We have several Windows network shares, in a common location (\\server-name\share) that hosts a common set of files. These shares are replicated across roughly 300 hundred servers. We have the actual replication down, but we're running into an unanticipated problem: server admins half the world away changing file permissions on our share, and breaking replication in creative ways.
我们在一个公共位置(\\ server-name \ share)中有几个Windows网络共享,它们托管一组公共文件。这些共享在大约300台服务器上复制。我们实际上已经复制了,但是我们遇到了一个意料之外的问题:服务器管理员在世界各地改变了我们共享的文件权限,并以创造性的方式打破了复制。
To detect this early on, we'd like to write a script to check each server's network share and ensure that a few permissions exist for the share folder & its contents:
为了在早期检测到这一点,我们想编写一个脚本来检查每个服务器的网络共享,并确保共享文件夹及其内容存在一些权限:
- Everyone needs read access
- User X needs change/modify
- User Y needs full control
每个人都需要读取权限
用户X需要更改/修改
用户Y需要完全控制
Now, so far I've got a nice script that checks that at least each share exists. The complication stems from the fact that (due to a nice Active Directory tree), the usernames are consistent across servers (always of the form "DOMAIN/user"), but their guid numbers vary.
现在,到目前为止,我有一个很好的脚本,可以检查至少每个共享是否存在。复杂性源于这样一个事实:(由于一个漂亮的Active Directory树),用户名在服务器之间是一致的(总是“DOMAIN / user”形式),但它们的guid数字是不同的。
So far I've been looking at cacls.exe and the newer version Icacls.exe, but the options are confusing and seem to be centered around changing the Access Control Lists, which I don't want to do. Any tool that's Windows built-in is preferable, I'm just unsure how to approach this.
到目前为止,我一直在查看cacls.exe和更新版本的Icacls.exe,但选项很混乱,似乎集中在更改访问控制列表,我不想这样做。任何Windows内置的工具都是可取的,我只是不确定如何处理这个问题。
So it comes down to is: on some arbitrary server, if I only know the NAME of a user, is there a way to figure out what file permissions they have on a given folder?
所以它归结为:在某个任意服务器上,如果我只知道用户的NAME,有没有办法弄清楚他们在给定文件夹上有哪些文件权限?
1 个解决方案
#1
0
icacls
does allow the use of the "friendly name" form for specifying the user. Which means you should be able to use the human style names. So 'bob' should point to the same person in all of your domains.
icacls允许使用“友好名称”表单来指定用户。这意味着您应该能够使用人类风格的名称。所以'bob'应该指向所有域中的同一个人。
You can grant a user a permission without changing anything else using /grant:r
which means "if it's already there do nothing, otherwise add it". So,
您可以使用/ grant:r授予用户权限而无需更改任何其他内容,这意味着“如果它已经在那里什么都不做,否则添加它”。所以,
Everyone needs read accessicacls \a\directory\somewhere /t /grant:r Everybody:(rd)
每个人都需要读访问icacls \ a \ directory \ somewhere / t / grant:r每个人:(rd)
I assume you want them to be able to list the contents of the directory as well as read.
我假设你希望他们能够列出目录的内容以及阅读。
User X needs change/modifyicacls \a\directory\somewhere /t /grant:r bobX:m
用户X需要更改/修改icacls \ a \ directory \ somewhere / t / grant:r bobX:m
And so on. I assume that 'm' is sufficient to convey the 'modify' permission.
等等。我认为'm'足以传达'修改'权限。
ACLs are just another name for "permissions". So, if you want to change permissions then you want to change the ACLs.
ACL只是“权限”的另一个名称。因此,如果要更改权限,则需要更改ACL。
#1
0
icacls
does allow the use of the "friendly name" form for specifying the user. Which means you should be able to use the human style names. So 'bob' should point to the same person in all of your domains.
icacls允许使用“友好名称”表单来指定用户。这意味着您应该能够使用人类风格的名称。所以'bob'应该指向所有域中的同一个人。
You can grant a user a permission without changing anything else using /grant:r
which means "if it's already there do nothing, otherwise add it". So,
您可以使用/ grant:r授予用户权限而无需更改任何其他内容,这意味着“如果它已经在那里什么都不做,否则添加它”。所以,
Everyone needs read accessicacls \a\directory\somewhere /t /grant:r Everybody:(rd)
每个人都需要读访问icacls \ a \ directory \ somewhere / t / grant:r每个人:(rd)
I assume you want them to be able to list the contents of the directory as well as read.
我假设你希望他们能够列出目录的内容以及阅读。
User X needs change/modifyicacls \a\directory\somewhere /t /grant:r bobX:m
用户X需要更改/修改icacls \ a \ directory \ somewhere / t / grant:r bobX:m
And so on. I assume that 'm' is sufficient to convey the 'modify' permission.
等等。我认为'm'足以传达'修改'权限。
ACLs are just another name for "permissions". So, if you want to change permissions then you want to change the ACLs.
ACL只是“权限”的另一个名称。因此,如果要更改权限,则需要更改ACL。