PowerShell设置Acl新对象：找不到“的重载”；FileSystemAccessRule“；并且参数计数为：“quot；4“；

我完成了脚本中创建目录名的所有部分，根据预定义的目录结构创建目录，根据附加到硬编码名称的项目编号创建广告组，然后将该组添加到特定目录，并为该组设置ACL

我似乎无法绕过这个错误：

新对象：找不到“FileSystemAccessRule”的重载和参数计数：“4”。

以下是脚本：

    $domain="DOMAIN"
    $tldn="net"

    $pathArr=@()
    $pathArr+=$path1=Read-Host -Prompt "Enter first path"
    $pathArr+=$path2=Read-Host -Prompt "Enter second path"
    [int]$projectNumber=try { Read-Host -Prompt "Enter project number" } catch { Write-Host "Not a numeric value. Please try again."; exit }
    [string]$mainFolder=[string]${projectNumber}+"_"+(Read-Host -Prompt "Please give the main folder name")
    $projectNumberString=[string]$projectNumber
    $projectName=Read-Host -Prompt "Please give the project name"
    $fullProjectName="${projectNumberString}_${projectName}"
    $pathArr+=$path3="$path1\$mainFolder"
    $pathArr+=$path4="$path2\$mainFolder"
    $pathArr+=$path5="$path3\$fullProjectName"
    $pathArr+=$path6="$path4\$fullProjectName"

    # Region: Create organizational units in Active Directory
    # Names
    $ouN1="XYZOU"
    $ouN2="ABCOU"

    # Paths
    $ouP0="DC=$domain,DC=$tldn"
    $ouP1="OU=$ouN1,$ouP0"
    $ouP2="OU=$ouN2,$ouP1"

    Write-Host "Checking for required origanization units..."
    try
    {
        New-ADOrganizationalUnit -Name $ouN1 -Path $ouP1
        New-ADOrganizationalUnit -Name $ouN2 -Path $ouP2

    }
    catch
    {
        Out-Null
    }

    Write-Host "Creating AD Group..."
    [string]$group="BEST_${projectNumberString}"
    $groupdomain="$domain\$group"

    $ADGroupParams= @{
        'Name' = "$group" 
        'SamAccountName' = "$group" 
        'GroupCategory' = "Security"
        'GroupScope' = "Global"
        'DisplayName' = "$group"
        'Path' = "OU=MyBusinessOU,DC=$domain,DC=$tldn"
        'Description' = "Test share"
    }
    $secgroup=New-ADGroup @ADGroupParams

    # Region: Set permissions
    Write-Host "Setting permissions..."

    # get permissions
    $acl = Get-Acl -Path $path6

    # add a new permission
    $InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
    $FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions"
    $InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
    $PropagationFlags=[System.Security.AccessControl.PropagationFlags]”None”
    $AccessControl=[System.Security.AccessControl.AccessControlType]”Allow”
    $permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
    $acl.SetAccessRule($rule)

    # set new permissions
    $acl | Set-Acl -Path $path6

同样，我正在尝试在Windows环境中在Active Directory中手动执行的操作

创建一个广告组

将组添加到共享

设置组的权限

此脚本不会将用户添加到组中

最后也是最后一步是设置权限；不幸的是，当我运行脚本、更改语法或方法（以下是几篇在线文章中的示例）并花费数小时在这方面时，我只是没有取得任何进展。唯一的进步是它不能超载的数字从18降到了4

提前感谢您的帮助

编辑

我根据一条注释修改了脚本，指出我遗漏了

$FileSystemAccessRights

参数

$permission

变量已更改为：

$permission=“$groupdomain”、“$FileSystemAccessRights”、“$InheritanceFlags”、“$PropagationFlags”、“$AccessControl”

我仍然得到以下输出：

New-Object : Cannot convert argument "1", with value: "ExecuteFile Executefile ListDirectory ReadData ReadAttributes 
ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData WriteAttributes 
WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions", for "FileSystemAccessRule" to type 
"System.Security.AccessControl.FileSystemRights": "Cannot convert value "ExecuteFile Executefile ListDirectory ReadData 
ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData 
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions" to type 
"System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name ExecuteFile Executefile ListDirectory 
ReadData ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData 
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions to a valid enumerator name.  Specify one of the 
following enumerator names and try again: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, 
ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes, 
WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, 
FullControl""

编辑

我尝试从变量中删除引号，因为除了

$groupdomain

，似乎每个变量都有引号，然后出现以下错误：

New-Object : Cannot convert argument "1", with value: "System.Object[]", for "FileSystemAccessRule" to type 
"System.Security.AccessControl.FileSystemRights": "Cannot convert value 
"ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit, 
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" to 
type "System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name 
ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit, 
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions to a 
valid enumerator name.  Specify one of the following enumerator names and try again: ListDirectory, ReadData, WriteData, 
CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, 
DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, 
ChangePermissions, TakeOwnership, Synchronize, FullControl""

Cannot convert argument "rule", with value: "New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 
WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None Allow", for "SetAccessRule" to type 
"System.Security.AccessControl.FileSystemAccessRule": "Cannot convert the "New-Object -TypeName 
System.Security.AccessControl.FileSystemAccessRule -ArgumentList WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None 
Allow" value of type "System.String" to type "System.Security.AccessControl.FileSystemAccessRule"."

