问题
I have a directory which I want to go through recursively and set permissions on all the folders. So the order of operations should be:
- Remove all ACL from folder
- Add ACL to folder
- Set ACL
I tried the below code, but I am getting the error
Cannot set the ACL because the method that it needs to invoke, SetSecurityDescriptor, does not exist.
foreach ($folder in Get-ChildItem -Path c:\perms -Recurse -Directory) {
$AccessRule = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("user", "FullControl", "ContainerInherit,ObjectInherit", "InheritOnly", "Allow")
$acl = Get-Acl $folder
$acl.SetAcccessRule($AccessRule)
Set-Acl -Path $folder.FullName -AclObject $acl
}
I got rid of the error message, and it added the ACL, but I want to basically remove all ACLs from the folder and add new ones.
I updated my script to look like this:
$acl = Get-Acl -Path "c:\perms"
$acl.SetAccessRuleProtection($true,$false)
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
$ace = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("user", "FullControl", "ContainerInherit,ObjectInherit", "InheritOnly", "Allow")
$acl.AddAccessRule($ace)
Set-Acl -Path "c:\perms" -AclObject $acl
If I want to add multiple $ace, is it just a matter of declaring $ace2, $ace3 and then calling $acl.AddAccessRule($ace2), $acl.AddAccessRule($ace3).
回答1:
Use SetAccessRuleProtection() to disable inheritance and remove inherited ACEs:
$acl.SetAccessRuleProtection($true, $false)
Use RemoveAccessRule() to remove existing (non-inherited) ACEs:
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
Use AddAccessRule() to add new ACEs:
$ace = New-Object Security.AccessControl.FileSystemAccessRule "user", ...
$acl.AddAccessRule($ace)
...
Do this only for the topmost folder. Leave inheritance enabled everywhere below, so your changes are propagated automatically.
来源:https://stackoverflow.com/questions/48410379/recursively-set-permissions-on-folders-using-powershell