1 #!powershell
2 
3 #Requires -Module Ansible.ModuleUtils.Legacy
4 #Requires -Module Ansible.ModuleUtils.SID
5 
# Parse the raw module arguments, then pull out the one option this test
# needs. "sid_account" is mandatory: -failifempty makes the run fail when it
# is missing or empty.
$params = Parse-Args $args
$sid_account_spec = @{
    obj = $params
    name = "sid_account"
    type = "str"
    failifempty = $true
}
$sid_account = Get-AnsibleParam @sid_account_spec
8 
Function Assert-Equals($actual, $expected) {
    <#
    .SYNOPSIS
    Fails the module run when $actual differs from $expected.

    .DESCRIPTION
    Uses PowerShell's -ne operator for the comparison and reports both values
    through Fail-Json so the failing pair is visible in the task output.
    #>
    $mismatch = $actual -ne $expected
    if (-not $mismatch) {
        return
    }

    $message = "actual != expected`nActual: $actual`nExpected: $expected"
    Fail-Json @{} $message
}
14 
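Function Get-ComputerSID() {
    <#
    .SYNOPSIS
    Returns the machine SID (S-1-5-21-x-y-z) of the local computer.

    .DESCRIPTION
    Takes the SID of the first account whose Domain equals the computer name
    and strips the trailing relative identifier (RID). Fails the module with
    an explicit message when no such account is returned, instead of hitting
    a "cannot index into a null array" error.
    #>
    # @() keeps the result an array even when zero or one account comes back.
    $local_users = @(Get-CimInstance Win32_UserAccount -Filter "Domain='$env:COMPUTERNAME'")
    if ($local_users.Count -eq 0) {
        Fail-Json @{} "could not find a local user account to derive the computer SID from"
    }

    # find any local user and trim off the final RID
    $luser_sid = $local_users[0].SID

    return $luser_sid -replace '(S-1-5-21-\d+-\d+-\d+)-\d+', '$1'
}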
21 
# Machine SID; local account SIDs are this value plus a trailing RID.
$local_sid = Get-ComputerSID

# Most machines should have a -500 Administrator account, but it may have been
# renamed, so it is located by SID rather than by name.
$admin_account_filter = "SID='$local_sid-500'"
$default_admin = Get-CimInstance -ClassName Win32_UserAccount -Filter $admin_account_filter

# S-1-5-32-544 is the built-in Administrators group. It is called
# Administrators on English Windows but could be named something else, so it
# is located by SID as well.
$default_admin_group = Get-CimInstance -ClassName Win32_Group -Filter "SID='S-1-5-32-544'"

# Exactly one account must match; anything else means the name <-> SID
# expectations built from it below cannot be trusted.
$admin_matches = @($default_admin)
if ($admin_matches.Length -ne 1) {
    Fail-Json @{} "could not find a local admin account with SID ending in -500"
}
33 
### Set this to the NETBIOS name of the domain you wish to test, not set for shippable ###
$test_domain = $null

# Each case pairs a SID with the full name Convert-FromSID is expected to
# return for it and with every account-name spelling Convert-ToSID is expected
# to map back to that SID.
$admin_name = $default_admin.Name
$admin_group_name = $default_admin_group.Name

$tests = @(
    # Local Users
    @{
        sid = "S-1-1-0"
        full_name = "Everyone"
        names = @("Everyone")
    },
    @{
        sid = "S-1-5-18"
        full_name = "NT AUTHORITY\SYSTEM"
        names = @("NT AUTHORITY\SYSTEM", "SYSTEM")
    },
    @{
        sid = "S-1-5-20"
        full_name = "NT AUTHORITY\NETWORK SERVICE"
        names = @("NT AUTHORITY\NETWORK SERVICE", "NETWORK SERVICE")
    },
    @{
        sid = "$($default_admin.SID)"
        full_name = "$($default_admin.FullName)"
        names = @("$env:COMPUTERNAME\$admin_name", "$admin_name", ".\$admin_name")
    },

    # Local Groups
    @{
        sid = "$($default_admin_group.SID)"
        full_name = "BUILTIN\$admin_group_name"
        names = @("BUILTIN\$admin_group_name", "$admin_group_name", ".\$admin_group_name")
    }
)
47 
48 # Add domain tests if the domain name has been set
# Add domain tests if the domain name has been set
if ($null -ne $test_domain) {
    Import-Module ActiveDirectory
    $ad_domain = Get-ADDomain -Identity $test_domain
    $dom_sid = $ad_domain.DomainSID
    $dom_netbios = $ad_domain.NetBIOSName
    $dom_upn = $ad_domain.Forest

    # RID 512 is the Domain Admins group and RID 500 the domain Administrator
    # account; both are appended in that order.
    $tests += @(
        @{
            sid = "$dom_sid-512"
            full_name = "$dom_netbios\Domain Admins"
            names = @("$dom_netbios\Domain Admins", "Domain Admins@$dom_upn", "Domain Admins")
        },
        @{
            sid = "$dom_sid-500"
            full_name = "$dom_netbios\Administrator"
            names = @("$dom_netbios\Administrator", "Administrator@$dom_upn")
        }
    )
}
68 
# Check both directions for every case: SID -> name, then each name -> SID.
foreach ($case in $tests) {
    $expected_sid = $case.sid
    $expected_name = $case.full_name

    $resolved_name = Convert-FromSID -sid $expected_sid
    # renamed admins may have an empty FullName; skip comparison in that case
    if ($expected_name) {
        Assert-Equals -actual $resolved_name -expected $expected_name
    }

    # Every accepted spelling of the account must resolve to the same SID.
    foreach ($candidate in $case.names) {
        $resolved_sid = Convert-ToSID -account_name $candidate
        Assert-Equals -actual $resolved_sid -expected $expected_sid
    }
}
81 
# The account-to-SID test is run outside of the normal run as we can't test it
# in the normal test suite. It covers an account whose *name* is shaped like a
# SID, where a name lookup and a SID pass-through could be confused.

# Calling Convert-ToSID with a string like a SID should return that SID back,
# not the SID of an account that happens to carry that name.
$passthrough_sid = Convert-ToSID -account_name $sid_account
Assert-Equals -actual $passthrough_sid -expected $sid_account

# Calling Convert-ToSID with a string prefixed with .\ should return the SID
# for a user that is called that SID and not the SID passed in
$named_account_sid = Convert-ToSID -account_name ".\$sid_account"
$resolved_to_other_sid = $named_account_sid -ne $sid_account
Assert-Equals -actual $resolved_to_other_sid -expected $true

Exit-Json @{ data = "success" }
94