如何拒绝在活动目录中为域帐户写入 servicePrincipalName

如何拒绝在活动目录中为域帐户写入 servicePrincipalName

我无法从域帐户中删除写入 servicePrincipalName 属性。System.DirectoryServices.ActiveDirectoryAccessRule 出了点问题,我无法理解。有人能帮我理解这个问题吗?

我使用了以下代码:

Import-Module activedirectory
$Username = "test_user"
$SPNProperty = "servicePrincipalName" 
# Get the security descriptor for the user object
$SD = (Get-ADUser -Identity $Username -Properties nTSecurityDescriptor).nTSecurityDescriptor 
# Get the GUID of the servicePrincipalName attribute
$SPNSchemaObj = Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -Filter { LDAPDisplayName -eq $SPNProperty } -Properties schemaIDGUID
$SPNSchemaID = $SPNSchemaObj.schemaIDGUI
# Create a new access rule to deny the "Write Property" permission for the servicePrincipalName attribute
$AccessRule = (New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Username, "WriteProperty", "Deny",$SPNSchemaID) 
# Add the new access rule to the security descriptor
$SD.DiscretionaryAcl.AddAccessRule($AccessRule) 
# Set the modified security descriptor on the user object
Set-ADUser -Identity $Username -Replace @{nTSecurityDescriptor = $SD}

我收到以下错误:

New-Object : Cannot find an overload for "ActiveDirectoryAccessRule" and the argument count: "6".
At line:10 char:16
+ ... cessRule = (New-Object System.DirectoryServices.ActiveDirectoryAccess ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
You cannot call a method on a null-valued expression.
At line:14 char:1
+ $SD.DiscretionaryAcl.AddAccessRule($AccessRule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

答案1

$SPNSchemaObj.schemaIDGUID末尾应该有一个。

schemaIDGUID需要从字节转换如下:

$SPNSchemaID = $SPNSchemaObj.schemaIDGUID -as [guid]

您的ActiveDirectoryAccessRule代码缺少参数。请查看以下示例这个问题或其他构造函数这里

$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::New($identity, $adRights, $type, $objectType, $inheritanceType, $inheritedObjectType)

相关内容