1

我正在尝试将 1 个 ID 添加到 Active Directory 中的多个安全组。ID 只需要添加到安全组的“安全选项卡”中,不需要添加为成员。

我需要为此 ID 设置“写入”权限。

无论如何在Power-Shell中这样做吗?

安全选项卡

4

1 回答 1

1

此处有说明,尽管这使用户可以完全控制组(包括删除权限),并且还有一些其他问题(例如硬编码的用户名)。

我已经为您修改了该示例,只授予GenericWrite权限,并接受用户名作为参数。这还假设您运行它的用户、组和计算机都在同一个域上:

function Set-GroupSecurity {
[CmdletBinding()]
param (
 [string] $GroupName,
 [string] $UserName
)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root = $dom.GetDirectoryEntry()

    $search = [System.DirectoryServices.DirectorySearcher]$root
    $search.Filter = "(&(objectclass=group)(sAMAccountName=$GroupName))"
    $search.SizeLimit = 3000
    $result = $search.FindOne()

    $object = $result.GetDirectoryEntry()

    $sec = $object.ObjectSecurity

    ## set the rights and control type
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $write = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite

    ## who does this apply to
    $domname = ([ADSI]"").Name
    $who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$domname", $UserName

    # apply rules
    $readrule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $read, $allow
    $sec.AddAccessRule($readrule)

    $writerule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $write, $allow
    $sec.AddAccessRule($writerule)

    # tell it that we're only changing the DACL and not the owner
    $object.get_Options().SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

    # save
    $object.CommitChanges()
}

您可以将其粘贴到 PowerShell 提示符中,然后按 Enter。这将使该功能可供使用。然后你可以像这样使用它:

Set-GroupSecurity -GroupName "TstGroup1" -UserName "someone"
于 2019-08-02T20:54:11.050 回答