分配给 OU 的权限显示为特殊

编程问答 2022-06-02

问题描述

我正在尝试使用 powershell 为 OU 分配权限,下面是我想出的代码,但是当我运行它时,它为 OU 中的用户分配了特殊权限,这不允许用户编辑 OU 中的任何内容

脚本应执行以下操作; 允许用户创建和编辑用户对象, 允许更改密码 允许创建计算机

Import-Module ActiveDirectory

$rootdse = Get-ADRootDSE
$domain = Get-ADDomain
$OUn = "Test_For_Permissions-Not_Live"
$Sec = "ServiceDEsk_SecurityGroup"

$gUO = new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$gCO = new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
$gRP = new-object Guid 00299570-246d-11d0-a768-00aa006e0529

$guidmap = (Get-Adobject -filter "name -like '*$OUn*'" | Select-Object -expandproperty ObjectGUID)
$ou = "OU=$OUn,DC=mydomain,DC=co,DC=uk"
$oupath="AD:$ou"
$sid = [System.Security.Principal.IdentityReference] (get-adgroup $Sec).SID

#Add and change computers
$acl = Get-ACL $oupath
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ReadProperty"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"

$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,$adRights,$type,$gco,$inherit,$guidmap
$acl.AddAccessRule($ace)
$acl|Set-ACL $oupath

#Add and change user objects
$acl = Get-ACL $oupath
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "WriteProperty"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,$guo,$guidmap
$acl.AddAccessRule($ace)
$acl|Set-ACL $oupath

#Reset Passwords
$acl = Get-ACL $oupath
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,$grp,$guidmap
$acl.AddAccessRule($ace)
$acl|Set-ACL $oupath

任何帮助都会很棒。

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

active-directoryactive-directory-grouppowershell