PowerShell Set-Acl New-Object:找不到 "FileSystemAccessRule" 和参数计数的重载:“4”
PowerShell Set-Acl New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "4"
我完成了脚本的所有部分,包括创建目录名称、根据预定义的目录结构创建目录、根据附加到硬编码名称的项目编号创建 AD 组,然后添加组到特定目录,并为该组设置 ACL。
我似乎无法绕过错误:
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "4".
这是脚本:
$domain="DOMAIN"
$tldn="net"
$pathArr=@()
$pathArr+=$path1=Read-Host -Prompt "Enter first path"
$pathArr+=$path2=Read-Host -Prompt "Enter second path"
[int]$projectNumber=try { Read-Host -Prompt "Enter project number" } catch { Write-Host "Not a numeric value. Please try again."; exit }
[string]$mainFolder=[string]${projectNumber}+"_"+(Read-Host -Prompt "Please give the main folder name")
$projectNumberString=[string]$projectNumber
$projectName=Read-Host -Prompt "Please give the project name"
$fullProjectName="${projectNumberString}_${projectName}"
$pathArr+=$path3="$path1$mainFolder"
$pathArr+=$path4="$path2$mainFolder"
$pathArr+=$path5="$path3$fullProjectName"
$pathArr+=$path6="$path4$fullProjectName"
# Region: Create organizational units in Active Directory
# Names
$ouN1="XYZOU"
$ouN2="ABCOU"
# Paths
$ouP0="DC=$domain,DC=$tldn"
$ouP1="OU=$ouN1,$ouP0"
$ouP2="OU=$ouN2,$ouP1"
Write-Host "Checking for required origanization units..."
try
{
New-ADOrganizationalUnit -Name $ouN1 -Path $ouP1
New-ADOrganizationalUnit -Name $ouN2 -Path $ouP2
}
catch
{
Out-Null
}
Write-Host "Creating AD Group..."
[string]$group="BEST_${projectNumberString}"
$groupdomain="$domain$group"
$ADGroupParams= @{
'Name' = "$group"
'SamAccountName' = "$group"
'GroupCategory' = "Security"
'GroupScope' = "Global"
'DisplayName' = "$group"
'Path' = "OU=MyBusinessOU,DC=$domain,DC=$tldn"
'Description' = "Test share"
}
$secgroup=New-ADGroup @ADGroupParams
# Region: Set permissions
Write-Host "Setting permissions..."
# get permissions
$acl = Get-Acl -Path $path6
# add a new permission
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions"
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]”None”
$AccessControl=[System.Security.AccessControl.AccessControlType]”Allow”
$permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
# set new permissions
$acl | Set-Acl -Path $path6
同样,我正在尝试在 Windows 环境
的 Active Directory 中执行我通常会手动执行的操作
- 创建广告组
- 将组添加到共享
- 设置群组权限
- 此脚本不会将用户添加到组
最后也是最后一步是设置权限;不幸的是,当我 运行 脚本、更改语法或方法(以下几篇在线文章中的示例)并在这上面花费数小时时,我没有取得任何进展。唯一的进步是它不能超载的数量从 18 个减少到 4 个。
提前感谢您的帮助!
编辑
我根据指出我错过了 $FileSystemAccessRights
论点的评论修改了脚本。
$permission
变量更改为:
$permission = "$groupdomain", "$FileSystemAccessRights", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
我仍然得到这个输出:
New-Object : Cannot convert argument "1", with value: "ExecuteFile Executefile ListDirectory ReadData ReadAttributes
ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData WriteAttributes
WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions", for "FileSystemAccessRule" to type
"System.Security.AccessControl.FileSystemRights": "Cannot convert value "ExecuteFile Executefile ListDirectory ReadData
ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions" to type
"System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name ExecuteFile Executefile ListDirectory
ReadData ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions to a valid enumerator name. Specify one of the
following enumerator names and try again: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData,
ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes,
WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize,
FullControl""
编辑
我尝试从变量中删除引号,因为似乎除了 $groupdomain
之外每个变量都已经有引号,然后出现此错误:
New-Object : Cannot convert argument "1", with value: "System.Object[]", for "FileSystemAccessRule" to type
"System.Security.AccessControl.FileSystemRights": "Cannot convert value
"ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit,
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" to
type "System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name
ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit,
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions to a
valid enumerator name. Specify one of the following enumerator names and try again: ListDirectory, ReadData, WriteData,
CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,
DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify,
ChangePermissions, TakeOwnership, Synchronize, FullControl""
编辑
尝试了 Stephen 的建议,用引号将整个 New-Object 括起来,然后出现此错误:
Cannot convert argument "rule", with value: "New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList
WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None Allow", for "SetAccessRule" to type
"System.Security.AccessControl.FileSystemAccessRule": "Cannot convert the "New-Object -TypeName
System.Security.AccessControl.FileSystemAccessRule -ArgumentList WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None
Allow" value of type "System.String" to type "System.Security.AccessControl.FileSystemAccessRule"."
