使用 Powershell 脚本,我如何向此计算机对象授予“读取所有属性”和“创建计算机对象”权限:mylab.com/Computers/Cluster1。应针对此容器授予权限:mylab.com/Computers。最终结果是“Cluster1”计算机对象应该能够读取所有属性并在其主“计算机”容器中创建计算机对象。
答案1
设法弄清楚了:
/* Get the GUID that corresponds to Computer objects */
$ComputerGUID = [GUID](Get-ADObject -Filter 'DistinguishedName -eq "CN=Computer,CN=Schema,CN=Configuration,DC=mylab,DC=com"' -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID).schemaIDGUID
$Path = [ADSI]"LDAP://CN=Computers,DC=mylab,DC=com"
$ntaccount = New-Object System.Security.Principal.NTAccount("mylab\cluster1$")
$IdentityReference = $ntaccount.Translate([System.Security.Principal.SecurityIdentifier])
$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,"CreateChild","Allow",$ComputerGUID,"All",$([GUID]::Empty))
$Path.psbase.ObjectSecurity.AddAccessRule($Perms)
$Perms = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference,"ReadProperty","Allow",$([GUID]::Empty),"All",$([GUID]::Empty))
$Path.psbase.ObjectSecurity.AddAccessRule($Perms)
$Path.psbase.commitchanges()
/* Check the results */
(Get-Acl "ad:\CN=Computers,DC=mylab,DC=com").Access | where-object { $_.IdentityReference -eq 'MYLAB\Cluster1$' }
/* Check the returned ObjectType GUID is Computer */
$RawGuid = ([guid]'bf967a86-0de6-11d0-a285-00aa003049e2').toByteArray();
Get-ADObject -Filter {schemaIDGUID -eq $rawGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -prop schemaIDGUID | Select-Object Name,@{Name='schemaIDGUID';Expression={[guid]$_.schemaIDGUID}}