blob: 076ab84605265684a7c2620e85f698dc7d56e910 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
#!powershell
# This file is part of Ansible
#
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# WANT_JSON
# POWERSHELL_COMMON
#Functions
Function UserSearch
{
Param ([string]$accountName)
#Check if there's a realm specified
$searchDomain = $false
$searchDomainUPN = $false
if ($accountName.Split("\").count -gt 1)
{
if ($accountName.Split("\")[0] -ne $env:COMPUTERNAME)
{
$searchDomain = $true
$accountName = $accountName.split("\")[1]
}
}
Elseif ($accountName.contains("@"))
{
$searchDomain = $true
$searchDomainUPN = $true
}
Else
{
#Default to local user account
$accountName = $env:COMPUTERNAME + "\" + $accountName
}
if ($searchDomain -eq $false)
{
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
$localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName}
if ($localaccount)
{
return $localaccount.SID
}
}
Else
{
#Search by samaccountname
$Searcher = [adsisearcher]""
If ($searchDomainUPN -eq $false) {
$Searcher.Filter = "sAMAccountName=$($accountName)"
}
Else {
$Searcher.Filter = "userPrincipalName=$($accountName)"
}
$result = $Searcher.FindOne()
if ($result)
{
$user = $result.GetDirectoryEntry()
# get binary SID from AD account
$binarySID = $user.ObjectSid.Value
# convert to string SID
return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value
}
}
}
$params = Parse-Args $args;
$result = New-Object PSObject;
Set-Attr $result "changed" $false;
$path = Get-Attr $params "path" -failifempty $true
$user = Get-Attr $params "user" -failifempty $true
$recurse = Get-Attr $params "recurse" "no" -validateSet "no","yes" -resultobj $result
$recurse = $recurse | ConvertTo-Bool
If (-Not (Test-Path -Path $path)) {
Fail-Json $result "$path file or directory does not exist on the host"
}
# Test that the user/group is resolvable on the local machine
$sid = UserSearch -AccountName ($user)
if (!$sid)
{
Fail-Json $result "$user is not a valid user or group on the host machine or domain"
}
Try {
$objUser = New-Object System.Security.Principal.SecurityIdentifier($sid)
$file = Get-Item -Path $path
$acl = Get-Acl $file.FullName
If ($acl.getOwner([System.Security.Principal.SecurityIdentifier]) -ne $objUser) {
$acl.setOwner($objUser)
Set-Acl $file.FullName $acl
Set-Attr $result "changed" $true;
}
If ($recurse) {
$files = Get-ChildItem -Path $path -Force -Recurse
ForEach($file in $files){
$acl = Get-Acl $file.FullName
If ($acl.getOwner([System.Security.Principal.SecurityIdentifier]) -ne $objUser) {
$acl.setOwner($objUser)
Set-Acl $file.FullName $acl
Set-Attr $result "changed" $true;
}
}
}
}
Catch {
Fail-Json $result "an error occured when attempting to change owner on $path for $user"
}
Exit-Json $result
|
