主页 / server / 问题 / 734452
Accepted
curropar
Asked: 2015-11-07 04:59:04 +0800 CST

使用 Powershell 拒绝 GPO 权限时出错

  • 772

我试图找到一种方法为几个 GPO(大约 50 个)中的某个组设置“应用策略”为“拒绝”,所以当我一个(显然)使用以下脚本放弃了博客:

$strGroup = "my group" 
$strGPO = "my GPO"

$GroupObject = Get-ADGroup $strGroup 
$GroupSid = new-object System.Security.Principal.SecurityIdentifier $GroupObject.SID 
$GPOObject = Get-GPO $strGPO

$GPOPath = $GPOObject.path 
$GPOADObject = [ADSI]"LDAP://$GPOPath" 
$GPOObjSec = $GPOADObject.psbase.ObjectSecurity 
$GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])

$extRight = [system.guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939" 
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ReadProperty, GenericExecute","Deny","None" 
$ace2 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ExtendedRight","Deny",$extRight,"All" 
$GPOADObject.psbase.get_objectSecurity().AddAccessRule($ace1) 
$GPOADObject.psbase.get_objectSecurity().AddAccessRule($ace2) 
$GPOADObject.psbase.CommitChanges()

$GPOGPTstr = "\\"+$GPOObject.DomainName+"\SYSVOL\"+$GPOObject.DomainName+"\Policies\{"+$GPOObject.Id+"}" 
$acl = Get-ACL $GPOGPTstr

$acl.SetAccessRuleProtection($True, $False) 
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($strGroup,"ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Deny") 
$acl.AddAccessRule($rule) 
Set-Acl $GPOGPTstr $acl

我已经添加了一个foreach循环,以从文本文件中获取我的组。它可以工作,除了第 14 行:

$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ReadProperty, GenericExecute","Deny","None"

这会引发以下错误:

new-object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the argument count: "4".
At .\denyApplyGPOtoGroup.ps1:16 char:10
+     $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

当然,第 16 行失败,$ace1就像$null. 尽管如此,脚本还是有效的:基本上,权限被正确地应用到 GPC,而不是 GPT,这对代码和抛出的错误是有意义的。所以当我去 GPMC,点击 GPO,我收到一条消息说:

“SYSVOL 文件夹中此 GPO 的权限与 Active Directory 中的权限不一致。建议这些权限保持一致。要将 SYSVOL 中的权限更改为 Active Directory 中的权限,请单击“确定”。”

单击“确定”可修复混乱,但仍在寻找解决此变通办法的方法……有什么想法吗?

group-policy

1 个回答

  1. Best Answer

    删除 $ace1 并删除这些行;

    $GPOGPTstr = "\\"+$GPOObject.DomainName+"\SYSVOL\"+$GPOObject.DomainName+"\Policies\{"+$GPOObject.Id+"}" 
$acl = Get-ACL $GPOGPTstr

$acl.SetAccessRuleProtection($True, $False) 
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($strGroup,"ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Deny") 
$acl.AddAccessRule($rule) 
Set-Acl $GPOGPTstr $acl

    您只需要添加拒绝应用权限即可。因此,您无需更改 Sysvol 策略文件夹上的 ACL,也不想删除读取权限。

    $ace1 删除读取策略权限。

    最终代码是这样的:

    $strGroup = "Domain Admins" 
$strGPO = "RES Workspace Manager Shell"

$GroupObject = Get-ADGroup $strGroup 
$GroupSid = new-object System.Security.Principal.SecurityIdentifier $GroupObject.SID 
$GPOObject = Get-GPO $strGPO

$GPOPath = $GPOObject.path 
$GPOADObject = [ADSI]"LDAP://$GPOPath" 
$GPOObjSec = $GPOADObject.psbase.ObjectSecurity 
$GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])

$extRight = [system.guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939" 

$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ExtendedRight","Deny",$extRight,"All" 

$GPOADObject.psbase.get_objectSecurity().AddAccessRule($ace) 
$GPOADObject.psbase.CommitChanges()
    • 2

相关问题