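How to create a folder, share it and apply NTFS permissions

Time: 2013-12-02 16:53:37

Tags: powershell

As a PowerShell newbie, I have tried to put together the following script from various TechNet script examples: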

$FolderPath = 'c:\folder'

$Shares=[WMICLASS]'WIN32_Share'

$ShareName='Home$'

New-Item -type directory -Path $FolderPath

$Shares.Create($FolderPath,$ShareName,0)

$Acl = Get-Acl $FolderPath
$Acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.AddAccessRule($rule)

Set-Acl $FolderPath $Acl
Get-Acl $FolderPath  | Format-List

The script above works well for creating the folder, and it sets the permissions to:

Share: Everyone "Full"
NTFS: Users "Read"

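I can't seem to figure out how to apply the following permissions; I am struggling with the parameters of System.SecurityControl.FileSystemAccessRule to set the following NTFS permissions.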

Set Share permissions:  
Authenticated Users: change
Administrators: full control

Set NTFS permissions: 
Administrators: full control
SYSTEM: full control
Authenticated users: list folder/read data & create folders/append data, this folder only
Creator/Owner: full control, subfolders and files only  

Any help would be greatly appreciated. Thanks in advance.

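1 Answer:

Answer 0: (score: 0)

If you had tried searching, you could have solved this yourself. I previously created an answer here for share permissions, and NTFS permissions are easy to find. Try this: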

#Local path
$FolderPath = 'c:\folder'

$Shares=[WMICLASS]'WIN32_Share'
#Share name
$ShareName='Home$'

#Create folder
New-Item -type directory -Path $FolderPath

#Create share rights

#Define a trustee (person/group to give access right)
$trustee = ([wmiclass]'Win32_trustee').psbase.CreateInstance()
$trustee.Domain = "NT Authority"
$trustee.Name = "Authenticated Users"

#Define an access control entry (permission-entry)
$ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
#Modify-rights
$ace.AccessMask = 1245631
#Inheritance for folders and files
$ace.AceFlags = 3
$ace.AceType = 0
#Assign rights to Authenticated users ($trustee)
$ace.Trustee = $trustee

$trustee2 = ([wmiclass]'Win32_trustee').psbase.CreateInstance()
$trustee2.Domain = "BUILTIN"  #Or domain name
$trustee2.Name = "Administrators"

$ace2 = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
#Full control
$ace2.AccessMask = 2032127
$ace2.AceFlags = 3
$ace2.AceType = 0
#Assign rights to Administrators ($trustee2)
$ace2.Trustee = $trustee2

#Create ACL/security descriptor. This is the security-definitions that you set on the share.
$sd = ([wmiclass]'Win32_SecurityDescriptor').psbase.CreateInstance()
#Specify that a DACL (ACL/security/permissions) are available, so the share isn't set to full access for everyone
$sd.ControlFlags = 4
#Add our rules
$sd.DACL = $ace, $ace2
#Set Administrators ($trustee2) as owner and group of ITEM (will be the share)
$sd.group = $trustee2
$sd.owner = $trustee2

#Create share with the security rules
$shares.create($FolderPath, $ShareName, 0, 100, "Description", "", $sd) | Out-Null

#Get NTFS permissions
$Acl = Get-Acl $FolderPath
#Disable inheritance and clear permissions
$Acl.SetAccessRuleProtection($True, $False)
#Define NTFS rights
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('SYSTEM','FullControl','ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users",@("ReadData", "AppendData", "Synchronize"), "None", "None", "Allow")
$Acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER','FullControl','ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
$Acl.AddAccessRule($rule)

#Save ACL changes (NTFS permissions)
Set-Acl $FolderPath $Acl | Out-Null
#Show ACL so user can verify changes
Get-Acl $FolderPath  | Format-List
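
The following is an added example, not part of the original question or answer: it audits the folder and share created above against the permission list in the question, and decodes the share access masks (1245631, 2032127) into named rights. The helper names Test-FolderAcl and Get-ShareAce are hypothetical; it assumes Windows PowerShell 3.0 or later and matches trustees by well-known SID so that it does not depend on localized account names.

```powershell
# Added audit example; Test-FolderAcl and Get-ShareAce are hypothetical helper names.
$FolderPath = 'c:\folder'   # path and share name as used on this page
$ShareName  = 'Home$'
# Intended NTFS entries from the question, keyed by well-known SID
$expected = @(
    @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl'; Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'None' }         # Administrators
    @{ Sid = 'S-1-5-18';     Rights = 'FullControl'; Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'None' }         # SYSTEM
    @{ Sid = 'S-1-5-11';     Rights = 'ReadData, AppendData, Synchronize'; Inherit = 'None'; Prop = 'None' }              # Authenticated Users, this folder only
    @{ Sid = 'S-1-3-0';      Rights = 'FullControl'; Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'InheritOnly' }  # CREATOR OWNER, subfolders and files only
)

function Test-FolderAcl {
    param([string]$Path, [hashtable[]]$Expected)
    $acl   = Get-Acl -Path $Path
    # Explicit and inherited rules, with trustees returned as SIDs instead of names
    $rules = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) { $findings += 'Inheritance from the parent is still enabled' }
    foreach ($e in $Expected) {
        $match = $rules | Where-Object {
            $_.IdentityReference.Value -eq $e.Sid -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights  -eq [System.Security.AccessControl.FileSystemRights]$e.Rights -and
            $_.InheritanceFlags  -eq [System.Security.AccessControl.InheritanceFlags]$e.Inherit -and
            $_.PropagationFlags  -eq [System.Security.AccessControl.PropagationFlags]$e.Prop
        }
        if (-not $match) { $findings += "Missing or different entry for $($e.Sid)" }
    }
    # A trustee outside the intended set (a leftover Users or Everyone entry) is a deviation
    $allowed = $Expected | ForEach-Object { $_.Sid }
    foreach ($r in $rules) {
        if ($allowed -notcontains $r.IdentityReference.Value) {
            $findings += "Unexpected entry: $($r.IdentityReference.Value) $($r.FileSystemRights)"
        }
    }
    $findings   # empty output means the NTFS DACL matches the intended list
}

function Get-ShareAce {
    param([string]$Name)
    $sd = (Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Name'").GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        [pscustomobject]@{
            Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Rights  = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask   # turns the numeric mask into rights names
        }
    }
}

Test-FolderAcl -Path $FolderPath -Expected $expected
Get-ShareAce -Name $ShareName | Format-Table -AutoSize
```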