|
|
|
@ -158,27 +158,15 @@ Try {
|
|
|
|
|
# Check if the ACE exists already in the objects ACL list
|
|
|
|
|
$match = $false
|
|
|
|
|
|
|
|
|
|
# Workaround to handle special use case 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' and
|
|
|
|
|
# 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'- can't translate fully qualified name (win32 API bug/oddity)
|
|
|
|
|
# 'ALL APPLICATION PACKAGES' exists only on Win2k12 and Win2k16 and 'ALL RESTRICTED APPLICATION PACKAGES' exists only in Win2k16
|
|
|
|
|
$specialIdRefs = "ALL APPLICATION PACKAGES","ALL RESTRICTED APPLICATION PACKAGES"
|
|
|
|
|
ForEach($rule in $objACL.Access){
|
|
|
|
|
$idRefShortValue = ($rule.IdentityReference.Value).split('\')[-1]
|
|
|
|
|
|
|
|
|
|
if ( $idRefShortValue -in $specialIdRefs ) {
|
|
|
|
|
$ruleIdentity = (New-Object Security.Principal.NTAccount $idRefShortValue).Translate([Security.Principal.SecurityIdentifier])
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
|
|
|
|
|
}
|
|
|
|
|
ForEach($rule in $objACL.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])){
|
|
|
|
|
|
|
|
|
|
If ($path_item.PSProvider.Name -eq "Registry") {
|
|
|
|
|
If (($rule.RegistryRights -eq $objACE.RegistryRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
|
|
|
|
|
If (($rule.RegistryRights -eq $objACE.RegistryRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($rule.IdentityReference -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
|
|
|
|
|
$match = $true
|
|
|
|
|
Break
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
|
|
|
|
|
If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($rule.IdentityReference -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
|
|
|
|
|
$match = $true
|
|
|
|
|
Break
|
|
|
|
|
}
|
|
|
|
|