问题描述
早上好
所以我在这段代码上遇到了麻烦。我有一个gMSA设置来获取组策略对象的所有权。我已在所有域控制器上的组策略中授予gMSA权限,以“取得文件和其他对象的所有权”。拥有所有权的部分就像魅力一样。但是,该脚本的第二部分使用Set-GPPermissions设置权限,并且应该为两个组提供对域中每个GPO的访问权限,但这似乎不起作用。
Try {
[void][TokenAdjuster]
} Catch {
$AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;
public class TokenAdjuster
{
[DllImport("advapi32.dll",ExactSpelling = true,SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok,bool disall,ref TokPriv1Luid newst,int len,IntPtr prev,IntPtr relen);
[DllImport("kernel32.dll",ExactSpelling = true)]
internal static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll",SetLastError = true)]
internal static extern bool OpenProcesstoken(IntPtr h,int acc,ref IntPtr
phtok);
[DllImport("advapi32.dll",SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host,string name,ref long pluid);
[StructLayout(LayoutKind.Sequential,Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_disABLED = 0x00000000;
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool AddPrivilege(string privilege)
{
try
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcesstoken(hproc,TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null,privilege,ref tp.Luid);
retVal = AdjustTokenPrivileges(htok,false,ref tp,IntPtr.Zero,IntPtr.Zero);
return retVal;
}
catch (Exception ex)
{
throw ex;
}
}
public static bool RemovePrivilege(string privilege)
{
try
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcesstoken(hproc,ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_disABLED;
retVal = LookupPrivilegeValue(null,IntPtr.Zero);
return retVal;
}
catch (Exception ex)
{
throw ex;
}
}
}
"@
Add-Type $AdjustTokenPrivileges
}
#Activate necessary admin privileges to make changes without NTFS perms
[void][TokenAdjuster]::AddPrivilege("SeRestorePrivilege") #Necessary to set Owner Permissions
[void][TokenAdjuster]::AddPrivilege("SeBackupPrivilege") #Necessary to bypass Traverse Checking
[void][TokenAdjuster]::AddPrivilege("SeTakeOwnershipPrivilege") #Necessary to override FilePermissions
# Import the required modules to perform Get-ADOrganizationalUnit & Get-GPO
Import-Module ActiveDirectory,GroupPolicy
$NewOwner = (Get-ADServiceAccount SVC._DA002).SamAccountName
$NewOwnerSID =(Get-ADServiceAccount SVC._DA002).SID
$Domains = (Get-ADForest).Domains
Function zChange-GpoOwner {
Param (
[Parameter(Mandatory=$true)]
[string]$NewOwnerSamAccountName,[Parameter(Mandatory=$false)]
[string]$ServerTomakeChangeOn
)
[string]$basedn = (Get-ADDomain $Domain).distinguishedname
[string]$SearchBase = "CN=Policies,CN=System," + (Get-ADDomain $Domain).distinguishedname
$GroupPolicyObjects = Get-Adobject -Filter * -SearchBase "$SearchBase" -Server $Domain -Properties objectClass,CanonicalName | Where {$_.objectClass -eq 'groupPolicyContainer'}
ForEach($GroupPolicyObject in $GroupPolicyObjects){
$GroupPolicyObjectDN = $GroupPolicyObject.distinguishedname
#$SecurityPrincipal = new-object System.Security.Principal.NTAccount("$DomainNetBiosName","$NewOwnerSamAccountName")
#[System.Security.Principal.NTAccount]$IdentityReference = $SecurityPrincipal
if($ServerTomakeChangeOn){
$DN = $ServerTomakeChangeOn + "/" + $GroupPolicyObjectDN
}else{
$DN = $GroupPolicyObjectDN
}
$guidNull = new-object Guid 00000000-0000-0000-0000-000000000000
$Adobject = [ADSI]"LDAP://$DN"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $NewOwnerSID,"WriteDacl","Allow",$guidNull
$Adobject.ObjectSecurity.AddAccessRule($ace)
$aclObject = get-acl -Path ADDOM:$SearchBase
$aclObject.Setowner([Security.Principal.NTaccount]($NewOwnerSamAccountName))
$Adobject.CommitChanges()
set-acl -path ADDOM:$GroupPolicyObjectDN -AclObject $aclObject
#$aclObject.Setowner($IdentityReference)
}
}
# For every GPO in domain,add the "Domain Group Policy Editors" group and grant the "Edit Settings" permission.
ForEach ($Domain in $Domains){
Import-Module ActiveDirectory
New-PSDrive -Name ADDOM -PSProvider ActiveDirectory -Server $Domain -Scope Global -Root "//ROOTDSE/" | Out-Null
$DomainNetBiosName = (Get-ADDomain $Domain).NetBIOSName
$DC = (Get-ADDomainController -discover -DomainName $Domain).HostName
zChange-GpoOwner -NewOwnerSamAccountName "A1\$NewOwner" -ServerTomakeChangeOn $DC
ForEach ($GPO in Get-GPO -All -Domain $Domain) {
$GPO = $GPO.displayName
Write-Host $GPO
Set-GPPermissions "$GPO" -Replace -PermissionLevel GpoEditDeleteModifySecurity -TargetName "$DomainNetBiosName\Group Policy Rights - Full Control" -targettype Group -DomainName $Domain
Set-GPPermissions "$GPO" -Replace -PermissionLevel GpoEdit -TargetName "$DomainNetBiosName\Group Policy Rights - Edit" -targettype Group -DomainName $Domain
}
Remove-PSDrive ADDOM
}
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)