问题:使用Powershell脚本如何删除域用户组对文件夹的访问权限。
的信息:
简而言之,我正在为我的用户设置个人文件夹。我编写了以下脚本。它创建了用户文件夹并设置了权限。然后,假设从域用户组中删除新创建的文件夹的读取能力。该脚本运行时没有错误,但不会删除域用户读取权限。我会彻底抛弃这个小组,但还没有想出那个部分。注释代码块给出了错误,所以我现在就去处理它。
脚本:
PARAM($Alias)
# Assign Drive letter/Home Drive Active Directory user
$HomeDrive=’U:’
$UserRoot=’\\server\User_data\’
$HomeDirectory=$UserRoot+'ittest'
SET-ADUSER ittest –HomeDrive $HomeDrive –HomeDirectory $HomeDirectory
# Create the folder on the root of the common Users Share
NEW-ITEM –path $HomeDirectory -type directory -force
$Domain=’Domain’
$HomeFolderACL=GET-ACL $HomeDirectory
$IdentityReference=$Domain+’\’+'ittest'
# Set parameters for Access rule
#$FileSystemAccessRights= [System.Security.AccessControl.FileSystemRights]::FullControl
#$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]::ContainerInherit
#$InheritanceFlags2=[System.Security.AccessControl.InheritanceFlags]::ObjectInherit
#$PropagationFlags=[System.Security.AccessControl.PropagationFlags]::None
#$AccessControl=[System.Security.AccessControl.AccessControlType]::Allow
#$UserAccess=New-Object System.Security.Principal.NTAccount($IdentityReference)
# Build Access Rule from parameters
#$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($UserAccess,$InheritanceFlags,$IdentityReference,$FileSystemAccessRights,$PropogationFlags,$AccessControl)
$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($IdentityReference,[System.Security.AccessControl.FileSystemRights]::FullControl,[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::Allow)
# Get current Access Rule from Home Folder for User
$HomeFolderACL.AddAccessRule($AccessRule)
SET-ACL –path $HomeDirectory -AclObject $HomeFolderACL
# Remove "domain user" read Access Rule from parameters
$domainuser =$Domain+’\’+'Domain Users'
$objUser = New-Object System.Security.Principal.NTAccount($domainuser)
$AccessRule2 = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($objUser,[System.Security.AccessControl.FileSystemRights]::READ,[System.Security.AccessControl.InheritanceFlags]::NONE,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::allow)
#Get current Access Rule from Home Folder for User
$HomeFolderAclRead= GET-ACL $HomeDirectory
$HomeFolderAclRead.RemoveAccessRule($AccessRule2)
SET-ACL –path $HomeDirectory -AclObject $HomeFolderAclRead
感谢所有回复并汇总代码的人。不幸的是,它与原始代码的工作点相同,并提供了此错误。
SET-ACL -path $ HomeDirectory -AclObject $ HomeFolderAclRead NEW-OBJECT:找不到“FileSystemAccessRule”的重载和参数count:“6”。 在行:25 char:15 + $ AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule($ Us ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo:InvalidOperation:(:) [New-Object],MethodException + FullyQualifiedErrorId:ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
真 Set-Acl:无法将参数绑定到参数'AclObject',因为它为null。 在线:40 char:41 + SET-ACL -path $ HomeDirectory -AclObject $ HomeFolderAclRead + ~~~~~~~~~~~~~~~~~~ + CategoryInfo:InvalidData :( :) [Set-Acl],ParameterBindingValidationException + FullyQualifiedErrorId:ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAclCommand
错误与它如何使用变量和构造函数有关。
如果我改变了这个
$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($UserAccess,$InheritanceFlags,$IdentityReference,$FileSystemAccessRights,$PropogationFlags,$AccessControl)
到
$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($IdentityReference,[System.Security.AccessControl.FileSystemRights]::FullControl,[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::Allow)
脚本将继续,但会改为显示此错误。
Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
在行:41 char:41 + SET-ACL -path $ HomeDirectory -AclObject $ HomeFolderAclRead + ~~~~~~~~~~~~~~~~~~ + CategoryInfo:InvalidData :( :) [Set-Acl],ParameterBindingValidationException + FullyQualifiedErrorId:ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAclCommand
答案 0 :(得分:0)
你在这里并不具体,所以我要做一些假设。看起来您的文件夹已经通过继承或其他方式设置了域\域用户访问权限。如果是这种情况,您不需要像现在这样创建规则,则规则已经存在,因此您可以将其删除。
#Create Domain Users object
$DomUsers = New-Object System.Security.Principal.NTAccount("$Domain\Domain Users")
#Get ACLs for folder
$ACLs = Get-ACL $HomeDirectory
#Loop through Access Rules for the ACLs matching any that match the Domain Users object, and tell the ACL object to remove that rule
$ACLs | Select -ExpandProperty Access |
Where{ $_.IdentityReference -eq $DomUsers } |
ForEach{ $ACLs.RemoveAccessRule($_) }
#Set the new set of ACLs back to the folder.
