I'm pretty new to powershell scripting (nearly 1 month since I started learning powershell.)
我是PowerShell脚本的新手(自从我开始学习PowerShell以来近一个月)。
I'm currently working on a script with powershell 2.0 to clean folder NTFS ACL. I want to delete every acl except the administrator one.
我目前正在使用powershell 2.0编写一个脚本来清理文件夹NTFS ACL。我想删除除管理员之外的每个acl。
My problem is that I can't find a way to delete every acl that are not administrator, without knowing them.
我的问题是,我无法找到一种方法来删除不是管理员的每个acl,而不知道它们。
So I came here to sought for powershell pro.
所以我来到这里寻求powershell pro。
4 个解决方案
#1
9
This code remove acl :
此代码删除acl:
$acl = Get-Acl \\remote_server\share_folder\HAL.9000
$acl.Access | %{$acl.RemoveAccessRule($_)}
This code add administrator acl :
此代码添加管理员acl:
#BUILTIN administrator
$acl = Get-Acl \\remote_server\share_folder\HAL.9000
$permission = "BUILTIN\Administrators","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl \\remote_server\share_folder\HAL.9000 $acl
#Domain controller administrator
$acl = Get-Acl \\remote_server\share_folder\HAL.9000
$permission = "DOMAINCONTROLLER\Administrators","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl \\remote_server\share_folder\HAL.9000 $acl
Hope this will help someone :)
希望这会帮助别人:)
#2
3
For convenience I've copy/pasted all this stuff together in a function. If it can be of use to anyone, here it is:
为方便起见,我将所有这些东西复制/粘贴在一个函数中。如果它对任何人都有用,那么它是:
Function Remove-ACL {
[CmdletBinding(SupportsShouldProcess=$True)]
Param(
[parameter(Mandatory=$true,ValueFromPipeline=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[ValidateScript({Test-Path $_ -PathType Container})]
[String[]]$Folder,
[Switch]$Recurse
)
Process {
foreach ($f in $Folder) {
if ($Recurse) {$Folders = $(Get-ChildItem $f -Recurse -Directory).FullName} else {$Folders = $f}
if ($Folders -ne $null) {
$Folders | ForEach-Object {
# Remove inheritance
$acl = Get-Acl $_
$acl.SetAccessRuleProtection($true,$true)
Set-Acl $_ $acl
# Remove ACL
$acl = Get-Acl $_
$acl.Access | %{$acl.RemoveAccessRule($_)} | Out-Null
# Add local admin
$permission = "BUILTIN\Administrators","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($rule)
Set-Acl $_ $acl
Write-Verbose "Remove-HCacl: Inheritance disabled and permissions removed from $_"
}
}
else {
Write-Verbose "Remove-HCacl: No subfolders found for $f"
}
}
}
}
Usage:
用法:
# For only one folder:
Remove-ACL 'C:\Folder' -Verbose
# For all subfolders:
Remove-ACL 'C:\Folder' -Recurse -Verbose
# Pipe stuff
'C:\Folder 1', 'C:\Folder 2' | Remove-ACL -Verbose
#3
2
This code remove acl : $acl = Get-Acl \remote_server\share_folder\HAL.9000 $acl.Access | %{$acl.RemoveAccessRule($_)}
此代码删除acl:$ acl = Get-Acl \ remote_server \ share_folder \ HAL.9000 $ acl.Access | %{$ acl.RemoveAccessRule($ _)}
it does not work until you do
直到你这样做才行不通
Set-Acl \\remote_server\share_folder\HAL.9000 $acl
#4
0
Why not create a new list. For example:
为什么不创建新列表。例如:
$identity = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\SYSTEM')
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetOwner($identity)
$acl.SetGroup($identity)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', ’FullControl’, ’ContainerInherit, ObjectInherit’, ’None’,’Allow’)
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', ’FullControl’, ’ContainerInherit, ObjectInherit’, ’None’, ’Allow’)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath "C:\MyFolder" -AclObject $acl
Get-Acl -LiteralPath "C:\MyFolder" | Format-List
#1
9
This code remove acl :
此代码删除acl:
$acl = Get-Acl \\remote_server\share_folder\HAL.9000
$acl.Access | %{$acl.RemoveAccessRule($_)}
This code add administrator acl :
此代码添加管理员acl:
#BUILTIN administrator
$acl = Get-Acl \\remote_server\share_folder\HAL.9000
$permission = "BUILTIN\Administrators","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl \\remote_server\share_folder\HAL.9000 $acl
#Domain controller administrator
$acl = Get-Acl \\remote_server\share_folder\HAL.9000
$permission = "DOMAINCONTROLLER\Administrators","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Set-Acl \\remote_server\share_folder\HAL.9000 $acl
Hope this will help someone :)
希望这会帮助别人:)
#2
3
For convenience I've copy/pasted all this stuff together in a function. If it can be of use to anyone, here it is:
为方便起见,我将所有这些东西复制/粘贴在一个函数中。如果它对任何人都有用,那么它是:
Function Remove-ACL {
[CmdletBinding(SupportsShouldProcess=$True)]
Param(
[parameter(Mandatory=$true,ValueFromPipeline=$true,Position=0)]
[ValidateNotNullOrEmpty()]
[ValidateScript({Test-Path $_ -PathType Container})]
[String[]]$Folder,
[Switch]$Recurse
)
Process {
foreach ($f in $Folder) {
if ($Recurse) {$Folders = $(Get-ChildItem $f -Recurse -Directory).FullName} else {$Folders = $f}
if ($Folders -ne $null) {
$Folders | ForEach-Object {
# Remove inheritance
$acl = Get-Acl $_
$acl.SetAccessRuleProtection($true,$true)
Set-Acl $_ $acl
# Remove ACL
$acl = Get-Acl $_
$acl.Access | %{$acl.RemoveAccessRule($_)} | Out-Null
# Add local admin
$permission = "BUILTIN\Administrators","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($rule)
Set-Acl $_ $acl
Write-Verbose "Remove-HCacl: Inheritance disabled and permissions removed from $_"
}
}
else {
Write-Verbose "Remove-HCacl: No subfolders found for $f"
}
}
}
}
Usage:
用法:
# For only one folder:
Remove-ACL 'C:\Folder' -Verbose
# For all subfolders:
Remove-ACL 'C:\Folder' -Recurse -Verbose
# Pipe stuff
'C:\Folder 1', 'C:\Folder 2' | Remove-ACL -Verbose
#3
2
This code remove acl : $acl = Get-Acl \remote_server\share_folder\HAL.9000 $acl.Access | %{$acl.RemoveAccessRule($_)}
此代码删除acl:$ acl = Get-Acl \ remote_server \ share_folder \ HAL.9000 $ acl.Access | %{$ acl.RemoveAccessRule($ _)}
it does not work until you do
直到你这样做才行不通
Set-Acl \\remote_server\share_folder\HAL.9000 $acl
#4
0
Why not create a new list. For example:
为什么不创建新列表。例如:
$identity = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\SYSTEM')
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetOwner($identity)
$acl.SetGroup($identity)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', ’FullControl’, ’ContainerInherit, ObjectInherit’, ’None’,’Allow’)
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', ’FullControl’, ’ContainerInherit, ObjectInherit’, ’None’, ’Allow’)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath "C:\MyFolder" -AclObject $acl
Get-Acl -LiteralPath "C:\MyFolder" | Format-List