有人知道如何将Windows SDDL字符串转换为人类可读格式吗?
我最近一直在尝试完成打印机的审核。
在完成一小部分工作之后,通过手动将所有信息放入Excel并几乎失去理智之后,我决定采用不同的方法,学习如何使用PowerShell节省时间和精力,并准备更准确和更准确的在短时间内清洁文档。 我只有一个问题...除了SDDL字符串外,90%的信息非常准确,这是非常隐秘的。
我了解到,存在一种通过转换sddlstring函数转换它们的方法,但是输出仍然缺少我需要的基本信息:
- 组或用户名(例如:每个人;所有人;约翰·杜(John Doe);所有应用程序包;所有应用程序包;创建者所有者; admins; admins; admins; admins;等等。)
- 权限(打印,管理此打印机,管理文档或这些组合的任何组合)
我试图从SDDL字符串中实现的输出的示例:“ [[所有人:打印;所有应用程序包:所有应用程序包:管理文档:Creator eLlans; Creator所有者 打印,管理文档;
: 我尝试在Powershell中手动为SDDL字符串编写解析器,但是作为Powershell的新手,我发现自己已经迷路了。
我已经搜寻了互联网寻找功能或某些可以做到这一点但无济于事的代码,而且我们在公司内部的编程受到了严格的限制,因此我无法使用我知道的任何其他编程语言来帮助我。 。
有人知道是否有一种更可靠/准确的方式翻译SDDL字符串的方法?
$allprintservers = (Get-ADObject -LDAPFilter "(.......)" -properties *|Sort-Object -Unique -Property servername).servername
$prntrs = @()
foreach ($printserver in $allprintservers){
$pos = $printserver.IndexOf(".")
$PrintServerName = $printserver.Substring(0, $pos)
$printers = (Get-Printer -ComputerName $PrintServerName | Where-Object {$_.Name -notlike "......."}).Name
foreach ($printer in $printers) {
if ([string]::IsNullOrWhiteSpace($printer) -or $printer -like "........."){
$printer = "null"
break
}else{
$currentprinter = Get-Printer -ComputerName $PrintServerName | Where-Object {$_.Name -like $printer}
$name = $currentprinter.Name
$location = $currentprinter.Location
$comment = $currentprinter.Comment
$driverName = $currentprinter.DriverName
$sharedName = $currentprinter.ShareName
$shared = $currentprinter.Shared
$portName = $currentprinter.PortName
$permissions = (Get-Printer -ComputerName $PrintServerName -name $name -Full).PermissionSDDL
$translation = ConvertFrom-SddlString -sddl $permissions -type ActiveDirectoryRights | Select-Object -ExpandProperty DiscretionaryAcl
$translation = [string]::join("; ",($translation.Split("`n")))
}#else
$prntr = [PSCustomObject]@{
ServerName = $PrintServerName
PrinterName = $name
Location = $location
Comment = $comment
DriverName = $driverName
SharedName = $sharedName
Shared = $shared
PortName = $portName
UnTransACL = $permissions
TransACL = $translation
}#printer_CustomObject
$prntrs += $prntr
}#Foreach 2nd
}#foreach 1st
$prntrs | Export-Csv "..\..\PrinterAudit2022.csv" -Encoding UTF8
我删除了代码的几部分,以避免共享任何敏感信息,但它不应影响代码的逻辑。
I have been recently trying to complete an audit on printers.
After completing a small slice of the work by manually putting in all the information into excel and almost losing my mind, I decided to take a different approach and learn how to use powershell to save time and effort, and also prepare a much more accurate and clean document in a considerably shorter time span.
I only have one problem...90% of the information is incredibly accurate, apart from the SDDL strings, which were quite cryptic.
I learned that there exists a way to translate them, via the ConvertFrom-SddlString function, but the output is still lacking the essential information I need:
- Group or Username (Example: Everyone; John Doe; All Application Packages; CREATOR OWNER; Admins; etc..)
- Permissions (Print, Manage this printer, Manage Documents, or any combination of these)
Example of the output I was trying to achieve from the SDDL strings: "[Everybody: Print; All Application Packages: Manage Documents; CREATOR OWNER: Print, Manage Documents; AdminY: Print, Manage documents, Manage this printer; AdminX: Print, Manage this printer]"
The ConvertFrom-AddlString seems to be lacking some groups, and also doesn't tell you some permissions. I tried manually writing a parser for the sddl string in powershell, but being a newbie in powershell I am finding myself quite lost.
I have scoured the internet looking for a function or some code that might be able to do just that but to no avail, and we are severely limited in programming within the company, so I cannot use any other programming languages I know to help me out.
Does anyone know if there is a way to translate the SDDL strings in a more reliable/accurate manner?
$allprintservers = (Get-ADObject -LDAPFilter "(.......)" -properties *|Sort-Object -Unique -Property servername).servername
$prntrs = @()
foreach ($printserver in $allprintservers){
$pos = $printserver.IndexOf(".")
$PrintServerName = $printserver.Substring(0, $pos)
$printers = (Get-Printer -ComputerName $PrintServerName | Where-Object {$_.Name -notlike "......."}).Name
foreach ($printer in $printers) {
if ([string]::IsNullOrWhiteSpace($printer) -or $printer -like "........."){
$printer = "null"
break
}else{
$currentprinter = Get-Printer -ComputerName $PrintServerName | Where-Object {$_.Name -like $printer}
$name = $currentprinter.Name
$location = $currentprinter.Location
$comment = $currentprinter.Comment
$driverName = $currentprinter.DriverName
$sharedName = $currentprinter.ShareName
$shared = $currentprinter.Shared
$portName = $currentprinter.PortName
$permissions = (Get-Printer -ComputerName $PrintServerName -name $name -Full).PermissionSDDL
$translation = ConvertFrom-SddlString -sddl $permissions -type ActiveDirectoryRights | Select-Object -ExpandProperty DiscretionaryAcl
$translation = [string]::join("; ",($translation.Split("`n")))
}#else
$prntr = [PSCustomObject]@{
ServerName = $PrintServerName
PrinterName = $name
Location = $location
Comment = $comment
DriverName = $driverName
SharedName = $sharedName
Shared = $shared
PortName = $portName
UnTransACL = $permissions
TransACL = $translation
}#printer_CustomObject
$prntrs += $prntr
}#Foreach 2nd
}#foreach 1st
$prntrs | Export-Csv "..\..\PrinterAudit2022.csv" -Encoding UTF8
I have removed a very few select parts of the code to avoid sharing any sensitive information, but it shouldn't affect the logic of the code.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论