Powershell 将安全权限添加到扩展权限guid
多亏了@Mathias R.Jessen,我才走到了这一步。唯一的问题是权限没有传播到扩展属性,即使在advanced选项卡中也是如此:( 如果我进入adsi并检查扩展权限的安全选项卡,它不会显示任何关于新组拥有权限的信息…但是…如果我检查变量$rootObjACL.access,它会显示应有的权限Powershell 将安全权限添加到扩展权限guid,powershell,active-directory,Powershell,Active Directory,多亏了@Mathias R.Jessen,我才走到了这一步。唯一的问题是权限没有传播到扩展属性,即使在advanced选项卡中也是如此:( 如果我进入adsi并检查扩展权限的安全选项卡,它不会显示任何关于新组拥有权限的信息…但是…如果我检查变量$rootObjACL.access,它会显示应有的权限 ActiveDirectoryRights : ExtendedRight InheritanceType : None ObjectType : 1131f6aa
ActiveDirectoryRights : ExtendedRight
InheritanceType : None
ObjectType : 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : NEW\Replication
IsInherited : False
InheritanceFlags : None
PropagationFlags : None**
试图找出我做错了什么。运行脚本时没有任何错误。下面是脚本
Import-Module ActiveDirectory
$rootObjPath = "AD:\CN=Configuration,DC=new,DC=domain,DC=com"
$rootObjACL = Get-Acl $rootObjPath
$group = Get-ADgroup 'Replication'
$SID = New-Object System.Security.Principal.SecurityIdentifierArgumentList $group.SID
# The following object specific ACE is to grant Group the permission DS-Replication-Get-Changes
$objectGuid = New-Object Guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
$ADRight = [System.DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
$ACEType = [System.Security.AccessControl.AccessControlType]"Allow"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $SID,$ADRight,$ACEType,$objectGuid
$rootObjACL.AddAccessRule($ACE)
Set-Acl $rootObjPath -AclObject $rootObjACL