我有一个特定的文件夹(C:\ Windows \ winsxs \ amd64_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.1.7601.17514_none_a926cbb502a97a6e)我需要能够通过powershell脚本更改权限。
我需要能够让System能够在此文件夹中创建文件。
当我检查Get-Acl命令时,它显示NT Authority \ System已经是文件夹的所有者?通过Set-ACL运行以使该系统帐户能够创建文件的最佳命令是什么?
提前致谢。
(到目前为止,我已经尝试过这段代码......但我的访问被拒绝了)
$folder = "C:\Windows\winsxs\amd64_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.1.7601.17514_none_a926cbb502a97a6e"
$myUser = "NT AUTHORITY\SYSTEM"
$acl = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$myUser", "ReadData", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$myUser", "CreateFiles", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$myUser", "AppendData", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl $folder $acl
Set-Acl : Attempted to perform an unauthorized operation.
At line:10 char:1
+ Set-Acl $folder $acl
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Windows\wins...926cbb502a97a6e:String) [Set-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
答案 0 :(得分:2)
C:\Windows\winsxs
是Windows组件商店。非常 非常 在篡改其中的任何内容时要小心。
您获得拒绝访问权限的原因"最有可能的原因是组件存储由NT Authority\TrustedInstaller
安全主体拥有。管理员甚至SYSTEM只有那里的读/执行权限。如果您希望能够修改其中一个子文件夹的权限,则需要先获取winsxs
文件夹的所有权,并授予管理员完全访问权限。
在完成所做的任何更改后,请特别注意将所有权还原为NT Authority\TrustedInstaller
(并恢复在获得所有权时可能已删除的权限)。
这样的事情应该有效(不经过测试,所以要小心处理):
$fldr = 'C:\Windows\winsxs'
# get backup copy of folder ACL
$aclBackup = Get-Acl $fldr
try {
# take ownership
$acl = Get-Acl $fldr
$admins = New-Object Security.Principal.NTAccount('Builtin', 'Administrators')
$acl.SetOwner($admins)
Set-Acl -AclObject $acl -Path $fldr
# not certain if taking ownership and adding permissions in one step works,
# thus using two steps
$acl = Get-Acl $fldr
$ace = New-Object Security.AccessControl.FileSystemAccessRule('Builtin\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl -Path $fldr
# change permissions of subfolder
$sf = "$fldr\amd64_microsoft-windows-..."
$acl = Get-Acl $sf
$ace = New-Object Security.AccessControl.FileSystemAccessRule('NT Authority\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl -Path $sf
# ...
# more stuff
# ...
} finally {
# always restore original ACL on winsxs folder (error or not)
Set-Acl -AclObject $aclBackup -Path $fldr
}