新建共享,NTFS权限设置
1. Overview
Some time ago, I was automating a few tasks with PowerShell and needed to set NTFS permissions on a folder. I was tempted to use the good old ICACLS.EXE command line, but I wanted to keep it all within PowerShell. While there are a number of different permissions you could want to set for a folder, my specific case called the following:
- Create a new folder
- Check the default permissions on the new folder
- Turn off inheritance on that folder, removing existing inherited permissions from the parent folder
- Grant “Full Control” permissions to Administrators, propagating via inheritance to files and subfolders
- Grant “Read” permissions to Users, propagating via inheritance to files and subfolders
- Review the permissions on the folder
2. The old ICACLS
In the old CMD.EXE world, you would use ICACLS.The commands would look like this:
- MD F:\Folder
- ICACLS F:\Folder
- ICACLS F:\Folder /INHERITANCE:R
- ICACLS F:\Folder /GRANT Administrators:(CI)(OI)F
- ICACLS F:\Folder /GRANT Users: (CI)(OI)R
- ICACLS F:\Folder
新建共享rollback,赋予 ddv\test01、Administrators用户完全控制权限
mkdir d:\rollback
net share rollback=d:\rollback /GRANT:ddv\test01,FULL /GRANT:administrators,FULL
cacls D:\ /T /E /C /G Users:F
cacls D:\ /T /E /C /P everyone:R
3. The PowerShell way
After some investigation, I found the PowerShell cmdlets to do the same things. You essentially rely on Get-Acl and Set-Acl to get, show and set permissions on a folder. Unfortunately, there are no cmdlets to help with the actual manipulation of the permissions. However, you can use a few .NET classes and methods to do the work. Here’s what I ended up with:
- New-Item F:\Folder –Type Directory
- Get-Acl F:\Folder | Format-List
- $acl = Get-Acl F:\Folder
- $acl.SetAccessRuleProtection($True, $False)
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
- $acl.AddAccessRule($rule)
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
- $acl.AddAccessRule($rule)
- Set-Acl F:\Folder $acl
- Get-Acl F:\Folder | Format-List
4. Looking at the output
To show how this works, here’s the output you should get from those commands. Be sure to use the option to “Run as Administrator” if you’re creating a folder outside your user’s folders. Note that I made a few changes from the cmdlets shown previously. I also included couple of calls to the GetAccessRules method to get extra details about the permissions.
PS F:\> New-Item F:\Folder -Type Directory
Directory: F:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 11/6/2010 8:10 PM Folder
PS F:\> $acl = Get-Acl F:\Folder
PS F:\> $acl | Format-List
Path : Microsoft.PowerShell.Core\FileSystem::F:\Folder
Owner : BUILTIN\Administrators
Group : NORTHAMERICA\Domain Users
Access : BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
NT AUTHORITY\Authenticated Users Allow Modify, Synchronize
NT AUTHORITY\Authenticated Users Allow -536805376
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow -1610612736
Audit :
Sddl : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID
;GA;;;SY)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)
PS F:\> $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : True
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : 268435456
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : True
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : 268435456
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
FileSystemRights : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited : True
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited : True
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : -1610612736
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
PS F:\> $acl.SetAccessRuleProtection($True, $False)
PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
PS F:\> $acl.AddAccessRule($rule)
PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
PS F:\> $acl.AddAccessRule($rule)
PS F:\> Set-Acl F:\Folder $acl
PS F:\> Get-Acl F:\Folder | Format-List
Path : Microsoft.PowerShell.Core\FileSystem::F:\Folder
Owner : BUILTIN\Administrators
Group : NORTHAMERICA\Domain Users
Access : BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow Read, Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:PAI(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)
PS F:\> (Get-Acl F:\Folder).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
FileSystemRights : Read, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
PS F:\>
5. Controlling parent folder inheritance
The script uses SetAccessRuleProtection, which is a method to control whether inheritance from the parent folder should be blocked ($True means no Inheritance) and if the previously inherited access rules should be preserved ($False means remove previously inherited permissions).
