Setting inheritance and propagation flags with Set-Acl and PowerShell

Tim*_*Lee 44 permissions powershell file-permissions

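I'm trying to mimic the action of right-clicking a folder, setting "Modify" on it, and having the permissions apply to that specific folder and to its subfolders and files.

I'm mostly there using PowerShell, but the inheritance is only being set as "Subfolders and files" instead of the whole "This folder, subfolders and files".

Is there some unlisted flag for System.Security.AccessControl.PropagationFlags that will set this properly?

Here is what I'm working with so far.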

    $Folders = Get-ChildItem c:\TEMP\
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $objType = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($TempFolder in $Folders)
    {
        echo "Loop Iteration"
        $Folder = $TempFolder.FullName

        $acl = Get-Acl $Folder
        $permission = "domain\user","Modify", $InheritanceFlag, $PropagationFlag, $objType
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

        $acl.SetAccessRule($accessRule)
        Set-Acl $Folder $acl
    }

Nic*_*byn 70

Here's a table to help find the required flags for different permission combinations.

    ╔═════════════╦═════════════╦═══════════════════════════════╦════════════════════════╦══════════════════╦═══════════════════════╦═════════════╦═════════════╗
    ║             ║ folder only ║ folder, sub-folders and files ║ folder and sub-folders ║ folder and files ║ sub-folders and files ║ sub-folders ║    files    ║
    ╠═════════════╬═════════════╬═══════════════════════════════╬════════════════════════╬══════════════════╬═══════════════════════╬═════════════╬═════════════╣
    ║ Propagation ║ none        ║ none                          ║ none                   ║ none             ║ InheritOnly           ║ InheritOnly ║ InheritOnly ║
    ║ Inheritance ║ none        ║ Container|Object              ║ Container              ║ Object           ║ Container|Object      ║ Container   ║ Object      ║
    ╚═════════════╩═════════════╩═══════════════════════════════╩════════════════════════╩══════════════════╩═══════════════════════╩═════════════╩═════════════╝

So, as David said, you'll want

    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit 
    PropagationFlags.None
    

  • +1 for the table. An extra +1 just for the box-drawing characters, if I could :) (8 upvotes)

Dav*_*ter 32

I think you'll find your answer on this page. From the page:

This folder, subfolders and files:

    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit
    PropagationFlags.None

  • Can you add the code? Linking to a page and quoting it is IMO not a proper answer. (2 upvotes)

Kei*_*ill 8

Just because you're in PowerShell, don't forget about good ol' exes. Sometimes they can provide the easiest solution, e.g.:

    icacls.exe $folder /grant 'domain\user:(OI)(CI)(M)'

  • Yeah, I almost solved it with a DOS batch file and icacls or setacl, but I'm trying to learn PowerShell.. the best way to learn is to solve problems with it, etc. (2 upvotes)

dea*_*dog 5

Here's the MSDN page describing the flags and the results of their various combinations.

    Flag combinations => Propagation results
    =========================================
    No Flags => Target folder.
    ObjectInherit => Target folder, child object (file), grandchild object (file).
    ObjectInherit and NoPropagateInherit => Target folder, child object (file).
    ObjectInherit and InheritOnly => Child object (file), grandchild object (file).
    ObjectInherit, InheritOnly, and NoPropagateInherit => Child object (file).
    ContainerInherit => Target folder, child folder, grandchild folder.
    ContainerInherit, and NoPropagateInherit => Target folder, child folder.
    ContainerInherit, and InheritOnly => Child folder, grandchild folder.
    ContainerInherit, InheritOnly, and NoPropagateInherit => Child folder.
    ContainerInherit, and ObjectInherit => Target folder, child folder, child object (file), grandchild folder, grandchild object (file).
    ContainerInherit, ObjectInherit, and NoPropagateInherit => Target folder, child folder, child object (file).
    ContainerInherit, ObjectInherit, and InheritOnly => Child folder, child object (file), grandchild folder, grandchild object (file).
    ContainerInherit, ObjectInherit, NoPropagateInherit, InheritOnly => Child folder, child object (file).

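To have it recursively apply the permissions to a directory, as well as all child directories and files, you'll want to use these flags: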

    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit
    PropagationFlags.None

So the specific code change you need to make for your example is:

    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None


Luk*_*uke 5

Here's some succinct PowerShell code to apply new permissions to a folder by modifying its existing ACL (Access Control List).

    # Get the ACL for an existing folder
    $existingAcl = Get-Acl -Path 'C:\DemoFolder'

    # Set the permissions that you want to apply to the folder
    $permissions = $env:username, 'Read,Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'

    # Create a new FileSystemAccessRule object
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permissions

    # Modify the existing ACL to include the new rule
    $existingAcl.SetAccessRule($rule)

    # Apply the modified access rule to the folder
    $existingAcl | Set-Acl -Path 'C:\DemoFolder'

Each of the values in the $permissions variable list pertains to the parameters of this constructor for the FileSystemAccessRule class.

Courtesy of this page.
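
The flag table and the `PropagationFlags` change from the answers above, as an added example that is not part of any answer on this page: it sets the rule first with the question's `InheritOnly` and then with `None`, and reads each explicit ACE back labelled with its Explorer "Applies to" scope. `Get-AceScope`, the scratch folder under the temp directory and the use of the current user as trustee are assumptions of this example.

```powershell
# Added example, not code from the page. Get-AceScope is a hypothetical helper.
function Get-AceScope {
    param(
        [System.Security.AccessControl.InheritanceFlags] $Inheritance,
        [System.Security.AccessControl.PropagationFlags] $Propagation
    )
    $pf = [System.Security.AccessControl.PropagationFlags]
    # Index = [int]InheritanceFlags: 0 None, 1 ContainerInherit, 2 ObjectInherit, 3 both
    $withTarget  = 'This folder only', 'This folder and subfolders',
                   'This folder and files', 'This folder, subfolders and files'
    $inheritOnly = 'This folder only', 'Subfolders only',
                   'Files only', 'Subfolders and files only'
    $i = [int]$Inheritance
    # Propagation flags only matter when an inheritance flag is present
    if ($i -eq 0) { return $withTarget[0] }
    $label = if ($Propagation.HasFlag($pf::InheritOnly)) { $inheritOnly[$i] } else { $withTarget[$i] }
    # NoPropagateInherit stops inheritance at the direct children (no grandchildren)
    if ($Propagation.HasFlag($pf::NoPropagateInherit)) { $label += ' (direct children only)' }
    return $label
}

# Constructed demo input: a scratch folder and the current user as trustee
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'acl-scope-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# First the question's propagation value, then the one the answers recommend
foreach ($propagation in 'InheritOnly', 'None') {
    $acl      = Get-Acl -Path $root
    $ruleArgs = $user, 'Modify', 'ContainerInherit,ObjectInherit', $propagation, 'Allow'
    $rule     = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.SetAccessRule($rule)   # replaces the explicit Allow rule set on the previous pass
    Set-Acl -Path $root -AclObject $acl

    # Read the ACL back and report only the explicit ACE for our trustee
    (Get-Acl -Path $root).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $user } |
        ForEach-Object {
            $scope = Get-AceScope $_.InheritanceFlags $_.PropagationFlags
            '{0,-12} {1} -> {2}' -f $propagation, $_.FileSystemRights, $scope
        }
}

Remove-Item -Path $root -Recurse -Force   # clean up the scratch folder
```

The same `Get-AceScope` call can be pointed at the `.Access` entries of any existing folder to audit which ACEs actually cover the folder itself and which only reach its children.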