我正在尝试将 1 个 ID 添加到 Active Directory 中的多个安全组。ID 只需要添加到安全组的“安全选项卡”中,不需要添加为成员。
我需要为此 ID 设置“写入”权限。
无论如何在Power-Shell中这样做吗?
我正在尝试将 1 个 ID 添加到 Active Directory 中的多个安全组。ID 只需要添加到安全组的“安全选项卡”中,不需要添加为成员。
我需要为此 ID 设置“写入”权限。
无论如何在Power-Shell中这样做吗?
此处有说明,尽管这使用户可以完全控制组(包括删除权限),并且还有一些其他问题(例如硬编码的用户名)。
我已经为您修改了该示例,只授予GenericWrite
权限,并接受用户名作为参数。这还假设您运行它的用户、组和计算机都在同一个域上:
function Set-GroupSecurity {
[CmdletBinding()]
param (
[string] $GroupName,
[string] $UserName
)
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(&(objectclass=group)(sAMAccountName=$GroupName))"
$search.SizeLimit = 3000
$result = $search.FindOne()
$object = $result.GetDirectoryEntry()
$sec = $object.ObjectSecurity
## set the rights and control type
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$write = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
## who does this apply to
$domname = ([ADSI]"").Name
$who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$domname", $UserName
# apply rules
$readrule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $read, $allow
$sec.AddAccessRule($readrule)
$writerule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $write, $allow
$sec.AddAccessRule($writerule)
# tell it that we're only changing the DACL and not the owner
$object.get_Options().SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
# save
$object.CommitChanges()
}
您可以将其粘贴到 PowerShell 提示符中,然后按 Enter。这将使该功能可供使用。然后你可以像这样使用它:
Set-GroupSecurity -GroupName "TstGroup1" -UserName "someone"