Delegate permission using PowerShell
I am trying to write a script to delegate permissions on an OU in AD, but when I try to add these two permissions under the permissions, every time I get the ACL there is only the GenericAll permission. It looks like it takes precedence over Create, Delete. What is the cause of this, and how can I fix it?
# Overload: identity, rights, type, objectType GUID, inheritance type
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "CreateChild, DeleteChild", "Allow", $Groups, "All"
# Overload: identity, rights, type, inheritance type, inheritedObjectType GUID
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow", "Descendents", $Groups
Regards
• The second command, i.e. '$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow", "Descendents", $Groups', takes precedence over the first command, because the "AD Right" GenericAll grants rights over all objects in that container, and the "type" of the permission is Allow, which means you have allowed full-control access to all objects present in that Active Directory container. In addition, you have specified the "InheritanceType" as Descendents, which means the permission will be applied to all objects nested in the container, and those permissions will be applied based on inheritance from the parent container/object.
• Therefore, to resolve this issue, you only need to specify in the custom permissions those permissions to be delegated to the specific group for that organizational unit, i.e. the ones that need to be delegated and that the users of that group are expected to exercise on that OU. Please find the example below for reference on how to delegate custom permissions to a group on a specific OU in Active Directory:-
# Requires the ActiveDirectory module (for the AD: drive and Get-ADUser)
Import-Module ActiveDirectory
# $rootDN is the author's placeholder for the domain DN (e.g. (Get-ADDomain).DistinguishedName)
$OrganizationalUnit = "OU=Servers,OU=SP02,OU=Delivery,$rootDN"
$ServiceUserName = "account_name"
Set-Location AD:
# Resolve the trustee and its SID (the answer uses Get-ADUser here; use Get-ADGroup for a group)
$Group = Get-ADUser -Identity $ServiceUserName
$GroupSID = [System.Security.Principal.SecurityIdentifier] $Group.SID
$ACL = Get-Acl -Path $OrganizationalUnit
$Identity = [System.Security.Principal.IdentityReference] $GroupSID
# Schema class, extended-right and property-set GUIDs that scope each ACE
$Computers = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"            # computer object class
$ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"        # Reset Password extended right
$ValidatedDNSHostName = [GUID]"72e39547-7b18-11d1-adef-00c04fd8d5cd" # Validated write to DNS host name
$ValidatedSPN = [GUID]"f3a64788-5306-11d1-a9c5-0000f80367c1"         # Validated write to SPN
$AccountRestrictions = [GUID]"4c164200-20c0-11d0-a768-00aa006e0529"  # Account Restrictions property set
# Create/delete computer objects on this OU and everything below it (objectType = computer class)
$RuleCreateAndDeleteComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "CreateChild, DeleteChild", "Allow", $Computers, "All")
# The remaining rules apply only to descendant computer objects (inheritedObjectType = computer class)
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ExtendedRight", "Allow", $ResetPassword, "Descendents", $Computers)
$RuleValidatedDNSHostName = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($GroupSID, "Self", "Allow", $ValidatedDNSHostName, "Descendents", $Computers)
$RuleValidatedSPN = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($GroupSID, "Self", "Allow", $ValidatedSPN, "Descendents", $Computers)
$RuleAccountRestrictions = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ReadProperty, WriteProperty", "Allow", $AccountRestrictions, "Descendents", $Computers)
# Add the specific ACEs to the OU's DACL and write it back
$ACL.AddAccessRule($RuleCreateAndDeleteComputer)
$ACL.AddAccessRule($RuleResetPassword)
$ACL.AddAccessRule($RuleValidatedDNSHostName)
$ACL.AddAccessRule($RuleValidatedSPN)
$ACL.AddAccessRule($RuleAccountRestrictions)
Set-Acl -Path $OrganizationalUnit -AclObject $ACL
Please find the links below for more information:-
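An added verification script (not part of the question or the answer above) that reads the OU's ACL back after delegation, decodes each explicit ACE using the GUIDs from the answer, and flags any trustee that holds GenericAll, which is what makes a narrower CreateChild/DeleteChild rule for the same trustee look as if it were missing. It assumes the ActiveDirectory module and the same OU path as the answer, and resolves $rootDN via Get-ADDomain.

```powershell
# Added audit example; $rootDN resolution and the OU path are assumptions matching the answer above.
Import-Module ActiveDirectory
$rootDN = (Get-ADDomain).DistinguishedName
$OrganizationalUnit = "OU=Servers,OU=SP02,OU=Delivery,$rootDN"

# GUIDs used in the answer, plus the empty GUID (an ACE with no object type applies to all types)
$GuidNames = @{
    "00000000-0000-0000-0000-000000000000" = "All"
    "bf967a86-0de6-11d0-a285-00aa003049e2" = "computer (class)"
    "00299570-246d-11d0-a768-00aa006e0529" = "Reset Password (extended right)"
    "72e39547-7b18-11d1-adef-00c04fd8d5cd" = "Validated write to DNS host name"
    "f3a64788-5306-11d1-a9c5-0000f80367c1" = "Validated write to SPN"
    "4c164200-20c0-11d0-a768-00aa006e0529" = "Account Restrictions (property set)"
}
function Resolve-GuidName([guid]$g) {
    $key = $g.ToString()
    if ($GuidNames.ContainsKey($key)) { $GuidNames[$key] } else { $key }
}

$acl = Get-Acl -Path "AD:\$OrganizationalUnit"
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$report = foreach ($ace in $acl.Access) {
    # Only explicit ACEs on this OU are of interest; inherited ones come from parents
    if ($ace.IsInherited) { continue }
    [pscustomobject]@{
        Identity    = $ace.IdentityReference.ToString()
        Type        = $ace.AccessControlType
        Rights      = $ace.ActiveDirectoryRights.ToString()
        ObjectType  = Resolve-GuidName $ace.ObjectType
        AppliesTo   = Resolve-GuidName $ace.InheritedObjectType
        Inheritance = $ace.InheritanceType
        # GenericAll already contains CreateChild/DeleteChild, so any narrower ACE is redundant
        Broad       = $ace.ActiveDirectoryRights.HasFlag($genericAll)
    }
}
$report | Format-Table -AutoSize

# Warn on trustees with GenericAll; these are the entries to remove if least privilege is the goal
$report | Where-Object { $_.Broad } | ForEach-Object {
    Write-Warning "$($_.Identity) holds GenericAll on $OrganizationalUnit (inheritance: $($_.Inheritance)); narrower ACEs for this trustee are subsumed"
}
```

Run it before and after Set-Acl to confirm that only the intended scoped ACEs were added and that no GenericAll entry remains for the delegated trustee.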