PowerShell: errors using Set-ADUser and Add-ADGroupMember in a child domain (cross-forest)

I have built a script that queries users across the entire forest and does the following:

1. Set ExtensionAttribute2
2. Add the user to a domain-specific group in their own domain
3. Add the user to a group in the root domain

When I run this against a GC in the forest root domain, users in the root domain are processed just fine. Users in the child domains only get step #3 processed; steps #1 and #2 throw errors.

Edit to clarify: these commands are run against a 2012 domain controller in the forest root domain, which is also a global catalog server. I am running them as an Enterprise Admin with access to all child domains. With these same credentials and the same server, I can use Active D
$csvpath = ".\users.csv"
$groupcbr = Get-ADGroup "CN=test group,OU=Test OU,DC=contoso,DC=com"
Import-CSV -Path $csvpath | Foreach-Object {
    $userprincipalname = $_.userprincipalname
    $activationkey = $_.activationkey
    Get-ADUser -Filter {userprincipalname -like $userprincipalname} -SearchBase "DC=contoso,DC=com" -Server "ROOTGC.contoso.com:3268" | Foreach-Object {
        $dn = $_.DistinguishedName
        #Set default as root domain
        $domain = "contoso"
        $domainserver = "ROOTGC.contoso.com"
        $groupscript = Get-ADGroup -Identity "$domain Test Group Users"
        If ($dn -like "*DC=childdomain1*") {
            $domain = "childdomain1"
            $domainserver = "childgc1.childdomain1.contoso.com"
            $groupscript = Get-ADGroup -Identity "$domain Test Group Users" -Server "ROOTGC.contoso.com:3268"
        }
        If ($dn -like "*DC=childdomain2*") {
            $domain = "childdomain2"
            $domainserver = "childgc2.childdomain2.contoso.com"
            $groupscript = Get-ADGroup -Identity "$domain Office 365 Users" -Server "ROOTGC.contoso.com:3268"
        }
        Write-Host "$domain | $userprincipalname [$($_.SamAccountName)] will get $activationkey added, and put into groups: $groupscript | [$dn]"
        #Set ExtensionAttribute2
        SET-ADUSER -Identity $dn -replace @{ExtensionAttribute2="$activationkey"}
        #Add the user to their own domain-based group
        Add-ADGroupMember -Identity $groupscript -Members $_
        #Add the user to the root domain's universal group
        Add-ADGroupMember -Identity $groupcbr -Members $_
    }
}
Again, users in the root domain are processed fine. Users in the child domains fail on #1 (setting extensionattribute2) and #2 (adding their local domain group).

Here are the errors:
Setting ExtensionAttribute2:
SET-ADUSER : A referral was returned from the server
At C:\***\Untitled1.ps1:52 char:3
+ SET-ADUSER -Identity $dn -replace @{ExtensionAttribute2="$activationkey"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=User1...contoso,DC=com:ADUser) [Set-ADUser], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.SetADUser
Adding to the local domain group:
Add-ADGroupMember : The server is unwilling to process the request
At C:\***\Untitled1.ps1:53 char:3
+ Add-ADGroupMember -Identity $groupscript -Members $_
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=ChildDomain1 Tes...contoso,DC=com:ADGroup) [Add-ADGroupMember], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
I have searched everywhere but have not found anything that fixes this. I have tried the following (and more):

What am I missing? Please help!! I had to go through my CSV by hand and set what needed setting, because it had to be done tonight, but I will be dealing with thousands of users over the next two weeks.

Answer:

The server you run this against must hold a copy of the global catalog, otherwise it cannot resolve the referral. Alternatively, the command must be run against a DC of the target domain. In addition, your user must have Enterprise Admin rights to create/modify/delete objects in the other domains of the forest (or appropriate delegation must be in place in the target domain).

Another issue is that the shiny AD cmdlets do not work without Active Directory Web Services, which was not available before Windows Server 2008 R2, running on all DCs involved. You can work around that by handling the foreign security principal and the directory object yourself, though:
$fsp = New-Object Security.Principal.NTAccount('DOM1', 'username')
$sid = $fsp.Translate([Security.Principal.SecurityIdentifier]).Value
$dn = Get-ADGroup -Identity 'groupname' | select -Expand distinguishedName
$group = New-Object DirectoryServices.DirectoryEntry("LDAP://$dn")
[void]$group.member.Add("<SID=$sid>")
$group.CommitChanges()
$group.Close()
That said, you do realize that Windows Server 2003 reaches end of life the day after tomorrow, don't you? Why are your DCs still running that antique?

As I specified in my original post, I am running this on a global catalog server in the forest root. I am running it as an Enterprise Admin account. I can make all of the modifications manually with ADUC on that server, and I am running these commands for all domains, so this is not a permissions issue. Regarding 2003, yes, I know. We are migrating users to the 2012 root domain to eliminate the child domains. Do you have any other suggestions? I have exhausted a lot of options, and what you posted does not apply to me because I have all the appropriate permissions, etc.

Yes, I have tried it. It works, in a very convoluted way, and it shows this is not a permissions issue. It is about writing commands such as "Set-ADUser" or "Add-ADGroupMember" to a child domain through the global catalog. It can be done with some convoluted methods (like the one above) and others (like set-adobject $Group1.distinguishedName -Add @{"member"=$User1.distinguishedName}). This is a known Microsoft issue.

Bottom line: what I posted is completely relevant. Glad we figured it out.
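As an added example (not code from the question or the answer), the answer's ADSI route carried through both failing steps: the GC on the root DC is used only to find users and groups, and every write is bound with a serverless LDAP path to the object's own domain, which avoids the referral and also sidesteps the ADWS requirement on the 2003 child DCs. ROOTGC.contoso.com, the CSV columns and the "<short domain name> Test Group Users" naming are taken from the question; every other name is an assumption.

```powershell
# Added example (not the question's or answer's code); names are placeholders.
# Reads go through the GC as in the question; writes bind straight to the object's
# home domain via System.DirectoryServices, so no ADWS is needed on child DCs.
Import-Module ActiveDirectory   # only for the reads through the GC
# DN -> home domain DNS name; escaped commas in an RDN (CN=Doe\, Jane) are not separators.
function Get-DomainDnsNameFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcParts = ($DistinguishedName -split '(?<!\\),') | Where-Object { $_ -match '^DC=' }
    return (($dcParts -replace '^DC=', '') -join '.')
}
# Serverless bind "LDAP://<domain>/<DN>": the locator picks a writable DC of that domain,
# so the write never reaches the GC (which can only answer a write with a referral).
function Get-HomeDomainEntry {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $domain = Get-DomainDnsNameFromDN -DistinguishedName $DistinguishedName
    return New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain/$DistinguishedName")
}
# Step 1 of the question: write extensionAttribute2 in the user's own domain.
function Set-ActivationKey {
    param([Parameter(Mandatory)][string]$UserDN, [Parameter(Mandatory)][string]$ActivationKey)
    $user = Get-HomeDomainEntry -DistinguishedName $UserDN
    try { $user.Properties['extensionAttribute2'].Value = $ActivationKey; $user.CommitChanges(); return $true }
    catch { Write-Warning "$UserDN : $($_.Exception.Message)"; return $false }
    finally { $user.Close() }
}
# Step 2: add the user to its own domain's group; idempotent, so a re-run does not fail with "already exists".
function Add-HomeDomainGroupMember {
    param([Parameter(Mandatory)][string]$GroupDN, [Parameter(Mandatory)][string]$UserDN)
    $group = Get-HomeDomainEntry -DistinguishedName $GroupDN
    try {
        if ($group.Properties['member'] -notcontains $UserDN) {
            [void]$group.Properties['member'].Add($UserDN); $group.CommitChanges()
        }
        return $true
    } catch { Write-Warning "$GroupDN <- $UserDN : $($_.Exception.Message)"; return $false }
    finally { $group.Close() }
}
# Driver: group naming "<short domain name> Test Group Users" as in the question.
$gc = 'ROOTGC.contoso.com:3268'
foreach ($row in Import-Csv -Path '.\users.csv') {
    foreach ($u in @(Get-ADUser -Filter "userprincipalname -eq '$($row.userprincipalname)'" -Server $gc)) {
        $short = (Get-DomainDnsNameFromDN -DistinguishedName $u.DistinguishedName).Split('.')[0]
        $groupDN = (Get-ADGroup -Identity "$short Test Group Users" -Server $gc -ErrorAction SilentlyContinue).DistinguishedName
        if (-not $groupDN) { Write-Warning "no group found for domain $short"; continue }
        $ok = Set-ActivationKey -UserDN $u.DistinguishedName -ActivationKey $row.activationkey
        if ($ok) { $ok = Add-HomeDomainGroupMember -GroupDN $groupDN -UserDN $u.DistinguishedName }
        Write-Host "$short | $($row.userprincipalname) | $(if ($ok) { 'OK' } else { 'FAILED' })"
    }
}
```

The membership check reads only the first page of member values (1500 by default on a DC), so for very large groups the "already exists" case still needs separate handling.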