
PowerShell script to create a home folder for a user and set permissions

Updated: 2022-12-02 18:20:07


The problem is your inheritance. You are not allowing the permission to be inherited on subfolders and files (items he owns in his folder). That's why you don't see the permissions (only "Special Permission") in the basic security window. If you open "Advanced Security Settings" you will see that the user has full control OVER THIS folder, and not the contents. As long as you add permissions (with inheritance) for CREATOR OWNER so the owner gets access to items, I think you'll be fine. However, you could fix it already now like this:

$InheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.InheritanceFlags]::ObjectInherit)


Unless there are special requirements, you should give users complete access over their folder (full inheritance). Full solution with fixed inheritance (I also cleaned up your Set-ACL path and removed the unnecessary return object):

# $homeDir (root of the home directories) and $sso (the user's account name) come from the asker's script
try
{
    $NewFolder = New-Item -Path $homeDir -Name $sso -ItemType "Directory"
    $Rights = [System.Security.AccessControl.FileSystemRights]"FullControl,Modify,ReadAndExecute,ListDirectory,Read,Write"
    # ContainerInherit + ObjectInherit: the ACE is inherited by subfolders and files, not applied to this folder only
    $InheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $objType =[System.Security.AccessControl.AccessControlType]::Allow
    $objUser = New-Object System.Security.Principal.NTAccount "my_full_domain_name\$sso"
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ($objUser, $Rights, $InheritanceFlag, $PropagationFlag, $objType)
    # Use the full path: a DirectoryInfo object is not reliably usable as -Path across PowerShell versions
    $ACL = Get-Acl -Path $NewFolder.FullName
    $ACL.AddAccessRule($objACE)
    Set-ACL -Path $NewFolder.FullName -AclObject $ACL
}
catch
{
    Write-Error "Failed to create or secure the home folder for ${sso}: $_"
}
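The following is an added example, not code from the answer above or from the asker. It demonstrates the point the answer makes, that an ACE created with InheritanceFlags None stays on the home folder and never reaches the items inside it, by creating a home folder twice (once the broken way, once with ContainerInherit and ObjectInherit), creating a file in each, and reading back whether the child carries the user's ACE as an inherited entry. It also adds the CREATOR OWNER rule the answer recommends and, as a design choice of this example rather than something the answer states, cuts inheritance from the parent share and keeps an explicit Administrators entry. `New-HomeFolderAcl`, `Test-ChildInheritsRule`, `$HomeRoot` and the `jdoe` account are hypothetical names; run it elevated on a test machine with an existing local or domain account.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function New-HomeFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account,   # e.g. "DOMAIN\jdoe" (assumed to exist)
        [switch] $NoInheritance                      # reproduce the asker's original problem
    )

    $folder = New-Item -Path $Path -ItemType Directory -Force
    $acl = Get-Acl -Path $folder.FullName

    # Design choice of this example: stop inheriting ACEs from the parent (e.g. a broad
    # "Users: Read" on the share root) so only the explicit rules below remain.
    $acl.SetAccessRuleProtection($true, $false)

    $both = [InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit
    $inherit = if ($NoInheritance) { [InheritanceFlags]::None } else { $both }

    # The user: FullControl on the folder and, when $inherit is set, on everything below it.
    $userRule = [FileSystemAccessRule]::new(
        [NTAccount]$Account, [FileSystemRights]::FullControl,
        $inherit, [PropagationFlags]::None, [AccessControlType]::Allow)
    $acl.AddAccessRule($userRule)

    # CREATOR OWNER: whoever creates an item under the folder becomes its owner and
    # gets FullControl on it. InheritOnly makes this a template for children only,
    # so it does not grant anything on the home folder itself.
    $creatorOwner = [SecurityIdentifier]::new([WellKnownSidType]::CreatorOwnerSid, $null)
    $ownerRule = [FileSystemAccessRule]::new(
        $creatorOwner, [FileSystemRights]::FullControl,
        $both, [PropagationFlags]::InheritOnly, [AccessControlType]::Allow)
    $acl.AddAccessRule($ownerRule)

    # Administrators keep FullControl so the helpdesk is never locked out of the folder.
    $admins = [SecurityIdentifier]::new([WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $acl.AddAccessRule([FileSystemAccessRule]::new(
        $admins, [FileSystemRights]::FullControl,
        $both, [PropagationFlags]::None, [AccessControlType]::Allow))

    Set-Acl -Path $folder.FullName -AclObject $acl
    return $folder
}

function Test-ChildInheritsRule {
    param([string] $FolderPath, [string] $Account)
    $child = New-Item -Path (Join-Path $FolderPath 'test.txt') -ItemType File -Force
    $childAcl = Get-Acl -Path $child.FullName
    # An inherited ACE shows IsInherited = $true on the child; an ACE built with
    # InheritanceFlags None is never copied down, so no such entry exists.
    $rule = $childAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.IsInherited
    }
    return [bool]$rule
}

# Usage (assumed scratch location and test account):
$HomeRoot = 'C:\HomeTest'
$Account  = "$env:COMPUTERNAME\jdoe"

$broken = New-HomeFolderAcl -Path (Join-Path $HomeRoot 'jdoe-broken') -Account $Account -NoInheritance
$fixed  = New-HomeFolderAcl -Path (Join-Path $HomeRoot 'jdoe-fixed')  -Account $Account

"Broken folder, child inherits the user ACE: $(Test-ChildInheritsRule $broken.FullName $Account)"
"Fixed folder,  child inherits the user ACE: $(Test-ChildInheritsRule $fixed.FullName $Account)"
```

With `-NoInheritance` the child file has no entry for the user at all, which is exactly the "Special Permission"-only view the answer describes in the basic security tab; with both inheritance flags the same file shows the user's FullControl entry marked as inherited. Because the test file is created by the elevated account running the script, the CREATOR OWNER template resolves to that account on `test.txt`; a file created later by the user through the share would get the user's own SID instead.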