I am new to PS scripting. I have just started writing a script to find out whether folders are permissioned correctly for their users. The folder name and the AD account name are the same: if the folder is named XX11223, then user XX11223 should have access to that particular folder. Folders that are not permissioned correctly should be printed to a file. Can someone please help.
$Paths = Get-Content "Path.txt" | Select-Object -Unique
# To get the subfolders for which the permissions have to be checked
$Folder = foreach ($Path in $Paths) {
    Write-Host $Path -ForegroundColor Green
    # PSIsContainer also catches folders that carry extra attributes (Hidden, ReadOnly), which 'Attributes -eq Directory' misses
    Get-ChildItem $Path | Where-Object { $_.PSIsContainer } | Select-Object -ExpandProperty FullName
}
# To get the ACLs for the list of folders from above
# ($Folder already holds the folder paths; Get-Content would try to open each of them as a file)
$ACLS = $Folder
$Out = foreach ($ACL in $ACLS) {
    Write-Host $ACL -ForegroundColor Cyan
    Get-Acl $ACL | Select-Object AccessToString
}
I am stuck here and do not know how to proceed. :(
Answer 0 (score: 4)
It all depends on what constitutes "proper permissions", but if you expect the user to have FullControl on their folder, you can do the following:
Retrieve the ACL of each folder:
$FolderAcl = Get-Acl $path
Construct an NTAccount object representing the account that corresponds to the folder:
$Account = New-Object System.Security.Principal.NTAccount "DOMAIN\user"
Then take, from the ACL, all explicit access rule entries that grant FullControl to the account in question:
$FullControl = $FolderAcl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) | Where-Object {
    $_.FileSystemRights -eq "FullControl" -and
    $_.AccessControlType -eq "Allow" -and
    $_.IdentityReference -eq $Account
}
If $FullControl is $null (i.e. no such access rule was found), print the path to the file:
if (-not $FullControl) {
    # -Append, otherwise each folder that fails overwrites the previous result
    $path | Out-File C:\wrongPermissions.txt -Append
}
If you want to find the ACEs that carry the Modify right, including those where Modify is contained in a broader right (such as FullControl), you can do a bitwise AND against the value of Modify, like so:
$ModifyValue = [System.Security.AccessControl.FileSystemRights]::Modify -as [int]
$ACEswithModify = $FolderAcl.Access | Where-Object { ($_.FileSystemRights -band $ModifyValue) -eq $ModifyValue }
Answer 1 (score: 0)
Here is my attempt:
$Paths = Get-Content "Path.txt" | Select-Object -Unique
# To get the subfolders for which the permissions have to be checked
$Folder = foreach ($Path in $Paths) {
    Write-Host $Path -ForegroundColor Green
    Get-ChildItem $Path | Where-Object { $_.PSIsContainer } | Select-Object -ExpandProperty FullName
}
# $Folder already holds the folder paths, so they are used directly (Get-Content would try to open them as files)
$ACLS = $Folder
$Out = foreach ($ACL in $ACLS) {
    $accessOK = $false
    Write-Host $ACL -ForegroundColor Cyan
    $folderName = (Get-Item $ACL).Name
    (Get-Acl $ACL).Access | ForEach-Object {
        # user part of DOMAIN\user must equal the folder name; -eq rather than -match, so "XX1122" does not match "XX11223"
        if ($_.IdentityReference.ToString().Split("\")[1] -eq $folderName) {
            if ($_.AccessControlType -eq "Allow") {
                $accessOK = $true
            }
        }
    }
    if (-not $accessOK) { $ACL }
}
$Out should then contain only the paths to which the user named after the folder has no access.
Comment: your naming may be misleading. I would not call a variable $ACL when it actually contains a string that is a full path :). That is why I did not touch the rest of the code. I will try to show what I mean with a rewrite:
$rootList = Get-Content "Path.txt" | Select-Object -Unique
$pathList = foreach ($root in $rootList) {
    Write-Host $root -ForegroundColor Green
    # with powershell 3
    Get-ChildItem $root -Directory | Select-Object -ExpandProperty FullName
}
$Out = foreach ($path in $pathList) {
    $accessOK = $false
    Write-Host $path -ForegroundColor Cyan
    $folderName = (Get-Item $path).Name
    (Get-Acl $path).Access | ForEach-Object {
        if ($_.IdentityReference.ToString().Split("\")[1] -eq $folderName) {
            if ($_.AccessControlType -eq "Allow") {
                $accessOK = $true
            }
        }
    }
    if (-not $accessOK) { $path }
}
Answer 2 (score: 0)
Thanks @Sodawillow and @Mathias.
I tried combining the two pieces of code and wrote a new one to get the desired output. The user should have "Modify" access to the folder. But all the paths are written to the file. Please check the code below and advise.
$rootList = Get-Content "Path.txt" | Select-Object -Unique
$pathList = foreach ($root in $rootList) {
    Write-Host $root -ForegroundColor Green
    Get-ChildItem $root -Directory | Select-Object -ExpandProperty FullName
}
foreach ($path in $pathList) {
    $folderName = (Get-Item $path).Name
    $FolderAcl = (Get-Acl $path).Access
    $Permission = $FolderAcl | Where-Object {
        $_.FileSystemRights -like "*Modify*" -and
        $_.IdentityReference -like "*$folderName*"
    }
    if (-not $Permission) {
        $path >> wrongPermissions.txt
    }
}
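The bitwise Modify check from Answer 0 and the string test in Answer 2 that reports every folder, worked through as one script. This is an added example and not code from the question or from either answer. It assumes the AD NetBIOS domain is DOMAIN, the root list is Path.txt and the report goes to wrongPermissions.txt; the function names are the example's own. The last section builds FileSystemAccessRule objects in memory (constructed sample data) so the check can be exercised without a share. It needs PowerShell 3 or later for Get-ChildItem -Directory.

```powershell
# Added example, not from the original question or answers.
# Assumptions: AD NetBIOS domain "DOMAIN", root list in Path.txt, report written to
# wrongPermissions.txt. Requires PowerShell 3+ (Get-ChildItem -Directory).

$ModifyBits = [int][System.Security.AccessControl.FileSystemRights]::Modify  # Modify = 0x301BF

function Test-HasRights {
    # Subset test on the rights bitmask: every bit of $Required must be present in $Granted.
    # A string test such as -like "*Modify*" cannot do this: FullControl stringifies as "FullControl".
    param([int]$Granted, [int]$Required)
    return (($Granted -band $Required) -eq $Required)
}

function Test-OwnerHasModify {
    # Looks only at ACEs whose identity is exactly $Account (DOMAIN\user).
    # Allow bits are OR-ed together and Deny bits are then removed, because NTFS
    # honours a Deny ACE ahead of an Allow ACE for the same principal.
    param(
        [System.Security.AccessControl.FileSystemAccessRule[]]$Rules,
        [string]$Account
    )
    $allowed = 0
    $denied  = 0
    foreach ($rule in $Rules) {
        if ($rule.IdentityReference.Value -ne $Account) { continue }
        $bits = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $bits }
        else                                     { $denied  = $denied  -bor $bits }
    }
    $effective = $allowed -band (-bnot $denied)
    return (Test-HasRights -Granted $effective -Required $ModifyBits)
}

function Invoke-FolderPermissionAudit {
    # Walks every root listed in $RootListPath, expects each subfolder to be usable by
    # $Domain\<folder name>, and writes the folders that fail that test to $ReportPath.
    param(
        [string]$RootListPath = 'Path.txt',
        [string]$Domain       = 'DOMAIN',
        [string]$ReportPath   = 'wrongPermissions.txt'
    )
    $roots = Get-Content -LiteralPath $RootListPath | Where-Object { $_.Trim() } | Select-Object -Unique
    $bad = @(foreach ($root in $roots) {
        foreach ($dir in Get-ChildItem -LiteralPath $root -Directory) {
            $account = "$Domain\$($dir.Name)"
            # $true,$true: explicit and inherited rules, identities rendered as NTAccount names
            $rules = (Get-Acl -LiteralPath $dir.FullName).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
            if (-not (Test-OwnerHasModify -Rules $rules -Account $account)) { $dir.FullName }
        }
    })
    # One write at the end instead of '>>' inside the loop, so a re-run does not append to stale results
    Set-Content -LiteralPath $ReportPath -Value $bad
    return $bad
}

# Offline check with constructed rules (sample data, no share needed). The identity is not
# resolved against AD until the rule is applied to a real object, so this runs anywhere.
$acc     = 'DOMAIN\XX11223'
$full    = New-Object System.Security.AccessControl.FileSystemAccessRule($acc, 'FullControl', 'Allow')
$readExe = New-Object System.Security.AccessControl.FileSystemAccessRule($acc, 'ReadAndExecute', 'Allow')
$denyWr  = New-Object System.Security.AccessControl.FileSystemAccessRule($acc, 'Write', 'Deny')
$someone = New-Object System.Security.AccessControl.FileSystemAccessRule('DOMAIN\XX99999', 'Modify', 'Allow')

Test-OwnerHasModify -Rules @($full)          -Account $acc  # FullControl only (its name never contains "Modify")
Test-OwnerHasModify -Rules @($readExe)       -Account $acc  # read-only ACE for the right user
Test-OwnerHasModify -Rules @($full, $denyWr) -Account $acc  # Allow FullControl plus a Deny on Write
Test-OwnerHasModify -Rules @($someone)       -Account $acc  # Modify granted, but to a different user
# Real run against the shares:  Invoke-FolderPermissionAudit -Domain 'CONTOSO'
```

The reason Answer 2 flags every folder is visible in the first constructed case: an account holding FullControl has Modify in the bitmask sense, but the enum's string form is "FullControl", so -like "*Modify*" never matches it. Two caveats on the audit itself: it only counts ACEs that name the user directly, so a user who receives Modify through a group is reported as missing, and it says nothing about over-broad grants (for example Everyone or Domain Users having Modify on a personal folder), which is a separate check worth adding to the same loop.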