Powershell核心到Powershell
我正在运行一个安装了Pwsh的Ubuntu EC2实例,以便在我们的一台服务器上远程执行AD命令。2sd hop设置正确,我能够运行AD命令,但在执行脚本时,我遇到以下错误(脚本直接在2sd hop机器上正常工作): 无法识别搜索筛选器Powershell核心到Powershell,powershell,powershell-remoting,powershell-core,Powershell,Powershell Remoting,Powershell Core,我正在运行一个安装了Pwsh的Ubuntu EC2实例,以便在我们的一台服务器上远程执行AD命令。2sd hop设置正确,我能够运行AD命令,但在执行脚本时,我遇到以下错误(脚本直接在2sd hop机器上正常工作): 无法识别搜索筛选器 +CategoryInfo:NotSpecified:(:)[Get ADUser],ADException+FullyQualifiedErrorId:ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.M
+CategoryInfo:NotSpecified:(:)[Get ADUser],ADException+FullyQualifiedErrorId:ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADUser +PSComputerName:corpmaint2 任何帮助都将不胜感激 更新:新代码:
#!/usr/bin/pwsh
$cred=Get-Credential domain\myadmin
$employeeEmail = 'myemail@contoso.com'
Invoke-Command -ComputerName corpmaint02 -Credential $cred -ConfigurationName corpmaint02 -Authentication Negotiate -ArgumentList $employeeEmail -$
Get-ADUser -Filter "EmailAddress -eq '$($Args[0])'" -Properties EmailAddress | Disable-ADAccount -verbose
Write-Host $employeeEmail has been 'disabled.'
}
I modified my code as follow and it works expect for the lack of permissions to disable the account which odd because my admin account has rights to do so.
访问权限不足,无法执行该操作+CategoryInfo:NotSpecified:(CN=xxxxx\domain,DC=com:ADUser)[禁用ADAccount],异常
+FullyQualifiedErrorId:ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.DisableDataCount +PSComputerName:corpmaint2 要提升的新代码:
#!/usr/bin/pwsh
$cred=Get-Credential domain\myadmin
$employeeEmail = 'user1@contoso.com'
Invoke-Command -ComputerName corpmaint02 -Credential $cred -ConfigurationName corpmaint02 -Authentication Negotiate -ArgumentList $employeeEmail,$cred -ScriptBlock{
$currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
$testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if ($testadmin -eq $false) {
Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
exit $LASTEXITCODE
}
Get-ADUser -Filter "EmailAddress -eq '$($Args[0])'" -Properties EmailAddress | Disable-ADAccount -verbose -Credential $Args[1]
}
Write-Host $employeeEmail 'has been disabled.'
Invoke命令未使用提升的权限运行,因此您可以检索数据,但不能进行更改 如果使用Invoke命令在远程计算机上运行脚本或命令,则即使本地会话已启动,它也不会运行。这是因为任何提升提示都将在非交互式会话中发生在远程计算机上,因此将失败 您可以在调用命令scriptblock中尝试自提升(从上面的链接)
您是否尝试在
$employeeEmail
上使用范围修饰符?请看中的“示例9”以了解我的意思。在远程脚本块的开头使用using
,或声明param($employeeEmail)
。是,使用:或param。没有很好的文档说明。使用带有param的数组(这是另一层困难。编辑中的新代码可以工作,但即使我的管理员帐户有权禁用帐户,我也会面临权限问题。有什么建议吗?输出错误没有更改:(新代码附加在主线程中)+CategoryInfo:OpenError:(Corpmain02:String)[],PSCryptoException+FullyQualifiedErrorId:PSSessionStateBreaked
#!/usr/bin/pwsh
$cred=Get-Credential domain\myadmin
$employeeEmail = 'user1@contoso.com'
Invoke-Command -ComputerName corpmaint02 -Credential $cred -ConfigurationName corpmaint02 -Authentication Negotiate -ArgumentList $employeeEmail,$cred -ScriptBlock{
$currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
$testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if ($testadmin -eq $false) {
Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
exit $LASTEXITCODE
}
Get-ADUser -Filter "EmailAddress -eq '$($Args[0])'" -Properties EmailAddress | Disable-ADAccount -verbose -Credential $Args[1]
}
Write-Host $employeeEmail 'has been disabled.'
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
# Relaunch as an elevated process:
Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs
exit
}
# Now running elevated so launch the script:
& "d:\long path name\script name.ps1" "Long Argument 1" "Long Argument 2"