I'm trying to set folder permissions for a group like this:
\\server\share$\folder1\folder2
Traverse on Share$ -> Traverse on Folder1 -> Modify on Folder2
There are more folders in the share, but the group should not get any access to them. That's why I set the inheritance and propagation flags in $AccessRuleTraverse to "None", "None".
# Modify on Folder2, inherited by everything below it
$AccessRuleModify = New-Object System.Security.AccessControl.FileSystemAccessRule("TestGroup","Modify","ContainerInherit, ObjectInherit","None","Allow")
# Traverse + list on this folder only (no inheritance, no propagation)
$AccessRuleTraverse = New-Object System.Security.AccessControl.FileSystemAccessRule("TestGroup","Traverse,ListDirectory","None","None","Allow")
$ACL = Get-Acl $Share
$ACL.AddAccessRule($AccessRuleTraverse)
$ACL | Format-List
Set-Acl -Path $Share $ACL
$ACLFolder1 = Get-Acl $Folder1
$ACLFolder1.AddAccessRule($AccessRuleTraverse)
$ACLFolder1 | Format-List
Set-Acl -Path $Folder1 $ACLFolder1
$ACLFolder2 = Get-Acl $Folder2
$ACLFolder2.AddAccessRule($AccessRuleModify)
$ACLFolder2 | Format-List
Set-Acl -Path $Folder2 $ACLFolder2
When I do this over the UNC path, TestGroup is added, but all inherited groups are removed: BUILTIN\Administrators, SYSTEM and another AD group inherited from the parent. If I check inheritance in the GUI it appears to be enabled, and when I disable and re-enable it the mysteriously missing groups come back.
If I add '$ACL | Format-List' before Set-Acl, it returns the groups...
Get-Acl shows:
Path : Microsoft.PowerShell.Core\FileSystem::\\server\tbd$\test2
Owner : BUILTIN\Administrators
Group : DOMAIN\Domain Users
Access :
DOMAIN\admaccount Allow FullControl
DOMAIN\InheritedGroup Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:BAG:DUD:AI(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)
After .AddAccessRule:
Path : Microsoft.PowerShell.Core\FileSystem::\\server\tbd$\test2
Owner : BUILTIN\Administrators
Group : DOMAIN\Domain Users
Access :
DOMAIN\TestGroup Allow ReadData, ExecuteFile, Synchronize
DOMAIN\admaccount Allow FullControl
DOMAIN\InheritedGroup Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:BAG:DUD:AI(A;;0x100021;;;S-1-5-21-3230232255-2288239599-1684634387-61957)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)
Edit:
After the feedback I tested directly on the server with a local path:
$AccessRuleTraverse = New-Object System.Security.AccessControl.FileSystemAccessRule("TestGroup","Traverse,ListDirectory","None","None","Allow")
$ACL = Get-Acl F:\tbd\test2
$ACL | Format-List
$ACL.AddAccessRule($AccessRuleTraverse)
$ACL | Format-List
Set-Acl -Path F:\tbd\test2 $ACL
Get-Acl shows:
Path : Microsoft.PowerShell.Core\FileSystem::F:\tbd\test2
Owner : BUILTIN\Administrators
Group : BELGIANRAIL\Domain Users
Access : BELGIANRAIL\admaccount Allow FullControl
BELGIANRAIL\InheritedGroup Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:BAG:DUD:AI(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)
After .AddAccessRule:
Path : Microsoft.PowerShell.Core\FileSystem::F:\tbd\test2
Owner : BUILTIN\Administrators
Group : BELGIANRAIL\Domain Users
Access : BELGIANRAIL\TestGroup Allow ReadData, ExecuteFile, Synchronize
BELGIANRAIL\admaccount Allow FullControl
BELGIANRAIL\InheritedGroup Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:BAG:DUD:AI(A;;0x100021;;;S-1-5-21-3230232255-2288239599-1684634387-61957)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)
It looks identical to the UNC path run. But the end result is completely different: with the local path it works fine! I guess I could look up the local path and start a remote PS session. Using the UNC path would be easier though :)
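An added check, not the poster's code, for the problem described in this post: it applies the ACE, re-reads the ACL from the path after Set-Acl, and reports any inherited entries that are no longer present, so a silent loss of BUILTIN\Administrators or SYSTEM is caught immediately instead of in the GUI later. The path is a placeholder; the "TestGroup" principal and the traverse rule are taken from the question.

```powershell
# Added example (not from the original post). Applies an access rule and
# verifies that the inherited ACEs survived the write.
function Add-AceAndVerify {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Rule
    )
    # Snapshot the inherited ACEs as they are on disk before changing anything.
    $before = @((Get-Acl -Path $Path).Access | Where-Object { $_.IsInherited })

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read from disk: the in-memory $acl object is not proof of what was written.
    $after = @((Get-Acl -Path $Path).Access | Where-Object { $_.IsInherited })
    $afterKeys = @($after | ForEach-Object { "$($_.IdentityReference)|$($_.FileSystemRights)" })

    # Any inherited ACE present before but absent now is a regression.
    $lost = @($before | Where-Object {
        $afterKeys -notcontains "$($_.IdentityReference)|$($_.FileSystemRights)"
    })

    if ($lost.Count -gt 0) {
        Write-Warning "Inherited ACEs missing after Set-Acl on ${Path}:"
        foreach ($ace in $lost) {
            Write-Warning ("  {0} {1} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights)
        }
        return $false
    }
    Write-Host "OK: $($after.Count) inherited ACE(s) still present on $Path"
    return $true
}

# Same traverse-only rule as in the question (no inheritance, no propagation).
$traverse = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "TestGroup", "Traverse,ListDirectory", "None", "None", "Allow")

# Placeholder path; replace with the share or folder being changed.
Add-AceAndVerify -Path '\\server\share$\folder1' -Rule $traverse
```

Run it once against the UNC path and once against the local path on the server to confirm which of the two actually drops the inherited entries.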