mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-26 13:56:09 -07:00 
			
		
		
		
	* Added powershell SID utils for shared common code * rebased from upstream and fixed up module util after change
		
			
				
	
	
		
			85 lines
		
	
	
	
		
			3.3 KiB
		
	
	
	
		
			PowerShell
		
	
	
	
	
	
			
		
		
	
	
			85 lines
		
	
	
	
		
			3.3 KiB
		
	
	
	
		
			PowerShell
		
	
	
	
	
	
| # Copyright (c) 2017 Ansible Project
 | |
| # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 | |
| 
 | |
| Function Convert-FromSID($sid) {
 | |
|     # Converts a SID to a Down-Level Logon name in the form of DOMAIN\UserName
 | |
|     # If the SID is for a local user or group then DOMAIN would be the server
 | |
|     # name.
 | |
| 
 | |
|     $account_object = New-Object System.Security.Principal.SecurityIdentifier($sid)
 | |
|     try {
 | |
|         $nt_account = $account_object.Translate([System.Security.Principal.NTAccount])
 | |
|     } catch {
 | |
|         Fail-Json -obj @{} -message "failed to convert sid '$sid' to a logon name: $($_.Exception.Message)"
 | |
|     }
 | |
|     
 | |
|     return $nt_account.Value
 | |
| }
 | |
| 
 | |
| Function Convert-ToSID($account_name) {
 | |
|     # Converts an account name to a SID, it can take in the following forms
 | |
|     # UPN:
 | |
|     #   principal@domain (Domain users only)
 | |
|     # Down-Level Login Name
 | |
|     #   DOMAIN\principal (Domain)
 | |
|     #   SERVERNAME\principal (Local)
 | |
|     #   .\principal (Local)
 | |
|     #   NT AUTHORITY\SYSTEM (Local Service Accounts)
 | |
|     # Login Name
 | |
|     #   principal (Local/Local Service Accounts)
 | |
| 
 | |
|     if ($account_name -like "*\*") {
 | |
|         $account_name_split = $account_name -split "\\"
 | |
|         if ($account_name_split[0] -eq ".") {
 | |
|             $domain = $env:COMPUTERNAME
 | |
|         } else {
 | |
|             $domain = $account_name_split[0]
 | |
|         }
 | |
|         $username = $account_name_split[1]
 | |
|     } elseif ($account_name -like "*@*") {
 | |
|         $account_name_split = $account_name -split "@"
 | |
|         $domain = $account_name_split[1]
 | |
|         $username = $account_name_split[0]
 | |
|     } else {
 | |
|         $domain = $null
 | |
|         $username = $account_name
 | |
|     }
 | |
| 
 | |
|     if ($domain) {
 | |
|         # searching for a local group with the servername prefixed will fail,
 | |
|         # need to check for this situation and only use NTAccount(String)
 | |
|         if ($domain -eq $env:COMPUTERNAME) {
 | |
|             $adsi = [ADSI]("WinNT://$env:COMPUTERNAME,computer")
 | |
|             $group = $adsi.psbase.children | Where-Object { $_.schemaClassName -eq "group" -and $_.Name -eq $username }
 | |
|         } else {
 | |
|             $group = $null
 | |
|         }
 | |
|         if ($group) {
 | |
|             $account = New-Object System.Security.Principal.NTAccount($username)
 | |
|         } else {
 | |
|             $account = New-Object System.Security.Principal.NTAccount($domain, $username)
 | |
|         }
 | |
|     } else {
 | |
|         # when in a domain NTAccount(String) will favour domain lookups check
 | |
|         # if username is a local user and explictly search on the localhost for
 | |
|         # that account
 | |
|         $adsi = [ADSI]("WinNT://$env:COMPUTERNAME,computer")
 | |
|         $user = $adsi.psbase.children | Where-Object { $_.schemaClassName -eq "user" -and $_.Name -eq $username }
 | |
|         if ($user) {
 | |
|             $account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $username)
 | |
|         } else {
 | |
|             $account = New-Object System.Security.Principal.NTAccount($username)
 | |
|         }
 | |
|     }
 | |
|     
 | |
|     try {
 | |
|         $account_sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
 | |
|     } catch {
 | |
|         Fail-Json @{} "account_name $account_name is not a valid account, cannot get SID: $($_.Exception.Message)"
 | |
|     }
 | |
|     
 | |
|     return $account_sid.Value
 | |
| }
 | |
| 
 | |
| # this line must stay at the bottom to ensure all defined module parts are exported
 | |
| Export-ModuleMember -Alias * -Function * -Cmdlet *
 |