Powershell:了解打印机DACL

前端之家收集整理的这篇文章主要介绍了Powershell:了解打印机DACL前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我正在尝试阅读并最终为我的打印服务器共享的打印机编写DACL.这是我到目前为止所基于互联网上的脚本:
$pace = DATA {            
ConvertFrom-StringData -StringData @'
983052 = ManagePrinters
983088 = ManageDocuments
131080 = Print 
524288 = TakeOwnership
131072 = ReadPermissions
262144 = ChangePermissions 
'@            
}             
$flags = @(983052,983088,131080,524288,131072,262144)

$printers = Get-WmiObject -Class Win32_Printer -ComputerName "NAME"
"Got Printers"

foreach ($printer in $printers)
{
     ""
     "Printer:  $($printer.DeviceID)"

    $sd = $printer.GetSecurityDescriptor()            
    $ssd = $sd.Descriptor.DACL
    foreach ($obj3 in $ssd)
    {
        ""
        "$($obj3.Trustee.Domain) $($obj3.Trustee.Name)"         
        foreach ($flag in $flags)
        {            
            if ($obj3.AccessMask -band $flag)
            {            
                $pace["$($flag)"]
            }
        }            
    }
}

但是,我无法理解输出.除了Creator Owner之外,似乎每个域/名称对都有重复的条目.但是,重复项具有与第一个不同的访问掩码.如果我想确认权限是我在打印机的安全选项卡中看到的,那么我要查看哪些条目?一旦我找出要设置的访问掩码,写入新权限应该不是问题.

编辑:循环似乎也存在读取位掩码的问题.我从另一个应该工作的脚本中得到了它.

编辑:这是我试图理解的一些示例输出

Got Printers

Printer:  printer

DOMAIN jshier
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

DOMAIN jshier
AccessMask: 983088
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

 CREATOR OWNER
AccessMask: 268435456

 Everyone
AccessMask: 131080
ManagePrinters
ManageDocuments
Print
ReadPermissions

 Everyone
AccessMask: 536870912

BUILTIN Administrators
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

BUILTIN Administrators
AccessMask: 268435456

输出与我在打印机的高级安全设置中看到的不一致.例如,我的用户帐户的第一个实例应具有除“管理文档”之外的所有权限.每个人都应该拥有一个具有“打印”和“读取权限”权限的条目.我在AccessMask转换中遗漏了什么?

顺便说一下,这就是胜利. Server 2008 R2.

这听起来像是对我的预期行为.例如,如果使用“打印机管理”控制台检查打印机安全性,您可能会注意到给定安全主体有一个ACE条目,其中包含“打印”,“管理此打印机”和“管理文档”复选框.

但是,如果单击“高级安全性”页面,则可能有两个用于该安全主体的ACE,一个用于“管理此打印机”,另一个用于“管理文档”,并且每个人通常都有一个ACE用于“打印”权限.

如果您对操作系统如何定义和解释这些权限感兴趣,这里有一个可能的视图.如您所见,“管理打印机”包含其他几个权限,因此可以解释输出.

[Flags]
public enum PrinterRights : int
{
    None = 0,Print = (ACCESS_MASK.PRINTER_ACCESS_USE | ACCESS_MASK.READ_CONTROL),ManageDocuments = (ACCESS_MASK.JOB_ACCESS_ADMINISTER | ACCESS_MASK.JOB_ACCESS_READ | ACCESS_MASK.DELETE | ACCESS_MASK.READ_CONTROL | ACCESS_MASK.WRITE_DAC | ACCESS_MASK.WRITE_OWNER),ManagePrinters = (ACCESS_MASK.PRINTER_ACCESS_ADMINISTER | ACCESS_MASK.PRINTER_ACCESS_USE | ACCESS_MASK.DELETE | ACCESS_MASK.READ_CONTROL | ACCESS_MASK.WRITE_DAC | ACCESS_MASK.WRITE_OWNER),ReadPermissions = ACCESS_MASK.READ_CONTROL,ChangePermissions = ACCESS_MASK.WRITE_DAC,TakeOwnership = ACCESS_MASK.WRITE_OWNER
}