6. Building the access rules
To build a new access rule, the script also uses the New-Object cmdlet and specify the full name of the FileSystemAccessRule class. There are many constructors for this specific class of objects. I used one of the more complete ones, which takes 5 parameters:
- Identity (name of the user or group)
- Rights (including the common Read, Write, Modify and FullControl, among many others)
- Inheritance Flags (including None, ContainerInherit or ObjectInheritance)
- Propagation Flags (including None or InheritOnly, among others)
- Type (Allow or Deny)
I am using the .NET classes in this part, and that’s why you have to use the full name of the class (like System.Security.AccessControl.FileSystemAccessRule) and the full name of the data types (like [System.Security.Accesscontrol.InheritanceFlags]).
7. Using variables
The script also uses a few variables (names starting with a $ sign). In order to change the permissions, for instance, I started by copying the existing ACL to a variable called $acl using the Get-Acl cmdlet. Next, I modified $acl in memory and finally I applied the $acl back to the folder using Set-Acl cmdlet. You could avoid using the $rule variable, but your code would get a bit more complex. For instance, I could change the script shown previously to use only the $acl variable:
- $acl = Get-Acl F:\Folder
- $acl.SetAccessRuleProtection($True, $False)
- $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))
- $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")))
- Set-Acl F:\Folder $acl
This does cut 2 lines from that section of the script. While I see of lot of fans of using a smaller number of command lines (even if they are longer command lines), I find the version that uses the additional $rule variable easier to understand.
8. Default permissions
You might have noticed that the initial attributes for the folder includes quite a few inherited permissions. Those are inherited from the parent folder F:\, and are the default permissions when you format an NTFS volume. Here are they in a nicely formatted table:
Identity |
Type |
Rights |
BUILTIN\Administrators |
Allow |
FullControl |
BUILTIN\Administrators |
Allow |
268435456 |
NT AUTHORITY\SYSTEM |
Allow |
FullControl |
NT AUTHORITY\SYSTEM |
Allow |
268435456 |
BUILTIN\Users |
Allow |
ReadAndExecute, Synchronize |
NT AUTHORITY\Authenticated Users |
Allow |
Modify, Synchronize |
NT AUTHORITY\Authenticated Users |
Allow |
-536805376 |
Some of the rights are fully spelled out (like “Full Control”, “Modify”, “Read”, “Write”, “Synchronize” and “ReadAndExecute”). More complex combinations are shown as numbers. The infrastructure only translates the numeric code into text for the most common ones.
9. Setting the Owner
Another fairly common operation is setting a new owner for a folder. This is useful when provisioning a folder for a specific user and wanting to give the user the ownership of the folder itself. It’s also handy if a administrator has been locked out of a folder. If I am the administrator, I can set the owner to myself and then grant myself permissions to access the folder. In CMD.EXE, you would use
- ICACLS F:\Folder /SETOWNER Administrators
The PowerShell equivalent would be:
- $acl = Get-Acl F:\Folder
- $acl.SetOwner([System.Security.Principal.NTAccount] "Administrators")
- Set-Acl F:\Folder $acl
10. It’s actually a Security Descriptor
The information returned by Get-Acl is actually better described as a “Security Descriptor”, not really an ACL (Access Control List). It contains a number of security-related information, including the Owner, the Group Owner, the Discretionary Access Control List (also known as DACL, which is where we added the two rules), the Audit Access Control List (also known as SACL). Technically, adding the two rules actually adds two ACEs (Access Control Entries) to the DACL (Discretionary Access Control List).
Also listed by Get-ACL is SDDL string. The SDDL a string that combines all the information returned by Get-Acl in a single string. It’s a bit hard to parse for humans, but it’s closer to the internal representation.
