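I want to set permissions so that an executable file cannot be deleted or renamed but can still be executed.
When I deny delete on it, it can't be executed either. Why?
Is there a way to make it undeletable but executable? (I am using the advanced permissions to set it to allow execute and read on the file.)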
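Answer 1
Prevent file delete or rename but allow read and execute access
Try using ICACLS with the syntax below against the file you want to lock down and the username (or security group name) the commands should apply to. In the script, the comment lines starting with ::: above each command explain exactly what that command does to the ACL permissions.
You should reset the ACL permissions to their initial settings, as they were before any changes you made, prior to running this script. Once done, verify that the account can execute the file, and then run the script below.
Essentially, this disables ACL inheritance on the folder the executable resides in and on the file itself. It then grants explicit read and execute on the folder and the executable. To prevent the file from being renamed, it denies create files / write data on the folder the executable resides in. Lastly, it explicitly denies delete access on the folder and the executable.
Script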
@ECHO ON
SETLOCAL ENABLEDELAYEDEXPANSION
SET "Exe=C:\Folder\Path\file.exe"
SET "uAccount=Username"
FOR %%a in ("%Exe%") DO SET "eFolder=%%~DPa"
::: This strips the last "\" from the folder the exe resides so icacls can process
SET "eFolder=!eFolder:~0,-1!"
::: Disables ACL inheritance on the folder the exe file resides but copies all ACLs as inherited before removing
ICACLS "!eFolder!" /inheritance:d /grant:r "%uAccount%:(OI)(IO)" /C
::: Remove all granted permission ACLs on only the folder the exe file resides
ICACLS "!eFolder!" /remove:g "%uAccount%" /C
::: Remove all denied permission ACLs on only the folder the exe file resides
ICACLS "!eFolder!" /remove:d "%uAccount%" /C
::: Grants explicit read and execute ACL access on only the folder the exe file resides
ICACLS "!eFolder!" /grant:r "%uAccount%:(RX)" /C
::: Denies delete ACL access on only the folder the exe file resides
ICACLS "!eFolder!" /deny "%uAccount%":(DE)
::: Denies create files / write data ACL access on only the folder the exe file resides
ICACLS "!eFolder!" /deny "%uAccount%":(WD)
::: Disables ACL inheritance on the exe file only but copies all ACLs as inherited before removing
ICACLS "%Exe%" /inheritance:d /grant:r "%uAccount%:(OI)(IO)" /C
::: Remove all granted permission ACLs on only the exe file
ICACLS "%Exe%" /remove:g "%uAccount%" /C
::: Remove all denied permission ACLs on only the exe file
ICACLS "%Exe%" /remove:d "%uAccount%" /C
::: Grants explicit read and execute ACL access only to the exe file
ICACLS "%Exe%" /grant:r "%uAccount%:(RX)" /C
::: Grants an explicit deny of delete ACL access only to the exe file
ICACLS "%Exe%" /deny "%uAccount%":(DE)
PAUSE
EXIT
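Note: Change the value of the variable Exe= to the full explicit path of the executable you want to lock down, and change the value of the variable uAccount= to the username (or security group name) of the account (or group) you want this to apply to.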
GUI ACL permission explanation
The folder the exe resides in
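To confirm that the script left the ACLs in the state the answer describes, the following PowerShell check reads them back for the folder and the exe. It is an added example, not part of the original answer; the function names Get-ExplicitMask and Test-Lockdown are hypothetical, and the path and account are the script's own placeholder values.

```powershell
# Added example: audits the ACL state the batch script above is meant to produce.
# $Exe and $Account mirror the script's Exe= and uAccount= placeholder values.
param(
    [string]$Exe     = 'C:\Folder\Path\file.exe',
    [string]$Account = 'Username'
)

$Rights  = [System.Security.AccessControl.FileSystemRights]
$SidType = [System.Security.Principal.SecurityIdentifier]
# Compare by SID so that DOMAIN\name and plain name forms match the same ACEs.
$Sid = [System.Security.Principal.NTAccount]::new($Account).Translate($SidType).Value

function Get-ExplicitMask {
    # Combined explicit (non-inherited) rights of one ACE type (Allow/Deny) for $Sid.
    param([string]$Path, [string]$Type)
    $mask = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false, $SidType)) {
        if ($ace.IdentityReference.Value -eq $Sid -and "$($ace.AccessControlType)" -eq $Type) {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    $mask
}

function Test-Lockdown {
    # $MustDeny: rights that have to appear in an explicit deny ACE on $Path.
    param([string]$Path, [int]$MustDeny)
    $rx    = [int]$Rights::ReadAndExecute
    $allow = Get-ExplicitMask $Path 'Allow'
    $deny  = Get-ExplicitMask $Path 'Deny'
    [pscustomobject]@{
        Path                 = $Path
        InheritanceDisabled  = (Get-Acl -LiteralPath $Path).AreAccessRulesProtected
        AllowsReadExecute    = ($allow -band $rx) -eq $rx
        DeniesRequiredRights = ($deny -band $MustDeny) -eq $MustDeny
        # Deny ACEs are evaluated before allow ACEs, so any read/execute bit in a
        # deny entry would stop the account from running the file.
        DenyLeavesExecute    = ($deny -band $rx) -eq 0
    }
}

# Folder: delete and create files / write data denied. Exe: delete denied.
$folder = Split-Path -Path $Exe -Parent
Test-Lockdown $folder ([int]($Rights::Delete -bor $Rights::WriteData))
Test-Lockdown $Exe    ([int]$Rights::Delete)
```

Every boolean column should read True for both the folder and the exe. The check looks only at the explicit ACEs for the named account, not at rights that reach the user through other group memberships.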