icacls or PowerShell - Deny everyone except "Domain Admins" and %USERNAME%
Hi,
I have a file share \\filesvr1\Store1
The path above has all Full Control permissions for DOMAIN/SalesStaff.
I also have a logon script to make a %USERNAME% folder in \\filesvr1\Store1 on next logon:
Because everybody in DOMAIN/SalesStaff has permissions to Store1 all users in the group can access all %USERNAME% folders.
How can I set permissions via PowerShell or icacls to deny everyone except "%USERNAME%" and "Domain Admins" on each folder?
In other words DOMAIN/BigJohn and Domain Admins have Full control of \\filesvr1\Store1\BigJohn (everyone else denied)?
if not exist "\\filesvr1\Store1\%USERNAME%" goto createIt else goto mapIt
:createIt
md "\\filesvr1\Store1\%USERNAME%"
goto mapIt
:mapIt
net use i: /DELETE
net use i: "\\filesvr1\Store1\%USERNAME%" /PERSISTENT:NO
This might work. It also gets rid of your convoluted logic:
if not exist "\\filesvr1\Store1\%USERNAME%" (
md "\\filesvr1\Store1\%USERNAME%"
icacls "\\filesvr1\Store1\%USERNAME%" /inheritance:r
icacls "\\filesvr1\Store1\%USERNAME%" /grant domain\administrators:F "Domain\%username%:F"
)
if exist i:\*.* net use i: /DELETE
net use i: "\\filesvr1\Store1\%USERNAME%" /PERSISTENT:NO
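A PowerShell version of the same steps, as an added example that is not part of the original thread: it creates the folder, replaces its ACL with entries for only the user and Domain Admins, then reads the ACL back to confirm nothing else remains. The share path and group name come from the question; resolving both accounts under %USERDOMAIN% and running as the logging-on user are assumptions.

```powershell
# Added example, not from the original thread. Assumes it runs as the
# logging-on user and that both accounts live in the domain named by USERDOMAIN.
$path = Join-Path '\\filesvr1\Store1' $env:USERNAME
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

# Resolve both principals to SIDs first, so a mistyped name fails here
# instead of leaving the folder with a half-built ACL.
$sidType = [System.Security.Principal.SecurityIdentifier]
$names = "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\$env:USERNAME"
$sids = foreach ($name in $names) {
    ([System.Security.Principal.NTAccount]$name).Translate($sidType)
}

$acl = Get-Acl -LiteralPath $path
# $true = block inheritance, $false = do not keep copies of inherited entries
# (the same effect as icacls /inheritance:r).
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit entries that are already on the folder.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Full control for the two principals, applied to the folder and everything in it.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($sid in $sids) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, 'FullControl', $inherit, 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $path -AclObject $acl

# Read the ACL back by SID and stop if anything unexpected is still present.
$extra = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IsInherited -or ($sids.Value -notcontains $_.IdentityReference.Value) }
if ($extra) {
    throw "Unexpected ACL entries remain on $path"
}
```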