Get-UserProfiles
Description
Gathers information about user profiles.
Requirements
- PowerShell v5
Usage
- Searches HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ for existing profiles.
- For each profile, the script performs the following steps:
  - Attempts to translate the System.Security.Principal.SecurityIdentifier object created from the user SID to a System.Security.Principal.NTAccount. This is used to validate the username.
    - If this process fails, the username will be inferred from the ProfileImagePath.
      - Example: C:\users\username would be inferred as username.
  - Validates if the user is a local user by comparing against the output from Get-LocalUser.
  - Checks if the user is a local admin via the Test-LocalAdminAccess function.
    - Starts with the Administrators local group and searches for membership of the target user. If the user is found to be a member, the function returns $true. If not, any subgroups are recursively searched.
  - Checks for the last login time of the user using the Get-LoginEvents function.
    - Uses an event log filter to search for the target user SID login events.
    - If no events are returned by Get-LoginEvents, the Win32_NetworkLoginProfile WMI class is searched.
  - The profile size is determined via Get-ChildItem against the ProfileImagePath. It returns the size in megabytes rounded to two decimal places.
  - Creates a [pscustomobject] and adds it to the return array.
- Local users that are detected but do not have a valid user profile created are then processed.
  - Checks if the user is a local admin via the Test-LocalAdminAccess function.
  - Creates a [pscustomobject] and adds it to the return array.
- Returns the composed array.
.\Get-UserProfiles.ps1
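The first two per-profile steps described above (SID translation with the ProfileImagePath fallback, then the Get-LocalUser comparison), as an added example that is not the code of Get-UserProfiles.ps1. The helper name Resolve-ProfileUserName and the output property names are assumptions made for illustration.

```powershell
# Added example; not taken from Get-UserProfiles.ps1.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Hypothetical helper: resolve a profile SID to a username and record how it was obtained.
function Resolve-ProfileUserName {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [string]$ProfileImagePath
    )
    try {
        $sidObject = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        $account   = $sidObject.Translate([System.Security.Principal.NTAccount])
        [pscustomobject]@{ UserName = $account.Value; Source = 'SidTranslation' }
    }
    catch {
        # Translate() throws IdentityNotMappedException for SIDs that no longer
        # map to an account (for example a deleted user whose profile remains).
        # Fall back to the last path segment of ProfileImagePath.
        $name = if ($ProfileImagePath) { Split-Path -Path $ProfileImagePath -Leaf } else { $null }
        [pscustomobject]@{ UserName = $name; Source = 'ProfileImagePath' }
    }
}

# SIDs of local accounts, used to decide whether a profile belongs to a local user.
$localSids = @(Get-LocalUser | ForEach-Object { $_.SID.Value })

Get-ChildItem -Path $profileListKey | ForEach-Object {
    $sid       = $_.PSChildName
    $imagePath = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
    $resolved  = Resolve-ProfileUserName -Sid $sid -ProfileImagePath $imagePath

    [pscustomobject]@{
        Sid              = $sid
        UserName         = $resolved.UserName
        NameSource       = $resolved.Source   # 'ProfileImagePath' means the name was inferred, not validated
        IsLocalUser      = $localSids -contains $sid
        ProfileImagePath = $imagePath
    }
}
```

Rows with NameSource set to ProfileImagePath carry an unvalidated name: the profile folder can differ from the account name (renamed accounts, or suffixed folders such as username.DOMAIN), so treat those entries as leads for review rather than confirmed identities.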
Output
- .\Get-UserProfiles-log.txt