我有一个接受以下输入的脚本
“发送器IP = 10.10.10.10”
应该返回登录的最后一个用户。
首先,它将尝试检测操作系统
其次,它将尝试检测用户配置文件
最后,它会尝试将安全标识符转换为用户帐户,即DOMAIN \ username
以下是代码的相关部分
$Sender_IP = $my_hash.Get_Item("sender-ip")
try
{
<#Gather information on the computer corresponding to $Sender_IP#>
$Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Sender_IP -ErrorAction Stop
}
catch [Exception]
{
$userId = "Unknown/CannotDetectOS "
return $output = "userId=" + $userId
}
try
{
$Win32User = Get-WmiObject -Class Win32_UserProfile -ComputerName $Sender_IP -ErrorAction Stop
}
catch [Exception]
{
$userId = "Unknown/CannotDetectUserProfile "
return $output+= "userId=" + $userId
}
$Win32User = $Win32User | Sort-Object -Property LastUseTime -Descending
$LastUser = $Win32User | Select-Object -First 1
try
{
$UserSID = New-Object System.Security.Principal.SecurityIdentifier($LastUser.SID)
$userId = $UserSID.Translate([System.Security.Principal.NTAccount])
}
catch [Exception]
{
$userId = "Unknown/CannotDetectUserSID "
return $output = "userId=" + $userId
}
$userId = $userId.Value
if ($userId -ne $NULL){
$output = "userId=" + $userId
}
elseif ($userID -eq $NULL)
{
$userId = "Unknown/UserID"
$output = "userId=" + $userId
}
$output.replace("\","/")
据我所知,需要打开WMI服务才能检测Windows操作系统,即
$Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Sender_IP -ErrorAction Stop
和Windows用户配置文件,即
$Win32User = Get-WmiObject -Class Win32_UserProfile -ComputerName $Sender_IP -ErrorAction Stop
但是需要启用什么服务来正确翻译安全标识符,即
$Win32User = $Win32User | Sort-Object -Property LastUseTime -Descending
$LastUser = $Win32User | Select-Object -First 1
try
{
$UserSID = New-Object System.Security.Principal.SecurityIdentifier($LastUser.SID)
$userId = $UserSID.Translate([System.Security.Principal.NTAccount])
}
catch [Exception]
{
$userId = "Unknown/CannotDetectUserSID "
return $output = "userId=" + $userId
}
一周我将使用“sender-ip = 10.10.10.10”运行脚本并获取实际用户,下周脚本将抛出“CannotDetectUserProfile”,下周脚本将抛出“CannotDetectOS”等等
需要启用哪些服务,我可以通过PowerShell远程执行此操作吗?