Windows-Server-2008

授予 Windows 服務的權限

  • October 23, 2017

我遇到了另一個障礙。我有一個非管理員 IIS 身份帳戶,我想授予該帳戶啟動、停止、重新啟動和讀取一個 Windows 服務狀態的權限。我遵循了此處發布的解決方案。但是,我想通過 PowerShell 來實現自動化,因為我有很多伺服器。我能夠獲取非管理員帳戶的 SID,並獲取命令的輸出並將其保存在變數下。我轉換為字元串,但不能應用任何函式,如StartsWith, split,insert等。這是我的程式碼:

#Getting the SID for non-admin ISS identity account
$objUser = New-Object System.Security.Principal.NTAccount("non-admin")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$sid = $strSID.Value
#output retuned = S-1-5-21-2103278432-2794320136-1883075150-1000

#Storing the output of cmd prompt
$cmd = cmd.exe /c "sc sdshow <Service_Name>"
$test = $cmd | Out-String
#output returned = D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

#Storing the value that needs to be inserted in $CMD
$str = "(A;;RPWPCR;;;$sid)"

我想插入 $ str just before “S:” in $ 測試,我一直不成功。我想通過 PowerShell 而不是 SubInAcl 來實現這一點。任何幫助,將不勝感激。最終程式碼應如下所示:

sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)($str)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

假設您的$test變數包含D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD),您可以執行以下操作:

$sid = "S-1-5-21-2103278432-2794320136-1883075150-1000"
$test = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
$str = "(A;;RPWPCR;;;$sid)"

$newstring = $test -replace "S:","$($str)S:"

$newstring

返回:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

引用自:https://serverfault.com/questions/879116