Set-ACL $HomeDirectory -ACLObject $ACLs
这将与现有规则一起使用,而不是尝试重新创建要删除的规则。这样您就不必担心规则是否准确,因为如果您制定的规则与您尝试删除规则的规则完全相同,则实际上不会删除它,即使它是一个愚蠢的东西,就像规则有不同的继承标志或其他东西。
我更新了您的脚本,它应该通过这些修改执行您想要的操作(您需要更新您的域名):
PARAM($Alias="ittest")
# Assign Drive letter/Home Drive Active Directory user
$HomeDrive=’U:’
$UserRoot=’\\server\User_data\’
$HomeDirectory=$UserRoot+$Alias
SET-ADUSER $alias –HomeDrive $HomeDrive –HomeDirectory $HomeDirectory
# Create the folder on the root of the common Users Share
NEW-ITEM –path $HomeDirectory -type directory -force | Out-Null
$Domain=’Domain’
$HomeFolderACL=GET-ACL $HomeDirectory
$IdentityReference= "$Domain\$Alias"
# Set parameters for Access rule
$FileSystemAccessRights= [System.Security.AccessControl.FileSystemRights]"FullControl"
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]::None
$AccessControl=[System.Security.AccessControl.AccessControlType]::Allow
$UserAccess=New-Object System.Security.Principal.NTAccount($IdentityReference)
# Build Access Rule from parameters
$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($UserAccess,$InheritanceFlags,$IdentityReference,$FileSystemAccessRights,$PropogationFlags,$AccessControl)
# Add Access Rule to the Home Folder rule set for User
$HomeFolderACL.AddAccessRule($AccessRule)
### Remove "domain user" read Access Rule from parameters ###
# Create Domain Users object
$DomUsers = New-Object System.Security.Principal.NTAccount("$Domain\Domain Users")
# Loop through Access Rules for the ACLs matching any that match the Domain Users object, and tell the ACL object to remove that rule
$HomeFolderACL | Select -ExpandProperty Access |
Where{ $_.IdentityReference -eq $DomUsers } |
ForEach{ $HomeFolderACL.RemoveAccessRule($_) }
# Set the ACLs for the path with the user added and the Domain Users group removed from the rule set
SET-ACL –path $HomeDirectory -AclObject $HomeFolderAclRead
答案 1 :(得分:0)
这是我最终使用的最终脚本感谢所有帮助!
PARAM($Alias)
# Import active directory module for running AD cmdlets
Import-module ActiveDirectory
#Store the data from UserList.csv in the $List variable
$List1 = Get-ADGroupMember -identity "FilteredDomainUsers" | select samaccountname | Export-csv C:\export\temp_file1.csv
$list2 = Import-CSV -header samaccountname C:\export\temp_file1.csv
#Loop through user in the CSV
ForEach ($User in $List2)
{
$UserString = $User | select-object
$string = $UserString.samaccountname
$string1=$string.ToString()
write-output $string1
# Assign Drive letter/Home Drive Active Directory user
$HomeDrive=’U:’
$UserRoot=’\\Server\User_data\’
$HomeDirectory=$UserRoot+ $String1
SET-ADUSER $string1 –HomeDrive $HomeDrive –HomeDirectory $HomeDirectory
# Create the folder on the root of the common Users Share
NEW-ITEM –path $HomeDirectory -type directory -force
$Domain=’domain’
$HomeFolderACL=GET-ACL $HomeDirectory
$IdentityReference=$Domain+’\’+$String1
write-output $IdentityReference
# Set parameters for Access rule
# Build Access Rule from parameters
$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($IdentityReference, [System.Security.AccessControl.FileSystemRights]::FullControl,[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::Allow)
# Get current Access Rule from Home Folder for User
$HomeFolderACL.AddAccessRule($AccessRule)
SET-ACL –path $HomeDirectory -AclObject $HomeFolderACL
write-output $string1
}