主页 / server / 问题 / 414684
Accepted
Andrew J. Brehm
Asked: 2012-08-07 06:07:35 +0800 CST

如何在 2008 上使用 Powershell 配置集群共享的权限?

  • 772

我有一个“文件共享”类型的集群资源,但是当我尝试配置“安全”参数时,出现以下错误(摘录):

Set-ClusterParameter : Parameter 'security' does not exist on the cluster object

使用 cluster.exe 我得到了更好的结果,即命令工作时通常没有任何结果。但是当我检查故障转移集群管理器时,权限没有改变。在 Server 2003 中,cluster.exe 方法有效。

有任何想法吗?

更新:

完整的命令和错误。

PS C:\> $resource=get-clusterresource testshare
PS C:\> $resource

Name                          State                         Group                         ResourceType
----                          -----                         -----                         ------------
testshare                     Offline                       Test                          File Share


PS C:\> $resource|set-clusterparameter security "domain\account,grant,f"
Set-ClusterParameter : Parameter 'security' does not exist on the cluster object 'testshare'. If you are trying to upda
te an existing parameter, please make sure the parameter name is specified correctly. You can check for the current par
ameters by passing the .NET object received from the appropriate Get-Cluster* cmdlet to "| Get-ClusterParameter". If yo
u are trying to update a common property on the cluster object, you should set the property directly on the .NET object
 received by the appropriate Get-Cluster* cmdlet. You can check for the current common properties by passing the .NET o
bject received from the appropriate Get-Cluster* cmdlet to "| fl *". If you are trying to create a new unknown paramete
r, please use -Create with this Set-ClusterParameter cmdlet.
At line:1 char:31
+ $resource|set-clusterparameter <<<<  security "domain\account,grant,f"
    + CategoryInfo          : NotSpecified: (:) [Set-ClusterParameter], ClusterCmdletException
    + FullyQualifiedErrorId : Set-ClusterParameter,Microsoft.FailoverClusters.PowerShell.SetClusterParameterCommand
windows-server-2008-r2

1 个回答

  1. Best Answer

    我找到了一个易于使用且显而易见的答案。它是如此简单,以至于人们可能不相信它是 Microsoft 的解决方案。

    $permissions 是一个权限数组,包含一个帐户(domain\user)、一个权限(fullcontrol)和一个类型(allow)。

    # create access rule based on permissions
$rule = new-object system.security.accesscontrol.filesystemaccessrule $permissions

# get an acl, remove access rules, add our rule
$acl = get-acl "c:\" # need to get acl from root of drive to avoid inheritance
$acl.access | foreach-object {$acl.removeaccessrule($_)}
$acl.setaccessrule($rule)

# get security descriptor from acl and convert to binary security descriptor
$sddl = $acl.sddl
$sdhelper = [wmiclass]"win32_securitydescriptorhelper"
$binarysd = ($sdhelper.sddltobinarysd($sddl)).binarysd

# get cluster resources from registry
$resources = get-childitem "hklm:\cluster\resources"

# ...with paths that powershell will understand
$resources = $resources | foreach-object {$_.pspath}

# find clustershare resource path
$resource = $resources | where-object {(get-itemproperty $_ name).name -eq $clustershare}

# derive path to resource parameters
$parameters = "$resource\parameters"

# configure security descriptor
set-itemproperty $parameters "security descriptor" $binarysd

    真的就是这么简单。

    唯一的问题是,这只适用于一个节点并且必须在每个节点上重复。它确实在故障转移后仍然存在(并且当共享故障恢复到节点时,节点上设置的权限将重新出现)。此外,它仅适用于“完全控制”,不适用于“读取”或其他权限。不知道为什么。

    我不会接受这个作为答案,因为它确实不是。但它似乎是最接近此问题的解决方案,因为在 Windows Server 2003 中根本不存在(cluster.exe 可以设置共享权限)并且 Microsoft 似乎没有解决任何问题。

    • 1

相关问题