我的新雇主为数百个用户设置了文件夹redirect,而设置它的人并不知道他在做什么。 因此,没有遵循redirect的文件夹/主目录上的权限的最佳做法 。
让人们访问他们redirect的文件夹位置的解决scheme是,将“ Full Control权限(当然是NTFS权限,不是“共享”权限)应用于根目录(“主目录”)的Everyone并将其传播到所有子文件夹和文件在根之下。
什么可能会出错,对吗? 这不像CEO的“ My Documents文件夹中有机密信息,或者任何人将感染CryptoWall并encryption其他人的文件。 对?
所以,无论如何,现在CryptoWall感染已被删除,备份已经恢复,许多人希望我们用不太可怕的东西replace当前的权限,我想不必点击几个权限对话百个文件夹。
PowerShell如何为我解决这个问题,让生活重新过得去?
感谢JScott将我引用到System.Security.Principal …类或方法,或者任何它,一些PowerShell用一组子文件夹replace那些适合用户主目录的ACL:
$Root = "Path to the root folder that holds all the user home directories" $Paths = Get-ChildItem $Root | Select-Object -Property Name,FullName $DAAR = New-Object system.security.accesscontrol.filesystemaccessrule("MyDomain\Domain Admins","FullControl","ContainerInherit, ObjectInherit","None","Allow") #Domain Admin Access Rule. $SysAR = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow") #SYSTEM Access Rule. foreach ($Folder in $Paths) { Write-Host "Generating ACL for $($folder.FullName) ... " #For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output. $ACL = New-Object System.Security.AccessControl.DirectorySecurity #Creates a blank ACL object to add access rules into, also blanks out the ACL for each iteration of the loop. $objUser = New-Object System.Security.Principal.NTAccount("MyDomain\"+$folder.name) #Creating the right type of User Object to feed into our ACL, and populating it with the user whose folder we're currently on. $UserAR = New-Object system.security.accesscontrol.filesystemaccessrule( $objuser ,"FullControl","ContainerInherit, ObjectInherit","None","Allow") #Access Rule for the user whose folder we're dealing with during this iteration. $acl.SetOwner($objUser) $acl.SetAccessRuleProtection($true, $false) #Change the inheritance/propagation settings of the folder we're dealing with $acl.SetAccessRule($UserAR) $acl.SetAccessRule($DAAR) $acl.SetAccessRule($SysAR) Write-Host "Changing ACL on $($folder.FullName) to:" $acl | fl #For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output. Set-Acl -Path $Folder.Fullname -ACLObject $acl }
如果主文件夹/redirect文件夹设置为“授予用户专有权”,则以前的答案将不起作用。 这是因为当select了这个不被推荐的选项时,只有SYSTEM和THE USER才有这个文件夹的权限。 然后,您不能更改该权限(即使是pipe理员),而无需获得该文件夹的所有权。
这是一个解决这个问题的方法,而不需要拥有所有权。 这是一个两步的过程。
创build一个运行ICACLS的powershell脚本来修改文件夹和子文件夹的权限。
运行PSexec启动Powershell脚本。
采取和修改: https : //mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/
1创build/复制/盗取PowerShell脚本(需要PS 3.0或更好)
#ChangePermissions.ps1 # CACLS rights are usually # F = FullControl # C = Change # R = Readonly # W = Write $StartingDir= "c:\shares\users" ##Path to root of users home dirs $Principal="domain\username" #or "administrators" $Permission="F" $Verify=Read-Host `n "You are about to change permissions on all" ` "files starting at"$StartingDir.ToUpper() `n "for security"` "principal"$Principal.ToUpper() ` "with new right of"$Permission.ToUpper()"."`n ` "Do you want to continue? [Y,N]" if ($Verify -eq "Y") { foreach ($FOLDER in $(Get-ChildItem -path $StartingDir -directory -recurse)) { $temp = $Folder.fullname CACLS `"$temp`" /E /P `"${Principal}`":${Permission} >$NULL #write-host $Folder.FullName } }
从命令行:
psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"