PowerShell/ADSI permission problem with AD-related tasks

I am writing a PS script that gives users a GUI with a few buttons; clicking them performs some basic tasks such as unlocking accounts, enabling/disabling, changing passwords and killing processes/logging users off. The parts that do not work are: enabling/disabling users and changing passwords.

First, everything works when run as a domain admin, but I cannot make the users domain admins, so please do not suggest that :)

Here is the part that changes the password:

    # Look up the user object by sAMAccountName with an ADSI searcher
    $name = "osman"
    $Searcher = [ADSISearcher]"(sAMAccountName=$Name)"
    $Results = $Searcher.FindOne()
    $password = "pezevenk@321"

    # Bind to the object by its ADsPath and invoke the IADsUser SetPassword method
    [string]$adspath = $Results.Properties.adspath
    $enable = [ADSI]$adspath
    $enable.psbase.invoke("SetPassword", $password)
    $enable.psbase.CommitChanges()

The error is very generic:

    Exception calling "Invoke" with "2" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
    At line:14 char:13
    +             $enable.psbase.invoke("SetPassword", $password)

Now, obviously, before trying this I had already tried to give the user the appropriate permissions: the user I am running this as has the "Reset password" and "Change password" permissions on the "Users" folder in AD, which contains all users.

Is there a way to see exactly which permission I am missing? Can you think of anything else that is needed?

Edit: these are the permissions on the OU:

    "CN=Users,DC=domainname,DC=root,DC=com","All","User","ReadProperty, GenericExecute","Descendents","00000000-0000-0000-0000-000000000000","bf967aba-0de6-11d0-a285-00aa003049e2","InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","Pwd-Last-Set","User","ReadProperty, WriteProperty","Descendents","bf967a0a-0de6-11d0-a285-00aa003049e2","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","Lockout-Time","User","WriteProperty","Descendents","28630ebf-41d5-11d1-a9c1-0000f80367c1","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Account-Control","User","WriteProperty","Descendents","bf967a68-0de6-11d0-a285-00aa003049e2","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Force-Change-Password","User","ExtendedRight","Descendents","00299570-246d-11d0-a768-00aa006e0529","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Change-Password","User","ExtendedRight","Descendents","ab721a53-1e2f-11d0-9819-00aa0040529b","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Change-Password","User","ExtendedRight","Descendents","ab721a53-1e2f-11d0-9819-00aa0040529b","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","True","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Force-Change-Password","User","ExtendedRight","Descendents","00299570-246d-11d0-a768-00aa006e0529","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","True","ContainerInherit","InheritOnly"

Answer 1

You can edit the original AD.msc and add functionality as needed.
Here are some links:
Customizing the AD console
Right-click password reset
Right-click unlock
Adding additional columns

Answer 2

As far as I know, the only way for users to set their own password is with this command: `Set-ADAccountPassword -Identity $Name -Reset -NewPassword (ConvertTo-SecureString $Password -AsPlainText -force) -PassThru`. It will prompt them for their current password, or, if you omit NewPassword, it will prompt them for both passwords. If you are trying to give helpdesk staff these permissions, make sure you are not testing on an admin account, because they will never be able to change an admin user's password; those are protected by the attribute adminCount = 1. I have successfully allowed helpdesk staff to change passwords in ADUC with the Change Password permission on the users OU. We ended up buying a product that lets users reset their own passwords. I know this does not fully answer your question, but I hope the information helps.

Answer 3

I found the problem: the target user I was testing with, "osman", is a domain admin, and apparently domain admins do not inherit delegations (no idea why; as far as I know it is not documented). All other non-admin users work fine! Thanks for all the suggestions.
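The question asks how to see which permission is missing, and answers 2 and 3 between them point at the cause: the target account carries adminCount = 1, so the DACL on the user object itself is periodically overwritten from AdminSDHolder by the SDProp process and the rights delegated on the OU never reach it. The following diagnostic is an added example, not code from the question or any of the answers. It assumes the RSAT ActiveDirectory module is installed (for Get-ADUser, Get-Acl and the AD: drive); the account names passed in are placeholders.

```powershell
# Added example (not from the question or the answers).
# Reads the DACL of the target user object through the ActiveDirectory
# module's AD: drive and reports (a) whether the object is AdminSDHolder-
# protected (adminCount = 1) and (b) which password-related ACEs on that
# object grant the delegate directly.
Import-Module ActiveDirectory

function Test-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)] [string] $TargetSamAccountName,   # account to be reset
        [Parameter(Mandatory)] [string] $DelegateSamAccountName  # helpdesk account running the GUI
    )

    # Rights GUIDs of the two extended rights that appear in the question's ACL export.
    $forceChangePassword = [guid] '00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password ("Reset password")
    $changePassword      = [guid] 'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password

    $target   = Get-ADUser -Identity $TargetSamAccountName -Properties adminCount
    $delegate = Get-ADUser -Identity $DelegateSamAccountName

    # The DC evaluates the DACL on the object itself, not the ACL on the OU.
    # On protected accounts SDProp replaces that DACL with AdminSDHolder's copy,
    # so OU-level delegation is not inherited by the object.
    $acl = Get-Acl -Path ("AD:\" + $target.DistinguishedName)

    $matching = foreach ($ace in $acl.Access) {
        # Resolve the trustee to a SID so the comparison does not depend on name formatting.
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }
        if ($aceSid.Value -ne $delegate.SID.Value) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }

        # An all-zero ObjectType on an ExtendedRight ACE means "all extended rights".
        if     ($ace.ObjectType -eq [guid]::Empty)       { 'All extended rights' }
        elseif ($ace.ObjectType -eq $forceChangePassword) { 'User-Force-Change-Password' }
        elseif ($ace.ObjectType -eq $changePassword)      { 'User-Change-Password' }
    }

    [pscustomobject]@{
        Target                 = $target.DistinguishedName
        AdminSDHolderProtected = ($target.adminCount -eq 1)
        # Only ACEs that name the delegate directly are listed; rights granted through
        # group membership would require comparing each group SID as well.
        DelegateDirectAces     = @($matching)
    }
}

# Usage (account names are placeholders for this example):
Test-PasswordResetDelegation -TargetSamAccountName 'osman' -DelegateSamAccountName 'helpdesk01' | Format-List
```

For the situation in the question this reports AdminSDHolderProtected = True and an empty DelegateDirectAces list for the admin account, while a normal user in the same container shows the two password rights delegated on the OU. Checking adminCount before testing, as answer 2 advises, is the quickest way to avoid chasing an "Access is denied" that no OU-level delegation can fix.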
