拒绝用户删除文件但允许其执行文件

Question

防止文件删除或重命名但允许读取和执行访问

尝试伊卡克尔斯使用以下语法针对要锁定的文件以及要应用该命令的用户名（或安全组名称）。每个命令上方的脚本中都有注释说明，:::解释了每个命令对 ACL 权限的具体作用。

您应该将 ACL 权限重置为在运行此脚本之前所做的任何更改的初始设置。完成后，验证该帐户是否可以执行该文件，然后运行以下脚本。

本质上是这样的禁用 ACL 继承到可执行文件所在的文件夹和文件本身。然后授予显式读取和执行文件夹和可执行文件。为了防止文件重命名，拒绝创建文件/写入数据到可执行文件所在的文件夹。最后，它明确拒绝删除访问文件夹和可执行文件。

脚本

@ECHO ON
SETLOCAL ENABLEDELAYEDEXPANSION
SET "Exe=C:\Folder\Path\file.exe"
SET "uAccount=Username"
FOR %%a in ("%Exe%") DO SET "eFolder=%%~DPa"
::: This strips the last "\" from the folder the exe resides so icacls can process
SET "eFolder=!eFolder:~0,-1!"

::: Disables ACL inheritence on the folder the exe file resides but copies all ACLs as inherited before removing
ICACLS "!eFolder!" /inheritance:d /grant:r "%uAccount%:(OI)(IO)" /C
::: Remove all granted permission ACLs on only the folder the exe file resides
ICACLS "!eFolder!" /remove:g "%uAccount%" /C
::: Remove all denied permission ACLs on only the folder the exe file resides
ICACLS "!eFolder!" /remove:g "%uAccount%" /C
::: Grants explicit read and execute ACL access on only the folder the exe file resides
ICACLS "!eFolder!" /grant:r "%uAccount%:(RX)" /C
::: Denies delete ACL access on only the folder the exe file resides  
ICACLS "!eFolder!" /deny "%uAccount%":(DE)
::: Denies create files / write data ACL access on only the folder the exe file resides  
ICACLS "!eFolder!" /deny "%uAccount%":(WD)

::: Disables ACL inheritence on the exe file only but copies all ACLs as inherited before removing
ICACLS "%Exe%" /inheritance:d /grant:r "%uAccount%:(OI)(IO)" /C
::: Remove all granted permission ACLs on only the exe file
ICACLS  "%Exe%"  /remove:g "%uAccount%" /C
::: Remove all denied permission ACLs on only the exe file
ICACLS  "%Exe%"  /remove:g "%uAccount%" /C
::: Grants explicit read and execute ACL access only to the exe file
ICACLS "%Exe%" /grant:r "%uAccount%:(RX)" /C
::: Grants an explicit deny of delete ACL access only to the exe file
ICACLS "%Exe%" /deny "%uAccount%":(DE)


PAUSE
EXIT

笔记：将变量的值更改Exe=为您想要锁定的可执行文件的完整显式路径，并将变量的值更改uAccount=为您希望执行此操作的帐户（或组）的用户名（或安全组名称）。

GUI ACL 权限说明

exe 所在的文件夹

exe 文件本身

防止文件删除或重命名但允许读取和执行访问

尝试伊卡克尔斯使用以下语法针对要锁定的文件以及要应用该命令的用户名（或安全组名称）。每个命令上方的脚本中都有注释说明，:::解释了每个命令对 ACL 权限的具体作用。

您应该将 ACL 权限重置为在运行此脚本之前所做的任何更改的初始设置。完成后，验证该帐户是否可以执行该文件，然后运行以下脚本。

本质上是这样的禁用 ACL 继承到可执行文件所在的文件夹和文件本身。然后授予显式读取和执行文件夹和可执行文件。为了防止文件重命名，拒绝创建文件/写入数据到可执行文件所在的文件夹。最后，它明确拒绝删除访问文件夹和可执行文件。

脚本

@ECHO ON
SETLOCAL ENABLEDELAYEDEXPANSION
SET "Exe=C:\Folder\Path\file.exe"
SET "uAccount=Username"
FOR %%a in ("%Exe%") DO SET "eFolder=%%~DPa"
::: This strips the last "\" from the folder the exe resides so icacls can process
SET "eFolder=!eFolder:~0,-1!"

::: Disables ACL inheritence on the folder the exe file resides but copies all ACLs as inherited before removing
ICACLS "!eFolder!" /inheritance:d /grant:r "%uAccount%:(OI)(IO)" /C
::: Remove all granted permission ACLs on only the folder the exe file resides
ICACLS "!eFolder!" /remove:g "%uAccount%" /C
::: Remove all denied permission ACLs on only the folder the exe file resides
ICACLS "!eFolder!" /remove:g "%uAccount%" /C
::: Grants explicit read and execute ACL access on only the folder the exe file resides
ICACLS "!eFolder!" /grant:r "%uAccount%:(RX)" /C
::: Denies delete ACL access on only the folder the exe file resides  
ICACLS "!eFolder!" /deny "%uAccount%":(DE)
::: Denies create files / write data ACL access on only the folder the exe file resides  
ICACLS "!eFolder!" /deny "%uAccount%":(WD)

::: Disables ACL inheritence on the exe file only but copies all ACLs as inherited before removing
ICACLS "%Exe%" /inheritance:d /grant:r "%uAccount%:(OI)(IO)" /C
::: Remove all granted permission ACLs on only the exe file
ICACLS  "%Exe%"  /remove:g "%uAccount%" /C
::: Remove all denied permission ACLs on only the exe file
ICACLS  "%Exe%"  /remove:g "%uAccount%" /C
::: Grants explicit read and execute ACL access only to the exe file
ICACLS "%Exe%" /grant:r "%uAccount%:(RX)" /C
::: Grants an explicit deny of delete ACL access only to the exe file
ICACLS "%Exe%" /deny "%uAccount%":(DE)


PAUSE
EXIT

笔记：将变量的值更改Exe=为您想要锁定的可执行文件的完整显式路径，并将变量的值更改uAccount=为您希望执行此操作的帐户（或组）的用户名（或安全组名称）。

GUI ACL 权限说明

exe 所在的文件夹

exe 文件本身

拒绝用户删除文件但允许其执行文件

答案1

防止文件删除或重命名但允许读取和执行访问

脚本

GUI ACL 权限说明

更多资源

相关内容