Windows
Help! I've inherited a permissions nightmare for redirected folders/home directories
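My new employer has folder redirection set up for its hundreds of users, and the person who set it up didn't really know what he was doing. As a result, the best practices for permissions on redirected folders/home directories were not followed.

The solution for letting people access their redirected folder locations was instead to apply `Full Control` permissions (NTFS permissions, not "share" permissions, of course) to `Everyone` at the root directory ("Home") and propagate that down to all subfolders and files below the root.

What could possibly go wrong, right? It's not like the CEO has confidential information in his `My Documents` folder, or anyone is going to get infected with CryptoWall and encrypt everyone else's files. Right?

So, anyway, now that the CryptoWall infection has been removed and the backups restored, a number of people would like us to replace the current permissions with something less horrible, and I don't want to click through several permissions dialogs for hundreds of folders.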
How can PowerShell solve this problem for me and make life worth living again?
Thanks to JScott for pointing me to the `System.Security.Principal`… class or method or whatever it is, here is some PowerShell that replaces the ACLs on a bunch of subfolders with ones appropriate for user home directories:

```powershell
$Root = "Path to the root folder that holds all the user home directories"

$Paths = Get-ChildItem $Root | Select-Object -Property Name,FullName

$DAAR = New-Object system.security.accesscontrol.filesystemaccessrule("MyDomain\Domain Admins","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Domain Admin Access Rule.

$SysAR = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#SYSTEM Access Rule.

foreach ($Folder in $Paths)
{
    Write-Host "Generating ACL for $($folder.FullName) ... "
    #For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.

    $ACL = New-Object System.Security.AccessControl.DirectorySecurity
    #Creates a blank ACL object to add access rules into, also blanks out the ACL for each iteration of the loop.

    $objUser = New-Object System.Security.Principal.NTAccount("MyDomain\"+$folder.name)
    #Creating the right type of User Object to feed into our ACL, and populating it with the user whose folder we're currently on.

    $UserAR = New-Object system.security.accesscontrol.filesystemaccessrule( $objuser ,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
    #Access Rule for the user whose folder we're dealing with during this iteration.

    $acl.SetOwner($objUser)
    $acl.SetAccessRuleProtection($true, $false)
    #Change the inheritance/propagation settings of the folder we're dealing with

    $acl.SetAccessRule($UserAR)
    $acl.SetAccessRule($DAAR)
    $acl.SetAccessRule($SysAR)

    Write-Host "Changing ACL on $($folder.FullName) to:"
    $acl | fl
    #For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.

    Set-Acl -Path $Folder.Fullname -ACLObject $acl
}
```
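A read-only audit that can be run before and after the script in the answer above, to list home folders that still grant access to broad groups, still inherit from the root, have an unexpected owner, or whose name does not resolve to an account. This is an added example, not part of the original answer; the function name `Test-HomeFolderAcl`, the `$Broad` list, and the assumption that `MyDomain` is the NetBIOS domain name and PowerShell 3.0 or later is available are all assumptions made here.

```powershell
# Added example: read-only audit of home-folder ACLs. $Root and "MyDomain" are placeholders.
$Root   = "Path to the root folder that holds all the user home directories"
$Domain = "MyDomain"
# Assumed list of principals that should never appear on a user's home folder.
$Broad  = "Everyone", "BUILTIN\Users", "NT AUTHORITY\Authenticated Users"

function Test-HomeFolderAcl {
    param([string]$Path, [string]$Domain, [string[]]$Broad)

    $name     = Split-Path -Path $Path -Leaf
    $expected = "$Domain\$name"
    $findings = @()

    # Not every folder maps to a user of the same name; flag those that do not resolve.
    try {
        $null = (New-Object System.Security.Principal.NTAccount($expected)).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        $findings += "no account named $expected"
    }

    $acl = Get-Acl -Path $Path
    # The fixed ACL is protected (inheritance disabled) and owned by the user.
    if (-not $acl.AreAccessRulesProtected) { $findings += "inheritance still enabled" }
    if ($acl.Owner -ne $expected)          { $findings += "owner is $($acl.Owner)" }

    # Any Allow entry for a broad principal means the old permissions are still in place.
    foreach ($rule in $acl.Access) {
        $id = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq "Allow" -and $Broad -contains $id) {
            $findings += "$id has $($rule.FileSystemRights)"
        }
    }

    [pscustomobject]@{ Path = $Path; Findings = $findings -join "; " }
}

# Report only folders with at least one finding; nothing is modified.
Get-ChildItem -Path $Root -Directory |
    ForEach-Object { Test-HomeFolderAcl -Path $_.FullName -Domain $Domain -Broad $Broad } |
    Where-Object { $_.Findings } |
    Format-Table -AutoSize -Wrap
```

It inspects only each top-level home folder, not the files and subfolders beneath it.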