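Background:
An annoying customer wants the write permission of IUSR_LCHAS028 on folders and files removed on Windows 2008 R2. The report looks like this:
File "C:\INETPUB\WWWROOT\ESP\js\tiny_mce\plugins\searchreplace\langs". User IUSR_LCHAS028 has wrong permissions: Full access. Must have no Write access.
There are several thousand records like this in total...
This could be done through the permission management GUI, but the team lead insists on doing it with commands and a script (to look fancy?).
The boss has spoken, so there is nothing to do but get on with it...
I searched Google and found relevant material: the icacls command can do this.
=======================divider===========================
I wrote a batch script, as follows: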
```bat
::#+-------------------------------------------------------------------+
::#| = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = |
::#|{>/-------------------------------------------------------------\<}|
::#|: | Author: Anson Liu
::#| :| Email: liuzsz@cn.ibm.com/Anson.liu@live.com
::#| :| Date : 4:00:00 PM 1/15/2015
::#| :|
::#| :|
::#|: | Purpose:
::#| :| Backup, Remove, Restore the permission for folder and file.
::#|: |
::#|: |
::#| :| /^(o.o)^\ Version: 1
::#|{>\-------------------------------------------------------------/<}|
::#| = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = |
::#+-------------------------------------------------------------------+
@ECHO OFF
CLS
color 0a

:: Target folder; change it to match your environment.
:: Named TARGET_PATH because overwriting the built-in PATH variable
:: breaks command lookup for the rest of the session.
set TARGET_PATH=C:\win\
:: Location where the permission backup is stored.
set BACK_PERMISSION=c:\
GOTO MENU

:MENU
ECHO.
ECHO. =-=-=-=-=Manage the permission for folder and file=-=-=-=-=
ECHO.
ECHO. 1 Backup the permission
ECHO.
ECHO. 2 Remove the permission
ECHO.
ECHO. 3 Restore the permission
ECHO.
ECHO. 4 Exit
ECHO.
ECHO.
ECHO.
echo. Choose the number:
:: Clear the previous answer so an empty input does not repeat it.
set ID=
set /p ID=
if "%id%" == "1" goto cmd1
if "%id%" == "2" goto cmd2
if "%id%" == "3" goto cmd3
IF "%id%" == "4" exit
:: Any other input returns to the menu instead of falling through to :cmd1.
PAUSE
GOTO MENU

:cmd1
echo Backup the permission
c:\windows\system32\icacls.exe %TARGET_PATH%* /save %BACK_PERMISSION%\win_backuppemission.txt /T
goto MENU

:cmd2
echo Remove the permission
c:\windows\system32\icacls.exe %TARGET_PATH% /remove chris /T
GOTO MENU

:cmd3
echo Restore the permission
c:\windows\system32\icacls.exe %TARGET_PATH% /restore %BACK_PERMISSION%\win_backuppemission.txt
GOTO MENU
```
Notes:
set TARGET_PATH=C:\win\ is the folder whose permissions are to be removed.
set BACK_PERMISSION=c:\ is the location where the permission backup is stored.
c:\windows\system32\icacls.exe %TARGET_PATH%* /save %BACK_PERMISSION%\win_backuppemission.txt /T backs up the permissions of the win folder and of the subfolders and files under it.
c:\windows\system32\icacls.exe %TARGET_PATH% /remove chris /T removes all of Chris's permissions on the win folder, its subfolders and files.
c:\windows\system32\icacls.exe %TARGET_PATH% /restore %BACK_PERMISSION%\win_backuppemission.txt restores the user Chris's permissions on the win folder, its subfolders and files.
======================other knowledge=======================
Using iCACLS
To edit a file you must already have the "Change" ACL (or be the file's owner)
To use the iCACLS command to change the permissions of a file requires "FULL Control" (or be the file's owner)
File "Ownership" will always override all ACLs - you always have Full Control over files that you create.
Inherited folder permissions are displayed as:
OI - Object inherit - This folder and files. (no inheritance to subfolders)
CI - Container inherit - This folder and subfolders.
IO - Inherit only - The ACE does not apply to the current file/directory
These can also be combined as follows:
(OI)(CI) This folder, subfolders, and files.
(OI)(CI)(IO) Subfolders and files only.
(CI)(IO) Subfolders only.
(OI)(IO) Files only.
So BUILTIN\Administrators:(OI)(CI)F means that both files and subdirectories will inherit 'F' (Full control)
similarly (CI)R means Directories will inherit 'R' (Read folders only = List permission)
When cacls is applied to the current folder only there is no inheritance and so no output.
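To confirm the audit condition from the background ("Must have no Write access") after a change, the output of icacls can be scanned for allow ACEs that still grant write to the account, with the inheritance flags decoded as in the table above. This is an added example, not part of the original post: the sample output is constructed, the machine-qualified name LCHAS028\IUSR_LCHAS028 and the set of rights counted as "write" are assumptions.

```python
import re

# Constructed sample of `icacls C:\win /T` output (not taken from the original post).
SAMPLE = r"""C:\win BUILTIN\Administrators:(OI)(CI)(F)
       LCHAS028\IUSR_LCHAS028:(OI)(CI)(RX,W)
C:\win\js LCHAS028\IUSR_LCHAS028:(I)(OI)(CI)(RX,W)
          BUILTIN\Users:(I)(CI)R
C:\win\js\a.js LCHAS028\IUSR_LCHAS028:(DENY)(W)
               LCHAS028\IUSR_LCHAS028:(I)(F)

Successfully processed 3 files; Failed processing 0 files
"""

FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}
# Assumption: icacls simple and specific rights that count as "write" for the audit.
WRITE = {"F", "M", "W", "GA", "GW", "WD", "AD", "WEA", "WA"}
# Scope wording follows the inheritance table above; "" means no inheritance flags.
SCOPE = {"": "this object only", "OI": "this folder and files",
         "CI": "this folder and subfolders", "OICI": "this folder, subfolders, and files",
         "OICIIO": "subfolders and files only", "CIIO": "subfolders only",
         "OIIO": "files only"}

def find_write_aces(icacls_output, principal):
    """Return (path, rights, scope, inherited) for each allow ACE granting write."""
    findings, first_line = [], ""
    needle = principal.lower() + ":"
    for line in icacls_output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            first_line = line          # object path and its first ACE share one line
        pos = line.lower().find(needle)
        if pos < 0 or (pos > 0 and line[pos - 1] != " "):
            continue
        # Continuation lines are indented to the column where the first ACE starts.
        path = first_line[: indent or pos].rstrip()
        tail = line[pos + len(needle):]
        tokens = re.findall(r"\(([^)]*)\)", tail)        # (OI) (CI) (RX,W) ...
        tokens.append(re.sub(r"\([^)]*\)", "", tail))    # bare style: (OI)(CI)F
        items = {t.strip() for tok in tokens for t in tok.split(",") if t.strip()}
        rights = items - FLAGS
        if "DENY" in items or not rights & WRITE:
            continue                   # deny ACEs and grants without write are not findings
        key = "".join(f for f in ("OI", "CI", "IO") if f in items)
        findings.append((path, sorted(rights), SCOPE.get(key, "unknown"), "I" in items))
    return findings
```

Findings marked as inherited (the (I) flag) have to be corrected on the parent folder that defines the ACE, since an inherited ACE cannot be edited on the child while inheritance is enabled.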