11. Looking at the other methods
There are a number of additional methods available to handle the Security Descriptor returned by Get-Acl. If you want to look into them, just pipe the output to Get-Member. See the example below:
PS F:\> Get-Acl F:\Folder | Get-Member
TypeName: System.Security.AccessControl.DirectorySecurity
Name MemberType Definition
---- ---------- ----------
Access CodeProperty System.Security.AccessControl.AuthorizationRuleCollection Access{get=...
Group CodeProperty System.String Group{get=GetGroup;}
Owner CodeProperty System.String Owner{get=GetOwner;}
Path CodeProperty System.String Path{get=GetPath;}
Sddl CodeProperty System.String Sddl{get=GetSddl;}
AccessRuleFactory Method System.Security.AccessControl.AccessRule AccessRuleFactory(System.Sec...
AddAccessRule Method System.Void AddAccessRule(System.Security.AccessControl.FileSystemAcc...
AddAuditRule Method System.Void AddAuditRule(System.Security.AccessControl.FileSystemAudi...
AuditRuleFactory Method System.Security.AccessControl.AuditRule AuditRuleFactory(System.Secur...
Equals Method bool Equals(System.Object obj)
GetAccessRules Method System.Security.AccessControl.AuthorizationRuleCollection GetAccessRu...
GetAuditRules Method System.Security.AccessControl.AuthorizationRuleCollection GetAuditRul...
GetGroup Method System.Security.Principal.IdentityReference GetGroup(type targetType)
GetHashCode Method int GetHashCode()
GetOwner Method System.Security.Principal.IdentityReference GetOwner(type targetType)
GetSecurityDescriptorBinaryForm Method byte[] GetSecurityDescriptorBinaryForm()
GetSecurityDescriptorSddlForm Method string GetSecurityDescriptorSddlForm(System.Security.AccessControl.Ac...
GetType Method type GetType()
ModifyAccessRule Method bool ModifyAccessRule(System.Security.AccessControl.AccessControlModi...
ModifyAuditRule Method bool ModifyAuditRule(System.Security.AccessControl.AccessControlModif...
PurgeAccessRules Method System.Void PurgeAccessRules(System.Security.Principal.IdentityRefere...
PurgeAuditRules Method System.Void PurgeAuditRules(System.Security.Principal.IdentityReferen...
RemoveAccessRule Method bool RemoveAccessRule(System.Security.AccessControl.FileSystemAccessR...
RemoveAccessRuleAll Method System.Void RemoveAccessRuleAll(System.Security.AccessControl.FileSys...
RemoveAccessRuleSpecific Method System.Void RemoveAccessRuleSpecific(System.Security.AccessControl.Fi...
RemoveAuditRule Method bool RemoveAuditRule(System.Security.AccessControl.FileSystemAuditRul...
RemoveAuditRuleAll Method System.Void RemoveAuditRuleAll(System.Security.AccessControl.FileSyst...
RemoveAuditRuleSpecific Method System.Void RemoveAuditRuleSpecific(System.Security.AccessControl.Fil...
ResetAccessRule Method System.Void ResetAccessRule(System.Security.AccessControl.FileSystemA...
SetAccessRule Method System.Void SetAccessRule(System.Security.AccessControl.FileSystemAcc...
SetAccessRuleProtection Method System.Void SetAccessRuleProtection(bool isProtected, bool preserveIn...
SetAuditRule Method System.Void SetAuditRule(System.Security.AccessControl.FileSystemAudi...
SetAuditRuleProtection Method System.Void SetAuditRuleProtection(bool isProtected, bool preserveInh...
SetGroup Method System.Void SetGroup(System.Security.Principal.IdentityReference iden...
SetOwner Method System.Void SetOwner(System.Security.Principal.IdentityReference iden...
SetSecurityDescriptorBinaryForm Method System.Void SetSecurityDescriptorBinaryForm(byte[] binaryForm), Syste...
SetSecurityDescriptorSddlForm Method System.Void SetSecurityDescriptorSddlForm(string sddlForm), System.Vo...
