Background:
An annoying customer on Windows 2008 R2 wants the write permission of IUSR_LCHAS028 on folders and files removed. For example:
File "C:\INETPUB\WWWROOT\ESP\js\tiny_mce\plugins\searchreplace\langs". User IUSR_LCHAS028 has wrong permissions: Full access. Must have no Write access.
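There are several thousand such records in total...
This could be done with the permission management GUI, but the team lead insisted on using commands and a script (to look fancy?).
The boss has spoken, so there was nothing for it but to get started...
I searched Google and found relevant material: the icacls command can do this.
=======================divider line===========================
I wrote a batch script, as follows: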
::#+-------------------------------------------------------------------+
::#| = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = |
::#|{>/-------------------------------------------------------------\<}|
::#|: | Author: Anson Liu
::#| :| Email: [email protected]/[email protected]
::#| :| Date: 4:00:00 PM 1/15/2015
::#| :|
::#| :|
::#|: | Purpose:
::#| :| Backup, Remove, Restore the permission for folder and file.
::#|: |
::#|: |
::#| :| /^(o.o)^\ Version: 1
::#|{>\-------------------------------------------------------------/<}|
::#| = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = : = |
::#+-------------------------------------------------------------------+
@ECHO OFF
::keep the variables below local to this script
SETLOCAL
CLS
color 0a
::set variable for path
::change to the target path according to your environment
::(not named PATH, which would overwrite the system search path)
set TARGET_PATH=C:\win\
::change to the location for backup permission
set BACK_PERMISSION=c:\
GOTO MENU

:MENU
ECHO.
ECHO. =-=-=-=-=Manage the permission for folder and file=-=-=-=-=
ECHO.
ECHO. 1 Backup the permission
ECHO.
ECHO. 2 Remove the permission
ECHO.
ECHO. 3 Restore the permission
ECHO.
ECHO. 4 Exit
ECHO.
ECHO.
ECHO.
echo. Choose the number:
::clear the previous answer so that an empty input is not reused
set "ID="
set /p ID=
if "%ID%"=="1" goto cmd1
if "%ID%"=="2" goto cmd2
if "%ID%"=="3" goto cmd3
IF "%ID%"=="4" exit
::any other input: wait for a key, then show the menu again
PAUSE
GOTO MENU

:cmd1
echo Backup the permission
c:\windows\system32\icacls.exe %TARGET_PATH%* /save %BACK_PERMISSION%\win_backuppemission.txt /T
goto MENU

:cmd2
echo Remove the permission
c:\windows\system32\icacls.exe %TARGET_PATH% /remove chris /T
GOTO MENU

:cmd3
echo Restore the permission
c:\windows\system32\icacls.exe %TARGET_PATH% /restore %BACK_PERMISSION%\win_backuppemission.txt
GOTO MENU

Notes
::set variable
set TARGET_PATH=C:\win\ (set this to the folder whose permissions are to be removed)
set BACK_PERMISSION=c:\ (this is the location of the permission backup)
c:\windows\system32\icacls.exe %TARGET_PATH%* /save %BACK_PERMISSION%\win_backuppemission.txt /T
This command backs up the permissions of the win folder and of the subfolders and files below it.
c:\windows\system32\icacls.exe %TARGET_PATH% /remove chris /T
This command removes all of user chris's permissions on the win folder, its subfolders and files.
c:\windows\system32\icacls.exe %TARGET_PATH% /restore %BACK_PERMISSION%\win_backuppemission.txt
This command restores user chris's permissions on the win folder, its subfolders and files from the backup.
======================other knowledge=======================
Using iCACLS
To edit a file you must already have the "Change" ACL (or be the file's owner).
Using the iCACLS command to change the permissions of a file requires "FULL Control" (or being the file's owner).
File "Ownership" will always override all ACLs - you always have Full Control over files that you create.
Inherited folder permissions are displayed as:
OI - Object inherit - This folder and files. (no inheritance to subfolders)
CI - Container inherit - This folder and subfolders.
IO - Inherit only - The ACE does not apply to the current file/directory

These can also be combined as follows:
(OI)(CI) This folder, subfolders, and files.
(OI)(CI)(IO) Subfolders and files only.
(CI)(IO) Subfolders only.
(OI)(IO) Files only.
So BUILTIN\Administrators:(OI)(CI)F means that both files and subdirectories will inherit 'F' (Full control).
Similarly, (CI)R means directories will inherit 'R' (Read folders only = List permission).
When cacls is applied to the current folder only, there is no inheritance and so no output.
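Added example (not part of the original post, and not icacls's own code): a small Python parser that decodes ACE strings such as BUILTIN\Administrators:(OI)(CI)F with the flag table above and reports which ACEs still give an account write access, for re-checking the audit finding after the script has run. The sample ACEs, the LCHAS028\ prefix and the set of rights counted as write-capable are assumptions of this example; access gained through group membership is not evaluated.

```python
import re

# Scope wording for the inheritance-flag combinations listed on this page.
SCOPE = {
    frozenset(): "this object only",
    frozenset({"OI"}): "this folder and files",
    frozenset({"CI"}): "this folder and subfolders",
    frozenset({"OI", "CI"}): "this folder, subfolders, and files",
    frozenset({"OI", "CI", "IO"}): "subfolders and files only",
    frozenset({"CI", "IO"}): "subfolders only",
    frozenset({"OI", "IO"}): "files only",
}
FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}  # non-right tokens icacls prints
# Assumption of this example: which icacls rights count as "write access".
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WEA", "WA"}

def parse_ace(ace):
    """Parse 'DOMAIN\\user:(OI)(CI)(RX,W)' or the bare form '...:(OI)(CI)F'."""
    who, _, spec = ace.strip().rpartition(":")
    groups = re.findall(r"\(([^)]*)\)", spec)
    bare = re.sub(r"\([^)]*\)", "", spec).strip()  # rights written outside ()
    flags = {g for g in groups if g in FLAGS}
    rights = {r for g in groups + [bare] if g not in FLAGS for r in g.split(",") if r}
    scope = SCOPE.get(frozenset(flags & {"OI", "CI", "IO"}), "unlisted combination")
    return {"who": who, "flags": flags, "rights": rights, "scope": scope}

def write_findings(aces, account):
    """Return the allow ACEs naming `account` itself that still permit writing."""
    findings = []
    for ace in map(parse_ace, aces):
        name = ace["who"].rsplit("\\", 1)[-1].lower()
        bad = ace["rights"] & WRITE_RIGHTS
        if name != account.lower() or "DENY" in ace["flags"] or not bad:
            continue
        # (I) marks an ACE inherited from a parent folder: fix it at the parent.
        source = "inherited" if "I" in ace["flags"] else "explicit"
        findings.append((source, ace["scope"], sorted(bad)))
    return findings

# Constructed sample: ACE strings as icacls prints them for one folder.
SAMPLE = [
    r"BUILTIN\Administrators:(OI)(CI)F",
    r"LCHAS028\IUSR_LCHAS028:(I)(OI)(CI)(RX,W)",
    r"LCHAS028\IUSR_LCHAS028:(CI)(IO)(M)",
    r"LCHAS028\IUSR_LCHAS028:(RX)",
]

if __name__ == "__main__":
    print(write_findings(SAMPLE, "IUSR_LCHAS028"))
```

An empty result for every object in the tree means no ACE naming the account still carries one of the listed write rights.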
reference:
http://www.bingd.com/blog/html/ICACLS.htm
http://ss64.com/nt/icacls.html