我有一個註冊表項,我需要擁有它的所有權,然後設定權限集。我能夠取得所有權,但是在設定權限時,它僅適用於註冊表項的最頂層,它不會向下繼承。我需要修改什麼才能讓權限繼承到整個金鑰?
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins","FullControl","Allow")
$owner = [System.Security.Principal.NTAccount]"Administrators"
$keyCR = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
# Get a blank ACL since you don't have access and need ownership
$aclCR = $keyCR.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$aclCR.SetOwner($owner)
$keyCR.SetAccessControl($aclCR)
# Get the acl and modify it
$aclCR = $keyCR.GetAccessControl()
$aclCR.SetAccessRule($AddACL)
$keyCR.SetAccessControl($aclCR)
$keyCR.Close()
答案1
在仔細查看 AccessControl 參數後我找到了答案。我在定義要新增的 ACL 時不夠具體。這是目前的程式碼,只單獨加入了top key的權限;
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins","FullControl","Allow")
這是允許在註冊表頂層設定 ACL 並向下繼承的程式碼:
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins","FullControl","ObjectInherit,ContainerInherit","None","Allow")