PowerShell folder inheritance problem

Posted on 2024-09-18 00:14:35

I am having problems with a PowerShell script. I am basically trying to reset the permissions on a folder by removing the following groups:

  • NT AUTHORITY\Authenticated Users
  • BUILTIN\Users

If I manually change the folder to not inherit from its parent, the script works. I have looked through Google to find the best way of removing the inheritance via a script; the script compiles but does not do anything.

This is the command I am using:

$WebsiteACL =Get-Acl -Path "C:\websites"
$WebsiteACL.SetAccessRuleProtection($true,$false)

Does anyone have any suggestions?

Comments (2)

爱给你人给你 2024-09-25 00:14:35

Personally I find Get-Acl and Set-Acl still too much of a PITA to use (and I'm a C# dev). You can use icacls.exe to accomplish your task easily:

icacls C:\temp\foo /inheritance:d

It also supports removing groups. Check out its usage: icacls /?.

旧竹 2024-09-25 00:14:35

Get-Acl/Set-Acl can be a royal pain unless you're the owner of the object you're trying to change permissions on -- even if you're an Administrator. If you want to change an ACL on an object you don't own, you have to have the SeBackupPrivilege enabled for your identity/account. The only easy way I know of to modify system privileges is to install PowerShell Community Extensions and use Get/Set-Privilege. I really don't understand why this limitation exists, but it does.

With that said, using icacls works very well under most conditions. There is a bug if you're setting permissions on a directory accessed through a share with Access Based Enumeration enabled. Everyone does this, right? ;)

Touching a directory underneath an ABE controlled share with icacls causes the directory to disappear even if you still have permissions to that directory. If you use the Windows Explorer ACL editor to read and (re)apply the permissions set with icacls the directory is visible again.

After much head scratching it was determined that icacls was doing something to the synchronize bit. Without synchronize ABE causes the directory to be invisible. The simplest workaround would be to not use ABE but in our environment disabling ABE is not an option.

Another solution is to use SetACL.exe, which you can download from SourceForge. It has a very complicated syntax, imho, but is really powerful. It's also available as an OCX so you can script it via PowerShell.
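
Added example, not part of the original thread or written by either commenter: the object returned by Get-Acl is an in-memory copy, so SetAccessRuleProtection only takes effect on the folder once the object is written back with Set-Acl. The function name Remove-InheritedGroups and the demo folder path are hypothetical, chosen for illustration.

```powershell
# Added example: Remove-InheritedGroups and the demo path are hypothetical names.
function Remove-InheritedGroups {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Identity
    )

    # Step 1: stop inheriting from the parent.
    # 1st argument $true = protect this ACL from inheritance.
    # 2nd argument $true = keep copies of the inherited rules as explicit rules.
    #              $false would discard them and leave only rules that were
    #              already set explicitly on the folder.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)

    # Nothing changes on disk until the modified object is written back.
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: re-read the committed ACL so the removal works on the
    # now-explicit entries, then purge every rule for the unwanted groups.
    $acl = Get-Acl -Path $Path
    foreach ($name in $Identity) {
        $account = New-Object System.Security.Principal.NTAccount($name)
        $acl.PurgeAccessRules($account)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Return the resulting state so the change can be verified.
    $result = Get-Acl -Path $Path
    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $result.AreAccessRulesProtected
        RemainingIdentities = @($result.Access |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique)
    }
}

# Constructed demo folder so the example does not touch a live site directory.
$demo = Join-Path $env:TEMP 'acl-inheritance-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Remove-InheritedGroups -Path $demo -Identity 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
```

Check RemainingIdentities before running this against a real folder such as C:\websites, so that the accounts the site depends on still have explicit access after the two groups are removed.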
