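I need a script or simple PowerShell code to remove all permissions for a specific user from a folder, and to apply those removals to all subfolders and files, recursively...
Thanks!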
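# Read the current ACL of the folder
$acl = Get-Acl C:\temp
# Rule used only to identify the account and the access type (Allow) to remove
$accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\user", "Read", "Allow")
# Remove every Allow rule for that account from the ACL object
$acl.RemoveAccessRuleAll($accessrule)
# Write the modified ACL back to the folder
Set-Acl -Path "C:\temp" -AclObject $acl
This should recursively clear all of the user's security rules in c:\temp.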
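I think a simpler approach is to copy the access control list (ACL) from a file or folder that has the correct permissions and apply it to the folder where you want that specific access. For example:
$acl = Get-Acl "/path/to/file_with_correct acl"
$files = Get-ChildItem c:\temp\*.* -Recurse | Set-Acl -AclObject $acl -WhatIf
Remove the -whatif parameter to actually modify the ACLs.
Or follow this Technet article and use the following code: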
$Right = [System.Security.AccessControl.FileSystemRights]::Read
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("domain\bob")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($objUser, $Right, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "d:\test"
$objACL.RemoveAccessRuleAll($objACE)
Set-ACL "d:\test" -AclObject $objACL
function Remove-OGRemoteACL (){
<#
.SYNOPSIS
    Invoke a script block on a target to remove ACL permissions
.DESCRIPTION
    Invoke a script block on a target to change ACL permissions to remove the crazy delay GET-ACL can encounter.
.PARAMETER serverFQDN
    the server that the script block is run on
.PARAMETER remotePath
    the UNC path of the share to remove the permissions for the user from.
.PARAMETER userName
    the user name of the domain user.
.EXAMPLE
    Remove-OGRemoteACL -serverFQDN "bigserver.awesomedomain.net" -remotePath "\\bigserver.awesomedomain.net\my\amazingShare" -userName "awesomedomain\myuser"
.NOTES
    Name: Remove-OGRemoteACL
    Author: Richie Schuster - SCCMOG.com
    GitHub: https://github.com/SCCMOG/PS.SCCMOG.TOOLS
    Website: https://www.sccmog.com
    Contact: @RichieJSY
    Created: 2023-03-14
    Updated: -
    Version history:
    1.0.0 - 2023-03-14 Function Created
#>
    [cmdletbinding()]
    param (
        [parameter(Mandatory=$True,ValueFromPipeline=$true,Position=0)]
        [string]$serverFQDN,
        [parameter(Mandatory=$True,ValueFromPipeline=$true,Position=1)]
        [string]$remotePath,
        [parameter(Mandatory=$True,ValueFromPipeline=$true,Position=2)]
        [string]$userName
    )
    try{
        Write-Verbose "Invoking ACL removal command [Server: $($serverFQDN)] [userName: $($userName)] [Path: $($remotePath)]"
        # -ErrorAction Stop turns errors reported by the remote script block into
        # terminating errors, so the catch block runs instead of the success message.
        Invoke-Command -ComputerName "$($serverFQDN)" -ErrorAction Stop -ScriptBlock {
            $acl = Get-Acl $using:remotePath
            $usersid = New-Object System.Security.Principal.Ntaccount("$using:userName")
            # PurgeAccessRules drops every explicit rule for this account from the ACL object
            $acl.PurgeAccessRules($usersid)
            $acl | Set-Acl $using:remotePath
        }
        Write-Verbose "Success invoking ACL removal command [Server: $($serverFQDN)] [userName: $($userName)] [Path: $($remotePath)]"
    }
    catch{
        Write-Error "Error - Failed invoking ACL removal command [Server: $($serverFQDN)] [userName: $($userName)] [Path: $($remotePath)]. Error: $($_.Exception.Message)"
    }
}
Example:
Remove-OGRemoteACL -serverFQDN "bigserver.awesomedomain.net" -remotePath "\\bigserver.awesomedomain.net\my\amazingShare" -userName "awesomedomain\myuser" -Verbose
ls c:\temp -recurse |set-acl -aclObject $acl
- Loïc MICHEL