如何快速获取一个用户有权限访问的共享文件夹？

全部回复

• 

  

  0

  登录进行投票

  你的意思不是很明白，你如果是管理员完全可以给某个用户分配相应的权限，如果没有权限，如果是管理员，可以夺取文件的权限，然后在给用户相应的权限。

  2015年3月31日 11:52

  回复

  |

  引用
• 

  

  0

  登录进行投票

  原用户A 有多个共享文件夹被授权读写和读取。

  新用户B需要授权为读取，参考用户A的授权就完事了。因为不知道用户A具体有哪些文件夹，只能通过去该用户电脑上统计，方可得知。

  我期望达成的目标是：

  这这服务器上通过某种方法获取到该用户A被授权的所有共享文件夹清单。而不是先去统计好有哪些，再一个一个的授权。

  2015年4月1日 1:27

  回复

  |

  引用
• 

  

  0

  登录进行投票

  你好！

  根据我的经验，我们不能直接得到共享文件列表某个用户对这些文件有访问权限，只能列出所有共享文件和他的安全信息，然后观察用户A是否在列表内。

  你可以列出文件服务器的共享文件和权限通过function List-Sharedfolderpermission，运行以下的脚本在文件服务器上的Windows Powershell:

  function List-Sharedfolderpermission{
  
  
  Param
  (
  	[Parameter(Mandatory=$false)]
  	[Alias('Computer')][String[]]$ComputerName=$Env:COMPUTERNAME,
  
  	[Parameter(Mandatory=$false)]
  	[Alias('NTFS')][Switch]$NTFSPermission,
  	
  	[Parameter(Mandatory=$false)]
  	[Alias('Cred')][System.Management.Automation.PsCredential]$Credential
  )
  
  $RecordErrorAction = $ErrorActionPreference
  #change the error action temporarily
  $ErrorActionPreference = "SilentlyContinue"
  
  Function GetSharedFolderPermission($ComputerName)
  {
  	#test server connectivity
  	$PingResult = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
  	if($PingResult)
  	{
  		#check the credential whether trigger
  		if($Credential)
  		{
  			$SharedFolderSecs = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
  			-ComputerName $ComputerName -Credential $Credential -ErrorAction SilentlyContinue
  		}
  		else
  		{
  			$SharedFolderSecs = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
  			-ComputerName $ComputerName -ErrorAction SilentlyContinue
  		}
  		
  		foreach ($SharedFolderSec in $SharedFolderSecs) 
  		{ 
  		    $Objs = @() #define the empty array
  			
  	        $SecDescriptor = $SharedFolderSec.GetSecurityDescriptor()
  	        foreach($DACL in $SecDescriptor.Descriptor.DACL)
  			{  
  				$DACLDomain = $DACL.Trustee.Domain
  				$DACLName = $DACL.Trustee.Name
  				if($DACLDomain -ne $null)
  				{
  	           		$UserName = "$DACLDomain\$DACLName"
  				}
  				else
  				{
  					$UserName = "$DACLName"
  				}
  				
  				#customize the property
  				$Properties = @{'ComputerName' = $ComputerName
  								'ConnectionStatus' = "Success"
  								'SharedFolderName' = $SharedFolderSec.Name
  								'SecurityPrincipal' = $UserName
  								'FileSystemRights' = [Security.AccessControl.FileSystemRights]`
  								$($DACL.AccessMask -as [Security.AccessControl.FileSystemRights])
  								'AccessControlType' = [Security.AccessControl.AceType]$DACL.AceType}
  				$SharedACLs = New-Object -TypeName PSObject -Property $Properties
  				$Objs += $SharedACLs
  
  	        }
  			$Objs|Select-Object ComputerName,ConnectionStatus,SharedFolderName,SecurityPrincipal, `
  			FileSystemRights,AccessControlType
  	    }  
  	}
  	else
  	{
  		$Properties = @{'ComputerName' = $ComputerName
  						'ConnectionStatus' = "Fail"
  						'SharedFolderName' = "Not Available"
  						'SecurityPrincipal' = "Not Available"
  						'FileSystemRights' = "Not Available"
  						'AccessControlType' = "Not Available"}
  		$SharedACLs = New-Object -TypeName PSObject -Property $Properties
  		$Objs += $SharedACLs
  		$Objs|Select-Object ComputerName,ConnectionStatus,SharedFolderName,SecurityPrincipal, `
  		FileSystemRights,AccessControlType
  	}
  }
  
  Function GetSharedFolderNTFSPermission($ComputerName)
  {
  	#test server connectivity
  	$PingResult = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
  	if($PingResult)
  	{
  		#check the credential whether trigger
  		if($Credential)
  		{
  			$SharedFolders = Get-WmiObject -Class Win32_Share `
  			-ComputerName $ComputerName -Credential $Credential -ErrorAction SilentlyContinue
  		}
  		else
  		{
  			$SharedFolders = Get-WmiObject -Class Win32_Share `
  			-ComputerName $ComputerName -ErrorAction SilentlyContinue
  		}
  
  		foreach($SharedFolder in $SharedFolders)
  		{
  			$Objs = @()
  			
