背景介绍:
蛋疼客户Windows 2008 R2移除IUSR_LCHAS028针对文件夹和文件的写权限。如下:
|
1
|
File "C:\INETPUB\WWWROOT\ESP\js\tiny_mce\plugins\searchreplace\langs". User IUSR_LCHAS028 has wrong permissions: Full access. Must have no Write access.
|
一共好几千条的记录。。。
可以通过使用图形界面的权限管理来完成,但teamlead非要使用命令和脚本来实现(显得高大上?)
Boss发话了,只能开搞了...........
去Google上搜了下,有相关资料。。。使用命令icacls来实现。
=======================我是分割线===========================
写了个批处理脚本,如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
::#+-------------------------------------------------------------------+
::#| = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = |
::#|{>/-------------------------------------------------------------\<}|
::#|: | Author: Anson Liu
::#| :| Email: liuzsz@cn.ibm.com/Anson.liu@live.com
::#| :|
Date
: 4:00:00 PM 1/15/2015
::#| :|
::#| :|
::#|: | Purpose:
::#| :| Backup, Remove, Restore the permission for folder and file.
::#|: |
::#|: |
::#| :| /^(o.o)^\ Version: 1
::#|{>\-------------------------------------------------------------/<}|
::#| = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = |
::#+-------------------------------------------------------------------+
cls
@ECHO OFF
CLS
color 0a
::set variable for path
set PATH=C:\win\ ::change to the target path according your environment
set BACK_PERMISSION=c:\ ::change to the location for backup permission
GOTO MENU
:MENU
ECHO.
ECHO. =-=-=-=-=Manage the permission for folder and file=-=-=-=-=
ECHO.
ECHO. 1 Backup the permission
ECHO.
ECHO. 2 Remove the permission
ECHO.
ECHO. 3 Restore the permission
ECHO.
ECHO. 4
Exit
ECHO.
ECHO.
ECHO.
echo. Choose the number:
set /p ID=
if
"%id%"
==
"1"
goto cmd1
if
"%id%"
==
"2"
goto cmd2
if
"%id%"
==
"3"
goto cmd3
IF
"%id%"
==
"4"
exit
PAUSE
:cmd1
echo Backup the permission
c:\windows\system32\icacls.exe %PATH%* /save %bACK_PERMISSION%\win_backuppemission.txt /T
goto MENU
:cmd2
echo Remove the permission
c:\windows\system32\icacls.exe %PATH% /remove chris /T
GOTO MENU
:cmd3
echo Restore the permission
c:\windows\system32\icacls.exe %PATH% /restore %bACK_PERMISSION%\win_backuppemission.txt
GOTO MENU
|
注意
::set variable
set PATH=C:\win\ 设置为需要移除的文件夹
set BACK_PERMISSION=c:\ 这个为权限备份位置
c:\windows\system32\icacls.exe %PATH%* /save %bACK_PERMISSION%\win_backuppemission.txt /T
这条命令备份win文件夹及下面子文件夹和文件的权限。
c:\windows\system32\icacls.exe %PATH% /remove chris /T
此条命令是移除Chris针对win文件夹,子文件夹及文件的所有权限。
c:\windows\system32\icacls.exe %PATH% /restore %bACK_PERMISSION%\win_backuppemission.txt
还原用户Chris对win文件夹,子文件夹及文件的权限。
======================other knowledge=======================
Using iCACLS
-
To edit a file you must already have the "Change" ACL (or be the file's owner)
-
To use the iCACLS command to change the permissions of a file requires "FULL Control" (or be the file's owner)
-
File "Ownership" will always override all ACL's - you always have Full Control over files that you create.
Inherited folder permissions are displayed as:
OI - Object inherit - This folder and files. (no inheritance to subfolders) CI - Container inherit - This folder and subfolders. IO - Inherit only - The ACE does not apply to the current file/directory These can also be combined as folllows: (OI)(CI) This folder, subfolders, and files. (OI)(CI)(IO) Subfolders and files only. (CI)(IO) Subfolders only. (OI) (IO) Files only.
So BUILTIN\Administrators:(OI)(CI)F means that both files and Subdirectories will inherit 'F' (Fullcontrol)
similarly (CI)R means Directories will inherit 'R' (Read folders only = List permission)
When cacls is applied to the current folder only there is no inheritance and so no output.
reference:
http://www.bingd.com/blog/html/ICACLS.htm
1214
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
