powershell - 删除继承后，使用 powershell 从 NTFS 文件夹中删除组失败并显示 SeSecurityPrivilege

Question

当我尝试从用户主驱动器中删除域用户时，我发现 Powershell 3.0 出现了不寻常的情况，并想联系看看是否有人知道原因。

伪代码，以便您可以理解我想要做什么

 Create a new folder
 Grant User access to write their home drive
 Remove Inherited Permissions from folder
 Remove general access from all Domain Users

实际代码(为了简单起见，删除了错误处理)

$UserName = "auser"
$Path = "\\domain.com\user\users\" + $UserName
$UserIdentityReference = "DOMAIN\" + $UserName

$NewFolder = New-Item -ItemType directory -Path $Path

#Need to allow the user to write to the folder
$GrantUserAccesRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserIdentityReference, @("ListDirectory", "ReadData", "WriteData", "CreateFiles", "CreateDirectories", "AppendData", "ReadExtendedAttributes", "WriteExtendedAttributes", "Traverse", "ExecuteFile", "ReadAttributes", "WriteAttributes", "Write", "ReadPermissions", "Read", "ReadAndExecute", "Modify", "Synchronize"), "ContainerInherit,ObjectInherit", "None", "Allow")
$acl = Get-Acl $NewFolder
$acl.AddAccessRule($GrantUserAccesRule)
Set-Acl -aclobject $acl -Path $NewFolder

# Remove inheritence from parent folder.
$acl = Get-Acl $NewFolder
$acl.SetAccessRuleProtection($true,$true)
Set-Acl -aclobject $acl -Path $NewFolder

#Need to prevent any domain user from accessing the folder
$acl = Get-Acl $NewFolder
$RemoveDomainUsersACLRule = $acl | Select -ExpandProperty Access | where-object {$_.IdentityReference -eq $UserIdentityReference}
$acl.RemoveAccessRule($RemoveDomainUsersACLRule)
#ERROR OCCURS HERE
Set-Acl -aclobject $acl -Path $NewFolder

错误是:

Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At line:4 char:3
+   Set-Acl -aclobject $acl -Path $NewFolder
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo          : PermissionDenied: (\\gifs.com\user\users\tautomation:String) [Set-Acl], PrivilegeNotHeldException
  + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

奇怪的是，我一执行SetAccessRuleProtection($true,$true)，就无法添加角色，也无法删除刚刚添加的角色。

我尝试过的事情

• 只要在 SetAccessRuleProtection 之前执行此操作，我就可以删除添加的角色。

• 可以从文件资源管理器中手动删除“域用户”组。

• 以提升的用户身份运行 powershell。这没有什么区别

研究已经完成: 我读了 http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx

Answer 1

听起来像this Connect bug 。我始终建议对文件/文件夹使用 SetAccessControl()，而不是使用 Set-Acl(Set-Acl 对文件系统有一些问题)。我会将所有 Set-Acl 调用更改为:

(Get-Item $NewFolder).SetAccessControl($acl)