I'm using the following PowerShell cmdlet as part of a script:
# Posted by TobyU at www.pwsh.ch on 13.09.2018
# https://www.pwsh.ch/active-directory-powershell-delegate-permission-to-reset-user-passwords-for-a-specific-organizational-unit-150.html
function Set-ResetPasswordDelegation(){
    param(
        [string]$OrganizationalUnit,
        [string]$DelegationGroupName
    )
    # Configuration Parameters
    $confADRight = "ExtendedRight"
    $confDelegatedObjectType = "bf967aba-0de6-11d0-a285-00aa003049e2" # User Object Type GUID
    $confExtendedRight = "00299570-246d-11d0-a768-00aa006e0529" # Extended Right PasswordReset GUID
    # Collect and prepare Objects
    $delegationGroup = Get-ADGroup -Identity $DelegationGroupName
    $delegationGroupSID = [System.Security.Principal.SecurityIdentifier] $delegationGroup.SID
    $delegationGroupACL = Get-Acl -Path "AD:\$OrganizationalUnit"
    # Build Access Control Entry (ACE)
    $aceIdentity = [System.Security.Principal.IdentityReference] $delegationGroupSID
    $aceADRight = [System.DirectoryServices.ActiveDirectoryRights] $confADRight
    $aceType = [System.Security.AccessControl.AccessControlType] "Allow"
    $aceInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceIdentity, $aceADRight, $aceType, $confExtendedRight, $aceInheritanceType, $confDelegatedObjectType)
    # Apply ACL
    $delegationGroupACL.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $delegationGroupACL
}
In summary, the script above is meant to delegate password reset permissions so that a security group (the DelegationGroupName parameter) can reset the passwords of all users within an OU (the OrganizationalUnit parameter).
This works when run as an administrator, but when I try to run it as the account used to run the scheduled task, I run into problems. See below:
PS D:\Program\ocpermissions> Set-ResetPasswordDelegation -OrganizationalUnit 'OU=Test,OU=ITA,DC=kos,DC=local' 'Test PW Reset Group'
Set-Acl : This security ID may not be assigned as the owner of this object
At D:\Program\ocpermissions\PasswordResetDelegation.psm1:29 char:5
+     Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $delegationGro ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (OU=Test,OU=ITA,DC=kos,DC=local:String) [Set-Acl], ADException
    + FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:ADError,Microsoft.PowerShell.Commands.SetAclCommand
This is the case even though I have granted the user the script runs as full control over the OU and all objects within it (for testing purposes only). I also can't see the code trying to change the owner of the OU, which makes this even more confusing.
Strangely, when I tested this on the actual production OU I didn't even get the same thing, but instead got this:
Set-Acl : Access is denied
At D:\Program\ocpermissions\PasswordResetDelegation.psm1:29 char:5
+     Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $delegationGro ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (OU=Externa anvä...DC=kos,DC=local:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:AccessDenied,Microsoft.PowerShell.Commands.SetAclCommand
What could be going on? What could be stopping the script from working properly? (I should add that the script works fine under an account with Domain Admin rights, but I really don't want to run a scheduled task with those rights.)
Answer 1
It seems Set-Acl doesn't work properly in this situation. Not sure exactly what's going wrong, but when I switched to using Set-ADOrganizationalUnit $ou -Replace @{nTSecurityDescriptor = $ouacl} to set the ACL, the problem went away.
This tells me the problem isn't with AD permissions, as I initially suspected.
Here's the fixed version of the function I'm trying to use:
function Set-ResetPasswordDelegation(){
    param(
        [string]$OrganizationalUnit,
        [string]$DelegationGroupName
    )
    # Configuration Parameters
    $confADRight = "ExtendedRight"
    $confDelegatedObjectType = "bf967aba-0de6-11d0-a285-00aa003049e2" # User Object Type GUID
    $confExtendedRight = "00299570-246d-11d0-a768-00aa006e0529" # Extended Right PasswordReset GUID
    # Collect and prepare Objects
    $delegationGroup = Get-ADGroup -Identity $DelegationGroupName
    $delegationGroupSID = [System.Security.Principal.SecurityIdentifier] $delegationGroup.SID
    $ou = Get-ADOrganizationalUnit -Properties nTSecurityDescriptor $OrganizationalUnit
    $ouacl = $ou.nTSecurityDescriptor
    # Build Access Control Entry (ACE)
    $aceIdentity = [System.Security.Principal.IdentityReference] $delegationGroupSID
    $aceADRight = [System.DirectoryServices.ActiveDirectoryRights] $confADRight
    $aceType = [System.Security.AccessControl.AccessControlType] "Allow"
    $aceInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceIdentity, $aceADRight, $aceType, $confExtendedRight, $aceInheritanceType, $confDelegatedObjectType)
    # Apply ACL (written via the AD cmdlet instead of Set-Acl)
    $ouacl.AddAccessRule($ace)
    Set-ADOrganizationalUnit $ou -Replace @{nTSecurityDescriptor = $ouacl}
}
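After a delegation like the one in the question and answer above has been written, it is worth reading the OU's nTSecurityDescriptor back and listing every principal that holds the Reset Password extended right on it, both to confirm the new ACE landed and to spot grants nobody intended. The function below is an added example, not code from the question or answer; it assumes the ActiveDirectory module is loaded and reuses the two GUIDs from the original script.

```powershell
# Added example (not from the question or answer): audit which principals can
# reset passwords under an OU by reading its nTSecurityDescriptor back.
function Get-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit
    )
    $resetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
    $userObjectGuid    = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # User object class
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Same read path the answer uses: the AD cmdlet, not the AD: drive provider
    $ou  = Get-ADOrganizationalUnit -Identity $OrganizationalUnit -Properties nTSecurityDescriptor
    $acl = $ou.nTSecurityDescriptor   # System.DirectoryServices.ActiveDirectorySecurity

    # GetAccessRules(includeExplicit, includeInherited, identityType); inherited ACEs
    # are included so grants made higher in the tree are not missed
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        # An ExtendedRight ACE whose ObjectType is the Reset Password GUID, or an
        # ExtendedRight ACE with an empty ObjectType (all extended rights), grants it;
        # GenericAll grants it implicitly, so report those too.
        $hasExtended = (($rule.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
                       ($rule.ObjectType -eq $resetPasswordGuid -or $rule.ObjectType -eq [Guid]::Empty)
        $hasFull     = ($rule.ActiveDirectoryRights -band $genericAll) -eq $genericAll
        if (-not ($hasExtended -or $hasFull)) { continue }

        # Resolve the SID to an account name where the domain can translate it
        try   { $principal = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $principal = $rule.IdentityReference.Value }

        # Which object class the ACE is scoped to (InheritedObjectType)
        if     ($rule.InheritedObjectType -eq $userObjectGuid) { $appliesTo = 'User objects' }
        elseif ($rule.InheritedObjectType -eq [Guid]::Empty)   { $appliesTo = 'All object classes' }
        else                                                   { $appliesTo = $rule.InheritedObjectType.ToString() }

        [pscustomobject]@{
            Principal   = $principal
            AccessType  = $rule.AccessControlType
            Rights      = $rule.ActiveDirectoryRights
            AppliesTo   = $appliesTo
            Inheritance = $rule.InheritanceType
            IsInherited = $rule.IsInherited
        }
    }
}

# Usage (OU path taken from the question):
# Get-ResetPasswordDelegation -OrganizationalUnit 'OU=Test,OU=ITA,DC=kos,DC=local' | Format-Table -AutoSize
```

Deny ACEs are listed as well (see the AccessType column), since a Deny for the same right overrides an Allow and is easy to overlook when only the Allow entry was just added.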