为尚未传播的用户设置权限

时间:2013-07-31 21:07:46

标签: powershell active-directory acl

我正在尝试为Powershell中的文件夹设置权限。我的问题是我在最近在我们的一个域控制器上创建的活动目录帐户上设置这些权限。由于该帐户是全新的,因此尚未传播到我们当地的任何DC。这对我来说是一个问题,因为我试图设置文件夹以允许该用户具有修改访问权限,而Powershell正在抛弃“无法翻译某些或所有身份引用”。我尝试在文件夹的ACL上调用SetAccessRule时出错。示例代码如下所示。

#I'm actually setting more details than this for the account, but I abbreviated
#the command to make it a little more readable
New-ADUser -Name "Testy Testerson" -Server Master-DC.Domain.ca

$DirectoryLocation = '\\Fileserver\SomeDirectory'

New-Item "FileSystem::$DirectoryLocation" -ItemType directory

$ACLNeedingModification = Get-ACL "FileSystem::$DirectoryLocation"

$NewACLRule = New-Object System.Security.AccessControl.FileSystemAccessRule('Domain\Testy Testerson', 'Modify', 'Allow')

$ACLNeedingModification.SetAccessRule($NewACLRule) #Error occurs here

Set-ACL "FileSystem::$DirectoryLocation" $ACLNeedingModification

现在,我的猜测是,我可以通过使用用户的SID而不是干扰并等待传播来完成链接来做一些有点大杂烩的解决方案。话虽这么说,我非常喜欢找到一种方法,允许我告诉SetAccessRule方法查看特定的DC,类似于AD命令。 SetAccessRule的文档在分辨率如何发生方面非常稀少,所以我想知道这里是否有人有更好的方法来完成我想要做的事情。

非常感谢一群人!

1 个答案:

答案 0 :(得分:1)

看看PowerShell: Script failing because AD objects have not replicated soon enough。我也有同样的问题,我会在接下来的几天里试着弄明白。如果我发现任何有用的东西,我会更新这个答案。这个http://ss64.com/ps/set-addomainmode.html可能有用,但我还不确定。

编辑:我编写了一个等待AD对象传播到所有域控制器的cmdlet。

<#
.SYNOPSIS
    Wait for an AD object to propagate to all domain controllers.

.DESCRIPTION
    This cmdlet enumerates the domain controllers in the current domain and
    polls each one in turn until the specified object exists on each one. If
    the object doesn't propagate completely inside the timeout time span, the
    cmdlet will throw a System.TimeoutException.

.PARAMETER LDAPFilter
    The LDAP filter used to locate the object.

.PARAMETER Timeout
    The time span this command should wait before timing out.

.NOTES
    Author: Alex Barbur <alex@barbur.net>
#>
function Wait-ADObject
{
    [CmdletBinding(SupportsShouldProcess=$True)]
    param
    (
    [Parameter(Mandatory=$True)]
    [string]$LDAPFilter,
    [TimeSpan]$Timeout = '00:00:30'
    )

    # calculate when we should stop
    $stop = $(Get-Date) + $Timeout
    Write-Verbose "Will check until $stop"

    # iterate through the domain controllers
    $domain = Get-ADDomain
    foreach ($server in $domain.ReplicaDirectoryServers)
    {
        # wait for the object to replicate
        Write-Verbose "Checking $server"

        $object = $Null
        while($object -eq $Null)
        {
            # check if we've timed out
            $left = New-TimeSpan $(Get-Date) $stop
            if($left.TotalSeconds -lt 0)
            {
                # timeout
                throw [System.TimeoutException]"Object propagation has timed out."
            }

            # wait a bit and check again
            Start-Sleep -Milliseconds 250
            $object = Get-ADObject -LDAPFilter $LDAPFilter -Server $server
        }
    }
}

你可以像这样使用它。

Import-Module ActiveDirectory
New-ADUser -SamAccountName 'doe.1'
Wait-ADObject -LDAPFilter '(sAMAccountName=doe.1)'

希望它对某人有用。

相关问题
最新问题