Emulating the Delegation of Control Wizard with PowerShell

I want to delegate control of the TestUsers organizational unit to a user, NickA, and grant him the following permissions:

  1. Create, delete, and manage user accounts
  2. Reset user passwords and force password change at next logon
  3. Read all user information
  4. Create, delete and manage groups
  5. Modify the membership of a group

The only method I have found is the following, but I can't figure out the correct permissions to assign:

# Look up the delegate and build a SecurityIdentifier for the ACE
$acc  = Get-ADUser NickA
$sid  = new-object System.Security.Principal.SecurityIdentifier $acc.SID
# schemaIDGUID of the "user" class, so the ACE applies to user objects only
$guid = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
# -Identity takes a distinguished name or objectGUID, not the bare OU name
$ou   = Get-ADOrganizationalUnit -Identity "OU=TestUsers,DC=contoso,DC=private"
# Read the OU's security descriptor through the AD: PSDrive
$acl  = Get-ACL -Path "AD:$($ou.DistinguishedName)"
# Allow NickA to create and delete user objects directly under the OU
$acl.AddAccessRule($(new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild,DeleteChild","Allow",$guid))
Set-ACL -ACLObject $acl -Path "AD:$($ou.DistinguishedName)"

Answer 1

I haven't solved building the ACL with PowerShell yet, but this can be done with the old DSACLS command, which has been part of RSAT and the Support Tools since Windows Server 2003.

dsacls "OU=Test,DC=domain,DC=com" /I:S /G "domain\user:CA;Reset Password;user"

Put the DN of the OU being delegated between the quotes and the user after the /G (grant) parameter. The /I:S parameter tells the ACE to be inherited by child objects only, and the CA parameter stands for Control Access.

For more information on the syntax, see TechNet or other sites. If you need to use PowerShell, look at the documentation on updating ACLs with the Active Directory provider.

Answer 2

I ended up doing this with PowerShell. Thanks to the following TechNet posts, Exchange 2007 GUID Reference and Updating the ACL Framework, I was able to delegate control of the TestUsers organizational unit to the user NickA and grant the permissions I originally posted.

# Target OU and the SID of the user receiving the delegation
$OU   = Get-ADOrganizationalUnit -Identity "OU=TestUsers,DC=contoso,DC=private"
$SID  = new-object System.Security.Principal.SecurityIdentifier $(Get-ADUser "NickA").SID
# schemaIDGUIDs of the user and group classes; the empty GUID means "all object types / all properties"
$GUIDUserOBJ  = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$GUIDGroupOBJ = new-object Guid bf967a9c-0de6-11d0-a285-00aa003049e2
$GUIDNull     = new-object Guid 00000000-0000-0000-0000-000000000000

$ACL  = Get-ACL -Path "AD:$($OU.DistinguishedName)"

# Create a hashtable to store the GUID value of each schema class and attribute
$ADRootDSE = Get-ADRootDSE
$GUIDMap = @{}
Get-ADObject -SearchBase ($ADRootDSE.SchemaNamingContext) -LDAPFilter "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | % {$GUIDMap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

# Create and delete user objects in the OU and all sub-OUs (inheritance: All)
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"CreateChild,DeleteChild","Allow",$GUIDUserOBJ,"ALL"))
# Full control over every descendant object of class user (covers reset password, read all info, manage accounts)
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"GenericAll","Allow",$GUIDNull,"Descendents",$GUIDMap["user"]))
# Create and delete group objects in the OU and all sub-OUs
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"CreateChild,DeleteChild","Allow",$GUIDGroupOBJ,"ALL"))
# Full control over every descendant object of class group (covers modifying membership)
$ACL.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"GenericAll","Allow",$GUIDNull,"Descendents",$GUIDMap["group"]))

Set-ACL -ACLObject $ACL -Path "AD:$($OU.DistinguishedName)"
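After applying a delegation like the one above, the next thing a practitioner wants is to read the ACL back and see what was actually granted, because the ACEs only show raw GUIDs and rights flags. The following script is an added example, not code from either answer: it resolves each ACE's ObjectType and InheritedObjectType GUID to a schema class, attribute or extended-right name (using the same schemaIDGUID lookup as Answer 2, plus the Extended-Rights container for names such as "Reset Password"), lists every ACE held by the delegate, and flags GenericAll entries, which grant far more than the five wizard tasks listed in the question. The OU DN and user name are assumed to match Answer 2; the ActiveDirectory module must be loaded so the AD: drive exists.

```powershell
# Added example (not from the original post): audit the ACEs granted to a delegate on an OU.
# Assumptions: ActiveDirectory module loaded (AD: drive available), OU DN and user as in Answer 2.
Import-Module ActiveDirectory

$OUDN     = "OU=TestUsers,DC=contoso,DC=private"   # assumption: same OU as the answer
$Delegate = "NickA"                                 # assumption: same user as the answer

$RootDSE = Get-ADRootDSE

# Build GUID -> name map: schema classes/attributes (schemaIDGUID) and extended rights (rightsGuid).
$GuidName = @{}
Get-ADObject -SearchBase $RootDSE.SchemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidName[([Guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.ConfigurationNamingContext)" `
    -LDAPFilter "(rightsGuid=*)" -Properties displayName, rightsGuid |
    ForEach-Object { $GuidName[([Guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid {
    # Translate an ACE GUID to a readable name; the empty GUID means "all objects/properties".
    param([Guid]$Guid)
    if ($Guid -eq [Guid]::Empty) { return "(all)" }
    $key = $Guid.ToString()
    if ($GuidName.ContainsKey($key)) { return $GuidName[$key] }
    return $key
}

$DelegateSid = (Get-ADUser $Delegate).SID.Value
$Acl = Get-Acl -Path "AD:$OUDN"
$FullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$Report = foreach ($ace in $Acl.Access) {
    # Compare on SID string so the match does not depend on how the identity is rendered.
    try {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }
    if ($aceSid -ne $DelegateSid) { continue }

    [pscustomobject]@{
        Type            = $ace.AccessControlType
        Rights          = $ace.ActiveDirectoryRights
        ObjectType      = Resolve-AceGuid $ace.ObjectType
        InheritedObject = Resolve-AceGuid $ace.InheritedObjectType
        Inheritance     = $ace.InheritanceType
        Inherited       = $ace.IsInherited
        # GenericAll is full control, well beyond "reset password" or "modify membership".
        OverBroad       = $ace.ActiveDirectoryRights.HasFlag($FullControl)
    }
}

$Report | Format-Table -AutoSize
if ($Report | Where-Object OverBroad) {
    Write-Warning "Delegate $Delegate holds GenericAll on objects under $OUDN; review whether that is intended."
}
```

Run it as a user who can read the OU's security descriptor. Rows whose ObjectType resolves to an attribute or extended right (for example "Reset Password") correspond to the granular permissions the wizard would create; a row with GenericAll and InheritedObject "user" is the full-control shortcut taken in Answer 2.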
