【Question title】: Setting permissions on NTFS Fileshare with PowerShell
【Posted】: 2019-02-28 21:32:31
【Question】:

In short, my script should create five folders: one root-level folder, three second-level folders and one third-level folder.

Permissions are granted at the second level, as either ReadWrite or ReadOnly. No user should be able to create anything in the second level or delete the second level.

I seem to be running into problems with Set-Acl and permissions. I'd like to know whether there is a better way to write this script so that it does not require elevated permissions. Our DA can run the script fine, and I can create the folders and security groups by hand, but that is tedious and error-prone. Any insight into what I'm doing wrong, or how to do it better, would be appreciated.

Import-Module ActiveDirectory
$path = "\\earth\data\group\"
$newFolderName = Read-Host -Prompt "Enter Name of New Folder"
$newFolderFull = $path + $newFolderName
Write-Output "New Folder will be: $newFolderFull"
$confirm = Read-Host "Confirm? Y/N"
# -eq is case-insensitive in PowerShell, so both "y" and "Y" confirm
if ($confirm -eq "y") {
    Write-Output "Create AD Groups"
    $groupNamePGroup = "P_$newFolderName"
    $groupNameAdminRW = "EG-$newFolderName-Admin-RW"
    $groupNameAdminRF = "EG-$newFolderName-Admin-RF"
    $groupNameEveryoneRW = "EG-$newFolderName-Everyone-RW"
    $groupNameEveryoneRF = "EG-$newFolderName-Everyone-RF"
    $groupNameScannedDocsRW = "EG-$newFolderName-ScannedDocs-RW"

    New-ADGroup $groupNamePGroup -samAccountName $groupNamePGroup -GroupScope DomainLocal -path "OU=SecurityGroups,OU=Metro,DC=metrogr,DC=org"
    New-ADGroup $groupNameAdminRW -samAccountName $groupNameAdminRW -GroupScope DomainLocal -path "OU=SecurityGroups,OU=Metro,DC=metrogr,DC=org"
    New-ADGroup $groupNameAdminRF -samAccountName $groupNameAdminRF -GroupScope DomainLocal -path "OU=SecurityGroups,OU=Metro,DC=metrogr,DC=org"
    New-ADGroup $groupNameEveryoneRW -samAccountName $groupNameEveryoneRW -GroupScope DomainLocal -path "OU=SecurityGroups,OU=Metro,DC=metrogr,DC=org"
    New-ADGroup $groupNameEveryoneRF -samAccountName $groupNameEveryoneRF -GroupScope DomainLocal -path "OU=SecurityGroups,OU=Metro,DC=metrogr,DC=org"
    New-ADGroup $groupNameScannedDocsRW -samAccountName $groupNameScannedDocsRW -GroupScope DomainLocal -path "OU=SecurityGroups,OU=Metro,DC=metrogr,DC=org"

    Write-Output "Add Folder.."
    New-Item $newFolderFull -ItemType Directory
    New-Item $newFolderFull\Admin -ItemType Directory
    New-Item $newFolderFull\Everyone -ItemType Directory
    New-Item $newFolderFull\ScannedDocs -ItemType Directory
    New-Item $newFolderFull\Everyone\ScannedDocs -ItemType Directory

    Write-Output "Remove Inheritance.."
    icacls $newFolderFull /inheritance:d
    icacls $newFolderFull\Admin /inheritance:d
    icacls $newFolderFull\Everyone /inheritance:d
    icacls $newFolderFull\Everyone\ScannedDocs /inheritance:d
    #icacls $newFolderFull\ScannedDocs /inheritance:d

    # Rights
    $readOnly = [Security.AccessControl.FileSystemRights]"ReadAndExecute"
    $readWrite = [Security.AccessControl.FileSystemRights]"Write, DeleteSubdirectoriesAndFiles,ReadAndExecute"

    # Inheritance
    $inheritanceFlag = [Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    # Propagation
    $propagationFlag = [Security.AccessControl.PropagationFlags]::None
    # User
    $PUserRF = New-Object System.Security.Principal.NTAccount($groupNamePGroup)
    $AdminUserRW = New-Object System.Security.Principal.NTAccount($groupnameAdminRW)
    $AdminUserRF = New-Object System.Security.Principal.NTAccount($groupnameAdminRF)
    $EveryoneUserRW = New-Object System.Security.Principal.NTAccount($groupnameEveryoneRW)
    $EveryoneUserRF = New-Object System.Security.Principal.NTAccount($groupnameEveryoneRF)
    $ScannedDocsUserRW = New-Object System.Security.Principal.NTAccount($groupnameScannedDocsRW)
    # Type
    $type = [Security.AccessControl.AccessControlType]::Allow

    #Add Group membership
    Add-ADGroupMember -Identity $groupNamePGroup -Members $groupNameAdminRW,$groupNameAdminRF,$groupNameEveryoneRW,$groupNameEveryoneRF,$groupNameScannedDocsRW
    Add-ADGroupMember -Identity $groupNameEveryoneRW -Members NDPSSCAN
    Add-ADGroupMember -Identity $groupNameScannedDocsRW -Members NDPSSCAN

    # ACL
    $accessControlEntryDefault = New-Object System.Security.AccessControl.FileSystemAccessRule @("Domain Users", $readOnly, $inheritanceFlag, $propagationFlag, $type)
    $accessControlRootEntryRF = New-Object System.Security.AccessControl.FileSystemAccessRule @($PUserRF, $readOnly, $inheritanceFlag, $propagationFlag, $type)
    $accessControlAdminEntryRW = New-Object System.Security.AccessControl.FileSystemAccessRule @($AdminUserRW, $readWrite, $inheritanceFlag, $propagationFlag, $type)
    $accessControlAdminEntryRF = New-Object System.Security.AccessControl.FileSystemAccessRule @($AdminUserRF, $readOnly, $inheritanceFlag, $propagationFlag, $type)
    $accessControlEveryoneEntryRW = New-Object System.Security.AccessControl.FileSystemAccessRule @($EveryoneUserRW, $readWrite, $inheritanceFlag, $propagationFlag, $type)
    $accessControlEveryoneEntryRF = New-Object System.Security.AccessControl.FileSystemAccessRule @($EveryoneUserRF, $readOnly, $inheritanceFlag, $propagationFlag, $type)
    $accessControlScannedDocsEntryRW = New-Object System.Security.AccessControl.FileSystemAccessRule @($ScannedDocsUserRW, $readWrite, $inheritanceFlag, $propagationFlag, $type)

    $objACL = Get-Acl $newFolderFull
    $objACL.RemoveAccessRuleAll($accessControlEntryDefault)
    $objACL.AddAccessRule($accessControlRootEntryRF)
    Set-Acl $newFolderFull $objACL

    $objACL = Get-Acl $newFolderFull\Admin
    $objACL.RemoveAccessRuleAll($accessControlEntryDefault)
    $objACL.AddAccessRule($accessControlAdminEntryRW)
    $objACL.AddAccessRule($accessControlAdminEntryRF)
    Set-Acl $newFolderFull\Admin $objACL

    $objACL = Get-Acl $newFolderFull\Everyone
    $objACL.RemoveAccessRuleAll($accessControlEntryDefault)
    $objACL.AddAccessRule($accessControlEveryoneEntryRW)
    $objACL.AddAccessRule($accessControlEveryoneEntryRF)
    Set-Acl $newFolderFull\Everyone $objACL

    $objACL = Get-Acl $newFolderFull\ScannedDocs
    $objACL.RemoveAccessRuleAll($accessControlEntryDefault)
    $objACL.AddAccessRule($accessControlScannedDocsEntryRW)
    Set-Acl $newFolderFull\ScannedDocs $objACL
}

【Question comments】:

  • It's not clear to me what problem you are facing, but one obvious optimization would be to wrap the code that creates ACEs and reads/modifies ACLs in custom functions, which avoids the spaghetti code. As for requiring elevated permissions: if the existing ACL allows you to, you can modify the ACL. If it doesn't, elevation is required. And no, there is no way around that. If there were, it would be a gigantic security hole.
  • Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation. At C:\Powershell\FolderCreationStart.ps1:85 char:3 + Set-ACL $newFolderFull\Everyone $objACL + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: (\\earth\data\group\zzRobertTest\Everyone:String) [Set-Acl], PrivilegeNotHeldException + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand
    This is the error I keep getting.
  • Well, that error message doesn't need much explanation, does it?
  • PermissionDenied - check your local policy, because your account does not have the privilege. Specifically, the Take ownership of files or other objects policy.
  • $objACL = Get-ACL $newFolderFull\ScannedDocs
    $objACL.RemoveAccessRuleAll($accessControlEntryDefault)
    $objACL.AddAccessRule($accessControlScannedDocsEntryRW)
    #Set-ACL $newFolderFull\ScannedDocs $objACL
    (Get-Item -Path $newFolderFull\ScannedDocs).SetAccessControl($objACL)
    I saw others run into the same issue: they could create the folders and security groups manually but not with PowerShell. Using SetAccessControl, my script does what it needs to do.

Tags: windows powershell ntfs sysadmin


【Solution 1】:

SetAccessControl($objACL) worked for me.

Set-ACL did not work because my account does not have elevated permissions.
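The pattern the answer describes, written out as an added example (not the asker's script): one helper that cuts inheritance, purges the default identity, adds the ReadWrite/ReadOnly entries and persists the DACL through DirectoryInfo.SetAccessControl instead of Set-Acl, then reads the folder back so the result can be verified. It assumes Windows PowerShell 5.1 (where GetAccessControl/SetAccessControl are instance methods on DirectoryInfo); the path and group names in the usage call are placeholders built from the question's \\earth\data\group\zzRobertTest\Everyone and EG-* naming.

```powershell
# Added example, not the asker's script. Assumes Windows PowerShell 5.1.
function Set-FolderAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # identity -> FileSystemRights string, e.g. @{ 'EG-X-Everyone-RF' = 'ReadAndExecute' }
        [Parameter(Mandatory)] [hashtable] $Grants,
        # identities whose explicit ACEs are purged once inheritance has been cut
        [string[]] $RemoveIdentity = @('Domain Users')
    )
    $dir = Get-Item -LiteralPath $Path
    # Read the DACL section only: no owner or audit section is touched, so nothing here needs SeSecurityPrivilege.
    $acl = $dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    # Same effect as 'icacls /inheritance:d': stop inheriting but keep the inherited ACEs as explicit
    # copies, so that the purge below can actually remove them (inherited entries cannot be removed).
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($id in $RemoveIdentity) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$id)
    }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in $Grants.Keys) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.NTAccount]$id,
            [System.Security.AccessControl.FileSystemRights]$Grants[$id],
            $inherit, $propagate,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    # Persist only the modified DACL. This is the call that worked in the answer where Set-Acl,
    # which writes more of the security descriptor, failed with PrivilegeNotHeldException.
    $dir.SetAccessControl($acl)
    # Return the explicit (non-inherited) entries now on the folder so the caller can verify them.
    (Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage mirroring the question's second-level 'Everyone' folder (placeholder path and group names):
# the RW rights are the question's $readWrite set, which deliberately omits Delete on the folder itself.
Set-FolderAccess -Path '\\earth\data\group\zzRobertTest\Everyone' -Grants @{
    'EG-zzRobertTest-Everyone-RW' = 'Write, DeleteSubdirectoriesAndFiles, ReadAndExecute'
    'EG-zzRobertTest-Everyone-RF' = 'ReadAndExecute'
} | Format-Table -AutoSize
```

The returned table should list only the two EG-* entries; if a 'Domain Users' entry is still present it is inherited from the parent, meaning inheritance was not cut on that folder (the question's commented-out icacls line for ScannedDocs is that case).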

【Discussion】:
