Setting permissions for windows files

I have the following code that should go through the folders in a file archive and turn all permissions into read permissions. However, there is a problem: it does not replace the existing permissions; the new ones are simply added to them. Secondly, if the folder does not receive inherited permissions, it gives an error message:

Set-Acl: this process does not have the “SeSecurityPrivilege” privilege, which is required for this operation.

I checked the permissions and I have full control over them.

function NotMigrated($SiteURL, $Folder) {
    try {
        $SiteString=[String]$SiteURL
        $pos = $SiteString.LastIndexOf("/")         
        $Site = $SiteString.Substring($pos+1)
        $parent=((get-item $Folder ).parent).Fullname

        $AllFolders = Get-ChildItem -Recurse -Path $Folder |? {$_.psIsContainer -eq $True}
        $FilesInRoot = Get-ChildItem -Path $Folder | ? {$_.psIsContainer -eq $False}
        $acl= get-acl $Folder
        foreach ($usr in $acl.access) {
            $acl.RemoveAccessRule($usr)
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($usr.IdentityReference,"Read","none","none","Allow")
            $Acl.AddAccessRule($rule)
        }
        $acl | Set-Acl
    } catch { continue }

    #Loop through all folders (recursive) that exist within the folder supplied by the operator
    foreach ($CurrentFolder in $AllFolders) {
        #Set the FolderRelativePath by removing the path of the folder supplied by the operator from the fullname of the folder
        $FolderRelativePath = ($CurrentFolder.FullName).Substring($Folder.Length)
        $FileSource = $Folder + $FolderRelativePath

        try {
            $acl= get-acl $FileSource
            foreach ($usr in $acl.access) {
                $acl.RemoveAccessRule($usr)
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($usr.IdentityReference,"Read","none","none","Allow")
                $acl.AddAccessRule($rule)
            }
            $acl | Set-Acl 
        } catch { continue }

        #For each file in the source folder being evaluated, call the UploadFile function to upload the file to the appropriate location
    }
}
2 answers

[text lost in extraction; surviving fragments:] Set-Acl cmdlet / FileSystem provider […] Set-Acl […] (SeRestorePrivilege) […] SACL […]

[…] Set-Acl […]. SetAccessControl():

(Get-Item c:\path\to\folder).SetAccessControl($acl)

[…] SeSecurityPrivilege. […]:

  • [text lost in extraction; only the words ACE and "Deny" survive]
  • [text lost in extraction]

[…]:

try {
    $acl = get-acl $FileSource

    # Only look for explicit Allow ACEs
    foreach ($usr in ($acl.access | where { $_.IsInherited -eq $false -and $_.AccessControlType -eq 'Allow' })) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $usr.IdentityReference,
            "Read",
            $usr.InheritanceFlags,
            $usr.PropagationFlags,
            $usr.AccessControlType
        )

        # Calling SetAccessRule() is like calling Remove() then Add()
        $acl.SetAccessRule($rule)
    }
    (Get-Item $FileSource).SetAccessControl($acl)
} catch { continue }
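The approach in the answer above, carried through as a complete function. This is an added example, not code from the question or either answer: it rewrites only explicit Allow ACEs, keeps each ACE's inheritance and propagation flags, leaves Deny and inherited ACEs untouched, and writes the result back with SetAccessControl() instead of Set-Acl. It assumes Windows with NTFS, that the caller may change permissions on the tree, and that PowerShell 5.1 exposes SetAccessControl() as an instance method while PowerShell 7 needs the FileSystemAclExtensions class; the function and parameter names are this example's own and the sample path is constructed.

```powershell
# Added example (not from the question or the answers): convert explicit Allow ACEs to Read
# on a folder tree while preserving inheritance flags, applied with SetAccessControl().
function ConvertTo-ReadOnlyAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root
    )

    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $sync = [System.Security.AccessControl.FileSystemRights]::Synchronize

    # The root folder itself plus every subfolder below it
    $targets = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Directory)

    foreach ($dir in $targets) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName
        } catch {
            Write-Warning "Cannot read ACL on $($dir.FullName): $($_.Exception.Message)"
            continue
        }

        # Inherited ACEs belong to the parent and cannot be rewritten here; Deny ACEs are left
        # alone so a Deny is never silently turned into an Allow.
        $explicitAllow = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.AccessControlType -eq 'Allow'
        })

        $changed = $false
        foreach ($ace in $explicitAllow) {
            # An ACE created with "Read" is stored as Read plus Synchronize; ignore that bit
            if (([int]$ace.FileSystemRights -band (-bnot [int]$sync)) -eq [int]$read) { continue }

            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ace.IdentityReference, $read,
                $ace.InheritanceFlags, $ace.PropagationFlags,
                [System.Security.AccessControl.AccessControlType]::Allow)

            # Remove exactly this ACE, then add the Read ACE with the same flags. SetAccessRule()
            # would also work, but it collapses several Allow ACEs of one identity into one.
            $acl.RemoveAccessRuleSpecific($ace)
            $acl.AddAccessRule($rule)
            $changed = $true
            Write-Verbose ("{0}: {1} {2} -> Read" -f $dir.FullName, $ace.IdentityReference, $ace.FileSystemRights)
        }

        if (-not $changed) { continue }

        if ($PSCmdlet.ShouldProcess($dir.FullName, 'Rewrite explicit Allow ACEs to Read')) {
            try {
                # Only the modified section (the DACL) is written, so the SACL is not touched
                if ($PSVersionTable.PSEdition -eq 'Core') {
                    # Assumption: PowerShell 7, where SetAccessControl is an extension method
                    [System.IO.FileSystemAclExtensions]::SetAccessControl($dir, $acl)
                } else {
                    $dir.SetAccessControl($acl)
                }
            } catch {
                Write-Warning "Failed to write ACL on $($dir.FullName): $($_.Exception.Message)"
            }
        }
    }
}

# Constructed sample path; run with -WhatIf first to list the folders that would change
ConvertTo-ReadOnlyAcl -Root 'D:\Archive\2019' -WhatIf -Verbose
```

Run it with -WhatIf -Verbose first: the verbose lines show each identity whose rights would drop to Read, and the "What if" lines show which folders would be written. Folders whose explicit ACEs are already Read are skipped, so re-running after a partial failure is safe.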

[answer text lost in extraction]

$UsersToFix = (Get-Content C:\users\john\Desktop\fix.txt)

Function Fix-Rights() {
    Param($Folder = "x")

    If ($Folder -gt "") {
        $MovedFolder = "C:\data\profiles\Student\$Folder"
        Write-Host "Starting to repair rights for $Folder" -ForegroundColor GREEN -BackgroundColor BLACK
        # Take ownership for the Administrators group (/A), recursively (/R), answering Yes to prompts (/D Y)
        & takeown /F $MovedFolder /A /R /D Y
        # Reset the ACLs to the inherited defaults (/reset), recursively (/T), continuing on errors (/C)
        & icacls $MovedFolder /reset /T /C
        # Hand ownership back to the user
        & icacls $MovedFolder /setowner wc1\$Folder /T /C
        # Grant the user Full control, inherited by subfolders (CI) and files (OI)
        & icacls $MovedFolder /grant wc1\$Folder':(OI)(CI)F'
        # Disable inheritance, keeping copies of the inherited ACEs
        & icacls $MovedFolder /inheritance:d
        & icacls $MovedFolder /remove "creator owner"
        Write-Host "Finished repairing rights for $Folder" -ForegroundColor GREEN -BackgroundColor BLACK
    }
}

ForEach ($User in $UsersToFix) {
    Fix-Rights $User
}

Script from Technet

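A read-only check to run after the repair script above. This is an added example, not part of the answer: for each user it reports whether the profile folder ended up in the state the script establishes (owner set to the user, inheritance disabled, a full-control (OI)(CI) ACE for the user, no CREATOR OWNER ACE) and lists any other principal that still holds an explicit ACE. The function, parameter names and the allow-list default are this example's own; the default root and domain are the values used in the answer's script, and the user names at the bottom are constructed sample input.

```powershell
# Added example (not from the answer): audit profile folders after Fix-Rights has run
function Test-ProfileFolderAcl {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$User,
        [string]$ProfileRoot = 'C:\data\profiles\Student',   # path from the answer's script
        [string]$Domain = 'wc1',                             # domain from the answer's script
        # Principals that may keep explicit ACEs besides the user; adjust to the site's baseline
        [string[]]$AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $oici = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

    foreach ($u in $User) {
        $path = Join-Path -Path $ProfileRoot -ChildPath $u
        $expected = "$Domain\$u"

        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            [pscustomobject]@{
                Folder = $path; Exists = $false; Owner = $null; OwnerOk = $false
                InheritanceDisabled = $false; UserHasFullControl = $false
                CreatorOwnerPresent = $false; UnexpectedPrincipals = ''
            }
            continue
        }

        $acl = Get-Acl -LiteralPath $path
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        $explicitNames = @($explicit | ForEach-Object { $_.IdentityReference.Value })

        # A (OI)(CI)F grant appears as an explicit Allow ACE with FullControl and both inheritance flags
        $hasFull = @($explicit | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $expected -and
            ($_.FileSystemRights -band $full) -eq $full -and
            $_.InheritanceFlags -eq $oici
        }).Count -gt 0

        $known = $AllowedPrincipals + $expected
        $unexpected = @($explicitNames | Where-Object { $known -notcontains $_ } | Sort-Object -Unique)

        [pscustomobject]@{
            Folder               = $path
            Exists               = $true
            Owner                = $acl.Owner
            OwnerOk              = ($acl.Owner -eq $expected)
            InheritanceDisabled  = $acl.AreAccessRulesProtected
            UserHasFullControl   = $hasFull
            CreatorOwnerPresent  = ($explicitNames -contains 'CREATOR OWNER')
            UnexpectedPrincipals = ($unexpected -join ', ')
        }
    }
}

# Constructed sample user names standing in for the contents of fix.txt
Test-ProfileFolderAcl -User @('student01', 'student02') | Format-Table -AutoSize
```

Any row with OwnerOk, InheritanceDisabled or UserHasFullControl set to False, or with a non-empty UnexpectedPrincipals column, is a folder where the repair did not finish (for example because icacls hit an error and continued under /C) and deserves a second look before the profile is handed back to the user.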

Source: https://habr.com/ru/post/1599516/

