[英]PowerShell Import CSV to add Active Directory Security Groups
[英]PowerShell: How to add 1 user to multiple Active Directory Security Groups - Security tab of the security group with write permission
我正在嘗試向 Active Directory 中的多個安全組添加 1 個 ID。 該ID只需添加到安全組的“安全選項卡”中,無需添加為成員。
我需要為此 ID 設置“寫入”權限。
無論如何在Power-Shell中執行此操作?
有說明這里,雖然給出了組(包括權利刪除)的用戶完全控制,並有一些其他的問題(如硬編碼的用戶名)。
我已經為您修改了該示例,僅授予GenericWrite
權限,並接受用戶名作為參數。 這還假設您運行它的用戶、組和計算機都在同一個域中:
function Set-GroupSecurity {
[CmdletBinding()]
param (
[string] $GroupName,
[string] $UserName
)
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(&(objectclass=group)(sAMAccountName=$GroupName))"
$search.SizeLimit = 3000
$result = $search.FindOne()
$object = $result.GetDirectoryEntry()
$sec = $object.ObjectSecurity
## set the rights and control type
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$write = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
## who does this apply to
$domname = ([ADSI]"").Name
$who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$domname", $UserName
# apply rules
$readrule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $read, $allow
$sec.AddAccessRule($readrule)
$writerule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $write, $allow
$sec.AddAccessRule($writerule)
# tell it that we're only changing the DACL and not the owner
$object.get_Options().SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
# save
$object.CommitChanges()
}
您可以將其粘貼到 PowerShell 提示符中並按 Enter。 這將使該功能可用。 然后你可以像這樣使用它:
Set-GroupSecurity -GroupName "TstGroup1" -UserName "someone"
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.