编辑
错误消失了,但我仍然没有看到任何组添加到 $path6
的安全属性中。
理论上,我也可以通过这样做来添加所有权限:
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse,Executefile,ListDirectory,ReadData, ReadAttributes, ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles, ReadPermissions"
您在参数中忘记了 $FileSystemAccessRights
$permission = $groupdomain, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl
编辑,删除双引号。
您还有两个问题:
首先创建一个$principal对象
$principal = New-Object System.Security.Principal.NTAccount($groupdomain)
然后尝试减少 $FileSystemAccessRights 因为它有问题,尝试一些简单的开始,比如 Read/Write 访问。
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Read, Write"
更新变量 $permission 的创建以包含主体:
$permission = $principal, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "5".
此错误的解决方案是扩展您的变量而不是字符串(字符串周围没有引号)。因此,字符串变量中的任何逗号都被解析为参数。
Powershell 可以使用 @
子句将变量扩展为字符串。
解决方案:
$permission = @($groupdomain), @($InheritanceFlags), @($PropagationFlags), @($AccessControl)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
但是,您在示例中所做的...
$permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
...有点重复造轮子,可能会导致您遇到的问题。此外,您在没有任何 ADuser 或 SID 的情况下传递了参数,这也会给您带来这些错误。
可靠的解决方案
也适用于这个问题:
PowerShell ACL Not Applying
首先,诸如
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions"
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]”None”
很冗长,很难说出你得到了什么(字符串、对象、枚举……)
由于这些属性的枚举已在这些属性的 EnumerationObjects 中设置,您可以按字面意义将字符串作为参数传递:
$InheritanceFlags = "ContainerInherit, ObjectInherit"
$FileSystemAccessRights = "Traverse,Executefile,ListDirectory,ReadData, ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions"
.
etc...
我在您创建的 $FileSystemAccessRights
数组中也遇到了错误的语句:
'ContainerInherit, ObjectInherit'
不应该在那里。这不是有效的枚举字符串。
参见:FileSystemRights-Enumeration
这就是您收到此错误的原因:
Unable to match the identifier name
用于 $FileSystemAccessRights
变量。
第二个,FileSystemAccessRule class 需要传递 3 或 5 个参数.
参见:FileSystemAccessRule-Class
- IdentityReference(SID 或来自 AD 的完整 samaccountname)
- FileSystemRights(以字符串括起来并用逗号分隔的枚举)
- [可选]InheritanceFlags
- [可选]PropagationFlags
- AccessControlType(字符串;如果是“拒绝”或“允许”)
确保你向它传递了 3 或 5 个参数,不多也不少。
第三种,靠谱的设置ACL:
# Region: Set permissions
Write-Host "Setting permissions..."
# get permissions
$acl = Get-Acl -Path $path6
# add a new permission
$user = $secgroup
$InheritanceFlags="ContainerInherit, ObjectInherit"
$FileSystemAccessRights="Traverse,Executefile,ListDirectory,ReadData, ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions"
$PropagationFlags="None"
$AccessControl="Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(@($user), @($FileSystemAccessRights), @($InheritanceFlags), @($PropagationFlags), @($AccessControl))
$acl.SetAccessRule($rule)
#set new permissions
path6.SetAccessControl($acl)
请注意,我以 OP 发布的其他方式使用函数,而 OP 忘记将 $secgroup
变量传递给函数。
根据我的经验,这是在 powershell 中设置 ACL 的最可靠方法。
我完成了脚本的所有部分,包括创建目录名称、根据预定义的目录结构创建目录、根据附加到硬编码名称的项目编号创建 AD 组,然后添加组到特定目录,并为该组设置 ACL。
我似乎无法绕过错误:
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "4".
