我有以下代码,它应该通过fileshare中的文件夹并将所有权限转换为读取权限.但是,存在一个问题:它不会替换它只是添加到它们的权限.其次,如果文件夹没有继承权限,则会出错
Set-Acl : The process does not possess the ‘SeSecurityPrivilege’ privilege which is required for this operation.
我检查了权限,我完全控制它们
function NotMigrated($SiteURL,$Folder) {
try {
$SiteString=[String]$SiteURL
$pos = $SiteString.LastIndexOf("/")
$Site = $SiteString.Substring($pos+1)
$parent=((get-item $Folder ).parent).Fullname
$AllFolders = Get-ChildItem -Recurse -Path $Folder |? {$_.psIsContainer -eq $True}
$FilesInRoot = Get-ChildItem -Path $Folder | ? {$_.psIsContainer -eq $False}
$acl= get-acl $Folder
foreach ($usr in $acl.access) {
$acl.RemoveAccessRule($usr)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($usr.IdentityReference,"Read","none","Allow")
$Acl.AddAccessRule($rule)
}
$acl | Set-Acl
} catch { continue }
#Loop through all folders (recursive) that exist within the folder supplied by the operator
foreach ($CurrentFolder in $AllFolders) {
#Set the FolderRelativePath by removing the path of the folder supplied by the operator from the fullname of the folder
$FolderRelativePath = ($CurrentFolder.FullName).Substring($Folder.Length)
$FileSource = $Folder + $FolderRelativePath
try {
$acl= get-acl $FileSource
foreach ($usr in $acl.access) {
$acl.RemoveAccessRule($usr)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($usr.IdentityReference,"Allow")
$acl.AddAccessRule($rule)
}
$acl | Set-Acl
} catch { continue }
#For each file in the source folder being evaluated,call the UploadFile function to upload the file to the appropriate location
}
}
解决方法
最大的问题不在于您的代码,而在于
Set-Acl Cmdlet/FileSystem provider combination.当调用Set-Acl时,正在尝试编写整个安全描述符.如果您没有升级(或者如果您的管理员帐户未被授予SeRestorePrivilege),那就不起作用了.但是,如果你被提升,那么你有可能在你正在修改的文件/文件夹上有
destroying your SACL.
出于这个原因,我会不惜一切代价避免使用Set-Acl,直到我上面链接的错误得到修复.相反,您可以使用文件和文件夹对象可用的SetAccessControl()方法:
(Get-Item c:\path\to\folder).SetAccessControl()
完成后,您不应再看到SeSecurityPrivilege错误.但是你仍然会遇到这两个问题:
>您正在寻找为该文件夹中包含的所有ACE制作新的ACE.我想你想要做的是寻找没有被继承的’允许’ACE.如果你有任何’拒绝’ACE,你最终会得到新的’允许’ACE授予’读’访问权限,我打赌你不想这样做.此外,如果您包含继承的ACE,您最终会为每个ACE添加一个新的显式ACE,除非您中断继承,否则无法删除继承的ACE.
>您没有复制现有的继承和传播标志,并且您没有使用文件夹的默认值.
try {
$acl = get-acl $FileSource
# Only look for explicit Allow ACEs
foreach ($usr in ($acl.access | where { $_.IsInherited -eq $false -and $_.AccessControlType -eq 'Allow' })) {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
$usr.IdentityReference,$usr.InheritanceFlags,$usr.PropagationFlags,$usr.AccessControlType
)
# Calling SetAccessRule() is like calling Remove() then Add()
$acl.SetAccessRule($rule)
}
(Get-Item $FileSource).SetAccessControl($acl)
} catch { continue }
