将 OU 权限从现有安全组复制到新安全组

我已经创建了一个 Powershell 函数Copy-DsAcl，它应该有助于执行这种 Active Directory 权限复制。使用此功能，原始答案（在线下方）可以更干净地重写为：

 Import-Module ActiveDirectory

 # Dot source the Copy-DsAcl function: https://github.com/jasonkeithscott/Copy-DsAcl
 . .\Copy-DsAcl.ps1

 # Reference objects
 $sourceGroup    = Get-ADGroup Limited_IT_Admins
 $sourceObject   = Get-ADOrganizationalUnit -Filter { Name -eq "City01" }

 # Hash for the new groups and their assigned OUs
 $targetGroups   = @{}
 $targetGroups.Add("Limited_IT_Admin_01", @("City01", "City02", "City03"))
 $targetGroups.Add("Limited_IT_Admin_02", @("City04", "City05"))
 $targetGroups.Add("Limited_IT_Admin_03", @("City06", "City07"))

 # Walk each targetGroup in the hash
 foreach ( $g in $targetGroups.GetEnumerator() ) {

     $targetGroup = Get-ADGroup $g.Name

     # Walk each $city OU and add the $targetGroup to the ACL
     foreach ( $city in $g.Value ) {

         Write-Host "Adding $($g.Name) to $city"
         $targetObject = Get-ADOrganizationalUnit -Filter { Name -eq $city }
         Copy-DsAcl $sourceGroup $sourceObject $targetGroup $targetObject

     }

 }

下面的 Powershell 应该可以满足您的要求。有几个要求：

1. 您需要 Microsoft ActiveDirectory Powershell 模块。它包含在 RSAT7 中。
2. 您需要为您的环境更新以下内容：
   1. $root- PSDrive 到您的“根”OU。您问题中的“国家”。
   2. $sourceOU- 您将从中复制 ACE 的源 OU（名称，而非 DN）。
   3. $sourceGroup- 您将复制的 ACL 中列出的组（名称，不是 DN 或域）。
   4. $targetGroups- 用于应用 ACE 的组（名称，而非 DN 或域）和 OU（名称，而非 DN）的散列。
3. 这只会复制显式 ACE，而不是继承的。也许我应该看看爬上树去抓住继承的？
4. 由于出现“拒绝访问”错误，我不得不以域管理员身份运行它。不过，我最初的 OU 代表团可能是可疑的。

通读所有这些内容后，我认为我可能应该只编写一个更通用的函数，CopyOuAcl并在完成后对其进行更新。正如现在所写的那样，它完全针对您的问题和环境。

Import-Module ActiveDirectory

$root          = "AD:\OU=Country,DC=example,DC=com"
$sourceOU       = "City01"
$sourceACL      = Get-Acl $root.Replace("AD:\", "AD:\OU=$sourceOU,")
$sourceGroup    = "Limited_IT_Admins"

# Hash for the new groups and their OUs
$targetGroups = @{}
$targetGroups.Add("Limited_IT_Admin_01", @("City01", "City02", "City03"))
$targetGroups.Add("Limited_IT_Admin_02", @("City04", "City05"))
$targetGroups.Add("Limited_IT_Admin_03", @("City06", "City07"))

# Get the uniherited ACEs for the $sourceGroup from $sourceOU
$sourceACEs = $sourceACL |
    Select-Object -ExpandProperty Access |
        Where-Object { $_.IdentityReference -match "$($sourceGroup)$" -and $_.IsInherited -eq $False }

# Walk each targetGroup in the hash
foreach ( $g in $targetGroups.GetEnumerator() ) {

    # Get the AD object for the targetGroup
    Write-Output $g.Name
    $group      = Get-ADGroup $g.Name
    $identity   = New-Object System.Security.Principal.SecurityIdentifier $group.SID

    # Could be multiple ACEs for the sourceGroup
    foreach ( $a in $sourceACEs ) {

        # From from the sourceACE for the ActiveDirectoryAccessRule constructor  
        $adRights               = $a.ActiveDirectoryRights
        $type                   = $a.AccessControlType
        $objectType             = New-Object Guid $a.ObjectType
        $inheritanceType        = $a.InheritanceType
        $inheritedObjectType    = New-Object Guid $a.InheritedObjectType

        # Create the new "copy" of the ACE using the target group. http://msdn.microsoft.com/en-us/library/w72e8e69.aspx
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $objectType, $inheritanceType, $inheritedObjectType    

        # Walk each city OU of the target group
        foreach ( $city in $g.Value ) {

            Write-Output "`t$city"
            # Set the $cityOU
            $cityOU = $root.Replace("AD:\", "AD:\OU=$city,")
            # Get the ACL for $cityOU
            $cityACL = Get-ACL $cityOU
            # Add it to the ACL
            $cityACL.AddAccessRule($ace)
            # Set the ACL back to the OU
            Set-ACL -AclObject $cityACL $cityOU

        }

    }

}

http://gallery.technet.microsoft.com/scriptcenter/Copying-permissions-for-d3c3b839

或者只是复制 NtSecurityDescriptor。http://blogs.msdn.com/spatdsg/archive/2007/05/24/copying-delegation-permissions-from-an-ou-to-another.aspx