Powershell New-NetFirewallRule with -LocalUser example
How do I create a firewall rule that only affects one local account?
In theory the example below should be enough, but I am missing the value for the "-LocalUser" parameter.
Here is the PowerShell command:
New-NetFirewallRule -DisplayName "BLOCKWWW" -Direction Outbound -LocalPort 80,443 -Protocol TCP -Action Block -LocalUser **WHATGOESHERE**
Judging from the examples showing how to use other parameters and similar descriptions (such as RemoteUser), it will take any ACL in SDDL, one entry per user.
You could write a small helper function to generate these from user names:
function Get-FirewallLocalUserSddl {
    param(
        [string[]]$UserName
    )
    # SDDL DACL skeleton; each user becomes one allow ACE inside it
    $SDDL = 'D:{0}'
    $ACEs = foreach ($Name in $UserName) {
        try {
            # look up the current name (not the whole array) and emit an ACE for its SID
            $LocalUser = Get-LocalUser -Name $Name -ErrorAction Stop
            '(A;;CC;;;{0})' -f $LocalUser.Sid.Value
        }
        catch {
            Write-Warning "Local user '$Name' not found"
            continue
        }
    }
    return $SDDL -f ($ACEs -join '')
}
Then use it like this:
New-NetFirewallRule -DisplayName "BLOCKWWW" -LocalUser (Get-FirewallLocalUserSddl user1,user2) -Direction Outbound -LocalPort 80,443 -Protocol TCP -Action Block
# Resolve an account or group name to its SID; NTAccount.Translate handles domain and local principals alike
$user = New-Object System.Security.Principal.NTAccount ("corp.contoso.com\Administrators")
$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
# Wrap the SID in a single-ACE SDDL string suitable for -LocalUser
$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)"
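Pulling the two answers together, here is an added example (not from either poster) that resolves local users or groups to SIDs, builds the SDDL, creates the rule, and then reads the rule's security filter back to confirm what the firewall actually stored. The principal names and rule name are assumptions; it uses -RemotePort rather than -LocalPort because for an outbound web connection the server's port is the remote one.

```powershell
# Added example: build a -LocalUser SDDL for a mix of local users and groups,
# create the rule, then verify the stored SDDL. Names below are assumptions.
function Get-PrincipalSddl {
    param([Parameter(Mandatory)][string[]]$Principal)
    $aces = foreach ($name in $Principal) {
        try {
            # NTAccount.Translate resolves local users, local groups and domain
            # accounts alike, which Get-LocalUser alone would not cover.
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            '(A;;CC;;;{0})' -f $sid
        }
        catch {
            Write-Warning "Principal '$name' could not be resolved; skipping"
        }
    }
    # Defensive check: never hand the firewall a DACL with no entries.
    if (-not $aces) { throw 'No principal resolved; refusing to build an empty ACL' }
    'D:' + ($aces -join '')
}

$ruleName = 'BLOCKWWW'                                   # assumed rule name
$sddl = Get-PrincipalSddl -Principal 'user1', 'Guests'   # assumed principals

New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
    -RemotePort 80, 443 -Action Block -LocalUser $sddl | Out-Null

# Verify: the security filter attached to the rule exposes the stored SDDL.
$filter = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallSecurityFilter
if ($filter.LocalUser -ne $sddl) {
    Write-Warning "Stored SDDL differs from what was requested: $($filter.LocalUser)"
} else {
    "Rule '$ruleName' is scoped to: $($filter.LocalUser)"
}
```

Run it from an elevated session; the verification step is what tells you the rule is scoped to the intended principals rather than to every account on the host.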