批量文件夹创建和授予权限的工作我使用下面的powershell脚本。

Import-Csv "D:\Scripts\foldernames.csv" | foreach-object {
    $username = $_.foldername 

    # foldername is the header of csv file

    $domain = “example.com”

    $folder= "D:\Users"

    $domainusername = $domain+“\”+$username

    New-Item $folder\$username –Type Directory

    Get-Acl $folder\$username  

    $acl = Get-Acl $folder\$username

    $acl.SetAccessRuleProtection($True, $False)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Admins","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($domainusername,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    Set-Acl $folder\$username $acl
}

注意:您必须在csv文件中创建相同的域用户名，否则您将遇到权限问题

Windows 10中没有“c:>”和“>”

例如:

F = Full Control
/e : Edit permission and kept old permission
/p : Set new permission

/e /p用户名:F

(这也修复了错误2502和2503)

C:\Windows\Temp /e /p用户名:F

这对我来说很管用:

手动打开被拒绝访问的文件夹。 在该文件夹中选择可执行/应用程序文件。 右键点击属性->兼容性 现在查看特权级别，并检查它是否为以管理员身份运行 为所有用户单击Change Settings。

现在问题解决了。

批量文件夹创建和授予权限的工作我使用下面的powershell脚本。

Import-Csv "D:\Scripts\foldernames.csv" | foreach-object {
    $username = $_.foldername 

    # foldername is the header of csv file

    $domain = “example.com”

    $folder= "D:\Users"

    $domainusername = $domain+“\”+$username

    New-Item $folder\$username –Type Directory

    Get-Acl $folder\$username  

    $acl = Get-Acl $folder\$username

    $acl.SetAccessRuleProtection($True, $False)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Admins","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($domainusername,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    Set-Acl $folder\$username $acl
}

注意:您必须在csv文件中创建相同的域用户名，否则您将遇到权限问题

损坏权限:重新获得对文件夹及其子对象的访问权

虽然这个问题的大部分答案都有一定的价值，但恕我直言，没有一个答案是完整的。下面(可能)是Windows 7的一个完美的解决方案，如果你被损坏的权限设置锁定的文件夹:

icacls "c:\folder" /remove:d /grant:r Everyone:(OI)(CI)F /T  

对于Windows 10，用户/SID必须在/remove:d选项后指定:

icacls "c:\folder" /remove:d Everyone /grant:r Everyone:(OI)(CI)F /T  

． 注:

The command is applied to the specified directory. Specifying the user "Everyone" sets the widest possible permission, as it includes every possible user. The option "/remove:d" deletes any explicit DENY settings that may exist, as those override explicit ALLOW settings: a necessary preliminary to creating a new ALLOW setting. This is only a precaution, as there is often no DENY setting present, but better safe than sorry. The option "/grant" creates a new ALLOW setting, an explicit permission that replaces (":r") any and all explicit ALLOW settings that may exist. The "F" parameter (i.e. the permission created) makes this a grant of FULL control. The "/T" parameter adds recursion, applying these changes to all current sub-objects in the specified directory (i.e. files and subfolders), as well as the folder itself. The "(OI)" and "(CI)" parameters also add recursion, applying these changes to sub-objects created subsequently. .

附录(2019/02/10)-

上面的Windows 10命令行是今天好心推荐给我的，所以就在这里。我还没有Windows 10来测试它，但是如果你有的话请尝试一下(然后请在下面发表评论)。

第一步更改只涉及删除DENY设置。可能没有任何DENY设置，所以该选项可能没有区别。我的理解是，在Windows 7上，你不需要在/remove:d后指定用户，但我可能错了!

.

附录(2019/11/21)-

用户astark建议将Everyone替换为术语*S-1-1-0，以便命令独立于语言。我只有英文版的Windows安装，所以我不能测试这个建议，但它似乎是合理的。

使用cacls命令。请看这里的信息。

CACLS文件/e /p {USERNAME}:{PERMISSION} 在那里, /p:设置新的权限 /e:编辑权限并保留旧权限，即编辑ACL而不是替换它。 {USERNAME}:用户名 {PERMISSION}:权限可以是: R -读取 W -写 C -改变(写) F -完全控制 例如，用以下命令授予Rocky完全(F)控制权(在Windows命令提示符下输入): C:> CACLS files /e /p rocky:f 输入以下命令阅读完整帮助: C:> cacls /?