Guide to adding a security permission for an extended right


Any help would be greatly appreciated! If something is unclear, please ask and I will do my best to explain.

The value I am trying to edit is (CN=DS-Replication-Get-Changes-All). The rightsGuid of this controlAccessRight is 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2. I updated the attribute in AD using PowerShell, but I don't know how to update the permission in the Configuration or Schema partition. I used the script below to update the admins' permissions so they can change passwords etc., but now I need to figure out how to do the same for the Configuration and Schema partitions.

Import-Module ActiveDirectory
# Switch to the Active Directory PSDrive so that AD: paths can be used later in the script
cd ad:
$acl = Get-Acl "ad:DC=corp,DC=domain,DC=net"

$group = Get-ADGroup 'AD Service Administration Tasks'
$sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID

# The following object-specific ACE grants the group permission to reset the password on all user objects under the OU
$objectGuid = New-Object Guid "00299570-246d-11d0-a768-00aa006e0529"          # rightsGuid of the extended right User-Force-Change-Password ("Reset Password")
$inheritedObjectGuid = New-Object Guid "bf967aba-0de6-11d0-a285-00aa003049e2" # schemaIDGUID of the user class

$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"

# Note the space between the type name and the argument list; without it New-Object fails to parse the arguments
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedObjectGuid

$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl "ad:DC=corp,DC=domain,DC=net"

Answer 1

The DS-Replication-Get-Changes-All extended right is very easy to work with, because it does not apply to individual objects but to the entire partition!

You only need to set it once, directly on the top (or "root" object) of the partition. This means the InheritanceObjectType is completely irrelevant, because it will never be inherited anyway.

Import-Module ActiveDirectory

$rootObjPath = "AD:\DC=corp,DC=domain,DC=net"
$rootObjACL = Get-Acl $rootObjPath

$group = Get-ADGroup 'AD Service Administration Tasks'
$SID = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $group.SID

# The following object-specific ACE grants the group permission to replicate all directory changes from this partition
$objectGuid = New-Object Guid "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

$ADRight = [System.DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
$ACEType = [System.Security.AccessControl.AccessControlType]"Allow"

$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $SID,$ADRight,$ACEType,$objectGuid

$rootObjACL.AddAccessRule($ACE)

Set-Acl $rootObjPath -AclObject $rootObjACL

When creating the ActiveDirectoryAccessRule there is no need to pass the "None" InheritanceFlags option and an empty inherited-object GUID; simply omit the last two parameters.

The same approach works for the Configuration and Schema partitions; just swap in the partition's DistinguishedName when building $rootObjACL.

To find the Schema and Configuration partition DNs you can browse the AD:\ PSDrive (Get-ChildItem AD:), or query RootDSE:

$RootDSE  = [ADSI]"LDAP://RootDSE"
$SchemaDN = [string]$RootDSE.schemaNamingContext
$ConfigDN = [string]$RootDSE.configurationNamingContext
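The following is an added example, not code from the question or the answer above. It generalises the answer's approach: it reads the three partition heads from RootDSE, grants the extended right on each of them with a single non-inherited ACE, and then enumerates every ACE on those partition heads that grants a replication extended right, so the result can be verified and the grant audited later. The group name is a placeholder, and the script assumes the ActiveDirectory module is installed and that the caller can modify the security descriptor of the partition heads. One caveat worth keeping in mind: DS-Replication-Get-Changes-All on the domain naming context is the right that lets a principal replicate secret attributes (password hashes) like a domain controller would, so it should be granted to as few principals as possible and reviewed regularly.

```powershell
# Added example, not part of the original question or answer.
# Grants a replication extended right on the domain, Configuration and Schema
# partition heads, then lists every principal holding a replication right there.
# Assumes: ActiveDirectory module available; caller has WriteDacl on the partition
# heads; the group name passed to Grant-ReplicationRight is a placeholder.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the replication control access rights
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-NamingContextDNs {
    # Read the partition heads from RootDSE instead of hard-coding DNs
    $rootDse = Get-ADRootDSE
    return @(
        $rootDse.defaultNamingContext,
        $rootDse.configurationNamingContext,
        $rootDse.schemaNamingContext
    )
}

function Grant-ReplicationRight {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Defaults to DS-Replication-Get-Changes-All, the right discussed above
        [string]$RightsGuid = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    )
    $sid = (Get-ADGroup $GroupName).SID
    foreach ($dn in Get-NamingContextDNs) {
        $path = "AD:\$dn"
        $acl  = Get-Acl $path
        # Object-specific ACE on the partition head only: ExtendedRight, Allow,
        # ObjectType = rightsGuid. No inheritance arguments, as the answer explains.
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [Guid]$RightsGuid
        )
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
        Write-Verbose "Granted $($ReplicationRights[$RightsGuid.ToLower()]) to $GroupName on $dn"
    }
}

function Get-ReplicationRightHolders {
    # Emits one object per ACE on a partition head that grants a replication right,
    # including ACEs whose ObjectType is the empty GUID (= all extended rights).
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allRights     = [Guid]::Empty.ToString()
    foreach ($dn in Get-NamingContextDNs) {
        $acl = Get-Acl "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }
            $guid = $ace.ObjectType.ToString().ToLower()
            if ($guid -ne $allRights -and -not $ReplicationRights.ContainsKey($guid)) { continue }
            $rightName = if ($guid -eq $allRights) { 'All extended rights' } else { $ReplicationRights[$guid] }
            [pscustomobject]@{
                Partition = $dn
                Identity  = $ace.IdentityReference.Value
                Right     = $rightName
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder group name):
# Grant-ReplicationRight -GroupName 'AD Service Administration Tasks' -Verbose
# Get-ReplicationRightHolders | Format-Table -AutoSize
```

Run Get-ReplicationRightHolders before and after the grant: on a default domain the list should contain only the built-in principals (Administrators, Domain Controllers, Enterprise Domain Controllers, Enterprise Read-only Domain Controllers, plus SYSTEM through "All extended rights"), so any additional identity that appears is either the group you just added or something that deserves a closer look.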
