Guidance on adding a security permission for an extended right

Any help would be greatly appreciated! Please ask if there is anything you don't understand. I'll try to explain it as well as I can.

The value I'm trying to edit is (CN=DS-Replication-Get-Changes-All). The rightsGuid of that controlAccessRight is 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2. I have used PowerShell to update attributes in AD, but I don't know how to update permissions in the Configuration or Schema partition. I have used the script below to update administrator permissions so they can change passwords etc…, but now I need to figure out how to do the same for the Configuration and Schema partitions.

    Import-Module ActiveDirectory
    # Bring up an Active Directory command prompt so we can use the AD: drive later on in the script
    cd ad:
    $acl = Get-Acl "ad:DC=corp,DC=domain,DC=net"
    $group = Get-ADGroup 'AD Service Administration Tasks'
    $sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
    # The following object-specific ACE grants the group permission to change user passwords on all user objects under the OU
    $objectGuid = New-Object Guid 00299570-246d-11d0-a768-00aa006e0529          # rightsGuid for the extended right User-Force-Change-Password ("Reset Password")
    $inheritedObjectGuid = New-Object Guid bf967aba-0de6-11d0-a285-00aa003049e2 # schemaIDGuid for the user class
    $identity = [System.Security.Principal.IdentityReference] $sid
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    # The constructor arguments must be passed with -ArgumentList (the original had them glued to the type name)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedObjectGuid
    $acl.AddAccessRule($ace)
    Set-Acl -AclObject $acl "ad:DC=corp,DC=domain,DC=net"

The DS-Replication-Get-Changes-All extended right is very easy to work with, because it does not apply to individual objects but to the whole partition!

You only need to set it once, directly on the top (or "root") object of the partition, which means the InheritedObjectType is completely irrelevant because it is never inherited.

    Import-Module ActiveDirectory
    $rootObjPath = "AD:\DC=corp,DC=domain,DC=net"
    $rootObjACL = Get-Acl $rootObjPath
    $group = Get-ADGroup 'AD Service Administration Tasks'
    $SID = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $group.SID
    # The following object-specific ACE grants the group the permission to replicate all directory changes from this partition
    $objectGuid = New-Object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
    $ADRight = [System.DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
    $ACEType = [System.Security.AccessControl.AccessControlType]"Allow"
    # Only four arguments: no inheritance type and no inherited-object GUID are needed on a partition root
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $SID,$ADRight,$ACEType,$objectGuid
    $rootObjACL.AddAccessRule($ACE)
    Set-Acl $rootObjPath -AclObject $rootObjACL

Don't specify the "None" InheritanceFlags option together with an empty inheritedObjectGuid; just leave out the last two arguments when creating the ActiveDirectoryAccessRule.

The same applies to the Configuration and Schema partitions: just replace the DistinguishedName that $rootObjACL is read from.

To find the Schema and Configuration partition DNs, you can browse the AD: PSDrive (Get-ChildItem AD:), or inspect the values published by RootDSE:

    $RootDSE = [ADSI]"LDAP://RootDSE"
    $SchemaDN = [string]$RootDSE.schemaNamingContext
    $ConfigDN = [string]$RootDSE.configurationNamingContext
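Because the replication extended rights let a holder read every attribute of the partition (including the secret attributes that only domain controllers normally exchange), a grant like the one above is worth verifying and periodically auditing. The script below is an added example, not part of the original question or answer: it reads the ACL of each naming context published by RootDSE and lists every principal that holds a replication right on it, either directly, through an all-extended-rights ACE, or through GenericAll. It assumes the ActiveDirectory module and its AD: drive, as the answer does. The GUID for DS-Replication-Get-Changes-All is the one quoted in the question; the GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-In-Filtered-Set are the standard schema values for those companion rights and are not taken from the page.

```powershell
# Added example (not from the original post): audit which principals hold the
# directory-replication extended rights on each naming context.
# Assumes the ActiveDirectory module and the AD: drive, as in the answer above.
Import-Module ActiveDirectory

# rightsGuid values of the replication control access rights.
# 1131f6ad-... (DS-Replication-Get-Changes-All) is the value quoted in the question;
# the other two are the standard schema GUIDs of the companion rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param(
        # Distinguished name of the partition root (domain, configuration or schema NC)
        [Parameter(Mandatory)][string]$PartitionDN
    )
    $acl = Get-Acl -Path "AD:\$PartitionDN"
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant anything; Deny entries are skipped here
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights     = $ace.ActiveDirectoryRights
        $objectType = $ace.ObjectType.ToString()
        $grant      = $null

        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            # GenericAll includes every extended right on the object
            $grant = 'GenericAll (implies all extended rights)'
        }
        elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if ($objectType -eq [Guid]::Empty.ToString()) {
                # An ExtendedRight ACE with an empty ObjectType grants all extended rights
                $grant = 'ExtendedRight (all extended rights)'
            }
            elseif ($ReplicationRights.ContainsKey($objectType)) {
                # Object-specific ACE naming one of the replication rights
                $grant = $ReplicationRights[$objectType]
            }
        }

        if ($grant) {
            [pscustomobject]@{
                Partition   = $PartitionDN
                Identity    = $ace.IdentityReference.Value
                Right       = $grant
                IsInherited = $ace.IsInherited
            }
        }
    }
}

# Check the three naming contexts published by RootDSE, as the answer suggests
$RootDSE = [ADSI]"LDAP://RootDSE"
$partitions = @(
    [string]$RootDSE.defaultNamingContext
    [string]$RootDSE.configurationNamingContext
    [string]$RootDSE.schemaNamingContext
)
$partitions |
    ForEach-Object { Get-ReplicationRightHolders -PartitionDN $_ } |
    Sort-Object Partition, Identity |
    Format-Table -AutoSize
```

In a healthy forest the output is short: the domain controller groups, the built-in administrative groups and whichever service group you granted the right to above. Any other identity in the list, especially on the Configuration or Schema partition, is worth tracing back to a change record.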