Thanks to @Mathias R. Jessen I was able to do this. The only problem is that the permission does not propagate to the extended attributes, even in the Advanced tab :(.
If I go into ADSI and look at the Security tab for the extended permissions, it does not show the new group that is supposed to have the permission... but... if I check the variable `$rootObjACL.Access`, it shows the permission as it should be:
```
ActiveDirectoryRights : ExtendedRight
InheritanceType : None
ObjectType : 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : NEW\Replication
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
```
Trying to figure out what I am doing wrong. There are no errors when running the script. Here is the script:
```powershell
Import-Module ActiveDirectory

# Naming-context head whose ACL is modified
$rootObjPath = "AD:\CN=Configuration,DC=new,DC=domain,DC=com"
$rootObjACL = Get-Acl $rootObjPath

# Principal that receives the right; SecurityIdentifier takes the SDDL string form of the SID
$group = Get-ADGroup 'Replication'
$SID = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $group.SID.Value

# The following object-specific ACE grants the group the extended right DS-Replication-Get-Changes
# (control-access right GUID from the AD schema)
$objectGuid = New-Object Guid '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$ADRight = [System.DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
$ACEType = [System.Security.AccessControl.AccessControlType]"Allow"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $SID, $ADRight, $ACEType, $objectGuid

# Add the ACE to the in-memory DACL and write it back to the object
$rootObjACL.AddAccessRule($ACE)
Set-Acl $rootObjPath -AclObject $rootObjACL
```
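As an added example (not the poster's script), the following PowerShell audit reads the DACL of a naming-context head and lists every principal that holds a replication extended right, which is the quickest way to confirm whether the ACE written above is really present on the object and whether any unexpected identity holds the same right. The default path is the Configuration NC from the post; the two additional GUIDs are the well-known schema values for the other replication control-access rights.

```powershell
Import-Module ActiveDirectory

# Well-known schema GUIDs of the three replication control-access rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param(
        # Naming-context head to inspect; default is the path used in the post above.
        [string]$NamingContext = 'CN=Configuration,DC=new,DC=domain,DC=com'
    )
    $acl = Get-Acl -Path "AD:\$NamingContext"
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allRights = [Guid]::Empty.ToString()

    foreach ($ace in $acl.Access) {
        # GenericAll also contains the ExtendedRight bit, so test the bit rather than -eq.
        if (([int]$ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }

        $guid = $ace.ObjectType.ToString()
        # An all-zero ObjectType means "every extended right", which covers replication too.
        if ($guid -ne $allRights -and -not $ReplicationRights.ContainsKey($guid)) { continue }

        $rightName = if ($guid -eq $allRights) { 'All extended rights' } else { $ReplicationRights[$guid] }
        [pscustomobject]@{
            Identity        = $ace.IdentityReference.Value
            Right           = $rightName
            Type            = $ace.AccessControlType
            InheritanceType = $ace.InheritanceType
            Inherited       = $ace.IsInherited
        }
    }
}

# Replication rights are evaluated on the NC head object itself, so an explicit ACE with
# InheritanceType None (the shape shown in the $rootObjACL.Access output above) is expected here.
Get-ReplicationRightHolders | Format-Table -AutoSize
```

Run it on the domain NC head as well (`-NamingContext 'DC=new,DC=domain,DC=com'`), since that is the object on which replication of domain data is authorised; any principal listed there that is not a domain controller or a known replication account deserves a follow-up.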