创建注册表项和值,禁用继承设置无权限
Create Registry key and values, disable inheritance set no permissions
我正在尝试创建一个注册表项和一些值,然后关闭继承并设置权限(实际上是没有权限)在您创建键和值时是否可以这样做?
我看到很多关于将继承设置为打开的帖子,但没有看到太多关于将其关闭和不设置权限的帖子。我意识到"why would you want to do this?"但这是合作伙伴的要求。
下面的代码创建了对象,但似乎没有对权限进行任何操作。虽然它不是最终状态,但它什么也不做,因为继承已打开。
所以我需要的是禁用继承并且不设置任何权限。
$ResgistryKeyPath = "HKLM:\Software\Policies\Microsoft\Windows\RTestBob"
New-Item $ResgistryKeyPath -Force
New-ItemProperty -Path $ResgistryKeyPath -Propertytype DWORD -Name
Deny_Write -Value 1 -Force | Out-Null
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins", "FullControl", "Allow")
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("auth\me", "FullControl", "ObjectInherit,ContainerInherit", "None", "Allow")
这实际上是答案,从主要角度来看它确实有效。
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
#Set some variables
$RegistryKeyPath1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b"
$RegistryKeyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
$DisableInheritance=$true
$PreserveInheritanceIfDisabled =$True
#Create the registry keys
Try {
New-Item $RegistryKeyPath1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Write -Value 1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Read -Value 1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Execute -Value 1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath -propertyType DWORD -Name Deny_All -Value 1 -Force | Out-Null
}
Catch
{
[System.Windows.forms.MessageBox]::Show('Key exists and an error has occured. Please check the registry manually in this location','Error','OKCancel','Error') ; exit
}
Try {
#Remove Inheritance - Inheritance is removed from both keys so that if one is done the other will have to be also.
$acl = Get-Acl $RegistryKeyPath1
$acl.SetAccessRuleProtection($DisableInheritance, $preserveInheritanceIfDisabled)
Set-Acl $RegistryKeyPath1 $acl
$acl1 = Get-Acl $RegistryKeyPath
$acl1.SetAccessRuleProtection($DisableInheritance, $preserveInheritanceIfDisabled)
Set-Acl $RegistryKeyPath $acl1
#Remove Permissions
$aclPerm1 = get-acl $RegistryKeyPath1
$aclPerm1.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath1 $aclPerm1
$aclPerm1.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath1 $aclperm1
$aclPerm = get-acl $RegistryKeyPath
$aclPerm.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath $aclPerm
$aclPerm.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath $aclperm
[System.Windows.forms.MessageBox]::Show('Successfully Implemented!','Success','OKCancel','Information')
}
Catch
{
[System.Windows.forms.MessageBox]::Show('An error has occured. Please check the registry manually in this location','Error','OKCancel','Error')
}
@Bob:非常感谢。我花了几个小时试图弄清楚为什么我的代码不起作用。看来和你一样,每次都要用一个新的acl对象。
我认为这是一个糟糕的 PowerShell 垃圾收集器。怎么不能回收变量?
所以,这行不通:
运行 代码第一次出现在控制台上。检查密钥的权限。他们应该没问题。
现在手动删除密钥并再次 运行 代码。将创建它们的密钥,但不会分配权限。
这是因为您重复使用了相同的变量。我猜它是 PowerShell 上的垃圾收集器。
我找到了一种更好的方法来避免对同一件事使用大量变量:
一种方法是使用函数。因此,您始终可以在本地定义 $acl。
第二种方法是在完成您使用 $acl 完成的任务后使用 "Remove-Variable"。例如,在 Bob 的代码中,您可以这样做:
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
#Set some variables
$RegistryKeyPath1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b"
$RegistryKeyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
$DisableInheritance=$true
$PreserveInheritanceIfDisabled=$true
#Create the registry keys
Try {
New-Item $RegistryKeyPath1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Write -Value 1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Read -Value 1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Execute -Value 1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath -propertyType DWORD -Name Deny_All -Value 1 -Force | Out-Null
}
Catch
{
[System.Windows.forms.MessageBox]::Show('Key exists and an error has occured. Please check the registry manually in this location','Error','OKCancel','Error') ; exit
}
Try {
#Remove Inheritance - Inheritance is removed from both keys so that if one is done the other will have to be also.
$acl = Get-Acl $RegistryKeyPath1
$acl.SetAccessRuleProtection($DisableInheritance, $preserveInheritanceIfDisabled)
Set-Acl $RegistryKeyPath1 $acl
Remove-Variable acl
$acl = Get-Acl $RegistryKeyPath
$acl.SetAccessRuleProtection($DisableInheritance, $preserveInheritanceIfDisabled)
Set-Acl $RegistryKeyPath $acl
Remove-Variable acl
#Remove Permissions
$acl = get-acl $RegistryKeyPath1
$acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath1 $acl
$acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath1 $acl
Remove-Variable acl
$acl = get-acl $RegistryKeyPath
$acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath $acl
$acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath $acl
Remove-Variable acl
[System.Windows.forms.MessageBox]::Show('Successfully Implemented!','Success','OKCancel','Information')
}
Catch
{
[System.Windows.forms.MessageBox]::Show('An error has occured. Please check the registry manually in this location','Error','OKCancel','Error')
}
这不是很好,但至少可以用。这应该记录在某处。
vbs 确实确实是一个更好的垃圾收集器。
我正在尝试创建一个注册表项和一些值,然后关闭继承并设置权限(实际上是没有权限)在您创建键和值时是否可以这样做?
