SET-ACL 文件夹权限未正确应用于我的 PowerShell 脚本
SET-ACL folder permissions not applying correctly with my PowerShell script
我有两个脚本:第一个创建一个新的根文件夹,第二个创建一个新的子文件夹。
它大部分工作正常,但是当继承的权限被下拉到子文件夹时,权限不会显示在“安全”选项卡上。但是,如果我检查高级权限正确显示...
这似乎导致了问题,因为继承的权限似乎没有正确应用于文件夹。
我做错了什么?
用图片说明一下:
这是我的两个脚本:
Root/Parent 文件夹创建:
# Create initial ACE
# Create the initial Object
# Set domain - This could also be changed to prompt for domain if we decide it is needed
# Define local Administrators group by Well Known SID
# Set additional ACEs for the new AD File Share Groups
# Set ACLs on the new folder
function New-Ace {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, Position=0)]
[Security.Principal.NTAccount]$Account,
[Parameter(Mandatory=$false, Position=1)]
[Security.AccessControl.FileSystemRights]$Permissions = 'ReadAndExecute',
[Parameter(Mandatory=$false, Position=2)]
[Security.AccessControl.InheritanceFlags]$InheritanceFlags = 'ContainerInherit,ObjectInherit',
[Parameter(Mandatory=$false, Position=3)]
[Security.AccessControl.PropagationFlags]$PropagationFlags = 'NoPropagateInherit',
[Parameter(Mandatory=$false, Position=4)]
[Security.AccessControl.AccessControlType]$Type = 'Allow'
)
New-Object Security.AccessControl.FileSystemAccessRule(
$Account, $Permissions, $InheritanceFlags, $PropagationFlags, $Type
)
}
$domain = 'ESG.INTL'
$administrators = ([wmi]"Win32_Sid.Sid='S-1-5-32-544'").AccountName
$ADDomainUsers = "$domain\Domain Users"
$acl = Get-Acl $path
$administrators, "$domain\Domain Admins" | ForEach-Object {
$acl.AddAccessRule((New-Ace $_ 'FullControl'))
}
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute'))
$acl.AddAccessRule((New-Ace $ADDomainUsers 'ReadAndExecute'))
$acl.SetAccessRuleProtection($true, $false)
Set-Acl $path $acl
子文件夹创建:
# Create initial ACE
# Create the initial Object
# Set domain - This could also be changed to prompt for domain if we decide it is needed
# Define local Administrators group by Well Known SID
# Set additional ACEs for the new AD File Share Groups
# Set ACLs on the new folder
function New-Ace {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, Position=0)]
[Security.Principal.NTAccount]$Account,
[Parameter(Mandatory=$false, Position=1)]
[Security.AccessControl.FileSystemRights]$Permissions = 'ReadAndExecute',
[Parameter(Mandatory=$false, Position=2)]
[Security.AccessControl.InheritanceFlags]$InheritanceFlags = 'ContainerInherit,ObjectInherit',
[Parameter(Mandatory=$false, Position=3)]
[Security.AccessControl.PropagationFlags]$PropagationFlags = 'NoPropagateInherit',
[Parameter(Mandatory=$false, Position=4)]
[Security.AccessControl.AccessControlType]$Type = 'Allow'
)
New-Object Security.AccessControl.FileSystemAccessRule(
$Account, $Permissions, $InheritanceFlags, $PropagationFlags, $Type
)
}
$acl = Get-Acl $path
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute'))
Set-Acl $path $acl
我发现我做错了什么;我误解了传播标志以及它们如何应用于子文件夹和文件。本质上,我需要在两个脚本上将其设置为 NONE 才能按我想要的方式工作:
[Security.AccessControl.PropagationFlags]$PropagationFlags = 'None',
这允许两个文件夹继承并适当地向下应用每个级别的权限。
我有两个脚本:第一个创建一个新的根文件夹,第二个创建一个新的子文件夹。
它大部分工作正常,但是当继承的权限被下拉到子文件夹时,权限不会显示在“安全”选项卡上。但是,如果我检查高级权限正确显示...
这似乎导致了问题,因为继承的权限似乎没有正确应用于文件夹。
我做错了什么? 用图片说明一下:
这是我的两个脚本:
Root/Parent 文件夹创建:
# Create initial ACE
# Create the initial Object
# Set domain - This could also be changed to prompt for domain if we decide it is needed
# Define local Administrators group by Well Known SID
# Set additional ACEs for the new AD File Share Groups
# Set ACLs on the new folder
function New-Ace {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, Position=0)]
[Security.Principal.NTAccount]$Account,
[Parameter(Mandatory=$false, Position=1)]
[Security.AccessControl.FileSystemRights]$Permissions = 'ReadAndExecute',
[Parameter(Mandatory=$false, Position=2)]
[Security.AccessControl.InheritanceFlags]$InheritanceFlags = 'ContainerInherit,ObjectInherit',
[Parameter(Mandatory=$false, Position=3)]
[Security.AccessControl.PropagationFlags]$PropagationFlags = 'NoPropagateInherit',
[Parameter(Mandatory=$false, Position=4)]
[Security.AccessControl.AccessControlType]$Type = 'Allow'
)
New-Object Security.AccessControl.FileSystemAccessRule(
$Account, $Permissions, $InheritanceFlags, $PropagationFlags, $Type
)
}
$domain = 'ESG.INTL'
$administrators = ([wmi]"Win32_Sid.Sid='S-1-5-32-544'").AccountName
$ADDomainUsers = "$domain\Domain Users"
$acl = Get-Acl $path
$administrators, "$domain\Domain Admins" | ForEach-Object {
$acl.AddAccessRule((New-Ace $_ 'FullControl'))
}
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute'))
$acl.AddAccessRule((New-Ace $ADDomainUsers 'ReadAndExecute'))
$acl.SetAccessRuleProtection($true, $false)
Set-Acl $path $acl
子文件夹创建:
# Create initial ACE
# Create the initial Object
# Set domain - This could also be changed to prompt for domain if we decide it is needed
# Define local Administrators group by Well Known SID
# Set additional ACEs for the new AD File Share Groups
# Set ACLs on the new folder
function New-Ace {
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, Position=0)]
[Security.Principal.NTAccount]$Account,
[Parameter(Mandatory=$false, Position=1)]
[Security.AccessControl.FileSystemRights]$Permissions = 'ReadAndExecute',
[Parameter(Mandatory=$false, Position=2)]
[Security.AccessControl.InheritanceFlags]$InheritanceFlags = 'ContainerInherit,ObjectInherit',
[Parameter(Mandatory=$false, Position=3)]
[Security.AccessControl.PropagationFlags]$PropagationFlags = 'NoPropagateInherit',
[Parameter(Mandatory=$false, Position=4)]
[Security.AccessControl.AccessControlType]$Type = 'Allow'
)
New-Object Security.AccessControl.FileSystemAccessRule(
$Account, $Permissions, $InheritanceFlags, $PropagationFlags, $Type
)
}
$acl = Get-Acl $path
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute'))
Set-Acl $path $acl
我发现我做错了什么;我误解了传播标志以及它们如何应用于子文件夹和文件。本质上,我需要在两个脚本上将其设置为 NONE 才能按我想要的方式工作:
[Security.AccessControl.PropagationFlags]$PropagationFlags = 'None',
这允许两个文件夹继承并适当地向下应用每个级别的权限。