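I want this PowerShell script to create a new directory and add/assign permissions for a group.
The group is being added, but the permissions do not show up under Properties on the Security tab. If I go into Advanced security, the permissions show up there.
Also, the parent folder permissions are not being removed from the new subfolder as desired.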
$groups = "DOMAIN\GROUP"
$Perm = "MODIFY"
$Permission = [System.Security.AccessControl.FileSystemRights] $Perm
$AllInherit = [System.Security.AccessControl.InheritanceFlags] "None"
$AllPropagation = [System.Security.AccessControl.PropagationFlags] "InheritOnly"
$path = "c:\temp\test"
new-item -path $path -itemtype directory -force
$group = $groups
$GetACL = Get-Acl $Path
$Access = New-Object System.Security.Principal.NTAccount ($group)
$AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($Access, $perm, $AllInherit, $Allpropagation, "Allow")
$GetACL.SetAccessRule($AccessRule)
SET-ACL -PATH $path $getacl
Answer 0 (score: 0)
Here is a function I wrote for a similar purpose:
function Add-AclEntry {
    # Adds a new entry to the specified file system object ACL. For
    # folders the new permissions are applied recursively.
    # Returns: null.
    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [String]$sPath,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        # Access group (full notation).
        [String]$sGroup,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        # List of access rights, comma separated.
        [String]$sRights,
        [Parameter(Mandatory=$false)]
        [ValidateSet("Allow", "Deny")]
        [String]$sType = "Allow"
    )
    $cRights = [System.Security.AccessControl.FileSystemRights]$sRights
    $oType = [System.Security.AccessControl.AccessControlType]::$sType
    $oGroup = New-Object -TypeName System.Security.Principal.NTAccount($sGroup)
    # Inheritance flags: full inheritance.
    if ((Get-Item $sPath).PSIsContainer) {
        $oInheritanceFlags = (`
            [System.Security.AccessControl.InheritanceFlags]::ObjectInherit `
            -bor [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    } else {
        $oInheritanceFlags = `
            [System.Security.AccessControl.InheritanceFlags]::None
    }
    $oPropagationFlags = [System.Security.AccessControl.PropagationFlags]::None
    # Creating access control entry and adding it to the ACL.
    $oAce = New-Object `
        -TypeName System.Security.AccessControl.FileSystemAccessRule `
        ($oGroup, $cRights, $oInheritanceFlags, $oPropagationFlags, $oType)
    $oAcl = Get-Acl -Path $sPath
    $oAcl.AddAccessRule($oAce)
    Set-Acl -Path $sPath -AclObject $oAcl
    return $null
}
Example usage (adding Modify permissions for the Authenticated Users group):
$sGroup = "NT AUTHORITY\Authenticated Users"
$sRights = "Delete, Read, Traverse, Write"
Add-AclEntry -sPath $sFolder -sGroup $sGroup -sRights $sRights
Hope that helps.
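
Added example, not part of the question or the answer above: one way to cover both points of the question, granting the group Modify on "this folder, subfolders and files" (ContainerInherit and ObjectInherit with propagation None) and cutting inheritance from the parent with SetAccessRuleProtection. DOMAIN\GROUP and the path are the question's placeholders; keeping full control for BUILTIN\Administrators and SYSTEM is an assumption added here so the folder stays manageable once the inherited entries are gone.

```powershell
# Added example. $path and $group are the question's placeholder values.
$path  = 'C:\temp\test'
$group = 'DOMAIN\GROUP'

# Apply each entry to the folder itself, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Hypothetical helper: builds one allow rule with the flags above.
function New-FolderRule {
    param(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $inherit, $propagate, $allow
}

New-Item -Path $path -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $path

# First argument $true: protect the ACL from inheritance.
# Second argument $false: discard the inherited entries instead of copying them.
$acl.SetAccessRuleProtection($true, $false)

# Well-known SIDs (assumption of this example): BUILTIN\Administrators and SYSTEM.
$admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$system = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
$target = New-Object System.Security.Principal.NTAccount($group)

$acl.AddAccessRule((New-FolderRule -Identity $admins -Rights 'FullControl'))
$acl.AddAccessRule((New-FolderRule -Identity $system -Rights 'FullControl'))
$acl.AddAccessRule((New-FolderRule -Identity $target -Rights 'Modify'))

Set-Acl -Path $path -AclObject $acl

# Check the result: every entry should show IsInherited = False.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited,
                 InheritanceFlags, PropagationFlags -AutoSize
```

Run it from an elevated session, and review the final table before relying on the folder: any identity not listed there no longer has access through the parent.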