Active Directory / Ansible - create an AD group with ManagedBy that allows editing the membership
I can easily create a group in Ansible with the win_domain_group module. But I need to create it with this option:
Setting the ManagedBy option to define the user who must be able to manage the group membership is no problem, but I do not know how to enable this option. I read the properties of the group in PowerShell, but it does not seem to contain this option:
CanonicalName, CN, Created, createTimeStamp, Deleted, Description, DisplayName, DistinguishedName, dSCorePropagationData, GroupCategory, GroupScope, groupType, HomePage, instanceType, isDeleted, LastKnownParent, ManagedBy, member, MemberOf, Members, Modified, modifyTimeStamp, Name, nTSecurityDescriptor, ObjectCategory, ObjectClass, ObjectGUID, objectSid, ProtectedFromAccidentalDeletion, SamAccountName, sAMAccountType, sDRightsEffective, SID, SIDHistory, uSNChanged, uSNCreated, whenChanged, whenCreated
Whether the option is enabled or not, all attributes except the dates are identical.

I managed to do it.
I think the problem is that this option is a security mask, not an option of the AD group.
With more research, I managed it with the following PowerShell script:
param(
    [string]$groupname = ""
)
Import-Module ActiveDirectory
if ($groupname -eq "") {
    Write-Host('Error. Missing $groupname parameter.')
    exit 1   # stop here instead of running Get-Acl against an empty DN
}
# schemaIDGUID of the attribute the manager is allowed to write; look it up in your own AD
$guid = [guid]'THIS GUID HAS TO BE FOUND ON YOUR AD'
# resolve the manager account to a SID for the ACE
$user = New-Object System.Security.Principal.NTAccount("Domain\GroupManagerAccount")
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$ad_path_string = "ad:\cn=" + $groupname + ",ou=MyOU,dc=Domain,dc=com"
$acl = Get-Acl -Path $ad_path_string
$ctrl = [System.Security.AccessControl.AccessControlType]::Allow
$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$intype = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
# object-type ACE: the rights apply only to the attribute identified by $guid, no inheritance
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrl, $guid, $intype)
$acl.AddAccessRule($rule)
Set-Acl -AclObject $acl -Path $ad_path_string
To check the correct GUID, you can do the following:
In my.yml, where the win_domain_group module creates the group, I added two tasks for my Active Directory server:
- name: Transferring the AD rights management script to the hosts
  win_copy:
    src: MyScript.ps1
    dest: C:\temp\
- name: Adding the account right to edit membership on the new group in AD
  win_shell: C:\temp\MyScript.ps1 -groupname MyNewGroup
  become: yes
  become_user: Administrateur
Note that my server is installed in French. If yours is in English, become_user should be Administrator. All credit goes to shirl9141, who wrote this.
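The answer leaves the GUID lookup unspecified. The object type the script's ACE needs is the schemaIDGUID of the `member` attribute, which is what "Manager can update membership list" grants WriteProperty on. The following PowerShell is an added example, not code from the answer or from shirl9141: it reads that GUID from the schema partition and then lists which ACEs on the group actually grant WriteProperty scoped to it, so the result of the script can be verified. The group name, OU and manager account are the placeholders used in the answer.

```powershell
# Added example (not from the original answer): look up the schemaIDGUID of
# the 'member' attribute and verify which principals hold a WriteProperty ACE
# scoped to it on the group. GroupName, GroupOU and Manager are placeholders
# taken from the answer; adjust them to your directory.
param(
    [string]$GroupName = 'MyNewGroup',
    [string]$GroupOU   = 'ou=MyOU,dc=Domain,dc=com',
    [string]$Manager   = 'Domain\GroupManagerAccount'
)
Import-Module ActiveDirectory

# 1. Resolve the schemaIDGUID of 'member' from the schema naming context.
#    The attribute is stored as a 16-byte array, so build a [guid] from it.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberGuid = New-Object System.Guid -ArgumentList (,[byte[]]$memberAttr.schemaIDGUID)
Write-Host "schemaIDGUID of 'member': $memberGuid"

# 2. Read the group's DACL through the AD: drive and keep only Allow ACEs whose
#    ObjectType is the member GUID and whose rights include WriteProperty.
$groupPath = "AD:\CN=$GroupName,$GroupOU"
$acl = Get-Acl -Path $groupPath
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$memberAces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $memberGuid -and
    (($_.ActiveDirectoryRights -band $writeProp) -ne 0)
})

# 3. Report everyone who can edit the membership and check the intended manager.
$memberAces |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize
$managerAce = @($memberAces | Where-Object { $_.IdentityReference.Value -ieq $Manager })
if ($managerAce.Count -gt 0) {
    Write-Host "OK: $Manager can update the membership of $GroupName"
} else {
    Write-Warning "$Manager has no WriteProperty ACE on 'member' for $GroupName"
}
```

Running this before and after MyScript.ps1 shows the new ACE appear with the manager as IdentityReference; any other principals listed already had membership rights on the group, inherited or explicit.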