【Question title】: PowerScript ACL folder access remove user groups privileges
【Posted】: 2015-05-15 03:06:16
【Question description】:

Using a PowerShell script, how do I remove a domain user group's access to a folder?

Information:

In short, I'm setting up personal folders for my users. I wrote the script below. It creates the user's folder and sets the permissions. It is then supposed to remove the read ability of the Domain Users group from the newly created folder. The script runs without errors but does not remove the read permission for Domain Users. I would drop the group entirely, but I haven't figured that part out yet. The commented-out block of code gives errors, so I'm bypassing it for now.

Script:

PARAM($Alias)

# Assign Drive letter/Home Drive Active Directory user
$HomeDrive='U:'
$UserRoot='\\server\User_data\'
$HomeDirectory=$UserRoot+'ittest'

SET-ADUSER ittest -HomeDrive $HomeDrive -HomeDirectory $HomeDirectory

# Create the folder on the root of the common Users Share
NEW-ITEM -path $HomeDirectory -type directory -force

$Domain='Domain'
$HomeFolderACL=GET-ACL $HomeDirectory
$IdentityReference=$Domain+'\'+'ittest'

# Set parameters for Access rule
#$FileSystemAccessRights= [System.Security.AccessControl.FileSystemRights]::FullControl
#$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]::ContainerInherit
#$InheritanceFlags2=[System.Security.AccessControl.InheritanceFlags]::ObjectInherit
#$PropagationFlags=[System.Security.AccessControl.PropagationFlags]::None
#$AccessControl=[System.Security.AccessControl.AccessControlType]::Allow
#$UserAccess=New-Object System.Security.Principal.NTAccount($IdentityReference)

# Build Access Rule from parameters
#$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($UserAccess,$InheritanceFlags,$IdentityReference,$FileSystemAccessRights,$PropogationFlags,$AccessControl)
$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($IdentityReference,[System.Security.AccessControl.FileSystemRights]::FullControl,[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::Allow)

# Get current Access Rule from Home Folder for User
$HomeFolderACL.AddAccessRule($AccessRule)
SET-ACL -path $HomeDirectory -AclObject $HomeFolderACL

# Remove "domain user" read Access Rule from parameters
$domainuser =$Domain+'\'+'Domain Users'
$objUser = New-Object System.Security.Principal.NTAccount($domainuser)

$AccessRule2 = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($objUser,[System.Security.AccessControl.FileSystemRights]::READ,[System.Security.AccessControl.InheritanceFlags]::NONE,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::allow)

#Get current Access Rule from Home Folder for User
$HomeFolderAclRead= GET-ACL $HomeDirectory

$HomeFolderAclRead.RemoveAccessRule($AccessRule2)
SET-ACL -path $HomeDirectory -AclObject $HomeFolderAclRead

Thanks to everyone who replied and tidied up the code. Unfortunately it works the same as the original code and gives this error.

    # Set the ACLs for the path with the user added and the Domain Users group removed from the rule set
    SET-ACL -path $HomeDirectory -AclObject $HomeFolderAclRead

New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "6".
At line:25 char:15
+ $AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($Us ...
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
True
Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
At line:40 char:41
+ SET-ACL -path $HomeDirectory -AclObject $HomeFolderAclRead
+                                         ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-Acl], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAclCommand

The error has to do with how it uses the variables and the constructor.

If I change this

$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($UserAccess,$InheritanceFlags,$IdentityReference,$FileSystemAccessRights,$PropogationFlags,$AccessControl)

$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($IdentityReference,[System.Security.AccessControl.FileSystemRights]::FullControl,[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::Allow)

the script continues to run, but gives this error.

Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
At line:41 char:41
+ SET-ACL -path $HomeDirectory -AclObject $HomeFolderAclRead
+                                         ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-Acl], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAclCommand

【Question discussion】:

  • Thanks everyone, I've updated my question to show the result of the code.

Tags: powershell


【Solution 1】:

This is the final script I ended up using. Thanks for all the help!

PARAM($Alias)

# Import active directory module for running AD cmdlets
Import-Module ActiveDirectory

# Export the members of the FilteredDomainUsers group to a CSV, then read it back into $List2
$List1 = Get-ADGroupMember -Identity "FilteredDomainUsers" | Select-Object samaccountname | Export-Csv C:\export\temp_file1.csv

$List2 = Import-Csv -Header samaccountname C:\export\temp_file1.csv

# Loop through each user in the CSV
ForEach ($User in $List2)
{
    $UserString = $User | Select-Object

    $string = $UserString.samaccountname
    $string1 = $string.ToString()

    Write-Output $string1

    # Assign Drive letter/Home Drive Active Directory user
    $HomeDrive='U:'
    $UserRoot='\\Server\User_data\'
    $HomeDirectory=$UserRoot+$String1

    SET-ADUSER $string1 -HomeDrive $HomeDrive -HomeDirectory $HomeDirectory

    # Create the folder on the root of the common Users Share
    NEW-ITEM -path $HomeDirectory -type directory -force

    $Domain='domain'
    $HomeFolderACL=GET-ACL $HomeDirectory
    $IdentityReference=$Domain+'\'+$String1
    Write-Output $IdentityReference

    # Build Access Rule: identity, rights, inheritance, propagation, type
    $AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($IdentityReference,[System.Security.AccessControl.FileSystemRights]::FullControl,[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::Allow)

    # Add the rule to the Home Folder ACL for the user and write it back
    $HomeFolderACL.AddAccessRule($AccessRule)
    SET-ACL -path $HomeDirectory -AclObject $HomeFolderACL

    Write-Output $string1
}

【Discussion】:

    【Solution 2】:

    You aren't very specific here, so I'm going to make some assumptions. It looks like your folder already has Domain\Domain Users access set, through inheritance or otherwise. If that's the case, you don't need to create the rule the way you are doing now, because the rule already exists, so you can just remove it.

    #Create Domain Users object
    $DomUsers = New-Object System.Security.Principal.NTAccount("$Domain\Domain Users")
    #Get ACLs for folder
    $ACLs = Get-ACL $HomeDirectory
    #Loop through Access Rules for the ACLs matching any that match the Domain Users object, and tell the ACL object to remove that rule
    $ACLs | Select -ExpandProperty Access | 
        Where{ $_.IdentityReference -eq $DomUsers } | 
        ForEach{ $ACLs.RemoveAccessRule($_) }
    #Set the new set of ACLs back to the folder.
    Set-ACL $HomeDirectory -ACLObject $ACLs
    

    This works on the existing rule rather than trying to recreate the rule to be removed. That way you don't have to worry about whether the rule is exact, because if the rule you build isn't exactly the same as the one you're trying to remove it won't actually remove it, even if it's something silly like the rule having different inheritance flags or something.

    I updated your script; with these modifications it should now do what you want (you will need to update your domain name):

    PARAM($Alias="ittest")
    
    # Assign Drive letter/Home Drive Active Directory user 
    $HomeDrive='U:'
    $UserRoot='\\server\User_data\'
    $HomeDirectory=$UserRoot+$Alias
    
    SET-ADUSER $alias -HomeDrive $HomeDrive -HomeDirectory $HomeDirectory 
    
    # Create the folder on the root of the common Users Share
    NEW-ITEM -path $HomeDirectory -type directory -force | Out-Null
    
    $Domain='Domain'
    $HomeFolderACL=GET-ACL $HomeDirectory 
    $IdentityReference= "$Domain\$Alias"
    
    # Set parameters for Access rule
    $FileSystemAccessRights= [System.Security.AccessControl.FileSystemRights]"FullControl"
    $InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
    $PropagationFlags=[System.Security.AccessControl.PropagationFlags]::None
    $AccessControl=[System.Security.AccessControl.AccessControlType]::Allow
    $UserAccess=New-Object System.Security.Principal.NTAccount($IdentityReference)
    
    # Build Access Rule from parameters (constructor order: identity, rights, inheritance, propagation, type)
    $AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($UserAccess,$FileSystemAccessRights,$InheritanceFlags,$PropagationFlags,$AccessControl)
    
    # Add Access Rule to the Home Folder rule set for User
    $HomeFolderACL.AddAccessRule($AccessRule)
    
    ### Remove "domain user" read Access Rule from parameters ###
    # Create Domain Users object
    $DomUsers = New-Object System.Security.Principal.NTAccount("$Domain\Domain Users")
    
    # Loop through Access Rules for the ACLs matching any that match the Domain Users object, and tell the ACL object to remove that rule
    $HomeFolderACL | Select -ExpandProperty Access | 
        Where{ $_.IdentityReference -eq $DomUsers } | 
        ForEach{ $HomeFolderACL.RemoveAccessRule($_) }
    
    # Set the ACLs for the path with the user added and the Domain Users group removed from the rule set
    SET-ACL -path $HomeDirectory -AclObject $HomeFolderACL
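
    As an added example (not code from the question or either answer), the function below removes every ACE for one identity from a folder and handles the case the answer above only hints at: when the Domain Users entry is inherited from the parent share, RemoveAccessRule leaves it in place, so inheritance has to be broken first, keeping the inherited entries as explicit ones. The function and parameter names are my own; it only uses Get-Acl/Set-Acl and the .NET ACL types already used on this page.

```powershell
function Remove-FolderGroupAccess {
    # Hypothetical helper, not part of the original question or answers.
    param(
        [Parameter(Mandatory)][string]$Path,      # e.g. \\server\User_data\ittest
        [Parameter(Mandatory)][string]$Identity   # e.g. 'Domain\Domain Users'
    )
    $acl     = Get-Acl -Path $Path
    $account = New-Object System.Security.Principal.NTAccount($Identity)

    # Every ACE for this identity, explicit and inherited alike
    $hits = @($acl.Access | Where-Object { $_.IdentityReference -eq $account })
    if ($hits.Count -eq 0) {
        Write-Verbose "No ACE for $Identity on $Path"
        return $true
    }

    # RemoveAccessRule only acts on explicit ACEs. If any matching ACE is
    # inherited from the parent, protect the DACL first (stop inheriting),
    # preserving the inherited ACEs as explicit copies so nothing else is lost.
    if ($hits | Where-Object { $_.IsInherited }) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl
        $acl = Get-Acl -Path $Path   # re-read: the ACEs are now explicit
    }

    # Remove the ACL's own rule objects, so identity, rights and flags match exactly
    $acl.Access | Where-Object { $_.IdentityReference -eq $account } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $Path -AclObject $acl

    # Verify the result instead of trusting the return value of RemoveAccessRule
    $remaining = @((Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -eq $account })
    return ($remaining.Count -eq 0)
}

# Usage against the home folder built earlier in the script
Remove-FolderGroupAccess -Path $HomeDirectory -Identity "$Domain\Domain Users" -Verbose
```

    Breaking inheritance means later permission changes on the share root no longer flow into this folder, so the explicit ACEs on each home folder become the only thing governing access to it and should be reviewed accordingly.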
    

    【Discussion】:
