
Commit a6634cc

authored
Make Get-DbaPrivilege more efficient (#9436)
1 parent 750c1ea commit a6634cc


1 file changed

+62
-93
lines changed

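--- a/public/Get-DbaPrivilege.ps1
+++ b/public/Get-DbaPrivilege.ps1
@@ -56,18 +56,18 @@ function Get-DbaPrivilege {
 )
 
 begin {
-$ResolveSID = @'
-function Convert-SIDToUserName ([string] $SID ) {
-try {
-$objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID)
-$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
-$objUser.Value
-} catch {
-$SID
-}
-}
-'@
+function Convert-SIDToUserName ([string] $SID ) {
+try {
+$objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID)
+$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
+$objUser.Value
+} catch {
+$SID
+}
+}
+
 $ComputerName = $ComputerName.ComputerName | Select-Object -Unique
+
 }
 process {
 foreach ($computer in $ComputerName) {
@@ -78,123 +78,96 @@ function Get-DbaPrivilege {
 }
 
 try {
-Write-Message -Level Verbose -Message "Exporting Privileges on $computer"
-$null = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
+Write-Message -Level Verbose -Message "Exporting Privileges on $computer and cleaning up temporary files"
+$secPol = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
 $temp = ([System.IO.Path]::GetTempPath()).TrimEnd("")
 secedit /export /cfg $temp\secpolByDbatools.cfg > $null
+$CFG = Get-Content $temp\secpolByDbatools.cfg -Force
+Remove-Item $temp\secpolByDbatools.cfg -Force
+$CFG
 }
 
 Write-Message -Level Verbose -Message "Getting Batch Logon Privileges on $computer"
-$bl = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
-param ($ResolveSID)
-. ([ScriptBlock]::Create($ResolveSID))
-$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
-$blEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
-$_ -like "SeBatchLogonRight*"
-})
-
-if ($null -ne $blEntries) {
-$blEntries.Substring(20).Split(",") | ForEach-Object {
-if ($_ -match '^\*S-') {
-Convert-SIDToUserName -SID $_.TrimStart('*')
-} else {
-$_
-}
+$blEntries = $secPol | Where-Object { $_ -like "SeBatchLogonRight*" }
+
+$bl = if ($null -ne $blEntries) {
+$blEntries.Substring(20).Split(",") | ForEach-Object {
+if ($_ -match '^\*S-') {
+Convert-SIDToUserName -SID $_.TrimStart('*')
+} else {
+$_
 }
 }
 }
+
 if ($bl.count -eq 0) {
 Write-Message -Level Verbose -Message "No users with Batch Logon Rights on $computer"
 }
 
 Write-Message -Level Verbose -Message "Getting Instant File Initialization Privileges on $computer"
-$ifi = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
-param ($ResolveSID)
-. ([ScriptBlock]::Create($ResolveSID))
-$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
-$ifiEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
-$_ -like 'SeManageVolumePrivilege*'
-})
-
-if ($null -ne $ifiEntries) {
-$ifiEntries.Substring(26).Split(",") | ForEach-Object {
-if ($_ -match '^\*S-') {
-Convert-SIDToUserName -SID $_.TrimStart('*')
-} else {
-$_
-}
+$ifiEntries = $secPol | Where-Object { $_ -like 'SeManageVolumePrivilege*' }
+
+$ifi = if ($null -ne $ifiEntries) {
+$ifiEntries.Substring(26).Split(",") | ForEach-Object {
+if ($_ -match '^\*S-') {
+Convert-SIDToUserName -SID $_.TrimStart('*')
+} else {
+$_
 }
 }
 }
+
 if ($ifi.count -eq 0) {
 Write-Message -Level Verbose -Message "No users with Instant File Initialization Rights on $computer"
 }
 
 Write-Message -Level Verbose -Message "Getting Lock Pages in Memory Privileges on $computer"
-$lpim = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
-param ($ResolveSID)
-. ([ScriptBlock]::Create($ResolveSID))
-$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
-$lpimEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
-$_ -like 'SeLockMemoryPrivilege*'
-})
-
-if ($null -ne $lpimEntries) {
-$lpimEntries.Substring(24).Split(",") | ForEach-Object {
-if ($_ -match '^\*S-') {
-Convert-SIDToUserName -SID $_.TrimStart('*')
-} else {
-$_
-}
+$lpimEntries = $secPol | Where-Object { $_ -like 'SeLockMemoryPrivilege*' }
+
+$lpim = if ($null -ne $lpimEntries) {
+$lpimEntries.Substring(24).Split(",") | ForEach-Object {
+if ($_ -match '^\*S-') {
+Convert-SIDToUserName -SID $_.TrimStart('*')
+} else {
+$_
 }
 }
 }
+
 if ($lpim.count -eq 0) {
 Write-Message -Level Verbose -Message "No users with Lock Pages in Memory Rights on $computer"
 }
 
 Write-Message -Level Verbose -Message "Getting Generate Security Audits Privileges on $computer"
-$gsa = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
-param ($ResolveSID)
-. ([ScriptBlock]::Create($ResolveSID))
-$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
-$gsaEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
-$_ -like 'SeAuditPrivilege*'
-})
-
-if ($null -ne $gsaEntries) {
-$gsaEntries.Substring(19).Split(",") | ForEach-Object {
-if ($_ -match '^\*S-') {
-Convert-SIDToUserName -SID $_.TrimStart('*')
-} else {
-$_
-}
+$gsaEntries = $secPol | Where-Object { $_ -like 'SeAuditPrivilege*' }
+
+$gsa = if ($null -ne $gsaEntries) {
+$gsaEntries.Substring(19).Split(",") | ForEach-Object {
+if ($_ -match '^\*S-') {
+Convert-SIDToUserName -SID $_.TrimStart('*')
+} else {
+$_
 }
 }
 }
+
 if ($gsa.count -eq 0) {
 Write-Message -Level Verbose -Message "No users with Generate Security Audits Rights on $computer"
 }
 
 Write-Message -Level Verbose -Message "Getting Logon as a service Privileges on $computer"
-$los = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock {
-param ($ResolveSID)
-. ([ScriptBlock]::Create($ResolveSID))
-$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("");
-$losEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object {
-$_ -like "SeServiceLogonRight*"
-})
-
-if ($null -ne $losEntries) {
-$losEntries.Substring(22).split(",") | ForEach-Object {
-if ($_ -match '^\*S-') {
-Convert-SIDToUserName -SID $_.TrimStart('*')
-} else {
-$_
-}
+$losEntries = $secPol | Where-Object { $_ -like "SeServiceLogonRight*" }
+
+$los = if ($null -ne $losEntries) {
+$losEntries.Substring(22).split(",") | ForEach-Object {
+if ($_ -match '^\*S-') {
+Convert-SIDToUserName -SID $_.TrimStart('*')
+} else {
+$_
 }
 }
 }
+
 if ($los.count -eq 0) {
 Write-Message -Level Verbose -Message "No users with Logon as a service Rights on $computer"
 }
@@ -211,11 +184,7 @@ function Get-DbaPrivilege {
 LogonAsAService = $los -contains $_
 }
 }
-Write-Message -Level Verbose -Message "Removing secpol file on $computer"
-Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
-$temp = ([System.IO.Path]::GetTempPath()).TrimEnd("")
-Remove-Item $temp\secpolByDbatools.cfg -Force
-}
+
 } catch {
 Stop-Function -Continue -Message "Failure" -ErrorRecord $_ -Target $computer
 }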
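Review bot: SID-to-name translation now runs on the machine executing the function rather than on $computer: the new `$bl = if ($null -ne $blEntries)` block (new lines 93-99, and the parallel blocks at 110, 127, 144 and 161) calls Convert-SIDToUserName locally on strings pulled out of $secPol, whereas the removed code dot-sourced $ResolveSID inside the Invoke-Command2 script block. For principals that only exist on the remote host (its local accounts and groups) Translate() will presumably fail locally and the catch returns the raw SID, so the ComputerName/User output changes for those entries compared with the previous release; either state that in the function's help or resolve the `*S-` entries inside the remote script block before $CFG is returned. Separately, in the export script block at new lines 83-87 the `Remove-Item` on line 86 is skipped whenever `Get-Content` throws, which leaves the exported policy (a list of every privilege holder on the host) behind in the temp directory; a try/finally makes the cleanup unconditional, as below. The enclosing try block continues into the next hunk.
```powershell
$secPol = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
    $temp = ([System.IO.Path]::GetTempPath()).TrimEnd("")
    try {
        secedit /export /cfg $temp\secpolByDbatools.cfg > $null
        Get-Content $temp\secpolByDbatools.cfg -Force
    } finally {
        # remove the exported policy even when reading it failed
        Remove-Item $temp\secpolByDbatools.cfg -Force -ErrorAction SilentlyContinue
    }
}
# … unchanged: per-privilege filtering of $secPol …
```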
