我想要做的事情:我想将用户“octo”添加为“Key Admins”的成员。之后,我想将“Key Admins”添加到 AdminSDHolder,并为“Key Admins”的 msDS-KeyCredentialLink 属性设置写入和读取权限。我已经编写了一个 PowerShell 脚本来实现这一点,但在运行它时遇到了当前错误。
我正在尝试使用 PowerShell 在 Active Directory 中设置 AdminSDHolder 对象的权限。但是,在创建 System.DirectoryServices.ActiveDirectoryAccessRule 类的实例时遇到错误。这是我使用的代码:
function Set-KeyCredentialLinkPermissions {
param (
[Parameter(Mandatory = $true)]
[string] $groupName,
[Parameter(Mandatory = $true)]
[string] $userToAdd
)
# Add the user to the group
try {
Add-ADGroupMember -Identity $groupName -Members $userToAdd
Write-Output "$userToAdd was successfully added to the $groupName group."
} catch {
Write-Error "An error occurred while adding the user to the group: $_"
return
}
# Get the DistinguishedName of the AdminSDHolder object
$adminSDHolderDN = (Get-ADObject -Filter { Name -eq "AdminSDHolder" } -Properties DistinguishedName).DistinguishedName
try {
# Connect to the AdminSDHolder object
$adsi = [ADSI]"LDAP://$adminSDHolderDN"
# Get the ObjectSID of the group
$groupSID = (Get-ADGroup -Identity $groupName -Properties ObjectSID).ObjectSID
# Convert the SID to string format
$identityReference = $groupSID.Value
# GUID for msDS-KeyCredentialLink attribute
$guidKeyCredentialLink = "2f68b1d6-f5ae-4cb6-b34f-8108b3409d6b" # msDS-KeyCredentialLink GUID
# Get the current ACL
$acl = $adsi.ObjectSecurity
# Optionally clear existing rules (to leave only msDS-KeyCredentialLink permissions)
$acl.Access | Where-Object { $_.IdentityReference -eq $identityReference } | ForEach-Object {
$acl.RemoveAccessRule($_)
}
# Create new access rules
$writeRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$identityReference,
[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
[System.Security.AccessControl.AccessControlType]::Allow,
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendants,
$guidKeyCredentialLink)
$readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$identityReference,
[System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
[System.Security.AccessControl.AccessControlType]::Allow,
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendants,
$guidKeyCredentialLink)
# Set general read permission (for descendant user objects)
$readAllRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$identityReference,
[System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
[System.Security.AccessControl.AccessControlType]::Allow,
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendants,
[guid]::Empty.ToString())
# Add access rules and commit changes
$acl.AddAccessRule($writeRule)
$acl.AddAccessRule($readRule)
$acl.AddAccessRule($readAllRule)
$adsi.ObjectSecurity = $acl
$adsi.CommitChanges()
Write-Output "Permissions for msDS-KeyCredentialLink were successfully set on the AdminSDHolder object."
} catch {
Write-Error "An error occurred while setting msDS-KeyCredentialLink permissions on the AdminSDHolder object: $_"
}
}
# Run the function
Set-KeyCredentialLinkPermissions -groupName "Key Admins" -userToAdd "octo"
但是,运行代码时出现以下错误:
Set-KeyCredentialLinkPermissions: C:\Users\Administrator\Desktop\msDS-KeyCredentialLink.ps1:80
Line |
80 | Set-KeyCredentialLinkPermissions -groupName "Key Admins" -userToAdd " …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| AdminSDHolder nesnesinde msDS-KeyCredentialLink izinleri ayarlanirken bir hata olustu: Cannot find an overload
| for "ActiveDirectoryAccessRule" and the argument count: "5".
我创建了一个 PowerShell 脚本来实现以下目标:
将用户“octo”添加到“Key Admins”组。
将“Key Admins”组添加到 AdminSDHolder 对象。
为“Key Admins”组的 msDS-KeyCredentialLink 属性设置写入和读取权限。