主页 / server / 问题 / 727456
Accepted
HopelessN00b
Asked: 2015-10-08 12:32:04 +0800 CST

停!我继承了重定向文件夹/主目录的权限噩梦

  • 772

我的新雇主为其数百名用户设置了文件夹重定向,而设置它的人并不真正知道他在做什么。因此,未遵循重定向文件夹/主目录权限的最佳做法。

让人们访问他们重定向的文件夹位置的解决方案是改为在根目录(“Home”)应用Full Control权限(NTFS 权限,当然不是“共享”权限)并将其传播到根目录下的所有子文件夹和文件Everyone.

有什么可能出错的,对吧?这不像 CEO 的My Documents文件夹中有机密信息,或者任何人都会感染 CryptoWall 并加密其他所有人的文件。正确的?

所以,无论如何,既然 CryptoWall 感染已被删除并已恢复备份,许多人希望我们用不那么可怕的东西替换当前权限,我不想在几个权限对话框中单击一百个文件夹。

PowerShell 如何为我解决这个问题,让生活重获新生?

windows

2 个回答

  1. Best Answer

    感谢 JScott向我介绍了System.Security.Principal... 类或方法或其他任何东西,一些 PowerShell 将一堆子文件夹上的 ACL 替换为适合用户主目录的 ACL:

    $Root = "Path to the root folder that holds all the user home directories"

$Paths = Get-ChildItem $Root | Select-Object -Property Name,FullName

$DAAR = New-Object system.security.accesscontrol.filesystemaccessrule("MyDomain\Domain Admins","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Domain Admin Access Rule.

$SysAR = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#SYSTEM Access Rule.

foreach ($Folder in $Paths)
{

    Write-Host "Generating ACL for $($folder.FullName) ... "
    #For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.

    $ACL = New-Object System.Security.AccessControl.DirectorySecurity
    #Creates a blank ACL object to add access rules into, also blanks out the ACL for each iteration of the loop.

    $objUser = New-Object System.Security.Principal.NTAccount("MyDomain\​"+$folder.name)
    #Creating the right type of User Object to feed into our ACL, and populating it with the user whose folder we're currently on.

    $UserAR = New-Object system.security.accesscontrol.filesystemaccessrule( $objuser ,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
    #Access Rule for the user whose folder we're dealing with during this iteration.

    $acl.SetOwner($objUser)
    $acl.SetAccessRuleProtection($true, $false)
    #Change the inheritance/propagation settings of the folder we're dealing with

    $acl.SetAccessRule($UserAR)
    $acl.SetAccessRule($DAAR)
    $acl.SetAccessRule($SysAR)

    Write-Host "Changing ACL on $($folder.FullName) to:"
    $acl | fl
    #For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.

    Set-Acl -Path $Folder.Fullname -ACLObject $acl

}
    • 18

  2. 如果主文件夹/重定向文件夹设置为“授予用户专有权”,则先前的答案将不起作用。This is because when this option is selected which is not recommended , only SYSTEM and THE USER have rights to the folder. 然后,如果不获得文件夹的所有权,您就无法更改权限(即使是管理员)。

    这是一种在不取得所有权的情况下解决此问题的方法。这是一个两步的过程。

    创建一个运行 ICACLS 的 powershell 脚本以修改文件夹和子文件夹的权限。

    运行 PSexec 以启动 Powershell 脚本。

    取自并修改自: https ://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/

    1 创建/复制/窃取 powershell 脚本(需要 PS 3.0 或更高版本)

    #ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir= "c:\shares\users"   ##Path to root of users home dirs
$Principal="domain\username"    #or "administrators"
$Permission="F"

$Verify=Read-Host `n "You are about to change permissions on all" `
"files starting at"$StartingDir.ToUpper() `n "for security"`
"principal"$Principal.ToUpper() `
"with new right of"$Permission.ToUpper()"."`n `
"Do you want to continue? [Y,N]"

if ($Verify -eq "Y") {

foreach ($FOLDER in $(Get-ChildItem -path $StartingDir -directory -recurse)) {

$temp = $Folder.fullname
CACLS `"$temp`" /E /P `"${Principal}`":${Permission} >$NULL
#write-host $Folder.FullName 
}
}
    1. 运行 PSEXEC,它作为 SYSTEM 帐户运行,因此可以更改只有 SYSTEM 和用户有权访问的文件夹的权限。安装并运行 PSexec。https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

    从命令行:

    psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"
    • 2

相关问题