1

我必须删除所有普通用户(即非管理员)的目录(及其子目录和文件)的所有权限。

我在 PowerShell 中尝试了以下操作,但什么也没发生:

New-Item "C:\Test" -type Directory
$acl=get-acl "C:\Test"
$inherit=[system.security.accesscontrol.InheritanceFlags]"ContainerInherit,ObjectInherit"
$propagation=[system.security.accesscontrol.Propagation]"None"
$ar=New-Object system.security.accesscontrol.FileSystemAccessRule("Users","FullControl",$inherit,$propagation,"Allow")
$acl.RemoveAccessRuleAll($ar)
Set-Acl "C:\Test" $acl

如果我尝试$env:computername\Users(而不仅仅是Users)我会收到以下错误: Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated.

为了识别所有用户,我必须传递什么身份?

4

2 回答 2

4

这将做到:

function AddNTFSPermissions($path, $object, $permission) {
    $FileSystemRights = [System.Security.AccessControl.FileSystemRights]$permission
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]"None"
    $AccessControlType =[System.Security.AccessControl.AccessControlType]::Allow
    $Account = New-Object System.Security.Principal.NTAccount($object)
    $FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $FileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType)
    $DirectorySecurity = Get-ACL $path
    $DirectorySecurity.AddAccessRule($FileSystemAccessRule)
    Set-ACL $path -AclObject $DirectorySecurity
}

function RemoveNTFSPermissions($path, $object, $permission) {
    $FileSystemRights = [System.Security.AccessControl.FileSystemRights]$permission
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]"None"
    $AccessControlType =[System.Security.AccessControl.AccessControlType]::Allow
    $Account = New-Object System.Security.Principal.NTAccount($object)
    $FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $FileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType)
    $DirectorySecurity = Get-ACL $path
    $DirectorySecurity.RemoveAccessRuleAll($FileSystemAccessRule)
    Set-ACL $path -AclObject $DirectorySecurity
}

function RemoveInheritance($path) {
    $isProtected = $true
    $preserveInheritance = $true
    $DirectorySecurity = Get-ACL $path
    $DirectorySecurity.SetAccessRuleProtection($isProtected, $preserveInheritance)
    Set-ACL $path -AclObject $DirectorySecurity
}

# Create folder
$Path = "C:\Test"
New-Item $Path -Type Directory

# Remove permissions
RemoveInheritance $Path
RemoveNTFSPermissions $Path "Authenticated Users" "Modify, ChangePermissions"
RemoveNTFSPermissions $Path "Users" "Modify, ChangePermissions"
于 2012-07-14T01:17:18.173 回答
0

首先,您是否真的尝试过:

$($env:computername\Users)

你能试一下吗 :

$(WinNT://WORKGROUP/$env:computername/Utilisateurs)

看看:

$obj = [ADSI]"WinNT://$env:COMPUTERNAME"
$obj.children | where {$_.name -eq "users"} | fl *
于 2012-07-13T06:37:21.060 回答