I am trying to set the owner of a file to a SID from another domain. This domain is not trusted, so the following does not work.
PS > (Get-Acl .).SetOwner([System.Security.Principal.NTAccount]'TESTWORLD\barry')
Exception calling "SetOwner" with "1" argument(s): "Some or all identity references could not be translated."
At line:1 char:1
+ (Get-Acl .).SetOwner([System.Security.Principal.NTAccount]'TESTWORLD\barry')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : IdentityNotMappedException
I can get the user's SID from the other domain like this:
$c = Get-Credential TESTWORLD.INVALID\AdminUser
$dc = Get-ADDomainController -Discover -DomainName TESTWORLD.INVALID -Service PrimaryDC | %{$_.HostName}
$sid = Get-ADUser -Filter {Name -eq "barry"} -Server $dc -Credential $c | %{$_.SID}
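I would then like to set this SID as the owner of the file. How can this be done?
Answer 0: (score: 0)
If DCOM traffic is allowed into the remote computer, try the following. You need to set $Path to the path local to the remote system. If you are using alternate credentials, provide the Credential value in the $OptionalCred hashtable:
Try this: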
$Path = "C:\Folder"
$OwnerSID = '<SID string>'  # SID string goes here
$Computer = $env:ComputerName
$OptionalCred = @{
# Don't use this running against local machine
#Credential = Get-Credential TESTWORLD.INVALID\AdminUser
}
$EscapedPath = [regex]::Escape($Path)
$FileSecuritySetting = Get-WmiObject Win32_LogicalFileSecuritySetting -Filter "Path='$EscapedPath'" -ComputerName $Computer @OptionalCred
$Win32SD = $FileSecuritySetting | Invoke-WmiMethod -Name GetSecurityDescriptor | select -ExpandProperty Descriptor
$NewOwner = ([wmiclass]"Win32_Trustee").PSBase.CreateInstance()
$NewOwner.SIDString = $OwnerSID
$Win32SD.Owner = $NewOwner
Invoke-WmiMethod -Path $FileSecuritySetting.__PATH -Name SetSecurityDescriptor -ArgumentList $Win32SD @OptionalCred
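
The WMI calls from the answer above, wrapped so that a malformed SID, a failed WMI call, or an owner that did not change is reported instead of passing silently. This is an added example, not the answerer's code; the function name Set-FileOwnerSid and its parameters are hypothetical, and Windows PowerShell with Get-WmiObject is assumed.

```powershell
# Added example (hypothetical helper); same WMI classes as the answer above.
function Set-FileOwnerSid {
    param(
        [Parameter(Mandatory)][string]$Path,       # path local to $ComputerName
        [Parameter(Mandatory)][string]$OwnerSid,   # SID string
        [string]$ComputerName = $env:ComputerName,
        [hashtable]$OptionalCred = @{}             # e.g. @{ Credential = Get-Credential }
    )

    # Reject a malformed SID before touching the file; the constructor throws on bad input.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($OwnerSid)

    # WQL string literals need backslashes and single quotes escaped.
    $wqlPath = $Path.Replace('\', '\\').Replace("'", "\'")
    $setting = Get-WmiObject Win32_LogicalFileSecuritySetting `
        -Filter "Path='$wqlPath'" -ComputerName $ComputerName @OptionalCred
    if (-not $setting) { throw "No security setting found for '$Path' on $ComputerName" }

    # Both WMI methods report failure through ReturnValue, not through an exception.
    $get = $setting.GetSecurityDescriptor()
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($get.ReturnValue)" }

    # The owner is given as a raw SID string, so no name translation is attempted.
    $trustee = ([wmiclass]'Win32_Trustee').PSBase.CreateInstance()
    $trustee.SIDString = $sid.Value
    $sd = $get.Descriptor
    $sd.Owner = $trustee

    $set = $setting.SetSecurityDescriptor($sd)
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor returned $($set.ReturnValue)" }

    # Read the descriptor back and compare SID strings to confirm the change took effect.
    $actual = $setting.GetSecurityDescriptor().Descriptor.Owner.SIDString
    [pscustomobject]@{
        Path        = $Path
        ExpectedSid = $sid.Value
        ActualSid   = $actual
        Match       = ($actual -eq $sid.Value)
    }
}
```

Call it as `Set-FileOwnerSid -Path 'C:\Folder' -OwnerSid $sid.Value`, where `$sid` is the value returned by the Get-ADUser query in the question, and check that `Match` is `True` in the returned object.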