2012-07-13 70 views
0

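PowerShell: remove all permissions on a directory for all users

I have to remove all permissions of all ordinary users (i.e. non-administrators) on a directory (and its subdirectories and files).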

I tried the following in PowerShell, but nothing happens:

New-Item "C:\Test" -type Directory 
$acl=get-acl "C:\Test" 
$inherit=[system.security.accesscontrol.InheritanceFlags]"ContainerInherit,ObjectInherit" 
$propagation=[system.security.accesscontrol.PropagationFlags]"None"
$ar=New-Object system.security.accesscontrol.FileSystemAccessRule("Users","FullControl",$inherit,$propagation,"Allow") 
$acl.RemoveAccessRuleAll($ar) 
Set-Acl "C:\Test" $acl 

If I try with $env:computername\Users (instead of just Users) I get the following error: Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated."

What identity do I have to pass in order to identify all users?

Answers

0

First, did you actually try:

$($env:computername\Users) 

You can try:

$(WinNT://WORKGROUP/$env:computername/Utilisateurs) 

and take a look at:

$obj = [ADSI]"WinNT://$env:COMPUTERNAME" 
$obj.children | where {$_.name -eq "users"} | fl *

3

This will do it:

function AddNTFSPermissions($path, $object, $permission) { 
    $FileSystemRights = [System.Security.AccessControl.FileSystemRights]$permission 
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit" 
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]"None" 
    $AccessControlType =[System.Security.AccessControl.AccessControlType]::Allow 
    $Account = New-Object System.Security.Principal.NTAccount($object) 
    $FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $FileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType) 
    $DirectorySecurity = Get-ACL $path 
    $DirectorySecurity.AddAccessRule($FileSystemAccessRule) 
    Set-ACL $path -AclObject $DirectorySecurity 
} 

function RemoveNTFSPermissions($path, $object, $permission) { 
    $FileSystemRights = [System.Security.AccessControl.FileSystemRights]$permission 
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit" 
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]"None" 
    $AccessControlType =[System.Security.AccessControl.AccessControlType]::Allow 
    $Account = New-Object System.Security.Principal.NTAccount($object) 
    $FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $FileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType) 
    $DirectorySecurity = Get-ACL $path 
    $DirectorySecurity.RemoveAccessRuleAll($FileSystemAccessRule) 
    Set-ACL $path -AclObject $DirectorySecurity 
} 

function RemoveInheritance($path) { 
    $isProtected = $true 
    $preserveInheritance = $true 
    $DirectorySecurity = Get-ACL $path 
    $DirectorySecurity.SetAccessRuleProtection($isProtected, $preserveInheritance) 
    Set-ACL $path -AclObject $DirectorySecurity 
} 

# Create folder 
$Path = "C:\Test" 
New-Item $Path -Type Directory 

# Remove permissions 
RemoveInheritance $Path 
RemoveNTFSPermissions $Path "Authenticated Users" "Modify, ChangePermissions" 
RemoveNTFSPermissions $Path "Users" "Modify, ChangePermissions" 
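
An added example, not part of the question or of either answer: RemoveAccessRuleAll only affects explicit ACEs, so entries a folder inherits from its parent survive until inheritance is broken and they are copied as explicit entries. The sketch below does that and then purges every identity except a keep-list, working on SIDs so that localized group names (such as "Utilisateurs") never need translating. The function name Remove-NonAdminAccess and the parameter $KeepSids are assumptions made for this example.

```powershell
# Added example. Remove-NonAdminAccess and $KeepSids are hypothetical names.
function Remove-NonAdminAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Well-known SIDs to keep: BUILTIN\Administrators and NT AUTHORITY\SYSTEM
        [string[]] $KeepSids = @('S-1-5-32-544', 'S-1-5-18')
    )

    $acl = Get-Acl -LiteralPath $Path

    # Inherited ACEs cannot be removed on the child object. Protect the ACL and
    # keep copies of the inherited ACEs as explicit ones
    # (isProtected = $true, preserveInheritance = $true).
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-read: the copied ACEs only exist once the change has been written.
    $acl = Get-Acl -LiteralPath $Path

    # Enumerate explicit ACEs with identities expressed as SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = $acl.GetAccessRules($true, $false, $sidType)
    $sids    = $rules | ForEach-Object { $_.IdentityReference } |
               Sort-Object Value -Unique

    $removed = @()
    foreach ($sid in $sids) {
        if ($KeepSids -notcontains $sid.Value) {
            # Drops every Allow and Deny ACE held by this identity.
            $acl.PurgeAccessRules($sid)
            $removed += $sid.Value
        }
    }

    Set-Acl -LiteralPath $Path -AclObject $acl
    return $removed   # SIDs whose access was removed
}

# Usage, with the directory from the question:
#   Remove-NonAdminAccess -Path 'C:\Test'
# Check the result:
#   (Get-Acl 'C:\Test').Access | Format-Table IdentityReference, FileSystemRights, IsInherited
```

Run it from an elevated session, since the calling account loses its own non-admin entries as well. Existing children pick up the change through inheritance, but a child that has its own explicit ACEs or a protected ACL keeps them and has to be processed separately.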