I am using PowerShell on Windows 7. I have the following code snippet and wanted to know
Why am I not getting the SID to translate to a friendly username (on the domain)?
$OutFile = "I:\Permissions.csv"
$RootPath = "K:\FolderName"
$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}
foreach ($Folder in $Folders)
{
    $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access }
    Foreach ($ACL in $ACLs)
    {
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($ACL.IdentityReference.Value)
        #$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
        $objUser = $objSID.Translate([System.Security.Principal.SecurityIdentifier])
        $objUser.Value
        #Show User
        Write-Host "`r`nThe user mapped to SID $($objSID) is $($objUser.value)`r`n" -f "Red"
        $OutInfo = $Folder.Fullname + "," + $objUser.Value + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
        Add-Content -Value $OutInfo -Path $OutFile
    }
}
Desired Output would be the SAM account name. (not the Display Name)
John.Smith1
John.Smith
IdentityReference is a SecurityIdentifier-object or NTAccount-object, not the SID-value as a string, which is what you would need for the SecurityIdentifier constructor. If you need to access the SID as a string, you need to access $ACL.IdentityReference.Value.
Try this:
$RootPath = "K:\FolderName"
$OutFile = "I:\Permissions.csv"   # output file, as in the question
$Folders = dir $RootPath | where {$_.psiscontainer -eq $true}
foreach ($Folder in $Folders)
{
    $ACLs = get-acl $Folder.fullname
    $ACLs.Access | ForEach-Object {
        $ACL = $_
        #IdentityReference may already be a SID- or a NTAccount-object.
        #Get SID-object
        $objSID = $ACL.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        #Translate to NTAccount-object
        $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
        #Show User
        Write-Host "`r`nThe user mapped to SID $($objSID) is $($objUser.value)`r`n" -f "Red"
        #Write the resolved DOMAIN\user name (the NTAccount value) to the CSV line
        $OutInfo = $Folder.Fullname + "," + $objUser.Value + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
        Add-Content -Value $OutInfo -Path $OutFile
    }
}
You can use a fairly simple ADSI lookup to pull the user's distinguishedname. Try this out:
$DName = ([adsi]"LDAP://<SID=$($ACL.IdentityReference.value)>").distinguishedName
$DName should now contain a string with something like 'CN=JSmith,OU=Users,DC=something,DC=com'
To just get the user's name from that you can split the string a couple times since it is = and , delimited:
$strUser = $dname.split("=")[1].split(",")[0]
To translate a SID String to an NTAccount:
$exampleSidString = 'S-1-5-21-768745588-123456789-987654321-500'
$objSID = New-Object System.Security.Principal.SecurityIdentifier $exampleSidString
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount] )
$objUser.Value
However, if you already have an IdentityReference (of which both SecurityIdentifier and NTAccount are subclasses), you can go straight to the translate function:
$objUser = $ACL.IdentityReference.Translate( [System.Security.Principal.NTAccount] )
$objUser.Value
Check this link out for more information
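Putting the three answers together as one script (this is an added example, not code from the question or from any of the answers above): it translates each ACE's IdentityReference to a SecurityIdentifier and then to an NTAccount as the first and third answers describe, uses the second answer's `LDAP://<SID=...>` ADSI binding to read the sAMAccountName attribute directly (so the report carries the logon name the question asks for, without splitting a distinguished name), and keeps running when a SID no longer maps to an account, which is what usually breaks these exports. The root path and output file are the question's values; the function names, the `UNRESOLVED` marker and the assumption that the script runs with the PowerShell 2.0 syntax shipped on Windows 7 are mine.

```powershell
# Added example, not code from the question or any of the answers above.
# Audits a folder tree's ACEs, resolves each IdentityReference to DOMAIN\name
# and to the sAMAccountName (the logon name the question asks for), and keeps
# going when a SID no longer maps to an account. Syntax is kept PowerShell
# 2.0-compatible, since Windows 7 ships with that version (assumption).
$RootPath = 'K:\FolderName'        # assumption: tree to audit (from the question)
$OutFile  = 'I:\Permissions.csv'   # assumption: report location (from the question)

function Resolve-AceIdentity {
    # Returns SID string, DOMAIN\name (or UNRESOLVED) and sAMAccountName (or '').
    param([System.Security.Principal.IdentityReference]$Identity)

    # IdentityReference may already be a SecurityIdentifier or an NTAccount;
    # Translate() normalises either one to a SecurityIdentifier object.
    $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])

    $ntAccount = 'UNRESOLVED'
    try {
        $ntAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Orphaned SID (account deleted): a stale ACE worth flagging, not a
        # reason to abort the whole export.
    }

    # Only domain SIDs (S-1-5-21-...) exist in AD; BUILTIN and well-known SIDs
    # such as S-1-5-32-544 have no directory object to query.
    $sam = ''
    if ($sid.Value -like 'S-1-5-21-*') {
        try {
            $entry = [adsi]"LDAP://<SID=$($sid.Value)>"
            $sam = [string]$entry.Properties['sAMAccountName'].Value
        } catch {
            $sam = ''   # not found in the directory (or no domain reachable)
        }
    }

    New-Object PSObject -Property @{
        SID            = $sid.Value
        NTAccount      = $ntAccount
        SamAccountName = $sam
    }
}

function Get-FolderAceReport {
    # One output object per ACE, in a fixed column order for Export-Csv.
    param([string]$Path, [switch]$Recurse)

    $folders = Get-ChildItem -Path $Path -Recurse:$Recurse |
               Where-Object { $_.PSIsContainer }
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            $who = Resolve-AceIdentity -Identity $ace.IdentityReference
            New-Object PSObject -Property @{
                Folder            = $folder.FullName
                SID               = $who.SID
                NTAccount         = $who.NTAccount
                SamAccountName    = $who.SamAccountName
                Rights            = $ace.FileSystemRights
                AccessControlType = $ace.AccessControlType
                IsInherited       = $ace.IsInherited
                InheritanceFlags  = $ace.InheritanceFlags
                PropagationFlags  = $ace.PropagationFlags
            } | Select-Object Folder, SID, NTAccount, SamAccountName, Rights,
                              AccessControlType, IsInherited, InheritanceFlags,
                              PropagationFlags
        }
    }
}

# Export-Csv quotes every field, so a comma in a path or group name cannot
# shift columns the way the string concatenation in the question can.
Get-FolderAceReport -Path $RootPath -Recurse |
    Export-Csv -Path $OutFile -NoTypeInformation

# The rows a reviewer cares about first: ACEs granted to SIDs that no longer
# resolve, which should be cleaned up rather than left in place.
Import-Csv -Path $OutFile |
    Where-Object { $_.NTAccount -eq 'UNRESOLVED' } |
    Format-Table Folder, SID, Rights -AutoSize
```

Two points a practitioner will want to check when running this: `Translate()` to NTAccount throws `IdentityNotMappedException` for a deleted account, so the per-ACE try/catch is what keeps a long export from stopping halfway through the tree, and the ADSI lookup is skipped for non-domain SIDs because BUILTIN and well-known principals have no directory object and would otherwise produce a bind error for every folder.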