@@ -56,18 +56,18 @@ function Get-DbaPrivilege {
5656 )
5757
5858 begin {
59- $ResolveSID = @'
60- function Convert-SIDToUserName ([string] $SID ) {
61- try {
62- $objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID)
63- $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
64- $objUser.Value
65- } catch {
66- $SID
67- }
68- }
69- '@
59+ function Convert-SIDToUserName ([string ] $SID ) {
60+ try {
61+ $objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID )
62+ $objUser = $objSID.Translate ([System.Security.Principal.NTAccount ])
63+ $objUser.Value
64+ } catch {
65+ $SID
66+ }
67+ }
68+
7069 $ComputerName = $ComputerName.ComputerName | Select-Object - Unique
70+
7171 }
7272 process {
7373 foreach ($computer in $ComputerName ) {
@@ -78,123 +78,96 @@ function Get-DbaPrivilege {
7878 }
7979
8080 try {
81- Write-Message - Level Verbose - Message " Exporting Privileges on $computer "
82- $null = Invoke-Command2 - Raw - ComputerName $computer - Credential $Credential - ScriptBlock {
81+ Write-Message - Level Verbose - Message " Exporting Privileges on $computer and cleaning up temporary files "
82+ $secPol = Invoke-Command2 - Raw - ComputerName $computer - Credential $Credential - ScriptBlock {
8383 $temp = ([System.IO.Path ]::GetTempPath()).TrimEnd(" "
8484 secedit / export / cfg $temp \secpolByDbatools.cfg > $null
85+ $CFG = Get-Content $temp \secpolByDbatools.cfg - Force
86+ Remove-Item $temp \secpolByDbatools.cfg - Force
87+ $CFG
8588 }
8689
8790 Write-Message - Level Verbose - Message " Getting Batch Logon Privileges on $computer "
88- $bl = Invoke-Command2 - Raw - ComputerName $computer - Credential $Credential - ArgumentList $ResolveSID - ScriptBlock {
89- param ($ResolveSID )
90- . ([ScriptBlock ]::Create($ResolveSID ))
91- $temp = ([System.IO.Path ]::GetTempPath()).TrimEnd(" "
92- $blEntries = (Get-Content $temp \secpolByDbatools.cfg | Where-Object {
93- $_ -like " SeBatchLogonRight*"
94- })
95-
96- if ($null -ne $blEntries ) {
97- $blEntries.Substring (20 ).Split(" ," | ForEach-Object {
98- if ($_ -match ' ^\*S-'
99- Convert-SIDToUserName - SID $_.TrimStart (' *'
100- } else {
101- $_
102- }
91+ $blEntries = $secPol | Where-Object { $_ -like " SeBatchLogonRight*"
92+
93+ $bl = if ($null -ne $blEntries ) {
94+ $blEntries.Substring (20 ).Split(" ," | ForEach-Object {
95+ if ($_ -match ' ^\*S-'
96+ Convert-SIDToUserName - SID $_.TrimStart (' *'
97+ } else {
98+ $_
10399 }
104100 }
105101 }
102+
106103 if ($bl.count -eq 0 ) {
107104 Write-Message - Level Verbose - Message " No users with Batch Logon Rights on $computer "
108105 }
109106
110107 Write-Message - Level Verbose - Message " Getting Instant File Initialization Privileges on $computer "
111- $ifi = Invoke-Command2 - Raw - ComputerName $computer - Credential $Credential - ArgumentList $ResolveSID - ScriptBlock {
112- param ($ResolveSID )
113- . ([ScriptBlock ]::Create($ResolveSID ))
114- $temp = ([System.IO.Path ]::GetTempPath()).TrimEnd(" "
115- $ifiEntries = (Get-Content $temp \secpolByDbatools.cfg | Where-Object {
116- $_ -like ' SeManageVolumePrivilege*'
117- })
118-
119- if ($null -ne $ifiEntries ) {
120- $ifiEntries.Substring (26 ).Split(" ," | ForEach-Object {
121- if ($_ -match ' ^\*S-'
122- Convert-SIDToUserName - SID $_.TrimStart (' *'
123- } else {
124- $_
125- }
108+ $ifiEntries = $secPol | Where-Object { $_ -like ' SeManageVolumePrivilege*'
109+
110+ $ifi = if ($null -ne $ifiEntries ) {
111+ $ifiEntries.Substring (26 ).Split(" ," | ForEach-Object {
112+ if ($_ -match ' ^\*S-'
113+ Convert-SIDToUserName - SID $_.TrimStart (' *'
114+ } else {
115+ $_
126116 }
127117 }
128118 }
119+
129120 if ($ifi.count -eq 0 ) {
130121 Write-Message - Level Verbose - Message " No users with Instant File Initialization Rights on $computer "
131122 }
132123
133124 Write-Message - Level Verbose - Message " Getting Lock Pages in Memory Privileges on $computer "
