我试图找到一种方法,将多个 GPO(约 50 个)中的某个组的“应用策略”设置为“拒绝”,因此我正在寻找一种自动执行此操作的方法,这时我遇到了这个帖子在一个(显然)废弃的博客上有以下脚本:
$strGroup = "my group"
$strGPO = "my GPO"
$GroupObject = Get-ADGroup $strGroup
$GroupSid = new-object System.Security.Principal.SecurityIdentifier $GroupObject.SID
$GPOObject = Get-GPO $strGPO
$GPOPath = $GPOObject.path
$GPOADObject = [ADSI]"LDAP://$GPOPath"
$GPOObjSec = $GPOADObject.psbase.ObjectSecurity
$GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
$extRight = [system.guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ReadProperty, GenericExecute","Deny","None"
$ace2 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ExtendedRight","Deny",$extRight,"All"
$GPOADObject.psbase.get_objectSecurity().AddAccessRule($ace1)
$GPOADObject.psbase.get_objectSecurity().AddAccessRule($ace2)
$GPOADObject.psbase.CommitChanges()
$GPOGPTstr = "\\"+$GPOObject.DomainName+"\SYSVOL\"+$GPOObject.DomainName+"\Policies\{"+$GPOObject.Id+"}"
$acl = Get-ACL $GPOGPTstr
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($strGroup,"ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Deny")
$acl.AddAccessRule($rule)
Set-Acl $GPOGPTstr $acl
我添加了一个foreach循环,以便从文本文件中获取我的组。除了第 14 行之外,它都可以正常工作:
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ReadProperty, GenericExecute","Deny","None"
这将引发以下错误:
new-object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the argument count: "4".
At .\denyApplyGPOtoGroup.ps1:16 char:10
+ $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
当然,第 16 行失败$ace1了$null。尽管如此,该脚本还是可以工作的:基本上,权限正确应用于 GPC,但未应用于 GPT,这与代码和抛出的错误有关。因此,当我转到 GPMC,单击 GPO 时,我收到一条消息,提示:
“SYSVOL 文件夹中此 GPO 的权限与 Active Directory 中的权限不一致。建议这些权限保持一致。要将 SYSVOL 中的权限更改为 Active Directory 中的权限,请单击“确定”。
单击“确定”可以解决问题,但仍在寻找解决此解决方法的方法......有什么想法吗?
答案1
删除 $ace1 并删除这些行;
$GPOGPTstr = "\\"+$GPOObject.DomainName+"\SYSVOL\"+$GPOObject.DomainName+"\Policies\{"+$GPOObject.Id+"}"
$acl = Get-ACL $GPOGPTstr
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($strGroup,"ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Deny")
$acl.AddAccessRule($rule)
Set-Acl $GPOGPTstr $acl
您要做的就是添加“拒绝应用”权限。因此,您不需要更改 Sysvol 策略文件夹上的 ACL,也不想删除“读取”权限。
$ace1 删除读取策略权限。
最终代码如下:
$strGroup = "Domain Admins"
$strGPO = "RES Workspace Manager Shell"
$GroupObject = Get-ADGroup $strGroup
$GroupSid = new-object System.Security.Principal.SecurityIdentifier $GroupObject.SID
$GPOObject = Get-GPO $strGPO
$GPOPath = $GPOObject.path
$GPOADObject = [ADSI]"LDAP://$GPOPath"
$GPOObjSec = $GPOADObject.psbase.ObjectSecurity
$GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
$extRight = [system.guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSid,"ExtendedRight","Deny",$extRight,"All"
$GPOADObject.psbase.get_objectSecurity().AddAccessRule($ace)
$GPOADObject.psbase.CommitChanges()