这是脚本:
$domain="DOMAIN"
$tldn="net"
$pathArr=@()
$pathArr+=$path1=Read-Host -Prompt "Enter first path"
$pathArr+=$path2=Read-Host -Prompt "Enter second path"
[int]$projectNumber=try { Read-Host -Prompt "Enter project number" } catch { Write-Host "Not a numeric value. Please try again."; exit }
[string]$mainFolder=[string]${projectNumber}+"_"+(Read-Host -Prompt "Please give the main folder name")
$projectNumberString=[string]$projectNumber
$projectName=Read-Host -Prompt "Please give the project name"
$fullProjectName="${projectNumberString}_${projectName}"
$pathArr+=$path3="$path1$mainFolder"
$pathArr+=$path4="$path2$mainFolder"
$pathArr+=$path5="$path3$fullProjectName"
$pathArr+=$path6="$path4$fullProjectName"
# Region: Create organizational units in Active Directory
# Names
$ouN1="XYZOU"
$ouN2="ABCOU"
# Paths
$ouP0="DC=$domain,DC=$tldn"
$ouP1="OU=$ouN1,$ouP0"
$ouP2="OU=$ouN2,$ouP1"
Write-Host "Checking for required origanization units..."
try
{
New-ADOrganizationalUnit -Name $ouN1 -Path $ouP1
New-ADOrganizationalUnit -Name $ouN2 -Path $ouP2
}
catch
{
Out-Null
}
Write-Host "Creating AD Group..."
[string]$group="BEST_${projectNumberString}"
$groupdomain="$domain$group"
$ADGroupParams= @{
'Name' = "$group"
'SamAccountName' = "$group"
'GroupCategory' = "Security"
'GroupScope' = "Global"
'DisplayName' = "$group"
'Path' = "OU=MyBusinessOU,DC=$domain,DC=$tldn"
'Description' = "Test share"
}
$secgroup=New-ADGroup @ADGroupParams
# Region: Set permissions
Write-Host "Setting permissions..."
# get permissions
$acl = Get-Acl -Path $path6
# add a new permission
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions"
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]”None”
$AccessControl=[System.Security.AccessControl.AccessControlType]”Allow”
$permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
# set new permissions
$acl | Set-Acl -Path $path6
同样,我正在尝试在 Windows 环境
的 Active Directory 中执行我通常会手动执行的操作- 创建广告组
- 将组添加到共享
- 设置群组权限
- 此脚本不会将用户添加到组
最后也是最后一步是设置权限;不幸的是,当我 运行 脚本、更改语法或方法(以下几篇在线文章中的示例)并在这上面花费数小时时,我没有取得任何进展。唯一的进步是它不能超载的数量从 18 个减少到 4 个。
提前感谢您的帮助!
编辑
我根据指出我错过了 $FileSystemAccessRights
论点的评论修改了脚本。
$permission
变量更改为:
$permission = "$groupdomain", "$FileSystemAccessRights", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
我仍然得到这个输出:
New-Object : Cannot convert argument "1", with value: "ExecuteFile Executefile ListDirectory ReadData ReadAttributes
ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData WriteAttributes
WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions", for "FileSystemAccessRule" to type
"System.Security.AccessControl.FileSystemRights": "Cannot convert value "ExecuteFile Executefile ListDirectory ReadData
ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions" to type
"System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name ExecuteFile Executefile ListDirectory
ReadData ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions to a valid enumerator name. Specify one of the
following enumerator names and try again: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData,
ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes,
WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize,
FullControl""
编辑
我尝试从变量中删除引号,因为似乎除了 $groupdomain
之外每个变量都已经有引号,然后出现此错误:
New-Object : Cannot convert argument "1", with value: "System.Object[]", for "FileSystemAccessRule" to type
"System.Security.AccessControl.FileSystemRights": "Cannot convert value
"ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit,
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" to
type "System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name
ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit,
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions to a
valid enumerator name. Specify one of the following enumerator names and try again: ListDirectory, ReadData, WriteData,
CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,
DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify,
ChangePermissions, TakeOwnership, Synchronize, FullControl""
编辑
尝试了 Stephen 的建议,用引号将整个 New-Object 括起来,然后出现此错误:
Cannot convert argument "rule", with value: "New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList
WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None Allow", for "SetAccessRule" to type
"System.Security.AccessControl.FileSystemAccessRule": "Cannot convert the "New-Object -TypeName
System.Security.AccessControl.FileSystemAccessRule -ArgumentList WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None
Allow" value of type "System.String" to type "System.Security.AccessControl.FileSystemAccessRule"."
