# Fallback message table for the SMB delegation cmdlets, used when no
# SmbLocalization.psd1 is found for the current UI culture. A `data` section
# permits only a restricted subset of the language, so the strings are fed
# through ConvertFrom-StringData; keep them in sync with the .psd1 file.
data _system_translations
{
ConvertFrom-StringData @'
# Fallback text
# Copy all the strings in the psd1 file here
msg_ad_forest = SMB Delegation cmdlets require the Active Directory forest to be in Windows Server 2012 forest functional level.
msg_ad_cmdlets = SMB Delegation cmdlets require the installation of the Active Directory module for Windows PowerShell.
'@
}
# Replace the fallback table with the culture-specific strings when the
# SmbLocalization.psd1 for the current UI culture is available.
# NOTE(review): if the .psd1 is missing, Import-LocalizedData reports an error
# and the fallback table above presumably stays bound — confirm.
Import-LocalizedData -BindingVariable _system_translations -fileName SmbLocalization.psd1
function Set-SmbPathAcl
{
    <#
    .SYNOPSIS
    Re-applies an SMB share's preset path ACL to the share's folder.
    .DESCRIPTION
    Looks the share up with Get-SmbShare (optionally within a scope), takes
    its PresetPathACL and pipes that to Set-Acl. The ACL written is the one
    the SMB server stored for the share, not a caller-supplied value.
    .PARAMETER ShareName
    Name of the SMB share whose preset path ACL should be applied.
    .PARAMETER ScopeName
    Optional scope name. When null or empty the share is looked up without a
    scope.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]
        $ShareName,
        [Parameter()]
        [string]
        $ScopeName = $null
    )
    # Build the Get-SmbShare arguments once; ScopeName is only passed when set.
    $lookup = @{ Name = $ShareName }
    if (-not [string]::IsNullOrEmpty($ScopeName)) {
        $lookup['ScopeName'] = $ScopeName
    }
    (Get-SmbShare @lookup).PresetPathACL | Set-Acl
}
function CheckDelegationPrerequisites
{
    # Module-private guard shared by the *-SmbDelegation cmdlets.
    # Verifies that the ActiveDirectory module exposes commands and that the
    # forest functional level is at least Windows2012Forest. On the first unmet
    # prerequisite it writes the matching localized error from
    # $_system_translations and returns $false; returns $true otherwise.
    $adCommands = Get-Command -Module ActiveDirectory
    if ($null -eq $adCommands) {
        Write-Error $_system_translations.msg_ad_cmdlets
        return $false
    }
    # The comparison relies on the AdForestMode enum's numeric values being
    # ordered by release, so "-lt Windows2012Forest" means "older than 2012".
    $currentMode = (Get-AdForest).ForestMode.ToInt32($null)
    $minimumMode = [Microsoft.ActiveDirectory.Management.AdForestMode]::Windows2012Forest.ToInt32($null)
    if ($currentMode -lt $minimumMode) {
        Write-Error $_system_translations.msg_ad_forest
        return $false
    }
    return $true
}
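function Get-SmbDelegation
{
    <#
    .SYNOPSIS
    Lists the computer accounts allowed to delegate to an SMB server.
    .DESCRIPTION
    Reads msDS-AllowedToActOnBehalfOfOtherIdentity on the server's computer
    object, resolves the identity of each access entry back to a computer
    account with Get-ADComputer and emits the account names. Entries whose
    identity does not resolve to a computer object (for example a user or
    group principal, or a SID with no backslash-qualified name) produce no
    output.
    .PARAMETER SmbServer
    Name of the SMB server's computer account. It is matched with -Like, so it
    must identify exactly one computer; otherwise an error is written and
    nothing is returned.
    .OUTPUTS
    System.String — the Name of each delegating computer account.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]
        $SmbServer
    )
    $check = CheckDelegationPrerequisites
    if (-not $check) {
        return
    }
    $fsAD = Get-ADComputer -filter {Name -Like $SmbServer} -Properties 'msds-allowedtoactonbehalfofotheridentity'
    # -Like accepts wildcards: reject zero or several matches instead of
    # silently reading a $null or an array. @($null).Count is 1, hence the
    # explicit null test first.
    if ($null -eq $fsAD) {
        Write-Error "No computer account matches '$SmbServer'." -Category ObjectNotFound
        return
    }
    if (@($fsAD).Count -gt 1) {
        Write-Error "'$SmbServer' matches more than one computer account; specify a single name." -Category InvalidArgument
        return
    }
    $result = @()
    foreach ($AllowedAccount in $fsAD."msDS-AllowedToActOnBehalfOfOtherIdentity".Access) {
        # IdentityReference.Value is expected as DOMAIN\name; keep the part after
        # the backslash (IndexOf returns -1 when absent, so nothing is removed).
        $samAccountName = $AllowedAccount.IdentityReference.Value
        $samAccountName = $samAccountName.Remove(0, ($samAccountName.IndexOf("\") + 1))
        $result += Get-ADComputer -Filter {SamAccountName -Like $samAccountName}
    }
    $result.Name
}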
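function Enable-SmbDelegation
{
    <#
    .SYNOPSIS
    Adds an SMB client computer to the accounts allowed to delegate to an SMB server.
    .DESCRIPTION
    Rebuilds msDS-AllowedToActOnBehalfOfOtherIdentity on the server's computer
    object: every existing entry that resolves to a computer account is kept,
    the client's computer account is appended, and the whole list is written
    back with Set-ADComputer -PrincipalsAllowedToDelegateToAccount. Because
    the list is rebuilt from computer objects only, an existing entry that is
    not a computer account (or whose identity no longer resolves) is dropped;
    a warning is written for each such entry. The attribute controls
    delegation to the server account, so review the result with
    Get-SmbDelegation.
    .PARAMETER SmbClient
    Identity of the client computer account (passed to Get-ADComputer -Identity).
    .PARAMETER SmbServer
    Name of the server computer account. Matched with -Like; must identify
    exactly one computer, otherwise an error is written and nothing is changed.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]
        $SmbClient,
        [Parameter(Mandatory=$true)]
        [string]
        $SmbServer
    )
    $check = CheckDelegationPrerequisites
    if (-not $check) {
        return
    }
    $fsAD = Get-ADComputer -Filter {Name -Like $SmbServer} -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
    # -Like accepts wildcards: never rewrite the attribute on zero or several
    # computers. @($null).Count is 1, hence the explicit null test first.
    if ($null -eq $fsAD) {
        Write-Error "No computer account matches '$SmbServer'." -Category ObjectNotFound
        return
    }
    if (@($fsAD).Count -gt 1) {
        Write-Error "'$SmbServer' matches more than one computer account; specify a single name." -Category InvalidArgument
        return
    }
    # Resolve the client before touching the server object so a lookup failure
    # cannot leave the attribute rewritten without the client added.
    $clientAccount = Get-ADComputer -Identity $SmbClient
    if ($null -eq $clientAccount) {
        Write-Error "No computer account found for client '$SmbClient'." -Category ObjectNotFound
        return
    }
    $delegationPrinciples = @()
    foreach ($AllowedAccount in $fsAD."msDS-AllowedToActOnBehalfOfOtherIdentity".Access) {
        # IdentityReference.Value is expected as DOMAIN\name; keep the part after
        # the backslash (IndexOf returns -1 when absent, so nothing is removed).
        $identity = $AllowedAccount.IdentityReference.Value
        $samAccountName = $identity.Remove(0, ($identity.IndexOf("\") + 1))
        $adc = Get-ADComputer -Filter {SamAccountName -Like $samAccountName}
        if ($null -eq $adc) {
            # Get-ADComputer only returns computer objects, so this entry cannot
            # be carried over into the rebuilt list; make the drop visible.
            Write-Warning "Existing delegation entry '$identity' does not resolve to a computer account and will not be preserved."
            continue
        }
        $delegationPrinciples += $adc
    }
    $delegationPrinciples += $clientAccount
    $fsAD | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $delegationPrinciples
}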
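function Disable-SmbDelegation
{
    <#
    .SYNOPSIS
    Removes an SMB client computer (or every principal) from the accounts allowed to delegate to an SMB server.
    .DESCRIPTION
    Rebuilds msDS-AllowedToActOnBehalfOfOtherIdentity on the server's computer
    object from the existing entries that resolve to a computer account whose
    Name differs from SmbClient (case-insensitive -ne), and writes the list back
    with Set-ADComputer -PrincipalsAllowedToDelegateToAccount. When SmbClient
    is null or empty the list is written back empty, which clears delegation
    to the server for every principal. Existing entries that do not resolve to
    a computer account are dropped with a warning in either case.
    .PARAMETER SmbClient
    Name of the client computer account to remove. Omit or pass an empty
    string to clear all delegating principals.
    .PARAMETER SmbServer
    Name of the server computer account. Matched with -Like; must identify
    exactly one computer, otherwise an error is written and nothing is changed.
    .PARAMETER Force
    Accepted for interface compatibility; not used by this function.
    #>
    [CmdletBinding()]
    param(
        [Parameter()]
        [string]
        $SmbClient,
        [Parameter(Mandatory=$true)]
        [string]
        $SmbServer,
        [System.Management.Automation.SwitchParameter]
        [bool]
        $Force = $false
    )
    $check = CheckDelegationPrerequisites
    if (-not $check) {
        return
    }
    $fsAD = Get-ADComputer -Filter {Name -Like $SmbServer} -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
    # -Like accepts wildcards: never rewrite the attribute on zero or several
    # computers. @($null).Count is 1, hence the explicit null test first.
    if ($null -eq $fsAD) {
        Write-Error "No computer account matches '$SmbServer'." -Category ObjectNotFound
        return
    }
    if (@($fsAD).Count -gt 1) {
        Write-Error "'$SmbServer' matches more than one computer account; specify a single name." -Category InvalidArgument
        return
    }
    $delegationPrinciples = @()
    if (-not [string]::IsNullOrEmpty($SmbClient)) {
        foreach ($AllowedAccount in $fsAD."msDS-AllowedToActOnBehalfOfOtherIdentity".Access) {
            # IdentityReference.Value is expected as DOMAIN\name; keep the part
            # after the backslash (IndexOf returns -1 when absent, so nothing is removed).
            $identity = $AllowedAccount.IdentityReference.Value
            $samAccountName = $identity.Remove(0, ($identity.IndexOf("\") + 1))
            $adc = Get-ADComputer -Filter {SamAccountName -Like $samAccountName}
            if ($null -eq $adc) {
                # Previously a $null was appended to the list here; skip it and
                # make the drop visible instead.
                Write-Warning "Existing delegation entry '$identity' does not resolve to a computer account and will not be preserved."
                continue
            }
            if ($adc.Name -ne $SmbClient) {
                $delegationPrinciples += $adc
            }
        }
    }
    # An empty $SmbClient leaves $delegationPrinciples empty: all delegation is cleared.
    $fsAD | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $delegationPrinciples
}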
function DumpAndTestCertificate([String]$Storename, [String]$Thumbprint) {
    <#
    .SYNOPSIS
    Prints the key properties of a LocalMachine certificate and runs Test-Certificate on it.
    .DESCRIPTION
    Module-private helper for Get-SmbServerCertProps. Loads the certificate
    from Cert:\LocalMachine\<Storename>\<Thumbprint>, prints a formatted
    property list and reports the Test-Certificate outcome as "PASS" on the
    output stream or "FAIL" as a non-terminating error. A certificate whose
    IssuerName equals its SubjectName is treated as self-signed and tested
    with -AllowUntrustedRoot, so a PASS for such a certificate does not imply
    it chains to a trusted root.
    NOTE(review): the SMBServerCertificateMappingName column reads $MappingName,
    which is not a parameter of this function; it resolves through dynamic
    scoping from the caller's variable — verify every caller defines it.
    .PARAMETER Storename
    Name of the LocalMachine certificate store (e.g. My).
    .PARAMETER Thumbprint
    Thumbprint of the certificate to inspect.
    #>
    # SMB-over-QUIC server certificates are expected in the machine store.
    $certPath = "Cert:\LocalMachine\$Storename\$Thumbprint"
    $Certificate = Get-Item -path $certPath
    if ($null -eq $Certificate) {
        Write-Error -Message "Unable to retrieve certificate '$Storename' '$Thumbprint'" -Category ObjectNotFound
        return
    }
    # Self-signed when issuer and subject names compare equal.
    $IsSelfSigned = -not (Compare-Object $Certificate.IssuerName $Certificate.SubjectName)
    $SubjectOid = $Certificate.SubjectName.Oid
    $SubjectRawData = $Certificate.SubjectName.RawData
    $SignatureAlgorithm = '{0} {1}' -f $Certificate.SignatureAlgorithm.Value.ToString(), $Certificate.SignatureAlgorithm.FriendlyName.ToString()
    $columns = @(
        @{Name = 'SMBServerCertificateMappingName'; Expression = { $MappingName } }
        @{Name = 'SelfSigned'; Expression = { $IsSelfSigned.ToString() } }
        'SubjectName'
        'Subject'
        @{Name = 'SubjectOid'; Expression = { $SubjectOid } }
        @{Name = 'SubjectRawData'; Expression = { $SubjectRawData } }
        'FriendlyName'
        @{Name = 'SignatureAlgorithm'; Expression = { $SignatureAlgorithm } }
        'Thumbprint'
        'NotBefore'
        'NotAfter'
        'SendAsTrustedIssuer'
        'PublicKey'
        'DnsNameList'
    )
    $Certificate | Select-Object -Property $columns | Format-List
    $testArgs = @{}
    if ($IsSelfSigned) {
        # A self-signed certificate cannot chain to a trusted root; only the
        # remaining checks (validity period, signature, ...) are meaningful.
        $testArgs['AllowUntrustedRoot'] = $true
    }
    $TestResult = $Certificate | Test-Certificate @testArgs
    if ($TestResult) {
        Write-Output "Test-Certificate result : PASS"
    }
    else {
        Write-Error "Test-Certificate result : FAIL"
    }
}
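function Get-SmbServerCertProps
{
    <#
    .SYNOPSIS
    Dumps and validates the certificates behind an SMB server certificate mapping.
    .DESCRIPTION
    For every mapping returned by Get-SmbServerCertificateMapping -Name <Name>,
    prints the mapped certificate's properties and its Test-Certificate result
    (via DumpAndTestCertificate), then does the same for each thumbprint in
    the mapping's RenewalChain, a colon-separated list. A failing
    Test-Certificate is reported as a non-terminating error, so the remaining
    mappings and chain entries are still inspected.
    .PARAMETER Name
    Name of the SMB server certificate mapping to inspect.
    .PARAMETER Force
    Accepted for interface compatibility; not used by this function.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]
        $Name,
        [System.Management.Automation.SwitchParameter]
        [bool]
        $Force = $false
    )
    $AllCertMappings = Get-SmbServerCertificateMapping -Name $Name
    foreach ($CertMapping in $AllCertMappings) {
        Write-Output "---------------------------------------------------------------------------------------------------------------"
        # $MappingName is read by DumpAndTestCertificate through dynamic scope;
        # keep the variable name.
        $MappingName = $CertMapping.Name
        Write-Output "Checking Mapping '$MappingName'....."
        $StoreName = $CertMapping.StoreName
        DumpAndTestCertificate -Storename $StoreName -Thumbprint $CertMapping.Thumbprint
        $RenewalChain = $CertMapping.RenewalChain
        Write-Output "`r`nRenewalChain: $RenewalChain"
        # A $null RenewalChain passed the previous ("" -ne) test and was split
        # into a single empty entry; treat null and empty alike.
        if (-not [string]::IsNullOrEmpty($RenewalChain)) {
            Write-Output "`r`nTesting certificates in the RenewalChain.....`r`n"
            # A foreach statement rather than ForEach-Object: inside a
            # ForEach-Object script block 'continue' is not a pipeline continue
            # and abandoned the rest of the chain on the first empty segment.
            foreach ($RenewedCert in ($RenewalChain -split ":")) {
                if ([string]::IsNullOrEmpty($RenewedCert)) {
                    continue
                }
                Write-Output "`r`nRenewedCert: $RenewedCert"
                Write-Output "-------------------------------------------------------"
                DumpAndTestCertificate -Storename $StoreName -Thumbprint $RenewedCert
            }
        }
    }
}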
# Public surface of the module: each exported function paired with its short
# alias. CheckDelegationPrerequisites and DumpAndTestCertificate are deliberately
# not exported and remain module-private.
$moduleExports = @(
    @('ssmbp',   'Set-SmbPathAcl'),
    @('gsmbd',   'Get-SmbDelegation'),
    @('esmbd',   'Enable-SmbDelegation'),
    @('dsmbd',   'Disable-SmbDelegation'),
    @('gsmbscp', 'Get-SmbServerCertProps')
)
foreach ($pair in $moduleExports) {
    $aliasName, $functionName = $pair
    Set-Alias -Name $aliasName -Value $functionName
    Export-ModuleMember -Function $functionName -Alias $aliasName
}