我正在尝试读取并最终为从打印服务器共享的打印机写入DACL。 这是我迄今为止,基于在互联网上发现的脚本:
$pace = DATA { ConvertFrom-StringData -StringData @' 983052 = ManagePrinters 983088 = ManageDocuments 131080 = Print 524288 = TakeOwnership 131072 = ReadPermissions 262144 = ChangePermissions '@ } $flags = @(983052, 983088, 131080, 524288, 131072, 262144) $printers = Get-WmiObject -Class Win32_Printer -ComputerName "NAME" "Got Printers" foreach ($printer in $printers) { "" "Printer: $($printer.DeviceID)" $sd = $printer.GetSecurityDescriptor() $ssd = $sd.Descriptor.DACL foreach ($obj3 in $ssd) { "" "$($obj3.Trustee.Domain) $($obj3.Trustee.Name)" foreach ($flag in $flags) { if ($obj3.AccessMask -band $flag) { $pace["$($flag)"] } } } } 但是,我无法理解输出。 似乎有除了创作者所有者之外每个域/名称对有重复的条目。 但是,重复项具有不同的访问掩码。 如果我想确认权限是我在打印机的安全选项卡中看到的,那么我想查看哪些条目? 一旦我找出要设置的访问掩码,写入新的权限不应该是一个问题。
编辑:似乎也有问题的循环读取位掩码。 我从另一个应该工作的脚本得到了这个。
编辑:这是一些示例输出,我试图理解:
Got Printers Printer: printer DOMAIN jshier AccessMask: 983052 ManagePrinters ManageDocuments Print TakeOwnership ReadPermissions ChangePermissions DOMAIN jshier AccessMask: 983088 ManagePrinters ManageDocuments Print TakeOwnership ReadPermissions ChangePermissions CREATOR OWNER AccessMask: 268435456 Everyone AccessMask: 131080 ManagePrinters ManageDocuments Print ReadPermissions Everyone AccessMask: 536870912 BUILTIN Administrators AccessMask: 983052 ManagePrinters ManageDocuments Print TakeOwnership ReadPermissions ChangePermissions BUILTIN Administrators AccessMask: 268435456
该输出与我在打印机的“高级安全设置”中看到的不符。 例如,我的用户帐户的第一个实例应具有“pipe理文档”以外的所有权限。 而且每个人都应该拥有一个具有“打印”和“读取权限”权限的条目。 我在AccessMask转换中丢失了什么?
顺便说一句,这是赢。 Server 2008 R2。
这听起来像对我的预期行为。 例如,如果使用打印机pipe理控制台检查打印机安全性,则可能会注意到给定的安全主体有一个ACE条目,并具有“打印”,“pipe理此打印机”和“pipe理文档”的checkbox。
但是,如果单击“高级安全性”页面,则可能有两个安全主体的ACE,一个用于pipe理此打印机,另一个用于pipe理文档,对于打印权限,通常每个人都有一个ACE。
如果您对操作系统如何定义和解释这些权限感兴趣,可以参考这里。 如您所见,“pipe理打印机”包含其他几个权限,以便可以解释输出。
[Flags] public enum PrinterRights : int { None = 0, Print = (ACCESS_MASK.PRINTER_ACCESS_USE | ACCESS_MASK.READ_CONTROL), ManageDocuments = (ACCESS_MASK.JOB_ACCESS_ADMINISTER | ACCESS_MASK.JOB_ACCESS_READ | ACCESS_MASK.DELETE | ACCESS_MASK.READ_CONTROL | ACCESS_MASK.WRITE_DAC | ACCESS_MASK.WRITE_OWNER), ManagePrinters = (ACCESS_MASK.PRINTER_ACCESS_ADMINISTER | ACCESS_MASK.PRINTER_ACCESS_USE | ACCESS_MASK.DELETE | ACCESS_MASK.READ_CONTROL | ACCESS_MASK.WRITE_DAC | ACCESS_MASK.WRITE_OWNER), ReadPermissions = ACCESS_MASK.READ_CONTROL, ChangePermissions = ACCESS_MASK.WRITE_DAC, TakeOwnership = ACCESS_MASK.WRITE_OWNER } [Flags] public enum ACCESS_MASK : int { #region Bits 01-15: Specific Rights /// <summary> /// Authorization to cancel, pause, resume, or restart the job. /// </summary> JOB_ACCESS_ADMINISTER = 0x00000010, /// <summary> /// Read rights for the spool file. /// </summary> JOB_ACCESS_READ = 0x00000020, /// <summary> /// Access rights for jobs combining STANDARD_RIGHTS_EXECUTE, JOB_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE. /// </summary> JOB_EXECUTE = (STANDARD_RIGHTS.EXECUTE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE), /// <summary> /// Access rights for jobs combining STANDARD_RIGHTS_REQUIRED, JOB_ACCESS_READ, and JOB_ACCESS_ADMINISTER. /// </summary> JOB_READ = (STANDARD_RIGHTS.REQUIRED | JOB_ACCESS_READ | JOB_ACCESS_ADMINISTER), /// <summary> /// Access rights for