如何解决无法过滤ACL.IdentityReference以排除某些模式?
以下脚本可以正常工作,以列出我的文件服务器目录中所有明确定义的ACL。但是,我需要排除以下对象和SID:
'NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER','Everyone','DOMAIN\SERVICE-AVScan,'S-1-5-21'
在下面的代码中,我需要排除具有上述模式的所有条目。到目前为止,这是我的代码。
$Excludes = 'NT AUTHORITY\SYSTEM','S-1-5-21'
$reExcludeObjects = '^({0})$' -f (($Excludes | ForEach-Object { [regex]::Escape($_) }) -join '|')
function Get-CustomDirInfo([IO.DirectoryInfo]$path,$parentAcl)
{
$containerInherit = [Security.AccessControl.InheritanceFlags]::ContainerInherit
$acl = (Get-Acl -Path $path.FullName).Access | Foreach-Object {
New-Object PSObject -Property @{
Path = $path.FullName;
IdentityReference = $_.IdentityReference;
FileSystemRights = $_.FileSystemRights;
IsInherited = $_.IsInherited;
InheritanceFlags = $_.InheritanceFlags;
InheritedFrom = if ($_.IsInherited)
{
if ($parentAcl)
{
$current = $_
$parentAce = $parentAcl.Access | Where-Object {
($current.IdentityReference -eq $_.IdentityReference) -and
($current.FileSystemRights -band $_.FileSystemRights) -and
($_.InheritanceFlags -band $containerInherit) -and
($_.IdentityReference -notmatch $reExcludeObjects)
}
if (!$parentAce -or ($parentAce.count -gt 1))
{
Write-Warning "Something is not right Parent ACE Count = $($parentAce.count) - $($path.FullName)"
#Export the broken direcotries path as unique entries
$BrokenACLDirectories += $path.FullName
$BrokenACLDirectories | Select-Object -exp FullName -Unique | OGV -Title "There are $($BrokenACLDirectories.Count) Broken Directories"
}
if ($parentAce.IsInherited)
{
$parentAce.InheritedFrom
}
else
{
Split-Path $path.FullName -Parent
}
}
else
{
"Unknown (Top:$($path.FullName))"
}
}
else {
"Not Inherited"
}
}
}
$acl
$inheritableAcl = $acl | Where-Object { $_.InheritanceFlags -band $containerInherit }
$path.FullName | Get-ChildItem | Where-Object { $_.PsIsContainer } | Foreach-Object { Get-CustomDirInfo $_ $inheritableAcl }
}
Get-CustomDirInfo (Get-Item C:\Users\Public) | ft Path,IdentityReference,FileSystemRights,IsInherited,InheritedFrom -Auto
这是我的IDE中的错误:
这是我停留的代码部分:
Where-Object {
($current.IdentityReference -eq $_.IdentityReference) -and
($current.FileSystemRights -band $_.FileSystemRights) -and
($_.InheritanceFlags -band $containerInherit) -and
($_.IdentityReference -notcontains $ExcludePattern )
}
解决方法
如果要将正则表达式-notmatch
与($_.IdentityReference -notmatch $reExcludeObJects)
一起使用,则需要先对exclude数组中的字符串进行转义,然后再与|
联接
$Excludes = 'NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER','DOMAIN\SERVICE-AVScan','Everyone','S-1-5-21'
$reExcludeObjects = '^({0})' -f (($Excludes | ForEach-Object { [regex]::Escape($_) }) -join '|')
$parentAce = $parentAcl.Access | Where-Object {
...
($_.IdentityReference -notmatch $reExcludeObjects)
...
}
如果要使用-notcontains
,请按原样使用$ Exclude数组,就像在Doug Maurer's helpful answer中一样
$Excludes = 'NT AUTHORITY\SYSTEM','S-1-5-21'
$parentAce = $parentAcl.Access | Where-Object {
...
($Excludes -notcontains $_.IdentityReference)
...
}
此外,我宁愿在函数内部创建一个$ Exclude数组(并且如果您也使用-notmatch
$ reExcludeObjects regex字符串),或者将该函数作为一个字符串发送到该函数新参数,但这取决于您。
我会让它变得不那么复杂,坚持使用原始的$ excludepattern并使用-notcontains或-notin
$ExcludePattern = @(
'NT AUTHORITY\SYSTEM','S-1-5-21'
)
(Get-Acl $item).Access | where IdentityReference -notin $ExcludePattern
或
$ExcludePattern = @(
'NT AUTHORITY\SYSTEM','S-1-5-21'
)
(Get-Acl $item).Access | where {$ExcludePattern -notcontains $_.IdentityReference}
编辑:
正如我评论的那样,您的函数非常复杂。让我们将其保留为最少的可重现示例。
对于这些示例,我将使用c:\ windows \ system32目录。
$item = 'c:\windows\system32'
现在我通常会看到
(Get-Acl $item).Access | select identityreference
IdentityReference
-----------------
CREATOR OWNER
NT AUTHORITY\SYSTEM
NT AUTHORITY\SYSTEM
BUILTIN\Administrators
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Users
NT SERVICE\TrustedInstaller
NT SERVICE\TrustedInstaller
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
然后在ContainerInherit
过滤之后,列表仅限于此
$containerInherit = [Security.AccessControl.InheritanceFlags]::ContainerInherit
(Get-Acl $item).Access | where {$_.InheritanceFlags -band $containerInherit} | select identityreference
IdentityReference
-----------------
CREATOR OWNER
NT AUTHORITY\SYSTEM
BUILTIN\Administrators
BUILTIN\Users
NT SERVICE\TrustedInstaller
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
最后,当与排除列表结合使用时。
(Get-Acl $item).Access | where {$_.InheritanceFlags -band $containerInherit} | where IdentityReference -notin $ExcludePattern | select identityreference
或
(Get-Acl $item).Access | where {$_.InheritanceFlags -band $containerInherit -and $_.IdentityReference -notin $ExcludePattern} | select identityreference
都生产
IdentityReference
-----------------
BUILTIN\Users
NT SERVICE\TrustedInstaller
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
测试清楚显示,创建者所有者,NT Authority \ SYSTEM和BUILTIN \ Administrators均已删除。替代-notcontains
(Get-Acl $item).Access | where {$_.InheritanceFlags -band $containerInherit -and $ExcludePattern -notcontains $_.IdentityReference} | select identityreference
IdentityReference
-----------------
BUILTIN\Users
NT SERVICE\TrustedInstaller
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
如果您在函数中看到不同的结果,建议将其分成较小的部分进行调试。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。