Copy OU permissions from an existing security group to new security groups

Currently we have a security group named Limited_IT_Admins which has special permissions (limited to certain tasks they are allowed to perform) on ~7 city OUs inside the country OU.

    [Country]   <- top level OU
        [City01]
        [City02]
        [City03]
        [City04]
        [City05]
        [City06]
        [City07]

However, I now have to split this security group into three groups. The users from the Limited_IT_Admins group will be divided into three separate new groups. The users will need the same access as Limited_IT_Admins, but only on their respective OUs.

    Limited_IT_Admin_01 - User01    City01, City02, City03
    Limited_IT_Admin_02 - User02    City04, City05
    Limited_IT_Admin_03 - User03    City06, City07

Rather than trying to recreate all of the special permissions that were set up for the security group, is there an easier way to copy the permissions of Limited_IT_Admins to the three new groups?

I have created a PowerShell function, Copy-DsAcl, which should help with performing this kind of Active Directory permission copy. Using this function, the original answer (below the line) could be rewritten more cleanly as follows:

    Import-Module ActiveDirectory

    # Dot source the Copy-DsAcl function: https://github.com/jasonkeithscott/Copy-DsAcl
    . .\Copy-DsAcl.ps1

    # Reference objects
    $sourceGroup  = Get-ADGroup Limited_IT_Admins
    $sourceObject = Get-ADOrganizationalUnit -Filter { Name -eq "City01" }

    # Hash for the new groups and their assigned OUs
    $targetGroups = @{}
    $targetGroups.Add("Limited_IT_Admin_01", @("City01", "City02", "City03"))
    $targetGroups.Add("Limited_IT_Admin_02", @("City04", "City05"))
    $targetGroups.Add("Limited_IT_Admin_03", @("City06", "City07"))

    # Walk each targetGroup in the hash
    foreach ( $g in $targetGroups.GetEnumerator() ) {
        $targetGroup = Get-ADGroup $g.Name

        # Walk each $city OU and add the $targetGroup to the ACL
        foreach ( $city in $g.Value ) {
            Write-Host "Adding $($g.Name) to $city"
            $targetObject = Get-ADOrganizationalUnit -Filter { Name -eq $city }
            Copy-DsAcl $sourceGroup $sourceObject $targetGroup $targetObject
        }
    }

The PowerShell below should do what you are asking. There are a few requirements:

  1. You need the Microsoft ActiveDirectory PowerShell module. It is included in RSAT7.
  2. You need to update the following for your environment:
    1. $root – PSDrive path to your "root" OU. "Country" in your question.
    2. $sourceOU – the source OU you will copy the ACEs from (name, not DN).
    3. $sourceGroup – the group listed in the ACL that you will be copying (name, not DN or domain).
    4. $targetGroups – a hash of the groups (name, not DN or domain) and the OUs (name, not DN) to apply the ACEs to.
  3. This only copies explicit ACEs, not inherited ones. Maybe I should look at walking up the tree to grab the inherited ones?
  4. I had to run this as a domain admin because I was getting "Access Denied" errors. However, my initial OU delegation might be suspect.

Having written all of this, I think I should write a more generic function, CopyOuAcl, and update this when it is done. As written right now, it is entirely specific to your question and environment.

    Import-Module ActiveDirectory

    $root        = "AD:\OU=Country,DC=example,DC=com"
    $sourceOU    = "City01"
    $sourceACL   = Get-Acl $root.Replace("AD:\", "AD:\OU=$sourceOU,")
    $sourceGroup = "Limited_IT_Admins"

    # Hash for the new groups and their OUs
    $targetGroups = @{}
    $targetGroups.Add("Limited_IT_Admin_01", @("City01", "City02", "City03"))
    $targetGroups.Add("Limited_IT_Admin_02", @("City04", "City05"))
    $targetGroups.Add("Limited_IT_Admin_03", @("City06", "City07"))

    # Get the uninherited (explicit) ACEs for the $sourceGroup from $sourceOU.
    # The pattern is anchored on the "\" of DOMAIN\Group so a group whose name merely
    # ends in $sourceGroup is not matched by accident.
    $sourceACEs = $sourceACL |
        Select-Object -ExpandProperty Access |
        Where-Object { $_.IdentityReference -match "\\$([regex]::Escape($sourceGroup))$" -and $_.IsInherited -eq $False }

    # Walk each targetGroup in the hash
    foreach ( $g in $targetGroups.GetEnumerator() ) {
        # Get the AD object for the targetGroup
        Write-Output $g.Name
        $group    = Get-ADGroup $g.Name
        $identity = New-Object System.Security.Principal.SecurityIdentifier $group.SID

        # Could be multiple ACEs for the sourceGroup
        foreach ( $a in $sourceACEs ) {
            # Fields from the sourceACE for the ActiveDirectoryAccessRule constructor
            $adRights            = $a.ActiveDirectoryRights
            $type                = $a.AccessControlType
            $objectType          = $a.ObjectType            # already a [Guid]
            $inheritanceType     = $a.InheritanceType
            $inheritedObjectType = $a.InheritedObjectType   # already a [Guid]

            # Create the new "copy" of the ACE using the target group.
            # http://msdn.microsoft.com/en-us/library/w72e8e69.aspx
            $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $objectType, $inheritanceType, $inheritedObjectType

            # Walk each city OU of the target group
            foreach ( $city in $g.Value ) {
                Write-Output "`t$city"
                # Set the $cityOU
                $cityOU = $root.Replace("AD:\", "AD:\OU=$city,")
                # Get the ACL for $cityOU
                $cityACL = Get-ACL $cityOU
                # Add the copied ACE to the ACL
                $cityACL.AddAccessRule($ace)
                # Set the ACL back to the OU
                Set-ACL -AclObject $cityACL $cityOU
            }
        }
    }
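The following is an added example and not code from the answer above or from the Copy-DsAcl project. It addresses the gap the answer flags in requirement 3 (inherited ACEs are not copied) by optionally collecting the ACEs the source group holds through inheritance as well as the explicit ones, makes the copy idempotent and previewable with -WhatIf, and adds a verification step that reports any ACE the new group is still missing compared with the old group. The group names, OU names and the DC=example,DC=com path are assumptions taken from the question; Get-GroupAce, ConvertTo-AceKey, Copy-GroupDelegation and Test-GroupDelegation are names chosen here.

```powershell
# Added example (not the answer's own code). Assumed names: Limited_IT_Admins,
# Limited_IT_Admin_01..03, City01..City07, OU=Country,DC=example,DC=com.
Import-Module ActiveDirectory

# Returns the ACEs on $OuPath (an AD: PSDrive path) that are granted to $GroupName.
# The match is anchored on the "\" in DOMAIN\Group so that a group whose name
# merely ends in $GroupName is not picked up.
function Get-GroupAce {
    param(
        [Parameter(Mandatory)][string]$OuPath,
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$IncludeInherited
    )
    $pattern = '\\' + [regex]::Escape($GroupName) + '$'
    (Get-Acl -Path $OuPath).Access | Where-Object {
        $_.IdentityReference.Value -match $pattern -and
        ($IncludeInherited -or -not $_.IsInherited)
    }
}

# Normalises an ACE to a string that ignores who it is granted to, so the source
# group's ACEs can be compared with the target group's ACEs.
function ConvertTo-AceKey {
    param([Parameter(Mandatory)]$Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.ActiveDirectoryRights, $Ace.AccessControlType,
        $Ace.ObjectType, $Ace.InheritanceType, $Ace.InheritedObjectType
}

# Grants $TargetGroup on $TargetOu every ACE that $SourceGroup holds on $SourceOu.
# With -IncludeInherited the ACEs the source group only inherits from parent OUs
# are copied too (written explicitly on the target OU). Supports -WhatIf/-Confirm.
function Copy-GroupDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceOu,
        [Parameter(Mandatory)][string]$SourceGroup,
        [Parameter(Mandatory)][string]$TargetOu,
        [Parameter(Mandatory)][string]$TargetGroup,
        [switch]$IncludeInherited
    )
    $sid      = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $TargetGroup).SID
    $acl      = Get-Acl -Path $TargetOu
    $existing = @(Get-GroupAce $TargetOu $TargetGroup | ForEach-Object { ConvertTo-AceKey $_ })
    $added    = 0
    foreach ($a in Get-GroupAce $SourceOu $SourceGroup -IncludeInherited:$IncludeInherited) {
        # Idempotent: skip ACEs the target group already has explicitly on this OU
        if ((ConvertTo-AceKey $a) -in $existing) { continue }
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $sid, $a.ActiveDirectoryRights, $a.AccessControlType,
            $a.ObjectType, $a.InheritanceType, $a.InheritedObjectType
        )
        $acl.AddAccessRule($ace)
        $added++
    }
    if ($added -gt 0 -and $PSCmdlet.ShouldProcess($TargetOu, "grant $TargetGroup $added ACE(s) copied from $SourceGroup")) {
        Set-Acl -Path $TargetOu -AclObject $acl
    }
}

# Reports every ACE (explicit or inherited) that $SourceGroup holds on $SourceOu
# and $TargetGroup does not hold on $TargetOu. Returns $true when nothing is missing.
function Test-GroupDelegation {
    param(
        [Parameter(Mandatory)][string]$SourceOu,
        [Parameter(Mandatory)][string]$SourceGroup,
        [Parameter(Mandatory)][string]$TargetOu,
        [Parameter(Mandatory)][string]$TargetGroup
    )
    $expected = @(Get-GroupAce $SourceOu $SourceGroup -IncludeInherited | ForEach-Object { ConvertTo-AceKey $_ })
    $actual   = @(Get-GroupAce $TargetOu $TargetGroup -IncludeInherited | ForEach-Object { ConvertTo-AceKey $_ })
    $missing  = @($expected | Where-Object { $_ -notin $actual })
    if ($missing.Count -gt 0) {
        Write-Warning "$TargetGroup on $TargetOu is missing:`n$($missing -join "`n")"
    }
    return ($missing.Count -eq 0)
}

# Usage with the question's layout (assumed names). Run with -WhatIf first; once the
# preview looks right, drop -WhatIf and run Test-GroupDelegation for each OU.
$root     = 'AD:\OU=Country,DC=example,DC=com'
$sourceOu = $root -replace '^AD:\\', 'AD:\OU=City01,'
$targetGroups = @{
    'Limited_IT_Admin_01' = 'City01', 'City02', 'City03'
    'Limited_IT_Admin_02' = 'City04', 'City05'
    'Limited_IT_Admin_03' = 'City06', 'City07'
}
foreach ($g in $targetGroups.GetEnumerator()) {
    foreach ($city in $g.Value) {
        $targetOu = $root -replace '^AD:\\', "AD:\OU=$city,"
        Copy-GroupDelegation $sourceOu 'Limited_IT_Admins' $targetOu $g.Key -IncludeInherited -WhatIf
        # Test-GroupDelegation $sourceOu 'Limited_IT_Admins' $targetOu $g.Key
    }
}
```

Two design points worth noting. Copying inherited ACEs explicitly onto each city OU means a later change to the delegation on Country no longer flows through to the new groups automatically; if that is not wanted, grant the new groups directly on Country instead of copying. And because the comparison in Test-GroupDelegation ignores the identity, it will also flag an ACE the old group holds on City01 through a different path than the new group will have on City04, which is exactly the kind of discrepancy worth reviewing before the old group is removed.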