jobs combining STANDARD_RIGHTS_WRITE, JOB_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE. /// </summary> JOB_WRITE = (STANDARD_RIGHTS.WRITE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE), /// <summary> /// Access rights for printers to perform administrative tasks. /// </summary> PRINTER_ACCESS_ADMINISTER = 0x00000004, /// <summary> /// Access rights for printers to perform basic printing operations. /// </summary> PRINTER_ACCESS_USE = 0x00000008, /// <summary> /// Access rights for printers to perform all administrative tasks and basic printing operations except SYNCHRONIZE. Combines STANDARD_RIGHTS_REQUIRED, PRINTER_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE. /// </summary> PRINTER_ALL_ACCESS = (STANDARD_RIGHTS.REQUIRED | PRINTER_ACCESS_ADMINISTER | PRINTER_ACCESS_USE), /// <summary> /// Access rights for printers combining STANDARD_RIGHTS_EXECUTE and PRINTER_ACCESS_USE. /// </summary> PRINTER_EXECUTE = (STANDARD_RIGHTS.EXECUTE | PRINTER_ACCESS_USE), /// <summary> /// Access rights for printers combining STANDARD_RIGHTS_READ and PRINTER_ACCESS_USE. /// </summary> PRINTER_READ = (STANDARD_RIGHTS.READ | PRINTER_ACCESS_USE), /// <summary> /// Access rights for printers combining STANDARD_RIGHTS_WRITE and PRINTER_ACCESS_USE. /// </summary> PRINTER_WRITE = (STANDARD_RIGHTS.WRITE | PRINTER_ACCESS_USE), /// <summary> /// Access rights to administer print servers. /// </summary> SERVER_ACCESS_ADMINISTER = 0x00000001, /// <summary> /// Access rights to enumerate print servers. /// </summary> SERVER_ACCESS_ENUMERATE = 0x00000002, /// <summary> /// Access rights for print servers to perform all administrative tasks and basic printing operations except SYNCHRONIZE. Combines STANDARD_RIGHTS_REQUIRED, SERVER_ACCESS_ADMINISTER, and SERVER_ACCESS_ENUMERATE. /// </summary> SERVER_ALL_ACCESS = (STANDARD_RIGHTS.REQUIRED | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE), /// <summary> /// Access rights for print servers combining STANDARD_RIGHTS_EXECUTE and SERVER_ACCESS_ENUMERATE. /// </summary> SERVER_EXECUTE = (STANDARD_RIGHTS.EXECUTE | SERVER_ACCESS_ENUMERATE), /// <summary> /// Access rights for print servers combining STANDARD_RIGHTS_READ and SERVER_ACCESS_ENUMERATE. /// </summary> SERVER_READ = (STANDARD_RIGHTS.READ | SERVER_ACCESS_ENUMERATE), /// <summary> /// Access rights for print servers combining STANDARD_RIGHTS_WRITE, SERVER_ACCESS_ADMINISTER, and SERVER_ACCESS_ENUMERATE. /// </summary> SERVER_WRITE = (STANDARD_RIGHTS.WRITE | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE), SPECIFIC_RIGHTS_ALL = 0x0000ffff, #endregion #region Bits 16-23: Standard Rights /// <summary> /// The right to delete the object. /// </summary> DELETE = BASE_RIGHTS.DELETE, /// <summary> /// The right to read the information in the object's security descriptor, not including the information in the SACL. /// </summary> READ_CONTROL = BASE_RIGHTS.READ_CONTROL, /// <summary> /// The right to modify the DACL in the object's security descriptor. /// </summary> WRITE_DAC = BASE_RIGHTS.WRITE_DAC, /// <summary> /// The right to change the owner in the object's security descriptor. /// </summary> WRITE_OWNER = BASE_RIGHTS.WRITE_OWNER, /// <summary> /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. /// </summary> SYNCHRONIZE = BASE_RIGHTS.SYNCHRONIZE, /// <summary> /// Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access /// </summary> STANDARD_REQUIRED = STANDARD_RIGHTS.REQUIRED, /// <summary> /// Currently defined to equal READ_CONTROL /// </summary> STANDARD_READ = STANDARD_RIGHTS.READ, /// <summary> /// Currently defined to equal READ_CONTROL /// </summary> STANDARD_WRITE = STANDARD_RIGHTS.WRITE, /// <summary> /// Currently defined to equal READ_CONTROL /// </summary> STANDARD_EXECUTE = STANDARD_RIGHTS.EXECUTE, /// <summary> /// Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access /// </summary> STANDARD_ALL = STANDARD_RIGHTS.ALL, #endregion #region Bit 24...: Access System Security /// <summary> /// Access system security (ACCESS_SYSTEM_SECURITY). It is used to indicate access to a system access control list (SACL). This type of access requires the calling process to have the SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access), the SACL access will be audited. /// </summary> ACCESS_SYSTEM_SECURITY = 0x01000000, #endregion #region Bit 25...: Maximum allowed /// <summary> /// Maximum allowed (MAXIMUM_ALLOWED). /// </summary> MAXIMUM_ALLOWED = 0x02000000, #endregion #region Bits 26-27: Reserved #endregion #region Bits 28-31: Generic Rights /// <summary> /// Generic all /// </summary> GENERIC_ALL = 0x10000000, /// <summary> /// Generic execute /// </summary> GENERIC_EXECUTE = 0x20000000, /// <summary> /// Generic write /// </summary> GENERIC_WRITE = 0x40000000, /// <summary> /// Generic read /// </summary> //GENERIC_READ = 0x80000000 #endregion } /// <summary> /// Standard Access Rights /// </summary> /// <see cref="http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx"/> [Flags] public enum BASE_RIGHTS : int { /// <summary> /// The right to delete the object. /// </summary> DELETE = 0x00010000, /// <summary> /// The right to read the information in the object's security descriptor, not including the information in the SACL. /// </summary> READ_CONTROL = 0x00020000, /// <summary> /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. /// </summary> SYNCHRONIZE = 0x00100000, /// <summary> /// The right to modify the DACL in the object's security descriptor. /// </summary> WRITE_DAC = 0x00040000, /// <summary> /// The right to change the owner in the object's security descriptor. /// </summary> WRITE_OWNER = 0x00080000 } /// <summary> /// Standard Access Rights /// </summary> /// <see cref="http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx"/> [Flags] public enum STANDARD_RIGHTS : int { /// <summary> /// Currently defined to equal READ_CONTROL /// </summary> READ = BASE_RIGHTS.READ_CONTROL, /// <summary> /// Currently defined to equal READ_CONTROL /// </summary> WRITE = BASE_RIGHTS.READ_CONTROL, /// <summary> /// Currently defined to equal READ_CONTROL /// </summary> EXECUTE = BASE_RIGHTS.READ_CONTROL, /// <summary> /// Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access /// </summary> REQUIRED = (BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER), /// <summary> /// Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access /// </summary> ALL = (BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.SYNCHRONIZE | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER) }