I have been scouring the internet and several Stack Overflow questions trying to figure this out. I may not have the best solution, but I think it satisfies the question. According to my research, PowerShell's Set-Acl does not handle inheritance properly. The key to the code below is two things: the System.Security.AccessControl.DirectorySecurity object, and using the alternative method for setting the ACL, $dir.SetAccessControl().

The children of the target folder (both folders and files) will successfully inherit the permissions attached to your target folder.

Calling example:

    $newACL=@()
    $newACL+=New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @("MyLocalGroup1","ReadAndExecute,Synchronize","ContainerInherit,ObjectInherit","None","Allow")
    $newACL+=New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @("MyLocalGroup2","FullControl","ContainerInherit,ObjectInherit","None","Allow")
    Set-FolderPermissions -Path $Path -KeepDefault -ResetOwner -AccessRuleList $newACL

Function:

    function Set-FolderPermissions {
        # The whole point of this script is because Set-Acl bungles inheritance
        [CmdletBinding(SupportsShouldProcess=$false)]
        Param ([Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateNotNullOrEmpty()] [string]$Path,
               [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$KeepExisting,
               [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$KeepDefault,
               [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$ResetOwner,
               [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [System.Security.AccessControl.FileSystemAccessRule[]]$AccessRuleList)

        Process {
            $aryDefaultACL="NT AUTHORITY\SYSTEM","CREATOR OWNER","BUILTIN\Administrators"
            $tempACL=@()
            $owner=New-Object System.Security.Principal.NTAccount("BUILTIN","Administrators")
            $acl=Get-Acl -Path $Path

            # Save only needed individual rules.
            if ($KeepExisting.IsPresent) {
                if ($KeepDefault.IsPresent) {
                    # Keep everything
                    $acl.Access | ForEach-Object { $tempACL+=$_ }
                }
                else {
                    # Remove the defaults, keep everything else
                    for ($i=0; $i -lt $acl.Access.Count; $i++) {
                        if (!$aryDefaultACL.Contains($acl.Access[$i].IdentityReference.Value)) { $tempACL+=$acl.Access[$i] }
                    }
                }
            }
            else {
                if ($KeepDefault.IsPresent) {
                    # Keep only the default, drop everything else
                    for ($i=0; $i -lt $acl.Access.Count; $i++) {
                        if ($aryDefaultACL.Contains($acl.Access[$i].IdentityReference.Value)) { $tempACL+=$acl.Access[$i] }
                    }
                }
                #else { # Do nothing, because $TempACL is already empty. }
            }

            # Add the new rules
            # I could have been modifying $acl this whole time, but it turns out $tempACL=$acl doesn't work so well.
            # As the rules are removed from $acl, they are also removed from $tempACL
            for ($i=0; $i -lt $AccessRuleList.Count; $i++) { $tempACL+=$AccessRuleList[$i] }

            # This is the object that you're looking for...
            $aclDS=New-Object System.Security.AccessControl.DirectorySecurity -ArgumentList @($Path,[System.Security.AccessControl.AccessControlSections]::None)

            # The object, apparently, comes with a bonus rule...
            $aclDS.RemoveAccessRuleSpecific($aclDS.Access[0])

            # Add the rules to our new object
            for ($i=0; $i -lt $tempACL.Count; $i++) {
                # I tried adding the rules directly but they didn't work. I have to re-create them.
                $tempRule=New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($tempACL[$i].IdentityReference,$tempACL[$i].FileSystemRights,$tempACL[$i].InheritanceFlags,$tempACL[$i].PropagationFlags,$tempACL[$i].AccessControlType)
                $aclDS.AddAccessRule($tempRule)
            }

            # This has to be done after all the rules are added, otherwise it doesn't work
            $aclDS.SetAccessRuleProtection($true,$false)

            if ($ResetOwner.IsPresent) {
                # Often, the default owner is SYSTEM. This ownership will prevent you from making any changes.
                # So, we change owner to the local Administrator
                $acl.SetOwner($owner)
                # We have to apply it now because we are applying our ACLs in two stages. We won't be using Set-Acl again.
                Set-Acl -Path $Path -AclObject $acl
            }

            # Lastly, apply our ACLs
            $dir=Get-Item -Path $Path
            $dir.SetAccessControl($aclDS)
        }
    }

What is $acl? Are you trying to copy the security descriptor from **$filename** into **$acl**?
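
One way to check the answer's claim that child folders and files inherit the target folder's permissions, written as an added example that is not part of the original answer. The function name `Test-ChildInheritance` and the temporary demo folder are assumptions made for illustration; it runs on Windows only.

```powershell
# Added example (not from the answer): audit whether the children of a folder
# really inherit their ACL. Test-ChildInheritance is a hypothetical name.
function Test-ChildInheritance {
    [CmdletBinding()]
    Param ([Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_
        $acl = Get-Acl -LiteralPath $item.FullName

        # Split the child's rules into inherited and explicitly set ones
        $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
        $inherited = @($acl.Access | Where-Object { $_.IsInherited })

        [pscustomobject]@{
            Path           = $item.FullName
            # True means inheritance was switched off on this child
            Protected      = $acl.AreAccessRulesProtected
            InheritedRules = $inherited.Count
            # Explicit rules on a child are worth reviewing: they survive
            # later changes to the parent folder's ACL
            ExplicitRules  = $explicit.Count
            Owner          = $acl.Owner
            # Inheriting = DACL not protected and at least one inherited rule present
            Inherits       = (-not $acl.AreAccessRulesProtected) -and ($inherited.Count -gt 0)
        }
    }
}

# Constructed demo input: a throwaway folder tree under the temp directory
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $root 'sub\file.txt') | Out-Null

# Apply the folder permissions to $root here, then list every child with its state
Test-ChildInheritance -Path $root | Format-Table -AutoSize

# Children that do NOT inherit, or that carry their own explicit rules
Test-ChildInheritance -Path $root |
    Where-Object { -not $_.Inherits -or $_.ExplicitRules -gt 0 }

Remove-Item -LiteralPath $root -Recurse -Force
```

An empty result from the second call means every child has an unprotected DACL with inherited rules and no explicit ones.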