none
通过Powershell 夺权 RRS feed

  • Question

  • 我有一台文件服务器,某个文件下的子文件夹做了NTFS权限,启用了禁用继承并且管理员无权限访问改文件夹!现在文件夹不用了要清理文件夹内的文件,但因管理员没有权限,每次都要夺权,是否有powershell命令可以直接取消权限限制并授予administrator所有权限!
    Tuesday, 22 June 2021 7:42 AM

Answers

  • 您好,

    看图上的结果没什么问题,这样的话可以试下这个

    $path = "D:\test"
    $account = New-Object System.Security.Principal.NTAccount("CONTOSO", "Administrator")
    $acl = (Get-Item -Path $path).GetAccessControl("Owner")
    $acl.SetOwner($account)
    (Get-Item -Path $path).SetAccessControl($acl)

    或者也可以试下用takeown和icacls

    $path = "D:\test"
    $user = "CONTOSO\administrator"
    takeown /f $path /r /d y
    icacls $path /setowner $user

    祝好

    Ian Xue


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    • Edited by Ian Xue Tuesday, 29 June 2021 4:21 AM
    • Marked as answer by small-fish Tuesday, 29 June 2021 8:16 AM
    Tuesday, 29 June 2021 3:07 AM

All replies

  • 您好,

    您可以试下这个。这里假设文件夹的路径是\\server\share\folder,需要添加权限的账户是CONTOSO\administrator,您可以按实际情况自行修改。

    $path = "\\server\share\folder"
    $user = "CONTOSO\administrator"
    $acl = Get-Acl -Path $path
    $aceAllow = New-Object System.Security.AccessControl.FileSystemAccessRule ($user,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
    $aceDeny = New-Object System.Security.AccessControl.FileSystemAccessRule ($user,1,"Deny")
    $acl.RemoveAccessRuleall($aceDeny)
    $acl.AddAccessRule($aceAllow)
    $acl | Set-Acl -Path $path  

    如您还有其他疑问,请随时与我们联系。如果回答是有帮助的,请将其标记为答案,可以帮助其他有相同问题的社区成员快速找到有用的答复。

    祝好

    Ian Xue


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, 22 June 2021 9:08 AM
  • 您好,

    请问上面的回复能否解决您的问题?

    如您还有其他疑问,请随时与我们联系。如果回答是有帮助的,请将其标记为答案,可以帮助其他社区成员快速找到有用的答复。

    祝好

    Ian Xue


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, 23 June 2021 6:27 AM
  • 如下图:本地administrator 本身对test没有权限,现在可以通过-安全-高级-更改所有者为administrator来夺权即可打开test文件夹,因为我的文件服务器上很多文件夹都做了类似设置,如果手动一个个点的话工作量太多,如何通过powershell 命令实现批量文件夹的夺权!

    执行powershell 报错如下

    • Edited by small-fish Wednesday, 23 June 2021 8:14 AM
    Wednesday, 23 June 2021 8:00 AM
  •      这个好像是更改共享文件夹的所有者吧!然后就可以更改文件夹权限了!

          我们这操作量倒是不高,围观学习下哈!

    Wednesday, 23 June 2021 8:49 AM
  • 您好,

    这个报错是没有权限,可以试下右键选择以管理员运行powershell,然后运行上面的脚本。如果还要更改所有者的话,可以这样

    $path = "\\server\share\folder"
    $account = New-Object System.Security.Principal.NTAccount("CONTOSO", "Administrator")
    $acl = Get-Acl -Path $path
    $acl.SetOwner($account)
    $acl | Set-Acl -Path $path 


    祝好

    Ian Xue


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    • Edited by Ian Xue Wednesday, 23 June 2021 9:25 AM
    Wednesday, 23 June 2021 8:56 AM
  • 您好,

    请问上面的回复能够解决您的问题吗?

    如果回答是有帮助的,请将其标记为答案。如您还有其他疑问,可以随时回帖与我们联系。

    祝好

    Ian Xue


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, 24 June 2021 8:11 AM
  • 您好,

    请问上面的回复能否解决您的问题?

    如果回答是有帮助的,请将其标记为答案,可以帮助其他社区成员快速找到有用的答复。如您还需要其他帮助,请随时回帖与我们联系。

    祝好

    Ian Xue


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, 25 June 2021 7:53 AM
  • 您好,

    Xue,请教一下,如果我想将二三层甚至更深的所有文件夹包括子文件进行夺权的话,该如何是好~

    Monday, 28 June 2021 7:41 AM
  • 您好,

    这个可以在外面加一层循环,比如像是这样

    $path = "\\server\share\folder"
    $account = New-Object System.Security.Principal.NTAccount("CONTOSO", "Administrator")
    Get-ChildItem -Path $path -Recurse | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $acl.SetOwner($account)
        $acl | Set-Acl -Path $_.FullName 
    }

    如果还有疑问的话,您可以另外开个贴单独讨论。

    祝好

    Ian Xue


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Ian Xue Monday, 28 June 2021 9:36 AM
    Monday, 28 June 2021 8:11 AM
  • 

    右键选择以管理员运行powershell 还是报错,报错如下

    set-acl 不允许将安全标识符作为此对象的所有者

    get-acl 尝试执行未经授权的操作

    Tuesday, 29 June 2021 1:06 AM
  • 您好,

    这个看起来可能是权限的问题。您可以试下右键管理员打开PowerShell,运行

    whoami /priv

    然后把结果贴上来看下。

    祝好

    Ian Xue


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, 29 June 2021 1:35 AM
  • Tuesday, 29 June 2021 2:19 AM
  • 您好,

    看图上的结果没什么问题,这样的话可以试下这个

    $path = "D:\test"
    $account = New-Object System.Security.Principal.NTAccount("CONTOSO", "Administrator")
    $acl = (Get-Item -Path $path).GetAccessControl("Owner")
    $acl.SetOwner($account)
    (Get-Item -Path $path).SetAccessControl($acl)

    或者也可以试下用takeown和icacls

    $path = "D:\test"
    $user = "CONTOSO\administrator"
    takeown /f $path /r /d y
    icacls $path /setowner $user

    祝好

    Ian Xue


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    • Edited by Ian Xue Tuesday, 29 June 2021 4:21 AM
    • Marked as answer by small-fish Tuesday, 29 June 2021 8:16 AM
    Tuesday, 29 June 2021 3:07 AM
  • $path = "D:\test" $user = "CONTOSO\administrator" takeown /f $path /r /d y icacls $path /setowner $user

    这个可以,其他都不行!谢谢!

    Tuesday, 29 June 2021 8:16 AM