我有一个注册表项,我需要取得它的所有权,然后设置权限。我能够取得所有权,但在设置权限时,它仅适用于注册表项的最顶层,不会向下继承。我需要修改什么才能使权限继承到整个项?
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins","FullControl","Allow")
$owner = [System.Security.Principal.NTAccount]"Administrators"
$keyCR = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
# Get a blank ACL since you don't have access and need ownership
$aclCR = $keyCR.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$aclCR.SetOwner($owner)
$keyCR.SetAccessControl($aclCR)
# Get the acl and modify it
$aclCR = $keyCR.GetAccessControl()
$aclCR.SetAccessRule($AddACL)
$keyCR.SetAccessControl($aclCR)
$keyCR.Close()
答案1
在仔细查看了 AccessControl 参数后,我找到了答案。我对要添加的 ACL 定义得不够具体。这是当前的代码,它只将权限单独添加到顶部键;
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins","FullControl","Allow")
这是允许在注册表顶层设置 ACL 并向下继承的代码:
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins","FullControl","ObjectInherit,ContainerInherit","None","Allow")