Published 2023-12-30 (author: )

I had used this little tool before, but never looked into it closely.

Recently I have been writing a generic system configuration script. It happened to need this tool, and only then did I realise what a useful thing it is.

First, the help text.

Usage:
    [/i:] [/p:]
    [/r:]
    [/sid] [/silent]
==============================================================================
   = Any valid path to local or remote object
------------------------------------------------------------------------------
   = {/file | /dir | /printer | /registry | /service | /share}
------------------------------------------------------------------------------
   = {/deny | /grant | /set | /revoke}
------------------------------------------------------------------------------
   = User/group to grant/deny permissions for, ie. 'machine\user'
------------------------------------------------------------------------------
   /file     = {/read | /write | /read_ex | /change | /full | /traverse |
                /list_dir | /read_attributes | /read_ea | /add_file |
                /add_subdir | /write_attributes | /write_ea |
                /delete_child | /delete | /read_dacl | /write_dacl |
                /write_owner}
   ........................................................................
   /dir      = {/read | /write | /list_folder | /read_ex | /change |
                /profile | /full | /traverse | /list_dir |
                /read_attributes | /read_ea | /add_file | /add_subdir |
                /write_attributes | /write_ea | /delete_child | /delete |
                /read_dacl | /write_dacl | /write_owner}
   ........................................................................
   /printer  = {/print | /man_printer | /man_docs | /full}
   ........................................................................
   /registry = {/read | /full | /query_val | /set_val | /create_subkey |
                /enum_subkeys | /notify | /create_link | /delete |
                /write_dacl | /write_owner | /read_access}
   ........................................................................
   /service  = {/read | /start_stop | /full}
   ........................................................................
   /share    = {/read | /change | /full}
------------------------------------------------------------------------------
   = {cont_obj_inh | cont_inh | obj_inh | no_prop_inh |
      inh_only_obj | inh_only_cont | inh_only_cont_obj}
------------------------------------------------------------------------------
   = {yes | no_copy | no_dont_copy}
------------------------------------------------------------------------------
   = {cont_obj | cont | obj}
     (Only for reg keys and directories) Walk down the tree and set permissions on
     every key, directory and every file {cont_obj}, on every key and directory
     {cont}, or on every file {obj}. Only needed on NT4 and in special cases.
------------------------------------------------------------------------------
   /sid    : parameter is a SID, not an account/group name.
             Well-known SIDs can be used.
------------------------------------------------------------------------------
   /silent : No output whatsoever is displayed if the number of
             parameters passed is correct.
==============================================================================
If not specified, inheritance is always set to values which suit the cause.
Using your own settings can result in undesired permissions. Beware!
Also, 'inherit from parent' is set to 'yes' if not specified.

-O-P-T-I-O-N-S--------------------------------------------------------
-on    ObjectName    the object to set permissions on
-ot    ObjectType    the object type, e.g. file, reg
-actn  Action        the action(s) to perform
-ace   "n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where"
       (n: target user; p: permissions to grant; s: Y|N, set to Y when the value of n is a SID, default N)
-trst  "n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where"
-dom   "n1:Domain;n2:Domain;da:DomainAction;w:Where"
-ownr  "n:Trustee;s:IsSID"    owner: the user name of the target user
-grp   "n:Trustee;s:IsSID"
-rec   Recursion     recursion option (the default seems to be cont_obj); just put it at the end
-op    "dacl:Protection;sacl:Protection"    inheritance option; it seems to take effect only when followed by -actn setprot. Example: -op "dacl:p_nc;sacl:p_nc" -actn setprot
-rst   Where         parameter for propagating permissions to child objects. Example: -actn rstchldrn -rst "dacl,sacl"
-lst   "f:Format;w:What;i:ListInherited;s:DisplaySID"
-bckp  Filename
-log   Filename
-fltr  Keyword
-clr   Where         parameter for the clear action. Example: -actn clear -clr "dacl,sacl"
-silent
-ignoreerr

-P-A-R-A-M-E-T-E-R-S-------------------------------------------------
ObjectName:    Name of the object to process (e.g. 'c:\mydir').
               (The object to operate on; it can be any of the objects defined under ObjectType.)
ObjectType:    Type of object:
               file: Directory/file
               reg:  Registry key
               srv:  Service
               prn:  Printer
               shr:  Network share
Action:        Action(s) to perform:
               ace:       Process ACEs specified by parameter(s) '-ace'.
                          (Marks that a permission-assignment action is wanted.)
               trustee:   Process trustee(s) specified by parameter(s) '-trst'.
                          (The trustee, i.e. the user the permissions are assigned to.)
               domain:    Process domain(s) specified by parameter(s) '-dom'.
                          (Domain.)
               list:      List permissions. A backup file can be specified by
                          parameter '-bckp'. Controlled by parameter '-lst'.
                          (Lists the detailed permissions of the target object.)
               restore:   Restore entire security descriptors backed up using
                          the list function. A file containing the backup has
                          to be specified using the parameter '-bckp'. The
                          listing has to be in SDDL format.
                          (Restores the detailed permission backup held in a file.)
               setowner:  Set the owner to trustee specified by parameter '-ownr'.
                          (The target of the assignment.)
               setgroup:  Set the primary group to trustee specified by parameter '-grp'.
               clear:     Clear the ACL of any non-inherited ACEs. The parameter
                          '-clr' controls whether to do this for the DACL, the
                          SACL, or both.
                          (Removes all existing permissions so they can be set afresh; must be combined with -clr.)
               setprot:   Set the flag 'allow inheritable permissions from the
                          parent object to propagate to this object' to the
                          value specified by parameter '-op'.
                          (Changes the "allow inheritable permissions from the parent to propagate to this object" flag. It follows the -op parameter; without it, the -op option seems to have no effect.)
               rstchldrn: Reset permissions on all sub-objects and enable
                          propagation of inherited permissions. The parameter
                          '-rst' controls whether to do this for the DACL, the
                          SACL, or both.
                          (Propagates the permissions to child objects.)
TrusteeAction: Action to perform on trustee specified:
               remtrst:   Remove all ACEs belonging to trustee specified.
                          (Removes all permissions of the specified user.)
               repltrst:  Replace trustee 'n1' by 'n2' in all ACEs.
                          (Replaces n1 with n2 in all permissions.)
               cpytrst:   Copy the permissions for trustee 'n1' to 'n2'.
                          (Copies n1's permissions to n2.)
DomainAction:  Action to perform on domain specified:
               remdom:    Remove all ACEs belonging to trustees of domain specified.
                          (Removes the permissions of the users of the specified domain.)
               repldom:   Replace trustees from domain 'n1' by trustees with
                          same name from domain 'n2' in all ACEs.
                          (Replaces permissions within a domain or across domains.)
               cpydom:    Copy permissions from trustees from domain 'n1' to
                          trustees with same name from domain 'n2' in all ACEs.
                          (Copies permissions within a domain or across domains.)
Trustee:       Name or SID of trustee (user or group). Format:
               (Can be a user name or a SID.)
               a) [(computer | domain)\]name
                  Where:
                  computer: DNS or NetBIOS name of a computer -> 'name' must
                            be a local account on that computer.
                  domain:   DNS or NetBIOS name of a domain -> 'name' must
                            be a domain user or group.
                  name:     user or group name
                  If no computer or domain name is given, SetACL tries to find
                  a SID for 'name' in the following order:
                  (If no computer or domain is given, it automatically looks for an account matching the following, in order:)
                  1. built-in accounts and well-known SIDs (built-in accounts or fixed SIDs)
                  2. local accounts
                  3. primary domain
                  4. trusted domains
               b) SID string
Domain:        Name of a domain (NetBIOS or DNS name).
Permission:    Permission to set. Validity of permissions depends on the
               object type (see below). Comma separated list.
               (Simply the valid permissions.)
               Example: 'read,write_ea,write_dacl'
IsSID:         Is the trustee name a SID?
               (Set to Y when the value of n is a SID; default N.)
               y: Yes
               n: No
DisplaySID:    Display trustee names as SIDs? (Show SIDs.)
               y: Yes
               n: No
               b: Both (names and SIDs)
Inheritance:   Inheritance flags for the ACE. This may be a comma separated
               list containing the following: (inheritance flags)
               so: sub-objects (child objects)
               sc: sub-containers (containers)
               np: no propagation (no inheritance, i.e. the current directory only)
               io: inherit only
               Example: 'io,so'

Mode:          Access mode of this ACE:
               (dacl: Discretionary Access Control List, controls data access permissions;
                sacl: System Access Control List, controls audit permissions)
               a) DACL:
                  set:      Replace all permissions for given trustee by those
                            specified. (Resets all permissions.)
                  grant:    Add permissions specified to existing permissions
                            for given trustee. (Adds permissions.)
                  deny:     Deny permissions specified. (Sets a deny.)
                  revoke:   Remove permissions specified from existing
                            permissions for given trustee. (Removes the specified permissions.)
               b) SACL:
                  aud_succ: Add an audit success ACE. (Enables audit-success logging.)
                  aud_fail: Add an audit failure ACE. (Enables audit-failure logging.)
                  revoke:   Remove permissions specified from existing
                            permissions for given trustee.
Where:         Apply settings to DACL, SACL, or both (comma separated list):
               dacl
               sacl
               dacl,sacl
Recursion:     Recursion settings, depends on object type: (depends on the object type)
               a) file: (recursion settings for files)
                  no:       No recursion. (No recursion.)
                  cont:     Recurse, and process directories only. (Applied to directories only.)
                  obj:      Recurse, and process files only. (Applied to files only.)
                  cont_obj: Recurse, and process directories and files. (Applied to directories and files.)
               b) reg: (registry)
                  no:       Do not recurse. (No recursion.)
                  yes:      Do Recurse. (Recurse.)
Protection:    Controls the flag 'allow inheritable permissions from the
               parent object to propagate to this object':
               nc:   Do not change the current setting. (Leaves the setting unchanged.)
               np:   Object is not protected, i.e. inherits from parent.
                     (Inherits the parent directory's permissions.)
               p_c:  Object is protected, ACEs from parent are copied.
                     (Inherits the parent directory's permissions, and adds permissions.)
               p_nc: Object is protected, ACEs from parent are not copied.
                     (Does not inherit the parent directory's permissions, i.e. the flag is cleared.)
Format:        Which list format to use:
               sddl: Standardized SDDL format. Only listings in this format
                     can be restored.
               csv:  SetACL's csv format.
               tab:  SetACL's tabular format.
What:          Which components of security descriptors to include in the
               listing (comma separated list):
               (Which parts of the security descriptor the backup file contains.)
               d: DACL
               s: SACL
               o: Owner
               g: Primary group
               Example: 'd,s'

ListInherited: List inherited permissions?
               y: Yes
               n: No
Filename:      Name of a (unicode) file used for list/backup/restore
               operations or logging.
Keyword:       Keyword to filter object names by. Names containing this
               keyword are not processed.

-R-E-M-A-R-K-S--------------------------------------------------------
Required parameters (all others are optional):
   -on   (Object name)
   -ot   (Object type)
Parameters that may be specified more than once:
   -actn (Action)
   -ace  (Access control entry)
   -trst (Trustee)
   -dom  (Domain)
   -fltr (Filter keyword) (names containing the keyword)
Only actions specified by parameter(s) '-actn' are actually performed,
regardless of the other options set.
Order in which multiple actions are processed:
   1. restore
   2. clear
   3. trustee
   4. domain
   5. ace, setowner, setgroup, setprot
   6. rstchldrn
   7. list

-V-A-L-I-D--P-E-R-M-I-S-S-I-O-N-S-------------------------------------
a) Standard permission sets (combinations of specific permissions)
   Files / Directories:
      read:          Read
      write:         Write
      list_folder:   List folder
      read_ex:       Read, execute
      change:        Change
      profile:       = change + write_dacl
      full:          Full access
   Printers:
      print:         Print
      man_printer:   Manage printer
      man_docs:      Manage documents
      full:          Full access
   Registry:
      read:          Read
      full:          Full access
   Service:
      read:          Read
      start_stop:    Start / Stop
      full:          Full access
   Share:
      read:          Read
      change:        Change
      full:          Full access
b) Specific permissions
   Files / Directories:
      traverse:      Traverse folder / execute file
      list_dir:      List folder / read data
      read_attr:     Read attributes
      read_ea:       Read extended attributes
      add_file:      Create files / write data
      add_subdir:    Create folders / append data
      write_attr:    Write attributes
      write_ea:      Write extended attributes
      del_child:     Delete subfolders and files
      delete:        Delete
      read_dacl:     Read permissions
      write_dacl:    Write permissions
      write_owner:   Take ownership
   Registry:
      query_val:     Query value
      set_val:       Set value
      create_subkey: Create subkeys
      enum_subkeys:  Enumerate subkeys
      notify:        Notify
      create_link:   Create link
      delete:        Delete
      write_dacl:    Write permissions
      write_owner:   Take ownership
      read_access:   Read control
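The help text above gives a configuration script everything it needs to drive SetACL without guessing: the field layout of the -ace value, the permission names that are valid for each object type, the recursion values each type accepts, and the rule that 'restore' only accepts an SDDL listing produced by 'list'. The following Python wrapper is an added example, not SetACL's own code and not part of the original post; the SetACL.exe path, the object paths, the backup and log file names and the sample trustees are assumptions. It validates every -ace field against the tables from the help text before building the command line, and always emits a 'list' backup in SDDL format before the 'ace' change so the previous permissions can be put back with 'restore'.

```python
"""Validated SetACL 2.x command builder for a configuration script.

Added example, not SetACL's own code. Option names and the value sets
checked here come from the SetACL help text reproduced on this page;
the SetACL.exe path and the sample object names are assumptions.
"""
import subprocess
from typing import Iterable, List, Optional

SETACL_EXE = r"C:\tools\SetACL.exe"  # assumed install location

# Valid permission names per ObjectType (standard sets + specific permissions).
VALID_PERMS = {
    "file": {"read", "write", "list_folder", "read_ex", "change", "profile",
             "full", "traverse", "list_dir", "read_attr", "read_ea", "add_file",
             "add_subdir", "write_attr", "write_ea", "del_child", "delete",
             "read_dacl", "write_dacl", "write_owner"},
    "reg": {"read", "full", "query_val", "set_val", "create_subkey",
            "enum_subkeys", "notify", "create_link", "delete", "write_dacl",
            "write_owner", "read_access"},
    "srv": {"read", "start_stop", "full"},
    "prn": {"print", "man_printer", "man_docs", "full"},
    "shr": {"read", "change", "full"},
}
# Mode values allowed for each list, and the inheritance / recursion vocab.
MODES = {"dacl": {"set", "grant", "deny", "revoke"},
         "sacl": {"aud_succ", "aud_fail", "revoke"}}
INHERIT_FLAGS = {"so", "sc", "np", "io"}
RECURSION = {"file": {"no", "cont", "obj", "cont_obj"}, "reg": {"no", "yes"}}


def build_ace(trustee: str, perms: Iterable[str], obj_type: str = "file",
              mode: str = "grant", inherit: Iterable[str] = ("so", "sc"),
              where: str = "dacl", is_sid: bool = False) -> str:
    """Build one -ace value 'n:..;p:..;s:..;i:..;m:..;w:..', rejecting values
    the help text does not list for this object type or ACL."""
    perms, inherit = list(perms), list(inherit)
    if obj_type not in VALID_PERMS:
        raise ValueError(f"unknown object type {obj_type!r}")
    bad = set(perms) - VALID_PERMS[obj_type]
    if not perms or bad:
        raise ValueError(f"invalid permission(s) for {obj_type}: {sorted(bad)}")
    if where not in MODES or mode not in MODES[where]:
        raise ValueError(f"mode {mode!r} is not valid for {where!r}")
    if set(inherit) - INHERIT_FLAGS:
        raise ValueError(f"invalid inheritance flag(s): {sorted(set(inherit) - INHERIT_FLAGS)}")
    return ";".join([f"n:{trustee}", f"p:{','.join(perms)}",
                     f"s:{'y' if is_sid else 'n'}", f"i:{','.join(inherit)}",
                     f"m:{mode}", f"w:{where}"])


def list_command(obj: str, obj_type: str, backup_file: str) -> List[str]:
    """'list' in SDDL format into a backup file: the only format 'restore' accepts."""
    return [SETACL_EXE, "-on", obj, "-ot", obj_type, "-actn", "list",
            "-lst", "f:sddl;w:d,s,o,g", "-bckp", backup_file]


def ace_command(obj: str, obj_type: str, aces: Iterable[str],
                recursion: Optional[str] = None, log: Optional[str] = None) -> List[str]:
    """'ace' action with one -ace per entry; -rec only with values the help defines."""
    argv = [SETACL_EXE, "-on", obj, "-ot", obj_type, "-actn", "ace"]
    for ace in aces:
        argv += ["-ace", ace]
    if recursion is not None:
        if recursion not in RECURSION.get(obj_type, set()):
            raise ValueError(f"recursion {recursion!r} is not valid for {obj_type!r}")
        argv += ["-rec", recursion]
    if log:
        argv += ["-log", log]
    return argv


def restore_command(obj: str, obj_type: str, backup_file: str) -> List[str]:
    """Put the backed-up security descriptor back (rollback path)."""
    return [SETACL_EXE, "-on", obj, "-ot", obj_type, "-actn", "restore", "-bckp", backup_file]


def plan_change(obj: str, obj_type: str, aces: Iterable[str], backup_file: str,
                recursion: Optional[str] = None, log: Optional[str] = None) -> List[List[str]]:
    """Backup first, then change, so the pre-change listing always exists."""
    return [list_command(obj, obj_type, backup_file),
            ace_command(obj, obj_type, aces, recursion, log)]


def to_cmdline(argv: List[str]) -> str:
    """Windows-style quoting of an argv list, for logging or a .cmd file."""
    return subprocess.list2cmdline(argv)


def execute(plan: List[List[str]]) -> int:
    """Run the plan in order and stop at the first non-zero exit code."""
    for argv in plan:
        rc = subprocess.run(argv, check=False).returncode
        if rc != 0:
            return rc
    return 0


if __name__ == "__main__":
    aces = [build_ace(r"BUILTIN\Users", ["read_ex"]),                 # by account name
            build_ace("S-1-5-32-544", ["full"], is_sid=True)]        # well-known Administrators SID
    for argv in plan_change(r"C:\app\config", "file", aces, r"C:\app\config.sddl",
                            recursion="cont_obj", log=r"C:\app\setacl.log"):
        print(to_cmdline(argv))
```

The builder deliberately refuses anything outside the documented vocabulary (a service permission on a file object, an audit mode on the DACL, a 'cont_obj' recursion on a registry key) rather than passing it through, so a typo in the script fails before SetACL touches the object; the rollback command is `restore_command(obj, obj_type, backup_file)` with the same backup file the plan wrote.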
