PowerShell：如何將 1 個用戶添加到多個 Active Directory 安全組 - 具有寫入權限的安全組的安全選項卡

Question

我正在嘗試向 Active Directory 中的多個安全組添加 1 個 ID。 該ID只需添加到安全組的“安全選項卡”中，無需添加為成員。

我需要為此 ID 設置“寫入”權限。

無論如何在Power-Shell中執行此操作？

Answer 1

有說明這里，雖然給出了組（包括權利刪除）的用戶完全控制，並有一些其他的問題（如硬編碼的用戶名）。

我已經為您修改了該示例，僅授予GenericWrite權限，並接受用戶名作為參數。 這還假設您運行它的用戶、組和計算機都在同一個域中：

function Set-GroupSecurity {
[CmdletBinding()]
param (
 [string] $GroupName,
 [string] $UserName
)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root = $dom.GetDirectoryEntry()

    $search = [System.DirectoryServices.DirectorySearcher]$root
    $search.Filter = "(&(objectclass=group)(sAMAccountName=$GroupName))"
    $search.SizeLimit = 3000
    $result = $search.FindOne()

    $object = $result.GetDirectoryEntry()

    $sec = $object.ObjectSecurity

    ## set the rights and control type
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $write = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite

    ## who does this apply to
    $domname = ([ADSI]"").Name
    $who = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$domname", $UserName

    # apply rules
    $readrule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $read, $allow
    $sec.AddAccessRule($readrule)

    $writerule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $who, $write, $allow
    $sec.AddAccessRule($writerule)

    # tell it that we're only changing the DACL and not the owner
    $object.get_Options().SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

    # save
    $object.CommitChanges()
}

您可以將其粘貼到 PowerShell 提示符中並按 Enter。 這將使該功能可用。 然后你可以像這樣使用它：

Set-GroupSecurity -GroupName "TstGroup1" -UserName "someone"