PowerShell: How to add 1 user to multiple Active Directory Security Groups - Security tab of the security group with write permission
I am trying to add 1 ID to multiple security groups in Active Directory.
The ID only needs to be added to the "Security Tab" of the security group, not added as a member.
I need to set "write" permission for this ID.
Is there a way to do this in PowerShell?
There are instructions here, although they give the user full control over the group (including the right to delete it), and there are some other issues (such as a hard-coded user name).
I have modified that example for you to grant only GenericWrite permission and to accept the user name as a parameter. This also assumes that the user, the group, and the computer you are running on are all in the same domain:
```powershell
function Set-GroupSecurity {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $UserName
    )
    # Bind to the root of the current domain and locate the group by sAMAccountName
    $dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root   = $dom.GetDirectoryEntry()
    $search = [System.DirectoryServices.DirectorySearcher]$root
    $search.Filter = "(&(objectclass=group)(sAMAccountName=$GroupName))"
    $result = $search.FindOne()
    if (-not $result) {
        throw "Group '$GroupName' was not found in domain '$($dom.Name)'."
    }
    $object = $result.GetDirectoryEntry()
    $sec    = $object.ObjectSecurity
    ## set the rights and control type
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $read  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $write = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
    ## who does this apply to
    # $dom.Name is the DNS domain name (e.g. contoso.com), which NTAccount resolves;
    # ([ADSI]"").Name returns the RDN ("DC=contoso") and would not resolve to an account.
    $who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $dom.Name, $UserName
    # apply rules
    $readrule  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $read, $allow
    $sec.AddAccessRule($readrule)
    $writerule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $write, $allow
    $sec.AddAccessRule($writerule)
    # tell it that we're only changing the DACL and not the owner
    $object.get_Options().SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    # save
    $object.CommitChanges()
}
```
You can paste this into a PowerShell prompt and press Enter; that makes the function available for use. Then you can use it like this:
```powershell
Set-GroupSecurity -GroupName "TstGroup1" -UserName "someone"
```
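Since the question is about several groups, here is an added example (not part of the answer above) that applies Set-GroupSecurity to a list of groups and then reads each group's DACL back so you can confirm exactly which ACEs the account now holds. It assumes the Set-GroupSecurity function above is already loaded in the session; the group and user names are placeholders.

```powershell
# Added example: delegate one account on several groups, then audit the result.
# Assumes Set-GroupSecurity (defined above) is already loaded in this session.
# Group and user names are placeholders.
$groups = @('TstGroup1', 'TstGroup2', 'TstGroup3')
$user   = 'someone'

$dom  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()

foreach ($g in $groups) {
    try {
        # CmdletBinding on the function makes -ErrorAction Stop turn failures into exceptions
        Set-GroupSecurity -GroupName $g -UserName $user -ErrorAction Stop
    } catch {
        Write-Warning "Skipping '$g': $($_.Exception.Message)"
        continue
    }

    # Re-read the group and list every explicit or inherited ACE that names this account.
    $search = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $search.Filter = "(&(objectClass=group)(sAMAccountName=$g))"
    $entry = $search.FindOne().GetDirectoryEntry()
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    $rules |
        Where-Object { $_.IdentityReference.Value -like "*\$user" } |
        Select-Object @{ n = 'Group'; e = { $g } },
                      IdentityReference,
                      ActiveDirectoryRights,
                      AccessControlType,
                      IsInherited |
        Format-Table -AutoSize
}
```

GenericWrite on a group object includes WriteProperty on the member attribute, so the delegated account can change the group's membership; the readback above is where to confirm that this is the right set of groups.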