I wrote this script; it is available for multiple AD forests, with local, UNC and DFS paths.
```powershell
<#
.SYNOPSIS
    Tests the real (effective) access rights in a folder
.DESCRIPTION
    Attempts to write a file to the specified destination as NtAccountName
.PARAMETER Paths
    Fully qualified path of the folder(s) to test
    e.g.: '\\open.adds\RPannuzzo$\Pannuzzolk\Donnees\Scans'
.PARAMETER NtAccountName
    Full user name
    e.g.: 'contoso\JhonDoe'
.EXAMPLE
    .\Test-RealAccess.ps1 -path 'D:\repertoire'
.EXAMPLE
    .\Test-RealAccess.ps1 '\\open.adds\Rshare$\Pathlk\Data' -ntAccountName 'contoso\JhonDoe'
    You will be prompted for the password once; it is then saved in the registry
.NOTES
    Alopez 2016
    alban.lopez ON gmail.com
#>
#requires -version 3
param(
    [string[]]$paths = '\\Contoso.adds\Share$\Target\Data',
    [string]$ntAccountName = 'contoso\JhonDoe'
)
$version = '0.53/Test Read,Write,Supp.'
$source = "Script Test d'access reel (alopez)"

function Get-CredentialByRegistry ($ntAccountName) {
    $regKey = "HKCU:\Software\Pass\$ntAccountName"
    # view the password
    # [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR(((Get-ItemProperty $regKey -Name SecurePass).SecurePass | convertto-securestring)))
    if (!(Get-ItemProperty $regKey -Name SecurePass -ea 0).SecurePass) {
        # prompt for the password and save it
        New-Item -Path "HKCU:\Software\Pass" -EA 0 | Out-Null
        New-Item -Path "HKCU:\Software\Pass\$($ntAccountName.split('\')[0])" -EA 0 | Out-Null
        New-Item -Path $regKey -EA 0 | Out-Null
        $WinCredential = Get-Credential -UserName "$ntAccountName" -Message "Identifiant de connexion : $ntAccountName`nPour les tests de validation"
        # ConvertFrom-SecureString without -Key protects the value with DPAPI, so the
        # stored blob can only be decrypted by the same user on the same machine
        Set-ItemProperty -Path $regKey -Name SecurePass -Value ($WinCredential.GetNetworkCredential().securePassword | ConvertFrom-SecureString)
    }
    return New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @("$NtAccountName", ((Get-ItemProperty $regKey -Name SecurePass -ea 0).SecurePass | ConvertTo-SecureString))
}

$ACL = @()
$ACL = foreach ($path in $paths) {
    $access = $null
    # clean up leftovers from a previous run
    Remove-Item "$path\test-RW.txt","$path\test-ForRead.txt",'.\access.txt','.\error.txt' -Force -ea 0 | Out-Null
    Start-Sleep -s 2
    try {
        # created by the calling user; the tested account must be able to read it back
        'Readable' | Set-Content "$path\test-ForRead.txt" -Force -ea Stop | Out-Null
        Write-Host " Droits pour " -NoNewline -Fore Blue -Back White
        Write-Host "$ntAccountName" -NoNewline -Fore DarkGreen -Back White
        Write-Host " dans [" -NoNewline -Fore Blue -Back White
        Write-Host "$path" -Fore Magenta -NoNewline -Back White
        # clamp the padding width: a negative value makes PadRight throw and would
        # wrongly trigger the "no access" branch below for long paths
        Write-Host '] : '.PadRight([math]::Max(0, 80 - $ntAccountName.Length - $path.Length)) -NoNewline -Fore Blue -Back White
        try {
            # run the read / write / delete probes as the tested account;
            # each successful probe prints one letter: R (read), W (write), S (delete)
            (Start-Process -Wait -NoNewWindow -Credential (Get-CredentialByRegistry $ntAccountName) "powershell.exe" -RedirectStandardOutput '.\access.txt' -RedirectStandardError '.\error.txt' `
                -ArgumentList "
                    whoami | Set-Content '$path\test-RW.txt' -ea Continue;
                    start-sleep -s 1;
                    if ((get-content '$path\test-ForRead.txt' -ea Continue) -like 'Readable') {
                        'R';
                    };
                    if ((get-content '$path\test-RW.txt' -ea Continue) -like `$(whoami)) {
                        'W';
                    };
                    Remove-Item '$path\test-ForRead.txt' -ea Continue;
                    start-sleep -s 1;
                    if (!(Test-Path '$path\test-ForRead.txt' -ea Continue)) {
                        'S';
                    };
                " `
                -ea SilentlyContinue)
        } catch {
            # running "as" another user always returns an error, even when everything works
        }
        Start-Sleep -s 5;
        $access = (Get-Content '.\access.txt') -join('')
        if ($access -clike 'RWS') {
            Write-Host "$access".PadLeft(10).PadRight(16) -Fore Black -Back Green
        } elseif ($access.Length -ge 1) {
            Write-Host "$access".PadLeft(10).PadRight(16) -Fore DarkGreen -Back Yellow
        } else {
            Write-Host " [ ! ] " -Fore White -Back Red
        }
    } catch {
        Write-Host "`n`tVous n'avez pas acces a [ " -Fore White -Back Red -NoNewline
        Write-Host "$path" -Fore White -Back Magenta -NoNewline
        Write-Host " ] ! Impossible de faire le test !".PadRight(54) -Fore White -Back Red
    }
    # one result object per tested path
    [pscustomobject][ordered]@{
        'path' = $path
        'ntAccountName' = $ntAccountName
        'Read' = ($access -clike '*R*')
        'Write' = ($access -clike '*W*')
        'Supp.' = ($access -clike '*S*')
        'Access' = $access
    }
    Remove-Item "$path\test-RW.txt","$path\test-ForRead.txt" -Force -ea 0 | Out-Null
}
return $ACL
```