带有 -LocalUser 示例的 Powershell New-NetFirewallRule

Powershell New-NetFirewallRule with -LocalUser example

如何创建仅影响一个本地帐户的防火墙规则

理论上下面的示例就足够了,但是我缺少参数“-LocalUser”的值

PowerShell 命令下方

New-NetFirewallRule -DisplayName "BLOCKWWW" -Direction Outbound -LocalPort 80,443 -Protocol TCP -Action Block -LocalUser **WHATGOESHERE**

the examples showing how to use other parameters 和类似描述(如 RemoteUser)判断,它将采用 SDDL 中的任意 ACL,每个用户一个条目。

您可以编写一个小的辅助函数来根据用户名生成这些:

function Get-FirewallLocalUserSddl {
  param(
    [string[]]$UserName
  )

  $SDDL = 'D:{0}'

  $ACEs = foreach($Name in $UserName){
    try{
      $LocalUser = Get-LocalUser -Name $UserName -ErrorAction Stop
      '(A;;CC;;;{0})' -f $LocalUser.Sid.Value
    }
    catch{
      Write-Warning "Local user '$Username' not found"
      continue
    }
  }
  return $SDDL -f ($ACEs -join '')
}

然后像这样使用它:

New-NetFirewallRule -DisplayName "BLOCKWWW" -LocalUser (Get-FirewallLocalUserSddl user1,user2) -Direction Outbound -LocalPort 80,443 -Protocol TCP -Action Block
$user = new-object System.Security.Principal.NTAccount ("corp.contoso.com\Administrators")
$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)"