Ok, so I'm having trouble with figuring out how to change an ACL for a folder using powershell. I have NAS folders that I would like my script to change the type settings on from 'Allow' to 'Deny' without changing the rules or the principal, but only for specific groups. The reason is that the folder belongs to an individual, and when that individuals AD account expires I want two of the groups that had access to it to no longer have access. Once the individual's AD account is reactivated, the script will "flip" the type back from "Deny" to "Allow". I have figured out how to extract the info, but having a hard time setting it:
好的,所以我在弄清楚如何使用PowerShell更改文件夹的ACL时遇到了麻烦。我有NAS文件夹,我希望我的脚本将类型设置从“允许”更改为“拒绝”而不更改规则或主体,但仅限于特定组。原因是该文件夹属于个人,当个人AD帐户过期时,我希望有权访问它的两个组不再具有访问权限。一旦重新激活个人的AD帐户,脚本将“翻转”类型从“拒绝”返回到“允许”。我已经弄清楚如何提取信息,但很难设置它:
$i = 0
$acl = get-acl c:\scripts
for($i = 0; $i -lt $acl.Access.Count; $i++){
Write-Host $acl.Access.IdentityReference.GetValue($i)
Write-Host $acl.Access.AccessControlType.GetValue($i)
Write-Host $acl.Access.FileSystemRights.GetValue($i)
}
This will spit out each security principal, the type (allow or deny), and the rights either as "Full Control", "Read", "Modify", etc., or numerically if special rights. I've tried to use .SetValue without success. Can anyone help me with the syntax to set the value for AccessControlType (allow or deny)? Thanks in advance.
这会将每个安全主体,类型(允许或拒绝)和权限吐出“完全控制”,“读取”,“修改”等,或者在数字上吐出特殊权利。我试过使用.SetValue但没有成功。任何人都可以帮助我设置AccessControlType(允许或拒绝)的值的语法?提前致谢。
Edit: have tried something like the following without luck (to set the first one on the list):
编辑:尝试了以下没有运气的事情(设置列表中的第一个):
$acl.Access.AccessControlType.SetValue(0)=1
Set-Acl -Path c:\scripts -AclObject $acl
1 个解决方案
#1
0
You could use the AddAccessRule
and RemoveAccessRule
methods of the acl object created by get-acl
.
您可以使用get-acl创建的acl对象的AddAccessRule和RemoveAccessRule方法。
Have a look at my answer to Powershell Disable Parts Of Open File Dialog Box - there is a code example there.
看看我对Powershell禁用部分打开文件对话框的回答 - 那里有一个代码示例。
#1
0
You could use the AddAccessRule
and RemoveAccessRule
methods of the acl object created by get-acl
.
您可以使用get-acl创建的acl对象的AddAccessRule和RemoveAccessRule方法。
Have a look at my answer to Powershell Disable Parts Of Open File Dialog Box - there is a code example there.
看看我对Powershell禁用部分打开文件对话框的回答 - 那里有一个代码示例。