I ran into a situation with PowerShell 3.0 while trying to remove Domain Users from a user's home drive, and I'd like to know whether anyone has any ideas about it.
Pseudocode, so you can see what I'm trying to do:
Create a new folder
Grant User access to write their home drive
Remove Inherited Permissions from folder
Remove general access from all Domain Users
Actual code (error handling removed for simplicity):
$UserName = "auser"
$Path = "\\domain.com\user\users\" + $UserName
$UserIdentityReference = "DOMAIN\" + $UserName
$NewFolder = New-Item -ItemType directory -Path $Path
# Need to allow the user to write to the folder
$GrantUserAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserIdentityReference, @("ListDirectory", "ReadData", "WriteData", "CreateFiles", "CreateDirectories", "AppendData", "ReadExtendedAttributes", "WriteExtendedAttributes", "Traverse", "ExecuteFile", "ReadAttributes", "WriteAttributes", "Write", "ReadPermissions", "Read", "ReadAndExecute", "Modify", "Synchronize"), "ContainerInherit,ObjectInherit", "None", "Allow")
$acl = Get-Acl $NewFolder
$acl.AddAccessRule($GrantUserAccessRule)
Set-Acl -AclObject $acl -Path $NewFolder
# Remove inheritance from the parent folder (copy the inherited entries as explicit ones).
$acl = Get-Acl $NewFolder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -AclObject $acl -Path $NewFolder
# Need to prevent any domain user from accessing the folder
$acl = Get-Acl $NewFolder
$RemoveDomainUsersACLRule = $acl | Select-Object -ExpandProperty Access | Where-Object { $_.IdentityReference -eq $UserIdentityReference }
$acl.RemoveAccessRule($RemoveDomainUsersACLRule)
# ERROR OCCURS HERE
Set-Acl -AclObject $acl -Path $NewFolder
The error is:
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At line:4 char:3
+ Set-Acl -aclobject $acl -Path $NewFolder
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\gifs.com\user\users\tautomation:String) [Set-Acl], PrivilegeNotHeldException
+ FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand
The strange thing is that as soon as I execute SetAccessRuleProtection($true,$true), I can no longer add rules, or remove the rule I just added.
Things I have tried:
I can remove the rule I added, as long as I do it before SetAccessRuleProtection.
Manually removing the "Domain Users" group in File Explorer.
Running PowerShell as an elevated user. This made no difference.
Answer 0 (score: 2)
Sounds like this Connect bug. I always recommend using SetAccessControl() on files/folders instead of Set-Acl (Set-Acl has some issues with the file system). I would change all of the Set-Acl calls to:
(Get-Item $NewFolder).SetAccessControl($acl)
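The same home-folder provisioning written out end to end with SetAccessControl() in place of Set-Acl, as an added example that is neither the question's script nor the answerer's code. The domain name, share root and the `DOMAIN\Domain Users` group name are assumptions (the share path is taken from the question); it targets Windows PowerShell, where DirectoryInfo exposes GetAccessControl()/SetAccessControl() directly. Unlike the question's last step, it filters on the broad group rather than on the user's own identity, and it writes the protection step back before removing anything, since RemoveAccessRule() leaves entries that are still flagged as inherited untouched until they have been persisted as explicit copies.

```powershell
# Added example, not from the question or the answer. Assumptions: the
# 'DOMAIN' NetBIOS name, the share root, and the 'Domain Users' group name.
function New-HomeFolder {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $Domain     = 'DOMAIN',                  # assumption
        [string] $ShareRoot  = '\\domain.com\user\users', # assumption, from the question
        [string] $BroadGroup = 'DOMAIN\Domain Users'      # assumption: group inherited from the parent
    )

    $Path   = Join-Path $ShareRoot $UserName
    $Folder = New-Item -ItemType Directory -Path $Path -ErrorAction Stop

    # Step 1: grant the user Modify on the folder and on everything created below it.
    # 'Modify' already contains the individual rights listed in the question.
    $acl = $Folder.GetAccessControl()
    $userRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "$Domain\$UserName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    [void] $acl.AddAccessRule($userRule)
    $Folder.SetAccessControl($acl)

    # Step 2: break inheritance and keep copies of the parent's entries.
    # Persist this before removing anything: until it is written back, the copied
    # entries are still flagged as inherited and RemoveAccessRule() skips those.
    $acl = $Folder.GetAccessControl()
    $acl.SetAccessRuleProtection($true, $true)
    $Folder.SetAccessControl($acl)

    # Step 3: re-read, then drop every explicit rule that names the broad group.
    $acl = $Folder.GetAccessControl()
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $broadRules = @($rules | Where-Object { $_.IdentityReference.Value -eq $BroadGroup })
    foreach ($rule in $broadRules) {
        [void] $acl.RemoveAccessRule($rule)
    }
    $Folder.SetAccessControl($acl)

    return $Path
}

# Verification: the broad group must be gone and the user's rule must be present
# as an explicit (non-inherited) entry. Returns $true when both hold.
function Test-HomeFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $UserIdentity,          # e.g. 'DOMAIN\auser'
        [string] $BroadGroup = 'DOMAIN\Domain Users'            # assumption
    )
    $rules = (Get-Item $Path).GetAccessControl().GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    $leak = @($rules | Where-Object { $_.IdentityReference.Value -eq $BroadGroup })
    $own  = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $UserIdentity -and -not $_.IsInherited })
    return ($leak.Count -eq 0) -and ($own.Count -gt 0)
}

# Usage (assumed names):
#   $home = New-HomeFolder -UserName 'auser'
#   Test-HomeFolderAcl -Path $home -UserIdentity 'DOMAIN\auser'
```

Keeping each write on the DirectoryInfo object avoids the Set-Acl path that requests SACL access and so trips over SeSecurityPrivilege; the verification function is worth running after provisioning, because a rule left behind for the broad group is exactly the exposure this procedure exists to prevent.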