我看到很多关于将继承设置为打开的帖子,但没有看到太多关于将其关闭和不设置权限的帖子。我意识到"why would you want to do this?"但这是合作伙伴的要求。
下面的代码创建了对象,但似乎没有对权限进行任何操作。虽然它不是最终状态,但它什么也不做,因为继承已打开。 所以我需要的是禁用继承并且不设置任何权限。
$ResgistryKeyPath = "HKLM:\Software\Policies\Microsoft\Windows\RTestBob"
New-Item $ResgistryKeyPath -Force
New-ItemProperty -Path $ResgistryKeyPath -Propertytype DWORD -Name
Deny_Write -Value 1 -Force | Out-Null
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins", "FullControl", "Allow")
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("auth\me", "FullControl", "ObjectInherit,ContainerInherit", "None", "Allow")
这实际上是答案,从主要角度来看它确实有效。
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
#Set some variables
$RegistryKeyPath1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b"
$RegistryKeyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
$DisableInheritance=$true
$PreserveInheritanceIfDisabled =$True
#Create the registry keys
Try {
New-Item $RegistryKeyPath1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Write -Value 1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Read -Value 1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Execute -Value 1 -Force | Out-Null
New-ItemProperty -path $RegistryKeyPath -propertyType DWORD -Name Deny_All -Value 1 -Force | Out-Null
}
Catch
{
[System.Windows.forms.MessageBox]::Show('Key exists and an error has occured. Please check the registry manually in this location','Error','OKCancel','Error') ; exit
}
Try {
#Remove Inheritance - Inheritance is removed from both keys so that if one is done the other will have to be also.
$acl = Get-Acl $RegistryKeyPath1
$acl.SetAccessRuleProtection($DisableInheritance, $preserveInheritanceIfDisabled)
Set-Acl $RegistryKeyPath1 $acl
$acl1 = Get-Acl $RegistryKeyPath
$acl1.SetAccessRuleProtection($DisableInheritance, $preserveInheritanceIfDisabled)
Set-Acl $RegistryKeyPath $acl1
#Remove Permissions
$aclPerm1 = get-acl $RegistryKeyPath1
$aclPerm1.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath1 $aclPerm1
$aclPerm1.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath1 $aclperm1
$aclPerm = get-acl $RegistryKeyPath
$aclPerm.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath $aclPerm
$aclPerm.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
set-acl $RegistryKeyPath $aclperm
[System.Windows.forms.MessageBox]::Show('Successfully Implemented!','Success','OKCancel','Information')
}
Catch
{
[System.Windows.forms.MessageBox]::Show('An error has occured. Please check the registry manually in this location','Error','OKCancel','Error')
}
@Bob:非常感谢。我花了几个小时试图弄清楚为什么我的代码不起作用。看来和你一样,每次都要用一个新的acl对象。
我认为这是一个糟糕的 PowerShell 垃圾收集器。怎么不能回收变量?
所以,这行不通:
运行 代码第一次出现在控制台上。检查密钥的权限。他们应该没问题。
现在手动删除密钥并再次 运行 代码。将创建它们的密钥,但不会分配权限。
这是因为您重复使用了相同的变量。我猜它是 PowerShell 上的垃圾收集器。
我找到了一种更好的方法来避免对同一件事使用大量变量:
一种方法是使用函数。因此,您始终可以在本地定义 $acl。
第二种方法是在完成您使用 $acl 完成的任务后使用 "Remove-Variable"。例如,在 Bob 的代码中,您可以这样做:
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') #Set some variables $RegistryKeyPath1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b" $RegistryKeyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices" $DisableInheritance=$true $PreserveInheritanceIfDisabled=$true #Create the registry keys Try { New-Item $RegistryKeyPath1 -Force | Out-Null New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Write -Value 1 -Force | Out-Null New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Read -Value 1 -Force | Out-Null New-ItemProperty -path $RegistryKeyPath1 -propertyType DWORD -Name Deny_Execute -Value 1 -Force | Out-Null New-ItemProperty -path $RegistryKeyPath -propertyType DWORD -Name Deny_All -Value 1 -Force | Out-Null } Catch { [System.Windows.forms.MessageBox]::Show('Key exists and an error has occured. Please check the registry manually in this location','Error','OKCancel','Error') ; exit } Try { #Remove Inheritance - Inheritance is removed from both keys so that if one is done the other will have to be also. $acl = Get-Acl $RegistryKeyPath1 $acl.SetAccessRuleProtection($DisableInheritance, $preserveInheritanceIfDisabled) Set-Acl $RegistryKeyPath1 $acl Remove-Variable acl $acl = Get-Acl $RegistryKeyPath $acl.SetAccessRuleProtection($DisableInheritance, $preserveInheritanceIfDisabled) Set-Acl $RegistryKeyPath $acl Remove-Variable acl #Remove Permissions $acl = get-acl $RegistryKeyPath1 $acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES set-acl $RegistryKeyPath1 $acl $acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES set-acl $RegistryKeyPath1 $acl Remove-Variable acl $acl = get-acl $RegistryKeyPath $acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES set-acl $RegistryKeyPath $acl $acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES set-acl $RegistryKeyPath $acl Remove-Variable acl [System.Windows.forms.MessageBox]::Show('Successfully Implemented!','Success','OKCancel','Information') } Catch { [System.Windows.forms.MessageBox]::Show('An error has occured. Please check the registry manually in this location','Error','OKCancel','Error') }
这不是很好,但至少可以用。这应该记录在某处。
vbs 确实确实是一个更好的垃圾收集器。