通过powershell为计算机对象设置ACL_Powershell_Active Directory_Acl

通过powershell为计算机对象设置ACL

powershell active-directory

通过powershell为计算机对象设置ACL,powershell,active-directory,acl,Powershell,Active Directory,Acl,我正在尝试修改域中多台计算机的权限，以便允许它们跨域进行身份验证我的代码很简单，但我总是出错 Function Add-ADGroupACL { param([string]$Computername,[string]$Access) #Get a reference to the RootDSE of the current domain $rootdse = Get-ADRootDSE #Get a reference to the current doma

我正在尝试修改域中多台计算机的权限，以便允许它们跨域进行身份验证

我的代码很简单，但我总是出错

Function Add-ADGroupACL
{
    param([string]$Computername,[string]$Access)
    #Get a reference to the RootDSE of the current domain
    $rootdse = Get-ADRootDSE
    #Get a reference to the current domain
    $domain = Get-ADDomain
    #Create a hashtable to store the GUID value of each extended right in the forest
$extendedrightsmap = @{}
Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
"(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | 
% {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid}

#Create a hashtable to store the GUID value of each schema class and attribute
$guidmap = @{}
Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
"(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | 
% {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}

    #Get the computer  object for modification on
    $Computer = Get-ADComputer -Identity $Computername

    #get the SID of the group you wish to add to the computer.
    $GroupIdentity = New-Object System.Security.Principal.SecurityIdentifier(Get-ADGroup -Identity $Access).SID

    $computersADPath = "AD:\" + $Computer.DistinguishedName
    $ComputerACL = Get-ACL $computersADPath

    #Create a new rule to add to the object
    $newAccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $GroupIdentity,"ExtendedRight",
        "Allow", 
        $extendedrightsmap["Allowed To Authenticate"],
        "None")

    $newAccessRule
    #Add the rule to the ACL
    $ComputerACL.AddAccessRule($newAccessRule)
    #Set Rules to the ACL
    Set-Acl -AclObject $ComputerACL -Path $computersADPath
}

我已经发布了整个功能，使之更容易。简单地说就是这样

Add-ADGroupACL -Computername 'TestComputer' -Access 'TestGroup'

这是我一直收到的错误消息

设置Acl：此安全ID不能指定为此对象的所有者第88行字符：5 +设置Acl-AclObject$ComputerACL-Path$computersADPath + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +CategoryInfo:NotSpecified:（CN=testComputer，OU=Co…C=subdomain，DC=domain:String）[设置Acl]，异常 +FullyQualifiedErrorId:ADProvider:SetSecurityDescriptor:ADError，Microsoft.PowerShell.Commands.SetAclCommand

访问规则看起来是正确的。它表明了这一点

ActiveDirectoryRights : ExtendedRight 
InheritanceType       : None
ObjectType            : 68b1d179-0d15-4d4f-ab71-46152e79a7bc
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent 
AccessControlType     : Allow
IdentityReference     : S-1-5-21-2926237862-3770063950-2320700579-361721 
IsInherited       : False 
InheritanceFlags      : None 
PropagationFlags      : None

任何帮助都将不胜感激。

谢谢。

对于其他遇到此问题的人，这里是解决方案

基本上，Get ACL和Set ACL的工作原理是检索整个ACL。您对ACL进行编辑，然后设置ACL尝试重写整个ACL。更多信息：

因此，基本上您只需要创建一个ACE并动态地将其添加到ACL。最好使用DACL购买

代码：

用法：

Add-ADGroupACEExtendedRight -Computername "TestAsset" -Access "GroupID" -ExtendedRight "Allowed To Authenticate"

您可以在此处添加任何扩展项。有关DACL的更多信息：

Add-ADGroupACEExtendedRight -Computername "TestAsset" -Access "GroupID" -ExtendedRight "Allowed To Authenticate"