用fullcontrol修改用户的NTFS安全性

Question

我需要数千个文件夹来更改具有Fullcontrol访问权限的用户以修改访问权限。以下是我所拥有的一份清单：

1. 更改NTFS的脚本会： System.Security.AccessControl.FileSystemAccessRule("My-ServerTeam"，= $acl =Get“G：\文件夹”$acl $acl Format-List $acl.GetAccessRules( $true，$true，System.Security.Principal.NTAccount) #second $true，在下一行中打开继承，$False关闭$acl.SetAccessRuleProtection($True，$True) $rule = New-Object $acl "FullControl"，"ContainerInherit，ObjectInherit"，"None"，“Acl”，ObjectInherit(FullControl)= New-Object #，“，“ObjectInherit”、“无”、“允许”、$acl.AddAccessRule( $rule ) $rule= New-Object $rule "Read“、"ContainerInherit、ObjectInherit”、"None“、”Allow“($rule) $acl.AddAccessRule($rule) Set-Acl”G：\文件夹“$acl Get-Acl”G：\文件夹“\$rule格式列表
2. 包含需要从fullcontrol修改的目录和用户的文本文件。

我总是可以为路径和/或用户名创建一个变量，并创建一个ForEach循环，但我不知道如何更改每个文件夹中存在的用户，但将Admin帐户保持为完全控制。任何帮助都将不胜感激。

Answer 1

走了另一条路得到了我想要的。我一点也不奇怪没人想帮我.这很艰难。我将为下一个有此问题的人发布脚本。有两个剧本。第一个是我从网上得到的，我做了一些改动。第二个脚本使用自动化所需的参数启动第一个脚本。

第一个名为SetFolderPermission.ps1的脚本：

param ([string]$Path, [string]$Access, [string]$Permission = ("Modify"), [switch]$help)
function GetHelp() {
$HelpText = @"

DESCRIPTION:
NAME: SetFolderPermission.ps1
Sets FolderPermissions for User on a Folder.
Creates folder if not exist.

PARAMETERS: 
-Path           Folder to Create or Modify (Required)
-User           User who should have access (Required)
-Permission     Specify Permission for User, Default set to Modify (Optional)
-help           Prints the HelpFile (Optional)

SYNTAX:
./SetFolderPermission.ps1 -Path C:\Folder\NewFolder -Access Domain\UserName -Permission FullControl

Creates the folder C:\Folder\NewFolder if it doesn't exist.
Sets Full Control for Domain\UserName

./SetFolderPermission.ps1 -Path C:\Folder\NewFolder -Access Domain\UserName

Creates the folder C:\Folder\NewFolder if it doesn't exist.
Sets Modify (Default Value) for Domain\UserName

./SetFolderPermission.ps1 -help

Displays the help topic for the script

Below Are Available Values for -Permission

"@
$HelpText

[system.enum]::getnames([System.Security.AccessControl.FileSystemRights])

}

<#
function CreateFolder ([string]$Path) {

    # Check if the folder Exists

    if (Test-Path $Path) {
        Write-Host "Folder: $Path Already Exists" -ForeGroundColor Yellow
    } else {
        Write-Host "Creating $Path" -Foregroundcolor Green
        New-Item -Path $Path -type directory | Out-Null
    }
}
#>

function SetAcl ([string]$Path, [string]$Access, [string]$Permission) {

    # Get ACL on FOlder

    $GetACL = Get-Acl $Path

    # Set up AccessRule

    $Allinherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $Allpropagation = [system.security.accesscontrol.PropagationFlags]"None"
    $AccessRule = New-Object system.security.AccessControl.FileSystemAccessRule($Access, $Permission, $AllInherit, $Allpropagation, "Allow")

    # Check if Access Already Exists

    if ($GetACL.Access | Where {$_.IdentityReference -eq $Access}) {

        Write-Host "Modifying Permissions For: $Access on directory: $Path" -ForeGroundColor Yellow

        $AccessModification = New-Object system.security.AccessControl.AccessControlModification
        $AccessModification.value__ = 2
        $Modification = $False
        $GetACL.ModifyAccessRule($AccessModification, $AccessRule, [ref]$Modification) | Out-Null
    } else {

        Write-Host "Adding Permission: $Permission For: $Access"

        $GetACL.AddAccessRule($AccessRule)
    }

    Set-Acl -aclobject $GetACL -Path $Path

    Write-Host "Permission: $Permission Set For: $Access on directory: $Path" -ForeGroundColor Green
}

if ($help) { GetHelp }

if ($Access -AND $Permission) { 
    SetAcl $Path $Access $Permission
}

下一个脚本调用第一个脚本并添加所需的参数。一个CSV，包含带有文件夹的2列和带有完全控制的用户名。

$path = "C:\Scripts\scandata\TwoColumnCSVwithPathandUserwithFullControl.csv"
$csv = Import-csv -path $path
foreach($line in $csv){
$userN = $line.IdentityReference
$PathN = $line.Path
$dir = "$PathN"
$DomUser = "$userN"
$Perm = "Modify"
$scriptPath = "C:\Scripts\SetFolderPermission.ps1"
$argumentList1 = '-Path'
$argumentList2 = "$dir"
$argumentList3 = '-Access'
$argumentList4 = "$DomUser"
$argumentList5 = '-Permission'
$argumentList6 = "$Perm"
Invoke-Expression "$scriptPath $argumentList1 $argumentList2 $argumentList3 $argumentList4 $argumentList5 $argumentList6"