Get-ACL Set-ACL removes inherited groups

I am trying to set folder permissions for a group like this:

\\server\share$\folder1\folder2

Traverse Share$ -> Traverse Folder1 -> Modify Folder2

There are more folders in the share, but the group should not get any access to them. That is why I set the inheritance and propagation flags to "None", "None" in $AccessRuleTraverse.

$Share   = '\\server\share$'       # placeholder paths, as in the layout above
$Folder1 = "$Share\folder1"
$Folder2 = "$Folder1\folder2"

# Modify on Folder2, inherited by its subfolders and files
$AccessRuleModify   = New-Object System.Security.AccessControl.FileSystemAccessRule("TestGroup","Modify","ContainerInherit, ObjectInherit","None","Allow")
# Traverse/list on the folder itself only, no inheritance, so sibling folders stay invisible
$AccessRuleTraverse = New-Object System.Security.AccessControl.FileSystemAccessRule("TestGroup","Traverse,ListDirectory","None","None","Allow")

$ACL = Get-Acl $Share
$ACL.AddAccessRule($AccessRuleTraverse)
$ACL | Format-List
Set-Acl -Path $Share $ACL

$ACLFolder1 = Get-Acl $Folder1
$ACLFolder1.AddAccessRule($AccessRuleTraverse)
$ACLFolder1 | Format-List
Set-Acl -Path $Folder1 $ACLFolder1

$ACLFolder2 = Get-Acl $Folder2
$ACLFolder2.AddAccessRule($AccessRuleModify)
$ACLFolder2 | Format-List
Set-Acl -Path $Folder2 $ACLFolder2

When I do this via the UNC path, TestGroup is added, but all inherited groups are removed: BUILTIN\Administrators, SYSTEM and another AD group inherited from higher up. If I check inheritance in the GUI it appears to be enabled, and when I disable and re-enable it, the mysteriously missing groups come back.

If I add '$ACL | Format-List' before Set-ACL, it returns the groups...

Get-Acl shows:

Path   : Microsoft.PowerShell.Core\FileSystem::\\server\tbd$\test2
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access :
         DOMAIN\admaccount Allow  FullControl
         DOMAIN\InheritedGroup Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:AI(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)

After .AddAccessRule:

Path   : Microsoft.PowerShell.Core\FileSystem::\\server\tbd$\test2
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access :
         DOMAIN\TestGroup Allow  ReadData, ExecuteFile, Synchronize
         DOMAIN\admaccount Allow  FullControl
         DOMAIN\InheritedGroup Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:AI(A;;0x100021;;;S-1-5-21-3230232255-2288239599-1684634387-61957)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)

EDIT:

After the feedback I tested directly on the server with a local path:

$AccessRuleTraverse = New-Object System.Security.AccessControl.FileSystemAccessRule("TestGroup","Traverse,ListDirectory","None","None","Allow")
$ACL = Get-Acl F:\tbd\test2
$ACL | Format-List
$ACL.AddAccessRule($AccessRuleTraverse)
$ACL | Format-List
Set-Acl -Path F:\tbd\test2 $ACL

Get-Acl shows:

Path   : Microsoft.PowerShell.Core\FileSystem::F:\tbd\test2
Owner  : BUILTIN\Administrators
Group  : BELGIANRAIL\Domain Users
Access : BELGIANRAIL\admaccount Allow  FullControl
         BELGIANRAIL\InheritedGroup Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
Audit  : 
Sddl   : O:BAG:DUD:AI(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)

After .AddAccessRule:

Path   : Microsoft.PowerShell.Core\FileSystem::F:\tbd\test2
Owner  : BUILTIN\Administrators
Group  : BELGIANRAIL\Domain Users
Access : BELGIANRAIL\TestGroup Allow  ReadData, ExecuteFile, Synchronize
         BELGIANRAIL\admaccount Allow  FullControl
         BELGIANRAIL\InheritedGroup Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
Audit  : 
Sddl   : O:BAG:DUD:AI(A;;0x100021;;;S-1-5-21-3230232255-2288239599-1684634387-61957)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)

It looks the same as via the UNC path. But the end result is completely different; with the local path it works correctly! I guess I could get the local path and start a remote PS session. Using the UNC path would be easier though :)
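The point the post illustrates is that the in-memory ACL object printed by Format-List is not evidence of what Set-Acl actually wrote: only re-reading the ACL from disk shows whether the inherited ACEs survived. The following is an added example, not the poster's code: it wraps the Get-Acl / AddAccessRule / Set-Acl round trip, snapshots the inherited ACEs before and after, and, if any went missing or the DACL came back protected, re-enables inheritance with SetAccessRuleProtection($false, $false), which is the programmatic equivalent of the GUI disable/re-enable toggle the poster found restored the groups. The path and group name are placeholders; the function names are assumptions made here.

```powershell
# Added example (not the original poster's code). Paths and group are placeholders.
param(
    [string]$Path  = '\\server\share$\folder1\folder2',   # placeholder UNC path
    [string]$Group = 'DOMAIN\TestGroup'                   # placeholder group
)

function Get-InheritedAceSet {
    param([string]$TargetPath)
    # Sorted "Identity|Rights" strings for the inherited ACEs only, so two
    # snapshots can be compared regardless of ACE ordering.
    $acl = Get-Acl -Path $TargetPath
    $acl.Access |
        Where-Object { $_.IsInherited } |
        ForEach-Object { '{0}|{1}' -f $_.IdentityReference, $_.FileSystemRights } |
        Sort-Object
}

function Add-AceWithInheritanceCheck {
    param(
        [string]$TargetPath,
        [System.Security.AccessControl.FileSystemAccessRule]$Rule
    )
    # Snapshot of what is inherited BEFORE the change.
    $before = @(Get-InheritedAceSet -TargetPath $TargetPath)

    $acl = Get-Acl -Path $TargetPath
    $acl.AddAccessRule($Rule)
    Set-Acl -Path $TargetPath -AclObject $acl

    # Re-read from disk: the object we just passed in is not proof of what was written.
    $afterAcl = Get-Acl -Path $TargetPath
    $after    = @(Get-InheritedAceSet -TargetPath $TargetPath)

    # Inherited entries present before but absent now.
    $missing = @(Compare-Object -ReferenceObject $before -DifferenceObject $after |
                 Where-Object { $_.SideIndicator -eq '<=' } |
                 ForEach-Object { $_.InputObject })

    if ($afterAcl.AreAccessRulesProtected -or $missing.Count -gt 0) {
        Write-Warning ("Inherited ACEs lost on {0}: {1}" -f $TargetPath, ($missing -join ', '))
        # Equivalent of toggling inheritance off and on again in the GUI:
        # re-enable inheritance; the second argument is ignored when the first is $false.
        $afterAcl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $TargetPath -AclObject $afterAcl
        $after = @(Get-InheritedAceSet -TargetPath $TargetPath)
    }

    # Confirm the explicit (non-inherited) ACE for the group is really on disk.
    $explicit = (Get-Acl -Path $TargetPath).Access |
        Where-Object { -not $_.IsInherited -and
                       $_.IdentityReference.Value -eq $Rule.IdentityReference.Value }

    [pscustomobject]@{
        Path              = $TargetPath
        InheritedBefore   = $before.Count
        InheritedAfter    = $after.Count
        LostThenRestored  = ($missing.Count -gt 0)
        ExplicitRuleAdded = [bool]$explicit
    }
}

# Usage: the same traverse-only rule the post uses (no inheritance flags).
$traverse = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Traverse,ListDirectory', 'None', 'None', 'Allow')
Add-AceWithInheritanceCheck -TargetPath $Path -Rule $traverse
```

Running this against each of the three folders in turn gives an InheritedBefore/InheritedAfter pair per path; a drop between the two is the symptom from the post, and LostThenRestored tells you the re-enable step had to fire. Comparing the output for a UNC path against the same folder's local path is a quick way to reproduce the difference described in the EDIT.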
