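Does anyone know a way to query this UNIX attribute, msSFU30MaxUidNumber, in Active Directory using PowerShell? I am writing a script that will assign Unix attributes to users as needed. I also have the Quest AD PowerShell module available.
3 Answers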
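I borrowed this to set the UNIX attributes (NISdomain, GID, loginshell, UIDnumber, UID): http://danieltromp.com/2014/06/09/powershell-ad-enable-unix-attributes/.
I updated it so that it also updates the stored msSFU30MaxUidNumber. All the scripts I have seen forget this. It prevents problems with duplicate UID numbers if you later set UNIX attributes with ADUC (or even if you run the script again against another OU):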
Remove-Variable -Name * -Force -ErrorAction SilentlyContinue
Import-Module ActiveDirectory
$NIS = Get-ADObject "CN=DOMAIN,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=Domain,DC=com" -Properties:* #Get NIS server information
$maxUid = $NIS.msSFU30MaxUidNumber #Get the last used User ID
$usuarios = Get-ADUser -Filter * -SearchBase "OU=NAME,OU=NAME,OU=NAME,DC=Domain,DC=com" -Properties:* #Get all users
foreach($usr in $usuarios)
{
    if ($null -eq $usr.mssfu30nisdomain){
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{mssfu30nisdomain="Domain"} #Enable NIS
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{gidnumber="10005"} #Set Group ID
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{loginShell="/bin/bash"} #Set Login Shell
        $maxUid++ #Raise the User ID number
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{uidnumber=$maxUid} #Set User ID number
        Set-ADUser -Identity "$($usr.SamAccountName)" -Replace @{uid=$usr.SamAccountName} #Set UID
        Write-Host -Backgroundcolor Green -Foregroundcolor Black $usr.SamAccountName changed #Write Changed Username to console
    }
    else{Write-Host -Backgroundcolor Yellow -Foregroundcolor Black $usr.SamAccountName unchanged} #Write Unchanged Username to console with a yellow background
}
$NIS | Set-ADObject -Replace @{msSFU30MaxUidNumber = $maxUid} #Store the last assigned User ID
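A read-only check for the duplicate-UID problem described in the answer above, added here as an example (it is not part of the answer or of the linked script). It uses the ActiveDirectory module; the search base and NIS object DN are placeholders in the style of the answer's code, and `Get-UidAllocationReport` is a hypothetical helper name.

```powershell
# Added example: audits UID allocation, makes no changes to the directory.
# ASSUMPTION: $SearchBase and $NisDn are placeholders; substitute your own values.
Import-Module ActiveDirectory

$SearchBase = 'DC=Domain,DC=com'
$NisDn      = 'CN=DOMAIN,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=Domain,DC=com'

function Get-UidAllocationReport {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Users,  # need SamAccountName, uidNumber
        [Parameter(Mandatory)] [int] $StoredMax                             # current msSFU30MaxUidNumber
    )
    $withUid = @($Users | Where-Object { $null -ne $_.uidNumber })

    # Two accounts sharing a uidNumber are the same user as far as a UNIX host is concerned.
    $duplicates = @($withUid | Group-Object -Property uidNumber |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                UidNumber = [int]$_.Name
                Accounts  = @($_.Group.SamAccountName) -join ', '
            }
        })

    $highest = ($withUid | Measure-Object -Property uidNumber -Maximum).Maximum

    [pscustomobject]@{
        UsersWithUid   = $withUid.Count
        HighestUidUsed = $highest
        StoredMax      = $StoredMax
        # A counter below the highest uidNumber in use will eventually hand out a taken number.
        CounterIsStale = ($null -ne $highest -and $StoredMax -lt $highest)
        Duplicates     = $duplicates
    }
}

$users  = @(Get-ADUser -LDAPFilter '(uidNumber=*)' -SearchBase $SearchBase -Properties uidNumber)
$nis    = Get-ADObject -Identity $NisDn -Properties msSFU30MaxUidNumber
$report = Get-UidAllocationReport -Users $users -StoredMax ([int]$nis.msSFU30MaxUidNumber)

$report | Format-List UsersWithUid, HighestUidUsed, StoredMax, CounterIsStale
$report.Duplicates | Format-Table -AutoSize
```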
It seems you can find the highest value used so far stored in the msSFU30MaxUidNumber attribute on cn=yourYPDomain,cn=ypservers,cn=ypserv30,cn=RpcServices,cn=system,dc=dom,dc=fr.
Here is a script given as-is: I can't test it in my configuration right now; I just wrote a short PowerShell translation of a VBScript found in a Microsoft Consulting France document (page 17).
# Get the Yellow Pages domain and its msSFU30MaxUidNumber attribute
# dom.fr (dc=dom,dc=fr) is my domain
# myYPDomain is the name of my Yellow Pages domain
$ypDomain = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://societe.fr:389/cn=myYPDomain,cn=ypservers,cn=ypserv30,cn=RpcServices,cn=system,dc=dom,dc=fr","administrateur@dom.fr","admin")
# Read the single integer value rather than the PropertyValueCollection wrapper,
# so that "+ 1" below is arithmetic and not array concatenation
$msSFU30MaxUidNumber = [int]$ypDomain.msSFU30MaxUidNumber.Value
# Find a given user
$dn = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://societe.fr:389/dc=dom,dc=fr","administrateur@dom.fr","admin")
$dsLookFor = New-Object System.DirectoryServices.DirectorySearcher($dn)
$dsLookFor.Filter = "(&(samAccountName=user1)(objectCategory=user))"
$dsLookFor.SearchScope = "subtree"
$n = $dsLookFor.PropertiesToLoad.Add("cn")
$n = $dsLookFor.PropertiesToLoad.Add("distinguishedName")
# FindOne() returns a read-only SearchResult; get the writable DirectoryEntry from it
$Usr = $dsLookFor.FindOne().GetDirectoryEntry()
# Assign the new value to the user's UID attribute (msSFU30UidNumber, as in the Quest version below)
$Usr.msSFU30UidNumber = $msSFU30MaxUidNumber + 1
$Usr.SetInfo()
# Save the new value
$ypDomain.msSFU30MaxUidNumber = $msSFU30MaxUidNumber + 1
$ypDomain.SetInfo()
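Since you have the Quest AD cmdlets available, here is a quick way of doing it based on JPBlanc's answer. It assumes you are running the script with an account that already has permissions on the relevant AD attributes: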
# The -IncludedProperties parameter is needed because msSFU30MaxUidNumber is not part of Get-QADObject's default attribute set
$ypDomain = Get-QADObject -Identity "cn=myYPDomain,cn=ypservers,cn=ypserv30,cn=RpcServices,cn=system,dc=dom,dc=fr" -IncludedProperties msSFU30MaxUidNumber
$maxUidNumber = $ypDomain.msSFU30MaxUidNumber
$newMaxUidNumber = $maxUidNumber + 1
# Sets the msSFU30UidNumber attribute for User1
Get-QADUser -samAccountName User1 | Set-QADUser -objectAttributes @{msSFU30UidNumber = $newMaxUidNumber}
# Increments the msSFU30MaxUidNumber for the YP domain.
$ypDomain | Set-QADObject -objectAttributes @{msSFU30MaxUidNumber = $newMaxUidNumber}