我试图find一种方法来在几个GPO(大约50)中为某个组设置“应用策略”来“拒绝”,所以我正在寻找一个自动执行的方法,当我遇到这个post时, aparently)用以下脚本废弃的博客:
$strGroup = "my group" $strGPO = "my GPO" $GroupObject = Get-ADGroup $strGroup $GroupSid = new-object System.Security.Principal.SecurityIdentifier $GroupObject.SID $GPOObject = Get-GPO $strGPO $GPOPath = $GPOObject.path $GPOADObject = [ADSI]"LDAP://$GPOPath" $GPOObjSec = $GPOADObject.psbase.ObjectSecurity $GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier]) $extRight = [system.guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939" $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ReadProperty, GenericExecute","Deny","None" $ace2 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ExtendedRight","Deny",$extRight,"All" $GPOADObject.psbase.get_objectSecurity().AddAccessRule($ace1) $GPOADObject.psbase.get_objectSecurity().AddAccessRule($ace2) $GPOADObject.psbase.CommitChanges() $GPOGPTstr = "\\"+$GPOObject.DomainName+"\SYSVOL\"+$GPOObject.DomainName+"\Policies\{"+$GPOObject.Id+"}" $acl = Get-ACL $GPOGPTstr $acl.SetAccessRuleProtection($True, $False) $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($strGroup,"ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Deny") $acl.AddAccessRule($rule) Set-Acl $GPOGPTstr $acl 我已经添加了一个foreach循环,从文本文件中获取我的组。 它工作,除了第14行:
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ReadProperty, GenericExecute","Deny","None"
这会引发以下错误:
new-object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the argument count: "4". At .\denyApplyGPOtoGroup.ps1:16 char:10 + $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [New-Object], MethodException + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
当然,第16行失败,因为$ace1是$null 。 尽pipe如此,脚本types的工作:基本上,权限正确地应用到GPC,而不是对GPT,这是有意义的代码和错误抛出。 所以当我去GPMC的时候,点击GPO,我收到一条消息:
“SYSVOL文件夹中此GPO的权限与Active Directory中的权限不一致。 build议这些权限是一致的。 要将SYSVOL中的权限更改为Active Directory中的权限,请单击“确定”。
点击确定可以解决这个问题,但仍然在寻找解决方法,尽pipe…任何想法?
删除$ ace1并删除这些行;
$GPOGPTstr = "\\"+$GPOObject.DomainName+"\SYSVOL\"+$GPOObject.DomainName+"\Policies\{"+$GPOObject.Id+"}" $acl = Get-ACL $GPOGPTstr $acl.SetAccessRuleProtection($True, $False) $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($strGroup,"ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Deny") $acl.AddAccessRule($rule) Set-Acl $GPOGPTstr $acl
所有你想要的是添加拒绝应用权利。 因此,您不需要更改Sysvol策略文件夹中的ACL,也不想删除读取权限。
$ ace1删除了读取策略权限。
最终的代码是这样的:
$strGroup = "Domain Admins" $strGPO = "RES Workspace Manager Shell" $GroupObject = Get-ADGroup $strGroup $GroupSid = new-object System.Security.Principal.SecurityIdentifier $GroupObject.SID $GPOObject = Get-GPO $strGPO $GPOPath = $GPOObject.path $GPOADObject = [ADSI]"LDAP://$GPOPath" $GPOObjSec = $GPOADObject.psbase.ObjectSecurity $GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier]) $extRight = [system.guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939" $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ExtendedRight","Deny",$extRight,"All" $GPOADObject.psbase.get_objectSecurity().AddAccessRule($ace) $GPOADObject.psbase.CommitChanges()