Permission list for a folder and its subfolders

Time: 2014-03-28 16:14:39

Tags: windows powershell windows-7 powershell-v2.0

I am using PowerShell on Windows 7. I have the following snippet and would like to know why I am not getting the SID translated to a friendly user name (on the domain)?

$OutFile = "I:\Permissions.csv"
$RootPath = "K:\FolderName"

$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}

foreach ($Folder in $Folders)
{
    $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access  }
    Foreach ($ACL in $ACLs)
    {

        $objSID = New-Object System.Security.Principal.SecurityIdentifier($ACL.IdentityReference.Value) 
        #$objUser = $objSID.Translate([System.Security.Principal.NTAccount]) 
        $objUser = $objSID.Translate([System.Security.Principal.SecurityIdentifier])
        $objUser.Value


        #Show User
        Write-Host "`r`nThe user mapped to SID $($objSID) is $($objUser.value)`r`n" -f "Red"

        $OutInfo = $Folder.Fullname + "," + $objUser.Value  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
        Add-Content -Value $OutInfo -Path $OutFile
    }
}

The desired output would be the SAM account name (not the display name):

John.Smith1
John.Smith

3 Answers:

Answer 0: (score: 1)

IdentityReference is a SecurityIdentifier object or an NTAccount object, not the SID value as a string, which is what the SecurityIdentifier constructor requires. If you need the SID as a string, you have to access $ACL.IdentityReference.Value

Try this:

$RootPath = "K:\FolderName"
$OutFile = "I:\Permissions.csv"   # define the output file before the loop

# -recurse keeps the subfolders the question asks about
$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}

foreach ($Folder in $Folders)
{
    $ACLs = get-acl $Folder.fullname

    $ACLs.Access | ForEach-Object { 
        $ACL = $_

        #IdentityReference may already be a SID- or a NTAccount-object. 
        #Get SID-object
        $objSID = $ACL.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        #Translate to NTAccount-object (DOMAIN\SamAccountName)
        $objUser = $objSID.Translate([System.Security.Principal.NTAccount]) 

        #Show User
        Write-Host "`r`nThe user mapped to SID $($objSID) is $($objUser.value)`r`n" -f "Red"

        #Write the resolved account name to the CSV line
        $OutInfo = $Folder.Fullname + "," + $objUser.Value  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
        Add-Content -Value $OutInfo -Path $OutFile
    }
}
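A fuller version of the same approach, added here as an example and not code from the question or the answer: it walks the tree, translates each ACE identity to DOMAIN\SamAccountName, writes the result with Export-Csv (which quotes fields, so commas in paths or flag lists do not corrupt the file), and keeps ACEs whose SID no longer resolves rather than letting the translate exception abort the run. Unresolved SIDs on a file server usually belong to deleted accounts and are exactly the entries a permissions review wants to see. $RootPath and $OutFile are the placeholder paths from the question; the function name Resolve-AceIdentity is my own. Only PowerShell 2.0 syntax is used, matching the question's tag.

```powershell
# Added example, not code from the question or either answer.
# Walks a folder tree, resolves every ACE identity to DOMAIN\SamAccountName,
# and reports ACEs whose SID no longer resolves instead of dropping them.
# $RootPath and $OutFile are the placeholder paths from the question.
$RootPath = "K:\FolderName"
$OutFile  = "I:\Permissions.csv"

function Resolve-AceIdentity {
    param([System.Security.Principal.IdentityReference]$Identity)

    $sid = $null
    try {
        # Works whether Get-Acl handed back an NTAccount or a SecurityIdentifier
        $sid      = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
        $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $resolved = $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Deleted or unreachable account: keep the raw SID so the ACE still shows up
        if ($sid) { $account = $sid.Value } else { $account = $Identity.Value }
        $resolved = $false
    }

    # Strip the DOMAIN\ or BUILTIN\ prefix; names without a prefix (Everyone) stay as-is
    $sam = $account.Split('\')[-1]

    New-Object PSObject -Property @{
        Account    = $account
        SamAccount = $sam
        Resolved   = $resolved
    }
}

$rows = Get-ChildItem -Path $RootPath -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $folder = $_
        try {
            $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop
        } catch {
            # Access denied on a folder should be visible, not fatal
            Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
            return   # inside ForEach-Object, return moves on to the next folder
        }
        foreach ($ace in $acl.Access) {
            $id = Resolve-AceIdentity $ace.IdentityReference
            New-Object PSObject -Property @{
                Folder           = $folder.FullName
                Account          = $id.Account
                SamAccount       = $id.SamAccount
                Resolved         = $id.Resolved
                Rights           = $ace.FileSystemRights
                Type             = $ace.AccessControlType
                Inherited        = $ace.IsInherited
                InheritanceFlags = $ace.InheritanceFlags
                PropagationFlags = $ace.PropagationFlags
            }
        }
    }

# Export-Csv quotes each field, so embedded commas cannot break the output
$rows |
    Select-Object Folder, Account, SamAccount, Resolved, Rights, Type, Inherited, InheritanceFlags, PropagationFlags |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Unresolved SIDs are usually left over from deleted accounts and deserve a review
$rows | Where-Object { -not $_.Resolved } | Format-Table Folder, Account -AutoSize
```

The SamAccount column on its own is ambiguous when more than one domain or the local machine grants access, so the full DOMAIN\name is kept beside it.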

Answer 1: (score: 1)

You can use a fairly simple ADSI lookup to pull the user's distinguished name. Try this:

$DName = ([adsi]"LDAP://<SID=$($ACL.IdentityReference.value)>").distinguishedName

$DName should now contain a string like 'CN=JSmith,OU=Users,DC=something,DC=com'

To get the user name out of that, you can split the string a couple of times, since it is delimited by = and ,:

$strUser = $dname.split("=")[1].split(",")[0]
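The CN cut out of the distinguished name is often the display-style name ("John Smith"), while the question asks for the logon name ("John.Smith"), and the split also breaks on CNs that contain an escaped comma. The following is an added example, not part of the answer above: it binds to the directory object by SID exactly as the answer does, but reads sAMAccountName from the object and checks that the object exists first, because a [adsi] cast to a non-existent path only fails when a property is touched. It assumes a domain-joined host that can reach a domain controller; the folder path is the question's placeholder and the function name Get-SamAccountFromSid is my own.

```powershell
# Added example, not part of the answer above. Looks the directory object up
# by SID as the answer does, but reads sAMAccountName from it instead of
# cutting the CN out of the distinguished name. Assumes a domain-joined host
# that can reach a domain controller.
function Get-SamAccountFromSid {
    param([string]$Sid)

    $path = "LDAP://<SID=$Sid>"
    try {
        # Exists() binds eagerly; a bare [adsi] cast only fails later,
        # when the first property of a non-existent object is read
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
            return $null   # BUILTIN\, NT AUTHORITY\, local and deleted accounts end up here
        }
    } catch {
        Write-Warning "Directory lookup failed for ${Sid}: $($_.Exception.Message)"
        return $null
    }

    $entry = [adsi]$path
    New-Object PSObject -Property @{
        DistinguishedName = [string]$entry.distinguishedName
        CN                = [string]$entry.cn
        SamAccountName    = [string]$entry.sAMAccountName
    }
}

# Resolve every ACE on one folder (path from the question); CN and logon name
# are printed side by side so the difference between them is visible.
$acl = Get-Acl -Path "K:\FolderName"
foreach ($ace in $acl.Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $obj = Get-SamAccountFromSid $sid
    if ($obj) {
        "{0,-45} CN={1,-25} sAMAccountName={2}" -f $sid, $obj.CN, $obj.SamAccountName
    } else {
        "{0,-45} not a domain object ({1})" -f $sid, $ace.IdentityReference.Value
    }
}
```

Well-known and local SIDs are not domain objects, so for those the NTAccount translation from Answer 0 remains the way to get a readable name.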

Answer 2: (score: -2)

$objSID = New-Object System.Security.Principal.SecurityIdentifier `
    ("S-1-5-21-768745588-123456789-987654321-500")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

I think you are missing the S-1-5-21-768745588-123456789-987654321-500 SID, but (I may be wrong) please check this link for more information