Powershell:了解打印机 DACL


我正在尝试读取并最终写入从我的打印服务器共享的打印机的 DACL。根据在互联网上找到的脚本,以下是我目前所做的:

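    # Map each composite right shown on the printer Security tab (keyed by its decimal
# access mask) to a display name. Every value spans several bits, so an ACE grants the
# right only when ALL of those bits are present; see Get-PrinterRightNames.
$pace = DATA {
ConvertFrom-StringData -StringData @'
983052 = ManagePrinters
983088 = ManageDocuments
131080 = Print 
524288 = TakeOwnership
131072 = ReadPermissions
262144 = ChangePermissions 
'@
}
$flags = @(983052, 983088, 131080, 524288, 131172 - 100, 262144)

function Get-PrinterRightNames
{
    # Returns the display name of every right in $flags that is fully contained in
    # $AccessMask, in $flags order.
    # The original test, "if ($mask -band $flag)", is true as soon as ANY bit is shared,
    # so a plain Print ACE (131080 = READ_CONTROL | PRINTER_ACCESS_USE) was also reported
    # as ManagePrinters and ManageDocuments. Composite rights need an equality check.
    param([int64]$AccessMask)

    foreach ($flag in $flags)
    {
        if (($AccessMask -band $flag) -eq $flag)
        {
            $pace["$($flag)"]
        }
    }
}

$printers = Get-WmiObject -Class Win32_Printer -ComputerName "NAME"
"Got Printers"

foreach ($printer in $printers)
{
     ""
     "Printer:  $($printer.DeviceID)"

    $sd = $printer.GetSecurityDescriptor()
    # A non-zero ReturnValue means the descriptor was not read (typically access denied);
    # say so instead of silently reporting an absent DACL as "no permissions".
    if ($sd.ReturnValue -ne 0)
    {
        "GetSecurityDescriptor failed with return value $($sd.ReturnValue)"
        continue
    }
    foreach ($obj3 in $sd.Descriptor.DACL)
    {
        ""
        "$($obj3.Trustee.Domain) $($obj3.Trustee.Name)"
        # AceType 1 is an access-denied ACE: the same mask bits REMOVE the listed rights,
        # so the type must be shown next to the names. AceFlags carries the inheritance
        # bits, which is one reason the same trustee can appear twice with different masks.
        "AceType: $($obj3.AceType)  AceFlags: $($obj3.AceFlags)  AccessMask: $($obj3.AccessMask)"
        Get-PrinterRightNames -AccessMask $obj3.AccessMask
    }
}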

但是,我无法理解输出。似乎除了 Creator Owner 之外,每个域/名称对都有重复的条目。但是,重复项的访问掩码与第一个不同。如果我想确认权限是我在打印机的安全选项卡中看到的,我想查看哪些条目?一旦我弄清楚要设置哪些访问掩码,写入新权限应该不成问题。

编辑:读取位掩码的循环似乎也存在问题。我从另一个应该可以工作的脚本中了解到了这一点。

编辑:这里有一些我试图理解的示例输出:

Got Printers

Printer:  printer

DOMAIN jshier
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

DOMAIN jshier
AccessMask: 983088
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

 CREATOR OWNER
AccessMask: 268435456

 Everyone
AccessMask: 131080
ManagePrinters
ManageDocuments
Print
ReadPermissions

 Everyone
AccessMask: 536870912

BUILTIN Administrators
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions

BUILTIN Administrators
AccessMask: 268435456

此输出与我在打印机的高级安全设置中看到的内容不匹配。例如,我的用户帐户的第一个条目应该具有除“管理文档”之外的所有权限。并且 Everyone 组应该只有一个条目,且仅具有“打印”和“读取权限”权限。我在 AccessMask 转换中遗漏了什么吗?

顺便说一句,这是 Win. Server 2008 R2。

答案1

在我看来,这听起来像是预期的行为。例如,如果您使用打印机管理控制台检查打印机安全性,您可能会注意到,对于给定的安全主体,有一个 ACE 条目,其中包含“打印”、“管理此打印机”和“管理文档”复选框。

但是,如果单击“高级安全”页面,则该安全主体可能会有两个 ACE,一个用于“管理此打印机”,另一个用于“管理文档”,并且通常还有一个授予 Everyone(所有人)打印权限的 ACE。

如果您对操作系统如何定义和解释这些权限感兴趣,下面是一种可能的表示方式。如您所见,“管理打印机”包含了其他几项权限,这可以解释您看到的输出。

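/// <summary>
/// The composite rights shown on a printer's Security tab, expressed as combinations of
/// <see cref="ACCESS_MASK"/> bits. Each member spans several bits, so an ACE grants a right
/// only when <c>(mask &amp; right) == right</c>, not merely when <c>(mask &amp; right) != 0</c>.
/// Values of another enum type are not implicitly convertible to <see cref="int"/> in an
/// enum initializer, hence the explicit casts.
/// </summary>
[Flags]
public enum PrinterRights : int
{
    None = 0,
    /// <summary>0x00020008 (131080): PRINTER_ACCESS_USE | READ_CONTROL.</summary>
    Print = (int)(ACCESS_MASK.PRINTER_ACCESS_USE | ACCESS_MASK.READ_CONTROL),
    /// <summary>0x000F0030 (983088): job administer/read plus the four standard rights.</summary>
    ManageDocuments = (int)(ACCESS_MASK.JOB_ACCESS_ADMINISTER | ACCESS_MASK.JOB_ACCESS_READ | ACCESS_MASK.DELETE | ACCESS_MASK.READ_CONTROL | ACCESS_MASK.WRITE_DAC | ACCESS_MASK.WRITE_OWNER),
    /// <summary>0x000F000C (983052): printer administer/use plus the four standard rights; a superset of <see cref="Print"/>.</summary>
    ManagePrinters = (int)(ACCESS_MASK.PRINTER_ACCESS_ADMINISTER | ACCESS_MASK.PRINTER_ACCESS_USE | ACCESS_MASK.DELETE | ACCESS_MASK.READ_CONTROL | ACCESS_MASK.WRITE_DAC | ACCESS_MASK.WRITE_OWNER),
    /// <summary>0x00020000 (131072).</summary>
    ReadPermissions = (int)ACCESS_MASK.READ_CONTROL,
    /// <summary>0x00040000 (262144).</summary>
    ChangePermissions = (int)ACCESS_MASK.WRITE_DAC,
    /// <summary>0x00080000 (524288).</summary>
    TakeOwnership = (int)ACCESS_MASK.WRITE_OWNER
}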

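/// <summary>
/// Print-spooler specific rights (bits 0-15), Windows standard rights (bits 16-23),
/// the SACL/maximum-allowed bits (24-25) and the generic rights (28-31), as a single
/// <see cref="int"/>-backed flags enum. Members that combine values from
/// <see cref="STANDARD_RIGHTS"/> or <see cref="BASE_RIGHTS"/> cast them to <c>int</c>
/// because a different enum type is not implicitly convertible inside an enum initializer.
/// </summary>
[Flags]
public enum ACCESS_MASK : int
{
    #region Bits 01-15: Specific Rights
    /// <summary>
    /// Authorization to cancel, pause, resume, or restart the job.
    /// </summary>
    JOB_ACCESS_ADMINISTER = 0x00000010,
    /// <summary>
    /// Read rights for the spool file.
    /// </summary>
    JOB_ACCESS_READ = 0x00000020,
    /// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_EXECUTE, JOB_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE.
    /// </summary>
    // NOTE(review): the JOB_* composites below are kept as the original author wrote them;
    // verify them against winspool.h before relying on them for anything but display.
    JOB_EXECUTE = ((int)STANDARD_RIGHTS.EXECUTE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_REQUIRED, JOB_ACCESS_READ, and JOB_ACCESS_ADMINISTER.
    /// </summary>
    JOB_READ = ((int)STANDARD_RIGHTS.REQUIRED | JOB_ACCESS_READ | JOB_ACCESS_ADMINISTER),
    /// <summary>
    /// Access rights for jobs combining STANDARD_RIGHTS_WRITE, JOB_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE.
    /// </summary>
    JOB_WRITE = ((int)STANDARD_RIGHTS.WRITE | JOB_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),


    /// <summary>
    /// Access rights for printers to perform administrative tasks.
    /// </summary>
    PRINTER_ACCESS_ADMINISTER = 0x00000004,
    /// <summary>
    /// Access rights for printers to perform basic printing operations.
    /// </summary>
    PRINTER_ACCESS_USE = 0x00000008,
    /// <summary>
    /// Access rights for printers to perform all administrative tasks and basic printing operations except SYNCHRONIZE. Combines STANDARD_RIGHTS_REQUIRED, PRINTER_ACCESS_ADMINISTER, and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_ALL_ACCESS = ((int)STANDARD_RIGHTS.REQUIRED | PRINTER_ACCESS_ADMINISTER | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_EXECUTE and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_EXECUTE = ((int)STANDARD_RIGHTS.EXECUTE | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_READ and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_READ = ((int)STANDARD_RIGHTS.READ | PRINTER_ACCESS_USE),
    /// <summary>
    /// Access rights for printers combining STANDARD_RIGHTS_WRITE and PRINTER_ACCESS_USE.
    /// </summary>
    PRINTER_WRITE = ((int)STANDARD_RIGHTS.WRITE | PRINTER_ACCESS_USE),


    /// <summary>
    /// Access rights to administer print servers.
    /// </summary>
    SERVER_ACCESS_ADMINISTER = 0x00000001,
    /// <summary>
    /// Access rights to enumerate print servers.
    /// </summary>
    SERVER_ACCESS_ENUMERATE = 0x00000002,
    /// <summary>
    /// Access rights for print servers to perform all administrative tasks and basic printing operations except SYNCHRONIZE. Combines STANDARD_RIGHTS_REQUIRED, SERVER_ACCESS_ADMINISTER, and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_ALL_ACCESS = ((int)STANDARD_RIGHTS.REQUIRED | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE),
    /// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_EXECUTE and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_EXECUTE = ((int)STANDARD_RIGHTS.EXECUTE | SERVER_ACCESS_ENUMERATE),
    /// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_READ and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_READ = ((int)STANDARD_RIGHTS.READ | SERVER_ACCESS_ENUMERATE),
    /// <summary>
    /// Access rights for print servers combining STANDARD_RIGHTS_WRITE, SERVER_ACCESS_ADMINISTER, and SERVER_ACCESS_ENUMERATE.
    /// </summary>
    SERVER_WRITE = ((int)STANDARD_RIGHTS.WRITE | SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE),

    /// <summary>
    /// Mask covering every object-specific right (bits 0-15).
    /// </summary>
    SPECIFIC_RIGHTS_ALL = 0x0000ffff,
    #endregion
    #region Bits 16-23: Standard Rights
    /// <summary>
    /// The right to delete the object.
    /// </summary>
    DELETE = (int)BASE_RIGHTS.DELETE,
    /// <summary>
    /// The right to read the information in the object's security descriptor, not including the information in the SACL.
    /// </summary>
    READ_CONTROL = (int)BASE_RIGHTS.READ_CONTROL,
    /// <summary>
    /// The right to modify the DACL in the object's security descriptor.
    /// </summary>
    WRITE_DAC = (int)BASE_RIGHTS.WRITE_DAC,
    /// <summary>
    /// The right to change the owner in the object's security descriptor.
    /// </summary>
    WRITE_OWNER = (int)BASE_RIGHTS.WRITE_OWNER,
    /// <summary>
    /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
    /// </summary>
    SYNCHRONIZE = (int)BASE_RIGHTS.SYNCHRONIZE,

    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access
    /// </summary>
    STANDARD_REQUIRED = (int)STANDARD_RIGHTS.REQUIRED,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    STANDARD_READ = (int)STANDARD_RIGHTS.READ,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    STANDARD_WRITE = (int)STANDARD_RIGHTS.WRITE,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    STANDARD_EXECUTE = (int)STANDARD_RIGHTS.EXECUTE,
    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access
    /// </summary>
    STANDARD_ALL = (int)STANDARD_RIGHTS.ALL,
    #endregion
    #region Bit  24...: Access System Security
    /// <summary>
    /// Access system security (ACCESS_SYSTEM_SECURITY). It is used to indicate access to a system access control list (SACL). This type of access requires the calling process to have the SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access), the SACL access will be audited.
    /// </summary>
    ACCESS_SYSTEM_SECURITY = 0x01000000,
    #endregion
    #region Bit  25...: Maximum allowed
    /// <summary>
    /// Maximum allowed (MAXIMUM_ALLOWED).
    /// </summary>
    MAXIMUM_ALLOWED = 0x02000000,
    #endregion
    #region Bits 26-27: Reserved
    #endregion
    #region Bits 28-31: Generic Rights
    /// <summary>
    /// Generic all (0x10000000). Generic bits are mapped to object-specific rights by the
    /// object's GENERIC_MAPPING; none of the <see cref="PrinterRights"/> composites contain them,
    /// so an ACE carrying only a generic bit reports no named printer right.
    /// </summary>
    GENERIC_ALL = 0x10000000,
    /// <summary>
    /// Generic execute
    /// </summary>
    GENERIC_EXECUTE = 0x20000000,
    /// <summary>
    /// Generic write
    /// </summary>
    GENERIC_WRITE = 0x40000000,
    /// <summary>
    /// Generic read. 0x80000000 does not fit in a positive <c>int</c>, which is why the
    /// original left this member commented out; an unchecked cast keeps the bit pattern.
    /// </summary>
    GENERIC_READ = unchecked((int)0x80000000)
    #endregion
}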

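/// <summary>
/// The five Windows standard access rights that occupy bits 16-20 of an access mask.
/// Every securable object (printers included) understands these bits; the
/// object-specific rights live in bits 0-15 and the composites built from these
/// values live in <see cref="STANDARD_RIGHTS"/>.
/// </summary>
/// <remarks>
/// Reference: Standard Access Rights,
/// <see href="http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx"/>
/// (a URL is not a valid <c>cref</c> target, so it is given as <c>href</c>).
/// </remarks>
[Flags]
public enum BASE_RIGHTS : int
{
    /// <summary>
    /// The right to delete the object.
    /// </summary>
    DELETE = 0x00010000,
    /// <summary>
    /// The right to read the information in the object's security descriptor, not including the information in the SACL.
    /// </summary>
    READ_CONTROL = 0x00020000,
    /// <summary>
    /// The right to modify the DACL in the object's security descriptor.
    /// </summary>
    WRITE_DAC = 0x00040000,
    /// <summary>
    /// The right to change the owner in the object's security descriptor.
    /// </summary>
    WRITE_OWNER = 0x00080000,
    /// <summary>
    /// The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
    /// </summary>
    SYNCHRONIZE = 0x00100000
}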

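/// <summary>
/// The STANDARD_RIGHTS_* composites defined in terms of <see cref="BASE_RIGHTS"/>.
/// READ, WRITE and EXECUTE are all currently just READ_CONTROL; REQUIRED is the four
/// rights every object must honour, ALL adds SYNCHRONIZE. A value of another enum type
/// is not implicitly convertible to <c>int</c> in an enum initializer, hence the casts.
/// </summary>
/// <remarks>
/// Reference: Standard Access Rights,
/// <see href="http://msdn2.microsoft.com/en-us/library/aa379607(VS.85).aspx"/>
/// </remarks>
[Flags]
public enum STANDARD_RIGHTS : int
{
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    READ = (int)BASE_RIGHTS.READ_CONTROL,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    WRITE = (int)BASE_RIGHTS.READ_CONTROL,
    /// <summary>
    /// Currently defined to equal READ_CONTROL
    /// </summary>
    EXECUTE = (int)BASE_RIGHTS.READ_CONTROL,
    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access (0x000F0000)
    /// </summary>
    REQUIRED = (int)(BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER),
    /// <summary>
    /// Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access (0x001F0000)
    /// </summary>
    ALL = (int)(BASE_RIGHTS.DELETE | BASE_RIGHTS.READ_CONTROL | BASE_RIGHTS.SYNCHRONIZE | BASE_RIGHTS.WRITE_DAC | BASE_RIGHTS.WRITE_OWNER)
}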
