Hop*_*00b 22 windows powershell active-directory home-directory folder-redirection
我的新雇主为其数百名用户设置了文件夹重定向,而设置它的人并不真正知道他在做什么。因此,没有遵循重定向文件夹/主目录权限的最佳实践。
让人们访问其重定向文件夹位置的解决方案是将Full Control权限(NTFS 权限,当然不是“共享”权限)应用到Everyone根目录(“Home”)并将其向下传播到根目录下的所有子文件夹和文件.
什么可能出错,对吧?这不像 CEO 在他的My Documents文件夹中有机密信息,或者任何人都会感染 CryptoWall 并加密其他人的文件。对?
所以,无论如何,既然 CryptoWall 感染已被删除并已恢复备份,许多人希望我们用不那么可怕的东西替换当前的权限,我希望不必在几个权限对话框中单击一百个文件夹。
PowerShell 如何为我解决这个问题,让生活重新变得有价值?
Hop*_*00b 18
感谢 JScott向我推荐System.Security.Principal... 类或方法或其他任何东西,一些 PowerShell 将一堆子文件夹上的 ACL 替换为适合用户主目录的 ACL:
$Root = "Path to the root folder that holds all the user home directories"
$Paths = Get-ChildItem $Root | Select-Object -Property Name,FullName
$DAAR = New-Object system.security.accesscontrol.filesystemaccessrule("MyDomain\Domain Admins","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Domain Admin Access Rule.
$SysAR = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#SYSTEM Access Rule.
foreach ($Folder in $Paths)
{
Write-Host "Generating ACL for $($folder.FullName) ... "
#For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.
$ACL = New-Object System.Security.AccessControl.DirectorySecurity
#Creates a blank ACL object to add access rules into, also blanks out the ACL for each iteration of the loop.
$objUser = New-Object System.Security.Principal.NTAccount("MyDomain\?"+$folder.name)
#Creating the right type of User Object to feed into our ACL, and populating it with the user whose folder we're currently on.
$UserAR = New-Object system.security.accesscontrol.filesystemaccessrule( $objuser ,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Access Rule for the user whose folder we're dealing with during this iteration.
$acl.SetOwner($objUser)
$acl.SetAccessRuleProtection($true, $false)
#Change the inheritance/propagation settings of the folder we're dealing with
$acl.SetAccessRule($UserAR)
$acl.SetAccessRule($DAAR)
$acl.SetAccessRule($SysAR)
Write-Host "Changing ACL on $($folder.FullName) to:"
$acl | fl
#For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.
Set-Acl -Path $Folder.Fullname -ACLObject $acl
}
| 归档时间: |
|
| 查看次数: |
2668 次 |
| 最近记录: |