如何快速获取一个用户有权限访问的共享文件夹?

  • 问题

  • 环境:windows server 2008 r2  文件服务器。

    需求:如何快速获取一个用户有权限访问的共享文件夹?

    用途:为了给新入职用户分配一致的权限。

    因为,之前的管理员没有采取 组 来组织用户账号,并授权权限。故,有此想法。先谢谢给予帮助的人!

    2015年3月31日 9:20

答案

  • 你好!

    根据我的经验,无法直接查询某个用户有权访问的共享文件夹列表;只能列出所有共享文件夹及其安全信息,再检查用户A是否出现在权限列表中。

    你可以通过函数 List-Sharedfolderpermission 列出文件服务器上的共享文件夹及其权限。请在文件服务器的 Windows PowerShell 中运行以下脚本:

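    function List-Sharedfolderpermission{
        <#
        .SYNOPSIS
        Lists the access control entries (ACEs) of every shared folder on one or more computers.

        .DESCRIPTION
        By default the share-level permissions are read from Win32_LogicalShareSecuritySetting.
        With -NTFSPermission the NTFS permissions are read from Win32_LogicalFileSecuritySetting
        for the folder each share points at (that folder only; sub-folders are not walked).
        One object is written per ACE.

        Audit caveats:
        - The output names the trustee stored in each ACE. Group membership is not expanded, so
          an account that gets access through a group only appears under that group's name.
        - Share permissions and NTFS permissions are two separate listings; review both.
        - A computer is reported with ConnectionStatus 'Fail' when a single ping
          (Test-Connection -Count 1) gets no reply, whether or not WMI would have answered.
        - Shares whose security descriptor cannot be read are reported with Write-Warning
          instead of being dropped silently.

        .PARAMETER ComputerName
        Computers to query. Defaults to the local computer.

        .PARAMETER NTFSPermission
        Report the NTFS permissions of the shared folders instead of the share permissions.

        .PARAMETER Credential
        Optional credential handed to Get-WmiObject for every WMI query.

        .OUTPUTS
        PSObject with ComputerName, ConnectionStatus, SharedFolderName, SecurityPrincipal,
        FileSystemRights and AccessControlType; with -NTFSPermission also AccessControlFalgs
        (the misspelt property name is kept because existing callers may select it).
        #>
        Param
        (
            [Parameter(Mandatory=$false)]
            [Alias('Computer')][String[]]$ComputerName=$Env:COMPUTERNAME,

            [Parameter(Mandatory=$false)]
            [Alias('NTFS')][Switch]$NTFSPermission,

            [Parameter(Mandatory=$false)]
            [Alias('Cred')][System.Management.Automation.PsCredential]$Credential
        )

        $RecordErrorAction = $ErrorActionPreference
        # Change the error action temporarily; unreadable shares are reported as warnings below.
        $ErrorActionPreference = "SilentlyContinue"

        # Builds the Get-WmiObject arguments shared by every query against one computer.
        # $Credential comes from the enclosing function and is added only when supplied.
        Function GetWmiArguments($ComputerName)
        {
            $Arguments = @{'ComputerName' = $ComputerName
                           'ErrorAction' = 'SilentlyContinue'}
            if($Credential)
            {
                $Arguments['Credential'] = $Credential
            }
            $Arguments
        }

        # Formats the trustee of one ACE as DOMAIN\Name, or Name alone when no domain is set.
        # When the name is empty the SID string is returned instead, so ACEs whose account
        # name is not available still identify their trustee.
        Function GetTrusteeName($Trustee)
        {
            if([String]::IsNullOrEmpty($Trustee.Name))
            {
                return $Trustee.SIDString
            }
            if($null -ne $Trustee.Domain)
            {
                return "$($Trustee.Domain)\$($Trustee.Name)"
            }
            return "$($Trustee.Name)"
        }

        # Converts an ACE access mask to FileSystemRights. When PowerShell cannot convert the
        # mask, the raw value is returned as hex so the ACE is still listed.
        # NOTE(review): presumably this happens for generic-rights bits - confirm.
        Function ConvertAccessMask($AccessMask)
        {
            $Rights = $AccessMask -as [Security.AccessControl.FileSystemRights]
            if($null -eq $Rights)
            {
                return ('0x{0:X8}' -f $AccessMask)
            }
            return $Rights
        }

        # Writes one object per share-level ACE found on $ComputerName.
        Function GetSharedFolderPermission($ComputerName)
        {
            $Columns = 'ComputerName','ConnectionStatus','SharedFolderName','SecurityPrincipal',
                       'FileSystemRights','AccessControlType'

            # Test server connectivity first; an unreachable host gets a single 'Fail' row.
            if(-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet))
            {
                $Properties = @{'ComputerName' = $ComputerName
                                'ConnectionStatus' = "Fail"
                                'SharedFolderName' = "Not Available"
                                'SecurityPrincipal' = "Not Available"
                                'FileSystemRights' = "Not Available"
                                'AccessControlType' = "Not Available"}
                # Emit the row directly: appending to an uninitialised $Objs could pick up a
                # variable of that name from the caller's scope.
                New-Object -TypeName PSObject -Property $Properties | Select-Object $Columns
                return
            }

            $WmiArguments = GetWmiArguments $ComputerName
            $SharedFolderSecs = Get-WmiObject -Class Win32_LogicalShareSecuritySetting @WmiArguments

            foreach($SharedFolderSec in $SharedFolderSecs)
            {
                # Older PowerShell versions run the loop body once for a $null collection.
                if($null -eq $SharedFolderSec)
                {
                    continue
                }

                $SecDescriptor = $SharedFolderSec.GetSecurityDescriptor()
                if($null -eq $SecDescriptor -or $null -eq $SecDescriptor.Descriptor -or $null -eq $SecDescriptor.Descriptor.DACL)
                {
                    Write-Warning "$ComputerName : no DACL could be read for share '$($SharedFolderSec.Name)'; it is missing from this listing and should be reviewed manually."
                    continue
                }

                $Objs = @()
                foreach($DACL in $SecDescriptor.Descriptor.DACL)
                {
                    $Properties = @{'ComputerName' = $ComputerName
                                    'ConnectionStatus' = "Success"
                                    'SharedFolderName' = $SharedFolderSec.Name
                                    'SecurityPrincipal' = (GetTrusteeName $DACL.Trustee)
                                    'FileSystemRights' = (ConvertAccessMask $DACL.AccessMask)
                                    'AccessControlType' = [Security.AccessControl.AceType]$DACL.AceType}
                    $Objs += New-Object -TypeName PSObject -Property $Properties
                }
                $Objs | Select-Object $Columns
            }
        }

        # Writes one object per NTFS ACE on the folder behind each share of $ComputerName.
        Function GetSharedFolderNTFSPermission($ComputerName)
        {
            $Columns = 'ComputerName','ConnectionStatus','SharedFolderName','SecurityPrincipal',
                       'FileSystemRights','AccessControlType','AccessControlFalgs'

            # Test server connectivity first; an unreachable host gets a single 'Fail' row.
            if(-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet))
            {
                $Properties = @{'ComputerName' = $ComputerName
                                'ConnectionStatus' = "Fail"
                                'SharedFolderName' = "Not Available"
                                'SecurityPrincipal' = "Not Available"
                                'FileSystemRights' = "Not Available"
                                'AccessControlType' = "Not Available"
                                'AccessControlFalgs' = "Not Available"}
                New-Object -TypeName PSObject -Property $Properties | Select-Object $Columns -Unique
                return
            }

            $WmiArguments = GetWmiArguments $ComputerName
            $SharedFolders = Get-WmiObject -Class Win32_Share @WmiArguments

            foreach($SharedFolder in $SharedFolders)
            {
                if($null -eq $SharedFolder)
                {
                    continue
                }
                # A share without a file system path has no NTFS ACL to report.
                if([String]::IsNullOrEmpty($SharedFolder.Path))
                {
                    Write-Verbose "$ComputerName : share '$($SharedFolder.Name)' has no path; skipped."
                    continue
                }

                # Escape the path for a WQL string literal: backslashes first, then single quotes.
                # [regex]::Escape is not suitable here because it also escapes spaces, dots and
                # parentheses, which made shares with such paths drop out of the listing.
                $SharedFolderPath = $SharedFolder.Path -replace '\\','\\' -replace "'","\'"
                $SharedNTFSSecs = Get-WmiObject -Class Win32_LogicalFileSecuritySetting `
                -Filter "Path='$SharedFolderPath'" @WmiArguments

                $SecDescriptor = $null
                if($null -ne $SharedNTFSSecs)
                {
                    $SecDescriptor = $SharedNTFSSecs.GetSecurityDescriptor()
                }
                if($null -eq $SecDescriptor -or $null -eq $SecDescriptor.Descriptor -or $null -eq $SecDescriptor.Descriptor.DACL)
                {
                    Write-Warning "$ComputerName : no NTFS DACL could be read for share '$($SharedFolder.Name)' ($($SharedFolder.Path)); it is missing from this listing and should be reviewed manually."
                    continue
                }

                $Objs = @()
                foreach($DACL in $SecDescriptor.Descriptor.DACL)
                {
                    $Properties = @{'ComputerName' = $ComputerName
                                    'ConnectionStatus' = "Success"
                                    'SharedFolderName' = $SharedFolder.Name
                                    'SecurityPrincipal' = (GetTrusteeName $DACL.Trustee)
                                    'FileSystemRights' = (ConvertAccessMask $DACL.AccessMask)
                                    'AccessControlType' = [Security.AccessControl.AceType]$DACL.AceType
                                    'AccessControlFalgs' = [Security.AccessControl.AceFlags]$DACL.AceFlags}
                    $Objs += New-Object -TypeName PSObject -Property $Properties
                }
                # -Unique collapses ACEs of one share that are identical in every reported column.
                $Objs | Select-Object $Columns -Unique
            }
        }

        try
        {
            foreach($CN in $ComputerName)
            {
                if($NTFSPermission)
                {
                    GetSharedFolderNTFSPermission -ComputerName $CN
                }
                else
                {
                    GetSharedFolderPermission -ComputerName $CN
                }
            }
        }
        finally
        {
            # Restore the error action on every exit path.
            $ErrorActionPreference = $RecordErrorAction
        }

    }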

    参考:

    Lists all the shared folder permissions or NTFS permissions (PowerShell)

    然后筛选用户A是否在权限列表里(注意:该筛选只匹配直接授予该账号的权限项;通过组(例如 Everyone、Domain Users)获得的访问权限不会被匹配,需要另外按组名筛选):

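    # Keeps only the ACEs whose trustee is exactly this account; -AutoSize -Wrap stops
    # Format-Table (ft) from truncating wide columns such as FileSystemRights.
    List-Sharedfolderpermission -NTFSPermission|where{$_.SecurityPrincipal -eq "Domain\User"}|ft -AutoSize -Wrap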

    Best Regards,

    Anna Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com


    2015年4月1日 8:11
    版主

全部回复

  • 你的意思不是很明白。如果你是管理员,完全可以直接给某个用户分配相应的权限;如果对文件没有权限,管理员可以先夺取文件的权限,然后再给用户分配相应的权限。
    2015年3月31日 11:52
  • 原用户A 有多个共享文件夹被授权读写和读取。

    新用户B需要授权为读取,参考用户A的授权就完事了。因为不知道用户A具体有哪些文件夹,只能通过去该用户电脑上统计,方可得知。

    我期望达成的目标是:

    在这台服务器上通过某种方法获取到该用户A被授权的所有共享文件夹清单,而不是先去统计好有哪些,再一个一个地授权。

    2015年4月1日 1:27
  • 你好!

    根据我的经验,无法直接查询某个用户有权访问的共享文件夹列表;只能列出所有共享文件夹及其安全信息,再检查用户A是否出现在权限列表中。

    你可以通过函数 List-Sharedfolderpermission 列出文件服务器上的共享文件夹及其权限。请在文件服务器的 Windows PowerShell 中运行以下脚本:

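    function List-Sharedfolderpermission{
        <#
        .SYNOPSIS
        Lists the access control entries (ACEs) of every shared folder on one or more computers.

        .DESCRIPTION
        By default the share-level permissions are read from Win32_LogicalShareSecuritySetting.
        With -NTFSPermission the NTFS permissions are read from Win32_LogicalFileSecuritySetting
        for the folder each share points at (that folder only; sub-folders are not walked).
        One object is written per ACE.

        Audit caveats:
        - The output names the trustee stored in each ACE. Group membership is not expanded, so
          an account that gets access through a group only appears under that group's name.
        - Share permissions and NTFS permissions are two separate listings; review both.
        - A computer is reported with ConnectionStatus 'Fail' when a single ping
          (Test-Connection -Count 1) gets no reply, whether or not WMI would have answered.
        - Shares whose security descriptor cannot be read are reported with Write-Warning
          instead of being dropped silently.

        .PARAMETER ComputerName
        Computers to query. Defaults to the local computer.

        .PARAMETER NTFSPermission
        Report the NTFS permissions of the shared folders instead of the share permissions.

        .PARAMETER Credential
        Optional credential handed to Get-WmiObject for every WMI query.

        .OUTPUTS
        PSObject with ComputerName, ConnectionStatus, SharedFolderName, SecurityPrincipal,
        FileSystemRights and AccessControlType; with -NTFSPermission also AccessControlFalgs
        (the misspelt property name is kept because existing callers may select it).
        #>
        Param
        (
            [Parameter(Mandatory=$false)]
            [Alias('Computer')][String[]]$ComputerName=$Env:COMPUTERNAME,

            [Parameter(Mandatory=$false)]
            [Alias('NTFS')][Switch]$NTFSPermission,

            [Parameter(Mandatory=$false)]
            [Alias('Cred')][System.Management.Automation.PsCredential]$Credential
        )

        $RecordErrorAction = $ErrorActionPreference
        # Change the error action temporarily; unreadable shares are reported as warnings below.
        $ErrorActionPreference = "SilentlyContinue"

        # Builds the Get-WmiObject arguments shared by every query against one computer.
        # $Credential comes from the enclosing function and is added only when supplied.
        Function GetWmiArguments($ComputerName)
        {
            $Arguments = @{'ComputerName' = $ComputerName
                           'ErrorAction' = 'SilentlyContinue'}
            if($Credential)
            {
                $Arguments['Credential'] = $Credential
            }
            $Arguments
        }

        # Formats the trustee of one ACE as DOMAIN\Name, or Name alone when no domain is set.
        # When the name is empty the SID string is returned instead, so ACEs whose account
        # name is not available still identify their trustee.
        Function GetTrusteeName($Trustee)
        {
            if([String]::IsNullOrEmpty($Trustee.Name))
            {
                return $Trustee.SIDString
            }
            if($null -ne $Trustee.Domain)
            {
                return "$($Trustee.Domain)\$($Trustee.Name)"
            }
            return "$($Trustee.Name)"
        }

        # Converts an ACE access mask to FileSystemRights. When PowerShell cannot convert the
        # mask, the raw value is returned as hex so the ACE is still listed.
        # NOTE(review): presumably this happens for generic-rights bits - confirm.
        Function ConvertAccessMask($AccessMask)
        {
            $Rights = $AccessMask -as [Security.AccessControl.FileSystemRights]
            if($null -eq $Rights)
            {
                return ('0x{0:X8}' -f $AccessMask)
            }
            return $Rights
        }

        # Writes one object per share-level ACE found on $ComputerName.
        Function GetSharedFolderPermission($ComputerName)
        {
            $Columns = 'ComputerName','ConnectionStatus','SharedFolderName','SecurityPrincipal',
                       'FileSystemRights','AccessControlType'

            # Test server connectivity first; an unreachable host gets a single 'Fail' row.
            if(-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet))
            {
                $Properties = @{'ComputerName' = $ComputerName
                                'ConnectionStatus' = "Fail"
                                'SharedFolderName' = "Not Available"
                                'SecurityPrincipal' = "Not Available"
                                'FileSystemRights' = "Not Available"
                                'AccessControlType' = "Not Available"}
                # Emit the row directly: appending to an uninitialised $Objs could pick up a
                # variable of that name from the caller's scope.
                New-Object -TypeName PSObject -Property $Properties | Select-Object $Columns
                return
            }

            $WmiArguments = GetWmiArguments $ComputerName
            $SharedFolderSecs = Get-WmiObject -Class Win32_LogicalShareSecuritySetting @WmiArguments

            foreach($SharedFolderSec in $SharedFolderSecs)
            {
                # Older PowerShell versions run the loop body once for a $null collection.
                if($null -eq $SharedFolderSec)
                {
                    continue
                }

                $SecDescriptor = $SharedFolderSec.GetSecurityDescriptor()
                if($null -eq $SecDescriptor -or $null -eq $SecDescriptor.Descriptor -or $null -eq $SecDescriptor.Descriptor.DACL)
                {
                    Write-Warning "$ComputerName : no DACL could be read for share '$($SharedFolderSec.Name)'; it is missing from this listing and should be reviewed manually."
                    continue
                }

                $Objs = @()
                foreach($DACL in $SecDescriptor.Descriptor.DACL)
                {
                    $Properties = @{'ComputerName' = $ComputerName
                                    'ConnectionStatus' = "Success"
                                    'SharedFolderName' = $SharedFolderSec.Name
                                    'SecurityPrincipal' = (GetTrusteeName $DACL.Trustee)
                                    'FileSystemRights' = (ConvertAccessMask $DACL.AccessMask)
                                    'AccessControlType' = [Security.AccessControl.AceType]$DACL.AceType}
                    $Objs += New-Object -TypeName PSObject -Property $Properties
                }
                $Objs | Select-Object $Columns
            }
        }

        # Writes one object per NTFS ACE on the folder behind each share of $ComputerName.
        Function GetSharedFolderNTFSPermission($ComputerName)
        {
            $Columns = 'ComputerName','ConnectionStatus','SharedFolderName','SecurityPrincipal',
                       'FileSystemRights','AccessControlType','AccessControlFalgs'

            # Test server connectivity first; an unreachable host gets a single 'Fail' row.
            if(-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet))
            {
                $Properties = @{'ComputerName' = $ComputerName
                                'ConnectionStatus' = "Fail"
                                'SharedFolderName' = "Not Available"
                                'SecurityPrincipal' = "Not Available"
                                'FileSystemRights' = "Not Available"
                                'AccessControlType' = "Not Available"
                                'AccessControlFalgs' = "Not Available"}
                New-Object -TypeName PSObject -Property $Properties | Select-Object $Columns -Unique
                return
            }

            $WmiArguments = GetWmiArguments $ComputerName
            $SharedFolders = Get-WmiObject -Class Win32_Share @WmiArguments

            foreach($SharedFolder in $SharedFolders)
            {
                if($null -eq $SharedFolder)
                {
                    continue
                }
                # A share without a file system path has no NTFS ACL to report.
                if([String]::IsNullOrEmpty($SharedFolder.Path))
                {
                    Write-Verbose "$ComputerName : share '$($SharedFolder.Name)' has no path; skipped."
                    continue
                }

                # Escape the path for a WQL string literal: backslashes first, then single quotes.
                # [regex]::Escape is not suitable here because it also escapes spaces, dots and
                # parentheses, which made shares with such paths drop out of the listing.
                $SharedFolderPath = $SharedFolder.Path -replace '\\','\\' -replace "'","\'"
                $SharedNTFSSecs = Get-WmiObject -Class Win32_LogicalFileSecuritySetting `
                -Filter "Path='$SharedFolderPath'" @WmiArguments

                $SecDescriptor = $null
                if($null -ne $SharedNTFSSecs)
                {
                    $SecDescriptor = $SharedNTFSSecs.GetSecurityDescriptor()
                }
                if($null -eq $SecDescriptor -or $null -eq $SecDescriptor.Descriptor -or $null -eq $SecDescriptor.Descriptor.DACL)
                {
                    Write-Warning "$ComputerName : no NTFS DACL could be read for share '$($SharedFolder.Name)' ($($SharedFolder.Path)); it is missing from this listing and should be reviewed manually."
                    continue
                }

                $Objs = @()
                foreach($DACL in $SecDescriptor.Descriptor.DACL)
                {
                    $Properties = @{'ComputerName' = $ComputerName
                                    'ConnectionStatus' = "Success"
                                    'SharedFolderName' = $SharedFolder.Name
                                    'SecurityPrincipal' = (GetTrusteeName $DACL.Trustee)
                                    'FileSystemRights' = (ConvertAccessMask $DACL.AccessMask)
                                    'AccessControlType' = [Security.AccessControl.AceType]$DACL.AceType
                                    'AccessControlFalgs' = [Security.AccessControl.AceFlags]$DACL.AceFlags}
                    $Objs += New-Object -TypeName PSObject -Property $Properties
                }
                # -Unique collapses ACEs of one share that are identical in every reported column.
                $Objs | Select-Object $Columns -Unique
            }
        }

        try
        {
            foreach($CN in $ComputerName)
            {
                if($NTFSPermission)
                {
                    GetSharedFolderNTFSPermission -ComputerName $CN
                }
                else
                {
                    GetSharedFolderPermission -ComputerName $CN
                }
            }
        }
        finally
        {
            # Restore the error action on every exit path.
            $ErrorActionPreference = $RecordErrorAction
        }

    }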

    参考:

    Lists all the shared folder permissions or NTFS permissions (PowerShell)

    然后筛选用户A是否在权限列表里(注意:该筛选只匹配直接授予该账号的权限项;通过组(例如 Everyone、Domain Users)获得的访问权限不会被匹配,需要另外按组名筛选):

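    # Keeps only the ACEs whose trustee is exactly this account; -AutoSize -Wrap stops
    # Format-Table (ft) from truncating wide columns such as FileSystemRights.
    List-Sharedfolderpermission -NTFSPermission|where{$_.SecurityPrincipal -eq "Domain\User"}|ft -AutoSize -Wrap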

    Best Regards,

    Anna Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com


    2015年4月1日 8:11
    版主
  • 很好的帮助。原谅我没及时回复。


    # If columns look cut off, that is Format-Table (ft) truncating wide values;
    # appending -AutoSize -Wrap shows them in full.
    List-Sharedfolderpermission -NTFSPermission|where{$_.SecurityPrincipal -eq "Domain\User"}|ft


    这条语句执行后出来的结果清单,看起来好像显示得不完整哦。
    • 已编辑 gnepgnehc 2015年5月14日 6:48 找到方法
    2015年5月14日 6:13
  • 你好!

    请运行命令:

    # Shows the execution policy in effect for the current session.
    Get-ExecutionPolicy

    如果是restricted,请运行以下命令改成 Bypass

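    # -Scope Process limits Bypass to this PowerShell session; without a scope the
    # change applies to the whole machine and stays in place after the session ends.
    Set-ExecutionPolicy Bypass -Scope Process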

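    该策略决定 PowerShell 是否允许执行 .ps1 脚本;出于服务器安全考虑,默认情况下不允许直接运行 .ps1 文件。注意:Bypass 不会阻止任何脚本,也不给出任何警告或提示;若不指定 -Scope,更改会作用于整台计算机并一直保留。如果只是临时运行本脚本,可以加上 -Scope Process,把更改限制在当前 PowerShell 会话内。该策略的其他选项请参考: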

    https://technet.microsoft.com/en-us/library/hh847748.aspx

    Best Regards,

    Anna Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    2015年5月14日 6:23
    版主