
How to set user account flag WORKSTATION_TRUST_ACCOUNT in Active Directory using PowerShell script?

I am trying to set the WORKSTATION_TRUST_ACCOUNT (0x1000) flag using a PowerShell command.

https://support.microsoft.com/en-us/kb/305144

I searched and found the Set-ADAccountControl command: https://technet.microsoft.com/en-us/library/ee617249.aspx

But in MSDN it is not written how to set 0x1000.

How to set the WORKSTATION_TRUST_ACCOUNT flag using a PowerShell command?

They have the following flags:

AccountNotDelegated
AllowReversiblePasswordEncryption
AuthType
CannotChangePassword
Credential
DoesNotRequirePreAuth
Enabled
HomedirRequired
MNSLogonAccount
Partition
PassThru
PasswordNeverExpires
PasswordNotRequired
Server
TrustedForDelegation
TrustedToAuthForDelegation
UseDESKeyOnly
Confirm
WhatIf

EDIT:

C# code
Following is my C# code, which is throwing an access denied error.

const int iFlag = 0x1000;
string sCommonName = "CN=" + sMachineName;

DirectoryEntry deComputer = deOU.Children.Add(sCommonName, "computer");
deComputer.Properties["sAMAccountName"].Value = sMachineName + "$";
deComputer.CommitChanges();

deComputer.Properties["userAccountControl"].Value = iFlag;
deComputer.CommitChanges(); // access denied exception.

Here is another way to do it:

$accountName = "userLogin"

$adsiSearcher = New-Object DirectoryServices.DirectorySearcher [ADSI]$null
$adsiSearcher.filter = "(&(objectClass=user)(sAMAccountName=$accountName))"

$adsiSearcherResult = $adsiSearcher.FindOne()
$user = $adsiSearcherResult.GetDirectoryEntry()

if(($user.UserAccountControl[0] -band 4096) -ne 0) {

    "WORKSTATION_TRUST_ACCOUNT (0x1000 4096) is set for $accountName"

} else {

    "WORKSTATION_TRUST_ACCOUNT (0x1000 4096) is NOT set for $accountName"

    # Add the WORKSTATION_TRUST_ACCOUNT flag (decimal value 4096)
    $user.userAccountControl[0] += 4096

    # Save the new value in the user object
    $user.SetInfo()

    "WORKSTATION_TRUST_ACCOUNT (0x1000 4096) has been added for $accountName"
}

Source: https://knowledge.zomers.eu/PowerShell/Pages/How-to-control-UserAccountControl-Active-Directory-flags-with-PowerShell.aspx
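
The bit test used in the answer above, generalized into an added example (not code from the original post or its source): it decodes a userAccountControl value into flag names from KB 305144, sets a flag with -bor, and reports records where WORKSTATION_TRUST_ACCOUNT and a trailing "$" in sAMAccountName disagree. The helper names and the sample records are hypothetical, and the script runs offline without touching a directory.

```powershell
# Added example. Bit values are the ones listed in Microsoft KB 305144.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE            = 0x0002
    PASSWD_NOTREQD            = 0x0020
    NORMAL_ACCOUNT            = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT = 0x0800
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT      = 0x2000
    DONT_EXPIRE_PASSWORD      = 0x10000
    TRUSTED_FOR_DELEGATION    = 0x80000
}

function ConvertFrom-Uac {            # hypothetical helper name
    param([int]$Value)
    # Names of every known flag whose bit is set in $Value.
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Add-UacFlag {                # hypothetical helper name
    param([int]$Value, [int]$Flag)
    # -bor is idempotent. "+= 4096" applied twice would turn 0x1000 into
    # 0x2000 (SERVER_TRUST_ACCOUNT), so += is only safe behind a bit test.
    $Value -bor $Flag
}

function Test-MachineFlagMismatch {   # hypothetical helper name
    param([string]$SamAccountName, [int]$Uac)
    # Assumed convention, taken from the question's C# code: machine
    # accounts have a sAMAccountName ending in "$".
    $isMachineFlag = ($Uac -band $UacFlags.WORKSTATION_TRUST_ACCOUNT) -ne 0
    $isMachineName = $SamAccountName.EndsWith('$')
    $isMachineFlag -ne $isMachineName
}

# Constructed sample records, not real directory data.
$samples = @(
    @{ Name = 'WS01$';     Uac = 4128 },  # 0x1020
    @{ Name = 'userLogin'; Uac = 512  },  # 0x0200
    @{ Name = 'userLogin'; Uac = 4608 }   # 0x1200
)
foreach ($s in $samples) {
    [pscustomobject]@{
        Name     = $s.Name
        Flags    = (ConvertFrom-Uac $s.Uac) -join ', '
        Mismatch = Test-MachineFlagMismatch $s.Name $s.Uac
        AfterSet = Add-UacFlag $s.Uac 0x1000
    }
}
```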
