2

在尝试从用户的主驱动器中删除域用户时,我发现 Powershell 3.0 出现不寻常的情况,并想联系以查看是否有人对原因有任何想法。

伪代码,这样你就可以理解我想要做什么

 Create a new folder
 Grant User access to write their home drive
 Remove Inherited Permissions from folder
 Remove general access from all Domain Users

实际代码(为简单起见删除了错误处理)

$UserName = "auser"
$Path = "\\domain.com\user\users\" + $UserName
$UserIdentityReference = "DOMAIN\" + $UserName

$NewFolder = New-Item -ItemType directory -Path $Path

#Need to allow the user to write to the folder
$GrantUserAccesRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserIdentityReference, @("ListDirectory", "ReadData", "WriteData", "CreateFiles", "CreateDirectories", "AppendData", "ReadExtendedAttributes", "WriteExtendedAttributes", "Traverse", "ExecuteFile", "ReadAttributes", "WriteAttributes", "Write", "ReadPermissions", "Read", "ReadAndExecute", "Modify", "Synchronize"), "ContainerInherit,ObjectInherit", "None", "Allow")
$acl = Get-Acl $NewFolder
$acl.AddAccessRule($GrantUserAccesRule)
Set-Acl -aclobject $acl -Path $NewFolder

# Remove inheritence from parent folder.
$acl = Get-Acl $NewFolder
$acl.SetAccessRuleProtection($true,$true)
Set-Acl -aclobject $acl -Path $NewFolder

#Need to prevent any domain user from accessing the folder
$acl = Get-Acl $NewFolder
$RemoveDomainUsersACLRule = $acl | Select -ExpandProperty Access | where-object {$_.IdentityReference -eq $UserIdentityReference}
$acl.RemoveAccessRule($RemoveDomainUsersACLRule)
#ERROR OCCURS HERE
Set-Acl -aclobject $acl -Path $NewFolder

错误是:

Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At line:4 char:3
+   Set-Acl -aclobject $acl -Path $NewFolder
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo          : PermissionDenied: (\\gifs.com\user\users\tautomation:String) [Set-Acl], PrivilegeNotHeldException
  + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

奇怪的是,我一执行SetAccessRuleProtection($true,$true),就无法添加角色,也无法移除刚刚添加的角色。

我尝试过的事情

  • 我可以删除我添加的角色,只要我在 SetAccessRuleProtection 之前执行它。

  • 从文件资源管理器中手动删除“域用户”组有效。

  • 以提升的用户身份运行 powershell。这没什么区别

研究已经完成: 我已阅读 http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-在-powershell.aspx

4

1 回答 1

4

听起来像这个 Connect 错误。我总是建议对文件/文件夹使用 SetAccessControl() 而不是使用 Set-Acl(Set-Acl 对文件系统有一些问题)。我会将所有 Set-Acl 调用更改为此:

(Get-Item $NewFolder).SetAccessControl($acl)
于 2015-09-16T03:44:15.977 回答