I'm trying to read, and eventually write, the DACLs of the printers shared from my print server. This is the script I've been basing it on so far, taken from the internet:
$pace = DATA {
ConvertFrom-StringData -StringData @'
983052 = ManagePrinters
983088 = ManageDocuments
131080 = Print
524288 = TakeOwnership
131072 = ReadPermissions
262144 = ChangePermissions
'@
}
$flags = @(983052,983088,131080,524288,131072,262144)
$printers = Get-WmiObject -Class Win32_Printer -ComputerName "NAME"
"Got Printers"
foreach ($printer in $printers) {
    ""
    "Printer: $($printer.DeviceID)"
    $sd = $printer.GetSecurityDescriptor()
    $ssd = $sd.Descriptor.DACL
    foreach ($obj3 in $ssd) {
        ""
        "$($obj3.Trustee.Domain) $($obj3.Trustee.Name)"
        foreach ($flag in $flags) {
            # A composite right is present only when every one of its bits is set;
            # a bare -band test is true on any shared bit and over-reports rights.
            if (($obj3.AccessMask -band $flag) -eq $flag) {
                $pace["$($flag)"]
            }
        }
    }
}
However, I can't make sense of the output. Except for Creator Owner, every domain/name pair seems to have a duplicate entry, but the duplicate has a different access mask than the first one. If I want to confirm that the permissions are what I see on the printer's Security tab, which entries do I look at? Once I work out which access masks to set, writing the new permissions shouldn't be a problem.

Edit: The loop also seems to have a problem reading the bitmask. I took it from another script that is supposed to work.

Edit: Here is some sample output I'm trying to understand:
Got Printers

Printer: printer

DOMAIN jshier
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

DOMAIN jshier
AccessMask: 983088
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

CREATOR OWNER
AccessMask: 268435456

Everyone
AccessMask: 131080
ManagePrinters
ManageDocuments
Print
ReadPermissions

Everyone
AccessMask: 536870912

BUILTIN Administrators
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

BUILTIN Administrators
AccessMask: 268435456
This output doesn't match what I see in the printer's Advanced Security Settings. For example, the first instance of my user account should have every permission except Manage Documents. Everyone should have one entry with the Print and Read Permissions permissions. What am I missing in the AccessMask conversion?

By the way, this is Windows Server 2008 R2.
That sounds like expected behavior to me. For example, if you check printer security with the Print Management console, you may notice that a given security principal has a single ACE entry with the Print, Manage this printer, and Manage documents checkboxes.

But if you click through to the Advanced Security page, there may be two ACEs for that security principal, one for Manage this printer and another for Manage documents, and Everyone typically has an ACE for the Print permission.

If you're interested in how the OS defines and interprets these permissions, here is one possible view. As you can see, Manage Printers includes several other permissions, which would explain the output.
using System;

[Flags]
public enum PrinterRights : int
{
    None = 0,
    Print = (ACCESS_MASK.PRINTER_ACCESS_USE | ACCESS_MASK.READ_CONTROL),
    ManageDocuments = (ACCESS_MASK.JOB_ACCESS_ADMINISTER | ACCESS_MASK.JOB_ACCESS_READ | ACCESS_MASK.DELETE | ACCESS_MASK.READ_CONTROL | ACCESS_MASK.WRITE_DAC | ACCESS_MASK.WRITE_OWNER),
    ManagePrinters = (ACCESS_MASK.PRINTER_ACCESS_ADMINISTER | ACCESS_MASK.PRINTER_ACCESS_USE | ACCESS_MASK.DELETE | ACCESS_MASK.READ_CONTROL | ACCESS_MASK.WRITE_DAC | ACCESS_MASK.WRITE_OWNER),
    ReadPermissions = ACCESS_MASK.READ_CONTROL,
    ChangePermissions = ACCESS_MASK.WRITE_DAC,
    TakeOwnership = ACCESS_MASK.WRITE_OWNER
}

[Flags]
public enum ACCESS_MASK : int
{
    #region Bits 01-15: Specific Rights
    /// <summary>
    /// Authorization to cancel, pause, resume, or restart the job.
    /// </summary>
    JOB_ACCESS_ADMINISTER = 0x00000010,
    /// <summary>
    /// Read rights for the spool file.
    /// </summary>
    JOB_ACCESS_READ = 0x00000020,
    /// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_EXECUTE, JOB_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE.
    /// </summary>
    JOB_EXECUTE = (STANDARD_RIGHTS.EXECUTE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_required, JOB_ACCESS_READ, and JOB_ACCESS_ADMINISTER.
    /// </summary>
    JOB_READ = (STANDARD_RIGHTS.required | JOB_ACCESS_READ | JOB_ACCESS_ADMINISTER),
    /// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_WRITE, JOB_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE.
    /// </summary>
    JOB_WRITE = (STANDARD_RIGHTS.WRITE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights for printers to perform administrative tasks.
    /// </summary>
    PRINTER_ACCESS_ADMINISTER = 0x00000004,
    /// <summary>
    /// Access rights for printers to perform basic printing operations.
    /// </summary>
    PRINTER_ACCESS_USE = 0x00000008,
    /// <summary>
    /// Access rights for printers to perform all administrative tasks and basic printing operations except SYNCHRONIZE.
    /// Combines STANDARD_RIGHTS_required, PRINTER_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_ALL_ACCESS = (STANDARD_RIGHTS.required | PRINTER_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_EXECUTE and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_EXECUTE = (STANDARD_RIGHTS.EXECUTE | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_READ and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_READ = (STANDARD_RIGHTS.READ | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_WRITE and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_WRITE = (STANDARD_RIGHTS.WRITE | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights to administer print servers.
    /// </summary>
    SERVER_ACCESS_ADMINISTER = 0x00000001,
    /// <summary>
    /// Access rights to enumerate print servers.
    /// </summary>
    SERVER_ACCESS_ENUMERATE = 0x00000002,
    /// <summary>
    /// Access rights for print servers to perform all administrative tasks and basic printing operations except SYNCHRONIZE.
    /// Combines STANDARD_RIGHTS_required, SERVER_ACCESS_ADMINISTER, and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_ALL_ACCESS = (STANDARD_RIGHTS.required | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE),
    /// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_EXECUTE and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_EXECUTE = (STANDARD_RIGHTS.EXECUTE | SERVER_ACCESS_ENUMERATE),
    /// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_READ and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_READ = (STANDARD_RIGHTS.READ | SERVER_ACCESS_ENUMERATE),
    /// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_WRITE, SERVER_ACCESS_ADMINISTER, and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_WRITE = (STANDARD_RIGHTS.WRITE | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE),
    SPECIFIC_RIGHTS_ALL = 0x0000ffff,
    #endregion

    #region Bits 16-23: Standard Rights
    /// <summary>
    /// The right to delete the object.
    /// </summary>
    DELETE = BASE_RIGHTS.DELETE,
    /// <summary>
    /// The right to read the information in the object's security descriptor, not including the information in the SACL.
    /// </summary>
    READ_CONTROL = BASE_RIGHTS.READ_CONTROL,
    /// <summary>
    /// The right to modify the DACL in the object's security descriptor.
    /// </summary>
    WRITE_DAC = BASE_RIGHTS.WRITE_DAC,
    /// <summary>
    /// The right to change the owner in the object's security descriptor.
    /// </summary>
    WRITE_OWNER = BASE_RIGHTS.WRITE_OWNER,
    /// <summary>
    /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
    /// </summary>
    SYNCHRONIZE = BASE_RIGHTS.SYNCHRONIZE,
    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access
    /// </summary>
    STANDARD_required = STANDARD_RIGHTS.required,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    STANDARD_READ = STANDARD_RIGHTS.READ,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    STANDARD_WRITE = STANDARD_RIGHTS.WRITE,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    STANDARD_EXECUTE = STANDARD_RIGHTS.EXECUTE,
    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access
    /// </summary>
    STANDARD_ALL = STANDARD_RIGHTS.ALL,
    #endregion

    #region Bit 24: Access System Security
    /// <summary>
    /// Access system security (ACCESS_SYSTEM_SECURITY). It is used to indicate access to a system access control list (SACL). This type of access requires the calling process to have the SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access), the SACL access will be audited.
    /// </summary>
    ACCESS_SYSTEM_SECURITY = 0x01000000,
    #endregion

    #region Bit 25: Maximum allowed
    /// <summary>
    /// Maximum allowed (MAXIMUM_ALLOWED).
    /// </summary>
    MAXIMUM_ALLOWED = 0x02000000,
    #endregion

    #region Bits 26-27: Reserved
    #endregion

    #region Bits 28-31: Generic Rights
    /// <summary>
    /// Generic all
    /// </summary>
    GENERIC_ALL = 0x10000000,
    /// <summary>
    /// Generic execute
    /// </summary>
    GENERIC_EXECUTE = 0x20000000,
    /// <summary>
    /// Generic write
    /// </summary>
    GENERIC_WRITE = 0x40000000,
    /// <summary>
    /// Generic read (bit 31 does not fit in a signed int, so it is left out of this enum)
    /// </summary>
    //GENERIC_READ = 0x80000000
    #endregion
}

/// <summary>
/// Standard Access Rights
/// </summary>
/// <see cref="http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx"/>
[Flags]
public enum BASE_RIGHTS : int
{
    /// <summary>
    /// The right to delete the object.
    /// </summary>
    DELETE = 0x00010000,
    /// <summary>
    /// The right to read the information in the object's security descriptor, not including the information in the SACL.
    /// </summary>
    READ_CONTROL = 0x00020000,
    /// <summary>
    /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
    /// </summary>
    SYNCHRONIZE = 0x00100000,
    /// <summary>
    /// The right to modify the DACL in the object's security descriptor.
    /// </summary>
    WRITE_DAC = 0x00040000,
    /// <summary>
    /// The right to change the owner in the object's security descriptor.
    /// </summary>
    WRITE_OWNER = 0x00080000
}

/// <summary>
/// Standard Access Rights
/// </summary>
/// <see cref="http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx"/>
[Flags]
public enum STANDARD_RIGHTS : int
{
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    READ = BASE_RIGHTS.READ_CONTROL,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    WRITE = BASE_RIGHTS.READ_CONTROL,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    EXECUTE = BASE_RIGHTS.READ_CONTROL,
    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access
    /// </summary>
    required = (BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER),
    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access
    /// </summary>
    ALL = (BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.SYNCHRONIZE | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER)
}
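The following is an added example, not the asker's script and not the answerer's code. It decodes the AccessMask values from the question's output with the rights table the answer's PrinterRights enum defines, and it makes the two points the thread turns on explicit: a composite right such as ManagePrinters is present only when all of its bits are set, so the test must be ($mask -band $right) -eq $right rather than a bare -band (which is true on any shared bit and is why 983088 was reported as ManagePrinters and Print too); and the second ACE per principal is normally an inherit-only entry that applies to the documents the printer will contain, which the Win32_ACE AceFlags bits reveal. The property names AceType, AceFlags, AccessMask and Trustee are the real Win32_ACE properties; the AceFlags values in the sample DACL are assumed, because the question's output does not print them.

```powershell
# Added example: decode printer ACE masks with a subset test and ACE flags.
# Rights table taken from the PrinterRights / ACCESS_MASK enums above.
# Generic rights (bits 28-31) show up in inherit-only ACEs; the spooler maps
# them to specific rights when a document inherits the entry.
$PrinterRights = @(
    @{ Name = 'ManagePrinters';    Mask = 983052 }      # 0x000F000C
    @{ Name = 'ManageDocuments';   Mask = 983088 }      # 0x000F0030
    @{ Name = 'Print';             Mask = 131080 }      # 0x00020008
    @{ Name = 'TakeOwnership';     Mask = 524288 }      # 0x00080000 WRITE_OWNER
    @{ Name = 'ChangePermissions'; Mask = 262144 }      # 0x00040000 WRITE_DAC
    @{ Name = 'ReadPermissions';   Mask = 131072 }      # 0x00020000 READ_CONTROL
    @{ Name = 'GENERIC_ALL';       Mask = 268435456 }   # 0x10000000
    @{ Name = 'GENERIC_EXECUTE';   Mask = 536870912 }   # 0x20000000
    @{ Name = 'GENERIC_WRITE';     Mask = 1073741824 }  # 0x40000000
    @{ Name = 'GENERIC_READ';      Mask = 2147483648 }  # 0x80000000
)

# Win32_ACE.AceFlags bits (winnt.h). INHERIT_ONLY means the entry does not
# apply to the printer itself, only to the documents (jobs) that inherit it.
$OBJECT_INHERIT_ACE = 1
$INHERIT_ONLY_ACE   = 8

function ConvertTo-PrinterRightNames {
    param([Parameter(Mandatory = $true)][long]$AccessMask)
    $names = @()
    foreach ($right in $PrinterRights) {
        # Subset test: every bit of the right must be present in the mask.
        if (($AccessMask -band $right.Mask) -eq $right.Mask) { $names += $right.Name }
    }
    if ($names.Count -eq 0) { $names += ('Unmapped:0x{0:X8}' -f $AccessMask) }
    return $names
}

function Format-PrinterAce {
    # $Ace is one element of $printer.GetSecurityDescriptor().Descriptor.DACL
    param([Parameter(Mandatory = $true)]$Ace)
    if ($Ace.AceFlags -band $INHERIT_ONLY_ACE) { $scope = 'documents only' }
    elseif ($Ace.AceFlags -band $OBJECT_INHERIT_ACE) { $scope = 'printer and documents' }
    else { $scope = 'printer only' }
    # AceType 0 = access allowed, 1 = access denied; deny entries matter in a review.
    $type = if ($Ace.AceType -eq 1) { 'DENY ' } else { 'ALLOW' }
    $who = if ($Ace.Trustee.Domain) { "$($Ace.Trustee.Domain)\$($Ace.Trustee.Name)" } else { $Ace.Trustee.Name }
    $rights = (ConvertTo-PrinterRightNames $Ace.AccessMask) -join ', '
    '{0} {1,-24} {2,-23} {3}' -f $type, $who, "[$scope]", $rights
}

# Constructed sample DACL built from the masks in the question's output. The
# AceFlags values are assumed (the question does not print them). On a real
# server replace this with $printer.GetSecurityDescriptor().Descriptor.DACL.
$sampleDacl = @(
    (New-Object PSObject -Property @{ AceType = 0; AceFlags = 0; AccessMask = 983052;    Trustee = @{ Domain = 'DOMAIN'; Name = 'jshier' } }),
    (New-Object PSObject -Property @{ AceType = 0; AceFlags = 9; AccessMask = 983088;    Trustee = @{ Domain = 'DOMAIN'; Name = 'jshier' } }),
    (New-Object PSObject -Property @{ AceType = 0; AceFlags = 9; AccessMask = 268435456; Trustee = @{ Domain = '';       Name = 'CREATOR OWNER' } }),
    (New-Object PSObject -Property @{ AceType = 0; AceFlags = 0; AccessMask = 131080;    Trustee = @{ Domain = '';       Name = 'Everyone' } }),
    (New-Object PSObject -Property @{ AceType = 0; AceFlags = 9; AccessMask = 536870912; Trustee = @{ Domain = '';       Name = 'Everyone' } })
)

foreach ($ace in $sampleDacl) { Format-PrinterAce $ace }
```

With the subset test, 983052 (0x000F000C) decodes to ManagePrinters, Print, TakeOwnership, ChangePermissions and ReadPermissions but not ManageDocuments, and 983088 (0x000F0030) decodes to ManageDocuments plus the three standard rights but not Print, which is exactly the split the Security tab shows for a principal with one printer entry and one documents entry. 131080 (0x00020008) is Print plus ReadPermissions, the usual Everyone entry. When you move on to writing a DACL, keep the two entries separate as well: an ACE meant for documents only needs the inherit-only and object-inherit flags, otherwise the job rights land on the printer object itself.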