
I have thousands of folders where I need to change the users who have Full Control access to Modify access. Here is a list of what I have:

  1. A script to change NTFS permissions:

    $acl = Get-Acl "G:\Folder"
    $acl | Format-List
    $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    #second $true on the following line turns on inheritance, $False turns off
    $acl.SetAccessRuleProtection($True, $True)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("My-ServerTeam","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl "G:\Folder" $acl
    Get-Acl "G:\Folder" | Format-List

  2. A text file containing the directories and the users that need to be changed from Full Control to Modify.

I can always create a variable for the path and/or username and build a ForEach loop, but I'm not sure how to change the users that exist in each folder's ACL to Modify while keeping the Administrators account at Full Control. Any help would be appreciated.


1 Answer


Went another route and got what I needed. I'm not surprised no one tried to help me on this one... it was tough. I'll post the scripts for the next person who has this issue. There are two scripts. The first I obtained from the internet and altered a bit. The second script launches the first with the parameters required to automate.

First Script Named SetFolderPermission.ps1:

param ([string]$Path, [string]$Access, [string]$Permission = ("Modify"), [switch]$help)
function GetHelp() {
$HelpText = @"

DESCRIPTION:
NAME: SetFolderPermission.ps1
Sets FolderPermissions for User on a Folder.
Creates folder if not exist.

PARAMETERS: 
-Path           Folder to Create or Modify (Required)
-Access         User who should have access (Required)
-Permission     Specify Permission for User, Default set to Modify (Optional)
-help           Prints the HelpFile (Optional)

SYNTAX:
./SetFolderPermission.ps1 -Path C:\Folder\NewFolder -Access Domain\UserName -Permission FullControl

Creates the folder C:\Folder\NewFolder if it doesn't exist.
Sets Full Control for Domain\UserName

./SetFolderPermission.ps1 -Path C:\Folder\NewFolder -Access Domain\UserName

Creates the folder C:\Folder\NewFolder if it doesn't exist.
Sets Modify (Default Value) for Domain\UserName

./SetFolderPermission.ps1 -help

Displays the help topic for the script

Below Are Available Values for -Permission

"@
$HelpText

[system.enum]::getnames([System.Security.AccessControl.FileSystemRights])

}

<#
function CreateFolder ([string]$Path) {

    # Check if the folder Exists

    if (Test-Path $Path) {
        Write-Host "Folder: $Path Already Exists" -ForeGroundColor Yellow
    } else {
        Write-Host "Creating $Path" -Foregroundcolor Green
        New-Item -Path $Path -type directory | Out-Null
    }
}
#>

function SetAcl ([string]$Path, [string]$Access, [string]$Permission) {

    # Get ACL on Folder

    $GetACL = Get-Acl $Path

    # Set up AccessRule

    $Allinherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $Allpropagation = [system.security.accesscontrol.PropagationFlags]"None"
    $AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($Access, $Permission, $AllInherit, $Allpropagation, "Allow")

    # Check if Access Already Exists

    if ($GetACL.Access | Where {$_.IdentityReference -eq $Access}) {

        Write-Host "Modifying Permissions For: $Access on directory: $Path" -ForeGroundColor Yellow

        # Reset (enum value 2): remove the identity's existing rules, then add $AccessRule
        $AccessModification = [System.Security.AccessControl.AccessControlModification]::Reset
        $Modification = $False
        $GetACL.ModifyAccessRule($AccessModification, $AccessRule, [ref]$Modification) | Out-Null
    } else {

        Write-Host "Adding Permission: $Permission For: $Access"

        $GetACL.AddAccessRule($AccessRule)
    }

    Set-Acl -aclobject $GetACL -Path $Path

    Write-Host "Permission: $Permission Set For: $Access on directory: $Path" -ForeGroundColor Green
}

if ($help) { GetHelp }

if ($Access -AND $Permission) { 
    SetAcl $Path $Access $Permission
}

The next script calls the first script and adds the needed parameters. A CSV containing 2 columns with the folders and usernames with full control.

$path = "C:\Scripts\scandata\TwoColumnCSVwithPathandUserwithFullControl.csv"
$csv = Import-csv -path $path
foreach ($line in $csv) {
    $dir        = $line.Path
    $DomUser    = $line.IdentityReference
    $Perm       = "Modify"
    $scriptPath = "C:\Scripts\SetFolderPermission.ps1"
    # The call operator passes each value as a single argument, so paths with spaces work
    # and CSV content is never parsed as PowerShell code, as Invoke-Expression would do.
    & $scriptPath -Path $dir -Access $DomUser -Permission $Perm
}
answered 2013-05-16T13:58:37.717
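
For the original question (lower every existing FullControl entry to Modify while Administrators stay at FullControl), the folder's own ACL can drive the change, so no per-user list is needed. The following is an added example, not part of the original answer; the function name `Convert-FullControlToModify`, the `-Keep` list and the demo folder are assumptions.

```powershell
# Added example: the function name and the -Keep list are hypothetical.
function Convert-FullControlToModify {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Path,
        # Assumed list of identities that keep FullControl (English account names).
        [string[]]$Keep = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    process {
        $rights = [System.Security.AccessControl.FileSystemRights]
        $allow  = [System.Security.AccessControl.AccessControlType]::Allow
        $acl    = Get-Acl -LiteralPath $Path
        $downgraded = @()

        foreach ($rule in @($acl.Access)) {
            # Inherited ACEs cannot be edited here; they must be fixed on the parent folder.
            if ($rule.IsInherited -or $rule.AccessControlType -ne $allow) { continue }
            # Only ACEs stored as FullControl; generic-rights ACEs (e.g. 268435456) are not handled.
            if ($rule.FileSystemRights -ne $rights::FullControl) { continue }
            if ($Keep -contains $rule.IdentityReference.Value) { continue }

            # Same identity and inheritance flags, rights lowered to Modify.
            $ruleArgs = $rule.IdentityReference, $rights::Modify,
                        $rule.InheritanceFlags, $rule.PropagationFlags, $allow
            $modify = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
            $acl.RemoveAccessRuleSpecific($rule)
            $acl.AddAccessRule($modify)
            $downgraded += $rule.IdentityReference.Value
        }

        $what = "FullControl -> Modify for $($downgraded -join ', ')"
        if ($downgraded.Count -gt 0 -and $PSCmdlet.ShouldProcess($Path, $what)) {
            Set-Acl -LiteralPath $Path -AclObject $acl
        }
        # One record per folder, usable as a change log.
        [pscustomobject]@{ Path = $Path; Downgraded = $downgraded }
    }
}

# Constructed demo on a throwaway folder: seed an explicit FullControl ACE, then dry-run.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$seed = Get-Acl -LiteralPath $demo
$seed.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -LiteralPath $demo -AclObject $seed
Convert-FullControlToModify -Path $demo -WhatIf   # reports the planned change, writes nothing
```

Because `-Path` binds by property name, the `Path` column of the CSV from the answer can be piped in directly: `Import-Csv $path | Select-Object Path -Unique | Convert-FullControlToModify -WhatIf`. Drop `-WhatIf` once the reported changes look right.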