AWS Directory Services - Access Denied

I am trying to use this module as part of automating AD in AWS.

Script

... Install RSAT-AD-PowerShell & xActiveDirectory ... then

```powershell
Configuration DevAws
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -Module xActiveDirectory

    Node localhost
    {
        xADUser MattCanty
        {
           UserName = "matt.canty"
           DomainName = "dev.aws"
        }
    }
}

DevAws

Start-DscConfiguration -Path ./DevAws -Wait -Verbose -Force
```

Log

```
    Directory: C:\Users\admin\Documents\DevAws


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/18/2018   5:06 PM           1896 localhost.mof
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer EC2AMAZ-75TV86U with user sid S-1-5-21-264491047-2034986546-3023887121-1105.
VERBOSE: [EC2AMAZ-75TV86U]: LCM:  [ Start  Set      ]
VERBOSE: [EC2AMAZ-75TV86U]: LCM:  [ Start  Resource ]  [[xADUser]MattCanty]
VERBOSE: [EC2AMAZ-75TV86U]: LCM:  [ Start  Test     ]  [[xADUser]MattCanty]
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] Retrieving Active Directory user 'matt.canty' (matt.canty@dev.aws) ...
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] Active Directory user 'matt.canty' (matt.canty@dev.aws) was NOT present.
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] User 'Ensure' property is NOT in the desired state. Expected 'Present', actual 'Absent'.
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] User 'Enabled' property is NOT in the desired state. Expected 'True', actual ''.
VERBOSE: [EC2AMAZ-75TV86U]: LCM:  [ End    Test     ]  [[xADUser]MattCanty]  in 0.5470 seconds.
VERBOSE: [EC2AMAZ-75TV86U]: LCM:  [ Start  Set      ]  [[xADUser]MattCanty]
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] Retrieving Active Directory user 'matt.canty' (matt.canty@dev.aws) ...
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] Active Directory user 'matt.canty' (matt.canty@dev.aws) was NOT present.
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] Adding Active Directory user 'matt.canty'.
Access is denied
    + CategoryInfo          : PermissionDenied: (CN=matt.canty,O...s,DC=dev,DC=aws:) [], CimException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.NewADUser
    + PSComputerName        : localhost

VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] Retrieving Active Directory user 'matt.canty' (matt.canty@dev.aws) ...
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] Active Directory user 'matt.canty' (matt.canty@dev.aws) was NOT present.
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] Updating user property 'Enabled' with/to 'True'.
VERBOSE: [EC2AMAZ-75TV86U]:                            [[xADUser]MattCanty] Updating Active Directory user 'matt.canty'.
Cannot find an object with identity: 'matt.canty' under: 'DC=dev,DC=aws'.
    + CategoryInfo          : ObjectNotFound: (matt.canty:) [], CimException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.SetADUser
    + PSComputerName        : localhost

VERBOSE: [EC2AMAZ-75TV86U]: LCM:  [ End    Set      ]  [[xADUser]MattCanty]  in 0.3440 seconds.
The PowerShell DSC resource '[xADUser]MattCanty' with SourceInfo 'C:\Users\admin\Documents\Run-AdDsc.ps1::17::9::xADUser' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: [EC2AMAZ-75TV86U]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.484 seconds
```

Notes

I actually want to run this remotely via CloudFormation or Run Command, which means I will probably need to incorporate a PSCredential somehow. I can't see how DomainAdministratorCredential on xADUser would help, since the property isn't on xADGroup...

Any help is appreciated before I start rolling my own solution!

Thanks

By default, DSC runs as the Local System account, so you will get access denied when you try to use external resources (AD, file shares, etc.).

DomainAdministratorCredential on xADUser is what you want; from the docs:

[PSCredential] DomainAdministratorCredential (Write): User account credentials used to perform the task.

For some odd reason, the property on xADGroup is just called Credential, even though it serves the same purpose.

[PSCredential] Credential: User account credentials used to perform the operation.
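The following is an added example, not code from the question or the answer above: the same DevAws configuration with the credential wired in as the answer suggests, and with the PSCredential encrypted in the MOF using the target node's DSC certificate instead of PSDscAllowPlainTextPassword, so the password is not written to disk in clear text when the configuration is compiled and pushed non-interactively. The user, domain and configuration name come from the question; the certificate path, thumbprint, service account name and the DSC_AD_PASSWORD environment variable are placeholders I assume for the example.

```powershell
# Added example: xADUser with an explicit credential and an encrypted MOF.
# Names from the question: DevAws, matt.canty, dev.aws.
# Placeholders (assumptions): DEV\dsc-provisioner, the certificate path,
# the thumbprint, and the DSC_AD_PASSWORD environment variable.

Configuration DevAws
{
    param (
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]
        $DomainCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xActiveDirectory

    Node $AllNodes.NodeName
    {
        xADUser MattCanty
        {
            UserName                      = 'matt.canty'
            DomainName                    = 'dev.aws'
            Ensure                        = 'Present'
            # Runs the AD cmdlets as this account instead of Local System.
            DomainAdministratorCredential = $DomainCredential
        }
    }
}

# Configuration data: CertificateFile/Thumbprint tell the compiler to encrypt
# the credential in the MOF with the node's public key. The public certificate
# is exported from the node; the private key stays in its LocalMachine store.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = 'C:\DscPublicKey\localhost.cer'   # placeholder path
            Thumbprint      = 'THUMBPRINT-PLACEHOLDER'          # placeholder
        }
    )
}

# Non-interactive invocation (CloudFormation / Run Command): the password is
# read from a secret store at run time. An environment variable stands in for
# that store here (assumption for the example); nothing is hard-coded.
$securePassword   = ConvertTo-SecureString -String $env:DSC_AD_PASSWORD -AsPlainText -Force
$domainCredential = New-Object System.Management.Automation.PSCredential ('DEV\dsc-provisioner', $securePassword)

# Compile the MOF; the credential inside it is now encrypted, not plain text.
DevAws -ConfigurationData $configData -DomainCredential $domainCredential -OutputPath ./DevAws

# Point the LCM at the certificate whose private key decrypts that credential.
[DSCLocalConfigurationManager()]
Configuration LcmConfig
{
    Node localhost
    {
        Settings
        {
            CertificateID = 'THUMBPRINT-PLACEHOLDER'   # placeholder
        }
    }
}
LcmConfig -OutputPath ./LcmConfig
Set-DscLocalConfigurationManager -Path ./LcmConfig

Start-DscConfiguration -Path ./DevAws -Wait -Verbose -Force
```

Despite the property's name, the account handed to DomainAdministratorCredential only needs the rights the resource actually exercises (creating and modifying user objects in the target container), so a delegated provisioning account is preferable to a Domain Admin for a job that runs unattended on an EC2 instance. If the certificate step is skipped, the compiler refuses to embed the credential unless PSDscAllowPlainTextPassword is set in the node data, which leaves the password readable in localhost.mof.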