Append security rights to a folder via Powershell

我怕爱的太早我们不能终老 submitted on 2019-12-08 04:11:33

Question


Trying my hand at Powershell and I'm trying to figure out how to add specific permissions to our user account. The code below will add the service account to the folder's Security tab, however it will not adjust the permissions. Any idea why?

#variables
$okeeffename = "WCFService"
$domain = "InsideServices.dev.com"
$okeeffedirectory = "d:\webcontent\$domain\$okeeffename"

#create webcontent and application folders
Write-Host "Creating directories" -ForegroundColor Yellow
New-Item -Path $okeeffedirectory -type directory -ErrorAction Stop

#adjust security for folders
$okeefferights = Get-Acl $okeeffedirectory
$read = New-Object system.security.accesscontrol.filesystemaccessrule($useraccount, "Read", "Allow")
$list = New-Object system.security.accesscontrol.filesystemaccessrule($useraccount, "ListDirectory", "Allow")
$readexecute = New-Object system.security.accesscontrol.filesystemaccessrule($useraccount, "ReadAndExecute", "Allow")
$okeefferights.SetAccessRule($read)
$okeefferights.SetAccessRule($list)
$okeefferights.SetAccessRule($readexecute)
Set-Acl -Path $okeeffedirectory -AclObject $okeefferights

Second question: I'm trying to add the following permissions for the service account to the folder. Can someone point out the keyword Powershell uses for the List Folder Contents permission?

EDIT

By toggling the Allow/Deny value for the FileSystemRights I found that each of the specs are only changing the Special Permissions Permission on the folder. Quick screen shot:


Answer 1:


This is fairly easy to find out when you know what exactly you are looking for. What you need is a [System.Security.AccessControl.FileSystemRights]. We can find the available rights list by using [enum] as such:

PS C:\windows\system32> [enum]::GetNames([System.Security.AccessControl.FileSystemRights])

ListDirectory
ReadData
WriteData
CreateFiles
CreateDirectories
AppendData
ReadExtendedAttributes
WriteExtendedAttributes
Traverse
ExecuteFile
DeleteSubdirectoriesAndFiles
ReadAttributes
WriteAttributes
Write
Delete
ReadPermissions
Read
ReadAndExecute
Modify
ChangePermissions
TakeOwnership
Synchronize
FullControl

You can create several rights in one object like this (this should allow a user read/execute-only access to a folder and its contents):

$Rights = [System.Security.AccessControl.FileSystemRights]"ListDirectory,ReadData,Traverse,ExecuteFile,ReadAttributes,ReadPermissions,Read,ReadAndExecute"

My usual template for setting ACLs is this:

$Rights = [System.Security.AccessControl.FileSystemRights]"FullControl" 

$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None 

$objType =[System.Security.AccessControl.AccessControlType]::Allow 

$objUser = New-Object System.Security.Principal.NTAccount("Domain\User") 

$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $Rights, $InheritanceFlag, $PropagationFlag, $objType) 

$objACL = Get-ACL "C:\Temp" 
$objACL.AddAccessRule($objACE) 

Set-ACL "C:\Temp" $objACL

From that you should be able to manipulate the code to accomplish what you want.




Answer 2:


To build an ACE that shows up as "list folder contents" in the "Security" tab you need to combine 5 file system rights:

  • ListDirectory
  • ReadAttributes
  • ReadExtendedAttributes
  • ReadPermissions
  • Traverse

and set inheritance to ContainerInherit.

$list = New-Object Security.AccessControl.FileSystemAccessRule($useraccount, 'Traverse,ListDirectory,ReadAttributes,ReadExtendedAttributes,ReadPermissions', 'ContainerInherit', 'None', 'Allow')

The most straightforward way to find out the specific combination of file system rights and inheritance flags for a particular ACE is to create it manually and inspect the result in the Advanced Security Settings.
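
An added example (not part of the question or of either answer) that applies the rule from answer 2 to a scratch folder and reads it back. It also shows that the five rights add up to the same access mask as ReadAndExecute, so what separates this entry from a three-argument rule like the question's is the ContainerInherit flag; BUILTIN\Users and the temp path are assumptions standing in for the real service account and folder.

```powershell
# Added example. Assumptions: BUILTIN\Users (well-known SID S-1-5-32-545) stands in
# for the service account; a scratch folder under $env:TEMP stands in for the real path.
$identity = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$folder   = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -Path $folder -ItemType Directory -ErrorAction Stop | Out-Null

try {
    # Answer 2's five rights, inherited by subfolders only (not by files).
    $rights   = [System.Security.AccessControl.FileSystemRights]'Traverse,ListDirectory,ReadAttributes,ReadExtendedAttributes,ReadPermissions'
    $listRule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rights, 'ContainerInherit', 'None', 'Allow')

    # Three-argument form as used in the question, built for comparison only (never applied).
    # This constructor leaves InheritanceFlags and PropagationFlags at None.
    $flatRule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'ReadAndExecute', 'Allow')

    # AddAccessRule merges with existing entries instead of replacing them.
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($listRule)
    Set-Acl -Path $folder -AclObject $acl

    # Read back only the explicit (non-inherited) entries for our identity, as SIDs.
    $applied = (Get-Acl -Path $folder).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $identity.Value }

    # Side-by-side view: rights, raw mask and scope of each rule.
    $rows = @($applied | ForEach-Object { @{ Name = 'applied (answer 2)'; Ace = $_ } }) +
            @{ Name = 'three-argument form'; Ace = $flatRule }
    $rows | ForEach-Object {
        [pscustomobject]@{
            Rule        = $_.Name
            Rights      = $_.Ace.FileSystemRights
            Mask        = '0x{0:X}' -f [int]$_.Ace.FileSystemRights
            Inheritance = $_.Ace.InheritanceFlags
            Propagation = $_.Ace.PropagationFlags
        }
    } | Format-Table -AutoSize

    # The five individual rights and ReadAndExecute are the same bit pattern.
    $sameMask = [int]$rights -eq [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    Write-Host "Five rights equal ReadAndExecute: $sameMask"
}
finally {
    # Remove the scratch folder so the demo leaves nothing behind.
    Remove-Item -Path $folder -Recurse -Force
}
```

The same read-back with `GetAccessRules` works as an audit step on a real folder: list the explicit entries and check both the mask and the inheritance flags before relying on what the Security tab summarises.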



Source: https://stackoverflow.com/questions/28309231/append-security-rights-to-a-folder-via-powershell