110,896
社区成员
发帖
与我相关
我的任务
分享
using System.Security.AccessControl;
string strPath = "d:\temp";
if (!Directory.Exists(strPath))
{
Directory.CreateDirectory(strPath);
}
// 重新设置目录访问权限
NTFSHelper.RemoveDirectoryAccountSecurityAll(strPath);
NTFSHelper.AddDirectorySecurity(strPath, "SYSTEM", FileSystemRights.FullControl);
NTFSHelper.AddDirectorySecurity(strPath, "Administrators", FileSystemRights.FullControl);
using System;
using System.IO;
using System.Text;
using System.Collections.Generic;
using System.Security.AccessControl;
namespace NTFS
{
public sealed class NTFSHelper
{
#region 目录权限
#region 添加权限
/// <summary>
/// 添加 指定目录 指定用户 指定的 权限
/// </summary>
/// <param name="FileName">指定目录</param>
/// <param name="Account">用户帐户</param>
/// <param name="UserRights">权限【RCFW】</param>
public static void AddDirectorySecurity(string FileName, string Account, string UserRights)
{
FileSystemRights Rights = new FileSystemRights();
if (UserRights.IndexOf("R") >= 0)
{
Rights = Rights | FileSystemRights.Read;
}
if (UserRights.IndexOf("C") >= 0)
{
Rights = Rights | FileSystemRights.ChangePermissions;
}
if (UserRights.IndexOf("F") >= 0)
{
Rights = Rights | FileSystemRights.FullControl;
}
if (UserRights.IndexOf("W") >= 0)
{
Rights = Rights | FileSystemRights.Write;
}
bool ok;
DirectoryInfo dInfo = new DirectoryInfo(FileName);
DirectorySecurity dSecurity = dInfo.GetAccessControl();
InheritanceFlags iFlags = new InheritanceFlags();
iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
FileSystemAccessRule AccessRule2 = new FileSystemAccessRule(Account, Rights, iFlags, PropagationFlags.None, AccessControlType.Allow);
dSecurity.ModifyAccessRule(AccessControlModification.Add, AccessRule2, out ok);
dInfo.SetAccessControl(dSecurity);
}
/// <summary>
/// 添加 指定目录 指定用户 指定的 权限
/// </summary>
/// <param name="FileName">指定目录</param>
/// <param name="Account">用户帐户</param>
/// <param name="Rights">Windows目录权限</param>
public static void AddDirectorySecurity(string FileName, string Account, FileSystemRights Rights)
{
bool ok;
DirectoryInfo dInfo = new DirectoryInfo(FileName);
DirectorySecurity dSecurity = dInfo.GetAccessControl();
InheritanceFlags iFlags = new InheritanceFlags();
iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
FileSystemAccessRule AccessRule2 = new FileSystemAccessRule(Account, Rights, iFlags, PropagationFlags.None, AccessControlType.Allow);
dSecurity.ModifyAccessRule(AccessControlModification.Add, AccessRule2, out ok);
dInfo.SetAccessControl(dSecurity);
}
#endregion
#region 获取目录权限
/// <summary>
/// 获取 指定目录 除Administrators和SYSTEM之外的 权限列表
/// </summary>
/// <param name="DirName"></param>
/// <returns></returns>
public static List<string> GetDirectoryAccountSecurity(string DirName)
{
List<string> dAccount = new List<string>();
DirectoryInfo dInfo = new DirectoryInfo(DirName);
if (dInfo.Exists)
{
DirectorySecurity sec = Directory.GetAccessControl(DirName, AccessControlSections.All);
foreach (FileSystemAccessRule rule in sec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
{
if (rule.IdentityReference.Value != @"NT AUTHORITY\SYSTEM" && rule.IdentityReference.Value != @"BUILTIN\Administrators")
dAccount.Add(rule.IdentityReference.Value);
}
}
return dAccount;
}
/// <summary>
/// 获取 指定目录 所有权限列表
/// </summary>
/// <param name="DirName"></param>
/// <returns></returns>
public static List<string> GetDirectoryAccountSecurityAll(string DirName)
{
List<string> dAccount = new List<string>();
DirectoryInfo dInfo = new DirectoryInfo(DirName);
if (dInfo.Exists)
{
DirectorySecurity sec = Directory.GetAccessControl(DirName, AccessControlSections.All);
foreach (FileSystemAccessRule rule in sec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
{
dAccount.Add(rule.IdentityReference.Value);
