomain.ps1
Line       : 20
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADKerberosAudit.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADOU.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 21
Message    : The parameter 'Filter' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 22
Message    : The parameter 'Properties' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 23
Message    : The parameter 'SelectPrty' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : ConvertTo-ADCanonicalName.ps1
Line       : 20
Message    : The parameter 'Domain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDFSHealth.ps1
Line       : 20
Message    : The parameter 'DCs' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Invoke-AsBuiltReport.Microsoft.AD.ps1
Line       : 21
Message    : The parameter 'Credential' has been declared but not used.

@rebelinux
Add health check for Pre-Windows 2000 Compatible Access group membership
9680f5a 
Co-authored-by: rebelinux <1002783+rebelinux@users.noreply.github.com>
@github-actions
Copy link

github-actions bot commented Feb 28, 2026

PSScriptAnalyzer results:

Errors: [0], Warnings: [15], Information: [0]


RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADGPO.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDomainObject.ps1
Line       : 19
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADAuthenticationPolicy.ps1
Line       : 20
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADTrust.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADCACRLSetting.ps1
Line       : 22
Message    : The parameter 'CA' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : ConvertTo-ADObjectName.ps1
Line       : 21
Message    : The parameter 'DC' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDomain.ps1
Line       : 20
Message    : The parameter 'ValidDcFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADKerberosAudit.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADOU.ps1
Line       : 20
Message    : The parameter 'ValidDCFromDomain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 21
Message    : The parameter 'Filter' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 22
Message    : The parameter 'Properties' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-ADObjectSearch.ps1
Line       : 23
Message    : The parameter 'SelectPrty' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : ConvertTo-ADCanonicalName.ps1
Line       : 20
Message    : The parameter 'Domain' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Get-AbrADDFSHealth.ps1
Line       : 20
Message    : The parameter 'DCs' has been declared but not used.

RuleName   : PSReviewUnusedParameter
Severity   : Warning
ScriptName : Invoke-AsBuiltReport.Microsoft.AD.ps1
Line       : 21
Message    : The parameter 'Credential' has been declared but not used.

@rebelinux rebelinux marked this pull request as ready for review February 28, 2026 00:59
@rebelinux rebelinux merged commit 8bfd2aa into dev Feb 28, 2026
4 checks passed
Copilot stopped work on behalf of rebelinux due to an error February 28, 2026 00:59
The session was cancelled by the user.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@rebelinux rebelinux rebelinux approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@rebelinux rebelinux

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HealthCheck - Members of Pre-Windows 2000 Compatible Access group

2 participants

@rebelinux