Imitating the Delegation of Control Wizard with PowerShell

I want to delegate control of the TestUsers organizational unit to the user NickA and grant the following permissions:

  1. Create, delete, and manage user accounts
  2. Reset user passwords and force password change at next logon
  3. Read all user information
  4. Create, delete and manage groups
  5. Modify the membership of a group

The only method I have found is the following, but I can't work out the correct permission assignment:

 $acc  = Get-ADUser NickA
 $sid  = New-Object System.Security.Principal.SecurityIdentifier $acc.SID
 # schemaIDGUID of the "user" object class
 $guid = New-Object Guid bf967aba-0de6-11d0-a285-00aa003049e2
 # -Identity needs the distinguished name (or GUID) of the OU, not its plain name
 $ou   = Get-ADOrganizationalUnit -Identity "OU=TestUsers,DC=contoso,DC=private"
 $acl  = Get-ACL -Path "AD:$($ou.DistinguishedName)"
 # Allow creating and deleting "user" objects; without an inheritance flag this ACE applies to the OU itself only
 $acl.AddAccessRule($(New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild,DeleteChild","Allow",$guid))
 Set-ACL -ACLObject $acl -Path "AD:$($ou.DistinguishedName)"

I haven't worked out building the ACL with PowerShell yet, but you can get this done with the old DSACLS command (part of RSAT since Windows Server 2003) and the Support Tools.

 dsacls "OU=Test,DC=domain,DC=com" /I:S /G "domain\user:CA;Reset Password";user 

Put the DN of the OU being delegated between quotes, and the user after the /G (grant) parameter. The /I:S parameter tells the ACE to be inherited by sub-objects only, and the CA parameter stands for control access.

More information on the syntax can be found on TechNet or other sites. If you need to use PowerShell, have a look at the Update ACL Active Directory provider documentation.

I finally did it with PowerShell. Thanks to the following TechNet posts, the Exchange 2007 GUID reference and the Update ACL skeleton, I was able to delegate control of the TestUsers organizational unit to the user NickA and grant the permissions I originally posted.

 $OU  = Get-ADOrganizationalUnit -Identity "OU=TestUsers,DC=contoso,DC=private"
 $SID = New-Object System.Security.Principal.SecurityIdentifier $(Get-ADUser "NickA").SID
 # schemaIDGUID of the "user" class
 $GUIDUserOBJ  = New-Object Guid bf967aba-0de6-11d0-a285-00aa003049e2
 # schemaIDGUID of the "group" class
 $GUIDGroupOBJ = New-Object Guid bf967a9c-0de6-11d0-a285-00aa003049e2
 # Empty object type: the ACE is not limited to one property or class
 $GUIDNull     = New-Object Guid 00000000-0000-0000-0000-000000000000
 $ACL = Get-ACL -Path "AD:$($OU.DistinguishedName)"

 # Create a hashtable to store the GUID value of each schema class and attribute
 $ADRootDSE = Get-ADRootDSE
 $GUIDMap = @{}
 Get-ADObject -SearchBase ($ADRootDSE.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
     ForEach-Object { $GUIDMap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }

 # Users: create/delete user objects in the OU and below, and full control over user objects below the OU
 # ($GUIDMap["user"] resolves to the same GUID as $GUIDUserOBJ)
 $ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"CreateChild,DeleteChild","Allow",$GUIDUserOBJ,"ALL"))
 $ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"GenericAll","Allow",$GUIDNull,"Descendents",$GUIDMap["user"]))
 # Groups: the same two ACEs for group objects
 $ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"CreateChild,DeleteChild","Allow",$GUIDGroupOBJ,"ALL"))
 $ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"GenericAll","Allow",$GUIDNull,"Descendents",$GUIDMap["group"]))
 Set-ACL -ACLObject $ACL -Path "AD:$($OU.DistinguishedName)"
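As an added example (not code from the question or from either answer), the following PowerShell expresses all five wizard tasks listed in the question as separate ACEs, resolving class, attribute and extended-right GUIDs from the schema and the Extended-Rights container instead of hard-coding them, and then reads the DACL back so the delegation can be reviewed. It assumes the RSAT ActiveDirectory module, rights to write the OU's security descriptor, and the OU DN and user from the final answer; the task names, the New-Ace and Show-Guid helpers are this example's own.

```powershell
# Added example; not the code of the question or either answer.
# Assumes: RSAT ActiveDirectory module, rights to write the OU's security descriptor,
# and the OU / user from the question. $Tasks, New-Ace and Show-Guid are this example's own.
Import-Module ActiveDirectory

$OU      = Get-ADOrganizationalUnit -Identity "OU=TestUsers,DC=contoso,DC=private"
$SID     = [System.Security.Principal.SecurityIdentifier](Get-ADUser -Identity "NickA").SID
$Path    = "AD:$($OU.DistinguishedName)"
$RootDSE = Get-ADRootDSE

# Schema class and attribute GUIDs (user, group, member, pwdLastSet, ...) looked up
# from the schema partition instead of being hard-coded.
$SchemaGuid = @{}
Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $SchemaGuid[$_.lDAPDisplayName] = [Guid]$_.schemaIDGUID }

# Extended rights, keyed by displayName ("Reset Password" is the displayName of the
# User-Force-Change-Password right), from the configuration partition.
$RightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.ConfigurationNamingContext)" `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $RightGuid[$_.displayName] = [Guid]$_.rightsGuid }

$AnyObject = [Guid]::Empty

# Builds one Allow ACE for the trustee. $ObjectType limits the rights to one class,
# attribute or extended right; $InheritedObjectType limits inheritance to one class.
function New-Ace {
    param(
        [string]$Rights,
        [Guid]$ObjectType,
        [string]$Inheritance,
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $SID,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        $InheritedObjectType
    )
}

# The five wizard tasks from the question, each as the ACEs it needs.
$Tasks = [ordered]@{
    '1 Create, delete, and manage user accounts' = @(
        (New-Ace 'CreateChild,DeleteChild' $SchemaGuid['user'] 'All'),
        (New-Ace 'GenericAll' $AnyObject 'Descendents' $SchemaGuid['user'])
    )
    '2 Reset user passwords and force password change at next logon' = @(
        (New-Ace 'ExtendedRight' $RightGuid['Reset Password'] 'Descendents' $SchemaGuid['user']),
        (New-Ace 'ReadProperty,WriteProperty' $SchemaGuid['pwdLastSet'] 'Descendents' $SchemaGuid['user'])
    )
    '3 Read all user information' = @(
        (New-Ace 'ReadProperty' $AnyObject 'Descendents' $SchemaGuid['user'])
    )
    '4 Create, delete and manage groups' = @(
        (New-Ace 'CreateChild,DeleteChild' $SchemaGuid['group'] 'All'),
        (New-Ace 'GenericAll' $AnyObject 'Descendents' $SchemaGuid['group'])
    )
    '5 Modify the membership of a group' = @(
        (New-Ace 'ReadProperty,WriteProperty' $SchemaGuid['member'] 'Descendents' $SchemaGuid['group'])
    )
}

# Apply: add every ACE to the OU's DACL and write it back once.
$Acl = Get-Acl -Path $Path
foreach ($task in $Tasks.Keys) {
    foreach ($ace in $Tasks[$task]) { $Acl.AddAccessRule($ace) }
}
Set-Acl -Path $Path -AclObject $Acl

# Verify: read the DACL back and list what the trustee now holds, translating
# GUIDs back to schema and extended-right names so the entries can be reviewed.
$NameOfGuid = @{}
$SchemaGuid.GetEnumerator() | ForEach-Object { $NameOfGuid[$_.Value] = $_.Key }
$RightGuid.GetEnumerator()  | ForEach-Object { $NameOfGuid[$_.Value] = $_.Key }
function Show-Guid([Guid]$g) { if ($g -eq [Guid]::Empty) { '(all)' } else { $NameOfGuid[$g] } }

(Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $SID } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
        @{ n = 'ObjectType';          e = { Show-Guid $_.ObjectType } },
        @{ n = 'InheritedObjectType'; e = { Show-Guid $_.InheritedObjectType } } |
    Format-Table -AutoSize
```

The verification listing at the end is the part worth keeping around: it is the same check you would run on any OU to see exactly what a delegate holds. Note that tasks 1 and 4 grant GenericAll on user and group objects, which already covers tasks 2, 3 and 5; if the delegate only needs to reset passwords or edit group membership, apply just those entries and leave the GenericAll ACEs out.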