Windows

停!我繼承了重定向文件夾/主目錄的權限噩夢

  • October 15, 2015

我的新雇主為其數百名使用者設置了文件夾重定向,而設置它的人並不真正知道他在做什麼。因此,未遵循重定向文件夾/主目錄權限的最佳做法。

讓人們訪問其重定向文件夾位置的解決方案是改為將Full Control權限(NTFS 權限,當然不是“共享”權限)應用到Everyone根目錄(“Home”)並將其傳播到根目錄下的所有子文件夾和文件.

有什麼可能出錯的,對吧?這不像 CEO 的My Documents文件夾中有機密資訊,或者任何人都會感染 CryptoWall 並加密其他所有人的文件。正確的?

所以,無論如何,既然 CryptoWall 感染已被刪除並已恢復備份,許多人希望我們用不那麼可怕的東西替換目前權限,我不想在幾個權限對話框中點擊一百個文件夾。

PowerShell 如何為我解決這個問題,讓生活重獲新生?

感謝 JScott向我介紹了System.Security.Principal… 類或方法或其他任何東西,一些 PowerShell 將一堆子文件夾上的 ACL 替換為適合使用者主目錄的 ACL:

$Root = "Path to the root folder that holds all the user home directories"

$Paths = Get-ChildItem $Root | Select-Object -Property Name,FullName

$DAAR = New-Object system.security.accesscontrol.filesystemaccessrule("MyDomain\Domain Admins","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Domain Admin Access Rule.

$SysAR = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#SYSTEM Access Rule.

foreach ($Folder in $Paths)
{

   Write-Host "Generating ACL for $($folder.FullName) ... "
   #For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.

   $ACL = New-Object System.Security.AccessControl.DirectorySecurity
   #Creates a blank ACL object to add access rules into, also blanks out the ACL for each iteration of the loop.

   $objUser = New-Object System.Security.Principal.NTAccount("MyDomain\​"+$folder.name)
   #Creating the right type of User Object to feed into our ACL, and populating it with the user whose folder we're currently on.

   $UserAR = New-Object system.security.accesscontrol.filesystemaccessrule( $objuser ,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
   #Access Rule for the user whose folder we're dealing with during this iteration.

   $acl.SetOwner($objUser)
   $acl.SetAccessRuleProtection($true, $false)
   #Change the inheritance/propagation settings of the folder we're dealing with

   $acl.SetAccessRule($UserAR)
   $acl.SetAccessRule($DAAR)
   $acl.SetAccessRule($SysAR)

   Write-Host "Changing ACL on $($folder.FullName) to:"
   $acl | fl
   #For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.

   Set-Acl -Path $Folder.Fullname -ACLObject $acl

}

引用自:https://serverfault.com/questions/727456