}
}
return dAccount;
}
#endregion
#region 移除目录权限
/// <summary>
/// 移除 指定目录 指定用户的 权限
/// </summary>
/// <param name="DirName"></param>
/// <param name="Account"></param>
public static void RemoveDirectoryAccountSecurity(string DirName, string Account)
{
DirectoryInfo dInfo = new DirectoryInfo(DirName);
if (dInfo.Exists)
{
System.Security.Principal.NTAccount myAccount = new System.Security.Principal.NTAccount(System.Environment.MachineName, Account);
DirectorySecurity dSecurity = dInfo.GetAccessControl();
FileSystemAccessRule AccessRule = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Allow);
FileSystemAccessRule AccessRule2 = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Deny);
InheritanceFlags iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
PropagationFlags pFlags = PropagationFlags.InheritOnly | PropagationFlags.NoPropagateInherit;
dSecurity.AccessRuleFactory(myAccount, 983551, false, iFlags, pFlags, AccessControlType.Allow);
dSecurity.RemoveAccessRuleAll(AccessRule);
dSecurity.RemoveAccessRuleAll(AccessRule2);
dInfo.SetAccessControl(dSecurity);
}
}
/// <summary>
/// 移除 指定目录 所有权限
/// </summary>
/// <param name="DirName"></param>
public static void RemoveDirectoryAccountSecurityAll(string DirName)
{
RemoveDirectoryAccountSecurityProtection(DirName);
List<string> dAccount = GetDirectoryAccountSecurityAll(DirName);
foreach (string account in dAccount)
{
RemoveDirectoryAccountSecurity(DirName, account);
}
}
/// <summary>
/// 移除 指定目录 所有继承的权限
/// </summary>
/// <param name="DirName"></param>
public static void RemoveDirectoryAccountSecurityProtection(string DirName)
{
DirectoryInfo dInfo = new DirectoryInfo(DirName);
if (dInfo.Exists)
{
DirectorySecurity dSecurity = dInfo.GetAccessControl();
dSecurity.SetAccessRuleProtection(true, false);
dSecurity.SetAuditRuleProtection(true, false);
dInfo.SetAccessControl(dSecurity);
}
}
#endregion
#endregion
#region 文件权限
/// <summary>
/// 获取 指定文件 除Administrators和SYSTEM之外的 权限列表
/// </summary>
/// <param name="fileName"></param>
/// <returns></returns>
public static List<string> GetFileAccountSecurity(string fileName)
{
List<string> fAccount = new List<string>();
FileInfo fInfo = new FileInfo(fileName);
if (fInfo.Exists)
{
FileSecurity fec = File.GetAccessControl(fileName, AccessControlSections.All);
foreach (FileSystemAccessRule rule in fec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
{
if (rule.IdentityReference.Value != @"NT AUTHORITY\SYSTEM" && rule.IdentityReference.Value != @"BUILTIN\Administrators")
fAccount.Add(rule.IdentityReference.Value);
}
}
return fAccount;
}
/// <summary>
/// 移除 指定文件 指定用户的 权限
/// </summary>
/// <param name="fileName"></param>
/// <param name="Account"></param>
public static void RemoveFileAccountSecurity(string fileName, string Account)
{
FileInfo fInfo = new FileInfo(fileName);
if (fInfo.Exists)
{
FileSecurity fSecurity = fInfo.GetAccessControl();
FileSystemAccessRule AccessRule = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Allow);
FileSystemAccessRule AccessRule2 = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Deny);
fSecurity.RemoveAccessRuleAll(AccessRule);
fSecurity.RemoveAccessRuleAll(AccessRule2);
fInfo.SetAccessControl(fSecurity);
}
}
#endregion
}
}
显示或者修改文件的访问控制表(ACL)
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
[/P user:perm [...]] [/D user [...]]
filename 显示 ACL。
/T 更改当前目录及其所有子目录中
指定文件的 ACL。
/E 编辑 ACL 而不替换。
/C 在出现拒绝访问错误时继续。
/G user:perm 赋予指定用户访问权限。
Perm 可以是: R 读取
W 写入
C 更改(写入)
F 完全控制
/R user 撤销指定用户的访问权限(仅在与 /E 一起使用时合法)。
/P user:perm 替换指定用户的访问权限。
Perm 可以是: N 无
R 读取
W 写入
C 更改(写入)
F 完全控制
/D user 拒绝指定用户的访问。
在命令中可以使用通配符指定多个文件。
也可以在命令中指定多个用户。
缩写:
CI - 容器继承。
ACE 会由目录继承。
OI - 对象继承。
ACE 会由文件继承。
IO - 只继承。
ACE 不适用于当前文件/目录。