/\/\o\/\/ PowerShelled

This blog has moved to http://ThePowerShellGuy.com Greetings /\/\o\/\/

Monday, October 24, 2005

 


Getting and using a SecurityPrincipal from MSH



Sometimes you look way too far to get something.

I was searching for a way to get a SecurityPrincipal from AD (see former posts).
I could not find it (I can get the owner of the AD object as a SecurityPrincipal, but that is Domain\Administrators).

The trick was to just declare them:

$Account = new-object system.security.principal.ntaccount("User")

or

$Account = new-object system.security.principal.ntaccount ("Domain", "User")

(This will not fail if the user does not exist; the error only comes when you use it.)

To get the SID for this account:

$SID = $Account.translate([system.security.principal.securityidentifier])

If you get no error, your user DOES exist ;-) so this is a good way to check whether you have a valid user.

So now I can really use my set_Owner function:

MSH C:\> $Account = new-object system.security.principal.ntaccount("administrators")
MSH C:\> (gi test.txt).set_owner($Account)
MSH C:\> (gi test.txt).get_owner($Account)
Value
-----
BUILTIN\Administrators

MSH C:\> $nt = new-object system.security.principal.ntaccount("foo")
MSH C:\> (gi test.txt).set_owner($nt)
Exception calling "Set_Owner" with "1" argument(s): "Exception calling "SetOwner" with "1" argument(s): "Some or all identity references could not be translated.".".
At line:1 char:24
+ (gi test.txt).set_owner( <<<< $nt)

gr /\/\o\/\/

PS if you are admin you can GiveOwnership to any account you want with this.
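
The check-then-assign pattern from the post, as an added example that is not the author's code: it uses the standard Get-Acl/Set-Acl cmdlets in place of the post's set_owner type extension, and the function names Resolve-AccountSid and Set-FileOwner and the scratch file are made up here. It assumes PowerShell 2.0 or later rather than the MSH beta shown above.

```powershell
# Added example, not from the original post. Needs PowerShell 2.0+ (try/catch).
# Resolve-AccountSid and Set-FileOwner are hypothetical names chosen here.

function Resolve-AccountSid {
    param([Parameter(Mandatory=$true)][string]$Name)   # "User" or "Domain\User"
    # The constructor only stores the name; nothing is looked up yet.
    $account = New-Object System.Security.Principal.NTAccount($Name)
    try {
        # Translate() performs the lookup and throws for an unknown name.
        $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

function Set-FileOwner {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Owner
    )
    # Validate first so a typo never reaches the ACL.
    $sid = Resolve-AccountSid -Name $Owner
    if ($null -eq $sid) {
        throw "Account '$Owner' could not be translated; owner of '$Path' left unchanged."
    }
    $acl = Get-Acl -Path $Path
    $previous = $acl.Owner
    $acl.SetOwner($sid)
    # Giving ownership to an account other than yourself or Administrators
    # needs SeRestorePrivilege enabled in the token, or Windows rejects it.
    Set-Acl -Path $Path -AclObject $acl
    # Return old and new owner so the change can be logged and reviewed.
    New-Object PSObject -Property @{
        Path          = $Path
        PreviousOwner = $previous
        NewOwner      = (Get-Acl -Path $Path).Owner
        OwnerSid      = $sid.Value
    }
}

# Constructed demo on a scratch file (run from an elevated session).
$file = Join-Path $env:TEMP 'owner-demo.txt'
Set-Content -Path $file -Value 'demo'
Set-FileOwner -Path $file -Owner 'BUILTIN\Administrators'
```

Returning the previous owner alongside the new one gives a record of every ownership change, which is what you want to keep when repairing home directories in bulk.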


Comments:
Blogger Sung Meister
Shouldn't argument for
"$nt = new-object system.security.principal.ntaccount("Domain,"User")"
be ("Domain", "User"), instead?
 
Blogger Sung Meister
Ah, yeah, I forgot to mention that it'd have been better if you get yourself a "System.Management.Automation.MshCredential" object created (through get-credential) with "Administrator", then be able to change principals and other stuff as well...

Man, I was looking for ways to do that, but will you be able to find out if there is a way?
 
Blogger Sung Meister
Sorry for spamming with comments.

On second thought, I guess letting an administrator credential modify system properties would be bad because that would mean "coupling" the credential object with system property modifying objects...
 
Blogger /\/\o\/\/
Shouldn't argument for
"$nt = new-object system.security.principal.ntaccount("Domain,"User")"
be ("Domain", "User"), instead?
# posted by dontbothermewithspam : 6:35 PM

Fixed, I also made it all $account
to make it more clear

Ah, yeah, I forgot to mention that it'd have been better if you get yourself a "System.Management.Automation.MshCredential" object created (through get-credential) with "Administrator", then be able to change principals and other stuff as well...

Easy to get it in a function,
and make your own.
But yes, it should be there (as the shortcuts to get-Owner etc.) V2 ?

Man, I was looking for ways to do that, but will you be able to find out if there is a way?

I will add it to the post

Sorry for spamming with comments.

NP thanks for the comments.

On second thought, I guess letting an administrator credential modify system properties would be bad because that would mean "coupling" the credential object with system property modifying objects...

Don't think so. You still have to have the rights to do the GiveOwn; even in NT the TakeOwner function was just an interface restriction (if you called the API you could set it to any account). I have needed this often (repairing homedirs etc.)

In 2003 you can do it in the interface also.

gr /\/\o\/\/

PS trust (..and check/check Doublecheck..;-)) your admins
 
Anonymous Anonymous
These are great examples of manipulating ACLs, but I was wondering how it would be possible to replace the whole DACL rather than just adding in an ACE?

I'd basically like to perform the equivalent of unticking the inherit from parent checkbox in the UI (and hitting the remove button).

Pointers in the right direction (for a non-hardcore programmer) greatly appreciated ;)

Cheers

Adam
 