Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make Get-DbaPrivilege more efficient #9436

Merged
merged 2 commits into from
Aug 4, 2024
Merged

Make Get-DbaPrivilege more efficient #9436

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8eb1837
Streamline code for Get-DbaPrivilege
mrahman-DBA Jul 28, 2024
55b5f2d
Formatting updates to meet dbatools standard
mrahman-DBA Jul 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
155 changes: 62 additions & 93 deletions public/Get-DbaPrivilege.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,18 +56,18 @@ function Get-DbaPrivilege {
)

begin {
$ResolveSID = @'
function Convert-SIDToUserName ([string] $SID ) {
try {
$objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID)
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value
} catch {
$SID
}
}
'@
function Convert-SIDToUserName ([string] $SID ) {
try {
$objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID)
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value
} catch {
$SID
}
}

$ComputerName = $ComputerName.ComputerName | Select-Object -Unique

}
process {
foreach ($computer in $ComputerName) {
Expand All @@ -78,123 +78,96 @@ function Get-DbaPrivilege {
}

try {
Write-Message -Level Verbose -Message "Exporting Privileges on $computer"
$null = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
Write-Message -Level Verbose -Message "Exporting Privileges on $computer and cleaning up temporary files"
$secPol = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("")
secedit /export /cfg $temp\secpolByDbatools.cfg > $null
$CFG = Get-Content $temp\secpolByDbatools.cfg -Force
Remove-Item $temp\secpolByDbatools.cfg -Force
$CFG
}

Write-Message -Level Verbose -Message "Getting Batch Logon Privileges on $computer"
$bl = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
param ($ResolveSID)
. ([ScriptBlock]::Create($ResolveSID))
$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
$blEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
$_ -like "SeBatchLogonRight*"
})

if ($null -ne $blEntries) {
$blEntries.Substring(20).Split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
$blEntries = $secPol | Where-Object { $_ -like "SeBatchLogonRight*" }

$bl = if ($null -ne $blEntries) {
$blEntries.Substring(20).Split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
}
}

if ($bl.count -eq 0) {
Write-Message -Level Verbose -Message "No users with Batch Logon Rights on $computer"
}

Write-Message -Level Verbose -Message "Getting Instant File Initialization Privileges on $computer"
$ifi = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
param ($ResolveSID)
. ([ScriptBlock]::Create($ResolveSID))
$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
$ifiEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
$_ -like 'SeManageVolumePrivilege*'
})

if ($null -ne $ifiEntries) {
$ifiEntries.Substring(26).Split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
$ifiEntries = $secPol | Where-Object { $_ -like 'SeManageVolumePrivilege*' }

$ifi = if ($null -ne $ifiEntries) {
$ifiEntries.Substring(26).Split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
}
}

if ($ifi.count -eq 0) {
Write-Message -Level Verbose -Message "No users with Instant File Initialization Rights on $computer"
}

Write-Message -Level Verbose -Message "Getting Lock Pages in Memory Privileges on $computer"
$lpim = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
param ($ResolveSID)
. ([ScriptBlock]::Create($ResolveSID))
$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
$lpimEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
$_ -like 'SeLockMemoryPrivilege*'
})

if ($null -ne $lpimEntries) {
$lpimEntries.Substring(24).Split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
$lpimEntries = $secPol | Where-Object { $_ -like 'SeLockMemoryPrivilege*' }

$lpim = if ($null -ne $lpimEntries) {
$lpimEntries.Substring(24).Split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
}
}

if ($lpim.count -eq 0) {
Write-Message -Level Verbose -Message "No users with Lock Pages in Memory Rights on $computer"
}

Write-Message -Level Verbose -Message "Getting Generate Security Audits Privileges on $computer"
$gsa = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
param ($ResolveSID)
. ([ScriptBlock]::Create($ResolveSID))
$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
$gsaEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
$_ -like 'SeAuditPrivilege*'
})

if ($null -ne $gsaEntries) {
$gsaEntries.Substring(19).Split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
$gsaEntries = $secPol | Where-Object { $_ -like 'SeAuditPrivilege*' }

$gsa = if ($null -ne $gsaEntries) {
$gsaEntries.Substring(19).Split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
}
}

if ($gsa.count -eq 0) {
Write-Message -Level Verbose -Message "No users with Generate Security Audits Rights on $computer"
}

Write-Message -Level Verbose -Message "Getting Logon as a service Privileges on $computer"
$los = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
param ($ResolveSID)
. ([ScriptBlock]::Create($ResolveSID))
$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
$losEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
$_ -like "SeServiceLogonRight*"
})

if ($null -ne $losEntries) {
$losEntries.Substring(22).split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
$losEntries = $secPol | Where-Object { $_ -like "SeServiceLogonRight*" }

$los = if ($null -ne $losEntries) {
$losEntries.Substring(22).split(",") | ForEach-Object {
if ($_ -match '^\*S-') {
Convert-SIDToUserName -SID $_.TrimStart('*')
} else {
$_
}
}
}

if ($los.count -eq 0) {
Write-Message -Level Verbose -Message "No users with Logon as a service Rights on $computer"
}
Expand All @@ -211,11 +184,7 @@ function Get-DbaPrivilege {
LogonAsAService = $los -contains $_
}
}
Write-Message -Level Verbose -Message "Removing secpol file on $computer"
Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("")
Remove-Item $temp\secpolByDbatools.cfg -Force
}

} catch {
Stop-Function -Continue -Message "Failure" -ErrorRecord $_ -Target $computer
}
Expand Down
Loading