
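I have a PowerShell function that does part of the job, but it doesn't use the domain account to take ownership and add permissions... it uses the local administrators. Is there a better way to do this in PowerShell?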
<#
.SYNOPSIS
Take ownership of a folder giving the ownership to ourdomain\myuser
.DESCRIPTION
Takes ownership of a file the way my boss said to do when deleting a user's home directory.
Using the GUI:
1. Right click the folder and select properties.
2. Click the "Security" tab.
3. Click the "Advanced" button.
4. Next to the "Owner:" label, click "Change"
5. Enter ourdomain\myuser
6. Click OK, OK, OK
7. Right click the folder and select properties.
8. Click the "Security" tab.
9. Click the "Advanced" button.
10. Click "Add"
11. Next to "Principal:" click "Select a principal"
12. Enter ourdomain\myuser
13. Click OK
14. Check "Full control"
15. Click OK, OK, OK
16. You should now be able to manipulate or delete the folder.
.NOTES
File Name : Microsoft.PowerShell_profile.ps1
.EXAMPLE
Take-Ownership R:\Redirected\Users\<username>
#>
function Take-Ownership {
    param(
        [String]$Folder
    )
    # Take ownership of the folder...
    # (though I'd prefer if I could specify a user or group instead)
    takeown.exe /A /F $Folder
    # Obtain the current ACL for this folder.
    $CurrentACL = Get-Acl $Folder
    # Add FullControl permissions to the ACL for the user.
    Write-Host "...Adding ourdomain\myuser to $Folder" -Fore Yellow
    $SystemACLPermission = "ourdomain\myuser","FullControl","ContainerInherit,ObjectInherit","None","Allow"
    $SystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $SystemACLPermission
    $CurrentACL.AddAccessRule($SystemAccessRule)
    #Write-Host "...Adding Infrastructure Services to $Folder" -Fore Yellow
    #$AdminACLPermission = "ourdomain\myuser","FullControl","ContainerInherit,ObjectInherit","None","Allow"
    #$SystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $AdminACLPermission
    #$CurrentACL.AddAccessRule($SystemAccessRule)
    # Set the ACL again.
    Set-Acl -Path $Folder -AclObject $CurrentACL
}
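Answer 1
If you are setting the owner of an object to the Administrators group, you must be a local administrator. Otherwise, people could easily circumvent disk quotas, because quota accounting is based on file ownership and quotas do not affect administrators.
If you run the script as an administrator, you can set the owner of an object to any security principal after a small adjustment. You need this privilege-adjustment script from Lee Holmes, which I edited slightly to remove extra whitespace and to allow it to be run multiple times in one session: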
param(
    ## The privilege to adjust. This set is taken from
    ## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
    [ValidateSet(
        "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
        "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
        "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
        "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
        "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
        "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
        "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
        "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
        "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
        "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
        "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
    $Privilege,
    ## The process on which to adjust the privilege. Defaults to the current process.
    $ProcessId = $pid,
    ## Switch to disable the privilege, rather than enable it.
    [Switch] $Disable
)
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv
{
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
        ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid
    {
        public int Count;
        public long Luid;
        public int Attr;
    }
    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
    public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
    {
        bool retVal;
        TokPriv1Luid tp;
        IntPtr hproc = new IntPtr(processHandle);
        IntPtr htok = IntPtr.Zero;
        retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
        tp.Count = 1;
        tp.Luid = 0;
        if(disable)
        {
            tp.Attr = SE_PRIVILEGE_DISABLED;
        }
        else
        {
            tp.Attr = SE_PRIVILEGE_ENABLED;
        }
        retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
        retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return retVal;
    }
}
'@
$processHandle = (Get-Process -id $ProcessId).Handle
try {
    Add-Type $definition
} catch {} # Silent failure on re-registration
[AdjPriv]::EnablePrivilege($processHandle, $Privilege, $Disable)
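I saved it as privs.ps1. You can then call .\privs.ps1 SeRestorePrivilege to turn on SeRestorePrivilege for your process, which allows you to set file ownership to anyone you want.
Then, instead of calling takeown, you can use the ACL object you already have: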
$ownerPrincipal = New-Object System.Security.Principal.NTAccount($newOwnerName)
$CurrentACL.SetOwner($ownerPrincipal)
The new owner will be set at the same time the new ACL is applied.
Finally, you can turn the extra privilege off:
.\privs.ps1 SeRestorePrivilege -Disable
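
The steps from this answer combined into one function, as an added example that is not part of the original answer. The function name Set-OwnerAndGrant and its parameters are hypothetical; it assumes an elevated session, that privs.ps1 from above is in the current directory, and that the caller can already read the folder's ACL.

```powershell
# Added example; Set-OwnerAndGrant, $NewOwnerName and $PrivScript are hypothetical names.
function Set-OwnerAndGrant {
    param(
        [Parameter(Mandatory = $true)] [string] $Folder,
        [Parameter(Mandatory = $true)] [string] $NewOwnerName,  # e.g. 'ourdomain\myuser'
        [string] $PrivScript = '.\privs.ps1'                    # the script saved above
    )

    # Resolve the account first, so a mistyped name fails before any
    # privilege is enabled. Translate() throws if the name cannot be mapped.
    $owner = New-Object System.Security.Principal.NTAccount($NewOwnerName)
    $null  = $owner.Translate([System.Security.Principal.SecurityIdentifier])

    # privs.ps1 returns the result of AdjustTokenPrivileges. A $true result does
    # not prove the privilege is held (the API also returns success when not all
    # privileges were assigned), so a later Set-Acl failure is still possible.
    if (-not (& $PrivScript SeRestorePrivilege)) {
        throw "Could not enable SeRestorePrivilege; is the session elevated?"
    }

    try {
        $acl = Get-Acl -LiteralPath $Folder

        # Owner and the FullControl rule are staged on the same ACL object
        # and written together by the single Set-Acl call below.
        $acl.SetOwner($owner)
        $ruleArgs = $owner, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
        $acl.AddAccessRule($rule)

        Set-Acl -LiteralPath $Folder -AclObject $acl -ErrorAction Stop
    }
    finally {
        # Always drop the privilege again, even when Set-Acl throws, so the
        # session does not keep SeRestorePrivilege enabled longer than needed.
        $null = & $PrivScript SeRestorePrivilege -Disable
    }
}

# Usage, with the path and account taken from the question:
# Set-OwnerAndGrant -Folder 'R:\Redirected\Users\<username>' -NewOwnerName 'ourdomain\myuser'
```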