当我尝试从用户主驱动器中删除域用户时,我发现 Powershell 3.0 出现了不寻常的情况,并想联系看看是否有人知道原因。
伪代码,以便您可以理解我想要做什么
Create a new folder
Grant User access to write their home drive
Remove Inherited Permissions from folder
Remove general access from all Domain Users
实际代码(为了简单起见,删除了错误处理)
$UserName = "auser"
$Path = "\\domain.com\user\users\" + $UserName
$UserIdentityReference = "DOMAIN\" + $UserName
$NewFolder = New-Item -ItemType directory -Path $Path
#Need to allow the user to write to the folder
$GrantUserAccesRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserIdentityReference, @("ListDirectory", "ReadData", "WriteData", "CreateFiles", "CreateDirectories", "AppendData", "ReadExtendedAttributes", "WriteExtendedAttributes", "Traverse", "ExecuteFile", "ReadAttributes", "WriteAttributes", "Write", "ReadPermissions", "Read", "ReadAndExecute", "Modify", "Synchronize"), "ContainerInherit,ObjectInherit", "None", "Allow")
$acl = Get-Acl $NewFolder
$acl.AddAccessRule($GrantUserAccesRule)
Set-Acl -aclobject $acl -Path $NewFolder
# Remove inheritence from parent folder.
$acl = Get-Acl $NewFolder
$acl.SetAccessRuleProtection($true,$true)
Set-Acl -aclobject $acl -Path $NewFolder
#Need to prevent any domain user from accessing the folder
$acl = Get-Acl $NewFolder
$RemoveDomainUsersACLRule = $acl | Select -ExpandProperty Access | where-object {$_.IdentityReference -eq $UserIdentityReference}
$acl.RemoveAccessRule($RemoveDomainUsersACLRule)
#ERROR OCCURS HERE
Set-Acl -aclobject $acl -Path $NewFolder
错误是:
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At line:4 char:3
+ Set-Acl -aclobject $acl -Path $NewFolder
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\gifs.com\user\users\tautomation:String) [Set-Acl], PrivilegeNotHeldException
+ FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand
奇怪的是,我一执行SetAccessRuleProtection($true,$true),就无法添加角色,也无法删除刚刚添加的角色。
我尝试过的事情
只要在 SetAccessRuleProtection 之前执行此操作,我就可以删除添加的角色。
可以从文件资源管理器中手动删除“域用户”组。
以提升的用户身份运行 powershell。这没有什么区别
最佳答案
听起来像this Connect bug 。我始终建议对文件/文件夹使用 SetAccessControl(),而不是使用 Set-Acl(Set-Acl 对文件系统有一些问题)。我会将所有 Set-Acl 调用更改为:
(Get-Item $NewFolder).SetAccessControl($acl)
关于powershell - 删除继承后,使用 powershell 从 NTFS 文件夹中删除组失败并显示 SeSecurityPrivilege,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/32598336/