
我目前正在使用 Quest ActiveRoles Management 管理单元来确定运行脚本的用户是否有权在我们的 Active Directory 域中执行各种操作。我们通过组来委派访问权限,因此我不会检查用户是否已被明确授予访问权限;我只是检查用户的组成员身份以确定用户是否有权访问。它工作得很好,但我想知道是否有一种更简单(更高效)的方式来做到这一点(无需购买额外产品)。我在下面提供了每个操作的描述和我正在使用的代码。感谢您提供的任何建设性建议。谢谢!

# Check for "write member" access to AD group ($shareReadGroup)
# Resolution is membership-based only: the groups that hold the right are expanded
# (nested membership included) and the running user must appear among their members.
# A right granted directly to the user's own account is not considered here.
$shareReadGroup = "<AD group name>"
$shareReadGroup_SecurityMask = Get-QADObject $shareReadGroup -SecurityMask Dacl
$shareReadGroup_WriteMember_Groups = (
    $shareReadGroup_SecurityMask |
        Get-QADPermission -Rights WriteProperty -Property ("member") -UseExtendedMatch -Inherited -SchemaDefault
).Account | Where-Object { $_.Type -eq "group" }
$shareReadGroup_WriteMember_GroupMembers = $shareReadGroup_WriteMember_Groups |
    Get-QADGroupMember -Indirect
$shareReadGroup_WriteMember_AccessGranted = $shareReadGroup_WriteMember_GroupMembers |
    Where-Object { $_.sAMAccountName -eq $userRunningThisScript }

# Check for "create group" access for AD OU ($readGroupOU)
# Same membership-based resolution as above: expand the groups holding CreateChild/Group
# on the OU (nested membership included) and look for the running user among them.
$readGroupOU = "<DN of AD OU>"
$readGroupOU_SecurityMask = Get-QADObject $readGroupOU -SecurityMask Dacl
$readGroupOU_CreateGroup_Groups = (
    $readGroupOU_SecurityMask |
        Get-QADPermission -Rights CreateChild -ChildType Group -UseExtendedMatch -Inherited -SchemaDefault
).Account | Where-Object { $_.Type -eq "group" }
$readGroupOU_CreateGroup_GroupMembers = $readGroupOU_CreateGroup_Groups |
    Get-QADGroupMember -Indirect
$readGroupOU_CreateGroup_AccessGranted = $readGroupOU_CreateGroup_GroupMembers |
    Where-Object { $_.sAMAccountName -eq $userRunningThisScript }

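# Check for "write description, write member" access for group objects within AD OU ($readGroupOU)
# Membership-based resolution: expand the groups holding WriteProperty on description/member
# for Group children of the OU (nested membership included) and look for the running user.
$readGroupOU = "<DN of AD OU>"
$readGroupOU_SecurityMask = Get-QADObject $readGroupOU -SecurityMask Dacl
$readGroupOU_ManageGroups_Groups = ($readGroupOU_SecurityMask | Get-QADPermission -Rights WriteProperty -ChildType Group -UseExtendedMatch -Inherited -SchemaDefault -Property ("description","member")).Account | Where-Object {$_.Type -eq "group"}
# Expand the ManageGroups grantee list, not the CreateGroup one: expanding the list from the
# previous check would test the user against the grantees of a different right, so the
# "manage groups" result would silently mirror the "create group" result.
$readGroupOU_ManageGroups_GroupMembers = $readGroupOU_ManageGroups_Groups | Get-QADGroupMember -Indirect
$readGroupOU_ManageGroups_AccessGranted = $readGroupOU_ManageGroups_GroupMembers | Where-Object {$_.sAMAccountName -eq $userRunningThisScript}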



我最终编写了一个函数来简化权限检查并让每个人都更容易理解。如果有人感兴趣,这是代码。

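function Confirm-UserActiveDirectoryAccess {
    <#
        .SYNOPSIS
            Confirm that a user has the specified access to an AD object
        .DESCRIPTION
            This function simplifies the complex operation of determining whether a given user
            has a given level of access to an Active Directory object.  It assumes that all access
            rights should be considered, including inherited and schema default rights.

            Access is reported as granted when a matching permission entry is held either by the
            user's own account or by any group the user belongs to, directly or through nested
            membership.
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -ADobject TestGroup -Rights WriteProperty -Property member
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -User TestUser -ADobject OU=TestOU,DC=domain,DC=local -Rights CreateChild -ChildType Group
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -ADobject OU=TestOU,DC=domain,DC=local -Rights WriteProperty -ChildType Group -Property description
        .PARAMETER User
            The username (sAMAccountName) of the user whose access you wish to check.
            Defaults to the username of the account running the PowerShell session if not specified.
        .PARAMETER ADobject
            The DN, SID, GUID, UPN, or Domain\Name of the directory object you wish to check against.
        .PARAMETER Rights
            The rights you wish to check for (ReadProperty, WriteProperty, CreateChild, etc.).
            Refer to the -Rights property of the Get-QADPermission cmdlet for valid values.
        .PARAMETER ChildType
            Specify the child type if needing to determine permissions to children of an AD object (Group, User, Computer, etc.).
            Refer to the -ChildType property of the Get-QADPermission cmdlet for valid values.
        .PARAMETER Property
            The attribute of the AD object you wish to verify access to.
            These are the standard LDAP attribute names for a given object (sAMAccountName, member, ipPhone, etc.).
        .OUTPUTS
            System.Boolean. $True when a matching permission entry was found for the user or one of
            the user's groups, $False otherwise (including when the object has no matching entries).
        .NOTES
            NOTE(review): the permission entries returned by Get-QADPermission are not filtered by
            their allow/deny type here, so an entry that denies the right to one of the user's groups
            would still be counted as a match.  Confirm the entry type before relying on this result
            for an authorization decision.
    #>
    [CmdletBinding()]
    [OutputType([bool])]
    param (
        [Parameter(Mandatory=$False)]
        [string]$User = [Environment]::UserName,

        [Parameter(Mandatory=$True,
            HelpMessage='Specify the DN, SID, GUID, UPN or Domain\Name of the directory object you want to find.')]
        [string]$ADobject,

        [Parameter(Mandatory=$True,
            HelpMessage='Exit this command and enter "Get-Help Get-QADPermission -Full", then refer to the -Rights parameter for valid values.')]
        [string]$Rights,

        [Parameter(Mandatory=$False)]
        [string]$ChildType,

        [Parameter(Mandatory=$False)]
        [string]$Property
    )

    $GetQADPermissionParams = @{
        Rights           = $Rights
        UseExtendedMatch = $True
        Inherited        = $True
        SchemaDefault    = $True
    }

    # Only pass the optional filters when the caller supplied them, so an empty string
    # is never handed to the cmdlet as a child type or property name.
    If ($ChildType) {
        $GetQADPermissionParams['ChildType'] = $ChildType
    }

    If ($Property) {
        $GetQADPermissionParams['Property'] = $Property
    }

    $permissionEntries = Get-QADObject -Identity $ADobject -SecurityMask Dacl |
        Get-QADPermission @GetQADPermissionParams

    # Collect the grantee of every matching entry.  ForEach-Object is used rather than
    # reading .Account on the whole pipeline result, so a single entry, or none, is
    # handled the same way as several; @() keeps the result a collection in every case.
    $accountsWithAccess = @($permissionEntries | ForEach-Object { $_.Account })

    If ($accountsWithAccess.Count -eq 0) {
        Return $False
    }

    # Direct grant to the user's own account.
    $userAccessGranted = @(
        $accountsWithAccess | Where-Object { $_.sAMAccountName -eq $User }
    ).Count -gt 0

    # Grant to a group the user belongs to; -Indirect expands nested membership.
    $groupAccessGranted = @(
        $accountsWithAccess |
            Where-Object { $_.Type -eq "group" } |
            Get-QADGroupMember -Indirect |
            Where-Object { $_.sAMAccountName -eq $User }
    ).Count -gt 0

    # Always return a boolean so callers can test the result without a $null check.
    Return ($userAccessGranted -or $groupAccessGranted)
}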

# Every check is run on behalf of the same account, so the user is passed via a shared splat.
$accessCheckUser = @{ User = $userRunningThisScript }

# May the user modify the member attribute of the share-read group?
$shareReadGroup_WriteMember = Confirm-UserActiveDirectoryAccess @accessCheckUser `
    -ADobject $shareReadGroup -Rights WriteProperty -Property member

# May the user create group objects inside the OU?
$readGroupOU_CreateGroup = Confirm-UserActiveDirectoryAccess @accessCheckUser `
    -ADobject $readGroupOU -Rights CreateChild -ChildType Group

# May the user write the description / member attributes of groups inside the OU?
$readGroupOU_WriteGroupDescription = Confirm-UserActiveDirectoryAccess @accessCheckUser `
    -ADobject $readGroupOU -Rights WriteProperty -ChildType Group -Property description
$readGroupOU_WriteGroupMember = Confirm-UserActiveDirectoryAccess @accessCheckUser `
    -ADobject $readGroupOU -Rights WriteProperty -ChildType Group -Property member