Powershell中域用户的远程共享的有效权限

时间:2014-11-28 14:26:46

标签: powershell

我在这里搜索并阅读了一些主题,但我找不到我要找的东西。

基本上,我想检查特定用户对多个共享的有效权限,我想要一个脚本,如:

$user = Read-Host "Enter username"
$shares = "\\serverABC\share2","\\serverABC\share1"

foreach ($share in $shares)
{
    Cmdlet-EffectivePermissions $share
}

预期输出:

\\serverABC\share1
Full Control : No
Traverse folder / execute / file : YEs
List folder / read data : No
...

\\serverABC\share2"
Full Control : No
Traverse folder / execute / file : YEs
List folder / read data : No
...

事实上,我想在Powershell中完全采用与有效权限Tab相同的方式。

是否存在使用.NET方法(GetUserEffectivePermissions)或Get-ACL的内置解决方案(不导入任何模块,加载项......)?

enter image description here

1 个答案:

答案 0 :(得分:3)

我不知道.NET / PowerShell本地执行此操作的方法。但是,有一个PowerShell module here应该可以做你正在寻找的东西。导入后,您应该能够将伪代码修改为以下内容:

$user = Read-Host "Enter username"
$shares = "\\serverABC\share2","\\serverABC\share1"

foreach ($share in $shares) {
    Get-EffectiveAccess -Path $share -Principal $user -ListAllRights
}

返回PS对象而不是简单文本。如果格式不符合您的喜好,您可以使用一些实用程序命令来调整它的形状。以下是这样做的两个例子:

首先,对原始版本的简单更改不会返回您提到的确切格式,但它非常接近:

foreach ($share in $shares) {
    $share
    Get-EffectiveAccess -Path $share -Principal $user -ListAllRights | ForEach-Object {
        "{0}: {1}" -f $_.Permission, $_.Allowed
    }
    ""
}

接下来,一个更复杂的变化,将输出格式化为您的要求(至少我认为):

# Go through each FileSystemRights enum name and add them to a hash table if their value is
# a power of 2. This will also keep track of names that share a value, and later those can
# be combined to provide a friendly permission name
$Ht = @{}
foreach ($Name in [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])) {
    $Value = [System.Security.AccessControl.FileSystemRights]::$Name

    if ($Value.value__ -band ($Value.value__ - 1)) {
        # Not a power of 2, so ignore this
        continue
    }

    if (-not $Ht.$Value) {
        $Ht.$Value = @()
    }

    $Ht.$Value += $Name
}

# FullControl isn't a power of 2, but it's useful to test for access, so add it manually
$Ht.([System.Security.AccessControl.FileSystemRights]::FullControl) = "FullControl"

function YesNoTest {
    param(
        [System.Security.AccessControl.FileSystemRights] $EffectiveAccess,
        [System.Security.AccessControl.FileSystemRights] $AccessToTest
    )

    if (($EffectiveAccess -band $AccessToTest) -eq $AccessToTest) {
        "Yes"
    }
    else {
        "No"
    }
}

$shares | Get-EffectiveAccess -Principal $user | ForEach-Object {
    $_.DisplayName

    $EffectiveAccess = $_.EffectiveAccess
    $Ht.GetEnumerator() | sort { $_.Key.value__ } -Descending | ForEach-Object {
        "{0}: {1}" -f ($_.Value -join " / "), (YesNoTest $EffectiveAccess $_.Key)
    }
    ""
}

请注意,如果您针对远程系统运行此操作并且满足以下条件,则这将不完全准确:

  • 安全描述符包含远程系统本地的组,即非域组
  • 您正在查看的用户是其中一个本地组
    • 的成员
相关问题
最新问题