在我们的组织中,我们的网络共享驱动器分为用于各个组/部门/项目或协作的根/父级文件夹。
典型的结构如下: 会计(根/父级) 每个人(第二级/子级) 管理员(第二级/子级) 共享(第二级/子级)
我们将为帐户分配一个根级别组,该组仅提供对此文件夹的读取访问权限。然后在第二级分配Read/Write和ReadOnly组,它们是根级组的成员。用户被分配到第二级组,访问权限仅在第二级管理。
我已经使用帮助脚本创建了一个全新的根文件夹,创建了6个安全组,正确分配了权限,并为每个文件夹分配了一些必需的通用用户。
现在,我想在脚本中增加一步:首先询问用户是从头开始创建新的根文件夹,还是添加到现有的文件夹结构中?
如果是添加到现有文件夹结构中,我该如何遍历“G驱动器”,让用户选择要添加到的根文件夹,显示并选择在该根级别文件夹中分配的安全组,然后创建两个新的安全组并分配正确的访问权限?
我的原始脚本如下。
我正在尝试遍历我们的G驱动器,让用户选择一个文件夹,然后显示分配的访问权限,但是我不知道如何让他们选择一个选项并将其赋值给变量,或者这是否是最好的方法。
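Import-Module ActiveDirectory

# Root of the group share; every new top-level folder is created directly under it.
$path = "\\earth\data\group\"

$newFolderName = Read-Host -Prompt "Enter Name of New Folder"

# The name becomes both a directory name under $path and part of six AD group
# sAMAccountNames. Reject an empty answer, "." / "..", path separators (which would
# place the folder outside $path) and the characters AD does not allow in a
# sAMAccountName ( " / \ [ ] : ; | = , + * ? < > ).
if ([string]::IsNullOrWhiteSpace($newFolderName) -or
    $newFolderName -eq '.' -or $newFolderName -eq '..' -or
    $newFolderName -match '[\\/"\[\]:;|=,+*?<>]') {
    throw "Invalid folder name: '$newFolderName'"
}

# Join-Path normalises the separator instead of relying on the trailing '\' in $path.
$newFolderFull = Join-Path -Path $path -ChildPath $newFolderName
Write-Output "New Folder will be: $newFolderFull"
$confirm = Read-Host "Confirm? Y/N"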
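# Read-Host returns a string; -eq on strings is case-insensitive, so "y" and "Y" both confirm.
if ($confirm -eq "y")
{
    Write-Output "Create AD Groups"

    # Naming scheme: one "EG_P-<folder>" parent group (root traversal) plus one
    # RW/RF pair per subfolder. All six are created in the same OU.
    $groupOU = "OU=SecurityGroups,OU=Metro,DC=metrogr,DC=org"
    $groupNamePGroup        = "EG_P-$newFolderName"
    $groupNameAdminRW       = "EG-$newFolderName-Admin-RW"
    $groupNameAdminRF       = "EG-$newFolderName-Admin-RF"
    $groupNameEveryoneRW    = "EG-$newFolderName-Everyone-RW"
    $groupNameEveryoneRF    = "EG-$newFolderName-Everyone-RF"
    $groupNameScannedDocsRW = "EG-$newFolderName-ScannedDocs-RW"

    # -ErrorAction Stop: if a group cannot be created (e.g. it already exists) stop
    # here rather than creating folders and ACL rules that reference a group which
    # does not exist; AddAccessRule would fail later on the unresolvable identity.
    foreach ($groupName in @($groupNamePGroup, $groupNameAdminRW, $groupNameAdminRF,
                             $groupNameEveryoneRW, $groupNameEveryoneRF, $groupNameScannedDocsRW)) {
        New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope DomainLocal -Path $groupOU -ErrorAction Stop
    }

    Write-Output "Add Folder.."
    $adminFolder       = Join-Path -Path $newFolderFull -ChildPath "Admin"
    $everyoneFolder    = Join-Path -Path $newFolderFull -ChildPath "Everyone"
    $scannedDocsFolder = Join-Path -Path $newFolderFull -ChildPath "ScannedDocs"
    New-Item -Path $newFolderFull -ItemType Directory
    New-Item -Path $adminFolder -ItemType Directory
    New-Item -Path $everyoneFolder -ItemType Directory
    New-Item -Path $scannedDocsFolder -ItemType Directory
    New-Item -Path (Join-Path -Path $everyoneFolder -ChildPath "ScannedDocs") -ItemType Directory

    Write-Output "Remove Inheritance.."
    # /inheritance:d disables inheritance and keeps the inherited ACEs as explicit
    # copies; the copied "Domain Users" ACE is removed again below. Everyone\ScannedDocs
    # is not processed here and so keeps inheriting from Everyone.
    foreach ($folder in @($newFolderFull, $adminFolder, $everyoneFolder, $scannedDocsFolder)) {
        icacls $folder /inheritance:d
    }

    # Rights (single comma-separated flags string for the combined RW value)
    $readOnly  = [Security.AccessControl.FileSystemRights]"ReadAndExecute"
    $readWrite = [Security.AccessControl.FileSystemRights]"Write, DeleteSubdirectoriesAndFiles, ReadAndExecute"
    # Inheritance: subfolder ACEs flow to files and subfolders; the root ACE is
    # "this folder only" so the parent group can traverse but not read the children.
    $inheritanceFlag     = [Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $rootInheritanceFlag = [Security.AccessControl.InheritanceFlags]"None"
    # Propagation
    $propagationFlag = [Security.AccessControl.PropagationFlags]::None
    # User Groups
    $PUserRF           = New-Object System.Security.Principal.NTAccount($groupNamePGroup)
    $AdminUserRW       = New-Object System.Security.Principal.NTAccount($groupNameAdminRW)
    $AdminUserRF       = New-Object System.Security.Principal.NTAccount($groupNameAdminRF)
    $EveryoneUserRW    = New-Object System.Security.Principal.NTAccount($groupNameEveryoneRW)
    $EveryoneUserRF    = New-Object System.Security.Principal.NTAccount($groupNameEveryoneRF)
    $ScannedDocsUserRW = New-Object System.Security.Principal.NTAccount($groupNameScannedDocsRW)
    # Type
    $type = [Security.AccessControl.AccessControlType]::Allow

    # Add Group membership: all five subfolder groups nest in the parent group so
    # their members get the root "this folder only" read ACE; the scanner account is
    # a member of the two RW groups that receive scanned documents.
    $scannerAccount = "NDPSSCAN"
    Add-ADGroupMember -Identity $groupNamePGroup -Members $groupNameAdminRW,$groupNameAdminRF,$groupNameEveryoneRW,$groupNameEveryoneRF,$groupNameScannedDocsRW
    Add-ADGroupMember -Identity $groupNameEveryoneRW -Members $scannerAccount
    Add-ADGroupMember -Identity $groupNameScannedDocsRW -Members $scannerAccount

    # ACL
    $accessControlEntryDefault       = New-Object System.Security.AccessControl.FileSystemAccessRule @("Domain Users", $readOnly, $inheritanceFlag, $propagationFlag, $type)
    $accessControlRootEntryRF        = New-Object System.Security.AccessControl.FileSystemAccessRule @($PUserRF, $readOnly, $rootInheritanceFlag, $propagationFlag, $type)
    $accessControlAdminEntryRW       = New-Object System.Security.AccessControl.FileSystemAccessRule @($AdminUserRW, $readWrite, $inheritanceFlag, $propagationFlag, $type)
    $accessControlAdminEntryRF       = New-Object System.Security.AccessControl.FileSystemAccessRule @($AdminUserRF, $readOnly, $inheritanceFlag, $propagationFlag, $type)
    $accessControlEveryoneEntryRW    = New-Object System.Security.AccessControl.FileSystemAccessRule @($EveryoneUserRW, $readWrite, $inheritanceFlag, $propagationFlag, $type)
    $accessControlEveryoneEntryRF    = New-Object System.Security.AccessControl.FileSystemAccessRule @($EveryoneUserRF, $readOnly, $inheritanceFlag, $propagationFlag, $type)
    $accessControlScannedDocsEntryRW = New-Object System.Security.AccessControl.FileSystemAccessRule @($ScannedDocsUserRW, $readWrite, $inheritanceFlag, $propagationFlag, $type)

    # Wait 5 seconds (Script was running to quickly and having issues with ACL)
    # NOTE(review): the delay presumably papers over AD replication lag between the DC
    # that created the groups and the one that resolves them when the rules are
    # applied; pinning -Server on the AD cmdlets to a single DC would be
    # deterministic — confirm before relying on the sleep.
    foreach ($remaining in 5..1) {
        Write-Output "Wait $remaining"
        Start-Sleep 1
    }

    # Set Access Controls
    # Using SetAccessControl instead of Set-ACL as InfoSec accounts don't have the required security permission
    $aclPlan = @(
        @{ Path = $newFolderFull;     Rules = @($accessControlRootEntryRF) },
        @{ Path = $adminFolder;       Rules = @($accessControlAdminEntryRW, $accessControlAdminEntryRF) },
        @{ Path = $everyoneFolder;    Rules = @($accessControlEveryoneEntryRW, $accessControlEveryoneEntryRF) },
        @{ Path = $scannedDocsFolder; Rules = @($accessControlScannedDocsEntryRW) }
    )
    foreach ($entry in $aclPlan) {
        $objACL = Get-Acl -Path $entry.Path
        # Drop the explicit "Domain Users" read ACE copied in by /inheritance:d
        # (assumes the share root grants Domain Users ReadAndExecute — confirm).
        $objACL.RemoveAccessRuleAll($accessControlEntryDefault)
        foreach ($rule in $entry.Rules) {
            $objACL.AddAccessRule($rule)
        }
        (Get-Item -Path $entry.Path).SetAccessControl($objACL)
    }
}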
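# List the existing root folders under the group share ($path is defined at the top
# of the script) and let the operator pick one by number. @() forces an array so a
# single match can still be indexed.
$folders = @(Get-ChildItem -Path $path | Where-Object { $_.PSIsContainer })
if ($folders.Count -eq 0) {
    throw "No folders found under $path"
}

# folder list (numbered from 1 so the prompt matches what is displayed)
for ($i = 0; $i -lt $folders.Count; $i++) {
    "$($i + 1) : $($folders[$i].FullName)"
}

$choice = Read-Host -Prompt "Which folder would you like to add too?"
$index = 0
# Validate before indexing: a non-numeric answer throws on subtraction, "0" would
# become index -1 (the *last* folder) and an out-of-range number yields $null.
if (-not [int]::TryParse($choice, [ref]$index) -or $index -lt 1 -or $index -gt $folders.Count) {
    throw "Invalid choice '$choice'; enter a number between 1 and $($folders.Count)"
}
$rootFolder = $folders[$index - 1]
$rootFolder

Write-Output "Please verify a valid EG_P Group"
# Use FullName explicitly rather than string-interpolating the DirectoryInfo.
# 'Access' requests only the DACL section, which is all that is displayed here.
((Get-Item -Path $rootFolder.FullName).GetAccessControl('Access')).Access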