From a6634ccd5b82b084e0322219476d05bfaa27c4f0 Mon Sep 17 00:00:00 2001 From: mrahman-DBA <176774888+mrahman-DBA@users.noreply.github.com> Date: Sun, 4 Aug 2024 02:48:47 -0400 Subject: [PATCH] Make Get-DbaPrivilege more efficient (#9436) --- public/Get-DbaPrivilege.ps1 | 155 +++++++++++++++--------------------- 1 file changed, 62 insertions(+), 93 deletions(-) diff --git a/public/Get-DbaPrivilege.ps1 b/public/Get-DbaPrivilege.ps1 index 6b7252c46e..13821107ba 100644 --- a/public/Get-DbaPrivilege.ps1 +++ b/public/Get-DbaPrivilege.ps1 @@ -56,18 +56,18 @@ function Get-DbaPrivilege { ) begin { - $ResolveSID = @' - function Convert-SIDToUserName ([string] $SID ) { - try { - $objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID) - $objUser = $objSID.Translate([System.Security.Principal.NTAccount]) - $objUser.Value - } catch { - $SID - } - } -'@ + function Convert-SIDToUserName ([string] $SID ) { + try { + $objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID) + $objUser = $objSID.Translate([System.Security.Principal.NTAccount]) + $objUser.Value + } catch { + $SID + } + } + $ComputerName = $ComputerName.ComputerName | Select-Object -Unique + } process { foreach ($computer in $ComputerName) { 
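Review bot: The bare `catch` in Convert-SIDToUserName now executes on the machine running dbatools and returns the raw SID for every failure, including ones that are not "SID not mapped" (an LSA lookup error or a trust problem), and nothing records why or documents that the callers in `process` rely on this fallback. I would add a header comment such as `# Best effort: returns DOMAIN\Name for $SID, or the SID string unchanged when this machine's LSA cannot translate it` and, inside the catch, `Write-Message -Level Debug -Message "Could not translate $SID on $env:COMPUTERNAME: $($_.Exception.Message)"`, since the rest of the function already uses Write-Message for diagnostics. Because the helper is declared as a function in `begin` rather than as a string, it is visible to `process` but, unlike the old `$ResolveSID`, it is no longer shipped to the remote host.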
@@ -78,123 +78,96 @@ function Get-DbaPrivilege { } try { - Write-Message -Level Verbose -Message "Exporting Privileges on $computer" - $null = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock { + Write-Message -Level Verbose -Message "Exporting Privileges on $computer and cleaning up temporary files" + $secPol = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock { $temp = ([System.IO.Path]::GetTempPath()).TrimEnd("") secedit /export /cfg $temp\secpolByDbatools.cfg > $null + $CFG = Get-Content $temp\secpolByDbatools.cfg -Force + Remove-Item $temp\secpolByDbatools.cfg -Force + $CFG } Write-Message -Level Verbose -Message "Getting Batch Logon Privileges on $computer" - $bl = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock { - param ($ResolveSID) - . ([ScriptBlock]::Create($ResolveSID)) - $temp = ([System.IO.Path]::GetTempPath()).TrimEnd(""); - $blEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object { - $_ -like "SeBatchLogonRight*" - }) - - if ($null -ne $blEntries) { - $blEntries.Substring(20).Split(",") | ForEach-Object { - if ($_ -match '^\*S-') { - Convert-SIDToUserName -SID $_.TrimStart('*') - } else { - $_ - } + $blEntries = $secPol | Where-Object { $_ -like "SeBatchLogonRight*" } + + $bl = if ($null -ne $blEntries) { + $blEntries.Substring(20).Split(",") | ForEach-Object { + if ($_ -match '^\*S-') { + Convert-SIDToUserName -SID $_.TrimStart('*') + } else { + $_ } } } + if ($bl.count -eq 0) { Write-Message -Level Verbose -Message "No users with Batch Logon Rights on $computer" } Write-Message -Level Verbose -Message "Getting Instant File Initialization Privileges on $computer" - $ifi = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock { - param ($ResolveSID) - . 
([ScriptBlock]::Create($ResolveSID)) - $temp = ([System.IO.Path]::GetTempPath()).TrimEnd(""); - $ifiEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object { - $_ -like 'SeManageVolumePrivilege*' - }) - - if ($null -ne $ifiEntries) { - $ifiEntries.Substring(26).Split(",") | ForEach-Object { - if ($_ -match '^\*S-') { - Convert-SIDToUserName -SID $_.TrimStart('*') - } else { - $_ - } + $ifiEntries = $secPol | Where-Object { $_ -like 'SeManageVolumePrivilege*' } + + $ifi = if ($null -ne $ifiEntries) { + $ifiEntries.Substring(26).Split(",") | ForEach-Object { + if ($_ -match '^\*S-') { + Convert-SIDToUserName -SID $_.TrimStart('*') + } else { + $_ } } } + if ($ifi.count -eq 0) { Write-Message -Level Verbose -Message "No users with Instant File Initialization Rights on $computer" } Write-Message -Level Verbose -Message "Getting Lock Pages in Memory Privileges on $computer" - $lpim = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock { - param ($ResolveSID) - . 
([ScriptBlock]::Create($ResolveSID)) - $temp = ([System.IO.Path]::GetTempPath()).TrimEnd(""); - $lpimEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object { - $_ -like 'SeLockMemoryPrivilege*' - }) - - if ($null -ne $lpimEntries) { - $lpimEntries.Substring(24).Split(",") | ForEach-Object { - if ($_ -match '^\*S-') { - Convert-SIDToUserName -SID $_.TrimStart('*') - } else { - $_ - } + $lpimEntries = $secPol | Where-Object { $_ -like 'SeLockMemoryPrivilege*' } + + $lpim = if ($null -ne $lpimEntries) { + $lpimEntries.Substring(24).Split(",") | ForEach-Object { + if ($_ -match '^\*S-') { + Convert-SIDToUserName -SID $_.TrimStart('*') + } else { + $_ } } } + if ($lpim.count -eq 0) { Write-Message -Level Verbose -Message "No users with Lock Pages in Memory Rights on $computer" } Write-Message -Level Verbose -Message "Getting Generate Security Audits Privileges on $computer" - $gsa = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock { - param ($ResolveSID) - . 
([ScriptBlock]::Create($ResolveSID)) - $temp = ([System.IO.Path]::GetTempPath()).TrimEnd(""); - $gsaEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object { - $_ -like 'SeAuditPrivilege*' - }) - - if ($null -ne $gsaEntries) { - $gsaEntries.Substring(19).Split(",") | ForEach-Object { - if ($_ -match '^\*S-') { - Convert-SIDToUserName -SID $_.TrimStart('*') - } else { - $_ - } + $gsaEntries = $secPol | Where-Object { $_ -like 'SeAuditPrivilege*' } + + $gsa = if ($null -ne $gsaEntries) { + $gsaEntries.Substring(19).Split(",") | ForEach-Object { + if ($_ -match '^\*S-') { + Convert-SIDToUserName -SID $_.TrimStart('*') + } else { + $_ } } } + if ($gsa.count -eq 0) { Write-Message -Level Verbose -Message "No users with Generate Security Audits Rights on $computer" } Write-Message -Level Verbose -Message "Getting Logon as a service Privileges on $computer" - $los = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ArgumentList $ResolveSID -ScriptBlock { - param ($ResolveSID) - . ([ScriptBlock]::Create($ResolveSID)) - $temp = ([System.IO.Path]::GetTempPath()).TrimEnd(""); - $losEntries = (Get-Content $temp\secpolByDbatools.cfg | Where-Object { - $_ -like "SeServiceLogonRight*" - }) - - if ($null -ne $losEntries) { - $losEntries.Substring(22).split(",") | ForEach-Object { - if ($_ -match '^\*S-') { - Convert-SIDToUserName -SID $_.TrimStart('*') - } else { - $_ - } + $losEntries = $secPol | Where-Object { $_ -like "SeServiceLogonRight*" } + + $los = if ($null -ne $losEntries) { + $losEntries.Substring(22).split(",") | ForEach-Object { + if ($_ -match '^\*S-') { + Convert-SIDToUserName -SID $_.TrimStart('*') + } else { + $_ } } } + if ($los.count -eq 0) { Write-Message -Level Verbose -Message "No users with Logon as a service Rights on $computer" } 
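Review bot: With Convert-SIDToUserName no longer invoked inside the remote script blocks, every `*S-…` token in the exported policy is now translated by the LSA of the calling machine instead of by `$computer`, so SIDs only that host can resolve — its local users and groups and, as far as I can tell, per-service SIDs such as NT SERVICE\MSSQLSERVER, which are typically the holders of SeLockMemoryPrivilege and SeManageVolumePrivilege — fall through the catch as raw SIDs and the `-contains` comparisons that build the output (visible for `$los` in the next hunk) silently report `$false` for them. The translation should happen on the remote side inside the export script block, keeping the `Se… = ` prefix verbatim so the existing `Substring(20/26/24/19/22)` parsing below stays valid and leaving unresolved tokens as `*S-…` so the client-side helper still gets a second chance at domain SIDs. The same block should check `$LASTEXITCODE` after `secedit /export` (which in my experience needs an elevated session and today surfaces only as a misleading Get-Content "cannot find path" error) and delete the export in a `finally`, because the file holds the host's complete privilege assignment and is left behind whenever Get-Content throws. The `try` enclosing this hunk begins above it.
```powershell
$secPol = Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
    # … unchanged: $temp = GetTempPath() …
    $cfgPath = "$temp\secpolByDbatools.cfg"
    try {
        secedit /export /cfg $cfgPath > $null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed on $env:COMPUTERNAME with exit code $LASTEXITCODE" }
        # Translate SIDs here, on the host that owns them; its local and per-service
        # SIDs cannot be resolved by the caller's LSA. The "Se... = " prefix is kept
        # verbatim so the Substring() parsing that follows is unaffected.
        Get-Content $cfgPath -Force | ForEach-Object {
            if ($_ -notmatch '^(Se\w+ = )(.*)$') { return $_ }
            $prefix, $members = $Matches[1], $Matches[2]
            $names = $members.Split(",") | ForEach-Object {
                if ($_ -notmatch '^\*S-') { return $_ }
                $sid = $_.TrimStart('*')
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    "*$sid"   # leave the token for the client-side fallback
                }
            }
            $prefix + ($names -join ",")
        }
    } finally {
        Remove-Item $cfgPath -Force -ErrorAction SilentlyContinue
    }
}
```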
@@ -211,11 +184,7 @@ function Get-DbaPrivilege {
 LogonAsAService = $los -contains $_
 }
 }
- Write-Message -Level Verbose -Message "Removing secpol file on $computer"
- Invoke-Command2 -Raw -ComputerName $computer -Credential $Credential -ScriptBlock {
- $temp = ([System.IO.Path]::GetTempPath()).TrimEnd("")
- Remove-Item $temp\secpolByDbatools.cfg -Force
- }
+
 } catch {
 Stop-Function -Continue -Message "Failure" -ErrorRecord $_ -Target $computer
 }