@ -1,113 +1,43 @@
#!powershell
#!powershell
# This file is part of Ansible
#
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
# Copyright 2015, Phil Schwartz <schwartzmx@gmail.com>
# Copyright 2015, Trond Hindenes
# Copyright 2015, Trond Hindenes
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
#
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# WANT_JSON
# POWERSHELL_COMMON
# win_acl module (File/Resources Permission Additions/Removal)
# Requires -Module Ansible.ModuleUtils.Legacy.psm1
# Requires -Module Ansible.ModuleUtils.SID.psm1
# win_acl module (File/Resources Permission Additions/Removal)
#Functions
#Functions
Function UserSearch
function Get-UserSID {
{
param (
Param ( [ string ] $accountName )
[ String ] $AccountName
#Check if there's a realm specified
)
$searchDomain = $false
$userSID = $null
$searchDomainUPN = $false
$searchAppPools = $false
$SearchAppPools = $false
if ( $accountName . Split ( " \ " ) . count -gt 1 )
{
if ( $accountName . Split ( " \ " ) [ 0 ] -eq $env:COMPUTERNAME )
{
if ( $AccountName . Split ( " \ " ) . Count -gt 1 ) {
if ( $AccountName . Split ( " \ " ) [ 0 ] -eq " IIS APPPOOL " ) {
$searchAppPools = $true
$AccountName = $AccountName . Split ( " \ " ) [ 1 ]
}
}
elseif ( $accountName . Split ( " \ " ) [ 0 ] -eq " IIS APPPOOL " )
{
$SearchAppPools = $true
$accountName = $accountName . split ( " \ " ) [ 1 ]
}
else
{
$searchDomain = $true
$accountName = $accountName . split ( " \ " ) [ 1 ]
}
}
Elseif ( $accountName . contains ( " @ " ) )
{
$searchDomain = $true
$searchDomainUPN = $true
}
Else
{
#Default to local user account
$accountName = $env:COMPUTERNAME + " \ " + $accountName
}
}
if ( ( $searchDomain -eq $false ) -and ( $SearchAppPools -eq $false ) )
if ( $searchAppPools ) {
{
Import-Module -Name WebAdministration
# do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too
$testIISPath = Test-Path -Path " IIS: "
$localaccount = get-wmiobject -class " Win32_Account " -namespace " root\CIMV2 " -filter " (LocalAccount = True) " | where { $_ . Caption -eq $accountName }
if ( $testIISPath ) {
if ( $localaccount )
$appPoolObj = Get-ItemProperty -Path " IIS:\AppPools\ $AccountName "
{
$userSID = $appPoolObj . applicationPoolSid
return $localaccount . SID
}
}
}
Elseif ( $SearchAppPools -eq $true )
{
Import-Module WebAdministration
$testiispath = Test-path " IIS: "
if ( $testiispath -eq $false )
{
return $null
}
else
{
$apppoolobj = Get-ItemProperty IIS : \ AppPools \ $accountName
return $apppoolobj . applicationPoolSid
}
}
Else
{
#Search by samaccountname
$Searcher = [ adsisearcher ] " "
If ( $searchDomainUPN -eq $false ) {
$Searcher . Filter = " sAMAccountName= $( $accountName ) "
}
}
E lse {
else {
$Searcher . Filter = " userPrincipalName= $( $accountName ) "
$userSID = Convert-ToSID -account_name $AccountName
}
}
$result = $Searcher . FindOne ( )
return $userSID
if ( $result )
{
$user = $result . GetDirectoryEntry ( )
# get binary SID from AD account
$binarySID = $user . ObjectSid . Value
# convert to string SID
return ( New-Object System . Security . Principal . SecurityIdentifier ( $binarySID , 0 ) ) . Value
}
}
}
}
# Need to adjust token privs when executing Set-ACL in certain cases.
# Need to adjust token privs when executing Set-ACL in certain cases.
@ -234,9 +164,8 @@ If (-Not (Test-Path -Path $path)) {
}
}
# Test that the user/group is resolvable on the local machine
# Test that the user/group is resolvable on the local machine
$sid = UserSearch -AccountName ( $user )
$sid = Get-UserSID -AccountName $user
if ( ! $sid )
if ( ! $sid ) {
{
Fail-Json $result " $user is not a valid user or group on the host machine or domain "
Fail-Json $result " $user is not a valid user or group on the host machine or domain "
}
}
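Review bot: In the Get-UserSID hunk above, `Get-ItemProperty -Path "IIS:\AppPools\$AccountName"` feeds the caller-supplied account name into a provider path that `-Path` interprets as a wildcard pattern, so a name containing `*`, `?` or `[` can match a different app pool (or several) and return the wrong SID instead of failing. Switching to `-LiteralPath` removes the pattern interpretation; and since a missing pool makes Get-ItemProperty raise an error rather than yield `$null`, the function's "returns `$null` when unresolvable" contract that the caller relies on (`if (!$sid) { Fail-Json ... }`) should be kept explicit — if the module utils run with `$ErrorActionPreference = 'Stop'` (not visible here), the error would abort the module before that Fail-Json message. I would change the two lines to `$appPoolObj = Get-ItemProperty -LiteralPath "IIS:\AppPools\$AccountName" -ErrorAction SilentlyContinue` followed by `if ($appPoolObj) { $userSID = $appPoolObj.applicationPoolSid }`. A one-line header such as `# Resolve a user, group or "IIS APPPOOL\name" account to its SID string; returns $null when it cannot be resolved` would also document what both callers expect of the return value.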