# If RootDirectory has a trailing backslash, remove it (AccessChk doesn't handle it correctly).
# Entities for which to ignore write permissions.
# TrustedInstaller is always ignored; other NT SERVICE\ accounts are filtered
# out later (too many to list and too many unknown).
# The Package SIDs below (S-1-15-2-*) are associated with microsoft.windows.fontdrvhost and
# are not a problem. AppContainers never grant additional access; they only reduce access.
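# Principals whose write permissions are never reported as findings.
# Kept as a *literal* (single-quoted) here-string: none of these entries needs
# variable expansion, and a literal block cannot be accidentally interpolated
# if a future entry happens to contain a '$' (the expanding @"..."@ form would).
#   S-1-5-32-544 is the local Administrators group (its members are added below
#   via Get-LocalGroupMember); the remaining S-1-5-* / S-1-5-32-* values are
#   well-known and built-in SIDs, and the S-1-15-2-* values are the two
#   fontdrvhost package SIDs described above.
$FilterOut0 = @'
S-1-3-0
S-1-5-18
S-1-5-19
S-1-5-20
S-1-5-32-544
S-1-5-32-549
S-1-5-32-550
S-1-5-32-551
S-1-5-32-577
S-1-5-32-559
S-1-5-32-568
NT SERVICE\TrustedInstaller
S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394
S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523
'@
# Build the comma-separated filter list from the built-in entries plus the
# caller-supplied "known admins" ($KnownAdmins is defined outside this block and
# may be $null, a single string, or an array).
# Each entry is trimmed so stray whitespace on a caller-supplied name (e.g.
# " CONTOSO\ServerAdmins") cannot silently fail to match later; blank entries
# (including the empty strings produced by CR/LF splitting) are dropped.
$FilterOut = @(
    ($FilterOut0 -split '\r?\n') + $KnownAdmins |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_.Length -gt 0 }
) -join ","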
# Add all members of the local Administrators group, as the Effective Permissions
# APIs consider them to be administrators also.
# For some reason, Get-LocalGroup/Get-LocalGroupMember aren't available on WMFv5.0 on Win7;
# Verify whether command exists before using it. The commands are available on Win7 in v5.1.
if ($null -ne (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue))
{
#TODO: Detect and handle the case where this cmdlet fails (e.g. machine is disconnected from the domain and the
#      Administrators group contains domain SIDs that cannot be resolved). Because the call below uses
#      -ErrorAction SilentlyContinue, a failure leaves $FilterOut without those members, so their write
#      permissions will be reported as findings (noise / false positives, not missed findings).
#FWIW, NET LOCALGROUP Administrators doesn't report these entries either.
#Also fails on AAD-joined, with unresolved SIDs beginning with S-1-12-1-...
Get-LocalGroupMember -SID S-1-5-32-544 -ErrorAction SilentlyContinue | ForEach-Object { $FilterOut += "," + $_.SID.Value }