PowerShell: How to create a folder, share it and apply NTFS permissions


As a PowerShell newbie, I am trying to write a script using the following script pieced together from various TechNet script examples:

$FolderPath = 'c:\folder'

$Shares=[WMICLASS]'WIN32_Share'

$ShareName='Home$'

New-Item -type directory -Path $FolderPath

$Shares.Create($FolderPath,$ShareName,0)

$Acl = Get-Acl $FolderPath
$Acl.SetAccessRuleProtection($True, $False)
$rule = New-Object   System.Security.AccessControl.FileSystemAccessRule('Administrators','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.AddAccessRule($rule)

Set-Acl $FolderPath $Acl
Get-Acl $FolderPath  | Format-List
The above script works fine at creating the folder and sets the permissions to:

Share: Everyone "Full"
NTFS: Users "Read"
I can't seem to figure out how to apply the permissions below. I am struggling with the parameters of System.Security.AccessControl.FileSystemAccessRule to set the NTFS permissions below.

Set Share permissions:  
Authenticated Users: change
Administrators: full control

Set NTFS permissions: 
Administrators: full control
SYSTEM: full control
Authenticated users: list folder/read data & create folders/append data, this folder only
Creator/Owner: full control, subfolders and files only  
Any help would be greatly appreciated.
Thanks in advance.

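You could have solved this yourself if you had tried searching. I created an answer for share permissions earlier, and NTFS permissions are easy to find too. Try this: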

#Local path
$FolderPath = 'c:\folder'

$Shares=[WMICLASS]'WIN32_Share'
#Share name
$ShareName='Home$'

#Create folder
New-Item -type directory -Path $FolderPath

#Create share rights

#Define a trustee (person/group to give access right)
$trustee = ([wmiclass]'Win32_trustee').psbase.CreateInstance()
$trustee.Domain = "NT Authority"
$trustee.Name = "Authenticated Users"

#Define an access control entry (permission-entry)
$ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
#Modify-rights
$ace.AccessMask = 1245631
#Inheritance for folders and files
$ace.AceFlags = 3
$ace.AceType = 0
#Assign rights to Authenticated users ($trustee)
$ace.Trustee = $trustee

$trustee2 = ([wmiclass]'Win32_trustee').psbase.CreateInstance()
$trustee2.Domain = "BUILTIN"  #Or domain name
$trustee2.Name = "Administrators"

$ace2 = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
#Full control
$ace2.AccessMask = 2032127
$ace2.AceFlags = 3
$ace2.AceType = 0
#Assign rights to Administrators ($trustee2)
$ace2.Trustee = $trustee2

#Create ACL/security descriptor. This is the security-definitions that you set on the share.
$sd = ([wmiclass]'Win32_SecurityDescriptor').psbase.CreateInstance()
#Specify that a DACL (ACL/security/permissions) are available, so the share isn't set to full access for everyone
$sd.ControlFlags = 4
#Add our rules
$sd.DACL = $ace, $ace2
#Set Administrators ($trustee2) as owner and group of ITEM (will be the share)
$sd.group = $trustee2
$sd.owner = $trustee2

#Create share with the security rules
$shares.create($FolderPath, $ShareName, 0, 100, "Description", "", $sd) | Out-Null

#Get NTFS permissions
$Acl = Get-Acl $FolderPath
#Disable inheritance and clear permissions
$Acl.SetAccessRuleProtection($True, $False)
#Define NTFS rights
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('SYSTEM','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users",@("ReadData", "AppendData", "Synchronize"), "None", "None", "Allow")
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER','FullControl','ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
$Acl.AddAccessRule($rule)

#Save ACL changes (NTFS permissions)
Set-Acl $FolderPath $Acl | Out-Null
#Show ACL so user can verify changes
Get-Acl $FolderPath  | Format-List

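Forgot the share permissions. Added now.

Graimer, thank you for the quick answer to my question. The script commands you provided for NTFS were very difficult to figure out. When I run the script, I get an error on $sd.DACL = $ace, $ace2 (Exception setting "DACL": "Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.Management.ManagementBaseObject'."). When I check the share permissions, one of the groups shows as Account Unknown (S-1-5-5-0-290585), which I believe is Authenticated Users. Any ideas? Otherwise your answer is spot on. Thanks!!

I forgot to ask, is there a way to set the caching setting on the folder to "No files or programs from the shared folder are available offline"?

I changed it to $sd.DACL = $ace.psObject.baseobject, $ace2.psObject.baseobject and now it seems to work perfectly, setting the "Authenticated Users" group to Read and Change. I don't know why it works - I found another example and applied it, call it improvisation!

I spoke too soon! The above NTFS permissions are not applied as intended. Not sure what needs to be done with $sd.DACL = $ace, $ace2 (Exception setting "DACL": "Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.Management.ManagementBaseObject'.") to fix this by setting the correct permissions for Authenticated Users on the share.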
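
The layout requested in the question, written as an added example that is not code from anyone in this thread: identities are built from well-known SIDs rather than account names, and the share is created with New-SmbShare so the share permissions and the offline-caching setting are applied in one call. It assumes Windows 8 / Server 2012 or later (SmbShare module), an elevated session, and a folder that does not exist yet; the helper names Get-WellKnownSid and New-AllowRule are made up for this example.

```powershell
# Added example. Path and share name are taken from the question.
$FolderPath = 'C:\folder'
$ShareName  = 'Home$'
New-Item -ItemType Directory -Path $FolderPath | Out-Null

# Build identities from well-known SIDs so they resolve on any system language.
function Get-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type) {
    New-Object System.Security.Principal.SecurityIdentifier($Type, $null)
}
$admins    = Get-WellKnownSid BuiltinAdministratorsSid
$system    = Get-WellKnownSid LocalSystemSid
$authUsers = Get-WellKnownSid AuthenticatedUserSid     # S-1-5-11
$creator   = Get-WellKnownSid CreatorOwnerSid

function New-AllowRule {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL, discard inherited entries
$acl.AddAccessRule((New-AllowRule $admins FullControl 'ContainerInherit, ObjectInherit' None))
$acl.AddAccessRule((New-AllowRule $system FullControl 'ContainerInherit, ObjectInherit' None))
# "This folder only": no inheritance flags, so nothing reaches child objects
$acl.AddAccessRule((New-AllowRule $authUsers 'ReadData, AppendData, Synchronize' None None))
# "Subfolders and files only": inherited by children, not applied to the folder itself
$acl.AddAccessRule((New-AllowRule $creator FullControl 'ContainerInherit, ObjectInherit' InheritOnly))
Set-Acl -Path $FolderPath -AclObject $acl

# Share permissions (Change / Full) with offline caching disabled at creation time.
$nt = [System.Security.Principal.NTAccount]
New-SmbShare -Name $ShareName -Path $FolderPath -CachingMode None `
    -ChangeAccess ($authUsers.Translate($nt).Value) `
    -FullAccess   ($admins.Translate($nt).Value) | Out-Null

# Verify both layers: every entry should show a resolved account name, not a bare SID.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight
(Get-Acl -Path $FolderPath).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```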