使用powershell修改新用户主目录权限

tag-icon tag-icon powershell scripting access-control-list user-permissions home-directory
使用powershell修改新用户主目录权限

我需要脚本方面的帮助。我想要实现的是,当在 ADUC 中创建新用户并创建其配置文件路径(主文件夹)时,它会为用户提供“完全控制”权限。我想将其更改为修改权限。我的问题是每周都会创建多个用户,我想要一个脚本,它可以遍历所有主文件夹,如果找到具有完全控制权的用户,则将其更改为修改。但还有一个管理员安全组,其中包含多个管理员,他们对每个主目录都具有“完全控制权”。我不希望它查看组内并剥夺他们的完全控制权。我需要使用哪些 cmdlet 来忽略该组,只将具有“完全控制”权限的用户更改为修改权限。我有一个脚本可以将特定用户的权限从“完全控制”更改为修改,但不知道正确的方法让它只搜索具有“完全控制”权限的文件夹中的用户帐户。

#ChangeACL.ps1
$Right="Modify"

#The possible values for Rights are 
# ListDirectory
# ReadData 
# WriteData 
# CreateFiles 
# CreateDirectories 
# AppendData 
# ReadExtendedAttributes 
# WriteExtendedAttributes 
# Traverse 
# ExecuteFile 
# DeleteSubdirectoriesAndFiles 
# ReadAttributes 
# WriteAttributes 
# Write 
# Delete 
# ReadPermissions 
# Read 
# ReadAndExecute 
# Modify 
# ChangePermissions 
# TakeOwnership 
# Synchronize 
# FullControl

$StartingDir="\\server\Path" #What directory do you want to start at?"
$Principal="domain\user" #What security principal do you want to grant" `


#define a new access rule.

$rule=new-object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,"ContainerInherit,ObjectInherit", 'None',"Allow")

foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
  $acl=(Get-Item $file.FullName).GetAccessControl('Access')

  #Add this access rule to the ACL
  $acl.SetAccessRule($rule)

  #Write the changes to the object
  #Set-Acl $File.Fullname $acl
  (Get-Item $file.FullName).SetAccessControl($acl)
  }

答案1

经过一些测试后我提出了这个脚本并且似乎有效:

$HomeFolders = Get-ChildItem \\server\Path -Directory
foreach ($HomeFolder in $HomeFolders) {
    $Path = $HomeFolder.FullName
    $Acl = (Get-Item $Path).GetAccessControl('Access')
    $Username = $HomeFolder.Name
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\$Username", 'Modify','ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($Ar)
       (Get-Item $HomeFolder.FullName).SetAccessControl($acl)
}

答案2

我为可能遇到相同情况的人创建了另一个。它将检查 ACL,并在必要时进行更改。

#set root share to scan 
$HomeFolders = get-childitem \\servername\USERS -Directory

# loop through all folders in root
foreach ($HomeFolder in $HomeFolders) {
    $Path = $HomeFolder.FullName

    #set username based on folder name. Know that this is not going to be 100% accurate 
    # since some user shares may have access granted to other users(ie, managers)
    $Username = $HomeFolder.Name

    # set variable for Username
    $IdentityReferrence = "domain\$Username"

    # create security object specific to user
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReferrence, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    # get acl of folder in loop
    $Acl = (Get-Item $Path).GetAccessControl('Access')

    # look through all access objects
    foreach ($aclitem in $acl.Access) {
        # if a matching userID is found, check the permissions against the new access rule identity reference.
        if ($aclitem.IdentityReference -eq $ar.IdentityReference) {
            # if rights do not match, set the permissions with access rule set before
            if ($aclitem.FileSystemRights -ne $ar.FileSystemRights) { 
                write-host $HomeFolder.FullName "has permission of "$aclitem.FileSystemRights
                $Acl.SetAccessRule($Ar)
                write-host "Correcting permissions on $($homefolder.fullname)"
                (Get-Item $HomeFolder.FullName).SetAccessControl($acl)
            }
        }
    } 
}

相关内容