我的新雇主为数百名用户设置了文件夹重定向,而设置它的人并不真正了解自己在做什么。结果,重定向文件夹/主目录权限的最佳实践沒有被關注。
让人们访问其重定向文件夹位置的解决方案是将Full Control
权限(NTFS 权限,当然不是“共享”权限)应用于Everyone
根目录(“主页”)并将其传播到根目录下的所有子文件夹和文件。
可能出什么问题呢?首席执行官的文件夹中又不会有机密信息My Documents
,或者有人会感染 CryptoWall 并加密其他人的文件。对吧?
所以,无论如何,既然 CryptoWall 感染已被清除并且备份已恢复,许多人希望我们用一些不那么可怕的东西替换当前的权限,并且我不想要在几百个文件夹中点击权限对话框。
PowerShell 如何为我解决这个问题并让我的生活再次变得有价值?
答案1
感谢 JScott请我参考System.Security.Principal
...类或方法或无论它是什么,一些 PowerShell 将一堆子文件夹上的 ACL 替换为适合用户主目录的 ACL:
$Root = "Path to the root folder that holds all the user home directories"
$Paths = Get-ChildItem $Root | Select-Object -Property Name,FullName
$DAAR = New-Object system.security.accesscontrol.filesystemaccessrule("MyDomain\Domain Admins","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Domain Admin Access Rule.
$SysAR = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#SYSTEM Access Rule.
foreach ($Folder in $Paths)
{
Write-Host "Generating ACL for $($folder.FullName) ... "
#For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.
$ACL = New-Object System.Security.AccessControl.DirectorySecurity
#Creates a blank ACL object to add access rules into, also blanks out the ACL for each iteration of the loop.
$objUser = New-Object System.Security.Principal.NTAccount("MyDomain\"+$folder.name)
#Creating the right type of User Object to feed into our ACL, and populating it with the user whose folder we're currently on.
$UserAR = New-Object system.security.accesscontrol.filesystemaccessrule( $objuser ,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Access Rule for the user whose folder we're dealing with during this iteration.
$acl.SetOwner($objUser)
$acl.SetAccessRuleProtection($true, $false)
#Change the inheritance/propagation settings of the folder we're dealing with
$acl.SetAccessRule($UserAR)
$acl.SetAccessRule($DAAR)
$acl.SetAccessRule($SysAR)
Write-Host "Changing ACL on $($folder.FullName) to:"
$acl | fl
#For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.
Set-Acl -Path $Folder.Fullname -ACLObject $acl
}
答案2
先前的答案不起作用如果主文件夹/重定向文件夹设置为“授予用户独占权限”。这是因为当选择此选项时不推荐,只有系统和用户才有权访问该文件夹。如果不拥有该文件夹的所有权,您就无法更改权限(即使以管理员身份)。
这是一种无需承担责任即可解决这个问题的方法。这是一个两步过程。
创建一个运行 ICACLS 的 powershell 脚本来修改文件夹和子文件夹的权限。
运行 PSexec 来启动 Powershell 脚本。
1 创建/复制/窃取 powershell 脚本 (需要 PS 3.0 或更高版本)
#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write
$StartingDir= "c:\shares\users" ##Path to root of users home dirs
$Principal="domain\username" #or "administrators"
$Permission="F"
$Verify=Read-Host `n "You are about to change permissions on all" `
"files starting at"$StartingDir.ToUpper() `n "for security"`
"principal"$Principal.ToUpper() `
"with new right of"$Permission.ToUpper()"."`n `
"Do you want to continue? [Y,N]"
if ($Verify -eq "Y") {
foreach ($FOLDER in $(Get-ChildItem -path $StartingDir -directory -recurse)) {
$temp = $Folder.fullname
CACLS `"$temp`" /E /P `"${Principal}`":${Permission} >$NULL
#write-host $Folder.FullName
}
}
- 运行 PSEXEC,它以 SYSTEM 帐户运行,因此可以更改只有 SYSTEM 和用户才有权访问的文件夹的权限。安装并运行 PSexec。https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
从命令行:
psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"