编辑
错误消失了,但我仍然没有看到任何组添加到 $path6
的安全属性中。
理论上,我也可以通过这样做来添加所有权限:
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse,Executefile,ListDirectory,ReadData, ReadAttributes, ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles, ReadPermissions"
您在参数中忘记了 $FileSystemAccessRights
$permission = $groupdomain, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl
编辑,删除双引号。
您还有两个问题:
首先创建一个$principal对象
$principal = New-Object System.Security.Principal.NTAccount($groupdomain)
然后尝试减少 $FileSystemAccessRights 因为它有问题,尝试一些简单的开始,比如 Read/Write 访问。
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Read, Write"
更新变量 $permission 的创建以包含主体:
$permission = $principal, $FileSystemAccessRights, $InheritanceFlags, $PropagationFlags, $AccessControl
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "5".
此错误的解决方案是扩展您的变量而不是字符串(字符串周围没有引号)。因此,字符串变量中的任何逗号都被解析为参数。
Powershell 可以使用 @
子句将变量扩展为字符串。
解决方案:
$permission = @($groupdomain), @($InheritanceFlags), @($PropagationFlags), @($AccessControl) $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
但是,您在示例中所做的...
$permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
...有点重复造轮子,可能会导致您遇到的问题。此外,您在没有任何 ADuser 或 SID 的情况下传递了参数,这也会给您带来这些错误。
可靠的解决方案
也适用于这个问题:
PowerShell ACL Not Applying
首先,诸如
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit” $FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions" $InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit” $PropagationFlags=[System.Security.AccessControl.PropagationFlags]”None”
很冗长,很难说出你得到了什么(字符串、对象、枚举……) 由于这些属性的枚举已在这些属性的 EnumerationObjects 中设置,您可以按字面意义将字符串作为参数传递:
$InheritanceFlags = "ContainerInherit, ObjectInherit" $FileSystemAccessRights = "Traverse,Executefile,ListDirectory,ReadData, ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" . etc...
我在您创建的 $FileSystemAccessRights
数组中也遇到了错误的语句:
'ContainerInherit, ObjectInherit'
不应该在那里。这不是有效的枚举字符串。
参见:FileSystemRights-Enumeration
这就是您收到此错误的原因:
Unable to match the identifier name
用于 $FileSystemAccessRights
变量。
第二个,FileSystemAccessRule class 需要传递 3 或 5 个参数.
参见:FileSystemAccessRule-Class
- IdentityReference(SID 或来自 AD 的完整 samaccountname)
- FileSystemRights(以字符串括起来并用逗号分隔的枚举)
- [可选]InheritanceFlags
- [可选]PropagationFlags
- AccessControlType(字符串;如果是“拒绝”或“允许”)
确保你向它传递了 3 或 5 个参数,不多也不少。
第三种,靠谱的设置ACL:
# Region: Set permissions Write-Host "Setting permissions..." # get permissions $acl = Get-Acl -Path $path6 # add a new permission $user = $secgroup $InheritanceFlags="ContainerInherit, ObjectInherit" $FileSystemAccessRights="Traverse,Executefile,ListDirectory,ReadData, ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" $PropagationFlags="None" $AccessControl="Allow" $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(@($user), @($FileSystemAccessRights), @($InheritanceFlags), @($PropagationFlags), @($AccessControl)) $acl.SetAccessRule($rule) #set new permissions path6.SetAccessControl($acl)
请注意,我以 OP 发布的其他方式使用函数,而 OP 忘记将 $secgroup
变量传递给函数。
根据我的经验,这是在 powershell 中设置 ACL 的最可靠方法。