PowerShell Script/Cmdlet: Get-UserAccountControlPolicy

A PowerShell function that returns detailed information regarding how User Account Control is configured on the current system in a human-readable format.


Installation Instructions:

  1. Determine where your local scripts directory is with the following command: ([IO.DirectoryInfo](Join-Path $Profile.CurrentUserCurrentHost ".." "Scripts")).FullName
  2. Create a new file within that directory and name it Get-UserAccountControlPolicy.ps1.
  3. Copy and paste the contents below into that file and save it.
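function Get-UserAccountControlPolicy {
    <#
        .SYNOPSIS
            Displays information about the current status and configuration of User Account Control and its policies.

        .DESCRIPTION
            The `Get-UserAccountControlPolicy` cmdlet returns detailed information regarding how User Account
            Control is configured on the current system in a human-readable format.

            The values are read from the EnableLUA, ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser
            registry values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

            The status line reports User Account Control as disabled when EnableLUA is 0, or when
            ConsentPromptBehaviorAdmin is 0 (administrators are elevated without any prompt). A
            ConsentPromptBehaviorUser value of 0 denies elevation to standard users; it is a restrictive
            setting and does not cause the status line to report User Account Control as disabled.

        .PARAMETER AccountScopeType
            Determines which account scopes to return the policy information for. Accepted values are 'All'
            (Administrators and Users), 'Admin' (Administrators), 'User' (Users), and 'Both' (synonymous with
            'All'). To return only the status, pass the -Status parameter instead.

        .PARAMETER HideDescription
            Do not return the descriptions of what the User Account Control behaviour levels that are currently
            set entail.

        .PARAMETER Status
            Return only whether or not User Account Control is enabled on the system.

        .PARAMETER HideStatus
            Do not return whether or not User Account Control is enabled on the system.

        .INPUTS
            None
                You cannot pipe objects to Get-UserAccountControlPolicy.

        .OUTPUTS
            System.Object[]
                Get-UserAccountControlPolicy returns an array of objects.

        .NOTES
            This function requires PowerShell version 7.3.0 or greater.

        .EXAMPLE
            Get-UserAccountControlPolicy

            User Account Control is enabled.

            Scope          Level Description
            -----          ----- -----------
            Administrators 5     Request consent for operations involving non-Windows executables that require elevated privileges.
            Users          3     Request consent for operations that require elevated privileges.

        .EXAMPLE
            Get-UserAccountControlPolicy -AccountScopeType User -HideStatus

            Scope Level Description
            ----- ----- -----------
            Users 1     Request authentication by an administator and consent for operations that require elevated privileges.

        .EXAMPLE
            Get-UserAccountControlPolicy -Status

            User Account Control is enabled.
    #>
    [CmdletBinding(
        ConfirmImpact = 'Low',
        DefaultParameterSetName = 'HideStatusParameterSet',
        PositionalBinding = $false,
        SupportsPaging = $false,
        SupportsShouldProcess = $false
    )]
    [OutputType([Object[]])]
    [Alias('Get-UACPolicy')]
    param (
        [Parameter(ParameterSetName = 'HideStatusParameterSet')]
        [Alias('AccountScope', 'AccountType', 'Scope', 'ScopeType', 'Type')]
        [ValidateSet('Admin', 'All', 'Both', 'User', IgnoreCase = $true)]
        [String] $AccountScopeType = 'All',

        [Parameter(ParameterSetName = 'HideStatusParameterSet')]
        [Switch] $HideDescription,

        [Parameter(ParameterSetName = 'OnlyStatusParameterSet')]
        [Alias('OnlyStatus', 'StatusOnly')]
        [Switch] $Status,

        [Parameter(ParameterSetName = 'HideStatusParameterSet')]
        [Alias('HideUACStatus')]
        [Switch] $HideStatus
    )

    begin {
        #requires -Version 7.3.0
        Set-StrictMode -Version 3.0

        $Script:ConfirmPreference = $ConfirmPreference
        $Script:ErrorActionPreference = $ErrorActionPreference
        $Script:ProgressPreference = $ProgressPreference

        # Automatically hide the UAC status if an AccountScopeType other than "All" (or its synonym
        # "Both") was requested and neither the Status nor HideStatus parameters were passed.
        # "Both" is matched here as well so that it behaves exactly like "All", as the help states.
        $HideStatus = (-not $Status -and -not $HideStatus -and ($AccountScopeType -inotmatch 'all|both')) ? $true : $HideStatus

        [String] $Script:TargetLocale = (Get-UICulture).IETFLanguageTag

        # Display strings keyed by identifier. Only the English fallback is defined, so every
        # locale currently resolves to the `default` branch.
        #
        # NOTE(review): the level descriptions are the author's paraphrases. Microsoft's policy
        # documentation distinguishes administrator levels 1/2 (prompt on the secure desktop) from
        # 3/4 (prompt without the secure desktop), and describes the standard-user levels as
        # credential prompts - confirm the wording before relying on it in an audit report.
        $Script:i18nData = New-Object -TypeName 'Collections.Generic.Dictionary[String, String]';
        $(
            switch -Wildcard ($TargetLocale) {
                # English (fallback)
                default {
                    @{
                        AdminL0Desc   = 'Allow any operation that requires elevated privileges without requesting authentication or consent.'
                        AdminL1Desc   = 'Request authentication and consent for operations that require elevated privileges.'
                        AdminL2Desc   = 'Request only consent for operations that require elevated privileges.'
                        AdminL3Desc   = 'Request authentication and consent for access to the device.'
                        AdminL4Desc   = 'Request only consent for access to the device.'
                        AdminL5Desc   = 'Request consent for operations involving non-Windows executables that require elevated privileges.'
                        UserL0Desc    = 'Deny any operation that requires elevated privileges.'
                        UserL1Desc    = 'Request authentication by an administator and consent for operations that require elevated privileges.'
                        UserL2Desc    = 'Request consent without switching to secure desktop for operations that require elevated privileges.'
                        UserL3Desc    = 'Request consent for operations that require elevated privileges.'
                        UACIsEnabled  = 'User Account Control is enabled.'
                        UACIsDisabled = 'User Account Control is disabled.'
                    }
                }
            }
        ).GetEnumerator() | ForEach-Object -Process { $i18nData.Add($_.Key, $_.Value) }

        # These two values are assigned but not read anywhere else in this function.
        [String] $Script:HostAndDomainName = $Env:UserDNSDomain ? $Env:UserDNSDomain : $Env:ComputerName
        [String] $Script:CurrentUser = [Security.Principal.WindowsIdentity]::GetCurrent().Name

        [String] $Script:PolicyRegistryPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

        # Maps each account scope to a table of behaviour level -> description.
        $Script:UACBehaviour = New-Object -TypeName 'Collections.Generic.Dictionary[String, Hashtable]';
        @{
            Admin = @{
                0 = $i18nData['AdminL0Desc']
                1 = $i18nData['AdminL1Desc']
                2 = $i18nData['AdminL2Desc']
                3 = $i18nData['AdminL3Desc']
                4 = $i18nData['AdminL4Desc']
                5 = $i18nData['AdminL5Desc']
            }
            User  = @{
                0 = $i18nData['UserL0Desc']
                1 = $i18nData['UserL1Desc']
                2 = $i18nData['UserL2Desc']
                3 = $i18nData['UserL3Desc']
            }
        }.GetEnumerator() | ForEach-Object -Process { $UACBehaviour.Add($_.Key, $_.Value) }

        # The first two of the following three variables have valid ranges from zero through five
        # and zero through three, respectively.
        #
        # NOTE(review): if one of these registry values is absent and the resulting error is
        # non-terminating, the cast of the empty result yields 0 / $false, which is then reported
        # as level 0 - confirm whether that is the intended reading of a missing value.
        [Byte] $Script:UACBehaviourAdmin = Get-ItemPropertyValue -Path $PolicyRegistryPath -Name 'ConsentPromptBehaviorAdmin'
        [Byte] $Script:UACBehaviourUser = Get-ItemPropertyValue -Path $PolicyRegistryPath -Name 'ConsentPromptBehaviorUser'
        [Boolean] $Script:EnableLUA = Get-ItemPropertyValue -Path $PolicyRegistryPath -Name 'EnableLUA'

        # User Account Control is reported as disabled when EnableLUA is 0, and also when the
        # administrator level is 0: at that level administrators are elevated with no prompt at
        # all, which this function treats as effectively disabled regardless of EnableLUA.
        #
        # The standard-user level is deliberately NOT part of this test. Level 0 for standard
        # users means elevation requests are denied outright (see UserL0Desc), which is the most
        # restrictive setting; counting it as "disabled" would flag a hardened system as
        # unprotected.
        [Boolean] $Script:UACIsEnabled = [Boolean]$UACBehaviourAdmin -and $EnableLUA
    }

    process {
        # Index 0 = overall status (0 or 1), 1 = administrator level, 2 = standard-user level.
        [Collections.Generic.List[Byte]] $Script:UACPolicy = @([Byte]$UACIsEnabled, $UACBehaviourAdmin, $UACBehaviourUser)

        $Script:UACPolicyDetails = New-Object -TypeName 'Collections.Generic.Dictionary[String, Hashtable]'

        if ($AccountScopeType -imatch 'admin|all|both') {
            $UACPolicyDetails.Add('Administrators', @{
                    Level       = $UACPolicy[1]
                    # The description keys are Int32 while the level is a Byte, so the lookup
                    # compares with -eq instead of indexing the hashtable directly.
                    Description = $UACBehaviour['Admin'].GetEnumerator().Where{ $_.Key -eq $UACPolicy[1] }.Value
                })
        }

        if ($AccountScopeType -imatch 'user|all|both') {
            $UACPolicyDetails.Add('Users', @{
                    Level       = $UACPolicy[2]
                    Description = $UACBehaviour['User'].GetEnumerator().Where{ $_.Key -eq $UACPolicy[2] }.Value
                })
        }
    }

    end {
        [Collections.Generic.List[String]] $Script:FormatTablePropertyValue = $HideDescription ? @('Scope', 'Level') : @('Scope', 'Level', 'Description')

        return $(
            if (-not $HideStatus) {
                # The status line goes to the host, not to the output stream.
                if (-not $UACPolicy[0]) {
                    Write-Host -Object "`n$($i18nData['UACIsDisabled'])" -ForegroundColor 'Red'
                }
                else {
                    Write-Host -Object "`n$($i18nData['UACIsEnabled'])" -ForegroundColor 'Green'
                }
            }

            if (-not $Status) {
                # Build the rows as objects with string-valued columns rather than joining the
                # fields with commas and re-parsing them as CSV: a description that contained a
                # comma would otherwise be cut off at that comma.
                $UACPolicyDetails.GetEnumerator() |
                    ForEach-Object -Process {
                        [PSCustomObject]@{
                            Scope       = $_.Key
                            Level       = [String]$_.Value.Level
                            Description = [String]$_.Value.Description
                        }
                    } |
                    Format-Table -Property $FormatTablePropertyValue
            }
        )
    }

    clean {
        #Remove-Item -Path 'Class:UACBehaviour'
    }
}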

Magic Spearmint
