1. Overview

Some time ago, I was automating a few tasks with PowerShell and needed to set NTFS permissions on a folder. I was tempted to use the good old ICACLS.EXE command line, but I wanted to keep it all within PowerShell. While there are a number of different permissions you could want to set for a folder, my specific case called the following:

-          Create a new folder

-          Check the default permissions on the new folder

-          Turn off inheritance on that folder, removing existing inherited permissions from the parent folder

-          Grant “Full Control” permissions to Administrators, propagating via inheritance to files and subfolders

-          Grant “Read” permissions to Users, propagating via inheritance to files and subfolders

-          Review the permissions on the folder

2. The old ICACLS

In the old CMD.EXE world, you would use ICACLS.The commands would look like this:

-          MD F:\Folder

-          ICACLS F:\Folder

-          ICACLS F:\Folder /INHERITANCE:R

-          ICACLS F:\Folder /GRANT Administrators:(CI)(OI)F

-          ICACLS F:\Folder /GRANT Users: (CI)(OI)R

-          ICACLS F:\Folder

新建共享rollback,赋予 ddv\test01、Administrators用户完全控制权限

mkdir d:\rollback
net share rollback=d:\rollback /GRANT:ddv\test01,FULL /GRANT:administrators,FULL

cacls D:\ /T /E /C /G Users:F
cacls D:\ /T /E /C /P everyone:R

3. The PowerShell way

After some investigation, I found the PowerShell cmdlets to do the same things. You essentially rely on Get-Acl and Set-Acl to get, show and set permissions on a folder. Unfortunately, there are no cmdlets to help with the actual manipulation of the permissions. However, you can use a few .NET classes and methods to do the work. Here’s what I ended up with:

-          New-Item F:\Folder –Type Directory

-          Get-Acl F:\Folder | Format-List

-          $acl = Get-Acl F:\Folder

-          $acl.SetAccessRuleProtection($True, $False)

-          $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

-          $acl.AddAccessRule($rule)

-          $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")

-          $acl.AddAccessRule($rule)

-          Set-Acl F:\Folder $acl

-          Get-Acl F:\Folder  | Format-List

4. Looking at the output

To show how this works, here’s the output you should get from those commands. Be sure to use the option to “Run as Administrator” if you’re creating a folder outside your user’s folders. Note that I made a few changes from the cmdlets shown previously. I also included couple of calls to the GetAccessRules method to get extra details about the permissions.

PS F:\> New-Item F:\Folder -Type Directory

Directory: F:\

Mode                LastWriteTime     Length Name

----                -------------     ------ ----

d----         11/6/2010   8:10 PM            Folder

PS F:\> $acl = Get-Acl F:\Folder

PS F:\> $acl | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::F:\Folder

Owner  : BUILTIN\Administrators

Group  : NORTHAMERICA\Domain Users

Access : BUILTIN\Administrators Allow  FullControl

BUILTIN\Administrators Allow  268435456

NT AUTHORITY\SYSTEM Allow  FullControl

NT AUTHORITY\SYSTEM Allow  268435456

NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize

NT AUTHORITY\Authenticated Users Allow  -536805376

BUILTIN\Users Allow  ReadAndExecute, Synchronize

BUILTIN\Users Allow  -1610612736

Audit  :

Sddl   : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID

;GA;;;SY)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)

PS F:\> $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : 268435456

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : NT AUTHORITY\SYSTEM

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : 268435456

AccessControlType : Allow

IdentityReference : NT AUTHORITY\SYSTEM

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : Modify, Synchronize

AccessControlType : Allow

IdentityReference : NT AUTHORITY\Authenticated Users

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : -536805376

AccessControlType : Allow

IdentityReference : NT AUTHORITY\Authenticated Users

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : ReadAndExecute, Synchronize

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : -1610612736

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

PS F:\> $acl.SetAccessRuleProtection($True, $False)

PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

PS F:\> $acl.AddAccessRule($rule)

PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")

PS F:\> $acl.AddAccessRule($rule)

PS F:\> Set-Acl F:\Folder $acl

PS F:\> Get-Acl F:\Folder  | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::F:\Folder

