Windows-Server-2008-R2
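How do I configure permissions for a cluster share on 2008 using PowerShell?
I have a cluster resource of type "File Share", but when I try to configure the "security" parameter, I get the following error (excerpt):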
Set-ClusterParameter : Parameter 'security' does not exist on the cluster object
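Using cluster.exe I get better results, namely the usual nothing when the command works. But when I check in Failover Cluster Manager, the permissions have not changed. In Server 2003, the cluster.exe method worked.
Any ideas?
Update:
The whole command and error.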
    PS C:\> $resource=get-clusterresource testshare
    PS C:\> $resource

    Name                          State                         Group                         ResourceType
    ----                          -----                         -----                         ------------
    testshare                     Offline                       Test                          File Share

    PS C:\> $resource|set-clusterparameter security "domain\account,grant,f"
    Set-ClusterParameter : Parameter 'security' does not exist on the cluster object 'testshare'. If you are trying to upda
    te an existing parameter, please make sure the parameter name is specified correctly. You can check for the current par
    ameters by passing the .NET object received from the appropriate Get-Cluster* cmdlet to "| Get-ClusterParameter". If yo
    u are trying to update a common property on the cluster object, you should set the property directly on the .NET object
     received by the appropriate Get-Cluster* cmdlet. You can check for the current common properties by passing the .NET o
    bject received from the appropriate Get-Cluster* cmdlet to "| fl *". If you are trying to create a new unknown paramete
    r, please use -Create with this Set-ClusterParameter cmdlet.
    At line:1 char:31
    + $resource|set-clusterparameter <<<<  security "domain\account,grant,f"
        + CategoryInfo          : NotSpecified: (:) [Set-ClusterParameter], ClusterCmdletException
        + FullyQualifiedErrorId : Set-ClusterParameter,Microsoft.FailoverClusters.PowerShell.SetClusterParameterCommand
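I found an easy-to-use and obvious answer. It is so simple that one might not believe it is a Microsoft solution.
$permissions is an array of permissions, containing an account (domain\user), a permission (Full Control), and a type (Allow).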
    # create access rule based on permissions
    $rule = new-object system.security.accesscontrol.filesystemaccessrule $permissions

    # get an acl, remove access rules, add our rule
    $acl = get-acl "c:\"    # need to get acl from root of drive to avoid inheritance
    $acl.access | foreach-object {$acl.removeaccessrule($_)}
    $acl.setaccessrule($rule)

    # get security descriptor from acl and convert to binary security descriptor
    $sddl = $acl.sddl
    $sdhelper = [wmiclass]"win32_securitydescriptorhelper"
    $binarysd = ($sdhelper.sddltobinarysd($sddl)).binarysd

    # get cluster resources from registry
    $resources = get-childitem "hklm:\cluster\resources"

    # ...with paths that powershell will understand
    $resources = $resources | foreach-object {$_.pspath}

    # find clustershare resource path
    $resource = $resources | where-object {(get-itemproperty $_ name).name -eq $clustershare}

    # derive path to resource parameters
    $parameters = "$resource\parameters"

    # configure security descriptor
    set-itemproperty $parameters "security descriptor" $binarysd
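It really is that simple.
The only problem is that this only applies to one node and has to be repeated on every node. It does survive failover (and when the share fails back to the node, the permissions set on that node reappear). Also, it only works for "Full Control", not for "Read" or other permissions. Not sure why.
I won't accept this as the answer, because it really isn't one. But it seems to be the closest thing to a solution for this problem, which did not exist at all in Windows Server 2003 (cluster.exe could set share permissions), and Microsoft does not seem to have fixed anything either.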
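
Since the descriptor has to be written on every node, it helps to read it back on each one and confirm which accounts and access masks were actually stored. The following is an added example, not part of the original answer: the function names `Get-SdAce` and `Get-ClusterShareSd` are hypothetical, the sample SDDL string is constructed, and the three mask values are the ones Windows uses for the Read, Change and Full Control share levels.

```powershell
# Decode a binary security descriptor and list each ACE in its DACL.
function Get-SdAce {
    param([byte[]]$BinarySd)

    # Access masks used by the three share permission levels
    $shareLevels = @{ 0x1F01FF = 'Full Control'; 0x1301BF = 'Change'; 0x1200A9 = 'Read' }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $BinarySd, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the SID to a name; fall back to the raw SID if it cannot be resolved
        try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $ace.SecurityIdentifier.Value }

        $level = $shareLevels[$ace.AccessMask]
        if (-not $level) { $level = 'other' }

        New-Object PSObject -Property @{
            Account    = $account
            Type       = $ace.AceType
            Mask       = '0x{0:X}' -f $ace.AccessMask
            ShareLevel = $level
        } | Select-Object Account, Type, Mask, ShareLevel
    }
}

# Read the value the answer writes, using the same registry layout:
# HKLM:\Cluster\Resources\<resource key>\Parameters, value "Security Descriptor".
function Get-ClusterShareSd {
    param([string]$ShareName)
    $key = Get-ChildItem 'HKLM:\Cluster\Resources' |
        Where-Object { (Get-ItemProperty $_.PSPath Name).Name -eq $ShareName }
    (Get-ItemProperty "$($key.PSPath)\Parameters" 'Security Descriptor').'Security Descriptor'
}

# Constructed sample: Everyone with the share-level Read mask, Administrators with full access.
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor 'D:(A;;0x1200a9;;;WD)(A;;FA;;;BA)'
$bytes  = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($bytes, 0)
Get-SdAce $bytes | Format-Table -AutoSize

# On a cluster node (share name taken from the question):
# Get-SdAce (Get-ClusterShareSd 'testshare') | Format-Table -AutoSize
```

Running the last line on each node shows whether every node holds the same descriptor, and a `ShareLevel` of `other` flags a stored mask that does not match any of the three share levels.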