internal/functions/ConvertFrom-ImportedIdentity.ps1

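function ConvertFrom-ImportedIdentity
{
<#
    .SYNOPSIS
        Converts an imported identity into a security principal.
     
    .DESCRIPTION
        Converts an imported identity into a security principal.
        This is used for granting permissions.

        Resolution depends on the imported PrincipalType:
        - 'Local BuiltIn' / 'foreignSecurityPrincipal': the imported SID is returned unchanged.
        - 'group': the source domain is mapped onto the destination domain with Resolve-DomainMapping.
          Built-in groups are rebuilt from the destination domain SID plus the imported RID;
          all other groups are looked up by SID in $script:identityMapping and returned as an NTAccount.
        Any other PrincipalType is an error, so that no permission is silently granted to an
        unresolved (empty) identity.
     
    .PARAMETER Permission
        The permission object containing the source principal.
        Members read here: PrincipalType, SID, DomainFqdn, DomainName, IsBuiltIn, RID, IdentityReference, Group.
     
    .PARAMETER DomainObject
        An object representing the destination domain (as returned by Get-ADDomain)
        For group principals this variable is reassigned to the result of Resolve-DomainMapping
        before its DomainSID / NetBIOSName are used.
     
    .EXAMPLE
        PS C:\> ConvertFrom-ImportedIdentity -Permission $permission -DomainObject $domainObject
     
        Resolves the source identity into a destination security principal.
#>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")]
    [OutputType([System.Security.Principal.IdentityReference])]
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        $Permission,
        
        [Parameter(Mandatory = $true)]
        $DomainObject
    )
    
    process
    {
        switch ($Permission.PrincipalType)
        {
            # Well-known and foreign SIDs are not domain-specific: pass the imported SID straight through
            'Local BuiltIn' { return [System.Security.Principal.SecurityIdentifier]$Permission.SID }
            'foreignSecurityPrincipal' { return [System.Security.Principal.SecurityIdentifier]$Permission.SID }
            'group'
            {
                #TODO: Implement Domain Resolution
                # Map the source domain onto the destination domain. This deliberately overwrites the
                # -DomainObject parameter (PowerShell variable names are case-insensitive, so the original
                # $domainObject assignment did the same), so DomainSID / NetBIOSName below come from the
                # resolved domain. A null result of the -as cast is caught here as a resolution failure.
                try
                {
                    $DomainObject = Resolve-DomainMapping -DomainSid ($Permission.SID -as [System.Security.Principal.SecurityIdentifier]).AccountDomainSid.Value -DomainFqdn $Permission.DomainFqdn -DomainName $Permission.DomainName
                }
                catch { throw "Cannot resolve domain $($Permission.DomainFqdn) for $($Permission.Group) $($Permission.SID)! $_" }

                # IsBuiltIn is compared as text ('true') because it arrives as an imported value, not a [bool]
                if ($Permission.IsBuiltIn -like 'true')
                {
                    # Built-in domain groups keep their RID across domains: rebuild the SID under the destination domain
                    return [System.Security.Principal.SecurityIdentifier]('{0}-{1}' -f $DomainObject.DomainSID, $Permission.RID)
                }

                # Custom groups must have an explicit SID -> target-name mapping; refuse to guess
                $identity = $script:identityMapping | Where-Object SID -EQ $Permission.SID
                if (-not $identity) { throw "Cannot resolve $($Permission.IdentityReference) ($($Permission.SID))" }
                return [System.Security.Principal.NTAccount]('{0}\{1}' -f $DomainObject.NetBIOSName, $identity.Target)
            }
            default
            {
                # Fail loudly instead of returning nothing: the caller grants permissions with this result,
                # and an empty identity must not be applied by accident
                throw "Unknown principal type '$($Permission.PrincipalType)' for $($Permission.IdentityReference) ($($Permission.SID))"
            }
        }
    }
}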