How can I quickly get the shared folders that a user has permission to access?

Question
Answer
-
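Hello!
In my experience, we cannot directly obtain the list of shared folders that a particular user has permission to access. We can only list all shared folders together with their security information, and then check whether user A is in the list.
You can list the shared folders and permissions of the file server with the function List-Sharedfolderpermission. Run the following script in Windows PowerShell on the file server: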

    function List-Sharedfolderpermission
    {
        Param
        (
            [Parameter(Mandatory=$false)]
            [Alias('Computer')][String[]]$ComputerName=$Env:COMPUTERNAME,

            [Parameter(Mandatory=$false)]
            [Alias('NTFS')][Switch]$NTFSPermission,

            [Parameter(Mandatory=$false)]
            [Alias('Cred')][System.Management.Automation.PsCredential]$Credential
        )

        $RecordErrorAction = $ErrorActionPreference
        # change the error action temporarily
        $ErrorActionPreference = "SilentlyContinue"

        Function GetSharedFolderPermission($ComputerName)
        {
            # test server connectivity
            $PingResult = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
            if($PingResult)
            {
                # use the credential if one was supplied
                if($Credential)
                {
                    $SharedFolderSecs = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                    -ComputerName $ComputerName -Credential $Credential -ErrorAction SilentlyContinue
                }
                else
                {
                    $SharedFolderSecs = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                    -ComputerName $ComputerName -ErrorAction SilentlyContinue
                }

                foreach ($SharedFolderSec in $SharedFolderSecs)
                {
                    $Objs = @() # define the empty array

                    $SecDescriptor = $SharedFolderSec.GetSecurityDescriptor()
                    foreach($DACL in $SecDescriptor.Descriptor.DACL)
                    {
                        $DACLDomain = $DACL.Trustee.Domain
                        $DACLName = $DACL.Trustee.Name
                        if($DACLDomain -ne $null)
                        {
                            $UserName = "$DACLDomain\$DACLName"
                        }
                        else
                        {
                            $UserName = "$DACLName"
                        }

                        # customize the property
                        $Properties = @{'ComputerName' = $ComputerName
                                        'ConnectionStatus' = "Success"
                                        'SharedFolderName' = $SharedFolderSec.Name
                                        'SecurityPrincipal' = $UserName
                                        'FileSystemRights' = [Security.AccessControl.FileSystemRights]`
                                        $($DACL.AccessMask -as [Security.AccessControl.FileSystemRights])
                                        'AccessControlType' = [Security.AccessControl.AceType]$DACL.AceType}
                        $SharedACLs = New-Object -TypeName PSObject -Property $Properties
                        $Objs += $SharedACLs
                    }
                    $Objs|Select-Object ComputerName,ConnectionStatus,SharedFolderName,SecurityPrincipal, `
                    FileSystemRights,AccessControlType
                }
            }
            else
            {
                $Properties = @{'ComputerName' = $ComputerName
                                'ConnectionStatus' = "Fail"
                                'SharedFolderName' = "Not Available"
                                'SecurityPrincipal' = "Not Available"
                                'FileSystemRights' = "Not Available"
                                'AccessControlType' = "Not Available"}
                $SharedACLs = New-Object -TypeName PSObject -Property $Properties
                $Objs += $SharedACLs
                $Objs|Select-Object ComputerName,ConnectionStatus,SharedFolderName,SecurityPrincipal, `
                FileSystemRights,AccessControlType
            }
        }

        Function GetSharedFolderNTFSPermission($ComputerName)
        {
            # test server connectivity
            $PingResult = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
            if($PingResult)
            {
                # use the credential if one was supplied
                if($Credential)
                {
                    $SharedFolders = Get-WmiObject -Class Win32_Share `
                    -ComputerName $ComputerName -Credential $Credential -ErrorAction SilentlyContinue
                }
                else
                {
                    $SharedFolders = Get-WmiObject -Class Win32_Share `
                    -ComputerName $ComputerName -ErrorAction SilentlyContinue
                }

                foreach($SharedFolder in $SharedFolders)
                {
                    $Objs = @()

                    # skip shares that have no file system path (for example IPC$)
                    if([string]::IsNullOrEmpty($SharedFolder.Path)) { continue }

                    # escape backslashes and single quotes for the WQL filter
                    $SharedFolderPath = $SharedFolder.Path.Replace('\','\\').Replace("'","\'")
                    if($Credential)
                    {
                        $SharedNTFSSecs = Get-WmiObject -Class Win32_LogicalFileSecuritySetting `
                        -Filter "Path='$SharedFolderPath'" -ComputerName $ComputerName -Credential $Credential
                    }
                    else
                    {
                        $SharedNTFSSecs = Get-WmiObject -Class Win32_LogicalFileSecuritySetting `
                        -Filter "Path='$SharedFolderPath'" -ComputerName $ComputerName
                    }

                    # skip the share when nothing was returned, so the previous share's
                    # descriptor is never reported under this share's name
                    if(-not $SharedNTFSSecs) { continue }

                    $SecDescriptor = $SharedNTFSSecs.GetSecurityDescriptor()
                    foreach($DACL in $SecDescriptor.Descriptor.DACL)
                    {
                        $DACLDomain = $DACL.Trustee.Domain
                        $DACLName = $DACL.Trustee.Name
                        if($DACLDomain -ne $null)
                        {
                            $UserName = "$DACLDomain\$DACLName"
                        }
                        else
                        {
                            $UserName = "$DACLName"
                        }

                        # customize the property
                        $Properties = @{'ComputerName' = $ComputerName
                                        'ConnectionStatus' = "Success"
                                        'SharedFolderName' = $SharedFolder.Name
                                        'SecurityPrincipal' = $UserName
                                        'FileSystemRights' = [Security.AccessControl.FileSystemRights]`
                                        $($DACL.AccessMask -as [Security.AccessControl.FileSystemRights])
                                        'AccessControlType' = [Security.AccessControl.AceType]$DACL.AceType
                                        'AccessControlFalgs' = [Security.AccessControl.AceFlags]$DACL.AceFlags}
                        $SharedNTFSACL = New-Object -TypeName PSObject -Property $Properties
                        $Objs += $SharedNTFSACL
                    }
                    $Objs |Select-Object ComputerName,ConnectionStatus,SharedFolderName,SecurityPrincipal,FileSystemRights, `
                    AccessControlType,AccessControlFalgs -Unique
                }
            }
            else
            {
                $Properties = @{'ComputerName' = $ComputerName
                                'ConnectionStatus' = "Fail"
                                'SharedFolderName' = "Not Available"
                                'SecurityPrincipal' = "Not Available"
                                'FileSystemRights' = "Not Available"
                                'AccessControlType' = "Not Available"
                                'AccessControlFalgs' = "Not Available"}
                $SharedNTFSACL = New-Object -TypeName PSObject -Property $Properties
                $Objs += $SharedNTFSACL
                $Objs |Select-Object ComputerName,ConnectionStatus,SharedFolderName,SecurityPrincipal,FileSystemRights, `
                AccessControlType,AccessControlFalgs -Unique
            }
        }

        foreach($CN in $ComputerName)
        {
            if($NTFSPermission)
            {
                GetSharedFolderNTFSPermission -ComputerName $CN
            }
            else
            {
                GetSharedFolderPermission -ComputerName $CN
            }
        }

        # restore the error action
        $ErrorActionPreference = $RecordErrorAction
    }

Reference:
Lists all the shared folder permissions or NTFS permissions (PowerShell)
Then check whether user A is in the permission list:
List-Sharedfolderpermission -NTFSPermission|where{$_.SecurityPrincipal -eq "Domain\User"}|ft
Best Regards,
Anna Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com
- Edited by AnnaWYModerator, April 1, 2015 8:12
- Proposed as answer by AnnaWYModerator, April 7, 2015 11:37
- Marked as answer by AnnaWYModerator, April 10, 2015 1:59
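
A filter on a single `SecurityPrincipal` value matches only ACEs that name the account directly, so access granted through a group does not appear in the result. The following added example (not part of the original reply) matches the function's output rows against the user plus the user's groups and subtracts deny ACEs; the name `Get-EffectiveShareAccess`, the sample rows and the `CONTOSO` principals are constructed, and "deny overrides allow" assumes canonical ACE order.

```powershell
function Get-EffectiveShareAccess {
    param(
        [Parameter(Mandatory=$true)][object[]]$Permission,  # rows from List-Sharedfolderpermission
        [Parameter(Mandatory=$true)][string[]]$Principal    # the user plus every group the user is in
    )
    $read  = [int][Security.AccessControl.FileSystemRights]::Read
    $write = [int][Security.AccessControl.FileSystemRights]::Write
    # Keep ACEs whose trustee is the user or one of the groups (-contains is case-insensitive).
    # NTFS rows carry AceFlags: inherit-only ACEs do not apply to the shared folder itself.
    $Permission |
        Where-Object { $_.ConnectionStatus -eq 'Success' -and
                       $Principal -contains $_.SecurityPrincipal -and
                       "$($_.AccessControlFalgs)" -notmatch 'InheritOnly' } |
        Group-Object ComputerName, SharedFolderName |
        ForEach-Object {
            $allow = 0; $deny = 0
            foreach ($ace in $_.Group) {
                $mask = [int][Security.AccessControl.FileSystemRights]$ace.FileSystemRights
                if ("$($ace.AccessControlType)" -eq 'AccessDenied') { $deny = $deny -bor $mask }
                else { $allow = $allow -bor $mask }
            }
            # Assumption: canonical ACE order, so a matching deny overrides any allow.
            $effective = $allow -band (-bnot $deny)
            [pscustomobject]@{
                ComputerName     = $_.Group[0].ComputerName
                SharedFolderName = $_.Group[0].SharedFolderName
                MatchedVia       = ($_.Group | ForEach-Object { $_.SecurityPrincipal } | Sort-Object -Unique) -join ', '
                EffectiveRights  = [Security.AccessControl.FileSystemRights]$effective
                CanRead          = ($effective -band $read) -eq $read
                CanWrite         = ($effective -band $write) -eq $write
            }
        }
}

# Constructed sample rows in the shape List-Sharedfolderpermission emits (share-level view).
$rows = @(
    [pscustomobject]@{ ComputerName='FS01'; ConnectionStatus='Success'; SharedFolderName='Finance'
        SecurityPrincipal='CONTOSO\Finance-RW'; FileSystemRights='Modify, Synchronize'; AccessControlType='AccessAllowed' }
    [pscustomobject]@{ ComputerName='FS01'; ConnectionStatus='Success'; SharedFolderName='Finance'
        SecurityPrincipal='CONTOSO\Contractors'; FileSystemRights='Write'; AccessControlType='AccessDenied' }
    [pscustomobject]@{ ComputerName='FS01'; ConnectionStatus='Success'; SharedFolderName='Public'
        SecurityPrincipal='Everyone'; FileSystemRights='ReadAndExecute, Synchronize'; AccessControlType='AccessAllowed' }
    [pscustomobject]@{ ComputerName='FS01'; ConnectionStatus='Success'; SharedFolderName='HR'
        SecurityPrincipal='CONTOSO\HR-Staff'; FileSystemRights='FullControl'; AccessControlType='AccessAllowed' }
)
# Constructed principal set: the account itself followed by its groups.
$principals = 'CONTOSO\alice', 'CONTOSO\Finance-RW', 'CONTOSO\Contractors', 'Everyone'

$rows | Where-Object { $_.SecurityPrincipal -eq 'CONTOSO\alice' }   # exact trustee match, as in the reply
Get-EffectiveShareAccess -Permission $rows -Principal $principals | Format-Table -AutoSize
```

Run it once on the share-level rows and once on the `-NTFSPermission` rows; access over the network is limited to the more restrictive of the two results.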
All replies
-
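Hello!
Please run the command:
Get-ExecutionPolicy
If it is Restricted, run the following command to change it to Bypass:
Set-ExecutionPolicy Bypass
This is the policy that controls whether PowerShell can execute .ps1 files. By default, running .ps1 files directly is not allowed, for the sake of server security. The policy also has other options; please refer to: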
https://technet.microsoft.com/en-us/library/hh847748.aspx
Best Regards,
Anna Wang