I would like to be able to manage user access remotely via WMI. Specifically, I want to grant a particular application pool identity full access to a particular folder. For this I wrote a proof-of-concept script, and it seems to work fine.
```powershell
$DomainName         = "IIS APPPOOL"
$UserName           = "MyAppPoolName"
$FolderPath         = "E:\wwwroot\WebsiteFolder"
$RemoteComputerName = "RemoteWebServer"

# AccessMask values (NTFS access rights from the Win32 ACCESS_MASK)
$FILE_READ_DATA        = 0x000001
$FILE_WRITE_DATA       = 0x000002
$FILE_APPEND_DATA      = 0x000004
$FILE_READ_EA          = 0x000008
$FILE_WRITE_EA         = 0x000010
$FILE_EXECUTE          = 0x000020
$FILE_TRAVERSE         = 0x000020   # same bit as FILE_EXECUTE; "traverse" is its meaning on directories
$FILE_DELETE_CHILD     = 0x000040
$FILE_READ_ATTRIBUTES  = 0x000080
$FILE_WRITE_ATTRIBUTES = 0x000100
$DELETE                = 0x010000
$READ_CONTROL          = 0x020000
$WRITE_DAC             = 0x040000
$WRITE_OWNER           = 0x080000
$SYNCHRONIZE           = 0x100000

# AccessMask shortcuts. Flags are combined with -bor instead of +, so listing a
# flag twice cannot silently produce a wrong mask.
$NTFSfullcontrol = $FILE_READ_DATA -bor $FILE_WRITE_DATA -bor $FILE_APPEND_DATA -bor $FILE_READ_EA -bor $FILE_WRITE_EA -bor
    $FILE_EXECUTE -bor $FILE_DELETE_CHILD -bor $FILE_READ_ATTRIBUTES -bor $FILE_WRITE_ATTRIBUTES -bor
    $DELETE -bor $READ_CONTROL -bor $SYNCHRONIZE -bor $WRITE_DAC -bor $WRITE_OWNER
$NTFSchange = $FILE_READ_DATA -bor $FILE_WRITE_DATA -bor $FILE_APPEND_DATA -bor $FILE_READ_EA -bor $FILE_WRITE_EA -bor
    $FILE_EXECUTE -bor $FILE_READ_ATTRIBUTES -bor $FILE_WRITE_ATTRIBUTES -bor
    $DELETE -bor $READ_CONTROL -bor $SYNCHRONIZE
$NTFSread = $FILE_READ_DATA -bor $FILE_READ_EA -bor $FILE_EXECUTE -bor $FILE_READ_ATTRIBUTES -bor $READ_CONTROL -bor $SYNCHRONIZE

# Trustee: the user/group to give permissions to
$trustee = ([wmiclass]'Win32_Trustee').psbase.CreateInstance()
$trustee.Domain = $DomainName
$trustee.Name   = $UserName

# ACE: an "allow" entry (AceType 0 = ACCESS_ALLOWED_ACE_TYPE) for full control,
# inherited by child files and folders
# (AceFlags 3 = OBJECT_INHERIT_ACE 0x1 -bor CONTAINER_INHERIT_ACE 0x2)
$ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
$ace.AccessMask = $NTFSfullcontrol
$ace.AceFlags   = 3
$ace.AceType    = 0
$ace.Trustee    = $trustee

# Read the existing security descriptor of the folder
# (backslashes in the path must be doubled inside a WQL filter)
$wmiPath  = $FolderPath.Replace("\", "\\")
$settings = Get-WmiObject -Class Win32_LogicalFileSecuritySetting -Filter "Path='$wmiPath'" -ComputerName $RemoteComputerName
$security = $settings.GetSecurityDescriptor()
if ($security.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with return value $($security.ReturnValue)" }

# New security descriptor containing the access: the new ACE followed by a copy
# of the existing ACEs, keeping the current owner and group
# (ControlFlags 4 = SE_DACL_PRESENT)
$sd = ([wmiclass]'Win32_SecurityDescriptor').psbase.CreateInstance()
$sd.ControlFlags = 4
$sd.DACL  = @($ace) + @($security.Descriptor.DACL)
$sd.Group = $security.Descriptor.Group
$sd.Owner = $security.Descriptor.Owner

# Change permissions: write only the DACL (Option 4 = CHANGE_DACL_SECURITY_INFORMATION)
$folder = Get-WmiObject -Class Win32_Directory -Filter "Name='$wmiPath'" -ComputerName $RemoteComputerName
$result = $folder.ChangeSecurityPermissions($sd, 4)
if ($result.ReturnValue -ne 0) { throw "ChangeSecurityPermissions failed with return value $($result.ReturnValue)" }
```
Although the script does what I want, there is a "side effect". After running it, if I try to delete the folder, a message appears:
**This folder is shared with other people**
If you delete this folder, it will no longer be shared
Folder: E:\wwwroot\WebsiteFolder
Share Name: WebsiteFolder
Even stranger: if I open the folder's properties and look at the Sharing tab, it says the folder is not shared. Even under Advanced Sharing, the "Share this folder" box is unchecked. Does anyone know why this happens? Thanks, // Francesco
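The two checks a practitioner would run on the remote server before interpreting that dialog, as an added example that is not part of the original post: first, whether any real SMB share (Win32_Share) actually exposes the folder, since the Explorer message and the Sharing tab disagree; second, a read-back of the DACL written by the script, so the resulting ACEs can be audited and the app pool identity's full-control entry (0x1F01FF, the same bits the script's $NTFSfullcontrol combines) confirmed. The variable values are assumed to be the same as in the script above.

```powershell
# Added verification (not from the original post). Assumes the same values as the script.
$FolderPath         = "E:\wwwroot\WebsiteFolder"
$RemoteComputerName = "RemoteWebServer"
$DomainName         = "IIS APPPOOL"
$UserName           = "MyAppPoolName"
$wmiPath            = $FolderPath.Replace("\", "\\")

# 1. Is there an actual SMB share whose local path is this folder or one of its parents?
#    Win32_Share lists every share on the server with its local path; IPC$ has no path
#    and is skipped. Administrative shares such as E$ (path E:\) will match too.
$shares = Get-WmiObject -Class Win32_Share -ComputerName $RemoteComputerName |
    Where-Object { $_.Path -and $FolderPath.StartsWith($_.Path, [StringComparison]::OrdinalIgnoreCase) }
if ($shares) {
    $shares | ForEach-Object { "SMB share '$($_.Name)' exposes $($_.Path)" }
} else {
    "No SMB share covers $FolderPath"
}

# 2. Read the DACL back and list each ACE: trustee, allow/deny, mask, flags,
#    and whether the ACE was inherited from a parent (INHERITED_ACE = 0x10).
$settings = Get-WmiObject -Class Win32_LogicalFileSecuritySetting -Filter "Path='$wmiPath'" -ComputerName $RemoteComputerName
$security = $settings.GetSecurityDescriptor()
if ($security.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with return value $($security.ReturnValue)" }

$security.Descriptor.DACL | ForEach-Object {
    [pscustomobject]@{
        Trustee    = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
        Type       = $(if ($_.AceType -eq 0) { 'Allow' } else { 'Deny' })
        AccessMask = ('0x{0:X6}' -f $_.AccessMask)
        AceFlags   = $_.AceFlags
        Inherited  = [bool]($_.AceFlags -band 0x10)
    }
} | Format-Table -AutoSize

# 3. Confirm the app pool identity holds an explicit "allow" ACE with full control.
#    0x1F01FF = FILE_ALL_ACCESS: the nine FILE_* bits (0x1FF), the four standard
#    rights DELETE/READ_CONTROL/WRITE_DAC/WRITE_OWNER (0xF0000) and SYNCHRONIZE (0x100000).
$fullControl = 0x1F01FF
$hit = $security.Descriptor.DACL | Where-Object {
    $_.Trustee.Domain -eq $DomainName -and $_.Trustee.Name -eq $UserName -and
    $_.AceType -eq 0 -and (($_.AccessMask -band $fullControl) -eq $fullControl) -and
    -not ($_.AceFlags -band 0x10)
}
if ($hit) {
    "$DomainName\$UserName has explicit full control on $FolderPath"
} else {
    "No explicit full-control ACE for $DomainName\$UserName found on $FolderPath"
}
```

Running the first check against the server tells you whether the folder is in fact reachable over SMB (which would be a real exposure of the web root) or whether only Explorer's dialog calls it "shared"; the second and third checks confirm that the script wrote exactly the one explicit ACE intended and nothing else changed in the list.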