設定資料夾的群組權限

tag-icon tag-icon active-directory permissions powershell access-control-list
設定資料夾的群組權限

我有一個包含很多子資料夾的資料夾

  • D:\資料\子資料夾1
  • D:\資料\子資料夾2
  • D:\資料\子資料夾3
  • D:\資料\子資料夾4
  • D:\資料\子資料夾5

我需要為每個子資料夾建立三個活動目錄組,如下所示。

  • FS_Data-子資料夾1_讀取
  • FS_Data-Subfolder1_Change
  • FS_Data-Subfolder1_Full

完成此操作後,我必須映射資料夾、Activedirectory 群組和權限。

設定權限是困難的部分。這就是我走了多遠。我不知道如何將群組綁定到權限,然後將其套用到資料夾。

$SharePath = "\\fs\data\"
$FSGroupPath = "OU=GROUPS,OU=Data,DC=DOMAIN,DC=LOCAL"

Get-ChildItem $SharePath | ForEach-Object {
$GroupNameRead = "FS_Data-" + $_ + "_Read"
$GroupNameChange = "FS_Data-" + $_ + "_Change"
$GroupNameFull = "FS_Data-" + $_ + "_Full"

New-ADGroup -Name $GroupNameRead -DisplayName $GroupNameRead -GroupScope DomainLocal -GroupCategory Security -Path $FSGroupPath -Description "Ger Läs Rättigheter till sökväg: FS\Data\$_"
New-ADGroup -Name $GroupNameChange -DisplayName $GroupNameChange -GroupScope DomainLocal -GroupCategory Security -Path $FSGroupPath -Description "Ger Ändra Rättigheter till sökväg: FS\Data\$_"
New-ADGroup -Name $GroupNameFull -DisplayName $GroupNameFull -GroupScope DomainLocal -GroupCategory Security -Path $FSGroupPath -Description "Ger Fulla Rättigheter till sökväg: FS\Data\$_"

$set_Group   = $GroupNameFull
$set_rights = Modify
$acl = Get-Acl $SharePath
$permission = $set_user,$set_rights,"Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
$acl | Set-Acl $SharePath


}

答案1

看看這個例子來自唐瓊斯幫助您:您基本上從資料夾中取得現有的acl對象,並向其新增規則(SetAccessRule),並且該規則包含主體(使用者或群組,權限以及是否允許或拒絕)。然後使用 set-acl 將更新的 aclobject 套用到檔案/資料夾。

#ChangeACL.ps1
$Right="FullControl"

#The possible values for Rights are 
# ListDirectory, ReadData, WriteData 
# CreateFiles, CreateDirectories, AppendData 
# ReadExtendedAttributes, WriteExtendedAttributes, Traverse
# ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes 
# WriteAttributes, Write, Delete 
# ReadPermissions, Read, ReadAndExecute 
# Modify, ChangePermissions, TakeOwnership
# Synchronize, FullControl

$StartingDir=Read-Host "What directory do you want to start at?"
$Principal=Read-Host "What security principal do you want to grant" `
"$Right to? `n Use format domain\username or domain\group"

#define a new access rule.
#note that the $rule line has been artificially broken for print purposes.
#it needs to be one line. the online version of the script is properly
#formatted.
$rule=new-object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,"Allow")

foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
  $acl=get-acl $file.FullName

  #Add this access rule to the ACL
  $acl.SetAccessRule($rule)

  #Write the changes to the object
  set-acl $File.Fullname $acl
  }

答案2

當您在 cmdlet-PassThru上指定參數時New-ADGroup,它會傳回新群組。您傳回的 ADGroup 物件包含一個 SID 屬性,您可以使用該屬性傳遞IdentityReference存取規則:

$readGroup  = New-ADGroup -Name $GroupNameRead -DisplayName $GroupNameRead -GroupScope DomainLocal -GroupCategory Security -Path $FSGroupPath -Description "Ger Läs Rättigheter till sökväg: FS\Data\$_" -PassThru
if(-not($readGroup)) # Make sure it got created, if not, handle the error
{
    # Error handling in here
}
else
{
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($readGroup.SID,Read,Allow)
}

相關內容