I have two types of groups, read-only and read-write, numbered per folder:
GROUP1_RO
GROUP1_RW
GROUP2_RO
GROUP2_RW
(...)
I want to create a directory tree like this:
SHARE
|-MAIN_FOLDER1
| |-SUBFOLDERS
| |-FILES
|
|-MAIN_FOLDER2
| |-SUBFOLDERS
| |-FILES
|
|-MAIN_FOLDER3
(...)
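Each group has access to its own MAIN_FOLDER*, and the _RO group can only read files, but _RW can create folders and delete folders and files.
I want to protect the MAIN_FOLDERS* from accidental deletion by these _RW users.
The main goal is to create a set of batch/CLI commands that prepare these folders one by one with the exact permissions.
I tried to do this with icacls, but I ran into problems with multiple permissions (invalid parameter).
I did it manually by setting the following permissions: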
a) Enter Properties > Security > Advanced > Edit...
b) Uncheck "Include inheritable permissions from this object's parent" and choose "Remove"
c) Add group GROUP1_RO ( RO ) and set permissions:
+ Allow (( This Folder, subfolders and files ))
* Traverse Folder / execute file
* List folder / read data
* Read attributes
* Read extended attributes
* Read permissions
- Deny
* Delete
e) Add group GROUP1_RW ( RW ) and set permissions:
+ Allow (( This Folder, subfolders and files ))
* Full control
- uncheck Take ownership
- Deny
* Delete
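However, setting this up manually for many subfolders is tedious. Is there a way to set this for the different groups with icacls (or another program)?
Regards and thanks, Mike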
Answer 1
Maybe I can do this in two ways:
I) With inheritance:
mkdir MAIN_FOLDER1
icacls MAIN_FOLDER1 /inheritance:d
icacls MAIN_FOLDER1 /remove Everyone
icacls MAIN_FOLDER1 /grant GROUP1_RO:(OI)(CI)(RX)
icacls MAIN_FOLDER1 /grant GROUP1_RW:(OI)(CI)(RX,W,WDAC,DC)
icacls MAIN_FOLDER1 /deny GROUP1_RW:(OI)(CI)(DE)
II) Without inheritance:
mkdir MAIN_FOLDER1
icacls MAIN_FOLDER1 /inheritance:r
icacls MAIN_FOLDER1 /grant "DOMAIN\Domain Admins":(OI)(CI)(F)
icacls MAIN_FOLDER1 /grant "BUILTIN\Administrators":(CI)(F)
icacls MAIN_FOLDER1 /grant GROUP1_RO:(OI)(CI)(RX)
icacls MAIN_FOLDER1 /grant GROUP1_RW:(OI)(CI)(RX,W,WDAC,DC)
icacls MAIN_FOLDER1 /deny GROUP1_RW:(OI)(CI)(DE)
And perform this in a loop.
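
The loop mentioned at the end of the answer, written out as a batch file for variant II. This is an added example, not part of the original answer; the share path `D:\SHARE`, the folder range 1 to 3 and the `DOMAIN` name are assumed placeholders.

```batch
@echo off
rem Added example: applies the answer's variant II (no inheritance) to
rem MAIN_FOLDER<n> for n = FIRST..LAST, using groups GROUP<n>_RO / GROUP<n>_RW.
rem Assumptions: SHARE_ROOT, FIRST, LAST and DOMAIN are placeholders to adjust.
setlocal
set "SHARE_ROOT=D:\SHARE"
set "FIRST=1"
set "LAST=3"

for /L %%N in (%FIRST%,1,%LAST%) do call :prepare %%N || goto :failed
echo All folders prepared.
exit /b 0

:failed
echo Stopped: a step failed, see the icacls message above. 1>&2
exit /b 1

:prepare
rem %1 is the folder/group number passed in by the loop.
set "TARGET=%SHARE_ROOT%\MAIN_FOLDER%1"
if not exist "%TARGET%\" mkdir "%TARGET%" || exit /b 1

rem Each trustee:permission argument is quoted as a whole. Besides handling
rem names with spaces, this keeps the ")" characters from closing a
rem parenthesized for/if block if these lines are ever moved into one.
icacls "%TARGET%" /inheritance:r || exit /b 1
icacls "%TARGET%" /grant "DOMAIN\Domain Admins:(OI)(CI)(F)" || exit /b 1
icacls "%TARGET%" /grant "BUILTIN\Administrators:(CI)(F)" || exit /b 1
icacls "%TARGET%" /grant "GROUP%1_RO:(OI)(CI)(RX)" || exit /b 1
icacls "%TARGET%" /grant "GROUP%1_RW:(OI)(CI)(RX,W,WDAC,DC)" || exit /b 1
icacls "%TARGET%" /deny "GROUP%1_RW:(OI)(CI)(DE)" || exit /b 1

rem Print the resulting ACL so it can be reviewed per folder.
icacls "%TARGET%"
exit /b 0
```

Run it from an elevated prompt, then confirm with a test account in a `_RW` group that subfolders and files can be removed while `MAIN_FOLDER<n>` itself cannot.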