
  • File Translate-Service-DACLS.ps1 — part of check-in [985e9083da] at 2018-06-10 13:07:38 on branch trunk — Script to translate Service DACL’s into HRL (Human Readable Language) :) (user: Claus T Nielsen size: 4317)

# encoding: ascii
# api: powershell
# title: Translate Service DACLS
# description: Script to translate Service DACLs into HRL (Human Readable Language) :)
# version: 0.1
# type: function
# author: Claus T Nielsen
# license: CC0
# function: Get-ServiceDACL
# x-poshcode-id: 2233
# x-archived: 2010-09-22T05:17:12
#
#
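Function Get-ServiceDACL {
<#
.SYNOPSIS
Shows a service's DACL in human-readable form, using "sc.exe sdshow".

.DESCRIPTION
Runs sc.exe against the given computer, emits the raw SDDL string to the
pipeline (as the original did) and then hands the D: (DACL) section to
Parse-DACL, which prints one block per ACE.

.PARAMETER Servicename
Short service name, e.g. winrm. Accepts pipeline input; every name piped in
is processed (the work is done in the process block).

.PARAMETER Computername
Host passed to sc.exe as \\<Computername>. "." (the default) is the local machine.

.OUTPUTS
The raw sc.exe output lines, followed by whatever Parse-DACL emits.

.NOTES
sc.exe is invoked directly with separate arguments. The previous version built
a command string from the parameters and ran it through Invoke-Expression, so
any PowerShell metacharacters in Servicename or Computername would have been
executed as code instead of being passed to sc.exe.
#>
[CmdletBinding()]
    param(
        [Parameter(Mandatory=$true,Position=0,ValueFromPipeline=$true)]
        [String]$Servicename,
        [Parameter(Mandatory=$false,Position=1)]
        [String]$Computername= ".")

    process {
        # Each argument is a single word here; nothing is re-parsed by the shell.
        $sddl = & "$env:SystemRoot\System32\sc.exe" "\\$Computername" sdshow $Servicename
        if ($LASTEXITCODE -ne 0) {
            Write-Error "sc.exe sdshow failed for service '$Servicename' on '$Computername' (exit code $LASTEXITCODE): $($sddl -join ' ')"
            return
        }

        # Emit the raw SDDL lines, then the banner, as before.
        $sddl
        Write-Host "Getting Service DACL for $Servicename on $Computername"

        # sc.exe prints the SDDL on one line, padded with blank lines; fold to one string.
        $text = ($sddl -join '').Trim()

        # Extract only the D: section: optional flag letters (P, AI, AR ...) followed by
        # the parenthesised ACEs. The old "-split ':'" approach glued the "S" of a
        # following "S:" SACL section onto the last ACE's trustee (e.g. "SU" -> "SUS")
        # and missed the DACL altogether when an O:/G: owner/group prefix was present.
        if ($text -match 'D:(?<dacl>[A-Z]*(?:\([^)]*\))*)') {
            Parse-DACL $Matches['dacl']
        }
        else {
            Write-Warning "No DACL (D:) section found in SDDL for '$Servicename': $text"
        }
    }
}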


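Function Parse-DACL {
<#
.SYNOPSIS
Prints each ACE of an SDDL DACL section in readable form.

.PARAMETER SDDLIN
The text following "D:" in an SDDL string: optional DACL flag letters, then ACEs of
the form (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid).

.OUTPUTS
For every ACE: the trustee (Write-Host, red), the ACE type, the ACE flags when
present, and one line per right.

.NOTES
Uses the script-level lookup tables $AceType, $AceFlags, $PermissionType and
$Trustees. Literal SIDs are translated on the machine running this script, so a
SID that only exists on a remote computer may not resolve; the raw SID is then
printed instead of failing.
#>
Param([String]$SDDLIN)

    # ACEs start with '('. The first element is the (possibly empty) DACL flags; it
    # has no ';' fields and is skipped by the field-count check below.
    [Array]$sddls = $SDDLIN.split('(')
    Foreach ($SDDLI in $sddls) {
        # Drop the closing ')' and anything trailing it (e.g. a stray "S" left over
        # when a caller split the full SDDL on ':' and an S: section followed).
        $tokens = ($SDDLI -replace '\).*$', '').split(";")
        If ($tokens.Length -lt 6 -or -not $tokens[5]) { continue }

        $trustee = $tokens[5]
        If ($trustee.length -gt 3) {
            # Longer than a two-letter alias: treat as a literal SID (S-1-5-...).
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($trustee)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                # Unresolvable SID (deleted account, remote-only SID): show it as-is.
                $account = $trustee
            }
            Write-Host $account -ForegroundColor red
        }
        Else {
            $name = $Trustees.get_item($trustee)
            If (-not $name) { $name = $trustee }   # unknown alias: show the code itself
            Write-Host $name -ForegroundColor red
        }

        "   " + $AceType.get_item($tokens[0])

        If ($tokens[1]) {
            # ace_flags is a run of two-letter codes (CI, OI, ID, ...); the table
            # existed before but was never consulted.
            $flagNames = for ($j = 0; $j + 1 -lt $tokens[1].Length; $j += 2) {
                $code = $tokens[1].Substring($j, 2)
                $desc = $AceFlags.get_item($code)
                If ($desc) { $desc } Else { $code }
            }
            "   Flags: " + ($flagNames -join '; ')
        }

        $rights = $tokens[2]
        If ($rights -like '0x*') {
            # Rights may be given as a hex access mask rather than two-letter codes.
            Write-Host "      Access mask $rights"
        }
        Else {
            # Walk the rights string two characters at a time. The previous
            # [regex]::split with a capturing group also yielded the empty strings
            # between matches, which printed as blank lines.
            for ($j = 0; $j + 1 -lt $rights.Length; $j += 2) {
                $code = $rights.Substring($j, 2)
                $desc = $PermissionType.get_item($code)
                If (-not $desc) { $desc = $code }   # unknown right: show the code itself
                Write-Host "      $desc"
            }
        }
    }
}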

# SDDL ace_type codes (first field of an ACE) -> description.
$AceType = @{
    'A'  = 'ACCESS ALLOWED'
    'D'  = 'ACCESS DENIED'
    'OA' = 'OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).'
    'OD' = 'OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).'
    'AU' = 'SYSTEM AUDIT'
    'AL' = 'SYSTEM ALARM'
    'OU' = 'OBJECT SYSTEM AUDIT'
    'OL' = 'OBJECT SYSTEM ALARM'
    'ML' = 'MANDATORY LABEL'
}

# SDDL ace_flags codes (second field of an ACE) -> description.
$AceFlags = @{
    'CI' = 'CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.'
    'OI' = 'OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.'
    'NP' = 'NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.'
    'IO' = 'INHERITANCE ONLY: ACE DOESN''T APPLY TO THIS OBJECT; BUT MAY AFFECT CHILDREN VIA INHERITANCE.'
    'ID' = 'ACE IS INHERITED'
    'SA' = 'SUCCESSFUL ACCESS AUDIT'
    'FA' = 'FAILED ACCESS AUDIT'
}

# SDDL rights codes (third field of an ACE) -> service-specific right name.
$PermissionType = @{
    'CC' = 'Query Conf'
    'DC' = 'Change Conf'
    'LC' = 'QueryStat'
    'SW' = 'EnumDeps'
    'RP' = 'Start'
    'WP' = 'Stop'
    'DT' = 'Pause'
    'LO' = 'Interrogate'
    'CR' = 'UserDefined'
    'GA' = 'Generic All'
    'GX' = 'Generic Execute'
    'GW' = 'Generic Write'
    'GR' = 'Generic Read'
    'SD' = 'Standard Delete'
    'RC' = 'Read Control'
    'WD' = 'Write DAC'
    'WO' = 'Write Owner'
}


# Two-letter SDDL trustee aliases (sixth field of an ACE) -> account description.
# Anything longer than an alias is treated as a literal SID by the caller.
$Trustees = @{
    'AO' = 'Account operators'
    'RU' = 'Alias to allow previous Windows 2000'
    'AN' = 'Anonymous logon'
    'AU' = 'Authenticated users'
    'BA' = 'Built-in administrators'
    'BG' = 'Built-in guests'
    'BO' = 'Backup operators'
    'BU' = 'Built-in users'
    'CA' = 'Certificate server administrators'
    'CG' = 'Creator group'
    'CO' = 'Creator owner'
    'DA' = 'Domain administrators'
    'DC' = 'Domain computers'
    'DD' = 'Domain controllers'
    'DG' = 'Domain guests'
    'DU' = 'Domain users'
    'EA' = 'Enterprise administrators'
    'ED' = 'Enterprise domain controllers'
    'WD' = 'Everyone'
    'PA' = 'Group Policy administrators'
    'IU' = 'Interactively logged-on user'
    'LA' = 'Local administrator'
    'LG' = 'Local guest'
    'LS' = 'Local service account'
    'SY' = 'Local system'
    'NU' = 'Network logon user'
    'NO' = 'Network configuration operators'
    'NS' = 'Network service account'
    'PO' = 'Printer operators'
    'PS' = 'Personal self'
    'PU' = 'Power users'
    'RS' = 'RAS servers group'
    'RD' = 'Terminal server users'
    'RE' = 'Replicator'
    'RC' = 'Restricted code'
    'SA' = 'Schema administrators'
    'SO' = 'Server operators'
    'SU' = 'Service logon user'
}


# Example: query the WinRM service on a host named RemoteServer.
# NOTE(review): this call is not guarded, so it runs every time the file is
# executed or dot-sourced and attempts an sc.exe query against "RemoteServer".
# Comment it out or change the host name before loading this file as a function
# library (the header declares "type: function").

Get-ServiceDACL winrm RemoteServer