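I'm trying to apply NTFS permissions as they are defined in the 'Advanced' tab of the Windows security settings. One ACL $Rule is for 'This folder only' and the other is for 'Subfolders and files only'.

As you can see below, the permissions are heavily modified: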
(Get-Acl 'L:\Test\Beez\RAPJOUR\Appels List\Correct').Access

FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None

FileSystemRights : CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited : False
InheritanceFlags : None
PropagationFlags : None

FileSystemRights : DeleteSubdirectoriesAndFiles, Modify, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
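- Everything is on except Full control, Write attributes, Write extended attributes, Delete, Change permissions and Take ownership.
- Everything is on except Full control, Change permissions and Take ownership.

This is a snippet of the code I use to apply the permissions. In this case it has to be defined in the Change part: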
$f = 'L:\Test\Beez\RAPJOUR\Appels List\Wrong'
$ADobject = 'Domain\User'
$acl = Get-Acl $f
$Grant = 'Change'

# Remove user/group first
$rule = New-Object system.security.AccessControl.FileSystemAccessRule("$ADobject","Read",,,"Allow")
$acl.RemoveAccessRuleAll($rule)

# Add read permissions
if ($Grant -eq 'ReadAndExecute') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'Change') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "Synchronize", "Allow DeleteSubdirectoriesAndFiles")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "AppendData", "ContainerInherit, ObjectInherit", "ReadAndExecute","Synchronize", "Allow CreateFiles","DeleteSubdirectoriesAndFiles")
}
if ($Grant -eq 'Modify') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'FullControl') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'ListFolderContents') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit", "None", "Allow")
}
$acl.AddAccessRule($rule)
Set-Acl $f $acl
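I can't seem to get the syntax right... Thank you for your help.

Thanks to this post, I've already found the following:
- 'Subfolders and files only': "ContainerInherit, ObjectInherit", "InheritOnly"
- 'This folder only': "None", "InheritOnly"

Array format, but it can also be accepted as a string, in the format 'Value1,Value2,Value3,...'. Good to know :) - DarkLite1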
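
An added example, not part of the original post: one way to build the two Allow entries shown in the Get-Acl output for the 'Correct' folder, using the five-argument FileSystemAccessRule constructor with the rights and flag values copied from that output. The scratch folder under $env:TEMP and the current user are assumptions standing in for the real path and 'Domain\User'.

```powershell
# Assumptions (not from the post): a scratch folder and the current user.
$folder   = Join-Path $env:TEMP 'AclDemo'
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# One entry per ACE; values copied from the Get-Acl output of the 'Correct' folder.
$specs = @(
    @{  # "This folder only"
        Rights      = 'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, ReadAndExecute, Synchronize'
        Inheritance = 'None'
        Propagation = 'None'
    },
    @{  # "Subfolders and files only"
        Rights      = 'DeleteSubdirectoriesAndFiles, Modify, Synchronize'
        Inheritance = 'ContainerInherit, ObjectInherit'
        Propagation = 'InheritOnly'
    }
)

$acl = Get-Acl -LiteralPath $folder

# Drop the explicit Allow ACEs for this identity first. RemoveAccessRuleAll
# matches on identity and access type, so the rights in the probe do not matter.
$probe = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.RemoveAccessRuleAll($probe)

foreach ($s in $specs) {
    # PowerShell casts a comma-separated string to a [Flags] enum value.
    $rights      = [System.Security.AccessControl.FileSystemRights]$s.Rights
    $inheritance = [System.Security.AccessControl.InheritanceFlags]$s.Inheritance
    $propagation = [System.Security.AccessControl.PropagationFlags]$s.Propagation
    $type        = [System.Security.AccessControl.AccessControlType]::Allow

    # Argument order: identity, rights, inheritance flags, propagation flags, type.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inheritance, $propagation, $type)
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $folder -AclObject $acl

# Read the ACL back and list the explicit ACEs for the identity, so the result
# can be compared field by field with the intended entries.
(Get-Acl -LiteralPath $folder).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $identity } |
    Format-List FileSystemRights, InheritanceFlags, PropagationFlags
```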