
I'm trying to set permissions on a folder in PowerShell. My problem is that I'm setting these permissions for an Active Directory account that I recently created on one of our head office domain controllers. Since the account is brand new, it hasn't propagated to any of our local DCs yet. This is causing me problems, because I'm trying to set the folder to allow that user Modify access, and PowerShell is throwing "Some or all identity references could not be translated." The error occurs when I try to call SetAccessRule on the folder's ACL. Sample code is shown below.

#I'm actually setting more details than this for the account, but I abbreviated
#the command to make it a little more readable
New-ADUser -Name "Testy Testerson" -Server Master-DC.Domain.ca

$DirectoryLocation = '\\Fileserver\SomeDirectory'

New-Item "FileSystem::$DirectoryLocation" -ItemType directory

$ACLNeedingModification = Get-ACL "FileSystem::$DirectoryLocation"

$NewACLRule = New-Object System.Security.AccessControl.FileSystemAccessRule('Domain\Testy Testerson', 'Modify', 'Allow')

$ACLNeedingModification.SetAccessRule($NewACLRule) #Error occurs here

Set-ACL "FileSystem::$DirectoryLocation" $ACLNeedingModification

Now, my guess is that I could do a somewhat hacky solution by using the user's SID, plugging that in, and then waiting for propagation to finish to complete the link. That said, I'd rather find a way to tell the SetAccessRule method to look at a specific DC, similar to the AD cmdlets. The documentation for SetAccessRule is very sparse on how to do this, so I'm wondering whether anyone here has a better way to accomplish what I'm trying to do.

Thanks for looking!

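The SID-based approach the question mentions, as an added example that is not part of the original question or answer: the account is looked up on the DC where it was created, and the ACE is built from its SecurityIdentifier, so FileSystemAccessRule never needs to translate a name against a DC that has not received the object yet. The DC name, account name and share path are placeholders.

```powershell
# Added example (not from the original post). Placeholders: $SourceDC,
# $SamAccountName and $DirectoryLocation.
Import-Module ActiveDirectory

$SourceDC          = 'Master-DC.Domain.ca'        # DC where the account was created
$SamAccountName    = 'testy.testerson'             # placeholder account name
$DirectoryLocation = '\\Fileserver\SomeDirectory'  # placeholder share path

# Resolve the SID on the DC that already holds the object. A local DC would not
# know the account yet, which is what the "identity references" error reports.
$user = Get-ADUser -Identity $SamAccountName -Server $SourceDC
$sid  = New-Object System.Security.Principal.SecurityIdentifier $user.SID.Value

if (-not (Test-Path -LiteralPath "FileSystem::$DirectoryLocation")) {
    New-Item -Path "FileSystem::$DirectoryLocation" -ItemType Directory | Out-Null
}

$acl = Get-Acl -LiteralPath "FileSystem::$DirectoryLocation"

# Modify on the folder, inherited by subfolders and files. The overload that
# takes an IdentityReference stores the SID as-is; no name lookup happens here.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

$acl.SetAccessRule($rule)
Set-Acl -LiteralPath "FileSystem::$DirectoryLocation" -AclObject $acl

# Verify by reading the ACL back with identities reported as SIDs. Until the
# account has replicated to the DC the file server talks to, tools that display
# names will show the raw S-1-5-21-... value instead of 'Domain\Name'; that is
# expected and the ACE is still enforced.
$check = Get-Acl -LiteralPath "FileSystem::$DirectoryLocation"
$check.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```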

1 Answer


Have a look at PowerShell: Script failed because AD objects have not replicated enough soon. I ran into the same problem and will try to solve it over the next few days. If I find anything useful, I'll update this answer. This http://ss64.com/ps/set-addomainmode.html might be useful, but I'm not sure yet.

Edit: I wrote a cmdlet that waits for an AD object to propagate to all domain controllers.

<#
.SYNOPSIS
    Wait for an AD object to propagate to all domain controllers.

.DESCRIPTION
    This cmdlet enumerates the domain controllers in the current domain and
    polls each one in turn until the specified object exists on each one. If
    the object doesn't propagate completely inside the timeout time span, the
    cmdlet will throw a System.TimeoutException.

.PARAMETER LDAPFilter
    The LDAP filter used to locate the object.

.PARAMETER Timeout
    The time span this command should wait before timing out.

.NOTES
    Author: Alex Barbur <alex@barbur.net>
#>
function Wait-ADObject
{
    [CmdletBinding(SupportsShouldProcess=$True)]
    param
    (
        [Parameter(Mandatory=$True)]
        [string]$LDAPFilter,
        [TimeSpan]$Timeout = '00:00:30'
    )

    # calculate when we should stop
    $stop = $(Get-Date) + $Timeout
    Write-Verbose "Will check until $stop"

    # iterate through the domain controllers
    $domain = Get-ADDomain
    foreach ($server in $domain.ReplicaDirectoryServers)
    {
        # wait for the object to replicate
        Write-Verbose "Checking $server"

        $object = $Null
        while ($null -eq $object)
        {
            # check if we've timed out
            $left = New-TimeSpan $(Get-Date) $stop
            if($left.TotalSeconds -lt 0)
            {
                # timeout
                throw [System.TimeoutException]"Object propagation has timed out."
            }

            # wait a bit and check again
            Start-Sleep -Milliseconds 250
            $object = Get-ADObject -LDAPFilter $LDAPFilter -Server $server
        }
    }
}

You can use it like this.

Import-Module ActiveDirectory
# -Name is mandatory for New-ADUser; SamAccountName alone is not enough
New-ADUser -Name 'doe.1' -SamAccountName 'doe.1'
Wait-ADObject -LDAPFilter '(sAMAccountName=doe.1)'

Hope it's useful to someone.

answered 2013-08-16T20:08:42.027