Is there any way (using PowerShell) to modify a computer account so that a user account is added with enough permissions to join this computer to the domain? When using the wizard, you can select an account to perform this. Regards
Answer 0: (score: 1)
Yes, you can do this with the ActiveDirectory module provided by Microsoft. I believe it can be installed via the RSAT package on Server 2008 R2 and later. When you import that module, it adds a PSProvider for AD that can be used with the Get-Acl and Set-Acl cmdlets.
It is very similar to file system permissions in PowerShell, except that you need more information and use a different object type for the rules; MSDN gives a good overview.
If you have an example computer object that already has the correct permissions applied, use the Get-Acl cmdlet to see what the access rules look like:
$acl = Get-Acl -Path 'AD:\CN=TESTCOMP-1,CN=Computers,DC=domain,DC=com'
$acl.Access | ft -AutoSize
You should be able to use this data to build access rule objects, add them to the ACL, and then set the ACL on the path.
# Imagine that you already created your rule in the variable $rule1
$acl.AddAccessRule($rule1)
Set-Acl -Path 'AD:\CN=TESTCOMP-1,CN=Computers,DC=domain,DC=com' -AclObject $acl
An actual fleshed-out example:
If all we are doing is giving a user the ability to re-add a computer account to the domain, then based on this MS KB article, you need to give the user "Reset Password", "Read Account Restrictions", "Write Account Restrictions", "Validated write to DNS host name" and "Validated write to service principal name".
Each permission is referenced by a specific GUID, as follows:
Reset Password is an extended right with the rights GUID 00299570-246d-11d0-a768-00aa006e0529
Account Restrictions is a property set with the permission GUID 4c164200-20c0-11d0-a768-00aa006e0529
Validated write to DNS host name has the permission GUID 72e39547-7b18-11d1-adef-00c04fd8d5cd
Validated write to service principal name has the permission GUID f3a64788-5306-11d1-a9c5-0000f80367c1
One permission I found was needed that is not in the KB article is the right to read/write the userAccountControl attribute. This is only needed if the computer account has already been removed from the domain or otherwise disabled. The AD GUID for userAccountControl is bf967a68-0de6-11d0-a285-00aa003049e2
If you don't add that permission, you may run into the following error:
The join operation was not successful. This could be because an existing
computer account having name “<computer name>” was previously created using
a different set of credentials. Use a different computer name, or contact
our administrator to remove any stale conflicting account. The error was:
Access is denied.
Here is an example of giving these permissions to one person.
Import-Module ActiveDirectory
# Keep the GUIDs in variables, just to make the example a little cleaner to read.
# They are parsed as actual GUID objects so the right constructor overload is called.
$accountRestrictionsGuid = [GUID]::Parse('4c164200-20c0-11d0-a768-00aa006e0529')
$resetPasswordGuid = [GUID]::Parse('00299570-246d-11d0-a768-00aa006e0529')
$dnsHostWrite = [GUID]::Parse('72e39547-7b18-11d1-adef-00c04fd8d5cd')
$userAccountControlGuid = [GUID]::Parse('bf967a68-0de6-11d0-a285-00aa003049e2')
$spnWrite = [GUID]::Parse('f3a64788-5306-11d1-a9c5-0000f80367c1')
# This will get the ACL for the specific computer account you want to allow
# a user to add back to the domain.
$computerDN = 'CN=Test,CN=Computers,DC=domain,DC=com'
$acl = Get-Acl -Path "AD:\$computerDN"
# You need to create an identity reference for each group/user you want to add permissions for.
$adAccount = New-Object System.Security.Principal.NTAccount 'domain.com','userName'
# Create and add these 4 rules for EVERY user or group you want to give these permissions.
# So, 2 users, you will have 8 rules.
# We are using the following overload for the constructor: https://msdn.microsoft.com/en-us/library/cawwkf0x(v=vs.110).aspx
# Note that nowhere in these rules are you referring to computer objects directly, but to properties of the computer objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adAccount,'ReadProperty,WriteProperty','Allow',$accountRestrictionsGuid,'None'))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adAccount,'ReadProperty,WriteProperty','Allow',$userAccountControlGuid,'None'))
# The Self permission is the permission for a validated right.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adAccount,'Self','Allow',$dnsHostWrite,'None'))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adAccount,'Self','Allow',$spnWrite,'None'))
# Note that this is a different type of object. The Reset Password right is an extended right,
# and as such we need to create an AD Extended Right Access Rule.
# The constructor we are using is https://msdn.microsoft.com/en-us/library/dfcetwbe(v=vs.110).aspx
$acl.AddAccessRule((New-Object System.DirectoryServices.ExtendedRightAccessRule $adAccount,'Allow',$resetPasswordGuid,'None'))
# Set the permissions back to the object
Set-Acl -Path "AD:\$computerDN" -AclObject $acl
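Once rights like these have been delegated, the same Get-Acl view the answer starts with can be turned into a check: which principals actually hold the join-related rights on a given computer object, and whether the principal you just delegated to is missing any of them. The following is an added example, not code from the answer above; it reuses the GUIDs listed in the answer, assumes the ActiveDirectory module and its AD: drive are available, and the function names, the $ComputerDN value and the 'DOMAIN\userName' principal are placeholders.

```powershell
# Added example: audit the machine-join delegation on a computer object.
# Assumes the ActiveDirectory module (AD: drive). Names below are illustrative.
Import-Module ActiveDirectory

# The five GUIDs from the answer, mapped to readable names.
$joinRightGuids = @{
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account Restrictions (property set)'
    'bf967a68-0de6-11d0-a285-00aa003049e2' = 'userAccountControl (attribute)'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
}

function Get-ComputerJoinDelegation {
    # Lists every ACE on the computer object that grants one of the join-related
    # rights, plus any object-wide ACE (empty ObjectType) that implies all of them.
    param(
        [Parameter(Mandatory)][string]$ComputerDN
    )
    $acl = Get-Acl -Path "AD:\$ComputerDN"
    foreach ($ace in $acl.Access) {
        $key = $ace.ObjectType.ToString().ToLower()
        $right = $null
        if ($joinRightGuids.ContainsKey($key)) {
            $right = $joinRightGuids[$key]
        }
        elseif ($ace.ObjectType -eq [guid]::Empty -and
                ($ace.ActiveDirectoryRights -band
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            # GenericAll on the whole object covers every right in the table.
            $right = 'Full control (GenericAll on object)'
        }
        if ($right) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $right
                ADRights  = $ace.ActiveDirectoryRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-ComputerJoinDelegation {
    # Reports which of the five rights a principal has been granted on the object
    # and which are still missing (the usual cause of the "Access is denied" join error).
    param(
        [Parameter(Mandatory)][string]$ComputerDN,
        [Parameter(Mandatory)][string]$Principal   # e.g. 'DOMAIN\userName' (placeholder)
    )
    $granted = Get-ComputerJoinDelegation -ComputerDN $ComputerDN |
        Where-Object { $_.Principal -eq $Principal -and $_.Type -eq 'Allow' } |
        Select-Object -ExpandProperty Right -Unique
    if ($granted -contains 'Full control (GenericAll on object)') {
        $missing = @()
    } else {
        $missing = @($joinRightGuids.Values | Where-Object { $granted -notcontains $_ })
    }
    [pscustomobject]@{
        Principal = $Principal
        Granted   = @($granted)
        Missing   = $missing
    }
}

# Usage (placeholder DN and principal):
$computerDN = 'CN=Test,CN=Computers,DC=domain,DC=com'
Get-ComputerJoinDelegation -ComputerDN $computerDN | Format-Table -AutoSize
Test-ComputerJoinDelegation -ComputerDN $computerDN -Principal 'DOMAIN\userName'
```

The first function is also the quick way to spot over-delegation: any principal other than the ones you intended showing up against these GUIDs, or holding GenericAll on the object, can reset the machine password and rewrite its SPNs and DNS host name. The check matches ACEs by their ObjectType GUID, so rights granted through the wider WriteDacl or GenericWrite on the object are not listed as individual rows; review those separately if the table shows unexpected principals.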