
Trying to prevent a security group from applying to other folders/files

I'm trying to make it so that $ADNameRO and $ADNameRW (that I've created below) don't get applied to folders below it but let the rest of the permissions be inherited.

I've tried to change the propagation flag for those two strings so that it only applies to the folder and files that it is added to, but it still gets added to the sub files and folders...

I thought that I might need to change the InheritanceFlags to Object for both of those strings, but when I changed that manually (through Windows GUI) it didn't seem to work correctly...

Any help with this would be appreciated.

function New-Ace {
  # Builds one FileSystemAccessRule; the defaults give "this folder, subfolders and files".
  [CmdletBinding()]
  Param(
    [Parameter(Mandatory=$true, Position=0)]
    [Security.Principal.NTAccount]$Account,
    [Parameter(Mandatory=$false, Position=1)]
    [Security.AccessControl.FileSystemRights]$Permissions = 'ReadAndExecute',
    # ContainerInherit: subfolders receive the ACE. ObjectInherit: files receive it.
    [Parameter(Mandatory=$false, Position=2)]
    [Security.AccessControl.InheritanceFlags]$InheritanceFlags = 'ContainerInherit,ObjectInherit',
    # InheritOnly: the ACE grants nothing on the object it sits on.
    # NoPropagateInherit: children receive the ACE but do not pass it further down.
    [Parameter(Mandatory=$false, Position=3)]
    [Security.AccessControl.PropagationFlags]$PropagationFlags = 'None',
    [Parameter(Mandatory=$false, Position=4)]
    [Security.AccessControl.AccessControlType]$Type = 'Allow'
  )

  New-Object Security.AccessControl.FileSystemAccessRule(
    $Account, $Permissions, $InheritanceFlags, $PropagationFlags, $Type
  )
}

$domain = 'ESG.INTL'
# Resolve the local Administrators group from its well-known SID so the name is locale independent
$administrators = ([wmi]"Win32_Sid.Sid='S-1-5-32-544'").AccountName
$ADDomainUsers = "$domain\Domain Users"
# $path, $ADNameRW and $ADNameRO are set elsewhere in the script (not shown here)

$acl = Get-Acl $path

$administrators, "$domain\Domain Admins" | ForEach-Object {
  $acl.AddAccessRule((New-Ace $_ 'FullControl'))
}
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute'))
$acl.AddAccessRule((New-Ace $ADDomainUsers 'ReadAndExecute'))

# Write the modified DACL back to the folder
Set-Acl -Path $path -AclObject $acl

Setting access permissions to folders and files without inheritance requires two ACEs: one for "this folder only" and one for "files only". For the former, set both inheritance and propagation flags to None; for the latter, set inheritance flags to ObjectInherit and propagation flags to InheritOnly:

# "This folder only": no inheritance flags, no propagation flags
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify' 'None'))
# "Files only": ObjectInherit so files receive it, InheritOnly so the folder itself is not granted by this entry
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify' 'ObjectInherit' 'InheritOnly'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute' 'None'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute' 'ObjectInherit' 'InheritOnly'))
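The following is an added, self-contained example of my own, not code from the question or the answer above. It builds the two ACE shapes the answer describes ("this folder only" and "files only"), applies them to a scratch folder tree under $env:TEMP, and then reads back from every object in the tree which entries it actually received, so you can see the inheritance and propagation flags as NTFS stored them rather than as the GUI labels them. One extra point a practitioner usually wants: an ObjectInherit ACE is still handed to subfolders as an inherit-only copy so that files inside them receive it; if the intent is that only files directly in the top folder get the entry, add NoPropagateInherit to the propagation flags. The helper names, the -StopAtThisFolder switch, the scratch paths and the use of BUILTIN\Users as the principal are assumptions made for this demonstration; it runs on Windows (Windows PowerShell 5.1 or PowerShell 7) as a user who may change permissions under $env:TEMP.

```powershell
# Added example (not part of the original post): apply "this folder only" and
# "files only" ACEs to a scratch tree and report what each object received.
# Assumed: Windows, BUILTIN\Users as the demo principal, scratch paths under $env:TEMP.
$ErrorActionPreference = 'Stop'

function New-FolderScopedAces {
    param(
        [Parameter(Mandatory)] [Security.Principal.NTAccount]$Account,
        [Parameter(Mandatory)] [Security.AccessControl.FileSystemRights]$Rights,
        # Assumed switch: adds NoPropagateInherit so the files-only ACE is not
        # carried into subfolders (and therefore not onto the files inside them)
        [switch]$StopAtThisFolder
    )
    $ruleType  = 'Security.AccessControl.FileSystemAccessRule'
    $filesProp = if ($StopAtThisFolder) { 'InheritOnly,NoPropagateInherit' } else { 'InheritOnly' }

    # ACE 1, "this folder only": no inheritance, no propagation
    New-Object -TypeName $ruleType -ArgumentList $Account, $Rights, 'None', 'None', 'Allow'
    # ACE 2, "files only": ObjectInherit so files get it, InheritOnly so this
    # entry grants nothing on the folder it is placed on
    New-Object -TypeName $ruleType -ArgumentList $Account, $Rights, 'ObjectInherit', $filesProp, 'Allow'
}

function Show-AceScope {
    param([string]$Root, [Security.Principal.NTAccount]$Account)
    # One row per ACE naming $Account on every object in the tree (root first)
    $paths = @($Root) + @(Get-ChildItem -Path $Root -Recurse -Force | Select-Object -ExpandProperty FullName)
    foreach ($p in $paths) {
        $mine = @((Get-Acl -Path $p).Access | Where-Object { $_.IdentityReference.Value -eq $Account.Value })
        if ($mine.Count -eq 0) {
            [pscustomobject]@{ Path = $p; Rights = '(no entry)'; Inherited = ''; Inheritance = ''; Propagation = '' }
        }
        foreach ($ace in $mine) {
            [pscustomobject]@{
                Path        = $p
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                Inheritance = $ace.InheritanceFlags
                Propagation = $ace.PropagationFlags
            }
        }
    }
}

$root = Join-Path $env:TEMP ('ace-demo-' + [guid]::NewGuid().ToString('N'))
try {
    # Constructed scratch tree: root\top.txt and root\sub\deep.txt
    New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null
    Set-Content -Path (Join-Path $root 'top.txt') -Value 'top'
    Set-Content -Path (Join-Path $root 'sub\deep.txt') -Value 'deep'

    # BUILTIN\Users resolved from its well-known SID, so the demo is locale independent
    $principal = ([Security.Principal.SecurityIdentifier]'S-1-5-32-545').Translate(
        [Security.Principal.NTAccount])

    $acl = Get-Acl -Path $root
    New-FolderScopedAces -Account $principal -Rights 'Modify' -StopAtThisFolder |
        ForEach-Object { $acl.AddAccessRule($_) }
    Set-Acl -Path $root -AclObject $acl

    Show-AceScope -Root $root -Account $principal | Format-Table -AutoSize
}
finally {
    # Scratch tree only; remove it so the demo ACEs do not linger
    Remove-Item -Path $root -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it once with and once without -StopAtThisFolder and compare the rows for `sub` and `sub\deep.txt`: NoPropagateInherit is the flag that decides whether the files-only ACE is carried into subfolders. The same Show-AceScope pass is also a useful check after running the real script on $path, because it shows the stored flags rather than the GUI's summary wording.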
