Powershell：如何檢查組或帳戶是否從SID中刪除？

Question

我試圖用此命令導出用戶權限分配：
secedit /export /areas USER_RIGHTS /cfg d:\privs.txt
然後使用Powershell我試圖將SIDs翻譯成名稱。這裏是我的代碼：

$output=@() 
$temp = "c:\" 
$file = "$temp\privs.txt" 
[string] $readableNames 

$process = [diagnostics.process]::Start("secedit.exe", "/export /cfg $file /areas USER_RIGHTS") 
$process.WaitForExit() 
$in = get-content $file 

foreach ($line in $in) { 
    if ($line.StartsWith("Se")) { 
    $privilege = $line.substring(0,$line.IndexOf("=") - 1) 
    switch ($privilege){ 
    "SeCreateTokenPrivilege " {$privilege = "Create a token object"} 
    "SeAssignPrimaryTokenPrivilege" {$privilege = "Replace a process-level token"} 
    "SeLockMemoryPrivilege" {$privilege = "Lock pages in memory"} 
    "SeIncreaseQuotaPrivilege" {$privilege = "Adjust memory quotas for a process"} 
    "SeUnsolicitedInputPrivilege" {$privilege = "Load and unload device drivers"} 
    "SeMachineAccountPrivilege" {$privilege = "Add workstations to domain"} 
    "SeTcbPrivilege" {$privilege = "Act as part of the operating system"} 
    "SeSecurityPrivilege" {$privilege = "Manage auditing and the security log"} 
    "SeTakeOwnershipPrivilege" {$privilege = "Take ownership of files or other objects"} 
    "SeLoadDriverPrivilege" {$privilege = "Load and unload device drivers"} 
    "SeSystemProfilePrivilege" {$privilege = "Profile system performance"} 
    "SeSystemtimePrivilege" {$privilege = "Change the system time"} 
    "SeProfileSingleProcessPrivilege" {$privilege = "Profile single process"} 
    "SeCreatePagefilePrivilege" {$privilege = "Create a pagefile"} 
    "SeCreatePermanentPrivilege" {$privilege = "Create permanent shared objects"} 
    "SeBackupPrivilege" {$privilege = "Back up files and directories"} 
    "SeRestorePrivilege" {$privilege = "Restore files and directories"} 
    "SeShutdownPrivilege" {$privilege = "Shut down the system"} 
    "SeDebugPrivilege" {$privilege = "Debug programs"} 
    "SeAuditPrivilege" {$privilege = "Generate security audit"} 
    "SeSystemEnvironmentPrivilege" {$privilege = "Modify firmware environment values"} 
    "SeChangeNotifyPrivilege" {$privilege = "Bypass traverse checking"} 
    "SeRemoteShutdownPrivilege" {$privilege = "Force shutdown from a remote system"} 
    "SeUndockPrivilege" {$privilege = "Remove computer from docking station"} 
    "SeSyncAgentPrivilege" {$privilege = "Synchronize directory service data"} 
    "SeEnableDelegationPrivilege" {$privilege = "Enable computer and user accounts to be trusted for delegation"} 
    "SeManageVolumePrivilege" {$privilege = "Manage the files on a volume"} 
    "SeImpersonatePrivilege" {$privilege = "Impersonate a client after authentication"} 
    "SeCreateGlobalPrivilege" {$privilege = "Create global objects"} 
    "SeTrustedCredManAccessPrivilege" {$privilege = "Access Credential Manager as a trusted caller"} 
    "SeRelabelPrivilege" {$privilege = "Modify an object label"} 
    "SeIncreaseWorkingSetPrivilege" {$privilege = "Increase a process working set"} 
    "SeTimeZonePrivilege" {$privilege = "Change the time zone"} 
    "SeCreateSymbolicLinkPrivilege" {$privilege = "Create symbolic links"} 
    "SeDenyInteractiveLogonRight" {$privilege = "Deny local logon"} 
    "SeRemoteInteractiveLogonRight" {$privilege = "Allow logon through Terminal Services"} 
    "SeServiceLogonRight" {$privilege = "Logon as a service"} 
    "SeIncreaseBasePriorityPrivilege" {$privilege = "Increase scheduling priority"} 
    "SeBatchLogonRight" {$privilege = "Log on as a batch job"} 
    "SeInteractiveLogonRight" {$privilege = "Log on locally"} 
    "SeDenyNetworkLogonRight" {$privilege = "Deny Access to this computer from the network"} 
    "SeNetworkLogonRight" {$privilege = "Access this Computer from the Network"} 
    "SeDenyBatchLogonRight" {$privilege = "Deny log on as a batch job"} 
    "SeDenyServiceLogonRight" {$privilege = "Deny log on as a service"} 
    "SeDenyRemoteInteractiveLogonRight" {$privilege = "Deny log on through Remote Desktop Services"} 
} 
$sids = $line.substring($line.IndexOf("=") + 1,$line.Length - ($line.IndexOf("=") + 1)) 
$sids = $sids.Trim() -split "," 


$readableNames = "" 
    foreach ($str in $sids){ 
      if($str.StartsWith("*")) 
      { 
       $str = $str.substring(1) 
       $str 
       $sid = new-object System.Security.Principal.SecurityIdentifier($str) 
       $readableName = $sid.Translate([System.Security.Principal.NTAccount]) 
       $readableNames = $readableNames + $readableName.Value + ", " 
      } 
      else 
      { 
      $readableNames = $readableNames + $str + ", " 
      } 
    } 
    $output += New-Object PSObject -Property @{    
    privilege  = $privilege    
    readableNames = $readableNames.substring(0,($readableNames.Length - 1)) 
    #else   = $line."property" 
    } 
} 
} 

$output 

所以這個問題我有是，我得到錯誤
exception calling translate with 1 argument some or all identity referances could not be translated

$str輸出讓我發現，當像
S-1-5-21-1042109134-4285797005-3901271436-1004
S-1-5-21-1042109134-4285797005-3901271436-1006
S-1-5-21-1042109134-4285797005-3901271436-1007
的SID給
$sid.Translate([System.Security.Principal.NTAccount])
導致錯誤的函數。那是因爲相應的組或帳戶已被刪除。那麼在調用Translate函數之前，是否有任何方法可以確定是否從SID中刪除帳戶或組。非常感謝你。

Answer 1

您可以使用try {} catch {}來處理來自孤立SID的異常。

try { 
    $readableName = $sid.Translate([System.Security.Principal.NTAccount]) 
} catch { 
    Write-Host "Could not find SID" 
} 

或者把它包裝成一個功能，如果你想：

function Test-SID ([string]$SID) { 
    $SIDobj = new-object System.Security.Principal.SecurityIdentifier($SID) 

    try { 
     [bool]$SIDobj.Translate([System.Security.Principal.NTAccount]) 

    } catch { 
     $false 
    } 
}