Slyons

Reputation: 117

Return user data from SID

Trying to use the SID translator to see which users have permissions on a specific printer (eventually I will modify it to use for multiple printers), but I am receiving the error "You cannot call a method on a null-valued expression". Below is what I have.

$SID = [System.Security.Principal.SecurityIdentifier]::(
(Get-Printer 'Test-Printer-MFP' -Full).PermissionSDDL
)
$User = ($SID.Translate([System.Security.Principal.NTAccount]))

Return $User.Value

Update: This function translates the SID to a username; I need to do this for all users on the printer so I can query multiple printers.

$objSID = New-Object System.Security.Principal.SecurityIdentifier `
("S-1-5-21-3923692831-1208425469-611280938-4396488")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value 


Upvotes: 0

Views: 1165

Answers (1)

Ansgar Wiechers

Reputation: 200273

The PermissionSDDL property gives you a security descriptor in SDDL format, not an SID. ACE strings in security descriptors of that format contain either string SIDs (S-x-y-...) or SID constants. You could split the string, extract the SIDs, and convert them like you tried in your code. However, that would handle only string SIDs, not SID constants.

A better way to resolve both string SIDs and SID constants to the corresponding names would be to convert the security descriptor from SDDL form to object form. Some quick googling revealed this article using the SetSecurityDescriptorSddlForm() method for transforming the SDDL string to a "regular" ACL object:

Function Convert-SDDLToACL {
    [Cmdletbinding()]
    Param (
        #One or more strings of SDDL syntax.
        [string[]]$SDDLString
    )

    foreach ($SDDL in $SDDLString) {
        $ACLObject = New-Object -Type Security.AccessControl.DirectorySecurity
        $ACLObject.SetSecurityDescriptorSddlForm($SDDL)
        $ACLObject.Access
    }
}

The function returns the ACEs of the generated security descriptor object. You can extract the user/group/principal names from that list like this:

$sddl = (Get-Printer 'Test-Printer-MFP' -Full).PermissionSDDL
Convert-SDDLToACL $sddl |
    Select-Object -Expand IdentityReference |
    Select-Object -Expand Value

Upvotes: 1
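An added example, not code from the question or the answer above, that goes one step further than the answer: it parses PermissionSDDL with System.Security.AccessControl.RawSecurityDescriptor (which, like DirectorySecurity, accepts both string SIDs and SDDL constants such as BA or WD), resolves every principal, and keeps the raw access mask instead of letting DirectorySecurity relabel it as a FileSystemRights value (on a printer, the 0x8 "Print" bit would otherwise show up as ReadExtendedAttributes). It also handles the failure mode the original code does not: an orphaned or foreign-domain SID makes Translate() throw IdentityNotMappedException, so the example falls back to the SID string rather than aborting the run. The function names, the printer-right labels (bit values taken from winspool.h) and the sample SDDL are this example's own and are constructed, not captured from a real printer; the script is Windows-only because SID translation needs the local LSA.

```powershell
# Added example; not part of the original question or answer.

function ConvertTo-PrinterRightNames {
    param([int]$Mask)
    # Bit values from winspool.h / winnt.h. The hex mask stays the authoritative value;
    # these names are only a reading aid. 0xF000C is PRINTER_ALL_ACCESS.
    $names = @()
    if ($Mask -band 0x4)        { $names += 'ManagePrinter'   }  # PRINTER_ACCESS_ADMINISTER
    if ($Mask -band 0x8)        { $names += 'Print'           }  # PRINTER_ACCESS_USE
    if ($Mask -band 0x10)       { $names += 'ManageDocuments' }  # JOB_ACCESS_ADMINISTER
    if ($Mask -band 0x20)       { $names += 'ReadDocuments'   }  # JOB_ACCESS_READ
    if ($Mask -band 0x10000)    { $names += 'Delete'          }  # DELETE
    if ($Mask -band 0x20000)    { $names += 'ReadControl'     }  # READ_CONTROL
    if ($Mask -band 0x40000)    { $names += 'WriteDac'        }  # WRITE_DAC
    if ($Mask -band 0x80000)    { $names += 'WriteOwner'      }  # WRITE_OWNER
    if ($Mask -band 0x10000000) { $names += 'GenericAll'      }  # GENERIC_ALL
    return ($names -join ',')
}

function Resolve-PrinterSddlAce {
    # Emits one object per ACE. Binds by property name so that
    # Get-Printer -Full output (Name, PermissionSDDL) can be piped straight in.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$PermissionSDDL
    )
    process {
        # RawSecurityDescriptor parses SDDL, resolving constants (BA, WD, SY, ...) to SIDs
        # and keeping the access mask untouched.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $PermissionSDDL
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only KnownAce (CommonAce/ObjectAce) carries a SID and a mask.
            if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
            $sid = $ace.SecurityIdentifier
            try {
                $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # Orphaned or foreign-domain SID: report the SID instead of failing the whole run.
                $principal = $sid.Value
            }
            [pscustomobject]@{
                Printer     = $Name
                Principal   = $principal
                Sid         = $sid.Value
                AceType     = $ace.AceType                           # AccessAllowed / AccessDenied
                AccessMask  = ('0x{0:X}' -f $ace.AccessMask)
                Rights      = ConvertTo-PrinterRightNames $ace.AccessMask
                # Inherit-only ACEs on a printer govern documents, not the printer itself.
                InheritOnly = $ace.AceFlags.HasFlag([System.Security.AccessControl.AceFlags]::InheritOnly)
            }
        }
    }
}

# Real use, every printer on this host:
#   Get-Printer -Full | Resolve-PrinterSddlAce | Format-Table -AutoSize

# Offline demo with a constructed SDDL (not captured from a real printer). It mixes
# SDDL constants (BA, WD) with the string SID from the question, which will not
# resolve on your machine and so exercises the fallback path. The deny ACE is listed
# first to keep the DACL in canonical order.
$sample = [pscustomobject]@{
    Name           = 'Test-Printer-MFP'
    PermissionSDDL = 'O:BAG:SYD:' +
                     '(D;;SW;;;S-1-5-21-3923692831-1208425469-611280938-4396488)' +
                     '(A;;LCSWSDRCWDWO;;;BA)' +
                     '(A;;SWRC;;;WD)' +
                     '(A;OIIO;RPWPSDRCWDWO;;;BA)'
}
$sample | Resolve-PrinterSddlAce | Format-Table -AutoSize
```

With the sample above, BA resolves to BUILTIN\Administrators with mask 0xF000C (ManagePrinter, Print and the standard rights), WD to Everyone with 0x20008 (Print, ReadControl), the inherit-only BA entry carries the job rights 0x10 and 0x20, and the deny entry keeps its SID string because the domain it belongs to is not reachable. To get the asker's list of "who has permissions", filter on AceType and group by Principal; keep the deny rows in view, since a principal with both an allow and a deny ACE does not have the access the allow alone suggests.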
