Added powershell SID utils for shared common code (#27091)
* Added powershell SID utils for shared common code * rebased from upstream and fixed up module util after change
This commit is contained in:
parent
adabefd016
commit
a695f30411
3 changed files with 159 additions and 0 deletions
|
@ -0,0 +1,85 @@
|
|||
# Copyright (c) 2017 Ansible Project
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
Function Convert-FromSID($sid) {
|
||||
# Converts a SID to a Down-Level Logon name in the form of DOMAIN\UserName
|
||||
# If the SID is for a local user or group then DOMAIN would be the server
|
||||
# name.
|
||||
|
||||
$account_object = New-Object System.Security.Principal.SecurityIdentifier($sid)
|
||||
try {
|
||||
$nt_account = $account_object.Translate([System.Security.Principal.NTAccount])
|
||||
} catch {
|
||||
Fail-Json -obj @{} -message "failed to convert sid '$sid' to a logon name: $($_.Exception.Message)"
|
||||
}
|
||||
|
||||
return $nt_account.Value
|
||||
}
|
||||
|
||||
Function Convert-ToSID($account_name) {
|
||||
# Converts an account name to a SID, it can take in the following forms
|
||||
# UPN:
|
||||
# principal@domain (Domain users only)
|
||||
# Down-Level Login Name
|
||||
# DOMAIN\principal (Domain)
|
||||
# SERVERNAME\principal (Local)
|
||||
# .\principal (Local)
|
||||
# NT AUTHORITY\SYSTEM (Local Service Accounts)
|
||||
# Login Name
|
||||
# principal (Local/Local Service Accounts)
|
||||
|
||||
if ($account_name -like "*\*") {
|
||||
$account_name_split = $account_name -split "\\"
|
||||
if ($account_name_split[0] -eq ".") {
|
||||
$domain = $env:COMPUTERNAME
|
||||
} else {
|
||||
$domain = $account_name_split[0]
|
||||
}
|
||||
$username = $account_name_split[1]
|
||||
} elseif ($account_name -like "*@*") {
|
||||
$account_name_split = $account_name -split "@"
|
||||
$domain = $account_name_split[1]
|
||||
$username = $account_name_split[0]
|
||||
} else {
|
||||
$domain = $null
|
||||
$username = $account_name
|
||||
}
|
||||
|
||||
if ($domain) {
|
||||
# searching for a local group with the servername prefixed will fail,
|
||||
# need to check for this situation and only use NTAccount(String)
|
||||
if ($domain -eq $env:COMPUTERNAME) {
|
||||
$adsi = [ADSI]("WinNT://$env:COMPUTERNAME,computer")
|
||||
$group = $adsi.psbase.children | Where-Object { $_.schemaClassName -eq "group" -and $_.Name -eq $username }
|
||||
} else {
|
||||
$group = $null
|
||||
}
|
||||
if ($group) {
|
||||
$account = New-Object System.Security.Principal.NTAccount($username)
|
||||
} else {
|
||||
$account = New-Object System.Security.Principal.NTAccount($domain, $username)
|
||||
}
|
||||
} else {
|
||||
# when in a domain NTAccount(String) will favour domain lookups check
|
||||
# if username is a local user and explictly search on the localhost for
|
||||
# that account
|
||||
$adsi = [ADSI]("WinNT://$env:COMPUTERNAME,computer")
|
||||
$user = $adsi.psbase.children | Where-Object { $_.schemaClassName -eq "user" -and $_.Name -eq $username }
|
||||
if ($user) {
|
||||
$account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $username)
|
||||
} else {
|
||||
$account = New-Object System.Security.Principal.NTAccount($username)
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
$account_sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
|
||||
} catch {
|
||||
Fail-Json @{} "account_name $account_name is not a valid account, cannot get SID: $($_.Exception.Message)"
|
||||
}
|
||||
|
||||
return $account_sid.Value
|
||||
}
|
||||
|
||||
# this line must stay at the bottom to ensure all defined module parts are exported
|
||||
Export-ModuleMember -Alias * -Function * -Cmdlet *
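Review bot: In Convert-FromSID the `New-Object System.Security.Principal.SecurityIdentifier($sid)` line sits outside the try block, so a malformed SID string (which this helper will receive straight from module parameters) raises an uncaught exception with a stack trace instead of the clean Fail-Json error the catch is written to produce; move that line inside the `try {` so construction and Translate share the same handler. In Convert-ToSID, `$account_name -split "\\"` followed by `[1]` silently discards anything after a second backslash, so an input such as `DOMAIN\user\extra` is resolved as `DOMAIN\user` rather than rejected; splitting into at most two parts with `$account_name_split = $account_name -split "\\", 2` lets the later Translate fail on the bad name instead of resolving a different principal than the caller named. The two Fail-Json calls also differ in style (named `-obj`/`-message` in Convert-FromSID, positional in Convert-ToSID); use one form for both. Fail-Json itself is defined outside this file, so the positional argument order at the second call is assumed to match the named form at the first.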
|