Owner  : BUILTIN\Administrators

Group  : NORTHAMERICA\Domain Users

Access : BUILTIN\Administrators Allow  FullControl

BUILTIN\Users Allow  Read, Synchronize

Audit  :

Sddl   : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:PAI(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)

PS F:\> (Get-Acl F:\Folder).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : False

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : None

FileSystemRights  : Read, Synchronize

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : False

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : None

PS F:\>

5. Controlling parent folder inheritance

The script uses SetAccessRuleProtection, which is a method to control whether inheritance from the parent folder should be blocked ($True means no Inheritance) and if the previously inherited access rules should be preserved ($False means remove previously inherited permissions).

6. Building the access rules

To build a new access rule, the script also uses the New-Object cmdlet and specify the full name of the FileSystemAccessRule class. There are many constructors for this specific class of objects. I used one of the more complete ones, which takes 5 parameters:

-          Identity (name of the user or group)

-          Rights (including the common Read, Write, Modify and FullControl, among many others)

-          Inheritance Flags (including None, ContainerInherit or ObjectInheritance)

-          Propagation Flags (including None or InheritOnly, among others)

-          Type (Allow or Deny)

I am using the .NET classes in this part, and that’s why you have to use the full name of the class (like System.Security.AccessControl.FileSystemAccessRule) and the full name of the data types (like [System.Security.Accesscontrol.InheritanceFlags]).

7. Using variables

The script also uses a few variables (names starting with a $ sign). In order to change the permissions, for instance, I started by copying the existing ACL to a variable called $acl using the Get-Acl cmdlet. Next, I modified $acl in memory and finally I applied the $acl back to the folder using Set-Acl cmdlet. You could avoid using the $rule variable, but your code would get a bit more complex. For instance, I could change the script shown previously to use only the $acl variable:

-          $acl = Get-Acl F:\Folder

-          $acl.SetAccessRuleProtection($True, $False)

-          $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))

-          $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")))

-          Set-Acl F:\Folder $acl

This does cut 2 lines from that section of the script. While I see of lot of fans of using a smaller number of command lines (even if they are longer command lines), I find the version that uses the additional $rule variable easier to understand.

8. Default permissions

You might have noticed that the initial attributes for the folder includes quite a few inherited permissions. Those are inherited from the parent folder F:\, and are the default permissions when you format an NTFS volume. Here are they in a nicely formatted table:

Identity

Type

Rights

BUILTIN\Administrators

Allow

FullControl

BUILTIN\Administrators

Allow

268435456

NT AUTHORITY\SYSTEM

Allow

FullControl

NT AUTHORITY\SYSTEM

Allow

268435456

BUILTIN\Users

Allow

ReadAndExecute, Synchronize

NT AUTHORITY\Authenticated Users

Allow

Modify, Synchronize

NT AUTHORITY\Authenticated Users

Allow

-536805376

Some of the rights are fully spelled out (like “Full Control”, “Modify”, “Read”, “Write”, “Synchronize” and “ReadAndExecute”). More complex combinations are shown as numbers. The infrastructure only translates the numeric code into text for the most common ones.

9. Setting the Owner

Another fairly common operation is setting a new owner for a folder. This is useful when provisioning a folder for a specific user and wanting to give the user the ownership of the folder itself. It’s also handy if a administrator has been locked out of a folder. If I am the administrator, I can set the owner to myself  and then grant myself permissions to access the folder. In CMD.EXE, you would use

-          ICACLS F:\Folder /SETOWNER Administrators

The PowerShell equivalent would be:

-          $acl = Get-Acl F:\Folder

-          $acl.SetOwner([System.Security.Principal.NTAccount] "Administrators")

-          Set-Acl F:\Folder $acl

10. It’s actually a Security Descriptor

The information returned by Get-Acl is actually better described as a “Security Descriptor”, not really an ACL (Access Control List). It contains a number of security-related information, including the Owner, the Group Owner, the Discretionary Access Control List (also known as DACL, which is where we added the two rules), the Audit Access Control List (also known as SACL). Technically, adding the two rules actually adds two ACEs (Access Control Entries) to the DACL (Discretionary Access Control List).

