我正在编写一个脚本,用于获取 Active Directory 林中所有 GPO 的审核设置。我通过以下方式获取了大部分所需信息:
Get-Gpo -All |
ForEach-Object {$GPO = $_.DisplayName; Get-Acl -Path ("AD:\" + $_.Path) -Audit |
Select-Object @{n="GPO";e={$GPO}},PSChildName,AuditToString,Audit,AccessToString,sddl} |
select GPO,AuditToString,AccessToString,sddl |
Format-list |
out-file C:\Users\scott\Desktop\gpo_acl.txt
输出如下:
GPO : Server 2019
AuditToString : Everyone Success
Everyone Failure
Everyone Success
Everyone Success
Sddl : PAI(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;LCRPLORC;;;ED)
GPO : Computer Quarantine
AuditToString : Everyone Success
Everyone Failure
Everyone Success
Everyone Success
Sddl : PAI(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;LCRPLORC;;;ED)
(我截断了 Sddl 输出,因为它会公开我不想公开的信息。)我现在试图实现的是让 Sddl 输出更易于阅读。我可以手动将 Sddl 输出复制到以下命令中:
ConvertFrom-SddlString -sddl "PAI(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;LCRPLORC;;;ED)" -type ActiveDirectoryRights |
Select-Object -ExpandProperty DiscretionaryAcl
它给了我看起来更漂亮的输出,如下所示:
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\Authenticated Users: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\SYSTEM: AccessAllowed (CreateChild, Delete, DeleteChild, DeleteTree, ExecuteKey, FullControl, GenericExecute, GenericRead, GenericWrite, ListChildren, ListObject, Read, ReadAndExecute, ReadControl, ReadProperty, Self, WriteDacl, WriteKey, WriteOwner, WriteProperty)
我试图在开头发布的 for-each 循环中获得更好的输出。一位同事建议在 select-object 的末尾添加此哈希表:
Get-Gpo -All |
ForEach-Object {$GPO = $_.DisplayName; Get-Acl -Path ("AD:\" + $_.Path) -Audit |
Select-Object @{n="GPO";e={$GPO}},PSChildName,AuditToString,Audit,AccessToString,sddl @{n="SDDLString";e={ConvertFrom-SddlString($_.sddl)}}} |
select GPO,AuditToString,AccessToString,sddl |
Format-list |
out-file C:\Users\scott\Desktop\gpo_acl.txt
但它打印的是对象的名称而不是内容。理想情况下,我希望输出看起来像这样:
GPO : Server 2019
AuditToString : Everyone Success
Everyone Failure
Everyone Success
Everyone Success
Sddl : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\Authenticated Users: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\SYSTEM: AccessAllowed (CreateChild, Delete, DeleteChild, DeleteTree, ExecuteKey, FullControl, GenericExecute, GenericRead, GenericWrite, ListChildren, ListObject, Read, ReadAndExecute, ReadControl, ReadProperty, Self, WriteDacl, WriteKey, WriteOwner, WriteProperty)
GPO : Computer Quarantine
AuditToString : Everyone Success
Everyone Failure
Everyone Success
Everyone Success
Sddl : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\Authenticated Users: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\SYSTEM: AccessAllowed (CreateChild, Delete, DeleteChild, DeleteTree, ExecuteKey, FullControl, GenericExecute, GenericRead, GenericWrite, ListChildren, ListObject, Read, ReadAndExecute, ReadControl, ReadProperty, Self, WriteDacl, WriteKey, WriteOwner, WriteProperty)
如有任何建议,我们将非常感激。
答案1
我认为这可能会让你更接近你所期望的东西;我相信你可以自己回到 Out-File 中:
Get-Gpo -All |
ForEach-Object {$GPO = $_.DisplayName; Get-Acl -Path ("AD:\" + $_.Path) -Audit |
Select-Object -Property `
@{n="GPO";e={$GPO}}, `
AuditToString, `
@{n="SDDLString";e={(ConvertFrom-SddlString -Sddl $_.Sddl).SystemAcl}}
} | Format-List
注意换行符;它们在这里只是为了让你不必侧滚动