主页 / server / 问题 / 789216
Accepted
user01230
Asked: 2016-07-12 12:05:56 +0800 CST

使用 PowerShell 模拟控制向导的委派

  • 772

我想将TestUsers组织单位的控制权委托给用户NickA并为其授予以下权限:

  1. Create, delete, and manage user accounts
  2. Reset user passwords and force password change at next logon
  3. Read all user information
  4. Create, delete and manage groups
  5. Modify the membership of a group

我找到的唯一方法如下,但我找不到要分配的正确权限:

$acc  = Get-ADUser NickA
$sid  = new-object System.Security.Principal.SecurityIdentifier $acc.SID
$guid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2 
$ou   = Get-ADOrganizationalUnit -Identity TestUsers
$acl  = Get-ACL -Path "AD:$($ou.DistinguishedName)"
$acl.AddAccessRule($(new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild,DeleteChild","Allow",$guid))
Set-ACL -ACLObject $acl -Path "AD:$($ou.DistinguishedName)"
powershell delegation windows-server-2012-r2

2 个回答

  1. 我还没有解决使用 PowerShell 构建 ACL 的问题,但这可以使用自 Windows Server 2003 以来一直是 RSAT 和支持工具一部分的旧 DSACLS 命令来完成。

    dsacls "OU=Test,DC=domain,DC=com" /I:S /G "domain\user:CA;Reset Password";user

    将委派 OU 的 DN 放在引号之间,并将用户放在 /G(授予)参数之后。该/I:S参数告诉 ACE 仅继承子对象,该CA参数代表控制访问。

    可以在TechNet或其他站点上找到有关语法的更多信息。如果您需要使用 PowerShell,请查看更新 ACL Active Directory Provider 文档

    • 1
  2. Best Answer

    我终于用 PowerShell 做到了。感谢以下 TechNet 帖子Exchange 2007 GUID 参考更新 ACL 骨架,我能够将 TestUsers 组织单位的控制权委托给用户 NickA 并授予我最初发布的权限。

    $OU   = Get-ADOrganizationalUnit -Identity "OU=TestUsers,DC=contoso,DC=private"
$SID  = new-object System.Security.Principal.SecurityIdentifier $(Get-ADUser "NickA").SID
$GUIDUserOBJ  = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$GUIDGroupOBJ = new-object Guid bf967a9c-0de6-11d0-a285-00aa003049e2
$GUIDNull     = new-object Guid 00000000-0000-0000-0000-000000000000 

$ACL  = Get-ACL -Path "AD:$($OU.DistinguishedName)"

#Create a hashtable to store the GUID value of each schema class and attribute
$ADRootDSE = Get-ADRootDSE
$GUIDMap = @{}
Get-ADObject -SearchBase ($ADRootDSE.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | % {$GUIDMap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"CreateChild,DeleteChild","Allow",$GUIDUserOBJ,"ALL"))
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"GenericAll","Allow",$GUIDNull,"Descendents",$GUIDMap["user"]))
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"CreateChild,DeleteChild","Allow",$GUIDGroupOBJ,"ALL"))
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"GenericAll","Allow",$GUIDNull,"Descendents",$GUIDMap["group"]))

Set-ACL -ACLObject $ACL -Path "AD:$($OU.DistinguishedName)"
    • 1

相关问题