我想:
- 创建新文件夹
- 设置文件夹的共享名称,以便用户可以查看
- 创建AD组FS-TESTSHARE-R
- 创建AD组FS-TESTSHARE-RW
- 将两个组都应用到新的共享文件夹
- 将"完全读取"权限设置为FS-TESTSHARE-R
- 将"完全读取/权限"权限设置为FS-TESTSHARE-RW
- 将完全访问权限设置为域管理员
这是我玩了一段时间后现在的状态,但我想确保我没有错过任何东西。我已经决定(暂时不考虑参数设置,但我可以稍后再谈。这看起来正确吗?或者有更好的方法来写脚本吗?
我还遇到了一堆关于意外的错误
New-ADGroup
-Name "FS-$NAME-RW"
-SamAccountName "FS-"+$NAME+"-RW"
-GroupCategory Security
-GroupScope Global
-DisplayName "$NAME Read-Write Access"
-Path "CN=$LOCATION,CN=SECURITY GROUPS,CN=FILE SHARE GROUPS,DC=ESG,DC=INTL"
-Description "Members of this group have read-write access to the test share"
New-ADGroup
-Name "FS-$NAME-R"
-SamAccountName "FS-"+$NAME+"-R"
-GroupCategory Security
-GroupScope Global
-DisplayName "$NAME Read Access"
-Path "CN=$LOCATION,CN=SECURITY GROUPS,CN=FILE SHARE GROUPS,DC=ESG,DC=INTL"
-Description "Members of this group have read access to the test share"
# create new folder
New-Item -Path $Path -ItemType Directory
# get permissions
$acl = Get-Acl -Path $Path
#Get Security Groups
get-adobject -searchbase "CN=SECURITY GROUPS,CN=FILE SHARE GROUPS,DC=ESG,DC=INTL" -ldapfilter {(objectclass=group)}
# add a new permission
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("esg.intlDomain Admins","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("esg.intl"FS-"+$NAME+"-R"","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("esg.intl"FS-"+$NAME+"-RW"","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
# set new permissions
$acl | Set-Acl -Path $path
我也遇到了一些错误,我不确定我是否理解如何修复它们。。。
At C:UsersA-Shane.JohnsonDesktopShareFolderCreation.ps1:44 char:96
+ ... " -ldapfilter {(objectclass=group)}
+ ~
Use `{ instead of { in variable names.
At C:UsersA-Shane.JohnsonDesktopShareFolderCreation.ps1:55 char:82
+ ... ule("esg.intl"FS-"+$NAME+"-R"","FullControl", "ContainerInherit, ObjectInherit" ...
+ ~~~~~~~~~~~~~~~~
Unexpected token 'FS-"+$NAME+"-R""' in expression or statement.
At C:UsersA-Shane.JohnsonDesktopShareFolderCreation.ps1:55 char:82
+ ... ule("esg.intl"FS-"+$NAME+"-R"","FullControl", "ContainerInherit, ObjectInherit" ...
+ ~
Missing closing ')' in expression.
At C:UsersA-Shane.JohnsonDesktopShareFolderCreation.ps1:55 char:164
+ ... "None", "Allow")
+ ~
Unexpected token ')' in expression or statement.
At C:UsersA-Shane.JohnsonDesktopShareFolderCreation.ps1:58 char:82
+ ... ule("esg.intl"FS-"+$NAME+"-RW"","FullControl", "ContainerInherit, ObjectInherit ...
+ ~~~~~~~~~~~~~~~~~
Unexpected token 'FS-"+$NAME+"-RW""' in expression or statement.
At C:UsersA-Shane.JohnsonDesktopShareFolderCreation.ps1:58 char:82
+ ... ule("esg.intl"FS-"+$NAME+"-RW"","FullControl", "ContainerInherit, ObjectInherit ...
+ ~
Missing closing ')' in expression.
At C:UsersA-Shane.JohnsonDesktopShareFolderCreation.ps1:58 char:165
+ ... "None", "Allow")
+ ~
Unexpected token ')' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : OpenBraceNeedsToBeBackTickedInVariableName
好吧,我看到了几件事。首先,字符串插值。。。您所在的位置:
"FS-"+$NAME+"-RW"
您可以将其简化为:
"FS-$NAME-RW"
当在这样的双引号中找到一个变量时,它会尝试将该变量自动扩展为字符串。我不打算讨论规定或规则,因为我认为这只会使事情过于复杂。只需说明一下,当将此更改应用于脚本中的所有实例时,它可能会删除大部分错误。。。并且可能创建新的命令,因为随后将正确地解释若干命令。
接下来,命令语法。你的前两个命令,除非你已经转义了新行,而且这根本没有反映在你的问题中,否则很可能不会像你预期的那样执行。如果你想像现在这样把参数隔开,我建议你把它们设置为哈希表,然后在执行命令时扩展哈希表。你可以这样做:
$GroupParams= @{
'Name' = "FS-$NAME-RW"
'SamAccountName' = "FS-$NAME-RW"
'GroupCategory' = "Security"
'GroupScope' = "Global"
'DisplayName' = "$NAME Read-Write Access"
'Path' = "CN=$LOCATION,CN=SECURITY GROUPS,CN=FILE SHARE GROUPS,DC=ESG,DC=INTL"
'Description' = "Members of this group have read-write access to the test share"
}
New-ADGroup @GroupParams
你的LDAFilter行错误,好吧,那行看起来是多余的,所以我想把它注释掉,然后继续。
请注意,您正在向读取组授予FullAccess权限,您可能希望将其更改为ReadAndExecute。
最后,如果你的ACL有问题,那么我会给你和任何人在处理文件共享的ACL时一样的建议。明确定义您的设置,然后将其作为访问规则应用。我使用以下作为模板:
$Rights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("IIS_IUSRS")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $Rights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "C:Temp"
$objACL.AddAccessRule($objACE)
Set-ACL "C:Temp" $objACL
顺便说一句,你从来没有真正处理过声明共享名称之类的整个网络共享问题。您可能需要运行get-help New-SMBShare -Full以获取有关设置网络共享的更多信息。