SET-ACL via powershell for computer object
I am trying to modify the permissions on several computers in my domain so that they are allowed to authenticate across domains.
My code is simple, but I keep getting an error.
Function Add-ADGroupACL
{
param([string]$Computername,[string]$Access)
#Get a reference to the RootDSE of the current domain
$rootdse = Get-ADRootDSE
#Get a reference to the current domain
$domain = Get-ADDomain
#Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}
#Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
#Get the computer object to modify
$Computer = Get-ADComputer -Identity $Computername
#get the SID of the group you wish to add to the computer.
$GroupIdentity = New-Object System.Security.Principal.SecurityIdentifier(Get-ADGroup -Identity $Access).SID
$computersADPath = "AD:\" + $Computer.DistinguishedName
$ComputerACL = Get-ACL $computersADPath
#Create a new rule to add to the object
$newAccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$GroupIdentity,"ExtendedRight",
"Allow",
$extendedrightsmap["Allowed To Authenticate"],
"None")
$newAccessRule
#Add the rule to the ACL
$ComputerACL.AddAccessRule($newAccessRule)
#Set Rules to the ACL
Set-Acl -AclObject $ComputerACL -Path $computersADPath
}
For convenience I have posted the whole function.
It is simply called like this:
Add-ADGroupACL -Computername 'TestComputer' -Access 'TestGroup'
Here is the error message I keep getting:
Set-Acl : This security ID may not be assigned as the owner of this object
At line:88 char:5
+ Set-Acl -AclObject $ComputerACL -Path $computersADPath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=testComputer,OU=Co...C=subdomain,DC=domain:String) [Set-Acl], ADException
+ FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:ADError,Microsoft.PowerShell.Commands.SetAclCommand
The access rule looks correct. It shows this:
ActiveDirectoryRights : ExtendedRight
InheritanceType : None
ObjectType : 68b1d179-0d15-4d4f-ab71-46152e79a7bc
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : S-1-5-21-2926237862-3770063950-2320700579-361721
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
Any help would be appreciated.
Thanks.
For anyone else running into this problem, here is the solution.
Basically, Get-ACL and Set-ACL work by retrieving the whole ACL. You edit the ACL, and then Set-ACL tries to rewrite the whole ACL.
More info: https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-control-entries
So basically you just need to create a single ACE and add it to the ACL dynamically. It is best to use DSACLS.
Code:
Function Add-ADGroupACEExtendedRight
{
    param(
        [string]$Computername = $(throw "Computer name must be specified"),
        [string]$Access = $(throw "User or group to which to give access must be specified"),
        [string]$ExtendedRight = $(throw "Extended Right Property Name Required")
    )
    #Get the computer object to modify
    $Computer = Get-ADComputer -Identity $Computername
    #Get the SID of the group you wish to add to the computer.
    $GroupIdentity = New-Object System.Security.Principal.SecurityIdentifier(Get-ADGroup -Identity $Access).SID
    #Set permissions: /G grants, "CA;<right>" is the dsacls syntax for a control-access (extended) right
    dsacls $Computer.DistinguishedName /G $GroupIdentity":CA;"$ExtendedRight
}
Usage:
Add-ADGroupACEExtendedRight -Computername "TestAsset" -Access "GroupID" -ExtendedRight "Allowed To Authenticate"
You can add any extended right here.
More info on DSACLS: https://technet.microsoft.com/pt-pt/library/cc787520%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
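After granting the right with dsacls as in the answer, a practitioner will want to read the computer object's DACL back and confirm exactly which principals now hold that extended right, including any ACE that grants all extended rights at once. The following is an added example, not code from the question or the answer; it assumes the ActiveDirectory module (which provides the AD: drive) and uses the same rightsGuid lookup the question's code performs, and the function name is hypothetical.

```powershell
# Added example: audit which principals hold a given extended right on a computer object.
# Assumes the ActiveDirectory module; reading the DACL with Get-Acl does not touch the
# owner, so it does not hit the Set-Acl owner error from the question.
Import-Module ActiveDirectory

Function Get-ADComputerExtendedRightHolders
{
    param(
        [Parameter(Mandatory=$true)][string]$Computername,
        [string]$ExtendedRight = "Allowed To Authenticate"
    )
    # Resolve the display name of the extended right to its rightsGuid, as the question does
    $rootdse = Get-ADRootDSE
    $right = Get-ADObject -SearchBase $rootdse.ConfigurationNamingContext `
        -LDAPFilter "(&(objectclass=controlAccessRight)(displayName=$ExtendedRight))" `
        -Properties rightsGuid
    if (-not $right) { throw "Extended right '$ExtendedRight' not found in the configuration partition" }
    $rightGuid = [System.Guid]$right.rightsGuid

    $Computer = Get-ADComputer -Identity $Computername
    $acl = Get-Acl -Path ("AD:\" + $Computer.DistinguishedName)
    $extendedRightBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq "Allow" -and
            (([int]$_.ActiveDirectoryRights -band $extendedRightBit) -ne 0) -and
            # An all-zero ObjectType means the ACE grants every extended right, not just this one
            ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [System.Guid]::Empty)
        } |
        Select-Object @{n="Principal";e={$_.IdentityReference}},
                      @{n="Explicit";e={-not $_.IsInherited}},
                      @{n="AllExtendedRights";e={$_.ObjectType -eq [System.Guid]::Empty}}
}

# Usage after the answer's dsacls call: the granted group should appear with Explicit = True
Get-ADComputerExtendedRightHolders -Computername "TestAsset" -ExtendedRight "Allowed To Authenticate"
```

Rows with AllExtendedRights = True deserve a second look, since such an ACE covers far more than the single right the answer intended to grant.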