134- $lpim = Invoke-Command2 - Raw - ComputerName $computer - Credential $Credential - ArgumentList $ResolveSID - ScriptBlock {
135- param ($ResolveSID )
136- . ([ScriptBlock ]::Create($ResolveSID ))
137- $temp = ([System.IO.Path ]::GetTempPath()).TrimEnd(" "
138- $lpimEntries = (Get-Content $temp \secpolByDbatools.cfg | Where-Object {
139- $_ -like ' SeLockMemoryPrivilege*'
140- })
141-
142- if ($null -ne $lpimEntries ) {
143- $lpimEntries.Substring (24 ).Split(" ," | ForEach-Object {
144- if ($_ -match ' ^\*S-'
145- Convert-SIDToUserName - SID $_.TrimStart (' *'
146- } else {
147- $_
148- }
125+ $lpimEntries = $secPol | Where-Object { $_ -like ' SeLockMemoryPrivilege*'
126+
127+ $lpim = if ($null -ne $lpimEntries ) {
128+ $lpimEntries.Substring (24 ).Split(" ," | ForEach-Object {
129+ if ($_ -match ' ^\*S-'
130+ Convert-SIDToUserName - SID $_.TrimStart (' *'
131+ } else {
132+ $_
149133 }
150134 }
151135 }
136+
152137 if ($lpim.count -eq 0 ) {
153138 Write-Message - Level Verbose - Message " No users with Lock Pages in Memory Rights on $computer "
154139 }
155140
156141 Write-Message - Level Verbose - Message " Getting Generate Security Audits Privileges on $computer "
157- $gsa = Invoke-Command2 - Raw - ComputerName $computer - Credential $Credential - ArgumentList $ResolveSID - ScriptBlock {
158- param ($ResolveSID )
159- . ([ScriptBlock ]::Create($ResolveSID ))
160- $temp = ([System.IO.Path ]::GetTempPath()).TrimEnd(" "
161- $gsaEntries = (Get-Content $temp \secpolByDbatools.cfg | Where-Object {
162- $_ -like ' SeAuditPrivilege*'
163- })
164-
165- if ($null -ne $gsaEntries ) {
166- $gsaEntries.Substring (19 ).Split(" ," | ForEach-Object {
167- if ($_ -match ' ^\*S-'
168- Convert-SIDToUserName - SID $_.TrimStart (' *'
169- } else {
170- $_
171- }
142+ $gsaEntries = $secPol | Where-Object { $_ -like ' SeAuditPrivilege*'
143+
144+ $gsa = if ($null -ne $gsaEntries ) {
145+ $gsaEntries.Substring (19 ).Split(" ," | ForEach-Object {
146+ if ($_ -match ' ^\*S-'
147+ Convert-SIDToUserName - SID $_.TrimStart (' *'
148+ } else {
149+ $_
172150 }
173151 }
174152 }
153+
175154 if ($gsa.count -eq 0 ) {
176155 Write-Message - Level Verbose - Message " No users with Generate Security Audits Rights on $computer "
177156 }
178157
179158 Write-Message - Level Verbose - Message " Getting Logon as a service Privileges on $computer "
180- $los = Invoke-Command2 - Raw - ComputerName $computer - Credential $Credential - ArgumentList $ResolveSID - ScriptBlock {
181- param ($ResolveSID )
182- . ([ScriptBlock ]::Create($ResolveSID ))
183- $temp = ([System.IO.Path ]::GetTempPath()).TrimEnd(" "
184- $losEntries = (Get-Content $temp \secpolByDbatools.cfg | Where-Object {
185- $_ -like " SeServiceLogonRight*"
186- })
187-
188- if ($null -ne $losEntries ) {
189- $losEntries.Substring (22 ).split(" ," | ForEach-Object {
190- if ($_ -match ' ^\*S-'
191- Convert-SIDToUserName - SID $_.TrimStart (' *'
192- } else {
193- $_
194- }
159+ $losEntries = $secPol | Where-Object { $_ -like " SeServiceLogonRight*"
160+
161+ $los = if ($null -ne $losEntries ) {
162+ $losEntries.Substring (22 ).split(" ," | ForEach-Object {
163+ if ($_ -match ' ^\*S-'
164+ Convert-SIDToUserName - SID $_.TrimStart (' *'
165+ } else {
166+ $_
195167 }
196168 }
197169 }
170+
198171 if ($los.count -eq 0 ) {
199172 Write-Message - Level Verbose - Message " No users with Logon as a service Rights on $computer "
200173 }
@@ -211,11 +184,7 @@ function Get-DbaPrivilege {
211184 LogonAsAService = $los -contains $_
212185 }
213186 }
214- Write-Message - Level Verbose - Message " Removing secpol file on $computer "
215- Invoke-Command2 - Raw - ComputerName $computer - Credential $Credential - ScriptBlock {
216- $temp = ([System.IO.Path ]::GetTempPath()).TrimEnd(" "
217- Remove-Item $temp \secpolByDbatools.cfg - Force
218- }
187+
219188 } catch {
220189 Stop-Function - Continue - Message " Failure" - ErrorRecord $_ - Target $computer
221190 }
0 commit comments