[英]List of permissions for a folder and it's subfolder
我在 Windows 7 上使用 PowerShell。我有以下代码片段,想知道
为什么我没有将 SID 转换为友好的用户名(在域上)?
$OutFile = "I:\Permissions.csv"
$RootPath = "K:\FolderName"
$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}
foreach ($Folder in $Folders)
{
$ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access }
Foreach ($ACL in $ACLs)
{
$objSID = New-Object System.Security.Principal.SecurityIdentifier($ACL.IdentityReference.Value)
#$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser = $objSID.Translate([System.Security.Principal.SecurityIdentifier])
$objUser.Value
#Show User
Write-Host “`r`nThe user mapped to SID $($objSID) is $($objUser.value)`r`n” -f “Red”
$OutInfo = $Folder.Fullname + "," + $objUser.Value + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
Add-Content -Value $OutInfo -Path $OutFile
}
}
所需的输出将是 SAM 帐户名称。 (不是显示名称)
John.Smith1
John.Smith
IdentityReference
是一个SecurityIdentifier
或NTAccount
,而不是作为字符串的 SID 值,这是SecurityIdentifier
构造函数所需要的。 如果需要以字符串形式访问 SID,则需要访问$ACL.IdentityReference.Value
。
尝试这个:
$RootPath = "K:\FolderName"
#Define $OutFile
#Define $Dname
$Folders = dir $RootPath | where {$_.psiscontainer -eq $true}
foreach ($Folder in $Folders)
{
$ACLs = get-acl $Folder.fullname
$ACLs.Access | ForEach-Object {
$ACL = $_
#IdentityReference may already be a SID- or a NTAccount-object.
#Get SID-object
$objSID = $ACL.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
#Translate to NTAccount-object
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
#Show User
Write-Host "`r`nThe user mapped to SID $($objSID) is $($objUser.value)`r`n" -f "Red"
$OutInfo = $Folder.Fullname + "," + $DName.Value + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
Add-Content -Value $OutInfo -Path $OutFile
}
}
您可以使用相当简单的 ADSI 查找来提取用户的专有名称。 试试这个:
$DName = ([adsi]"LDAP://<SID=$($ACL.IdentityReference.value)>").distinguishedName
$DName 现在应该包含一个类似于 'CN=JSmith,OU=Users,DC=something,DC=com' 的字符串
要从中获取用户名,您可以将字符串拆分几次,因为它是=
和,
分隔:
$strUser = $dname.split("=")[1].split(",")[0]
要将 SID 字符串转换为 NTAccount:
$exampleSidString = 'S-1-5-21-768745588-123456789-987654321-500'
$objSID = New-Object System.Security.Principal.SecurityIdentifier $exampleSidString
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount] )
$objUser.Value
但是,如果您已经有一个 Identity Reference(其中 SecurityIdentifier 和 NTAccount 都是其子类),您可以直接使用 transate 函数:
$objUser = $ACL.IdentityReference.Translate( [System.Security.Principal.NTAccount] )
$objUser.Value
查看此链接以获取更多信息
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.