W systemie Windows użytkownicy mogą mieć uprawnienia (do plików, drukarek itp) oraz prawa (do wyłączenia komputera, do zalogowania itp). Tutaj przedstawiam dwie funkcje, które pracują z prawami użytkowników. Pierwsza z nich sprawdza, czy użytkownik ma przyznane prawo, a druga nadaje takie prawo.
Filozofia obu funkcji jest podobna. Polecenie secedit służy do wyeksportowania informacji o przyznanych prawach dla użytkowników oraz do zaimportowania tych informacji. Między eksportem a importem znajduje się trochę typowej PowerShellowej logiki, która sprawdza, czy użytkownik ma przypisane prawo, czy nie. Dwie uwagi praktyczne: secedit zwykle wymaga sesji uruchomionej jako administrator, a Add-UserRight trwale zmienia lokalną politykę zabezpieczeń (eksportowany szablon jest po modyfikacji ponownie importowany i zastosowany), więc nazwę konta i prawa warto przekazywać wyłącznie z zaufanego źródła.
Oto i funkcje:
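<#
.SYNOPSIS
Exports the USER_RIGHTS area of the local security policy to a template file.

.DESCRIPTION
Private helper shared by Test-UserRight and Add-UserRight. Runs
"secedit /export /areas USER_RIGHTS /cfg <Path>" and returns secedit's exit code.
secedit normally needs an elevated (administrator) session.

.PARAMETER Path
File the template is written to. The path is quoted on the command line because
%TEMP% may contain spaces (e.g. a profile named "John Doe"), which would otherwise
split the path into several arguments.

.OUTPUTS
System.Int32 - exit code of secedit (0 on success).
#>
function Export-UserRightsTemplate {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string]$Path
    )
    # -NoNewWindow keeps secedit's console output in the caller's window instead
    # of flashing a separate console.
    $proc = Start-Process secedit -ArgumentList "/export /areas USER_RIGHTS /cfg `"$Path`"" -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

<#
.SYNOPSIS
Finds the assignment line for a user right in an exported security template.

.DESCRIPTION
Private helper. Parses "Key = value" lines of the template (secedit writes it as
UTF-16LE, i.e. -Encoding Unicode) and looks the right up by name:
- an exact, case-insensitive key match wins;
- otherwise a unique prefix match is accepted (this keeps short names such as
  "SeLockMemory" for "SeLockMemoryPrivilege" working);
- several prefix matches are reported as ambiguous and nothing is returned.

.PARAMETER TemplatePath
Path of the template produced by Export-UserRightsTemplate.

.PARAMETER UserRight
Name (or unambiguous prefix) of the right, e.g. SeServiceLogonRight.

.OUTPUTS
PSCustomObject with Index (0-based line index in the template), Key (the exact
right name as written by secedit) and Accounts (string array of the principals
currently assigned, trimmed, empty entries removed), or $null when not found.
#>
function Find-UserRightAssignment {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string]$TemplatePath,
        [Parameter(Mandatory=$true)]
        [string]$UserRight
    )
    $lines = @(Get-Content -LiteralPath $TemplatePath -Encoding Unicode)
    $exact = $null
    $byPrefix = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        # Section headers ([Privilege Rights]) and blank lines have no "key = value" shape.
        if ($lines[$i] -notmatch '^\s*([^=\s]+)\s*=(.*)$') { continue }
        $key = $Matches[1]
        $entry = [PSCustomObject]@{
            Index    = $i
            Key      = $key
            Accounts = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
        }
        # -eq on strings is case-insensitive in PowerShell, like the original -like match.
        if ($key -eq $UserRight) {
            $exact = $entry
            break
        }
        if ($key.StartsWith($UserRight, [System.StringComparison]::OrdinalIgnoreCase)) {
            $byPrefix += $entry
        }
    }
    if ($null -ne $exact) { return $exact }
    if ($byPrefix.Count -eq 1) { return $byPrefix[0] }
    if ($byPrefix.Count -gt 1) {
        $names = ($byPrefix | ForEach-Object { $_.Key }) -join ', '
        Write-Error "Ambiguous right name '$UserRight' matches: $names"
    }
    return $null
}

<#
.SYNOPSIS
Tests whether a user has a user right.

.DESCRIPTION
Exports the USER_RIGHTS area with secedit and checks whether the account is
listed for the given right. Errors are reported with Write-Error (non-terminating)
and the function returns $false; $true is returned only when the account is found.

The comparison is textual and case-insensitive: secedit may list some principals
as SIDs (e.g. "*S-1-5-32-544"), in which case the account must be passed in the
same form as the export shows it. secedit normally needs an elevated session.

.PARAMETER account
Account name as it appears in the exported template. Commas, "=" and line breaks
are rejected because they would break the template's "Key = a,b,c" syntax.

.PARAMETER userRight
Name of the right (e.g. SeServiceLogonRight). An unambiguous prefix is also accepted.

.OUTPUTS
System.Boolean

.EXAMPLE
Test-UserRight -account rafal -userRight "SeServiceLogonRight"
True

.EXAMPLE
Test-UserRight -account rafal -userRight "SeServiceLogonRight_NON_EXISTING"
Test-UserRight : Right not found: SeServiceLogonRight_NON_EXISTING
False

.EXAMPLE
Test-UserRight -account rafal_NONEXISTING -userRight "SeServiceLogonRight"
False

.EXAMPLE
Test-UserRight -account patryk -userRight "SeServiceLogonRight"
False
#>
function Test-UserRight {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [ValidatePattern('^[^,=\r\n]+$')]
        [string]$account,
        [Parameter(Mandatory=$true)]
        [ValidatePattern('^[A-Za-z0-9_]+$')]
        [string]$userRight
    )
    $tempFile = [System.IO.Path]::GetTempFileName()
    # try/finally so the exported policy does not stay behind in %TEMP% when
    # Start-Process or Get-Content throws (the original only cleaned up on the
    # paths it anticipated).
    try {
        $exitCode = Export-UserRightsTemplate -Path $tempFile
        if ($exitCode -ne 0) {
            Write-Error "Getting user rights failed with code $exitCode"
            return $false
        }
        $entry = Find-UserRightAssignment -TemplatePath $tempFile -UserRight $userRight
        if ($null -eq $entry) {
            Write-Error "Right not found: $userRight"
            return $false
        }
        return ($account -in $entry.Accounts)
    }
    finally {
        Remove-Item -LiteralPath $tempFile -Force -ErrorAction SilentlyContinue
    }
}

<#
.SYNOPSIS
Adds a user right to a user.

.DESCRIPTION
Exports the USER_RIGHTS area with secedit, appends the account to the right's
assignment line if it is not already there, and applies the modified template
with "secedit /configure". The database passed to /configure is a fresh temporary
file: secedit merges the template into the database it is given and applies the
database contents, so reusing a relative "secedit.sdb" in the current directory
would also apply whatever that file already held.

Returns 0 on success or when no change was needed, -1 when the export fails or
the right is unknown, and secedit's exit code when the import fails. Errors are
reported with Write-Error (non-terminating). secedit normally needs an elevated
session, and the change is applied to the local security policy.

.PARAMETER account
Account name as it appears in the exported template. Commas, "=" and line breaks
are rejected because they would let the value break out of the "Key = a,b,c"
line and inject other settings into the template that is applied.

.PARAMETER userRight
Name of the right (e.g. SeServiceLogonRight). An unambiguous prefix is also accepted.

.OUTPUTS
A status message (System.String) followed by the System.Int32 result code.

.EXAMPLE
Add-UserRight -account rafal -userRight SeServiceLogonRight
User rafal has been assigned SeServiceLogonRight
0

.EXAMPLE
Add-UserRight -account rafal -userRight SeLockMemory
User rafal already has SeLockMemory. No action required
0

.EXAMPLE
Add-UserRight -account rafal -userRight SeLockMemory_NOT_EXISTING
Add-UserRight : Right not found: SeLockMemory_NOT_EXISTING
-1

.EXAMPLE
Add-UserRight -account rafal_NOT_EXISTING -userRight SeServiceLogonRight
Add-UserRight : security template import failed with exit code 1. Wrong username (rafal_NOT_EXISTING)?
1
#>
function Add-UserRight {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [ValidatePattern('^[^,=\r\n]+$')]
        [string]$account,
        [Parameter(Mandatory=$true)]
        [ValidatePattern('^[A-Za-z0-9_]+$')]
        [string]$userRight
    )
    $tempFile = [System.IO.Path]::GetTempFileName()
    # Private, fresh database for /configure (see DESCRIPTION).
    $tempDb = [System.IO.Path]::ChangeExtension($tempFile, '.sdb')
    try {
        $exitCode = Export-UserRightsTemplate -Path $tempFile
        if ($exitCode -ne 0) {
            Write-Error "Getting user rights failed with code $exitCode"
            return -1
        }
        $entry = Find-UserRightAssignment -TemplatePath $tempFile -UserRight $userRight
        if ($null -eq $entry) {
            Write-Error "Right not found: $userRight"
            return -1
        }
        if ($account -in $entry.Accounts) {
            Write-Output "User $account already has $userRight. No action required"
            return 0
        }

        # Rewrite only the matched line, by index, so an identical substring
        # elsewhere in the template cannot be touched by accident.
        $lines = @(Get-Content -LiteralPath $tempFile -Encoding Unicode)
        $assigned = @($entry.Accounts) + $account
        $lines[$entry.Index] = "$($entry.Key) = $($assigned -join ',')"
        $lines | Out-File -FilePath $tempFile -Force -Encoding unicode

        $proc = Start-Process secedit -ArgumentList "/configure /db `"$tempDb`" /cfg `"$tempFile`" /areas USER_RIGHTS" -Wait -PassThru -NoNewWindow
        if ($proc.ExitCode -ne 0) {
            # This is the import/apply step, not the export (the original message said "export").
            Write-Error "security template import failed with exit code $($proc.ExitCode). Wrong username ($account)?"
            return $proc.ExitCode
        }
        Write-Output "User $account has been assigned $userRight"
        return 0
    }
    finally {
        Remove-Item -LiteralPath $tempFile, $tempDb -Force -ErrorAction SilentlyContinue
    }
}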