How to set or clear "Manager can update membership list" with PowerShell

For distribution groups I can set the "Manager can update membership list" option with the ADUC MMC, but I cannot find out how to do it with PowerShell. Also, even when the "Manager can update membership list" property is set in ADUC, Get-QADGroup in PowerShell still shows the ManagerCanUpdateMembershipList property as false.

In an AD 2003 environment this is a two-step process:

# Step 1: grant WriteProperty on the "member" attribute of the group, on this object only.
# <GroupDN> and <ManagerDN> are placeholders for the group and the manager account.
Add-QADPermission -Identity <GroupDN> -Account <ManagerDN> -Rights WriteProperty -Property "Member" -ApplyTo 'ThisObjectOnly'

# Step 2: populate the Managed By field.
Set-QADGroup -Identity <GroupDN> -ManagedBy <ManagerDN>

The first command sets the necessary permission and works fine, but if no user account is specified in the Managed By field in ADUC, that field stays empty and the box is not checked. The second command populates that field, and once both conditions are met, the box is checked.

Keep in mind that the ManagerCanUpdateMembershipList field in the group properties still reads FALSE in an AD environment without an ActiveRoles Server. That field is apparently specific to ActiveRoles Server.
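The same two steps with the Microsoft ActiveDirectory module and its AD: PSDrive instead of the Quest cmdlets, together with the reverse operation (clearing the permission and the Managed By field, which the question also asks about) and a check that reads both halves back. This is an added example, not code from the original answer. It assumes the RSAT ActiveDirectory module is installed and the caller may modify the group's DACL and managedBy; the function names are mine and the DNs are placeholders.

```powershell
# Added example, not from the original answer: grant WriteProperty on "member", then set
# managedBy, using the Microsoft ActiveDirectory module and its AD: PSDrive instead of the
# Quest QAD cmdlets; plus the reverse operation and a check.
# Assumptions: RSAT ActiveDirectory module installed; the caller may modify the group's
# DACL and managedBy; the DNs passed in are placeholders for real objects.
Import-Module ActiveDirectory

# Schema GUID of the "member" attribute. Scoping the ACE to this GUID is what makes it
# "update membership list" rather than "write any attribute of the group".
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-MemberWriteAces {
    # Explicit Allow ACEs on the group that grant WriteProperty on "member" to the given SID.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -eq $Sid -and
            $_.ObjectType -eq $MemberAttributeGuid -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
        }
}

function Set-GroupManagerCanUpdateMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$ManagerDN
    )
    $sid = (Get-ADUser -Identity $ManagerDN).SID        # use Get-ADGroup here if the manager is a group
    $acl = Get-Acl -Path "AD:\$GroupDN"
    if (-not (Get-MemberWriteAces -Acl $acl -Sid $sid)) {
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $MemberAttributeGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)  # "This object only"
        $acl.AddAccessRule($ace)
        Set-Acl -Path "AD:\$GroupDN" -AclObject $acl                          # step 1: the permission
    }
    Set-ADGroup -Identity $GroupDN -ManagedBy $ManagerDN                       # step 2: the Managed By field
}

function Clear-GroupManagerCanUpdateMembers {
    # Reverse of the above: remove the manager's member-write ACE(s) and empty managedBy.
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$ManagerDN
    )
    $sid = (Get-ADUser -Identity $ManagerDN).SID
    $acl = Get-Acl -Path "AD:\$GroupDN"
    foreach ($ace in @(Get-MemberWriteAces -Acl $acl -Sid $sid)) {
        $acl.RemoveAccessRuleSpecific($ace)
    }
    Set-Acl -Path "AD:\$GroupDN" -AclObject $acl
    Set-ADGroup -Identity $GroupDN -Clear managedBy
}

function Test-GroupManagerCanUpdateMembers {
    # $true only when both halves are in place, which is also the condition under which
    # ADUC shows the checkbox ticked.
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$ManagerDN
    )
    $sid = (Get-ADUser -Identity $ManagerDN).SID
    $managedBy = (Get-ADGroup -Identity $GroupDN -Properties managedBy).managedBy
    $acl = Get-Acl -Path "AD:\$GroupDN"
    $hasAce = [bool](Get-MemberWriteAces -Acl $acl -Sid $sid)
    return ($managedBy -eq $ManagerDN) -and $hasAce
}

# Usage with placeholder DNs:
# Set-GroupManagerCanUpdateMembers  -GroupDN 'CN=TPS Reports Dir,OU=All Groups,DC=Initech,DC=com' -ManagerDN 'CN=some manager,OU=All Users,DC=Initech,DC=com'
# Test-GroupManagerCanUpdateMembers -GroupDN 'CN=TPS Reports Dir,OU=All Groups,DC=Initech,DC=com' -ManagerDN 'CN=some manager,OU=All Users,DC=Initech,DC=com'
# Clear-GroupManagerCanUpdateMembers -GroupDN 'CN=TPS Reports Dir,OU=All Groups,DC=Initech,DC=com' -ManagerDN 'CN=some manager,OU=All Users,DC=Initech,DC=com'
```

Check the result with the Test function rather than with the ManagerCanUpdateMembershipList flag: as the answer notes, that flag is only populated through ActiveRoles Server, whereas the DACL entry and the managedBy value are what ADUC actually evaluates. The ACE is scoped to the member attribute with inheritance None, which is the equivalent of the Quest `-ApplyTo 'ThisObjectOnly'`; granting plain WriteProperty without the GUID would let the manager write every attribute of the group.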

I have a blog post explaining how to do this with the ActiveDirectory module and ADSI; you can find it here if you just want the code:

<#
.SYNOPSIS
    Sets the manager property on an AD group and grants change-membership rights.
.DESCRIPTION
    Sets the manager property on an AD group and grants change-membership rights.
    This is done by manipulating properties directly on the DirectoryEntry object
    obtained with ADSI. It sets the managedBy property and adds an ACE to the DACL
    allowing said manager to modify the group membership.
.EXAMPLE
    Set-GroupManager -ManagerDN "CN=some manager,OU=All Users,DC=Initech,DC=com" -GroupDN "CN=TPS Reports Dir,OU=All Groups,DC=Initech,DC=com"
.EXAMPLE
    (Get-ADGroup -Filter {Name -like "sharehost - *"}).DistinguishedName | % { Set-GroupManager "CN=some manager,OU=All Users,DC=Initech,DC=com" $_ }
#>
function Set-GroupManager {
    param (
        [Parameter(Mandatory=$true, ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$true, Position=0)]
        [string]$ManagerDN,
        [Parameter(Mandatory=$true, ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$true, Position=1)]
        [string]$GroupDN
    )
    try {
        Import-Module ActiveDirectory -NoClobber

        # Resolve the manager's SID; the ACE has to be keyed on a SID, not a DN.
        $identityRef = (Get-ADUser -Identity $ManagerDN).SID.Value
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($identityRef)

        # Allow WriteProperty on the "member" attribute only (its schema GUID),
        # not on every attribute of the group.
        $adRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, `
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, `
            [System.Security.AccessControl.AccessControlType]::Allow, `
            [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2")

        # Populate managedBy (the "Managed By" field in ADUC).
        $grp = [ADSI]"LDAP://$GroupDN"
        $grp.InvokeSet("managedBy", @("$ManagerDN"))
        $grp.CommitChanges()

        # Add the ACE. Restrict the security descriptor read/write to the DACL.
        # Taken from here: http://blogs.msdn.com/b/dsadsi/archive/2013/07/09/setting-active-directory-object-permissions-using-powershell-and-system-directoryservices.aspx
        [System.DirectoryServices.DirectoryEntryConfiguration]$SecOptions = $grp.get_Options()
        $SecOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl'
        $grp.get_ObjectSecurity().AddAccessRule($adRule)
        $grp.CommitChanges()
    }
    catch {
        throw
    }
}


Your question piqued my interest, and I used Google to find an answer... I have no experience with the Quest cmdlets for PoSh.

The description of New-QADGroup says that using the ManagerCanUpdateMembershipList parameter requires a connection to an ActiveRoles server.