我已经完成了一些研究,但仍然无法找到一种方法来替换父ACL的ACL,就像使用FILEACL使用这一个命令一样:
FILEACL.exe c:\parent_folder\child_folder /INHERIT /REPLACE /SUB
我知道使用get-acl和set-acl cmdlet,甚至使用.NET,但是我可能缺少某种.NET方法。
我不知道我可以做这样的事情,但它似乎没有做我希望替换parent_folder或其任何子代的ACL:
$acl = get-acl "c:\parent_folder"
$acl.SetAccessRuleProtection($False, $True) # Turn on inheritence; 2nd paramter ignored if 1st is false
任何帮助将不胜感激。
答案 0 :(得分:1)
function Reset-FolderPermissionsRecursively {
param (
[Parameter(Mandatory=$true)][string]$modelFolder,
[Parameter(Mandatory=$true)][string]$targetFolder
)
# Reset permissions for parent folder and remove explicit (non-inherited) permissions
$modelFolderAcl = Get-Acl -path $modelFolder
Write-Host "Setting permissions on $targetFolder to match $modelFolder"
Set-Acl -path $targetFolder -aclObject $modelFolderAcl
$acl = Get-Acl $targetFolder
$aces = $acl.Access
foreach ($ace in $aces) {
if ($ace.IsInherited -eq $FALSE) {
Write-Host "Removing $ace on $targetFolder"
$acl.RemoveAccessRule($ace)
Set-Acl $targetFolder $acl
}
}
# Reset permissions for parent folder's children and remove explicit (non-inherited) permissions
Get-ChildItem $targetFolder -recurse -attributes d | foreach {
Write-Host "Setting permissions on" $_.fullName "to match $modelFolder"
Set-Acl -path $_.fullName -aclObject $modelFolderAcl
$acl = Get-Acl $_.FullName
$aces = $acl.Access
foreach ($ace in $aces) {
if ($ace.IsInherited -eq $FALSE) {
Write-Host "Removing $ace on" $_.fullName
$acl.RemoveAccessRule($ace)
Set-Acl $_.FullName $acl
}
}
}
}