Also listed by Get-ACL is SDDL string. The SDDL a string that combines all the information returned by Get-Acl in a single string. It’s a bit hard to parse for humans, but it’s closer to the internal representation.

11. Looking at the other methods

There are a number of additional methods available to handle the Security Descriptor returned by Get-Acl. If you want to look into them, just pipe the output to Get-Member. See the example below:

PS F:\> Get-Acl F:\Folder | Get-Member

TypeName: System.Security.AccessControl.DirectorySecurity

Name                            MemberType     Definition

----                            ----------     ----------

Access                          CodeProperty   System.Security.AccessControl.AuthorizationRuleCollection Access{get=...

Group                           CodeProperty   System.String Group{get=GetGroup;}

Owner                           CodeProperty   System.String Owner{get=GetOwner;}

Path                            CodeProperty   System.String Path{get=GetPath;}

Sddl                            CodeProperty   System.String Sddl{get=GetSddl;}

AccessRuleFactory               Method         System.Security.AccessControl.AccessRule AccessRuleFactory(System.Sec...

AddAccessRule                   Method         System.Void AddAccessRule(System.Security.AccessControl.FileSystemAcc...

AddAuditRule                    Method         System.Void AddAuditRule(System.Security.AccessControl.FileSystemAudi...

AuditRuleFactory                Method         System.Security.AccessControl.AuditRule AuditRuleFactory(System.Secur...

Equals                          Method         bool Equals(System.Object obj)

GetAccessRules                  Method         System.Security.AccessControl.AuthorizationRuleCollection GetAccessRu...

GetAuditRules                   Method         System.Security.AccessControl.AuthorizationRuleCollection GetAuditRul...

GetGroup                        Method         System.Security.Principal.IdentityReference GetGroup(type targetType)

GetHashCode                     Method         int GetHashCode()

GetOwner                        Method         System.Security.Principal.IdentityReference GetOwner(type targetType)

GetSecurityDescriptorBinaryForm Method         byte[] GetSecurityDescriptorBinaryForm()

GetSecurityDescriptorSddlForm   Method         string GetSecurityDescriptorSddlForm(System.Security.AccessControl.Ac...

GetType                         Method         type GetType()

ModifyAccessRule                Method         bool ModifyAccessRule(System.Security.AccessControl.AccessControlModi...

ModifyAuditRule                 Method         bool ModifyAuditRule(System.Security.AccessControl.AccessControlModif...

PurgeAccessRules                Method         System.Void PurgeAccessRules(System.Security.Principal.IdentityRefere...

PurgeAuditRules                 Method         System.Void PurgeAuditRules(System.Security.Principal.IdentityReferen...

RemoveAccessRule                Method         bool RemoveAccessRule(System.Security.AccessControl.FileSystemAccessR...

RemoveAccessRuleAll             Method         System.Void RemoveAccessRuleAll(System.Security.AccessControl.FileSys...

RemoveAccessRuleSpecific        Method         System.Void RemoveAccessRuleSpecific(System.Security.AccessControl.Fi...

RemoveAuditRule                 Method         bool RemoveAuditRule(System.Security.AccessControl.FileSystemAuditRul...

RemoveAuditRuleAll              Method         System.Void RemoveAuditRuleAll(System.Security.AccessControl.FileSyst...

RemoveAuditRuleSpecific         Method         System.Void RemoveAuditRuleSpecific(System.Security.AccessControl.Fil...

ResetAccessRule                 Method         System.Void ResetAccessRule(System.Security.AccessControl.FileSystemA...

SetAccessRule                   Method         System.Void SetAccessRule(System.Security.AccessControl.FileSystemAcc...

SetAccessRuleProtection         Method         System.Void SetAccessRuleProtection(bool isProtected, bool preserveIn...

SetAuditRule                    Method         System.Void SetAuditRule(System.Security.AccessControl.FileSystemAudi...

SetAuditRuleProtection          Method         System.Void SetAuditRuleProtection(bool isProtected, bool preserveInh...

SetGroup                        Method         System.Void SetGroup(System.Security.Principal.IdentityReference iden...

SetOwner                        Method         System.Void SetOwner(System.Security.Principal.IdentityReference iden...

