我的新雇主為其數百名用戶設置了資料夾重定向,而設置它的人並不真正知道他在做什麼。因此,重定向資料夾/主目錄權限的最佳實踐沒有被關注。
讓人們存取重定向資料夾位置的解決方案是將Full Control權限(當然是 NTFS 權限,而不是“共享”權限)應用到Everyone根目錄(“Home”),並將其傳播到根目錄下的所有子資料夾和檔案。
可能會出什麼問題,對嗎?執行長的資料夾中並不存在機密訊息My Documents,也不會有任何人感染 CryptoWall 並加密其他人的文件。正確的?
所以,無論如何,現在 CryptoWall 感染已被刪除並且備份已恢復,許多人希望我們用不那麼可怕的東西替換當前的權限,而且我不想在幾個選項中單擊權限對話框。 。
PowerShell 如何為我解決這個問題,讓生活再次變得有價值?
答案1
感謝 JScott為了讓我參考System.Security.Principal...類別或方法或其他任何內容,一些 PowerShell 將一堆子資料夾上的 ACL 替換為適合使用者主目錄的 ACL:
$Root = "Path to the root folder that holds all the user home directories"
$Paths = Get-ChildItem $Root | Select-Object -Property Name,FullName
$DAAR = New-Object system.security.accesscontrol.filesystemaccessrule("MyDomain\Domain Admins","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Domain Admin Access Rule.
$SysAR = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#SYSTEM Access Rule.
foreach ($Folder in $Paths)
{
Write-Host "Generating ACL for $($folder.FullName) ... "
#For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.
$ACL = New-Object System.Security.AccessControl.DirectorySecurity
#Creates a blank ACL object to add access rules into, also blanks out the ACL for each iteration of the loop.
$objUser = New-Object System.Security.Principal.NTAccount("MyDomain\"+$folder.name)
#Creating the right type of User Object to feed into our ACL, and populating it with the user whose folder we're currently on.
$UserAR = New-Object system.security.accesscontrol.filesystemaccessrule( $objuser ,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Access Rule for the user whose folder we're dealing with during this iteration.
$acl.SetOwner($objUser)
$acl.SetAccessRuleProtection($true, $false)
#Change the inheritance/propagation settings of the folder we're dealing with
$acl.SetAccessRule($UserAR)
$acl.SetAccessRule($DAAR)
$acl.SetAccessRule($SysAR)
Write-Host "Changing ACL on $($folder.FullName) to:"
$acl | fl
#For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.
Set-Acl -Path $Folder.Fullname -ACLObject $acl
}
答案2
之前的答案不會起作用如果主資料夾/重新導向資料夾設定為「授予使用者獨佔權限」。這是因為當選擇此選項時不推薦,只有 SYSTEM 和 THE USER 有權存取該資料夾。然後,您無法在不獲得資料夾所有權的情況下變更權限(即使是管理員)。
這是一種無需取得所有權即可解決此問題的方法。這是一個兩步驟過程。
建立一個執行 ICACLS 的 powershell 腳本來修改資料夾和子資料夾的權限。
執行 PSexec 來啟動 Powershell 腳本。
1 建立/複製/竊取 powershell 腳本(需要 PS 3.0 或更高版本)
#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write
$StartingDir= "c:\shares\users" ##Path to root of users home dirs
$Principal="domain\username" #or "administrators"
$Permission="F"
$Verify=Read-Host `n "You are about to change permissions on all" `
"files starting at"$StartingDir.ToUpper() `n "for security"`
"principal"$Principal.ToUpper() `
"with new right of"$Permission.ToUpper()"."`n `
"Do you want to continue? [Y,N]"
if ($Verify -eq "Y") {
foreach ($FOLDER in $(Get-ChildItem -path $StartingDir -directory -recurse)) {
$temp = $Folder.fullname
CACLS `"$temp`" /E /P `"${Principal}`":${Permission} >$NULL
#write-host $Folder.FullName
}
}
- 運行 PSEXEC,它以 SYSTEM 帳戶運行,因此可以更改只有 SYSTEM 和用戶有權訪問的資料夾的權限。安裝並運行 PSexec。https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
從命令列:
psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"