forked from scriptrunner/ActionPacks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathGet-FilMObjectPermissions_Html.ps1
118 lines (102 loc) · 3.77 KB
/
Get-FilMObjectPermissions_Html.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#Requires -Version 4.0
<#
.SYNOPSIS
Generates a report with the permissions of a folder or file
.DESCRIPTION
.NOTES
This PowerShell script was developed and optimized for ScriptRunner. The use of the scripts requires ScriptRunner.
The customer or user is authorized to copy the script from the repository and use them in ScriptRunner.
The terms of use for ScriptRunner do not apply to this script. In particular, ScriptRunner Software GmbH assumes no liability for the function,
the use and the consequences of the use of this freely available script.
PowerShell is a product of Microsoft Corporation. ScriptRunner is a product of ScriptRunner Software GmbH.
© ScriptRunner Software GmbH
.COMPONENT
Requires Library Script ReportLibrary from the Action Pack Reporting\_LIB_
.LINK
https://github.com/scriptrunner/ActionPacks/tree/master/WinFileManagement/_REPORTS_
.Parameter ObjectName
Specifies the folder or file name with the path
.Parameter ObjectClass
Specifies the type of the accounts
.EXAMPLE
#>
[CmdLetBinding()]
Param(
[Parameter(Mandatory = $true)]
[string]$ObjectName,
[Parameter(Mandatory = $true)]
[ValidateSet("All","Groups","Users")]
[string]$ObjectClass = "All"
)
$null = [System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices.AccountManagement')
try{
$Script:output=@()
[bool]$Script:IsGroup = $false
[bool]$Script:IsUser = $false
function CheckIdentity([string] $Name){
if($ObjectClass -eq "All"){
$Script:IsGroup=$true
$Script:IsUser=$true
return
}
$Script:IsGroup=$false
$Script:IsUser=$false
$tmp = New-Object System.Security.Principal.NTAccount($Name)
try{
$sid = $tmp.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
catch
{
return
}
if($sid -eq "S-1-1-0") # Everyone
{
$Script:IsGroup = $true
}
elseif($sid -eq "S-1-5-18") # System
{
$Script:IsGroup = $true
}
elseif($sid -eq "S-1-5-32-544") # Administrators
{
$Script:IsGroup = $true
}
elseif($sid -eq "S-1-5-11") # Authenticated Users
{
$Script:IsGroup = $true
}
elseif($sid -eq "S-1-5-4") # Interactive
{
$Script:IsGroup = $true
}
elseif($sid -eq "S-1-5-32-545") # Users
{
$Script:IsGroup = $true
}
else{
$tmp = New-Object System.Security.Principal.SecurityIdentifier ($sid)
$tmp = $tmp.Translate([System.Security.Principal.NTAccount]).Value
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $tmp.Split("\")[0])
$chk=[System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SID, $sid)
$Script:IsGroup = ($null -ne $chk)
$chk=[System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, [System.DirectoryServices.AccountManagement.IdentityType]::Sid, $sid)
$Script:IsUser = ($null -ne $chk)
}
}
$Script:acl = Get-Acl -Path $ObjectName -ErrorAction Stop
foreach($item in $Script:acl.Access){
CheckIdentity $item.IdentityReference
if($Script:IsGroup -eq $true -and $ObjectClass -ne "Users"){
$Script:output += $item
}
if($Script:IsUser -eq $true -and $ObjectClass -ne "Groups"){
$Script:output += $item
}
}
ConvertTo-ResultHtml -Result $Script:output
}
catch{
throw
}
finally{
}