编辑

尝试Stephen的建议，用引号将整个新对象括起来，然后出现以下错误：

New-Object : Cannot convert argument "1", with value: "System.Object[]", for "FileSystemAccessRule" to type 
"System.Security.AccessControl.FileSystemRights": "Cannot convert value 
"ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit, 
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" to 
type "System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name 
ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit, 
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions to a 
valid enumerator name.  Specify one of the following enumerator names and try again: ListDirectory, ReadData, WriteData, 
CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, 
DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, 
ChangePermissions, TakeOwnership, Synchronize, FullControl""

Cannot convert argument "rule", with value: "New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 
WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None Allow", for "SetAccessRule" to type 
"System.Security.AccessControl.FileSystemAccessRule": "Cannot convert the "New-Object -TypeName 
System.Security.AccessControl.FileSystemAccessRule -ArgumentList WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None 
Allow" value of type "System.String" to type "System.Security.AccessControl.FileSystemAccessRule"."

编辑

错误消失了，但我仍然没有看到任何组添加到

$path6

的安全属性中

理论上，我还可以通过这样做添加所有权限：

---

$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]“遍历、Executefile、ListDirectory、ReadData、ReadAttributes、ReadExtendedAttributes、CreateFiles、WriteData、CreateDirectory、AppendData、WriteAttributes、WriteExtendedAttributes、DeleteSubdirectories和Files、ReadPermissions”

您在参数中忘记了

$FileSystemAccessRights

$permission =  $groupdomain, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl

编辑，删除双引号

您还有两个问题：

首先创建一个$principal对象

$principal = New-Object System.Security.Principal.NTAccount($groupdomain)

然后尝试减少$FileSystemAccessRights，因为它有问题，尝试一些简单的方法，比如读/写访问

$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Read, Write"

更新变量$permission的创建以包括主体：

$permission = $principal, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl

新对象：找不到“FileSystemAccessRule”和参数计数“5”的重载

此错误的解决方案是展开变量时不使用字符串（字符串周围没有引号）。因此，字符串变量中的任何COMA都被解析为参数

Powershell可以使用

@

子句将变量扩展为字符串

解决方案： 请注意，我以其他方式使用函数，因为OP post和OP忘记将

$secgroup

变量传递给函数。

---

根据我的经验，这是在powershell中设置ACL最可靠的方法。

感谢您指出这一点。我修改了脚本，仍然收到类似的错误消息。有什么想法吗？是的，请尝试删除双引号，我更新了答案。看起来第一个参数是$FileSystemAccessRights，应该是$groupdomain，如答案中所示。我将我的

$permission

变量完全替换为您的变量。似乎是出于某种原因，将大多数参数读取为一个字符串？@MickyBalledelli我发现对于

$FileSystemAccessRights

变量，您的语法与我的不同。我在每个权限属性周围使用了双引号，而您只使用它们对所有属性进行分组（例如，

“读，写”

）。我在我的线路上做了同样的事情，它成功了<代码>$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]“遍历、Executefile、ListDirectory、ReadData、ReadAttributes、ReadExtendedAttributes、CreateFiles、WriteData、CreateDirectory、AppendData、WriteAttributes、WriteExtendedAttributes、DeleteSubdirectories和Files、ReadPermissions”您是否尝试将$permission括在新对象行的括号中？您也可以在整个New Object子句周围加括号。@StephenGTuggy我试过了，然后更新了我的问题。 $InheritanceFlags = "ContainerInherit, ObjectInherit" $FileSystemAccessRights = "Traverse,Executefile,ListDirectory,ReadData, ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" . etc... # Region: Set permissions Write-Host "Setting permissions..." # get permissions $acl = Get-Acl -Path $path6 # add a new permission $user = $secgroup $InheritanceFlags="ContainerInherit, ObjectInherit" $FileSystemAccessRights="Traverse,Executefile,ListDirectory,ReadData, ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" $PropagationFlags="None" $AccessControl="Allow" $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(@($user), @($FileSystemAccessRights), @($InheritanceFlags), @($PropagationFlags), @($AccessControl)) $acl.SetAccessRule($rule) #set new permissions path6.SetAccessControl($acl)