この一部を実行する Powershell 関数がありますが、所有権を取得して権限を追加するためにドメイン アカウントは使用されません...ローカル管理者を使用します。Powershell でこれを行うより良い方法はありますか?
<#
.SYNOPSIS
Take ownership of a folder giving the ownership to ourdomain\myuser
.DESCRIPTION
Takes ownership of a file the way my boss said to do when deleting a user's home directory.
Using the GUI:
1. Right click the folder and select properties.
2. Click the "Security" tab.
3. Click the "Advanced" button.
4. Next to the "Owner:" label, click "Change"
5. Enter ourdomain\myuser
6. Click OK, OK, OK
7. Right click the folder and select properties.
8. Click the "Security" tab.
9. Click the "Advanced" button.
10. Click "Add"
11. Next to "Principal:" click "Select a principal"
12. Enter ourdomain\myuser
13. Click OK
14. Check "Full control"
15. Click OK, OK, OK
16. You should now be able to manipulate or delete the folder.
.NOTES
File Name : Microsoft.PowerShell_profile.ps1
.EXAMPLE
Take-Ownership R:\Redirected\Users\<username>
#>
function Take-Ownership {
param(
[String]$Folder
)
# Take ownership of the folder...
# (though I'd prefer if I could specify a user or group instead)
takeown.exe /A /F $Folder
# Obtain the current ACL for this folder.
$CurrentACL = Get-Acl $Folder
# Add FullControl permissions to the ACL for the user.
Write-Host ...Adding ourdomain\myuser to $Folder -Fore Yellow
$SystemACLPermission = "ourdomain\myuser","FullControl","ContainerInherit,ObjectInherit","None","Allow"
$SystemAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $SystemACLPermission
$CurrentACL.AddAccessRule($SystemAccessRule)
#Write-Host ...Adding Infrastructure Services to $Folder -Fore Yellow
#$AdminACLPermission = "ourdomain\myuser","FullControl","ContainerInherit,ObjectInherit"."None","Allow"
#$SystemAccessRule = new-object System.Security.AccessControl.FilesystemAccessRule $AdminACLPermission
#$CurrentACL.AddAccessRule($SystemAccessRule)
# Set the ACL again.
Set-Acl -Path $Folder -AclObject $CurrentACL
}
答え1
オブジェクトの所有者を Administrators グループに設定する場合は、ローカル管理者である必要があります。そうでない場合、クォータの計算はファイルの所有権に基づいており、クォータは管理者には影響しないため、ユーザーがディスク クォータを簡単に回避できる可能性があります。
管理者としてスクリプトを実行している場合は、少しいじってみれば、オブジェクトの所有者を任意のセキュリティプリンシパルに設定できます。この権限調整スクリプトLee Holmes 氏によるもので、余分な空白を削除して 1 回のセッションで複数回実行できるように少し編集しました。
param( ## The privilege to adjust. This set is taken from
## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
[ValidateSet(
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
$Privilege,
## The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,
## Switch to disable the privilege, rather than enable it.
[Switch] $Disable
)
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if(disable)
{
tp.Attr = SE_PRIVILEGE_DISABLED;
}
else
{
tp.Attr = SE_PRIVILEGE_ENABLED;
}
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
'@
$processHandle = (Get-Process -id $ProcessId).Handle
try {
Add-Type $definition
} catch {} # Silent failure on re-registration
[AdjPriv]::EnablePrivilege($processHandle, $Privilege, $Disable)
として保存しましたprivs.ps1。その後、プロセスで をオンにするために.\privs.ps1 SeRestorePrivilegeを呼び出すことができSeRestorePrivilege、これにより、ファイルの所有権を任意のユーザーに設定できます。
次に、呼び出しの代わりにtakeown、既に持っている ACL オブジェクトを使用できます。
$ownerPrincipal = New-Object System.Security.Principal.NTAccount($newOwnerName)
$CurrentACL.SetOwner($ownerPrincipal)
新しい ACL が適用されると、同時に新しい所有者が設定されます。
最後に、追加の権限を無効にすることができます。
.\privs.ps1 SeRestorePrivilege -Disable