Самый простой способ определить, есть ли у пользователя доступ к действиям в Active Directory

В настоящее время я использую оснастку Quest ActiveRoles Management, чтобы определить, имеет ли пользователь, выполняющий сценарий, доступ к различным операциям в нашем домене Active Directory. Мы делегируем доступ с помощью групп, поэтому я не проверяю, был ли пользователю явно предоставлен доступ; я проверяю только членство пользователя в группах, чтобы определить, есть ли у него доступ. Это работает отлично, но мне интересно, есть ли более простой (и более эффективный) способ сделать это (без покупки чего-либо). Ниже приведено описание каждой операции и код, который я использую. Буду признателен за любые конструктивные советы. Спасибо!

# Check for "write member" access to AD group ($shareReadGroup)
$shareReadGroup = "<AD group name>"
# Only the DACL is requested; that is the part of the security descriptor Get-QADPermission reads.
$shareReadGroup_SecurityMask = Get-QADObject $shareReadGroup -SecurityMask Dacl
# Trustees of type "group" holding WriteProperty on the "member" attribute,
# including inherited and schema-default ACEs.
# NOTE(review): nothing here filters on ACE type; if Get-QADPermission also returns Deny
# ACEs, their trustees would be counted as granted — confirm before relying on the result.
$shareReadGroup_WriteMember_Groups = ($shareReadGroup_SecurityMask |
    Get-QADPermission -Rights WriteProperty -Property 'member' -UseExtendedMatch -Inherited -SchemaDefault).Account |
    Where-Object -FilterScript { $_.Type -eq 'group' }
# Expand nested membership of those groups and look for the running user.
# $userRunningThisScript is defined outside this snippet.
$shareReadGroup_WriteMember_GroupMembers = $shareReadGroup_WriteMember_Groups | Get-QADGroupMember -Indirect
$shareReadGroup_WriteMember_AccessGranted = $shareReadGroup_WriteMember_GroupMembers |
    Where-Object -FilterScript { $_.sAMAccountName -eq $userRunningThisScript }

# Check for "create group" access for AD OU ($readGroupOU)
$readGroupOU = "<DN of AD OU>"
# Only the DACL is requested; that is the part of the security descriptor Get-QADPermission reads.
$readGroupOU_SecurityMask = Get-QADObject $readGroupOU -SecurityMask Dacl
# Trustees of type "group" holding CreateChild for Group objects under the OU,
# including inherited and schema-default ACEs.
# NOTE(review): nothing here filters on ACE type; if Get-QADPermission also returns Deny
# ACEs, their trustees would be counted as granted — confirm before relying on the result.
$readGroupOU_CreateGroup_Groups = ($readGroupOU_SecurityMask |
    Get-QADPermission -Rights CreateChild -ChildType Group -UseExtendedMatch -Inherited -SchemaDefault).Account |
    Where-Object -FilterScript { $_.Type -eq 'group' }
# Expand nested membership of those groups and look for the running user.
# $userRunningThisScript is defined outside this snippet.
$readGroupOU_CreateGroup_GroupMembers = $readGroupOU_CreateGroup_Groups | Get-QADGroupMember -Indirect
$readGroupOU_CreateGroup_AccessGranted = $readGroupOU_CreateGroup_GroupMembers |
    Where-Object -FilterScript { $_.sAMAccountName -eq $userRunningThisScript }

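# Check for "write description, write member" access for group objects within AD OU ($readGroupOU)
$readGroupOU = "<DN of AD OU>"
# Only the DACL is requested; that is the part of the security descriptor Get-QADPermission reads.
$readGroupOU_SecurityMask = Get-QADObject $readGroupOU -SecurityMask Dacl
# Trustees of type "group" holding WriteProperty on description/member of child Group objects,
# including inherited and schema-default ACEs.
# NOTE(review): nothing here filters on ACE type; if Get-QADPermission also returns Deny
# ACEs, their trustees would be counted as granted — confirm before relying on the result.
$readGroupOU_ManageGroups_Groups = ($readGroupOU_SecurityMask | Get-QADPermission -Rights WriteProperty -ChildType Group -UseExtendedMatch -Inherited -SchemaDefault -Property ("description","member")).Account | Where-Object {$_.Type -eq "group"}
# FIX: the original expanded $readGroupOU_CreateGroup_Groups (the result of the *create group*
# check above) here, so this check reported membership of the wrong set of groups. Expand the
# groups computed on the previous line instead.
$readGroupOU_ManageGroups_GroupMembers = $readGroupOU_ManageGroups_Groups | Get-QADGroupMember -Indirect
# $userRunningThisScript is defined outside this snippet.
$readGroupOU_ManageGroups_AccessGranted = $readGroupOU_ManageGroups_GroupMembers | Where-Object {$_.sAMAccountName -eq $userRunningThisScript}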


В итоге я написал функцию, упрощающую проверку разрешений и облегчающую понимание для всех. Вот код, если кому-то интересно.

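function Confirm-UserActiveDirectoryAccess {
    <#
        .SYNOPSIS
            Confirm that a user has the specified access to an AD object
        .DESCRIPTION
            This function simplifies the complex operation of determining whether a given user
            has a given level of access to an Active Directory object.  It assumes that all access
            rights should be considered, including inherited and schema default rights.

            Access is recognised in two ways: the user is named directly as the trustee of a
            matching ACE, or the user is a direct or nested member of a group named as the trustee.
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -ADobject TestGroup -Rights WriteProperty -Property member
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -User TestUser -ADobject OU=TestOU,DC=domain,DC=local -Rights CreateChild -ChildType Group
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -ADobject OU=TestOU,DC=domain,DC=local -Rights WriteProperty -ChildType Group -Property description,member
        .PARAMETER User
            The username (sAMAccountName) of the user whose access you wish to check.
            Defaults to the username of the account running the PowerShell session if not specified.
        .PARAMETER ADobject
            The DN, SID, GUID, UPN, or Domain\Name of the directory object you wish to check against.
        .PARAMETER Rights
            The rights you wish to check for (ReadProperty, WriteProperty, CreateChild, etc.).
            Refer to the -Rights property of the Get-QADPermission cmdlet for valid values.
        .PARAMETER ChildType
            Specify the child type if needing to determine permissions to children of an AD object (Group, User, Computer, etc.).
            Refer to the -ChildType property of the Get-QADPermission cmdlet for valid values.
        .PARAMETER Property
            One or more attributes of the AD object you wish to verify access to.
            These are the standard LDAP attribute names for a given object (sAMAccountName, member, ipPhone, etc.).
            A single string is still accepted; passing several names checks them in one call.
        .OUTPUTS
            System.Boolean. $True when a matching ACE names the user or one of the user's groups,
            $False otherwise (the original returned nothing at all in the negative case).
        .NOTES
            The ACE type (Allow vs. Deny) is not inspected here. If Get-QADPermission returns Deny
            ACEs as well, their trustees would be counted as granted — confirm before treating a
            $True result as an effective-access decision.
            Matching is done on sAMAccountName only, so the check presumes a single domain.
    #>
    [CmdletBinding()]
    [OutputType([bool])]
    param (
        [Parameter(Mandatory=$False)]
        [string]$User = [Environment]::UserName,

        [Parameter(Mandatory=$True,
            HelpMessage='Specify the DN, SID, GUID, UPN or Domain\Name of the directory object you want to find.')]
        [string]$ADobject,

        [Parameter(Mandatory=$True,
            HelpMessage='Exit this command and enter "Get-Help Get-QADPermission -Full", then refer to the -Rights parameter for valid values.')]
        [string]$Rights,

        [Parameter(Mandatory=$False)]
        [string]$ChildType,

        [Parameter(Mandatory=$False)]
        [string[]]$Property
    )

    # Common Get-QADPermission arguments; inherited and schema-default ACEs are always considered.
    $GetQADPermissionParams = @{
        Rights           = $Rights
        UseExtendedMatch = $True
        Inherited        = $True
        SchemaDefault    = $True
    }

    # Optional filters are only added when supplied, so the cmdlet's own defaults apply otherwise.
    If ($ChildType) { $GetQADPermissionParams['ChildType'] = $ChildType }
    If ($Property)  { $GetQADPermissionParams['Property']  = $Property }

    # Only the DACL is requested; the trustee of every matching ACE is collected.
    $accountsWithAccess = (Get-QADObject -Identity $ADobject -SecurityMask Dacl |
        Get-QADPermission @GetQADPermissionParams).Account

    # Direct grant: the user is named as a trustee.
    $userAccessGranted = $accountsWithAccess | Where-Object { $_.sAMAccountName -eq $User }

    # Delegated grant: the user is a (nested) member of a group named as a trustee.
    # NOTE(review): well-known principals (Everyone, Authenticated Users) and primary-group
    # membership are not expanded here — confirm whether Get-QADGroupMember -Indirect covers them.
    $groupAccessGranted = $accountsWithAccess |
        Where-Object { $_.Type -eq "group" } |
        Get-QADGroupMember -Indirect |
        Where-Object { $_.sAMAccountName -eq $User }

    # Always emit a boolean so callers can rely on $False rather than an absent value.
    Return [bool]($userAccessGranted -or $groupAccessGranted)
}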

# Evaluate each delegated operation for the running user via the helper above.
# $userRunningThisScript, $shareReadGroup and $readGroupOU are defined earlier in the script.
$shareReadGroup_WriteMember = Confirm-UserActiveDirectoryAccess -ADobject $shareReadGroup `
    -Rights 'WriteProperty' -Property 'member' -User $userRunningThisScript
$readGroupOU_CreateGroup = Confirm-UserActiveDirectoryAccess -ADobject $readGroupOU `
    -Rights 'CreateChild' -ChildType 'Group' -User $userRunningThisScript
$readGroupOU_WriteGroupDescription = Confirm-UserActiveDirectoryAccess -ADobject $readGroupOU `
    -Rights 'WriteProperty' -ChildType 'Group' -Property 'description' -User $userRunningThisScript
$readGroupOU_WriteGroupMember = Confirm-UserActiveDirectoryAccess -ADobject $readGroupOU `
    -Rights 'WriteProperty' -ChildType 'Group' -Property 'member' -User $userRunningThisScript