当我使用powershell和set-acl设置新的filesystemaccess规则时,我将继承标志设置为传播到子对象和叶对象
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"username","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))
Set-Acl -path $filename -aclObject $acl
当我在安全选项卡中查看资源管理器中的权限..高级..传播设置正确。但如果我亲眼看看孩子们,他们就不会显示新的安全规则。
如果在资源管理器中,我添加了另一个具有不同SID的规则..并保存它(不强制选项'替换所有子对象权限...')。然后手册和powershell规则都显示在孩子身上。它似乎需要某种启动才能让孩子们接受新的传播规则。为了让子对象显示添加了新规则,我缺少什么?
答案 0 :(得分:5)
我遇到了同样的逻辑问题......
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"username","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))
最后'无'你说的是:不要传播...... 改为:
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"username","FullControl", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow")))
它将传播您的设置。 在此处查看访问规则选项:http://msdn.microsoft.com/en-us/library/ms147785.aspx
这些是传播标志:http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx
答案 1 :(得分:1)
这很奇怪。我有类似的代码,以相同的方式设置权限。我从来没有检查过孩子的权限是否设置了。它可能只是Windows资源管理器UI中的一些奇怪现象。您是否使用PowerShell获取其中一个子项的ACL以检查是否应用了权限?
供参考,这里是the code I use to grant permissions:
foreach( $permission in $Permissions )
{
$right = ($permission -as "Security.AccessControl.FileSystemRights")
if( -not $right )
{
throw "Invalid FileSystemRights: $permission. Must be one of $([Enum]::GetNames("Security.AccessControl.FileSystemRights"))."
}
$rights = $rights -bor $right
}
Write-Host "Granting $Identity $Permissions on $Path."
# We don't use Get-Acl because it returns the whole security descriptor, which includes owner information.
# When passed to Set-Acl, this causes intermittent errors. So, we just grab the ACL portion of the security descriptor.
# See http://www.bilalaslam.com/2010/12/14/powershell-workaround-for-the-security-identifier-is-not-allowed-to-be-the-owner-of-this-object-with-set-acl/
$currentAcl = (Get-Item $Path).GetAccessControl("Access")
$inheritanceFlags = [Security.AccessControl.InheritanceFlags]::None
if( Test-Path $Path -PathType Container )
{
$inheritanceFlags = ([Security.AccessControl.InheritanceFlags]::ContainerInherit -bor `
[Security.AccessControl.InheritanceFlags]::ObjectInherit)
}
$propagationFlags = [Security.AccessControl.PropagationFlags]::None
$accessRule = New-Object "Security.AccessControl.FileSystemAccessRule" $identity,$rights,$inheritanceFlags,$propagationFlags,"Allow"
$currentAcl.SetAccessRule( $accessRule )
Set-Acl $Path $currentAcl
答案 2 :(得分:0)
我一直在搜索互联网和几个StackOverflow试图解决这个问题。我可能没有最好的解决方案,但我认为它满足了这个问题。根据我的研究,Powershell的Set-Acl只是没有正确处理继承。下面代码的关键是两件事:System.Security.AccessControl.DirectorySecurity对象并使用替代方法设置ACL $dir.SetAccessControl()目标文件夹(文件夹和文件)的子代将成功继承附加到的权限你的目标文件夹。
调用示例:
$newACL=@()
$newACL+=New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @("MyLocalGroup1","ReadAndExecute,Synchronize","ContainerInherit,ObjectInherit","None","Allow")
$newACL+=New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @("MyLocalGroup2","FullControl","ContainerInherit,ObjectInherit","None","Allow")
Set-FolderPermissions -Path $Path -KeepDefault -ResetOwner -AccessRuleList $newACL
功能:
function Set-FolderPermissions {
# The whole point of this script is because Set-Acl bungles inheritance
[CmdletBinding(SupportsShouldProcess=$false)]
Param ([Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateNotNullOrEmpty()] [string]$Path,
[Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$KeepExisting,
[Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$KeepDefault,
[Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$ResetOwner,
[Parameter(Mandatory=$true, ValueFromPipeline=$false)] [System.Security.AccessControl.FileSystemAccessRule[]]$AccessRuleList)
Process {
$aryDefaultACL="NT AUTHORITY\SYSTEM","CREATOR OWNER","BUILTIN\Administrators"
$tempACL=@()
$owner=New-Object System.Security.Principal.NTAccount("BUILTIN","Administrators")
$acl=Get-Acl -Path $Path
# Save only needed individual rules.
if ($KeepExisting.IsPresent) {
if ($KeepDefault.IsPresent) {
# Keep everything
$acl.Access | ForEach-Object { $tempACL+=$_ }
}
else {
# Remove the defaults, keep everything else
for ($i=0; $i -lt $acl.Access.Count; $i++) {
if (!$aryDefaultACL.Contains($acl.Access[$i].IdentityReference.Value)) { $tempACL+=$acl.Access[$i] }
}
}
}
else {
if ($KeepDefault.IsPresent) {
# Keep only the default, drop everything else
for ($i=0; $i -lt $acl.Access.Count; $i++) {
if ($aryDefaultACL.Contains($acl.Access[$i].IdentityReference.Value)) { $tempACL+=$acl.Access[$i] }
}
}
#else { # Do nothing, because $TempACL is already empty. }
}
# Add the new rules
# I could have been modifying $acl this whole time, but it turns out $tempACL=$acl doesn't work so well.
# As the rules are removed from $acl, they are also removed from $tempACL
for ($i=0; $i -lt $AccessRuleList.Count; $i++) { $tempACL+=$AccessRuleList[$i] }
# This is the object that you're looking for...
$aclDS=New-Object System.Security.AccessControl.DirectorySecurity -ArgumentList @($Path,[System.Security.AccessControl.AccessControlSections]::None)
# The object, apparently, comes with a bonus rule...
$aclDS.RemoveAccessRuleSpecific($aclDS.Access[0])
# Add the rules to our new object
for ($i=0; $i -lt $tempACL.Count; $i++) {
# I tried adding the rules directly but they didn't work. I have to re-create them.
$tempRule=New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($tempACL[$i].IdentityReference,$tempACL[$i].FileSystemRights,$tempACL[$i].InheritanceFlags,$tempACL[$i].PropagationFlags,$tempACL[$i].AccessControlType)
$aclDS.AddAccessRule($tempRule)
}
# This has to be done after all the rules are added, otherwise it doesn't work
$aclDS.SetAccessRuleProtection($true,$false)
if ($ResetOwner.IsPresent) {
# Often, the default owner is SYSTEM. This ownership will prevent you from making any changes.
# So, we change owner to the local Administrator
$acl.SetOwner($owner)
# We have to apply it now because we are applying our ACLs in two stages. We won't be using Set-Acl again.
Set-Acl -Path $Path -AclObject $acl
}
# Lastly, apply our ACls
$dir=Get-Item -Path $Path
$dir.SetAccessControl($aclDS)
}
}