microsoft / CSS-Exchange

Exchange Server support tools and scripts
MIT License

[Issue] - Health Checker computer group membership check #2128

Open kadmos36 opened 1 week ago

kadmos36 commented 1 week ago

Provide Version Number: 24.06.24.2018

Describe the issue: New Group Membership check uses $env:computername instead of $server, and suggestion for hardened ADs

Expected behavior: Get membership of wanted server

Script Output: Membership of computer executing the script to check remote server

Additional context: Look at code starting in line 13480. I would suggest replacing $env:computername with $server. In addition, in our hardened Active Directory the cmdlet Get-ADPrincipalGroupMembership does not work. I would suggest using Get-ADComputer $server -Properties memberof | select -ExpandProperty memberof which works if global group membership search is prohibited in the Active Directory.

dpaulson45 commented 1 week ago

Using $env:COMPUTERNAME should not be causing a problem.

https://github.com/microsoft/CSS-Exchange/blob/0848d672668108d3f858efc30af6e7f3e4611eaa/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Get-ExchangeInformation.ps1#L207

The reason is that we are inside a ScriptBlock that will execute on the $Server variable. So, the $env:ComputerName is the remote server.

But if we are having issues with running that cmdlet in locked down environments, we will need to attempt to add in a catch for this as well. This would be similar to issue #2110 where the other cmdlet is also failing in some environments.

kadmos36 commented 1 week ago

Thank you for your quick response, David.

Okay, I hadn't thought of the ScriptBlock behaviour. Sorry. Looks like it must be wrong.

I would suggest checking whether it might be possible to modify it for hardened environments:

```powershell
try {
    # Default path: ask AD for the computer's full group membership
    $ADGroupMembership = (Get-ADPrincipalGroupMembership (Get-ADComputer $env:COMPUTERNAME).DistinguishedName -ErrorAction Stop)
} catch {
    # Hardened AD: read the memberOf attribute and resolve each DN to a group object
    $ADGroupMembership = Get-ADComputer $env:COMPUTERNAME -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Get-ADObject
}
```

This might fix it. The only Group missing in $ADGroupMembership would be Domain Computers if the catch block is hit.

dpaulson45 commented 1 week ago

That is interesting that Domain Computers doesn't show up in the other cmdlet.

We are going to need to do a little more than just what you provided, as we need to be able to get the SID and should really try to make sure we get all the same properties that we would have gotten from Get-ADPrincipalGroupMembership. I will have to look at this some more when I am back in the office.

kadmos36 commented 1 week ago

The thing with Domain Computers could be because of AD hardening.

I compared the output of the Get-ADPrincipalGroupMembership variants. The output of Get-ADComputer has the properties GroupCategory and GroupScope missing. If replaced with Get-ADGroup, the output properties are the same.
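The fallback discussed in this thread, written out as an added example that is not CSS-Exchange code: the function name is hypothetical, it assumes the RSAT ActiveDirectory module is available, and it additionally resolves the computer's primary group (normally Domain Computers) from the primaryGroupID attribute so the hardened-AD path does not silently drop it.

```powershell
# Added example (not CSS-Exchange code): hypothetical Get-ComputerGroupMembershipSafe.
# Tries Get-ADPrincipalGroupMembership first; where a hardened domain blocks that
# cmdlet, falls back to the computer's memberOf attribute resolved through
# Get-ADGroup so the same properties (SID, GroupCategory, GroupScope) come back.
# memberOf never lists the primary group, so the fallback resolves it separately.
function Get-ComputerGroupMembershipSafe {
    param(
        [Parameter(Mandatory)][string]$ComputerName
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $computer = Get-ADComputer -Identity $ComputerName -Properties memberOf, primaryGroupID -ErrorAction Stop
    $method = 'Get-ADPrincipalGroupMembership'
    try {
        $groups = @(Get-ADPrincipalGroupMembership -Identity $computer.DistinguishedName -ErrorAction Stop)
    } catch {
        # Hardened AD: global group membership search is prohibited, but each DN
        # stored in memberOf can still be read directly as a group object.
        $method = 'memberOf fallback'
        $groups = @(foreach ($dn in $computer.memberOf) {
            Get-ADGroup -Identity $dn -ErrorAction SilentlyContinue
        })
        # The primary group is stored only as a RID in primaryGroupID. Build its
        # SID from the domain SID and look the group up by SID.
        $domainSid = (Get-ADDomain).DomainSID.Value
        $primary = Get-ADGroup -Identity "$domainSid-$($computer.primaryGroupID)" -ErrorAction SilentlyContinue
        if ($primary) { $groups += $primary }
    }

    # Normalize both code paths to the same shape so the health check can
    # consume the result without caring which cmdlet produced it.
    foreach ($g in $groups) {
        [PSCustomObject]@{
            Name              = $g.Name
            SID               = $g.SID.Value
            GroupCategory     = $g.GroupCategory
            GroupScope        = $g.GroupScope
            DistinguishedName = $g.DistinguishedName
            Source            = $method
        }
    }
}

# Usage (run inside the same ScriptBlock so $env:COMPUTERNAME is the target server):
Get-ComputerGroupMembershipSafe -ComputerName $env:COMPUTERNAME | Format-Table -AutoSize
```

The Source column shows which path ran, which is useful when comparing output from a hardened domain against a default one.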