使用 cacls 命令时的帐户名称语法

tag-icon tag-icon windows
使用 cacls 命令时的帐户名称语法

我一直在想办法获取可用的用户名cacls /g 用户名:right命令授予特定用户对文件和目录的权限。我遇到了一些障碍,因为我的计算机上存在一些帐户,例如 SYSTEM 帐户:

C:\Windows\system32>wmic sysaccount get Name
...
SYSTEM
...

但是 cacls 的 /g 选项仅适用于NT AUTHORITY\SYSTEM,因此它需要 NT AUTHORITY 域前缀。我的问题是,如何从我的 wmic 查询中确定任何帐户(例如 SYSTEM)的此前缀?如何使用 cacls 的 /g 选项获取所有可用的帐户名称?

我确实发现 SysInternals(当然,他们是低级操作系统工具的大师)有一个名为psgetsid它将会输出 SYSTEM 帐户的 SID 以及它的其他别名,NT AUTHORITY/SYSTEM但我希望有一种更标准的方法来获取这个名称:

C:\Users\User\Downloads\PSTools>psgetsid SYSTEM

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for NT AUTHORITY\SYSTEM:
S-1-5-18

答案1

运行以下 PowerShell 脚本:

# Normal users:
get-wmiobject -class "win32_account" -namespace "root\cimv2" | where-object{$_.sidtype -eq 1} | sort name | foreach {Write-Host $env:computername\$($_.Name)}
# Normal groups:
get-wmiobject -class "win32_account" -namespace "root\cimv2" | where-object{$_.sidtype -eq 4} | where-object{$_.sid.length -gt 15} | sort name | foreach {Write-Host $env:computername\$($_.Name)}
# Builtin groups:
get-wmiobject -class "win32_account" -namespace "root\cimv2" | where-object{$_.sidtype -eq 4 -and $_.SID -Match "^S-1-5-32-(\d){3}$" } | sort name | foreach {Write-Host BUILTIN\$($_.Name)}
# Special accounts:
get-wmiobject -class "win32_account" -namespace "root\cimv2" | where-object{$_.sidtype -eq 5} | sort name | foreach {Write-Host NT AUTHORITY\$($_.Name)}
# Service accounts:
get-service | foreach {Write-Host NT Service\$($_.Name)}
# only if you have IIS with scripting installed:
Get-WebConfiguration system.applicationHost/applicationPools/* | where {$_.ProcessModel.identitytype -eq 'ApplicationPoolIdentity'} | foreach {Write-Host IIS APPPOOL\$($_.Name)}
# Only if you have Hyper-V installed
get-vm | foreach {Write-Host NT VIRTUAL MACHINE\$($_.Id)}

# Odd ones:
"NT VIRTUAL MACHINE\Virtual Machines"
"NT AUTHORITY\Local account and member of Administrators group"
"NT AUTHORITY\Local account"
"NT AUTHORITY\This Organization Certificate"
"APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES"
"CONSOLE LOGON"

这仅适用于本地计算机,在 AD 域中有更多的帐户,有更多信息我在 superuser.com 上回答过这个问题

相关内容