我如何拒绝所有本地用户但保留 testuser 和管理员的完全权限


I need to set user permissions from the Windows command line as shown below.

My folder is at the path "C:\Program Files\<folder>\<folderName>", and I need the following permissions on that folder:

1. Deny all users from the group "Users"
2. Keep full permission for the following users: Administrator and "testuser"

I have a batch script that will be invoked by the Qt Installer Framework; in that batch file I create the user and the folder like this:

net user testuser password /add

mkdir "C:\Program Files\<folder>\<folderName>"

Initial permissions:

C:\>icacls "C:\Program Files\<folderName>"
C:\Program Files\<folderName>     WIN-VLK3TB8O520\Administrator:(F)
                                  WIN-VLK3TB8O520\testuser:(F)
                                  NT SERVICE\TrustedInstaller:(F)
                                  NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(F)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(F)
                                  BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                  CREATOR OWNER:(OI)(CI)(IO)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
                                  WIN-VLK3TB8O520\testuser:(OI)(CI)(F)
                                  WIN-VLK3TB8O520\Administrator:(OI)(CI)(F)
                                  NT SERVICE\TrustedInstaller:(I)(F)
                                  NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Users:(I)(RX)
                                  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                  WIN-VLK3TB8O520\Administrator:(I)(F)
                                  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

I have a user called "testuser" which is in the "Users" local group. When I try to remove this user group with the following command,

icacls "C:\Program Files\<folder>\<folderName>" /deny Users:F /T /C

C:\>icacls "C:\Program Files\<folder>\<folderName>" /deny Users:F /T /C
processed file: "C:\Program Files\<folder>\<folderName>"
"C:\Program Files\<folder>\<folderName>"\*: Access is denied.
Successfully processed 1 files; Failed processing 1 files

This "Access is denied" is reasonable, because I run this command as Administrator and I guess the permission gets denied for the Administrator user as well, so I cannot access this folder as Administrator.

I hoped that if I could remove the following permissions it would be solved:

 BUILTIN\Users:(I)(RX)
 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)

So I executed:

ICACLS "C:\Program Files\<folder>\<folderName>" /remove Users /T /C

For the above command I did not get any error, but after executing it I still did not get the proper permissions:

Successfully processed 57 files; Failed processing 0 files

C:\>icacls "C:\Program Files\<folder>\<folderName>"
C:\Program Files\<folder>\<folderName>    WIN-VLK3TB8O520\Administrator:(F)
                                  WIN-VLK3TB8O520\testuser:(F)
                                  NT SERVICE\TrustedInstaller:(F)
                                  NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(F)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(F)
                                  BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                  CREATOR OWNER:(OI)(CI)(IO)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
                                  WIN-VLK3TB8O520\testuser:(OI)(CI)(F)
                                  WIN-VLK3TB8O520\Administrator:(OI)(CI)(F)
                                  NT SERVICE\TrustedInstaller:(I)(F)
                                  NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Users:(I)(RX)
                                  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                  WIN-VLK3TB8O520\Administrator:(I)(F)
                                  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

There was also no change with the following commands.

ICACLS "C:\Program Files\<folder>\<folderName>" /remove Everyone /T /C

ICACLS "C:\Program Files\<folder>\<folderName>" /grant testuser:(F) /T /C

Now I understand that all users belong to the "Users" group, so I cannot directly /deny "Users".

Can I create a new user group containing these two users (i.e. Administrator and testuser) and set the permissions so that the folder is accessible only to that group?

Answer 1

After a lot of reading of the documentation and experimenting, I found the following:

/deny is used to completely "deny" all users in that group.

However, we can remove that group from the ACL, grant permissions to the specific user, and change the ownership to that user. Then, whenever any user tries to access the folder, the UAC window pops up and asks an administrator to grant permission for that specific user. This solved my problem.

Also, some permissions are inherited, so I could not change the ACL directly.

To solve my problem I used the following:

REM To remove inheritance.
icacls %FOLDER_PATH% /inheritance:d

REM To remove all the granted and denied permissions for Users.
icacls %FOLDER_PATH% /remove:g Users
icacls %FOLDER_PATH% /remove:d Users

REM To grant full permission to the current user.
icacls %FOLDER_PATH% /grant %USERNAME%:F /T /Q

REM To grant full permission to a different user.
icacls %FOLDER_PATH% /grant %Another_USERNAME%:F /T

Note that these two users will be in the Users group and able to access this particular folder.
Other users from the "Users" group will not be able to access this folder unless the required permissions are granted.

REM To change ownership to the desired user.
icacls %FOLDER_PATH% /setowner %Another_USERNAME% /T

Hope this helps!
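The steps in the answer above, assembled into one batch file that also backs up the DACLs first and verifies the result afterwards. This is an added example, not the original poster's script or the answer's own code; FOLDER_PATH, APP_USER and ADMIN_USER are assumed placeholder values, and the script must run from an elevated prompt because /setowner to another account needs administrator privileges. The reason the example removes the Users entries instead of adding a deny entry, as the answer does, is how Windows evaluates DACLs: a deny ACE wins over any allow ACE for the same token, and on a default installation BUILTIN\Users contains Authenticated Users and INTERACTIVE, so Administrator and testuser both carry the Users SID in their tokens and a "deny Users" would lock them out too.

```batch
@echo off
REM Added example (not from the original question or answer).
REM Assumed placeholder values: adjust FOLDER_PATH, APP_USER and ADMIN_USER.
setlocal

set "FOLDER_PATH=C:\Program Files\<folder>\<folderName>"
set "APP_USER=testuser"
set "ADMIN_USER=Administrator"
set "ACL_BACKUP=%TEMP%\folder-acl-backup.txt"

REM 1. Save the current DACLs of the tree so the change can be rolled back
REM    later with "icacls <parent directory> /restore <file>".
icacls "%FOLDER_PATH%" /save "%ACL_BACKUP%" /T /C /Q
if errorlevel 1 goto :fail

REM 2. Stop inheriting from C:\Program Files. /inheritance:d keeps copies of
REM    the inherited entries as explicit entries, which is what makes the
REM    Users entries removable in the next step (plain /remove on inherited
REM    entries is why the question's attempt reported success but changed nothing).
icacls "%FOLDER_PATH%" /inheritance:d
if errorlevel 1 goto :fail

REM 3. Drop every explicit Users entry, allow (:g) and deny (:d), on the
REM    folder and everything below it.
icacls "%FOLDER_PATH%" /remove:g Users /T /C /Q
if errorlevel 1 goto :fail
icacls "%FOLDER_PATH%" /remove:d Users /T /C /Q
if errorlevel 1 goto :fail

REM 4. Grant full control to exactly the two accounts that should keep access.
REM    (OI)(CI) makes the entries flow down to files and subfolders created later.
icacls "%FOLDER_PATH%" /grant %ADMIN_USER%:(OI)(CI)F /T /C /Q
if errorlevel 1 goto :fail
icacls "%FOLDER_PATH%" /grant %APP_USER%:(OI)(CI)F /T /C /Q
if errorlevel 1 goto :fail

REM 5. Make the application account the owner; an owner can always read and
REM    change the DACL even if an entry is removed by mistake later.
icacls "%FOLDER_PATH%" /setowner %APP_USER% /T /C /Q
if errorlevel 1 goto :fail

REM 6. Verify. /findsid prints every object whose DACL still names Users, so
REM    empty output means the removal reached the whole tree; /verify reports
REM    any non-canonical ACL; the final listing is for eyeballing the result.
echo --- objects still mentioning Users (should be none):
icacls "%FOLDER_PATH%" /findsid Users /T /C
echo --- ACL canonical-form check:
icacls "%FOLDER_PATH%" /verify /T /C /Q
echo --- resulting DACL:
icacls "%FOLDER_PATH%"
endlocal
exit /b 0

:fail
echo Permission setup failed. The pre-change DACLs were saved to "%ACL_BACKUP%";
echo restore them with: icacls "<parent directory of the folder>" /restore "%ACL_BACKUP%"
endlocal
exit /b 1
```

Each step stops the script on failure rather than continuing, because a half-applied DACL (inheritance disabled but Users still present, or Users removed but no explicit grants yet) is the state most likely to lock an account out or leave the folder more open than intended. The backup from step 1 is the cheap way out of that situation.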
