我被迫添加一个只能访问一个文件夹的用户。因此,我需要从我的所有文件中删除用户和域用户权限。现在,每个用户都可以看到彼此的文件夹。所有用户文件夹都对内置“DOMAIN\Users”组具有读取权限,我想删除它。我尝试在用户文件夹中运行:
for /d %G in (*) do icacls %G /remove Users /t"
它对所有文件和文件夹执行了一些操作,但是当我回去检查时,用户权限仍然存在。
答案1
显然,/remove不会影响继承的 ACL:
C:\Windows\System32> pushd d:\bat\files2
d:\bat\files2> for /d %G in (*) do @icacls %G /T | findstr /I "folder \\Users"
folder BUILTIN\Administrators:(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
folder\xxx.csv BUILTIN\Administrators:(F)
BUILTIN\Users:(I)(RX)
d:\bat\files2> for /d %G in (*) do @icacls %G /remove Users /T
processed file: folder
processed file: folder\xxx.csv
Successfully processed 2 files; Failed processing 0 files
d:\bat\files2> for /d %G in (*) do @icacls %G /T | findstr /I "folder \\Users"
folder BUILTIN\Administrators:(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
folder\xxx.csv BUILTIN\Administrators:(F)
BUILTIN\Users:(I)(RX)
需要禁用继承并首先复制 ACE:
d:\bat\files2> for /d %G in (*) do @(icacls %G /inheritance:d /T&&icacls %G /remove Users /T)
processed file: folder
processed file: folder\xxx.csv
Successfully processed 2 files; Failed processing 0 files
processed file: folder
processed file: folder\xxx.csv
Successfully processed 2 files; Failed processing 0 files
d:\bat\files2> for /d %G in (*) do @icacls %G /T | findstr /I "folder \\Users"
folder BUILTIN\Administrators:(F)
folder\xxx.csv BUILTIN\Administrators:(F)
注意使用&&操作员在下面的一行中
for /d %G in (*) do @(icacls %G /inheritance:d /T&&icacls %G /remove Users /T)
代替
for /d %G in (*) do @icacls %G /inheritance:d /T
for /d %G in (*) do @icacls %G /remove Users /T
例子应用于以下文件结构:
d:\bat\files2> tree . /f
D:\BAT\FILES2
│ SampleInput.eml
│
└───folder
xxx.csv