Get-ACL Set-ACL删除inheritance的组

我正在尝试为这样的组设置文件夹权限：

\服务器\共享$ \ Folder1中\文件夹2

遍历Share $ – >遍历文件夹1 – >修改文件夹2

共享中有更多的文件夹，但该组不应该获得任何访问权限。这就是为什么我为$ AccessRuleTraverse中的inheritance和传播标志设置“无”，“无”。

$AccessRuleModify = New-Object System.Security.AccessControl.FileSystemAccessRule("TestGroup","Modify","ContainerInherit, ObjectInherit","None","Allow") $AccessRuleTraverse = New-Object System.Security.AccessControl.FileSystemAccessRule("TestGroup","Traverse,ListDirectory","None","None","Allow") $ACL = Get-Acl $Share $ACL.AddAccessRule($AccessRuleTraverse) $ACL | Format-List Set-Acl -Path $Share $ACL $ACLFolder1 = Get-Acl $Folder1 $ACLFolder1.AddAccessRule($AccessRuleTraverse) $ACL | Format-List Set-Acl -Path $Folder1 $ACLFolder1 $ACLFolder2 = Get-Acl $Folder2 $ACLFolder2.AddAccessRule($AccessRuleModify) $ACL | Format-List Set-Acl -Path $Folder2 $ACLFolder2

当我通过UNCpath执行此操作时，将添加TestGroup，但将删除所有inheritance的组：BUILTIN \ Administrators，SYSTEM和另一个从上面级别inheritance的AD组。如果我检查GUI的inheritance似乎启用，当我禁用和重新启用它的神秘失踪的群体回来了。

如果我添加'$ ACL | Format-List'在Set-ACL之前它返回组…

Get-Acl显示：

 Path : Microsoft.PowerShell.Core\FileSystem::\\server\tbd$\test2 Owner : BUILTIN\Administrators Group : DOMAIN\Domain Users Access : DOMAIN\admaccount Allow FullControl DOMAIN\InheritedGroup Allow FullControl NT AUTHORITY\SYSTEM Allow FullControl BUILTIN\Administrators Allow FullControl Audit : Sddl : O:BAG:DUD:AI(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)

.AddAccessRule之后：

 Path : Microsoft.PowerShell.Core\FileSystem::\\server\tbd$\test2 Owner : BUILTIN\Administrators Group : DOMAIN\Domain Users Access : DOMAIN\TestGroup Allow ReadData, ExecuteFile, Synchronize DOMAIN\admaccount Allow FullControl DOMAIN\InheritedGroup Allow FullControl NT AUTHORITY\SYSTEM Allow FullControl BUILTIN\Administrators Allow FullControl Audit : Sddl : O:BAG:DUD:AI(A;;0x100021;;;S-1-5-21-3230232255-2288239599-1684634387-61957)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)

编辑：

反馈之后，我用本地path直接在服务器上进行testing：

 $AccessRuleTraverse = New-Object System.Security.AccessControl.FileSystemAccessRule("TestGroup","Traverse,ListDirectory","None","None","Allow") $ACL = Get-Acl F:\tbd\test2 $ACL | Format-List $ACL.AddAccessRule($AccessRuleTraverse) $ACL | Format-List Set-Acl -Path F:\tbd\test2 $ACL

Get-Acl显示：

 Path : Microsoft.PowerShell.Core\FileSystem::F:\tbd\test2 Owner : BUILTIN\Administrators Group : BELGIANRAIL\Domain Users Access : BELGIANRAIL\admaccount Allow FullControl BELGIANRAIL\InheritedGroup Allow FullControl NT AUTHORITY\SYSTEM Allow FullControl BUILTIN\Administrators Allow FullControl Audit : Sddl : O:BAG:DUD:AI(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)

.AddAccessRule之后：

 Path : Microsoft.PowerShell.Core\FileSystem::F:\tbd\test2 Owner : BUILTIN\Administrators Group : BELGIANRAIL\Domain Users Access : BELGIANRAIL\TestGroup Allow ReadData, ExecuteFile, Synchronize BELGIANRAIL\admaccount Allow FullControl BELGIANRAIL\InheritedGroup Allow FullControl NT AUTHORITY\SYSTEM Allow FullControl BUILTIN\Administrators Allow FullControl Audit : Sddl : O:BAG:DUD:AI(A;;0x100021;;;S-1-5-21-3230232255-2288239599-1684634387-61957)(A;OICIID;FA;;;S-1-5-21-3230232255-2288239599-1684634387-2072)(A;OICIID;FA;;;S-1-5-21-3230232255-228823959 9-1684634387-55095)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)

它看起来像通过UNCpath一样。但最终的结果是完全不同的，本地path工作正常！我想我可以得到本地path，并启动一个远程PS会话..这将是更容易与UNCpath虽然:)