Using PowerShell to grant access to a folder for an "IIS AppPool"

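I am writing a script to automate the deployment of my platform, but I can't figure out how to give an app pool permissions; my code below just inserts the text below with the app pool name. I think this is because it is a friendly name, and when you normally click Check Names it picks up the correct user, but I can't figure out how to do this in PowerShell.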

function Set_iis_perms {
    param (
        [parameter(position=0)]
        $AppPoolName,
        [parameter(position=1)]
        $FileName
    )
    $acl = Get-Acl $FileName
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(("iis apppool$Apppool_Name"),"Modify","Allow")))
    $acl | Set-Acl $FileName
}

Even if someone could just point me in the right direction, I would be very grateful.

Kind regards, Dom

Setting ACLs via Get/Set-ACL and icacls is a very common thing and is covered in many resources. Examples:

Setting ACL on folder or file using PowerShell

This script will set folder permission on a folder (c: and C:2) and its sub folder. If the folder does not exist, it will create the folder, set as shared and add the groups to the folder. Group_Name has to be replaced with Actual Group.

Application Pool Identities

Setting permissions for ASP.NET application on IIS with PowerShell

As per this Stack Overflow Q&A:

How can I add ACL permissions for IIS APPPOOL* accounts via Powershell?

Set-Acl $directory $acl
$user = New-Object System.Security.Principal.NTAccount("$domain\$username")

UPDATE: Seems that it won't accept the "IIS APPPOOL\AppPoolName" as an NTAccount identifier. Now, there are two ways to accomplish what you are trying to do:

Create a new SID object with the AppPoolIdentities SID and translate it into an NTAccount, like this: http://iformattable.blogspot.com/2007/12/convert-sid-to-ntaccount-with.html, and you should be able to treat it like any other NTAccount object. If you still want to be able to pass domain/usernames for real accounts, build in some simple logic that defaults to the AppPool SID if username is "AweSomeAppPool" and domain is empty, just as an example.

Use PowerShell to invoke icacls.exe, and use it to grant/revoke whatever permissions you want, like this (first normal icacls from command prompt, then PowerShell, notice the difference):

icacls.exe test.txt /grant "IIS AppPool\DefaultAppPool":(OI)(CI)M
cmd /c icacls test.txt /grant "IIS AppPool\DefaultAppPool:(OI)(CI)M"
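
An added example, not code from the question or the quoted answers: a Get-Acl/Set-Acl counterpart to the `(OI)(CI)M` icacls grant above that resolves the app pool identity to a SID before touching the ACL, so a mistyped pool name fails loudly. The function name `Grant-AppPoolFolderAccess` and the sample path are hypothetical; it assumes an elevated session on a machine where IIS is installed and the pool exists, so that Windows can resolve `IIS AppPool\<name>`.

```powershell
# Added example; the function name and sample path below are hypothetical.
function Grant-AppPoolFolderAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory, Position = 0)][string]$AppPoolName,
        [Parameter(Mandatory, Position = 1)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Resolve the virtual account to a SID first, so a misspelled pool name
    # stops here instead of reaching Set-Acl.
    $account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$AppPoolName")
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Cannot resolve '$($account.Value)'. Check the pool name and that IIS is installed."
    }

    # ContainerInherit + ObjectInherit corresponds to icacls (OI)(CI).
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $Path
    # Skip the write when an equivalent explicit Allow rule is already present.
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            $_.InheritanceFlags -eq $inherit -and
            ($_.FileSystemRights -band $Rights) -eq $Rights
        }
    if ($existing) { return $sid.Value }

    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights to $($account.Value)")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    return $sid.Value
}

# Constructed usage: Grant-AppPoolFolderAccess DefaultAppPool 'C:\inetpub\wwwroot\app\uploads' -WhatIf
```

Granting on the one folder the application writes to, rather than the site root, keeps the pool identity's write access as narrow as the deployment allows.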