  			$SharedFolderPath = [regex]::Escape($SharedFolder.Path)
  			if($Credential)
  			{	
  				$SharedNTFSSecs = Get-WmiObject -Class Win32_LogicalFileSecuritySetting `
  				-Filter "Path='$SharedFolderPath'" -ComputerName $ComputerName  -Credential $Credential
  			}
  			else
  			{
  				$SharedNTFSSecs = Get-WmiObject -Class Win32_LogicalFileSecuritySetting `
  				-Filter "Path='$SharedFolderPath'" -ComputerName $ComputerName
  			}
  			
  			$SecDescriptor = $SharedNTFSSecs.GetSecurityDescriptor()
  			foreach($DACL in $SecDescriptor.Descriptor.DACL)
  			{  
  				$DACLDomain = $DACL.Trustee.Domain
  				$DACLName = $DACL.Trustee.Name
  				if($DACLDomain -ne $null)
  				{
  	           		$UserName = "$DACLDomain\$DACLName"
  				}
  				else
  				{
  					$UserName = "$DACLName"
  				}
  				
  				#customize the property
  				$Properties = @{'ComputerName' = $ComputerName
  								'ConnectionStatus' = "Success"
  								'SharedFolderName' = $SharedFolder.Name
  								'SecurityPrincipal' = $UserName
  								'FileSystemRights' = [Security.AccessControl.FileSystemRights]`
  								$($DACL.AccessMask -as [Security.AccessControl.FileSystemRights])
  								'AccessControlType' = [Security.AccessControl.AceType]$DACL.AceType
  								'AccessControlFalgs' = [Security.AccessControl.AceFlags]$DACL.AceFlags}
  								
  				$SharedNTFSACL = New-Object -TypeName PSObject -Property $Properties
  	            $Objs += $SharedNTFSACL
  	        }
  			$Objs |Select-Object ComputerName,ConnectionStatus,SharedFolderName,SecurityPrincipal,FileSystemRights, `
  			AccessControlType,AccessControlFalgs -Unique
  		}
  	}
  	else
  	{
  		$Properties = @{'ComputerName' = $ComputerName
  						'ConnectionStatus' = "Fail"
  						'SharedFolderName' = "Not Available"
  						'SecurityPrincipal' = "Not Available"
  						'FileSystemRights' = "Not Available"
  						'AccessControlType' = "Not Available"
  						'AccessControlFalgs' = "Not Available"}
  					
  		$SharedNTFSACL = New-Object -TypeName PSObject -Property $Properties
  	    $Objs += $SharedNTFSACL
  		$Objs |Select-Object ComputerName,ConnectionStatus,SharedFolderName,SecurityPrincipal,FileSystemRights, `
  		AccessControlType,AccessControlFalgs -Unique
  	}
  } 
  
  foreach($CN in $ComputerName)
  {
  	
  	if($NTFSPermission)
  	{
  		GetSharedFolderNTFSPermission -ComputerName $CN
  	}
  	else
  	{
  		GetSharedFolderPermission -ComputerName $CN
  	}
  }
  #restore the error action
  $ErrorActionPreference = $RecordErrorAction
  
  }

  参考：

  Lists all the shared folder permissions or NTFS permissions (PowerShell)

  然后观察用户A是否在权限列表里：

  List-Sharedfolderpermission -NTFSPermission|where{$_.SecurityPrincipal -eq "Domain\User"}|ft

  Best Regards,

  Anna Wang

  ---

  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

  
  

  • 已编辑 AnnaWYModerator 2015年4月1日 8:12
  • 已建议为答案 AnnaWYModerator 2015年4月7日 11:37
  • 已标记为答案 AnnaWYModerator 2015年4月10日 1:59

  2015年4月1日 8:11

  回复

  |

  引用

  版主
• 

  

  0

  登录进行投票

  很好的帮助。原谅我没及时回复。

  
  

  List-Sharedfolderpermission -NTFSPermission|where{$_.SecurityPrincipal -eq "Domain\User"}|ft

  
  

  这条语句执行后出来的结果清单，看起来好像显示得不完整哦。
  

  • 已编辑 gnepgnehc 2015年5月14日 6:48 找到方法

  2015年5月14日 6:13

  回复

  |

  引用
• 

  

  0

  登录进行投票

  你好！

  请运行命令：

  Get-ExecutionPolicy

  如果是restricted，请运行以下命令改成 Bypass

  Set-ExecutionPolicy Bypass

  这是Powershell是否可以执行.ps1的policy，默认情况下是不允许直接运行.ps1文件为了服务器安全考虑，当然该policy还有其他选项请参考：

  https://technet.microsoft.com/en-us/library/hh847748.aspx

  Best Regards,

  Anna Wang

  ---

  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

  2015年5月14日 6:23

  回复

  |

  引用

  版主