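I'm trying to create a registry key and some values, then turn off inheritance and set the permissions (actually, no permissions). Can this be done on keys and values that you create?
I've seen lots of posts about turning inheritance on, but not much about turning it off and setting no permissions. I know, "why would you want to do this?", but it's a partner requirement.
The code below creates the objects but doesn't seem to do anything with the permissions. While this isn't the end state, it does nothing because inheritance is turned on. So what I need is to disable inheritance and set no permissions.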
$ResgistryKeyPath = "HKLM:\Software\Policies\Microsoft\Windows\RTestBob"
New-Item $ResgistryKeyPath -Force
New-ItemProperty -Path $ResgistryKeyPath -Propertytype DWORD -Name Deny_Write -Value 1 -Force | Out-Null
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain Admins", "FullControl", "Allow")
$AddACL = New-Object System.Security.AccessControl.RegistryAccessRule ("auth\me", "FullControl", "ObjectInherit,ContainerInherit", "None", "Allow")
This is actually the answer, right or wrong, from the standpoint that it works.
# Load Windows Forms, which provides the MessageBox used below
Add-Type -AssemblyName System.Windows.Forms
# Make cmdlet errors terminating so the Catch blocks actually run
$ErrorActionPreference = 'Stop'
#Set some variables
$RegistryKeyPath1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
$RegistryKeyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
$DisableInheritance = $true
$PreserveInheritanceIfDisabled = $true
#Create the registry keys
Try {
    New-Item $RegistryKeyPath1 -Force | Out-Null
    New-ItemProperty -Path $RegistryKeyPath1 -PropertyType DWORD -Name Deny_Write -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RegistryKeyPath1 -PropertyType DWORD -Name Deny_Read -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RegistryKeyPath1 -PropertyType DWORD -Name Deny_Execute -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RegistryKeyPath -PropertyType DWORD -Name Deny_All -Value 1 -Force | Out-Null
}
Catch
{
    [System.Windows.Forms.MessageBox]::Show('Key exists and an error has occurred. Please check the registry manually in this location','Error','OKCancel','Error') ; exit
}
Try {
    #Remove Inheritance - Inheritance is removed from both keys so that if one is done the other will have to be also.
    $acl = Get-Acl $RegistryKeyPath1
    $acl.SetAccessRuleProtection($DisableInheritance, $PreserveInheritanceIfDisabled)
    Set-Acl $RegistryKeyPath1 $acl
    $acl1 = Get-Acl $RegistryKeyPath
    $acl1.SetAccessRuleProtection($DisableInheritance, $PreserveInheritanceIfDisabled)
    Set-Acl $RegistryKeyPath $acl1
    #Remove Permissions
    $aclPerm1 = Get-Acl $RegistryKeyPath1
    $aclPerm1.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
    Set-Acl $RegistryKeyPath1 $aclPerm1
    $aclPerm1.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
    Set-Acl $RegistryKeyPath1 $aclPerm1
    $aclPerm = Get-Acl $RegistryKeyPath
    $aclPerm.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
    Set-Acl $RegistryKeyPath $aclPerm
    $aclPerm.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
    Set-Acl $RegistryKeyPath $aclPerm
    [System.Windows.Forms.MessageBox]::Show('Successfully Implemented!','Success','OKCancel','Information')
}
Catch
{
    [System.Windows.Forms.MessageBox]::Show('An error has occurred. Please check the registry manually in this location','Error','OKCancel','Error')
}
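@Bob: Thank you very much. I spent hours trying to figure out why my code wasn't working. It seems that, as you did, a new ACL object has to be used each time.
I think this is a bad garbage collector in PowerShell. Why can't you reuse the variable?
So, this doesn't work:
That's because you are reusing the same variable. I think this is a bad garbage collector in PowerShell.
I found a better way that avoids using lots of variables for the same thing: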
# Load Windows Forms, which provides the MessageBox used below
Add-Type -AssemblyName System.Windows.Forms
# Make cmdlet errors terminating so the Catch blocks actually run
$ErrorActionPreference = 'Stop'
#Set some variables
$RegistryKeyPath1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
$RegistryKeyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
$DisableInheritance = $true
$PreserveInheritanceIfDisabled = $true
#Create the registry keys
Try {
    New-Item $RegistryKeyPath1 -Force | Out-Null
    New-ItemProperty -Path $RegistryKeyPath1 -PropertyType DWORD -Name Deny_Write -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RegistryKeyPath1 -PropertyType DWORD -Name Deny_Read -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RegistryKeyPath1 -PropertyType DWORD -Name Deny_Execute -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RegistryKeyPath -PropertyType DWORD -Name Deny_All -Value 1 -Force | Out-Null
}
Catch
{
    [System.Windows.Forms.MessageBox]::Show('Key exists and an error has occurred. Please check the registry manually in this location','Error','OKCancel','Error') ; exit
}
Try {
    #Remove Inheritance - Inheritance is removed from both keys so that if one is done the other will have to be also.
    $acl = Get-Acl $RegistryKeyPath1
    $acl.SetAccessRuleProtection($DisableInheritance, $PreserveInheritanceIfDisabled)
    Set-Acl $RegistryKeyPath1 $acl
    Remove-Variable acl
    $acl = Get-Acl $RegistryKeyPath
    $acl.SetAccessRuleProtection($DisableInheritance, $PreserveInheritanceIfDisabled)
    Set-Acl $RegistryKeyPath $acl
    Remove-Variable acl
    #Remove Permissions
    $acl = Get-Acl $RegistryKeyPath1
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
    Set-Acl $RegistryKeyPath1 $acl
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
    Set-Acl $RegistryKeyPath1 $acl
    Remove-Variable acl
    $acl = Get-Acl $RegistryKeyPath
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Authenticated Users") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
    Set-Acl $RegistryKeyPath $acl
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount] "Administrators") #Administrators, SYSTEM, ALL APPLICATION PACKAGES
    Set-Acl $RegistryKeyPath $acl
    Remove-Variable acl
    [System.Windows.Forms.MessageBox]::Show('Successfully Implemented!','Success','OKCancel','Information')
}
Catch
{
    [System.Windows.Forms.MessageBox]::Show('An error has occurred. Please check the registry manually in this location','Error','OKCancel','Error')
}
It's not pretty, but at least it works. This should be documented somewhere.
VBS really does have a better garbage collector in action.
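
An added example, not code from either poster: one function that applies the sequence used in the thread (protect the DACL, write it, re-read the key, purge the chosen principals) and then reads the key back to confirm what is left. The function name `Set-RegistryKeyIsolation` and the HKCU scratch key are hypothetical, chosen so the check can be tried without touching the policy keys above.

```powershell
# Hypothetical scratch key (not from the thread); HKCU needs no elevation.
$KeyPath = 'HKCU:\Software\AclInheritanceDemo'

function Set-RegistryKeyIsolation {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $PurgeIdentity = @()   # principals whose rules are removed
    )
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
    }

    # Step 1: block inheritance. First $true = protect the DACL,
    # second $true = keep the inherited rules as explicit copies.
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop

    # Step 2: re-read after the write, as the thread reports is necessary.
    # The fresh descriptor carries the formerly inherited rules as explicit
    # entries, which PurgeAccessRules can remove.
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($name in $PurgeIdentity) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
    }
    Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop

    # Step 3: verify from the key itself, not from the in-memory object.
    $after = Get-Acl -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $after.AreAccessRulesProtected
        InheritedRulesLeft  = @($after.Access | Where-Object IsInherited).Count
        RemainingIdentities = @($after.Access.IdentityReference.Value | Sort-Object -Unique)
    }
}

# Same principals the thread purges; the report shows who still has access.
Set-RegistryKeyIsolation -Path $KeyPath -PurgeIdentity 'Authenticated Users', 'Administrators'
```

A principal listed in `RemainingIdentities` still holds explicit rights on the key, so the report is the place to confirm that the result matches the intended lockdown before applying the same steps under HKLM.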