SetSecurityDescriptorBinaryForm Method         System.Void SetSecurityDescriptorBinaryForm(byte[] binaryForm), Syste...

SetSecurityDescriptorSddlForm   Method         System.Void SetSecurityDescriptorSddlForm(string sddlForm), System.Vo...

ToString                        Method         string ToString()

PSChildName                     NoteProperty   System.String PSChildName=test

PSDrive                         NoteProperty   System.Management.Automation.PSDriveInfo PSDrive=C

PSParentPath                    NoteProperty   System.String PSParentPath=Microsoft.PowerShell.Core\FileSystem::C:\

PSPath                          NoteProperty   System.String PSPath=Microsoft.PowerShell.Core\FileSystem::C:\test

PSProvider                      NoteProperty   System.Management.Automation.ProviderInfo PSProvider=Microsoft.PowerS...

AccessRightType                 Property       System.Type AccessRightType {get;}

AccessRuleType                  Property       System.Type AccessRuleType {get;}

AreAccessRulesCanonical         Property       System.Boolean AreAccessRulesCanonical {get;}

AreAccessRulesProtected         Property       System.Boolean AreAccessRulesProtected {get;}

AreAuditRulesCanonical          Property       System.Boolean AreAuditRulesCanonical {get;}

AreAuditRulesProtected          Property       System.Boolean AreAuditRulesProtected {get;}

AuditRuleType                   Property       System.Type AuditRuleType {get;}

AccessToString                  ScriptProperty System.Object AccessToString {get=$toString = "";...

AuditToString                   ScriptProperty System.Object AuditToString {get=$toString = "";...

To find the specific parameters for a given method, just filter the output and pipe it to Format-List. For instance, here are the details about the GetAccessRules method used in the script:

PS F:\> Get-Acl F:\Folder | Get-Member -MemberType Method "GetAccessRules" | Format-List

TypeName   : System.Security.AccessControl.DirectorySecurity

Name       : GetAccessRules

MemberType : Method

Definition : System.Security.AccessControl.AuthorizationRuleCollection GetAccessRules(bool includeExplicit, bool includ

eInherited, type targetType)

Here’s a short version, this time looking at the definition for the SetAccessRuleProtection method:

PS F:\> Get-Acl F:\Folder | Get-Member "SetAccessRuleProtection" | FL

TypeName   : System.Security.AccessControl.DirectorySecurity

Name       : SetAccessRuleProtection

MemberType : Method

Definition : System.Void SetAccessRuleProtection(bool isProtected, bool preserveInheritance)

12. Conclusion

I hope this helped you understand how to manipulate Security Descriptors and Access Control Lists using PowerShell. ACLs are used in several other places, like Registry entries, Active Directory objects and File Shares. I’m sure that adding these abilities to your PowerShell tool belt will eventually come in handy.

As usual, the MSDN site is a great reference. You can find all the details about the methods I used here by searching for the method name on MSDN. You can also look at an overview of the methods related to Security Descriptors (with lots of links) at: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.aspx.

Also be sure to check my other blog posts about PowerShell athttp://blogs.technet.com/b/josebda/archive/tags/powershell/.

FROM:http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx

新建共享,NTFS权限设置的更多相关文章

  1. NTFS权限设置时卡死

    客户是一家技术咨询和零部件制造的小公司,使用的文件服务器为R410上插4块1T硬盘做raid 5,服务器操作系统为windows server 2008R2,所有的设计资料的授权都是结合域账户和NTF ...

  2. Linux下mysql新建账号及权限设置各种方式总结

    来自:http://justcoding.iteye.com/blog/1941116 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连接服务器A以进行数据库操作,需要服务 ...

  3. Linux下mysql新建账号及权限设置

    http://www.cnblogs.com/eczhou/archive/2012/07/12/2588187.html 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连 ...

  4. NTFS权限和共享权限的区别

    共享权限 共享权限有三种:完全控制.更改.读取 共持本地安全性.换句话说,他在同一台计算机上以不同用户名登录,对硬盘上同一文件夹可以有不同的访问权限. 注意:NTFS权限对从网络访问和本机登录的用户都 ...

