在远程服务器上执行icacls命令

Question

下面是我所拥有的代码，它在单个服务器运行时执行得很好。

$Hostname = $env:COMPUTERNAME
$CsvData = Import-Csv -Path "C:\Ansible\status_report_2021.csv" | Where-Object{$_.ServerName -eq $Hostname} | Select-Object SystemFolderPath

foreach($path in $CsvData)
{

$path = $path.SystemFolderPath
$path = $path.trim('\')

# break inheritance on the folder and copy ACEs as uninherited
icacls $path /inheritance:d

#remove all BUILTIN\Users granted ACEs
icacls $path /remove:g BUILTIN\Users

#grant only BUILTIN\Users Read&Execute. avoid using (S,GE,GR) = RX.
#(S,GE,GR) is a specific right and icacls would create 2 ACEs.
#same meaning but if we can avoid it's better
icacls $path /grant:r "BUILTIN\Users:(OI)(CI)RX"

#remove SYSTEM
icacls $path /remove:g "NT AUTHORITY\SYSTEM"

#grant SYSTEM as Full control on "this folder, subfolder and files"
icacls $path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"

icacls $path

}

请告诉我如何为远程服务器执行这些icacls命令。

Answer 1

我想您可以使用Group-Object的组合将csv中的所有服务器名称及其SystemFolderPath条目组合在一起，并对这些组进行循环。

在循环中，使用Invoke-Command让icacls命令在每个服务器上执行。

有点像

Import-Csv -Path "C:\Ansible\status_report_2021.csv" | Group-Object ServerName | ForEach-Object {
    $server = $_.Name
    foreach ($path in ($_.Group.SystemFolderPath | Select-Object -Unique)) {
        Invoke-Command -ComputerName $server -ScriptBlock {
            param ([string]$path)
            # break inheritance on the folder and copy ACEs as uninherited
            icacls $path /inheritance:d

            # remove all BUILTIN\Users granted ACEs
            icacls $path /remove:g BUILTIN\Users

            # grant only BUILTIN\Users Read&Execute. avoid using (S,GE,GR) = RX.
            # (S,GE,GR) is a specific right and icacls would create 2 ACEs.
            # same meaning but if we can avoid it's better
            icacls $path /grant:r "BUILTIN\Users:(OI)(CI)RX"

            # remove SYSTEM
            icacls $path /remove:g "NT AUTHORITY\SYSTEM"

            # grant SYSTEM as Full control on "this folder, subfolder and files"
            icacls $path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"

            icacls $path
        } -ArgumentList $path.Trim('\')
    }
}

Answer 2

首先，将所有CSV条目按服务器分组--通过这种方式，我们可以同时将所有受影响的路径发送到每个服务器：

$PathsPerServer = Import-Csv -Path "C:\Ansible\status_report_2021.csv" | Group-Object ServerName

现在，我们可以对每个不同的服务器使用Invoke-Command，并为每个相关路径执行icacls语句：

$PathsPerServer | ForEach-Object {
    # enumerate all the paths for this server, we need to pass them as arguments to Invoke-Command
    $paths = $_.Group | Select-Object -Expand SystemFolderPath | ForEach-Object Trim

    Invoke-Command -ComputerName $_.Name -ScriptBlock {
        param([string[]]$Paths)

        foreach ($path in $Paths) {
            # break inheritance on the folder and copy ACEs as uninherited
            icacls $path /inheritance:d

            #remove all BUILTIN\Users granted ACEs
            icacls $path /remove:g BUILTIN\Users

            #grant only BUILTIN\Users Read&Execute. avoid using (S,GE,GR) = RX.
            #(S,GE,GR) is a specific right and icacls would create 2 ACEs.
            #same meaning but if we can avoid it's better
            icacls $path /grant:r "BUILTIN\Users:(OI)(CI)RX"

            #remove SYSTEM
            icacls $path /remove:g "NT AUTHORITY\SYSTEM"

            #grant SYSTEM as Full control on "this folder, subfolder and files"
            icacls $path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"

            icacls $path
        }
    } -ArgumentList $paths
}