[英]Insufficient access rights to perform the operation — Powershell
I am writing a simple script to copy AD group membership from one user to the other. 我正在编写一个简单的脚本,将AD组成员资格从一个用户复制到另一个用户。 I am doing it using the ActiveDirectory module only.
我只使用ActiveDirectory模块。
The script looks like it would work and does work up until I try to ad the groups to the user. 该脚本看起来会起作用,并且在我尝试将这些组添加到用户之前一直有效。
Code: 码:
import-module ActiveDirectory
$templateUser = get-ADUser user1
$targetUser = getADUser user2
$groups =get-adprincipalgroupmembership $templateUser
$groups2 = get-ADPrincipalGroupMembership $targetUser
foreach($group in $groups) {
add-adGroupMember $group $targetUser
}
Error: 错误:
Add-ADGroupMember : insufficient access rights to performt the operation
At line:9 char:18
+ FullyQualifiedErrorID : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
Notes/Thoughts: 备注/思考:
I am logged in as a normal user, but I ran the powershell as a different user (my admin account). 我以普通用户身份登录,但我将powershell作为其他用户(我的管理员帐户)运行。 I am not a local admin, but I am an admin on the domain.
我不是本地管理员,但我是域名管理员。 I am able to add the user to groups if I launch the AD Tools and do it manually (I have permissions to add to those groups).
如果我启动AD工具并手动执行,我可以将用户添加到组(我有权添加到这些组)。
Edit: 编辑:
Run the powershell as admin. 以admin身份运行powershell。
以管理员身份运行powershell。
I hit this today in Server 2012. I was running the powershell as Administrator, I was a domain admin, I was a local admin, I was every kind of admin I could find. 我今天在Server 2012中点击了这个。我以管理员身份运行powershell,我是域管理员,我是本地管理员,我是我能找到的各种管理员。
I "fixed" it by using the Active Directory Users and Computers tool, adding myself as the Manager of the AD groups I was trying to add users to, and ticked the box to allow the manager to change membership. 我通过使用Active Directory用户和计算机工具“修复”它,将我自己添加为我尝试添加用户的AD组的管理员,并勾选该框以允许管理员更改成员资格。 I could then run AD-AddGroupMember happily.
然后我可以愉快地运行AD-AddGroupMember。
I ran into this problem as well using Powershell remoting to connect to a domain controller. 我也遇到了这个问题,使用Powershell远程连接到域控制器。
In my case it turned out Include inheritable permissions from this object's parent
was turned off for the specific object I couldn't change. 在我的情况下,事实证明,对于我无法更改的特定对象
Include inheritable permissions from this object's parent
已关闭。
I ran into this issue today where an automated system was using powershell scripts for various things.... It turned out to be executionpolicy. 我今天遇到了这个问题,其中一个自动化系统正在使用PowerShell脚本来处理各种事情....结果是executepolicy。 We were running our script with the ExecutionPolicy Bypass flag, and even running the command directly in powershell outside of a script wouldn't work, but once we set executionpolicy to unrestricted, everything magically worked.
我们使用ExecutionPolicy Bypass标志运行我们的脚本,甚至在脚本之外的powershell中直接运行命令也行不通,但是一旦我们将executionpolicy设置为不受限制,一切都神奇地起作用。
For us we were able to create security groups even, but not add users to groups via powershell, even though we could make the same changes in ADUC. 对我们来说,我们甚至可以创建安全组,但不能通过PowerShell将用户添加到组中,即使我们可以在ADUC中进行相同的更改。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.