我有一个types“文件共享”的群集资源,但是当我尝试configuration“安全”参数时,我得到以下错误(摘录):
Set-ClusterParameter : Parameter 'security' does not exist on the cluster object 使用cluster.exe我得到了一个更好的结果,即命令正常工作时通常没有。 但是,当我签入故障转移群集pipe理器的权限没有改变。 在Server 2003中,cluster.exe方法起作用。
有任何想法吗?
更新:
整个命令和错误。
PS C:\> $resource=get-clusterresource testshare PS C:\> $resource Name State Group ResourceType ---- ----- ----- ------------ testshare Offline Test File Share PS C:\> $resource|set-clusterparameter security "domain\account,grant,f" Set-ClusterParameter : Parameter 'security' does not exist on the cluster object 'testshare'. If you are trying to upda te an existing parameter, please make sure the parameter name is specified correctly. You can check for the current par ameters by passing the .NET object received from the appropriate Get-Cluster* cmdlet to "| Get-ClusterParameter". If yo u are trying to update a common property on the cluster object, you should set the property directly on the .NET object received by the appropriate Get-Cluster* cmdlet. You can check for the current common properties by passing the .NET o bject received from the appropriate Get-Cluster* cmdlet to "| fl *". If you are trying to create a new unknown paramete r, please use -Create with this Set-ClusterParameter cmdlet. At line:1 char:31 + $resource|set-clusterparameter <<<< security "domain\account,grant,f" + CategoryInfo : NotSpecified: (:) [Set-ClusterParameter], ClusterCmdletException + FullyQualifiedErrorId : Set-ClusterParameter,Microsoft.FailoverClusters.PowerShell.SetClusterParameterCommand
我发现了一个易于使用和明显的答案。 这很简单,人们可能不相信这是一个微软的解决scheme。
$ permissions是包含帐户(域\用户),权限(fullcontrol)和types(允许)的权限数组。
# create access rule based on permissions $rule = new-object system.security.accesscontrol.filesystemaccessrule $permissions # get an acl, remove access rules, add our rule $acl = get-acl "c:\" # need to get acl from root of drive to avoid inheritance $acl.access | foreach-object {$acl.removeaccessrule($_)} $acl.setaccessrule($rule) # get security descriptor from acl and convert to binary security descriptor $sddl = $acl.sddl $sdhelper = [wmiclass]"win32_securitydescriptorhelper" $binarysd = ($sdhelper.sddltobinarysd($sddl)).binarysd # get cluster resources from registry $resources = get-childitem "hklm:\cluster\resources" # ...with paths that powershell will understand $resources = $resources | foreach-object {$_.pspath} # find clustershare resource path $resource = $resources | where-object {(get-itemproperty $_ name).name -eq $clustershare} # derive path to resource parameters $parameters = "$resource\parameters" # configure security descriptor set-itemproperty $parameters "security descriptor" $binarysd
这真的很简单。
唯一的问题是,这只适用于一个节点,必须在每个节点上重复。 它确实存在故障转移(当共享失败回到节点时,在节点上设置的权限将重新出现)。 另外它只适用于“全面控制”,而不是“读取”或其他权限。 不知道为什么。
我不会接受这个答案,因为它确实不是。 但它似乎是最接近这个问题的解决scheme,在Windows Server 2003中根本不存在(cluster.exe可以设置共享权限),并且微软似乎并不在任何地方。