Привет всем! Нашел классную функцию для изменения прав управления службой, помогите пожалуйста, если не сложно добавить возможность удаления прав.
Функция:
function perms {
Param(
[Parameter(Mandatory=$True)]
[string]$Username,
[Parameter(Mandatory=$True)]
[string]$Service,
[Parameter(Mandatory=$True)]
[string]$Rights,
[Parameter(Mandatory=$True)]
[string]$Computer
)
$servicetest = Get-Service -ComputerName $Computer | where {$_.name -eq "$service"}
if (!$servicetest -and $service -ne "scmanager") {
Write-Output "Service $service does not exist on $Computer. Please supply the name and not the display name"
exit
}
$domain = ($username.split("\"))[0]
$user = ($username.split("\"))[1]
$ntaccount = New-Object System.Security.Principal.NTAccount($domain,$user)
$sid = ($ntaccount.Translate([System.Security.Principal.SecurityIdentifier])).value
if (!$sid) {
return "User $username cannot be resolved to a SID. Does the account exist?"
exit
}
$sddl = & $env:SystemRoot\System32\sc.exe \\$Computer sdshow "$Service"
if ($sddl -match $sid) {
return "User $username already has some sort of access in the SDDL. Remediate manually"
exit
}
switch ($Rights) {
"Read" { $sddl = $sddl + "(A;;LCRPRC;;;$sid)" }
"Reset" { $sddl = $sddl + "(A;;LCRPWPRC;;;$sid)" }
default { return "Invalid rights option, please select either read or reset"; exit }
}
$sddlset = & $env:SystemRoot\System32\sc.exe \\$Computer sdset "$service" "$sddl"
$sddlverify = & $env:SystemRoot\System32\sc.exe \\$Computer sdshow "$Service"
if ($sddlset -notlike "*SUCCESS*") {
return "Permissions did not set"
}
elseif ($sddlverify -notmatch $sid) {
return "Permissions did not set properly. Resolve manually"
}
else {
return "Permission $Rights set successfully on $Computer for $username on $service"
}
}
