When setting security descriptors, various resources provide the combination of PropagationFlags and InheritanceFlags to get the desired Apply to. Unfortunately documentation on these is sparse and clear explanation what these flags mean is even sparser. Yet, when I use the combination from those sources, I do not get the desired results. Specifically, to achieve Apply to = this folder only, both flags should be None, but when I do this, the result is Apply to this folder, subfolders and files. The combination that works though is PropagationFlags="InheritOnly" and InheritanceFlags="None". I am using powershell to set ACL. Can someone comment on why is everybody claiming that they both should be none to get This folder while it apparently does not work?
设置安全描述符时,各种资源提供PropagationFlags和InheritanceFlags的组合以获得所需的Apply。不幸的是,关于这些的文档是稀疏而清晰的解释,这些标志的含义甚至更稀疏。然而,当我使用这些来源的组合时,我没有得到预期的结果。具体来说,要仅实现Apply to = this文件夹,两个标志都应为None,但是当我这样做时,结果是Apply to this folder,子文件夹和文件。可行的组合是PropagationFlags =“InheritOnly”和InheritanceFlags =“None”。我使用PowerShell来设置ACL。有人可以评论为什么每个人都声称他们都应该没有得到这个文件夹,而它显然不起作用?
1 个解决方案
#1
1
The flags are documented on MSDN: PropagationFlags, InheritanceFlags and the combination ACL Propagation Rules. When in doubt I usually create the access rule manually with GUI and see what it looks like using (Get-ACL c:\path).Access.
这些标志记录在MSDN上:PropagationFlags,InheritanceFlags和组合ACL传播规则。如果有疑问,我通常使用GUI手动创建访问规则,并查看它的外观(Get-ACL c:\ path).Access。
To create a "this folder only"-permission you need to set both inheritance and propagation to "None". Ex:
要创建“仅此文件夹” - 权限,您需要将继承和传播都设置为“无”。例如:
$acl = Get-Acl .\test
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule "BUILTIN\Users","ReadAndExecute", "None", "None","Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path .\test -AclObject $acl
Be aware that AddAccessRule will ignore the change if there already is a less resitricted rule for the BUILTIN\Users. You would need to use something like $acl.ModifyAccessRule("Set",$rule,[ref]$null) to modify an exisiting one.
请注意,如果BUILTIN \ Users已经有较少的重新规定规则,AddAccessRule将忽略该更改。您需要使用$ acl.ModifyAccessRule(“Set”,$ rule,[ref] $ null)之类的东西来修改现有的。
#1
1
The flags are documented on MSDN: PropagationFlags, InheritanceFlags and the combination ACL Propagation Rules. When in doubt I usually create the access rule manually with GUI and see what it looks like using (Get-ACL c:\path).Access.
这些标志记录在MSDN上:PropagationFlags,InheritanceFlags和组合ACL传播规则。如果有疑问,我通常使用GUI手动创建访问规则,并查看它的外观(Get-ACL c:\ path).Access。
To create a "this folder only"-permission you need to set both inheritance and propagation to "None". Ex:
要创建“仅此文件夹” - 权限,您需要将继承和传播都设置为“无”。例如:
$acl = Get-Acl .\test
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule "BUILTIN\Users","ReadAndExecute", "None", "None","Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path .\test -AclObject $acl
Be aware that AddAccessRule will ignore the change if there already is a less resitricted rule for the BUILTIN\Users. You would need to use something like $acl.ModifyAccessRule("Set",$rule,[ref]$null) to modify an exisiting one.
请注意,如果BUILTIN \ Users已经有较少的重新规定规则,AddAccessRule将忽略该更改。您需要使用$ acl.ModifyAccessRule(“Set”,$ rule,[ref] $ null)之类的东西来修改现有的。