Identify User with special NTFS access permission

I am running this command to get the users and their rights:

Get-Acl $path | 
    select -ExpandProperty Access | 
    where { $_.IdentityReference -match "Users" } |
    select -Property * -ExcludeProperty IsInherited |
    Format-Table
           FileSystemRights AccessControlType IdentityReference                InheritanceFlags PropagationFlags
           ---------------- ----------------- -----------------                ---------------- ----------------
ReadAndExecute, Synchronize             Allow BUILTIN\Users     ContainerInherit, ObjectInherit             None
                 AppendData             Allow BUILTIN\Users                    ContainerInherit             None
                CreateFiles             Allow BUILTIN\Users                    ContainerInherit             None

Here, one user's access permission is Special. I need to remove that user.

Please help me identify that user.

Special just means a list of file system access rights that does not match one of the named presets like Read, Write, etc.

In your case, BUILTIN\Users has the ReadAndExecute preset in the first entry, but also has the AppendData and CreateFiles rights. Those two rights are not the full Write permission, so they show up as Special.

If you want to remove those specific rights for your BUILTIN\Users group, you can use something like this:

$path = 'C:\temp\temp'
$acl = get-acl $path

# Check the existing rights
$acl.Access | where IdentityReference -Like 'BUILTIN\Users'

# Get a list of the rules to remove
$rules = $acl.access | Where-Object { 
    !$_.IsInherited -and 
    $_.IdentityReference -like 'BUILTIN\Users' -and
    $_.FileSystemRights -in 'AppendData','CreateFiles'
}

# Remove those rules from the ACL object 
ForEach($rule in $rules) {
    $acl.RemoveAccessRule($rule)
}

# Check that the remaining rules look good:
$acl.Access

# Finally, set the ACL
# WARNING: setting file permissions can of course lock you out of files, so be careful!
Set-Acl -Path $path -AclObject $acl

Note that the example in your question shows those two rights are also applied to subfolders via InheritanceFlags: ContainerInherit. So when you update the ACL it will try to apply the change to all subfolders.

If you really want to remove the permission entry at the root of C:\, like in your screenshot, you may run into problems with subfolders you do not have permission to.
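The question itself asks which identity holds the Special rights, and on which folders. The following is an added example in PowerShell, not code from the question or from the answer above. It turns the rule stated above into a check: an ACE is Special when its rights contain bits that none of the named presets (FullControl, Modify, ReadAndExecute, Read, Write) fully accounts for, with Synchronize ignored because the .NET API adds it to Allow entries automatically. The path C:\temp\temp is taken from the answer; the function names Test-SpecialFileSystemRights and Get-SpecialAce are chosen here, and the four sample rights strings are constructed from the question's output.

```powershell
# Added example: list the ACEs that the Security tab would report as "Special".
# Test-SpecialFileSystemRights and Get-SpecialAce are names chosen here;
# the path C:\temp\temp comes from the answer above.

function Test-SpecialFileSystemRights {
    # Returns $true when $Rights carries at least one right that none of the
    # named presets (the check boxes on the Security tab) fully explains.
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $fsr  = [System.Security.AccessControl.FileSystemRights]
    $sync = [int]$fsr::Synchronize
    # Synchronize is added to Allow entries automatically, so ignore it.
    $mask = [int]$Rights -band (-bnot $sync)

    # "List folder contents" has the same bits as ReadAndExecute and differs
    # only in inheritance flags, so it needs no entry of its own.
    $presets = @($fsr::FullControl, $fsr::Modify, $fsr::ReadAndExecute,
                 $fsr::Read, $fsr::Write)

    # Union of every preset wholly contained in the mask: the boxes that
    # would be ticked on the Security tab.
    $covered = 0
    foreach ($preset in $presets) {
        $p = [int]$preset -band (-bnot $sync)
        if (($mask -band $p) -eq $p) { $covered = $covered -bor $p }
    }
    # Any leftover bit is a right no ticked preset accounts for: Special.
    return (($mask -band (-bnot $covered)) -ne 0)
}

function Get-SpecialAce {
    # Walks $Path (and its subfolders with -Recurse) and emits one object per
    # Special ACE. Inherited ACEs are included so you can see where a right
    # comes from; folders you cannot read are skipped rather than aborting.
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $targets = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $targets += @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    }
    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if (Test-SpecialFileSystemRights -Rights $ace.FileSystemRights) {
                [pscustomobject]@{
                    Path        = $item.FullName
                    Identity    = $ace.IdentityReference.Value
                    Type        = $ace.AccessControlType
                    Rights      = $ace.FileSystemRights
                    Inherited   = $ace.IsInherited
                    Inheritance = $ace.InheritanceFlags
                }
            }
        }
    }
}

# The three entries from the question, checked without touching the file
# system (constructed input). 'Read, Write' is added to show that a union of
# two presets is not Special either.
foreach ($r in 'ReadAndExecute, Synchronize', 'AppendData', 'CreateFiles', 'Read, Write') {
    [pscustomobject]@{
        Rights  = $r
        Special = Test-SpecialFileSystemRights -Rights ([System.Security.AccessControl.FileSystemRights]$r)
    }
}

# Live check of the answer's path and every folder below it.
Get-SpecialAce -Path 'C:\temp\temp' -Recurse | Format-Table -AutoSize
```

Run against the question's output, the first entry (ReadAndExecute, Synchronize) is reported as not Special, while the AppendData and CreateFiles entries are, which is exactly the identity the question is looking for. The recursive listing also tells you in advance which subfolders carry the rights as inherited ACEs, which is where a later Set-Acl would propagate to.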

Thanks to @Cpt.Whale for the help.

The code below solved my problem.

$path = 'C:\temp'


## Remove inheritance from the top folder and its child folders first.
## /inheritance:d disables inheritance but keeps the inherited ACEs as explicit copies.
Foreach($folder in $path) { 
 icacls $folder /inheritance:d
 Get-ChildItem -Path $folder -Recurse | ?{$_.PSisContainer} | foreach {$subfolder = $_.FullName; icacls $subfolder /inheritance:d}
}


# Read the ACL only after inheritance has been disabled, so the object holds the
# now-explicit ACEs. An ACL read before the icacls step is stale: its rules are
# still marked IsInherited and Set-Acl would write that old state back.
$acl = get-acl $path

# Check the existing rights
$acl.Access | where IdentityReference -Like 'BUILTIN\Users'

# Get a list of the rules to remove. Rights are matched as a list of exact
# values, so a rule carrying either single right, or exactly the pair, is
# caught; a lone 'CreateFiles, AppendData' string would only match the pair.
$rules = $acl.access | Where-Object { 
    !$_.IsInherited -and 
    $_.IdentityReference -like 'BUILTIN\Users' -and
    $_.FileSystemRights -in 'CreateFiles','AppendData','CreateFiles, AppendData'
}

# Remove those rules from the ACL object 
ForEach($rule in $rules) {
    $acl.RemoveAccessRule($rule)
}

# Check that the remaining rules look good:
$acl.Access

# Finally, set the ACL
# WARNING: setting file permissions can lock you out of files, so be careful!
Set-Acl -Path $path -AclObject $acl