ToString Method string ToString()
PSChildName NoteProperty System.String PSChildName=test
PSDrive NoteProperty System.Management.Automation.PSDriveInfo PSDrive=C
PSParentPath NoteProperty System.String PSParentPath=Microsoft.PowerShell.Core\FileSystem::C:\
PSPath NoteProperty System.String PSPath=Microsoft.PowerShell.Core\FileSystem::C:\test
PSProvider NoteProperty System.Management.Automation.ProviderInfo PSProvider=Microsoft.PowerS...
AccessRightType Property System.Type AccessRightType {get;}
AccessRuleType Property System.Type AccessRuleType {get;}
AreAccessRulesCanonical Property System.Boolean AreAccessRulesCanonical {get;}
AreAccessRulesProtected Property System.Boolean AreAccessRulesProtected {get;}
AreAuditRulesCanonical Property System.Boolean AreAuditRulesCanonical {get;}
AreAuditRulesProtected Property System.Boolean AreAuditRulesProtected {get;}
AuditRuleType Property System.Type AuditRuleType {get;}
AccessToString ScriptProperty System.Object AccessToString {get=$toString = "";...
AuditToString ScriptProperty System.Object AuditToString {get=$toString = "";...
To find the specific parameters for a given method, just filter the output and pipe it to Format-List. For instance, here are the details about the GetAccessRules method used in the script:
PS F:\> Get-Acl F:\Folder | Get-Member -MemberType Method "GetAccessRules" | Format-List
TypeName : System.Security.AccessControl.DirectorySecurity
Name : GetAccessRules
MemberType : Method
Definition : System.Security.AccessControl.AuthorizationRuleCollection GetAccessRules(bool includeExplicit, bool includ
eInherited, type targetType)
Here’s a short version, this time looking at the definition for the SetAccessRuleProtection method:
PS F:\> Get-Acl F:\Folder | Get-Member "SetAccessRuleProtection" | FL
TypeName : System.Security.AccessControl.DirectorySecurity
Name : SetAccessRuleProtection
MemberType : Method
Definition : System.Void SetAccessRuleProtection(bool isProtected, bool preserveInheritance)
12. Conclusion
I hope this helped you understand how to manipulate Security Descriptors and Access Control Lists using PowerShell. ACLs are used in several other places, like Registry entries, Active Directory objects and File Shares. I’m sure that adding these abilities to your PowerShell tool belt will eventually come in handy.
As usual, the MSDN site is a great reference. You can find all the details about the methods I used here by searching for the method name on MSDN. You can also look at an overview of the methods related to Security Descriptors (with lots of links) at: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.aspx.
Also be sure to check my other blog posts about PowerShell athttp://blogs.technet.com/b/josebda/archive/tags/powershell/.
FROM:http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx
新建共享,NTFS权限设置的更多相关文章
- NTFS权限设置时卡死
客户是一家技术咨询和零部件制造的小公司,使用的文件服务器为R410上插4块1T硬盘做raid 5,服务器操作系统为windows server 2008R2,所有的设计资料的授权都是结合域账户和NTF ...
- Linux下mysql新建账号及权限设置各种方式总结
来自:http://justcoding.iteye.com/blog/1941116 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连接服务器A以进行数据库操作,需要服务 ...
- Linux下mysql新建账号及权限设置
http://www.cnblogs.com/eczhou/archive/2012/07/12/2588187.html 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连 ...
- NTFS权限和共享权限的区别
共享权限 共享权限有三种:完全控制.更改.读取 共持本地安全性.换句话说,他在同一台计算机上以不同用户名登录,对硬盘上同一文件夹可以有不同的访问权限. 注意:NTFS权限对从网络访问和本机登录的用户都 ...
- NTFS权限概述
NTFS权限概述 NTFS是我常见的一种磁盘格式,在Windows系统中使用广泛,它打破了FAT的局限性.在我使用ntfs格式分区的时候经常会涉及到ntfs权限设置问题,来帮助我们对文件的处理.那么什 ...
