PowerShell: Sprawdzanie i nadawanie użytkownikom praw użytkownika User Rights

9-Mar-2019

W systemie Windows użytkownicy mogą mieć uprawnienia (do plików, drukarek itp) oraz prawa (do wyłączenia komputera, do zalogowania itp). Tutaj przedstawiam dwie funkcje, które pracują z prawami użytkowników. Pierwsza z nich sprawdza, czy użytkownik ma przyznane prawo, a druga nadaje takie prawo.

Filozofia obu funkcji jest podobna. Polecenie secedit służy do wyeksportowania informacji o przyznanych prawach dla użytkowników oraz do zaimportowania tych informacji. Między eksportem a importem znajduje się trochę typowej PowerShellowej logiki, która sprawdza czy użytkownik ma przypisane prawo czy nie.

Oto i funkcje:

<#
.SYNOPSIS
Tests is a user has right

.DESCRIPTION
secedit is used
if error appears it is thrown
if user has the right returns $true
if user does not have the right or error happens returns $false

.EXAMPLE
Test-UserRight -account rafal -userRight "SeServiceLogonRight"

True

.EXAMPLE
Test-UserRight -account rafal -userRight "SeServiceLogonRight_NON_EXISTING"
Test-UserRight : Right not found: SeServiceLogonRight_NON_EXISTING
False

.EXAMPLE
Test-UserRight -account rafal_NONEXISTING -userRight "SeServiceLogonRight"
False

.EXAMPLE
Test-UserRight -account patryk -userRight "SeServiceLogonRight"
False

#>
function Test-UserRight
{
[CmdletBinding()]
Param(
 [Parameter(mandatory=$true)]
 $account,
 [Parameter(mandatory=$true)]
 $userRight
 )

 #export data to temporal file
 $tempFile = [System.IO.Path]::GetTempFileName() 
 $retCode = Start-Process secedit -ArgumentList "/export /areas USER_RIGHTS /cfg $tempFile" -Wait -PassThru
 if ($retCode.ExitCode -ne 0)
 {
 Write-Error "Getting user rights failed with code $($retCode.ExitCode)"
 del $tempFile -ea SilentlyContinue
 return $false
 }

 #extract list of users with user right
 $line = Get-Content $tempFile -Encoding Unicode | where {$_ -like "$userRight*"} | select -First 1
 if ($line -eq $null)
 {
 Write-Error "Right not found: $userRight"
 del $tempFile -EA SilentlyContinue
 return $false
 }
 $lineTable = @()
 $lineTable += $line.split('=')
 $users = @()
 $users += $lineTable[1].split(',') | foreach { $_.Trim() }
 del $tempFile -ea SilentlyContinue

 #test if the user has the right and return value
 return ($account -in $users)
}

<#
.SYNOPSIS
Adds a user right to a user

.DESCRIPTION
secedit is used
if error appears it is thrown
if success returns 0
if failure returns value <> 0

.EXAMPLE

Add-UserRight -account rafal -userRight SeServiceLogonRight
User rafal has been assigned SeServiceLogonRight
0

.EXAMPLE

Add-UserRight -account rafal -userRight SeLockMemory
User rafal already has SeLockMemory. No action required
0

.EXAMPLE

Add-UserRight -account rafal -userRight SeLockMemory_NOT_EXISTING
Add-UserRight : Right not found: SeLockMemory_NOT_EXISTING
-1

.EXAMPLE

Add-UserRight -account rafal_NOT_EXISTING -userRight SeServiceLogonRight
Add-UserRight : security template export failed exit code 1. Wrong username (rafal_NOT_EXISTING)?
1

#>
function Add-UserRight
{
[CmdletBinding()]
Param(
 [Parameter(mandatory=$true)]
 $account,
 [Parameter(mandatory=$true)]
 $userRight
 )

 #export data to temporal file
 $tempFile = [System.IO.Path]::GetTempFileName() 
 $retCode = Start-Process secedit -ArgumentList "/export /areas USER_RIGHTS /cfg $tempFile" -Wait -PassThru
 if ($retCode.ExitCode -ne 0)
 {
 Write-Error "Getting user rights failed with code $($retCode.ExitCode)"
 del $tempFile -ea SilentlyContinue
 return -1
 }

 #extract list of users with user right
 $line = Get-Content $tempFile -Encoding Unicode | where {$_ -like "$userRight*"} | select -First 1
 if ($line -eq $null)
 {
 Write-Error "Right not found: $userRight"
 del $tempFile -EA SilentlyContinue
 return -1
 }
 $lineTable = @()
 $lineTable += $line.split('=')
 $users = @()
 $users += $lineTable[1].split(',') | foreach { $_.Trim() }

 #if needed - add the right to the user
 if ( -not ($account -in $users))
 {
 $users += $account
 $lineTable[1] = $users -join ','
 $newLine = $lineTable -join '='
 $content = (Get-Content $tempFile -Encoding Unicode).Replace($line,$newLine)
 $content | Out-File $tempFile -Force -Encoding unicode
 $retCode = Start-Process secedit -ArgumentList "/configure /db secedit.sdb /cfg $tempFile /areas USER_RIGHTS" -Wait -PassThru
 if ($retCode.ExitCode -ne 0)
 {
 Write-Error "security template export failed exit code $($retCode.ExitCode). Wrong username ($account)?"
 del $tempFile -ea SilentlyContinue
 return $retCode.ExitCode
 }
 else
 {
 Write-Output "User $account has been assigned $userRight"
 }
 }
 else
 {
 echo "User $account already has $userRight. No action required"
 }

 del $tempFile -ea SilentlyContinue
 return 0
}

 

Dodaj komentarz:

Autor: Rafał Kraik