Fix SID Lookup Issues on Assorted Windows Modules (#28979)
* fix sid lookup issues and update copyright/license to latest format * simplify win_owner and win_share by removing unnecessary function
This commit is contained in:
parent
4af8c6852f
commit
8f050d3719
7 changed files with 52 additions and 332 deletions
|
@ -1,113 +1,43 @@
|
||||||
#!powershell
|
#!powershell
|
||||||
# This file is part of Ansible
|
|
||||||
#
|
|
||||||
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
|
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
|
||||||
# Copyright 2015, Trond Hindenes
|
# Copyright 2015, Trond Hindenes
|
||||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||||
#
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
# Ansible is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
#Requires -Module Ansible.ModuleUtils.Legacy.psm1
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
#Requires -Module Ansible.ModuleUtils.SID.psm1
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# Ansible is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
# WANT_JSON
|
|
||||||
# POWERSHELL_COMMON
|
|
||||||
|
|
||||||
# win_acl module (File/Resources Permission Additions/Removal)
|
# win_acl module (File/Resources Permission Additions/Removal)
|
||||||
|
|
||||||
|
|
||||||
#Functions
|
#Functions
|
||||||
Function UserSearch
|
function Get-UserSID {
|
||||||
{
|
param(
|
||||||
Param ([string]$accountName)
|
[String]$AccountName
|
||||||
#Check if there's a realm specified
|
)
|
||||||
|
|
||||||
$searchDomain = $false
|
$userSID = $null
|
||||||
$searchDomainUPN = $false
|
$searchAppPools = $false
|
||||||
$SearchAppPools = $false
|
|
||||||
if ($accountName.Split("\").count -gt 1)
|
|
||||||
{
|
|
||||||
if ($accountName.Split("\")[0] -eq $env:COMPUTERNAME)
|
|
||||||
{
|
|
||||||
|
|
||||||
}
|
if ($AccountName.Split("\").Count -gt 1) {
|
||||||
elseif ($accountName.Split("\")[0] -eq "IIS APPPOOL")
|
if ($AccountName.Split("\")[0] -eq "IIS APPPOOL") {
|
||||||
{
|
$searchAppPools = $true
|
||||||
$SearchAppPools = $true
|
$AccountName = $AccountName.Split("\")[1]
|
||||||
$accountName = $accountName.split("\")[1]
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$searchDomain = $true
|
|
||||||
$accountName = $accountName.split("\")[1]
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Elseif ($accountName.contains("@"))
|
|
||||||
{
|
|
||||||
$searchDomain = $true
|
|
||||||
$searchDomainUPN = $true
|
|
||||||
}
|
|
||||||
Else
|
|
||||||
{
|
|
||||||
#Default to local user account
|
|
||||||
$accountName = $env:COMPUTERNAME + "\" + $accountName
|
|
||||||
}
|
|
||||||
|
|
||||||
if (($searchDomain -eq $false) -and ($SearchAppPools -eq $false))
|
if ($searchAppPools) {
|
||||||
{
|
Import-Module -Name WebAdministration
|
||||||
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
|
$testIISPath = Test-Path -Path "IIS:"
|
||||||
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName}
|
if ($testIISPath) {
|
||||||
if ($localaccount)
|
$appPoolObj = Get-ItemProperty -Path "IIS:\AppPools\$AccountName"
|
||||||
{
|
$userSID = $appPoolObj.applicationPoolSid
|
||||||
return $localaccount.SID
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Elseif ($SearchAppPools -eq $true)
|
else {
|
||||||
{
|
$userSID = Convert-ToSID -account_name $AccountName
|
||||||
Import-Module WebAdministration
|
|
||||||
$testiispath = Test-path "IIS:"
|
|
||||||
if ($testiispath -eq $false)
|
|
||||||
{
|
|
||||||
return $null
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$apppoolobj = Get-ItemProperty IIS:\AppPools\$accountName
|
|
||||||
return $apppoolobj.applicationPoolSid
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
Else
|
|
||||||
{
|
|
||||||
#Search by samaccountname
|
|
||||||
$Searcher = [adsisearcher]""
|
|
||||||
|
|
||||||
If ($searchDomainUPN -eq $false) {
|
return $userSID
|
||||||
$Searcher.Filter = "sAMAccountName=$($accountName)"
|
|
||||||
}
|
|
||||||
Else {
|
|
||||||
$Searcher.Filter = "userPrincipalName=$($accountName)"
|
|
||||||
}
|
|
||||||
|
|
||||||
$result = $Searcher.FindOne()
|
|
||||||
if ($result)
|
|
||||||
{
|
|
||||||
$user = $result.GetDirectoryEntry()
|
|
||||||
|
|
||||||
# get binary SID from AD account
|
|
||||||
$binarySID = $user.ObjectSid.Value
|
|
||||||
|
|
||||||
# convert to string SID
|
|
||||||
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Need to adjust token privs when executing Set-ACL in certain cases.
|
# Need to adjust token privs when executing Set-ACL in certain cases.
|
||||||
|
@ -234,9 +164,8 @@ If (-Not (Test-Path -Path $path)) {
|
||||||
}
|
}
|
||||||
|
|
||||||
# Test that the user/group is resolvable on the local machine
|
# Test that the user/group is resolvable on the local machine
|
||||||
$sid = UserSearch -AccountName ($user)
|
$sid = Get-UserSID -AccountName $user
|
||||||
if (!$sid)
|
if (!$sid) {
|
||||||
{
|
|
||||||
Fail-Json $result "$user is not a valid user or group on the host machine or domain"
|
Fail-Json $result "$user is not a valid user or group on the host machine or domain"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -260,14 +189,14 @@ Try {
|
||||||
|
|
||||||
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$inherit
|
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$inherit
|
||||||
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]$propagation
|
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]$propagation
|
||||||
|
|
||||||
If ($type -eq "allow") {
|
If ($type -eq "allow") {
|
||||||
$objType =[System.Security.AccessControl.AccessControlType]::Allow
|
$objType =[System.Security.AccessControl.AccessControlType]::Allow
|
||||||
}
|
}
|
||||||
Else {
|
Else {
|
||||||
$objType =[System.Security.AccessControl.AccessControlType]::Deny
|
$objType =[System.Security.AccessControl.AccessControlType]::Deny
|
||||||
}
|
}
|
||||||
|
|
||||||
$objUser = New-Object System.Security.Principal.SecurityIdentifier($sid)
|
$objUser = New-Object System.Security.Principal.SecurityIdentifier($sid)
|
||||||
If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
|
If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
|
||||||
$objACE = New-Object System.Security.AccessControl.RegistryAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
|
$objACE = New-Object System.Security.AccessControl.RegistryAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
|
||||||
|
@ -276,7 +205,7 @@ Try {
|
||||||
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
|
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
|
||||||
}
|
}
|
||||||
$objACL = Get-ACL $path
|
$objACL = Get-ACL $path
|
||||||
|
|
||||||
# Check if the ACE exists already in the objects ACL list
|
# Check if the ACE exists already in the objects ACL list
|
||||||
$match = $false
|
$match = $false
|
||||||
|
|
||||||
|
@ -300,7 +229,7 @@ Try {
|
||||||
Break
|
Break
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
|
If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
|
||||||
$match = $true
|
$match = $true
|
||||||
Break
|
Break
|
||||||
}
|
}
|
||||||
|
@ -335,11 +264,11 @@ Try {
|
||||||
# A rule didn't exist that was trying to be removed
|
# A rule didn't exist that was trying to be removed
|
||||||
Else {
|
Else {
|
||||||
Exit-Json $result "the specified rule does not exist"
|
Exit-Json $result "the specified rule does not exist"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Catch {
|
Catch {
|
||||||
Fail-Json $result "an error occurred when attempting to $state $rights permission(s) on $path for $user - $($_.Exception.Message)"
|
Fail-Json $result "an error occurred when attempting to $state $rights permission(s) on $path for $user - $($_.Exception.Message)"
|
||||||
}
|
}
|
||||||
|
|
||||||
Exit-Json $result
|
Exit-Json $result
|
||||||
|
|
|
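Review bot: The app-pool lookup in Get-UserSID passes the module-supplied name through `Get-ItemProperty -Path "IIS:\AppPools\$AccountName"`, and -Path is wildcard-aware, so a name containing `*`, `?` or `[` could match a different pool's SID or surface as a provider error rather than a clean $null; `-LiteralPath` makes the lookup exact, and a null guard before reading `.applicationPoolSid` keeps a missing pool from turning into a property-access error. Whether the WebAdministration provider honours wildcards on this path should be confirmed on a host with IIS. I would change the two lines to `$appPoolObj = Get-ItemProperty -LiteralPath "IIS:\AppPools\$AccountName" -ErrorAction SilentlyContinue` and `if ($appPoolObj) { $userSID = $appPoolObj.applicationPoolSid }`. The function also lacks a header comment; something like `# Resolve an account name to a SID string: 'IIS APPPOOL\<name>' via the WebAdministration provider, anything else via Convert-ToSID; returns $null when no app pool matches.` would document the two paths.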
@ -1,27 +1,8 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
# -*- coding: utf-8 -*-
|
|
||||||
|
|
||||||
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
|
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
|
||||||
# Copyright 2015, Trond Hindenes
|
# Copyright 2015, Trond Hindenes
|
||||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||||
#
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
# This file is part of Ansible
|
|
||||||
#
|
|
||||||
# Ansible is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# Ansible is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
# this is a windows documentation stub. actual code lives in the .ps1
|
|
||||||
# file of the same name
|
|
||||||
|
|
||||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||||
'status': ['preview'],
|
'status': ['preview'],
|
||||||
|
|
|
@ -1,85 +1,9 @@
|
||||||
#!powershell
|
#!powershell
|
||||||
# This file is part of Ansible
|
|
||||||
#
|
|
||||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||||
#
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
# Ansible is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# Ansible is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
# WANT_JSON
|
#Requires -Module Ansible.ModuleUtils.Legacy.psm1
|
||||||
# POWERSHELL_COMMON
|
#Requires -Module Ansible.ModuleUtils.SID.psm1
|
||||||
|
|
||||||
#Functions
|
|
||||||
Function UserSearch
|
|
||||||
{
|
|
||||||
Param ([string]$accountName)
|
|
||||||
#Check if there's a realm specified
|
|
||||||
|
|
||||||
$searchDomain = $false
|
|
||||||
$searchDomainUPN = $false
|
|
||||||
if ($accountName.Split("\").count -gt 1)
|
|
||||||
{
|
|
||||||
if ($accountName.Split("\")[0] -ne $env:COMPUTERNAME)
|
|
||||||
{
|
|
||||||
$searchDomain = $true
|
|
||||||
$accountName = $accountName.split("\")[1]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Elseif ($accountName.contains("@"))
|
|
||||||
{
|
|
||||||
$searchDomain = $true
|
|
||||||
$searchDomainUPN = $true
|
|
||||||
}
|
|
||||||
Else
|
|
||||||
{
|
|
||||||
#Default to local user account
|
|
||||||
$accountName = $env:COMPUTERNAME + "\" + $accountName
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($searchDomain -eq $false)
|
|
||||||
{
|
|
||||||
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
|
|
||||||
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName}
|
|
||||||
if ($localaccount)
|
|
||||||
{
|
|
||||||
return $localaccount.SID
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Else
|
|
||||||
{
|
|
||||||
#Search by samaccountname
|
|
||||||
$Searcher = [adsisearcher]""
|
|
||||||
|
|
||||||
If ($searchDomainUPN -eq $false) {
|
|
||||||
$Searcher.Filter = "sAMAccountName=$($accountName)"
|
|
||||||
}
|
|
||||||
Else {
|
|
||||||
$Searcher.Filter = "userPrincipalName=$($accountName)"
|
|
||||||
}
|
|
||||||
|
|
||||||
$result = $Searcher.FindOne()
|
|
||||||
if ($result)
|
|
||||||
{
|
|
||||||
$user = $result.GetDirectoryEntry()
|
|
||||||
|
|
||||||
# get binary SID from AD account
|
|
||||||
$binarySID = $user.ObjectSid.Value
|
|
||||||
|
|
||||||
# convert to string SID
|
|
||||||
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$result = @{
|
$result = @{
|
||||||
changed = $false
|
changed = $false
|
||||||
|
@ -97,9 +21,8 @@ If (-Not (Test-Path -Path $path)) {
|
||||||
}
|
}
|
||||||
|
|
||||||
# Test that the user/group is resolvable on the local machine
|
# Test that the user/group is resolvable on the local machine
|
||||||
$sid = UserSearch -AccountName ($user)
|
$sid = Convert-ToSID -account_name $user
|
||||||
if (-not $sid)
|
if (!$sid) {
|
||||||
{
|
|
||||||
Fail-Json $result "$user is not a valid user or group on the host machine or domain"
|
Fail-Json $result "$user is not a valid user or group on the host machine or domain"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
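Review bot: The `if (!$sid)` guard after `$sid = Convert-ToSID -account_name $user` looks unreachable: the updated integration test in this commit now expects the failure text `account_name invalid-user is not a valid account, cannot get SID`, which suggests Convert-ToSID fails the module itself on an unresolvable name rather than returning $null, so the module's own `is not a valid user or group` message is never emitted for that case. If Convert-ToSID does Fail-Json internally, the guard and its message can be dropped; if it can also return $null on some path, keep the guard but say why, e.g. `# Convert-ToSID fails the module on an unknown account; this guards any $null it may still return`. The same pattern is in NormalizeAccounts in win_share.ps1 further down. I cannot see Ansible.ModuleUtils.SID here, so this is inferred from the test change.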
@ -1,25 +1,6 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
# -*- coding: utf-8 -*-
|
|
||||||
|
|
||||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||||
#
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
# This file is part of Ansible
|
|
||||||
#
|
|
||||||
# Ansible is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# Ansible is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
# this is a windows documentation stub. actual code lives in the .ps1
|
|
||||||
# file of the same name
|
|
||||||
|
|
||||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||||
'status': ['preview'],
|
'status': ['preview'],
|
||||||
|
|
|
@ -1,87 +1,12 @@
|
||||||
#!powershell
|
#!powershell
|
||||||
# This file is part of Ansible
|
|
||||||
|
|
||||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||||
#
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
# Ansible is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# Ansible is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
# WANT_JSON
|
#Requires -Module Ansible.ModuleUtils.Legacy.psm1
|
||||||
# POWERSHELL_COMMON
|
#Requires -Module Ansible.ModuleUtils.SID.psm1
|
||||||
|
|
||||||
#Functions
|
#Functions
|
||||||
Function UserSearch
|
Function NormalizeAccounts {
|
||||||
{
|
|
||||||
Param ([string]$accountName)
|
|
||||||
#Check if there's a realm specified
|
|
||||||
|
|
||||||
$searchDomain = $false
|
|
||||||
$searchDomainUPN = $false
|
|
||||||
if ($accountName.Split("\").count -gt 1)
|
|
||||||
{
|
|
||||||
if ($accountName.Split("\")[0] -ne $env:COMPUTERNAME)
|
|
||||||
{
|
|
||||||
$searchDomain = $true
|
|
||||||
$accountName = $accountName.split("\")[1]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Elseif ($accountName.contains("@"))
|
|
||||||
{
|
|
||||||
$searchDomain = $true
|
|
||||||
$searchDomainUPN = $true
|
|
||||||
}
|
|
||||||
Else
|
|
||||||
{
|
|
||||||
#Default to local user account
|
|
||||||
$accountName = $env:COMPUTERNAME + "\" + $accountName
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($searchDomain -eq $false)
|
|
||||||
{
|
|
||||||
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
|
|
||||||
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName}
|
|
||||||
if ($localaccount)
|
|
||||||
{
|
|
||||||
return $localaccount.SID
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Else
|
|
||||||
{
|
|
||||||
#Search by samaccountname
|
|
||||||
$Searcher = [adsisearcher]""
|
|
||||||
|
|
||||||
If ($searchDomainUPN -eq $false) {
|
|
||||||
$Searcher.Filter = "sAMAccountName=$($accountName)"
|
|
||||||
}
|
|
||||||
Else {
|
|
||||||
$Searcher.Filter = "userPrincipalName=$($accountName)"
|
|
||||||
}
|
|
||||||
|
|
||||||
$result = $Searcher.FindOne()
|
|
||||||
if ($result)
|
|
||||||
{
|
|
||||||
$user = $result.GetDirectoryEntry()
|
|
||||||
|
|
||||||
# get binary SID from AD account
|
|
||||||
$binarySID = $user.ObjectSid.Value
|
|
||||||
|
|
||||||
# convert to string SID
|
|
||||||
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Function NormalizeAccounts
|
|
||||||
{
|
|
||||||
param(
|
param(
|
||||||
[parameter(valuefrompipeline=$true)]
|
[parameter(valuefrompipeline=$true)]
|
||||||
$users
|
$users
|
||||||
|
@ -89,17 +14,17 @@ Function NormalizeAccounts
|
||||||
|
|
||||||
$users = $users.Trim()
|
$users = $users.Trim()
|
||||||
If ($users -eq "") {
|
If ($users -eq "") {
|
||||||
$splittedUsers = [Collections.Generic.List[String]] @()
|
$splitUsers = [Collections.Generic.List[String]] @()
|
||||||
}
|
}
|
||||||
Else {
|
Else {
|
||||||
$splittedUsers = [Collections.Generic.List[String]] $users.Split(",")
|
$splitUsers = [Collections.Generic.List[String]] $users.Split(",")
|
||||||
}
|
}
|
||||||
|
|
||||||
$normalizedUsers = [Collections.Generic.List[String]] @()
|
$normalizedUsers = [Collections.Generic.List[String]] @()
|
||||||
ForEach($splittedUser in $splittedUsers) {
|
ForEach($splitUser in $splitUsers) {
|
||||||
$sid = UserSearch $splittedUser
|
$sid = Convert-ToSID -account_name $splitUser
|
||||||
If (!$sid) {
|
if (!$sid) {
|
||||||
Fail-Json $result "$splittedUser is not a valid user or group on the host machine or domain"
|
Fail-Json $result "$splitUser is not a valid user or group on the host machine or domain"
|
||||||
}
|
}
|
||||||
|
|
||||||
$normalizedUser = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount])
|
$normalizedUser = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount])
|
||||||
|
|
|
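Review bot: Each entry handed to `Convert-ToSID -account_name $splitUser` is taken straight from `$users.Split(",")`, so a list written as `user1, user2` passes ` user2` with a leading space, because the `Trim()` above only strips the ends of the whole string, and the lookup may then fail on an account that does exist. This predates the commit, but since the call is being rewritten it is a good moment to trim per entry: `$sid = Convert-ToSID -account_name $splitUser.Trim()`. NormalizeAccounts continues past the end of this hunk.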
@ -1,25 +1,6 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
# -*- coding: utf-8 -*-
|
|
||||||
|
|
||||||
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
|
||||||
#
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
# This file is part of Ansible
|
|
||||||
#
|
|
||||||
# Ansible is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# Ansible is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
# this is a windows documentation stub. actual code lives in the .ps1
|
|
||||||
# file of the same name
|
|
||||||
|
|
||||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||||
'status': ['preview'],
|
'status': ['preview'],
|
||||||
|
|
|
@ -45,7 +45,7 @@
|
||||||
path: "{{test_win_owner_path}}"
|
path: "{{test_win_owner_path}}"
|
||||||
user: invalid-user
|
user: invalid-user
|
||||||
register: invalid_user
|
register: invalid_user
|
||||||
failed_when: invalid_user.msg != 'invalid-user is not a valid user or group on the host machine or domain'
|
failed_when: invalid_user.msg is not search("account_name invalid-user is not a valid account, cannot get SID.*")
|
||||||
|
|
||||||
- name: set owner defaults check
|
- name: set owner defaults check
|
||||||
win_owner:
|
win_owner:
|
||||||
|
|
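Review bot: The assertion now pins the wording of a message produced by the shared Ansible.ModuleUtils.SID util (`account_name invalid-user is not a valid account, cannot get SID`) rather than anything win_owner itself emits, so any rewording in that util breaks this module's integration test; a looser pattern such as `is not a valid account` would test the behaviour without coupling to the full sentence. The trailing `.*` is redundant with `search`, which is unanchored. This is inferred from the message text, since the util is not part of the diff.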