- IIS中的上传目录权限设置问题
虽然 Apache 的名声可能比 IIS 好,但我相信用 IIS 来做 Web 服务器的人一定也不少.说实话,我觉得 IIS 还是不错的,尤其是 Windows 2003 的 IIS 6(马上 Lon ...
- 多站点IIS用户安全权限设置
如果我们为每个站点都建立一个用户,并设置该用户只有访问本站点的权限,那么就能将访问权限控制在每个站点文件夹内,旁注问题也就解决了 一.这样配置的好处? 不知大家有没有听过旁注?我简单的解释一下吧:有个 ...
- NTFS权限详解
NTFS权限是作为一个Windows管理员必备的知识,许多经验丰富的管理员都能够很熟悉地对文件.文件夹.注册表项等进行安全性的权限设置,包括完全控制.修改.只读等.而谈论NTFS权限这个话题也算是老生 ...
- 利用NTFS权限与虚拟目录,在IIS 6.0的默认FTP站点中做用户隔离。
默认FTP站点为不隔离用户站点,利用NTFS权限设置,达到仅能访问指定目录效果. 是否允许匿名连接 FTP站点主目录:站点范围内有没有用户需要上传,有的话,要勾选“写入”:具体用户使用NTFS还给予写 ...
随机推荐
- HDU 1171 Big Event in HDU(DP)
点我看题目 题意 : 给你一个n,然后n组数据,每组两个数字,一个是物品的价值,另外一个是物品的数量,让你尽量将这些东西分成价值相等的两份,如果无法相等就前一份要大于后一份. 思路 :这个题可以转化成 ...
- POJ 2531 Network Saboteur
http://poj.org/problem?id=2531 题意 :有N台电脑,每两台电脑之间都有个通信量C[i][j]; 问如何将其分成两个子网,能使得子网之间的通信量最大. 也就是说将所有节点分 ...
- eclipse+tomcat7解决项目中文乱码的一个思路
1. 在代码层面进行编码的修改操作,参考博文的方法一:http://www.cnblogs.com/longshiyVip/p/4873058.html 2. 如果项目使用了struts2等前端框架, ...
- VC多文档编程技巧(取消一开始时打开的空白文档)
VC多文档编程技巧(取消一开始时打开的空白文档) http://blog.csdn.net/crazyvoice/article/details/6185461 VC多文档编程技巧(取消一开始时打开的 ...
- 【HDOJ】2062 Subset sequence
这道题目非常好,饶了点儿圈子.我的思路是,先按照组排列.例如,1 2 31 2 2 1 3 11 2 3 2 1 3 ...
- URAL1012. K-based Numbers. Version 2
链接 考查大数 正好拿来学习下JAVA JAVA好高端.. import java.io.*; import java.math.*; import java.text.*; import java. ...
- jquery图片播放插件Fancybox(灯箱)
效果预览Demo源码下载 Fancybox的特点如下: 可以支持图片.html文本.flash动画.iframe以及ajax的支持 可以自定义播放器的CSS样式 可以以组的形式进行播放 如果将鼠标滚动 ...
- 关于I/O的那点事
转载请著名作者和地址http://www.cnblogs.com/scotth/p/3645489.html 1.关于 IO (fopen出现的错误 errorCode 183) 相关知识点: < ...
- Error:Could not open initscript class cache for initialization script 'C:\Users\Avishek\AppData\Local\Temp\asLocalRepo14.gradle' (C:\Users\Avishek.gradle\caches\2.2.1\scripts\asLocalRepo14_dkwbdtenxxg
Error:Could not open initscript class cache for initialization script 见鬼 Android Studio打开项目时遇到这个问题 昨 ...
- lightoj 1008
水题,开根号判断大致范围,再找即可. #include<cstdio> #include<cmath> #include<cstdlib> using namesp ...