{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 放我归山 的问题《PowerShell Setting advanced NTFS permissions》','https://www.manongdao.com/q-1234363.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm trying to apply NTFS permissions that are defined in the 'Advanced' tab of the Windows security settings. One ACL $Rule is for This folder only and another one is for the Subfolders and files only.
The permissions are heavily modified as you can see below:
(Get-Acl 'L:\Test\Beez\RAPJOUR\Appels List\Correct').Access
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
FileSystemRights : CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : DeleteSubdirectoriesAndFiles, Modify, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
- Everything is on except for : Full control, Write attributes, Write extended attributes, Delete, Change permissions and Take ownership.
- Everything is on except for : Full control, Change permissions and Take ownership.
This is a piece of the code I use to apply permissions. In this case it has to be defined in the part Change:
$f = 'L:\Test\Beez\RAPJOUR\Appels List\Wrong'
$ADobject = 'Domain\User'
$acl = Get-Acl $f
$Grant = 'Change'
# Remove user/group first
$rule = New-Object system.security.AccessControl.FileSystemAccessRule("$ADobject","Read",,,"Allow")
$acl.RemoveAccessRuleAll($rule)
# Add read permissions
if ($Grant -eq 'ReadAndExecute') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'Change') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "Synchronize", "Allow DeleteSubdirectoriesAndFiles")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "AppendData", "ContainerInherit, ObjectInherit", "ReadAndExecute","Synchronize", "Allow CreateFiles","DeleteSubdirectoriesAndFiles")
}
if ($Grant -eq 'Modify') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'FullControl') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
}
if ($Grant -eq 'ListFolderContents') {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit", "None", "Allow")
}
$acl.AddAccessRule($rule)
Set-Acl $f $acl
I can't seem to get the syntax right.. Thank you for your help.
Thanks to this post I've already found the part for:
- 'Subfolders and files only':
"ContainerInherit, ObjectInherit", "InheritOnly" - 'This folder only':
"None", "InheritOnly"
Object access permissions in Windows are controlled via Access Control Lists (ACL), which basically consist of a list of Access Control Entries (ACE). Each ACE is a set of attributes that controls whether access is granted or denied, who the ACE applies to, if the ACE was inherited from a parent object, and whether it should be inherited by child objects.
If you take a look at the documentation of the
FileSystemAccessRuleclass, you'll see that the "full" constructor takes 5 parameters:IdentityReference/String: An object or string that identifies the trustee (user, group, computer, ...) to whom the ACE applies.FileSystemRights: The actual permissions to be granted or denied.InheritanceFlags: Flags to control which object types inherit permissions from this object (containers, leaf objects, or none).PropagationFlags: Flags to control propagation of permissions. The flagInheritOnlyexempts the current object from receiving the ACE. The flagNoPropagateInheritrestricts inheritance to immediate child objects.AccessControlType: The type of the ACE (allow or deny).Now, if you want to assign multiple access rights to a given trustee, you can either do that with individual ACEs:
Or by providing the permissions as a comma-separated string:
Note, however, that you cannot grant and deny permissions with the same ACE. If you want to deny specific access rights you need to do it with a separate ACE:
Note also, that explicit permissions take precedence over inherited permissions, and
Denytakes precedence overAllow.You know how it goes when you're fighting world problems. The moment you post the question, you find the answer 5 minutes later...
Thanks to the answer of Frode F. on another question, I found the solution to my own problem. I had to copy the output of the line
FileSystemRightsin$Correct.Accessand paste it in anArrayas you can see below: