
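PowerShell: How to check from a SID whether the group or account has been deleted?

Stack Overflow user
Asked on 2016-02-13 14:19:35
Answers: 1 · Views: 1.2K · Followers: 0 · Votes: 1

I am trying to export the user rights assignments using the following command: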

secedit /export /areas USER_RIGHTS /cfg d:\privs.txt

Then with PowerShell I try to translate the SIDs into names. This is my code:

$output=@()
$temp = "c:\"
$file = "$temp\privs.txt"
[string] $readableNames

$process = [diagnostics.process]::Start("secedit.exe", "/export /cfg $file /areas USER_RIGHTS")
$process.WaitForExit()
$in = get-content $file

foreach ($line in $in) {
    if ($line.StartsWith("Se")) {
    $privilege = $line.substring(0,$line.IndexOf("=") - 1)
    switch ($privilege){
    "SeCreateTokenPrivilege" {$privilege = "Create a token object"}
    "SeAssignPrimaryTokenPrivilege" {$privilege = "Replace a process-level token"}
    "SeLockMemoryPrivilege" {$privilege = "Lock pages in memory"}
    "SeIncreaseQuotaPrivilege" {$privilege = "Adjust memory quotas for a process"}
    "SeUnsolicitedInputPrivilege" {$privilege = "Read unsolicited input from a terminal device"}
    "SeMachineAccountPrivilege" {$privilege = "Add workstations to domain"}
    "SeTcbPrivilege" {$privilege = "Act as part of the operating system"}
    "SeSecurityPrivilege" {$privilege = "Manage auditing and the security log"}
    "SeTakeOwnershipPrivilege" {$privilege = "Take ownership of files or other objects"}
    "SeLoadDriverPrivilege" {$privilege = "Load and unload device drivers"}
    "SeSystemProfilePrivilege" {$privilege = "Profile system performance"}
    "SeSystemtimePrivilege" {$privilege = "Change the system time"}
    "SeProfileSingleProcessPrivilege" {$privilege = "Profile single process"}
    "SeCreatePagefilePrivilege" {$privilege = "Create a pagefile"}
    "SeCreatePermanentPrivilege" {$privilege = "Create permanent shared objects"}
    "SeBackupPrivilege" {$privilege = "Back up files and directories"}
    "SeRestorePrivilege" {$privilege = "Restore files and directories"}
    "SeShutdownPrivilege" {$privilege = "Shut down the system"}
    "SeDebugPrivilege" {$privilege = "Debug programs"}
    "SeAuditPrivilege" {$privilege = "Generate security audit"}
    "SeSystemEnvironmentPrivilege" {$privilege = "Modify firmware environment values"}
    "SeChangeNotifyPrivilege" {$privilege = "Bypass traverse checking"}
    "SeRemoteShutdownPrivilege" {$privilege = "Force shutdown from a remote system"}
    "SeUndockPrivilege" {$privilege = "Remove computer from docking station"}
    "SeSyncAgentPrivilege" {$privilege = "Synchronize directory service data"}
    "SeEnableDelegationPrivilege" {$privilege = "Enable computer and user accounts to be trusted for delegation"}
    "SeManageVolumePrivilege" {$privilege = "Manage the files on a volume"}
    "SeImpersonatePrivilege" {$privilege = "Impersonate a client after authentication"}
    "SeCreateGlobalPrivilege" {$privilege = "Create global objects"}
    "SeTrustedCredManAccessPrivilege" {$privilege = "Access Credential Manager as a trusted caller"}
    "SeRelabelPrivilege" {$privilege = "Modify an object label"}
    "SeIncreaseWorkingSetPrivilege" {$privilege = "Increase a process working set"}
    "SeTimeZonePrivilege" {$privilege = "Change the time zone"}
    "SeCreateSymbolicLinkPrivilege" {$privilege = "Create symbolic links"}
    "SeDenyInteractiveLogonRight" {$privilege = "Deny local logon"}
    "SeRemoteInteractiveLogonRight" {$privilege = "Allow logon through Terminal Services"}
    "SeServiceLogonRight" {$privilege = "Logon as a service"}
    "SeIncreaseBasePriorityPrivilege" {$privilege = "Increase scheduling priority"}
    "SeBatchLogonRight" {$privilege = "Log on as a batch job"}
    "SeInteractiveLogonRight" {$privilege = "Log on locally"}
    "SeDenyNetworkLogonRight" {$privilege = "Deny Access to this computer from the network"}
    "SeNetworkLogonRight" {$privilege = "Access this Computer from the Network"}
    "SeDenyBatchLogonRight" {$privilege = "Deny log on as a batch job"}
    "SeDenyServiceLogonRight" {$privilege = "Deny log on as a service"}
    "SeDenyRemoteInteractiveLogonRight" {$privilege = "Deny log on through Remote Desktop Services"}
 }
$sids = $line.substring($line.IndexOf("=") + 1,$line.Length - ($line.IndexOf("=") + 1))
$sids =  $sids.Trim() -split ","


$readableNames = ""
    foreach ($str in $sids){
            if($str.StartsWith("*"))
            {
                $str = $str.substring(1)
                $str
                $sid = new-object System.Security.Principal.SecurityIdentifier($str)
                $readableName = $sid.Translate([System.Security.Principal.NTAccount])
                $readableNames = $readableNames + $readableName.Value + ", "
            }
            else
            {
            $readableNames = $readableNames + $str + ", "
            }
     }
    $output += New-Object PSObject -Property @{
    privilege       = $privilege
    # Drop the trailing ", " (two characters) left by the loop above
    readableNames   = $readableNames.substring(0,($readableNames.Length - 2))
    #else            = $line."property"
    }
 }
}

$output 

So my problem is that I get the error

exception calling translate with 1 argument some or all identity referances could not be translated

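The $str output shows that when SIDs like

S-1-5-21-1042109134-4285797005-3901271436-1004

S-1-5-21-1042109134-4285797005-3901271436-1006

S-1-5-21-1042109134-4285797005-3901271436-1007

are passed to

$sid.Translate([System.Security.Principal.NTAccount])

the function raises the error. This is because the corresponding group or account has been deleted. So, is it possible to determine from the SID whether the account or group has been deleted before calling the Translate function? Thanks a lot.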

1 Answer

Stack Overflow user

Accepted answer

Posted on 2016-02-13 15:50:15

You can use try {} catch {} to handle the exception from the orphaned SID.

try {
    $readableName = $sid.Translate([System.Security.Principal.NTAccount])
} catch {
    Write-Host "Could not find SID"
}

Or wrap it in a function, if you like:

function Test-SID ([string]$SID) {
    $SIDobj = new-object System.Security.Principal.SecurityIdentifier($SID)

    try {
        [bool]$SIDobj.Translate([System.Security.Principal.NTAccount])

    } catch {
        $false
    }
}
Votes: 0
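
One way to apply the try/catch from the answer above to every entry of an exported line, recording which SIDs did not resolve instead of stopping at the first one. This is an added example, not code from the question or the answer; the function name Resolve-RightsLine and the sample line are constructed for illustration.

```powershell
# Added example: Resolve-RightsLine is a hypothetical helper, not part of the original post.
function Resolve-RightsLine {
    param([Parameter(Mandatory)][string]$Line)

    # secedit writes each right as "SeXxx = *S-1-...,*S-1-...,name"
    $name, $value = $Line -split '=', 2
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }

        $resolved = $true
        $account  = $entry              # plain names are passed through unchanged
        if ($entry.StartsWith('*')) {   # a leading * marks a SID
            $sidText = $entry.Substring(1)
            try {
                $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # No account maps to this SID: keep the raw SID and flag it
                $account  = $sidText
                $resolved = $false
            }
        }

        [pscustomobject]@{
            Privilege = $name.Trim()
            Account   = $account
            Resolved  = $resolved
        }
    }
}

# Constructed sample line: S-1-5-32-544 is the well-known BUILTIN\Administrators SID,
# the second SID is one of the unresolvable values quoted in the question.
$sample = 'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-21-1042109134-4285797005-3901271436-1004'

# List only the entries that could not be translated
Resolve-RightsLine -Line $sample | Where-Object { -not $_.Resolved }
```

Resolved = $false means only that the lookup found no mapping; a SID from a domain that cannot be reached at that moment fails the same way, so confirm the account is really gone before cleaning up the assignment.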
Original page content provided by Stack Overflow.
Original link: https://stackoverflow.com/questions/35381026
