Powershell:了解打印机DACL

我正在尝试读取、并最终为我的打印服务器上共享的打印机写入DACL.这是我目前根据网上资料整理出的脚本:
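# Lookup table: decimal AccessMask value -> permission name as the printer's
# Security tab labels it. The first six entries are the composite masks Windows
# uses for printer ACEs; the last four are the generic rights (0x10000000 ..
# 0x80000000) that show up on inherit-only ACEs and would otherwise decode to
# nothing. ConvertFrom-StringData yields string keys, hence the quoted lookup.
$pace = DATA {
ConvertFrom-StringData -StringData @'
983052 = ManagePrinters
983088 = ManageDocuments
131080 = Print
524288 = TakeOwnership
131072 = ReadPermissions
262144 = ChangePermissions
268435456 = GenericAll
536870912 = GenericExecute
1073741824 = GenericWrite
2147483648 = GenericRead
'@
}
$flags = @(983052,983088,131080,524288,131072,262144,268435456,536870912,1073741824,2147483648)

$printers = Get-WmiObject -Class Win32_Printer -ComputerName "NAME"
"Got Printers"

foreach ($printer in $printers)
{
    ""
    "Printer:  $($printer.deviceid)"

    # GetSecurityDescriptor returns a wrapper object; a non-zero ReturnValue
    # means the call failed (typically access denied) and Descriptor is unset.
    $sd = $printer.GetSecurityDescriptor()
    if ($sd.ReturnValue -ne 0)
    {
        Write-Warning "GetSecurityDescriptor failed for $($printer.deviceid) (ReturnValue $($sd.ReturnValue))"
        continue
    }

    $ssd = $sd.Descriptor.DACL
    # A missing (NULL) DACL does not mean "no access": it means the object has
    # no restrictions at all, so say so instead of silently printing nothing.
    if ($null -eq $ssd)
    {
        "  (no DACL - object is unprotected)"
        continue
    }

    foreach ($obj3 in $ssd)
    {
        ""
        "$($obj3.Trustee.Domain) $($obj3.Trustee.Name)"
        "AccessMask: $($obj3.AccessMask)"
        # AceType 1 is an access-denied entry: its mask lists rights that are
        # withheld, not granted, so it must not be read like an allow entry.
        # AceFlags with the inherit-only bit (0x8) set marks an entry that
        # applies to documents rather than to the printer object itself, which
        # is typically why the same trustee shows up twice with different masks.
        "AceType: $($obj3.AceType)  AceFlags: $($obj3.AceFlags)"
        foreach ($flag in $flags)
        {
            # A bare -band is true when ANY bit overlaps, so every composite
            # mask that shares a bit with the ACE (ManagePrinters vs
            # ManageDocuments, Print vs ReadPermissions) used to match.
            # Require the whole mask to be present before naming it.
            if (($obj3.AccessMask -band $flag) -eq $flag)
            {
                $pace["$($flag)"]
            }
        }
    }
}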

但是,我无法理解输出.除了Creator Owner之外,似乎每个域/名称对都有重复的条目.但是,重复项具有与第一个不同的访问掩码.如果我想确认权限是我在打印机的安全选项卡中看到的,那么我要查看哪些条目?一旦我找出要设置的访问掩码,写入新权限应该不是问题.

编辑:循环在读取位掩码时似乎也有问题.这段循环是我从另一个本应能正常工作的脚本里拿来的.

编辑:这是我试图理解的一些示例输出

Got Printers

Printer:  printer

DOMAIN jshier
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

DOMAIN jshier
AccessMask: 983088
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

 CREATOR OWNER
AccessMask: 268435456

 Everyone
AccessMask: 131080
ManagePrinters
ManageDocuments
Print
ReadPermissions

 Everyone
AccessMask: 536870912

BUILTIN Administrators
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

BUILTIN Administrators
AccessMask: 268435456

输出与我在打印机的高级安全设置中看到的不一致.例如,我的用户帐户的第一个条目应具有除“管理文档”之外的所有权限.Everyone 应该只有一个具有“打印”和“读取权限”权限的条目.我在AccessMask转换中遗漏了什么?

顺便说一下,这是在 Windows Server 2008 R2 上运行的.

在我看来这像是预期的行为.例如,如果使用“打印机管理”控制台检查打印机安全性,您可能会注意到某个安全主体只有一个ACE条目,其中包含“打印”、“管理此打印机”和“管理文档”复选框.

但是,如果单击“高级安全性”页面,则该安全主体可能会有两个ACE,一个用于“管理此打印机”,另一个用于“管理文档”;而 Everyone 通常只有一个授予“打印”权限的ACE.

如果您对操作系统如何定义和解释这些权限感兴趣,这里有一个可能的视图.如您所见,“管理打印机”包含其他几个权限,因此可以解释输出.

/// <summary>
/// Printer permissions as the Security tab presents them, expressed as
/// combinations of the underlying <see cref="ACCESS_MASK"/> bits. Each
/// checkbox in the UI is one of these composite masks, which is why a single
/// ACE decodes to several of them at once.
/// </summary>
[Flags]
public enum PrinterRights : int
{
    /// <summary>No rights at all.</summary>
    None = 0,

    /// <summary>
    /// "Print": PRINTER_ACCESS_USE together with READ_CONTROL
    /// (0x00020008 = 131080).
    /// </summary>
    Print = ACCESS_MASK.PRINTER_ACCESS_USE | ACCESS_MASK.READ_CONTROL,

    /// <summary>
    /// "Manage Documents": job administer/read plus the four standard rights
    /// DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER (0x000F0030 = 983088).
    /// </summary>
    ManageDocuments = ACCESS_MASK.JOB_ACCESS_ADMINISTER
                    | ACCESS_MASK.JOB_ACCESS_READ
                    | ACCESS_MASK.DELETE
                    | ACCESS_MASK.READ_CONTROL
                    | ACCESS_MASK.WRITE_DAC
                    | ACCESS_MASK.WRITE_OWNER,

    /// <summary>
    /// "Manage Printers": printer administer/use plus the four standard rights
    /// (0x000F000C = 983052). Note that it overlaps <see cref="Print"/> and
    /// <see cref="ManageDocuments"/> bit-wise, so decoding a mask needs an
    /// all-bits-set test rather than an any-bit-set test.
    /// </summary>
    ManagePrinters = ACCESS_MASK.PRINTER_ACCESS_ADMINISTER
                   | ACCESS_MASK.PRINTER_ACCESS_USE
                   | ACCESS_MASK.DELETE
                   | ACCESS_MASK.READ_CONTROL
                   | ACCESS_MASK.WRITE_DAC
                   | ACCESS_MASK.WRITE_OWNER,

    /// <summary>"Read Permissions": READ_CONTROL (0x00020000 = 131072).</summary>
    ReadPermissions = ACCESS_MASK.READ_CONTROL,

    /// <summary>"Change Permissions": WRITE_DAC (0x00040000 = 262144).</summary>
    ChangePermissions = ACCESS_MASK.WRITE_DAC,

    /// <summary>"Take Ownership": WRITE_OWNER (0x00080000 = 524288).</summary>
    TakeOwnership = ACCESS_MASK.WRITE_OWNER
}

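/// <summary>
/// Layout of a Win32 ACCESS_MASK as used for print objects: bits 0-15 hold
/// the object-specific rights, bits 16-23 the standard rights, bit 24 SACL
/// access, bit 25 MAXIMUM_ALLOWED and bits 28-31 the generic rights that the
/// system maps onto the specific and standard ones. Member names follow the
/// Windows SDK except where noted in the individual comments.
/// </summary>
[Flags]
public enum ACCESS_MASK : int
{
    #region Bits 01-15: Specific Rights
    /// <summary>
    /// Authorization to cancel, pause, resume, or restart the job.
    /// </summary>
    JOB_ACCESS_ADMINISTER = 0x00000010,

    /// <summary>
    /// Read rights for the spool file.
    /// </summary>
    JOB_ACCESS_READ = 0x00000020,

    /// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_EXECUTE, JOB_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE.
    /// </summary>
    JOB_EXECUTE = (STANDARD_RIGHTS.EXECUTE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),

    /// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_REQUIRED, JOB_ACCESS_READ, and JOB_ACCESS_ADMINISTER.
    /// </summary>
    JOB_READ = (STANDARD_RIGHTS.required | JOB_ACCESS_READ | JOB_ACCESS_ADMINISTER),

    /// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_WRITE, JOB_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE.
    /// </summary>
    JOB_WRITE = (STANDARD_RIGHTS.WRITE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),

    /// <summary>
    /// Access rights for printers to perform administrative tasks.
    /// </summary>
    PRINTER_ACCESS_ADMINISTER = 0x00000004,

    /// <summary>
    /// Access rights for printers to perform basic printing operations.
    /// </summary>
    PRINTER_ACCESS_USE = 0x00000008,

    /// <summary>
    /// Access rights for printers to perform all administrative tasks and basic printing operations except SYNCHRONIZE.
    /// Combines STANDARD_RIGHTS_REQUIRED, PRINTER_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_ALL_ACCESS = (STANDARD_RIGHTS.required | PRINTER_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),

    /// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_EXECUTE and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_EXECUTE = (STANDARD_RIGHTS.EXECUTE | PRINTER_ACCESS_USE),

    /// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_READ and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_READ = (STANDARD_RIGHTS.READ | PRINTER_ACCESS_USE),

    /// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_WRITE and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_WRITE = (STANDARD_RIGHTS.WRITE | PRINTER_ACCESS_USE),

    /// <summary>
    /// Access rights to administer print servers.
    /// </summary>
    SERVER_ACCESS_ADMINISTER = 0x00000001,

    /// <summary>
    /// Access rights to enumerate print servers.
    /// </summary>
    SERVER_ACCESS_ENUMERATE = 0x00000002,

    /// <summary>
    /// Access rights for print servers to perform all administrative tasks and basic printing operations except SYNCHRONIZE.
    /// Combines STANDARD_RIGHTS_REQUIRED, SERVER_ACCESS_ADMINISTER, and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_ALL_ACCESS = (STANDARD_RIGHTS.required | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE),

    /// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_EXECUTE and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_EXECUTE = (STANDARD_RIGHTS.EXECUTE | SERVER_ACCESS_ENUMERATE),

    /// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_READ and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_READ = (STANDARD_RIGHTS.READ | SERVER_ACCESS_ENUMERATE),

    /// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_WRITE, SERVER_ACCESS_ADMINISTER, and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_WRITE = (STANDARD_RIGHTS.WRITE | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE),

    /// <summary>
    /// Mask covering every object-specific right (bits 0-15).
    /// </summary>
    SPECIFIC_RIGHTS_ALL = 0x0000ffff,
    #endregion

    #region Bits 16-23: Standard Rights
    /// <summary>
    /// The right to delete the object.
    /// </summary>
    DELETE = BASE_RIGHTS.DELETE,

    /// <summary>
    /// The right to read the information in the object's security descriptor, not including the information in the SACL.
    /// </summary>
    READ_CONTROL = BASE_RIGHTS.READ_CONTROL,

    /// <summary>
    /// The right to modify the DACL in the object's security descriptor.
    /// </summary>
    WRITE_DAC = BASE_RIGHTS.WRITE_DAC,

    /// <summary>
    /// The right to change the owner in the object's security descriptor.
    /// </summary>
    WRITE_OWNER = BASE_RIGHTS.WRITE_OWNER,

    /// <summary>
    /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.
    /// Some object types do not support this access right.
    /// </summary>
    SYNCHRONIZE = BASE_RIGHTS.SYNCHRONIZE,

    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
    /// This is STANDARD_RIGHTS_REQUIRED in the Windows SDK; the member keeps
    /// its lower-case spelling because <see cref="STANDARD_RIGHTS.required"/> uses it.
    /// </summary>
    STANDARD_required = STANDARD_RIGHTS.required,

    /// <summary>
    /// Currently defined to equal READ_CONTROL.
    /// </summary>
    STANDARD_READ = STANDARD_RIGHTS.READ,

    /// <summary>
    /// Currently defined to equal READ_CONTROL.
    /// </summary>
    STANDARD_WRITE = STANDARD_RIGHTS.WRITE,

    /// <summary>
    /// Currently defined to equal READ_CONTROL.
    /// </summary>
    STANDARD_EXECUTE = STANDARD_RIGHTS.EXECUTE,

    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.
    /// </summary>
    STANDARD_ALL = STANDARD_RIGHTS.ALL,
    #endregion

    #region Bit  24...: Access System Security
    /// <summary>
    /// Access system security (ACCESS_SYSTEM_SECURITY in the Windows SDK). It is used to indicate access to a
    /// system access control list (SACL). This type of access requires the calling process to have the
    /// SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask
    /// of an audit access ACE (successful or unsuccessful access), the SACL access will be audited.
    /// </summary>
    ACCESS_SYstem_Security = 0x01000000,
    #endregion

    #region Bit  25...: Maximum allowed
    /// <summary>
    /// Maximum allowed (MAXIMUM_ALLOWED).
    /// </summary>
    MAXIMUM_ALLOWED = 0x02000000,
    #endregion

    #region Bits 26-27: Reserved
    #endregion

    #region Bits 28-31: Generic Rights
    // Generic rights are not decoded by the specific/standard masks above;
    // the system maps them onto those masks via the object's generic mapping,
    // so an ACE carrying only a generic bit still grants real access.

    /// <summary>
    /// Generic all.
    /// </summary>
    GENERIC_ALL = 0x10000000,

    /// <summary>
    /// Generic execute.
    /// </summary>
    GENERIC_EXECUTE = 0x20000000,

    /// <summary>
    /// Generic write.
    /// </summary>
    GENERIC_WRITE = 0x40000000,

    /// <summary>
    /// Generic read. The literal 0x80000000 does not fit a signed int, which
    /// is why this member used to be commented out; the unchecked cast keeps
    /// the bit pattern while staying within the enum's underlying type.
    /// </summary>
    GENERIC_READ = unchecked((int)0x80000000)
    #endregion
}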

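/// <summary>
/// Standard Access Rights: the five rights every securable object shares,
/// occupying bits 16-20 of an ACCESS_MASK.
/// </summary>
/// <remarks>
/// See http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx (Standard Access Rights).
/// </remarks>
[Flags]
public enum BASE_RIGHTS : int
{
    /// <summary>
    /// The right to delete the object.
    /// </summary>
    DELETE = 0x00010000,

    /// <summary>
    /// The right to read the information in the object's security descriptor, not including the information in the SACL.
    /// </summary>
    READ_CONTROL = 0x00020000,

    /// <summary>
    /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.
    /// Some object types do not support this access right.
    /// </summary>
    SYNCHRONIZE = 0x00100000,

    /// <summary>
    /// The right to modify the DACL in the object's security descriptor.
    /// </summary>
    WRITE_DAC = 0x00040000,

    /// <summary>
    /// The right to change the owner in the object's security descriptor.
    /// </summary>
    WRITE_OWNER = 0x00080000
}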

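/// <summary>
/// The STANDARD_RIGHTS_* groupings of <see cref="BASE_RIGHTS"/>: the generic
/// read/write/execute buckets and the required/all aggregates.
/// </summary>
/// <remarks>
/// See http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx (Standard Access Rights).
/// </remarks>
[Flags]
public enum STANDARD_RIGHTS : int
{
    /// <summary>
    /// Currently defined to equal READ_CONTROL.
    /// </summary>
    READ = BASE_RIGHTS.READ_CONTROL,

    /// <summary>
    /// Currently defined to equal READ_CONTROL.
    /// </summary>
    WRITE = BASE_RIGHTS.READ_CONTROL,

    /// <summary>
    /// Currently defined to equal READ_CONTROL.
    /// </summary>
    EXECUTE = BASE_RIGHTS.READ_CONTROL,

    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
    /// This is STANDARD_RIGHTS_REQUIRED in the Windows SDK; the member keeps
    /// its lower-case spelling because <see cref="ACCESS_MASK"/> refers to it by that name.
    /// </summary>
    required = (BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER),

    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.
    /// </summary>
    ALL = (BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.SYNCHRONIZE | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER)
}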
