Execute icacls command on remote servers
Below is the code I have; when run for a single server, it executes perfectly.
    $Hostname = $env:COMPUTERNAME
    $CsvData = Import-Csv -Path "C:\Ansible\status_report_2021.csv" | Where-Object{$_.ServerName -eq $Hostname} | Select-Object SystemFolderPath
    foreach($path in $CsvData)
    {
        $path = $path.SystemFolderPath
        $path = $path.trim('\')
        # break inheritance on the folder and copy ACEs as uninherited
        icacls $path /inheritance:d
        #remove all BUILTIN\Users granted ACEs
        icacls $path /remove:g BUILTIN\Users
        #grant only BUILTIN\Users Read&Execute. avoid using (S,GE,GR) = RX.
        #(S,GE,GR) is a specific right and icacls would create 2 ACEs.
        #same meaning but if we can avoid it's better
        icacls $path /grant:r "BUILTIN\Users:(OI)(CI)RX"
        #remove SYSTEM
        icacls $path /remove:g "NT AUTHORITY\SYSTEM"
        #grant SYSTEM as Full control on "this folder, subfolder and files"
        icacls $path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"
        icacls $path
    }
Please tell me how to execute these icacls commands for remote servers.
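I think you can use Group-Object to group together all the server names in the csv with their SystemFolderPath entries and then loop over these groups. Inside the loop, use Invoke-Command to have the icacls commands execute on each server.
Something like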
    Import-Csv -Path "C:\Ansible\status_report_2021.csv" | Group-Object ServerName | ForEach-Object {
        $server = $_.Name
        foreach ($path in ($_.Group.SystemFolderPath | Select-Object -Unique)) {
            Invoke-Command -ComputerName $server -ScriptBlock {
                param ([string]$path)
                # break inheritance on the folder and copy ACEs as uninherited
                icacls $path /inheritance:d
                # remove all BUILTIN\Users granted ACEs
                icacls $path /remove:g BUILTIN\Users
                # grant only BUILTIN\Users Read&Execute. avoid using (S,GE,GR) = RX.
                # (S,GE,GR) is a specific right and icacls would create 2 ACEs.
                # same meaning but if we can avoid it's better
                icacls $path /grant:r "BUILTIN\Users:(OI)(CI)RX"
                # remove SYSTEM
                icacls $path /remove:g "NT AUTHORITY\SYSTEM"
                # grant SYSTEM as Full control on "this folder, subfolder and files"
                icacls $path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"
                icacls $path
            } -ArgumentList $path.Trim('\')
        }
    }
First group all the CSV entries by server - this way we can send all the affected paths to each individual server at once:
$PathsPerServer = Import-Csv -Path "C:\Ansible\status_report_2021.csv" | Group-Object ServerName
Now we can use Invoke-Command against each distinct server and execute the icacls statements against each relevant path:
    $PathsPerServer | ForEach-Object {
        # enumerate all the paths for this server, we need to pass them as arguments to Invoke-Command
        # Trim('\') strips the trailing backslash, as the single-server script does
        $paths = $_.Group | Select-Object -Expand SystemFolderPath | ForEach-Object { $_.Trim('\') }
        Invoke-Command -ComputerName $_.Name -ScriptBlock {
            param([string[]]$Paths)
            foreach ($path in $Paths) {
                # break inheritance on the folder and copy ACEs as uninherited
                icacls $path /inheritance:d
                #remove all BUILTIN\Users granted ACEs
                icacls $path /remove:g BUILTIN\Users
                #grant only BUILTIN\Users Read&Execute. avoid using (S,GE,GR) = RX.
                #(S,GE,GR) is a specific right and icacls would create 2 ACEs.
                #same meaning but if we can avoid it's better
                icacls $path /grant:r "BUILTIN\Users:(OI)(CI)RX"
                #remove SYSTEM
                icacls $path /remove:g "NT AUTHORITY\SYSTEM"
                #grant SYSTEM as Full control on "this folder, subfolder and files"
                icacls $path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"
                icacls $path
            }
            # (,$paths) wraps the array so it binds to $Paths as a whole;
            # a bare $paths would be spread over positional parameters and only the first path used
        } -ArgumentList (,$paths)
    }
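The answers above run the icacls sequence remotely but do not show whether each step succeeded. The following is an added example, not code from the question or either answer: it saves each folder's ACL before changing it, stops at the first icacls step that returns a non-zero exit code, and returns one status object per path. The backup folder `C:\Temp\acl-backup` is an assumed location.

```powershell
# Added example: CSV path and column names come from the question;
# the backup folder C:\Temp\acl-backup is an assumed location.
$results = Import-Csv -Path "C:\Ansible\status_report_2021.csv" |
    Group-Object ServerName | ForEach-Object {
    # @() keeps a single path an array; TrimEnd drops only the trailing backslash
    $paths = @($_.Group.SystemFolderPath |
        ForEach-Object { $_.Trim().TrimEnd('\') } | Select-Object -Unique)

    # (,$paths) sends the whole array as one argument to param($Paths)
    Invoke-Command -ComputerName $_.Name -ArgumentList (,$paths) -ScriptBlock {
        param([string[]]$Paths)
        $backupDir = 'C:\Temp\acl-backup'    # assumed location
        $null = New-Item -ItemType Directory -Path $backupDir -Force
        $i = 0
        foreach ($path in $Paths) {
            $i++
            $failed = $null
            $backup = Join-Path $backupDir ("{0:yyyyMMdd-HHmmss}-{1}.acl" -f (Get-Date), $i)
            if (-not (Test-Path -LiteralPath $path -PathType Container)) {
                $failed = 'folder not found'
            }
            else {
                # Save the current ACL first; the first failing step stops
                # the sequence and is reported in Status.
                $steps = @('/save', $backup),
                         @('/inheritance:d'),
                         @('/remove:g', 'BUILTIN\Users'),
                         @('/grant:r', 'BUILTIN\Users:(OI)(CI)RX'),
                         @('/remove:g', 'NT AUTHORITY\SYSTEM'),
                         @('/grant:r', 'NT AUTHORITY\SYSTEM:(OI)(CI)F')
                foreach ($step in $steps) {
                    $null = & icacls.exe $path @step 2>&1
                    # icacls is a native command: failure shows only in the exit code
                    if ($LASTEXITCODE -ne 0) {
                        $failed = "icacls $($step[0]) exit code $LASTEXITCODE"
                        break
                    }
                }
            }
            [pscustomobject]@{
                Path   = $path
                Backup = $backup
                Status = if ($failed) { "FAILED: $failed" } else { 'OK' }
            }
        }
    }
}
# PSComputerName is added by Invoke-Command to every returned object
$results | Sort-Object Status | Format-Table PSComputerName, Path, Status, Backup -AutoSize
```

A saved ACL file can be reapplied on the server with `icacls <parent folder> /restore <file>`.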