buyiyang

第三条尝试改为

Start /wait /b CMD /c SetACL -on "%ff%" -ot reg -actn mod -ace "n:Administrators;p:full"
复制代码

buyiyang

因为administrators的权限是继承而来的，所以无法更改，要先将权限改为显式权限然后才能更改

SetACL -on "%ff%" -ot reg -actn setprot -op "dacl:p_c;sacl:p_c" -actn ace -ace "n:Administrators;p:full;m:set;i:so,sc"
复制代码

说明如下：

Protection
Controls the flag ‘allow inheritable permissions from the parent object to propagate to this object’:
nc
Do not change the current setting.
np
Object is not protected, i.e. inherits from parent.
p_c
Object is protected, ACEs from parent are copied.
p_nc
Object is protected, ACEs from parent are not copied
复制代码

buyiyang

回复 8# Shuye


    恢复

SetACL -on "%ff%" -ot reg -actn setprot -op "dacl:np;sacl:np" -actn clear -clr "dacl,sacl"
复制代码

buyiyang

你的新需求应该要先取消父项中Administrators的propagate

SetACL -on "父项" -ot reg -actn setowner -ownr "n:Administrators" -actn ace -ace "n:Administrators;p:read;i:np"
SetACL -on "%ff%" -ot reg -actn ace -ace "n:Administrators;p:full;m:grant;i:so,sc"
复制代码

恢复

SetACL -on "父项" -ot reg -actn ace -ace "n:Administrators;p:read;i:so,sc" -actn rstchldrn -rst "dacl,sacl"
复制代码

buyiyang

回复 13# Shuye


    因为子项继承的主体无法修改或删除，要么直接禁用子项的从父项继承（取消子项的所有主体的继承关系），要么从父项修改每个主体的propagation