需要将 ACE 从一个用户复制到另一个用户

tag-icon tag-icon active-directory powershell
需要将 ACE 从一个用户复制到另一个用户

目前我需要允许所有用户对两个计算机对象具有读取权限。我可以在 GUI 中手动完成此操作,但这不切实际。

当我手动添加用户时,它正在工作。

(Get-Acl -Path $userstring).access | Where-Object {$_.identityreference -like '*ise-*'}

ActiveDirectoryRights : ReadProperty, GenericExecute
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : ***************
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty, GenericExecute
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : ***********
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

我尝试过的代码在这里:

Set-Location ad:
$distinguishedname = (get-aduser ptest).distinguishedname

$acl = (get-acl -Path $distinguishedname).access

#$acl.access #to get access right of the OU

$computer = get-adcomputer "ise-watson"

$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID

# Create a new access control entry to allow access to the OU

$identity = [System.Security.Principal.IdentityReference] $SID

$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ReadProperty, GenericExecute"

$type = [System.Security.AccessControl.AccessControlType] "Allow"



$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"



$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType

# Add the ACE to the ACL, then set the ACL to save the changes

$acl.AddRule($ace)

Set-acl -aclobject $acl -Path $distinguishedname

This throws an error: 
Set-acl : AclObject
At line:32 char:1
+ Set-acl -aclobject $acl -Path $distinguishedname
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (System.Security...nRuleCollection:AuthorizationRuleCollection) [Set-Acl], ArgumentException
    + FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand

答案1

为什么要为每个用户应用单独的 ACE?

创建一个安全组,授予该组对相关对象的访问权限,并授予该组所需的用户访问权限,然后您就完成了 - 并且它具有未来保障。

相关内容