将主文件夹的权限移动到新的Active
将主文件夹的权限移动到新的Active
提问于 2020-11-23 13:35:51
我需要将100+用户的主文件夹从一个AD移动到另一个AD。每个用户的samAccountName在两个AD中都是相同的,但是ObjectGUID不同,因为用户是用CSV文件而不是信任来导出和导入的。
复制并不是真正的问题-我相信我有一个工作的机器人复制线,但我更担心的是在移动后设置文件夹的权限。我想迭代每个主文件夹,并将所有权和完全控制分配给其samAccountName与文件夹名称匹配的用户。
但是,我对Powershell Get-ACL和Set-ACL命令并不完全满意。如果我正确地理解了它,我需要先将ACL从一个文件夹抓取到一个变量中,然后操作该变量上的权限,然后使用Set-ACL应用正确的权限。
我想象的方式是:
- 从文件夹到$UserACL的Get-ACL
- 获取用户文件夹的名称
- 看看是否可以将文件夹名与samAccountName匹配
- 如果是的话,将用户权限添加到$UserACL
- 通过在用户文件夹上运行Set-ACL来设置文件夹的权限
- 如果不匹配,则设置权限,以便只有管理员才能访问该文件夹(有许多非活动帐户不能仅被删除)
伪码:
$baseACL = Get-ACL -Path [ExampleDir]
$HomeFolders = Get-ChildItem [RootDir] | Where-Object {$_.PSIsContainer} | Foreach-Object {$_.Name}
$ADUsers=Import-csv 'UserCSV.csv' -Delimiter ';'
Foreach ($Folder in $HomeFolders) {
ForEach ($User in $ADUsers) {
if ($Folder -eq $($User.samAccountName)) {
# Set properties
$useridentity = "[AD]\$Folder"
$admidentity = "BUILTIN\Administrators"
$fileSystemRights = "FullControl"
$type = "Allow"
# Create new rule
$fileSystemAccessRuleArgumentList = $useridentity, $admidentity, $fileSystemRights, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
# Apply new rule
$baseACL.SetAccessRule($fileSystemAccessRule)
Set-Acl -Path "[Path]\$Folder" -AclObject $baseACL
}
Else {
$admidentity = "BUILTIN\Administrators"
$fileSystemRights = "FullControl"
$type = "Allow"
# Create new rule
$fileSystemAccessRuleArgumentList = $admidentity, $fileSystemRights, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
# Apply new rule
$baseACL.SetAccessRule($fileSystemAccessRule)
Set-Acl -Path "[Path]\$Folder" -AclObject $baseACL
}
}
}这只是设置权限而不是所有权,所以我不确定这是否有可能立即使用powershell。还是我需要看看仙人掌和外卖?
回答 1
Server Fault用户
回答已采纳
发布于 2020-12-09 10:26:18
我在这里找到了一个经过一些调整的解决方案:停下来!我继承了重定向文件夹/主目录的权限噩梦
我完成的脚本主要如下所示:
#requires -PSEdition Desktop
#requires -version 5.1
#requires -Modules ActiveDirectory
#requires -RunAsAdministrator
[CmdLetBinding()]
Param ()
$AD = [DOMAIN CONTROLLER]
$Root = [HOME DIRECTORY]
$Paths = Get-ChildItem $Root -Directory | Select-Object -Property Name,FullName
# Local Admin access rule
$LASID = Get-LocalGroup -Name 'Administrators' | Select-Object -ExpandProperty SID
$LAAR = New-Object System.Security.AccessControl.FileSystemAccessRule($LASID, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
# Domain Admin access rule
$DASID = Get-ADGroup -Server $AD -Filter { Name -eq 'Domain Admins' } | Select-Object -ExpandProperty SID
$DAAR = New-Object System.Security.AccessControl.FileSystemAccessRule($DASID, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
# System Access rule
$SysAR = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
Try {
foreach ($Directory in $Paths) {
$samExists = $(try {Get-ADUser -Server $AD -Identity $($Directory.Name)} catch {$null})
if ($samExists -ne $null) {
# For error handling purposes - not all folders will map to a user of the exact same name
Write-Output "Creating User ACL for $($Directory.FullName) ... "
# Creates a blank ACL object to to add access rules into, also blanks out the ACL for each iteration of the loop
$ACL = New-Object System.Security.AccessControl.DirectorySecurity
# Creating the right type of user object to feed into our ACL and populating it with the user whose folder we're currently on
$UserSID = Get-ADUser -Server $AD -Identity $($Directory.Name) | Select-Object -ExpandProperty SID
# $objUser = New-Object System.Security.Principal.NTAccount($UserSID)
# Access rule for the user whose folder we're dealing with this iteration
$UserAR = New-Object System.Security.AccessControl.FileSystemAccessRule($UserSID, "FullControl","ContainerInherit,ObjectInherit", "None", "Allow")
# Change the inheritance, propagation settings for the folder we're dealing with
$ACL.SetOwner($UserSID)
$ACL.SetAccessRuleProtection($true,$false)
$ACL.SetAccessRule($UserAR)
$ACL.SetAccessRule($LAAR)
$ACL.SetAccessRule($DAAR)
$ACL.SetAccessRule($SysAR)
# For error handling purposes - not all folders will map to a user of the exact same name
$ACL | Format-List
Set-Acl -Path $Directory.FullName -AclObject $ACL
}
else {
# For error handling purposes - not all folders will map to a user of the exact same name
Write-Warning "Creating Admin ACL for $($Directory.FullName) ... "
# Creates a blank ACL object to to add access rules into, also blanks out the ACL for each iteration of the loop
$ACL = New-Object System.Security.AccessControl.DirectorySecurity
# Creating the right type of user object to feed into our ACL and populating it with the user whose folder we're currently on
# $objUser = New-Object System.Security.Principal.NTAccount($DASID)
# Change the inheritance, propagation settings for the folder we're dealing with
$ACL.SetOwner($DASID)
$ACL.SetAccessRuleProtection($true,$false)
$ACL.SetAccessRule($LAAR)
$ACL.SetAccessRule($DAAR)
$ACL.SetAccessRule($SysAR)
# For error handling purposes - not all folders will map to a user of the exact same name
$ACL | Format-List
Set-Acl -Path $Directory.FullName -AclObject $ACL
}
}
}
Catch {
Write-Host -BackgroundColor Red "Error: $($_.Exception)"
Break
}页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/1043598
复制相关文章
相似问题
腾讯云开发者