  5. NTFS权限概述

    NTFS权限概述 NTFS是我常见的一种磁盘格式,在Windows系统中使用广泛,它打破了FAT的局限性.在我使用ntfs格式分区的时候经常会涉及到ntfs权限设置问题,来帮助我们对文件的处理.那么什 ...

  6. IIS中的上传目录权限设置问题

    虽然 Apache 的名声可能比 IIS 好,但我相信用 IIS 来做 Web 服务器的人一定也不少.说实话,我觉得 IIS 还是不错的,尤其是 Windows 2003 的 IIS 6(马上 Lon ...

  7. 多站点IIS用户安全权限设置

    如果我们为每个站点都建立一个用户,并设置该用户只有访问本站点的权限,那么就能将访问权限控制在每个站点文件夹内,旁注问题也就解决了 一.这样配置的好处? 不知大家有没有听过旁注?我简单的解释一下吧:有个 ...

  8. NTFS权限详解

    NTFS权限是作为一个Windows管理员必备的知识,许多经验丰富的管理员都能够很熟悉地对文件.文件夹.注册表项等进行安全性的权限设置,包括完全控制.修改.只读等.而谈论NTFS权限这个话题也算是老生 ...

  9. 利用NTFS权限与虚拟目录,在IIS 6.0的默认FTP站点中做用户隔离。

    默认FTP站点为不隔离用户站点,利用NTFS权限设置,达到仅能访问指定目录效果. 是否允许匿名连接 FTP站点主目录:站点范围内有没有用户需要上传,有的话,要勾选“写入”:具体用户使用NTFS还给予写 ...

随机推荐

  1. underscore vs jquery

    http://wordpress.tv/2013/06/23/k-adam-white-underscore-and-backbone-jquerys-new-friends/ http://www. ...

  2. Vector 的清空

    前两天比赛有一道题,有用到了vector的清空,用的是swap,我一开始还不太清楚,所以去查了下资料,转载一篇关于vector的清空的. vector <int> vecInt; ; i& ...

  3. POJ 3321 Apple Tree(树状数组)

    点我看题目  题意 : 大概是说一颗树有n个分岔,然后给你n-1对关系,标明分岔u和分岔v是有边连着的,然后给你两个指令,让你在Q出现的时候按照要求输出. 思路 :典型的树状数组.但是因为没有弄好数组 ...

  4. PHP 系统常量及自定义常量

    __FILE__ 这个默认常量是 PHP 程序文件名.若引用文件 (include 或 require)则在引用文件内的该常量为引用文件名,而不是引用它的文件名. __LINE__ 这个默认常量是 P ...

  5. Node.js tools for visual studio 在vs中使用Node.js

    简单介绍 PTVS开发团队又开发出一款可以在VS里编写Node.js应用程序的插件——NTVS(Node.js Tools for Visual Studio),开发者可以在VS里轻松开发Node.j ...

  6. javaweb学习总结(三十三)——使用JDBC对数据库进行CRUD

    一.statement对象介绍 Jdbc中的statement对象用于向数据库发送SQL语句,想完成对数据库的增删改查,只需要通过这个对象向数据库发送增删改查语句即可. Statement对象的exe ...

  7. 【Linux安全】防止任意用户使用 su 切换到 root

    防止任意用户使用 su 切换到 root 在终端中输入下列命令 vim /etc/pam.d/su (按 i 进行编辑,qw 保存并推出) 在头部加入行: auth required pam_whee ...

  8. java复制文件的4种方式

    尽管Java提供了一个可以处理文件的IO操作类.但是没有一个复制文件的方法.复制文件是一个重要的操作,当你的程序必须处理很多文件相关的时候.然而有几种方法可以进行Java文件复制操作,下面列举出4中最 ...

  9. poj3177

    边双连通有一个非常简单的做法就是先找出所有桥,然后再dfs一次不走桥即可答案是(叶子节点的个数+1)/2 type node=record next,po:longint; end; ..] of n ...

  10. eclipse 修改设置Ctrl+Shift+F长度

    在window的Preferences中的Java->Code Style->Formatter 到了这一步就是找到Ctrl+Shift+F的格式化模板了,这里不能直接修改.因为是ecli ...