目前我需要允许所有用户对两个计算机对象具有读取权限。我可以在 GUI 中手动完成此操作,但这不切实际。
当我手动添加用户时,它正在工作。
(Get-Acl -Path $userstring).access | Where-Object {$_.identityreference -like '*ise-*'}
ActiveDirectoryRights : ReadProperty, GenericExecute
InheritanceType : None
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : ***************
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
ActiveDirectoryRights : ReadProperty, GenericExecute
InheritanceType : None
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : ***********
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
我尝试过的代码在这里:
Set-Location ad:
$distinguishedname = (get-aduser ptest).distinguishedname
$acl = (get-acl -Path $distinguishedname).access
#$acl.access #to get access right of the OU
$computer = get-adcomputer "ise-watson"
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
# Create a new access control entry to allow access to the OU
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ReadProperty, GenericExecute"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
# Add the ACE to the ACL, then set the ACL to save the changes
$acl.AddRule($ace)
Set-acl -aclobject $acl -Path $distinguishedname
This throws an error:
Set-acl : AclObject
At line:32 char:1
+ Set-acl -aclobject $acl -Path $distinguishedname
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.Security...nRuleCollection:AuthorizationRuleCollection) [Set-Acl], ArgumentException
+ FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand
答案1
为什么要为每个用户应用单独的 ACE?
创建一个安全组,授予该组对相关对象的访问权限,并授予该组所需的用户访问权限,然后您就完成了 - 并且它具有未来保障。