[Flags]
public enum ACCESS_MASK : int
{
    #region Bits 01-15: Specific Rights
    /// <summary>
    /// Authorization to cancel,pause,resume,or restart the job.
    /// </summary>
    JOB_ACCESS_ADMINISTER = 0x00000010,/// <summary>
    /// Read rights for the spool file.
    /// </summary>
    JOB_ACCESS_READ = 0x00000020,/// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_EXECUTE,JOB_ACCESS_ADMINISTER,and PRINTER_ACCESS_USE.
    /// </summary>
    JOB_EXECUTE = (STANDARD_RIGHTS.EXECUTE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),/// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_required,JOB_ACCESS_READ,and JOB_ACCESS_ADMINISTER.
    /// </summary>
    JOB_READ = (STANDARD_RIGHTS.required | JOB_ACCESS_READ | JOB_ACCESS_ADMINISTER),/// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_WRITE,and PRINTER_ACCESS_USE.
    /// </summary>
    JOB_WRITE = (STANDARD_RIGHTS.WRITE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),/// <summary>
    /// Access rights for printers to perform administrative tasks.
    /// </summary>
    PRINTER_ACCESS_ADMINISTER = 0x00000004,/// <summary>
    /// Access rights for printers to perform basic printing operations.
    /// </summary>
    PRINTER_ACCESS_USE = 0x00000008,/// <summary>
    /// Access rights for printers to perform all administrative tasks and basic printing operations except SYNCHRONIZE. Combines STANDARD_RIGHTS_required,PRINTER_ACCESS_ADMINISTER,and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_ALL_ACCESS = (STANDARD_RIGHTS.required | PRINTER_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),/// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_EXECUTE and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_EXECUTE = (STANDARD_RIGHTS.EXECUTE | PRINTER_ACCESS_USE),/// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_READ and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_READ = (STANDARD_RIGHTS.READ | PRINTER_ACCESS_USE),/// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_WRITE and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_WRITE = (STANDARD_RIGHTS.WRITE | PRINTER_ACCESS_USE),/// <summary>
    /// Access rights to administer print servers.
    /// </summary>
    SERVER_ACCESS_ADMINISTER = 0x00000001,/// <summary>
    /// Access rights to enumerate print servers.
    /// </summary>
    SERVER_ACCESS_ENUMERATE = 0x00000002,/// <summary>
    /// Access rights for print servers to perform all administrative tasks and basic printing operations except SYNCHRONIZE. Combines STANDARD_RIGHTS_required,SERVER_ACCESS_ADMINISTER,and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_ALL_ACCESS = (STANDARD_RIGHTS.required | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE),/// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_EXECUTE and SERVER_ACCESS_ENUMERATE. 
    /// </summary>
    SERVER_EXECUTE = (STANDARD_RIGHTS.EXECUTE | SERVER_ACCESS_ENUMERATE),/// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_READ and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_READ = (STANDARD_RIGHTS.READ | SERVER_ACCESS_ENUMERATE),/// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_WRITE,and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_WRITE = (STANDARD_RIGHTS.WRITE | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE),SPECIFIC_RIGHTS_ALL = 0x0000ffff,#endregion
    #region Bits 16-23: Standard Rights
    /// <summary>
    /// The right to delete the object.
    /// </summary>
    DELETE = BASE_RIGHTS.DELETE,/// <summary>
    /// The right to read the information in the object's security descriptor,not including the information in the SACL.
    /// </summary>
    READ_CONTROL = BASE_RIGHTS.READ_CONTROL,/// <summary>
    /// The right to modify the DACL in the object's security descriptor.
    /// </summary>
    WRITE_DAC = BASE_RIGHTS.WRITE_DAC,/// <summary>
    /// The right to change the owner in the object's security descriptor.
    /// </summary>
    WRITE_OWNER = BASE_RIGHTS.WRITE_OWNER,/// <summary>
    /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
    /// </summary>
    SYNCHRONIZE = BASE_RIGHTS.SYNCHRONIZE,/// <summary>
    /// Combines DELETE,READ_CONTROL,WRITE_DAC,and WRITE_OWNER access
    /// </summary>
    STANDARD_required = STANDARD_RIGHTS.required,/// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    STANDARD_READ = STANDARD_RIGHTS.READ,/// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    STANDARD_WRITE = STANDARD_RIGHTS.WRITE,/// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    STANDARD_EXECUTE = STANDARD_RIGHTS.EXECUTE,WRITE_OWNER,and SYNCHRONIZE access
    /// </summary>
    STANDARD_ALL = STANDARD_RIGHTS.ALL,#endregion
    #region Bit  24...: Access System Security
    /// <summary>
    /// Access system security (ACCESS_SYSTEM_SECURITY). It is used to indicate access to a system access control list (SACL). This type of access requires the calling process to have the SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access),the SACL access will be audited.
    /// </summary>
    ACCESS_SYSTEM_SECURITY = 0x01000000,#endregion
    #region Bit  25...: Maximum allowed
    /// <summary>
    /// Maximum allowed (MAXIMUM_ALLOWED).
    /// </summary>
    MAXIMUM_ALLOWED = 0x02000000,#endregion
    #region Bits 26-27: Reserved
    #endregion
    #region Bits 28-31: Generic Rights
    /// <summary>
    /// Generic all 
    /// </summary>
    GENERIC_ALL = 0x10000000,/// <summary>
    /// Generic execute 
    /// </summary>
    GENERIC_EXECUTE = 0x20000000,/// <summary>
    /// Generic write 
    /// </summary>
    GENERIC_WRITE = 0x40000000,/// <summary>
    /// Generic read 
    /// </summary>
    //GENERIC_READ = 0x80000000
    #endregion
}

/// <summary>
/// Standard Access Rights
/// </summary>
/// <see cref="http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx"/>
[Flags]
public enum BASE_RIGHTS : int
{
    /// <summary>
    /// The right to delete the object.
    /// </summary>
    DELETE = 0x00010000,not including the information in the SACL.
    /// </summary>
    READ_CONTROL = 0x00020000,/// <summary>
    /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
    /// </summary>
    SYNCHRONIZE = 0x00100000,/// <summary>
    /// The right to modify the DACL in the object's security descriptor.
    /// </summary>
    WRITE_DAC = 0x00040000,/// <summary>
    /// The right to change the owner in the object's security descriptor.
    /// </summary>
    WRITE_OWNER = 0x00080000
}

/// <summary>
/// Standard Access Rights
/// </summary>
/// <see cref="http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx"/>
[Flags]
public enum STANDARD_RIGHTS : int
{
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    READ = BASE_RIGHTS.READ_CONTROL,/// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    WRITE = BASE_RIGHTS.READ_CONTROL,/// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    EXECUTE = BASE_RIGHTS.READ_CONTROL,and WRITE_OWNER access
    /// </summary>
    required = (BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER),and SYNCHRONIZE access
    /// </summary>
    ALL = (BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.SYNCHRONIZE | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER)
}
原文链接:https://www.f2er.com/windows/366437.html

猜你在找的Windows相关文章