Simplest way to determine whether a user has rights to perform certain actions in Active Directory

Time: 2015-10-12 19:52:15

Tags: powershell permissions active-directory quest

I'm currently using the Quest ActiveRoles Management Shell snap-in to determine whether the user running a script has rights to perform various actions in our Active Directory domain. We delegate access using groups, so I don't check whether a user has been explicitly granted access; I only check the user's group memberships to determine whether they have access. It works fine, but I'm wondering whether there's a simpler (more efficient) way to do this (without buying anything). Below I've included a description of each action and the code I'm using. I appreciate any constructive suggestions. Thanks!

# Account name of the user running the script (compared against sAMAccountName below)
$userRunningThisScript = [Environment]::UserName

# Check for "write member" access to AD group ($shareReadGroup)
$shareReadGroup = "<AD group name>"
$shareReadGroup_SecurityMask = Get-QADObject $shareReadGroup -SecurityMask Dacl
$shareReadGroup_WriteMember_Groups = ($shareReadGroup_SecurityMask | Get-QADPermission -Rights WriteProperty -UseExtendedMatch -Inherited -SchemaDefault -Property ("member")).Account | Where-Object {$_.Type -eq "group"}
$shareReadGroup_WriteMember_GroupMembers = $shareReadGroup_WriteMember_Groups | Get-QADGroupMember -Indirect
$shareReadGroup_WriteMember_AccessGranted = $shareReadGroup_WriteMember_GroupMembers | Where-Object {$_.sAMAccountName -eq $userRunningThisScript}

# Check for "create group" access for AD OU ($readGroupOU)
$readGroupOU = "<DN of AD OU>"
$readGroupOU_SecurityMask = Get-QADObject $readGroupOU -SecurityMask Dacl
$readGroupOU_CreateGroup_Groups = ($readGroupOU_SecurityMask | Get-QADPermission -Rights CreateChild -ChildType Group -UseExtendedMatch -Inherited -SchemaDefault).Account | Where-Object {$_.Type -eq "group"}
$readGroupOU_CreateGroup_GroupMembers = $readGroupOU_CreateGroup_Groups | Get-QADGroupMember -Indirect
$readGroupOU_CreateGroup_AccessGranted = $readGroupOU_CreateGroup_GroupMembers | Where-Object {$_.sAMAccountName -eq $userRunningThisScript}

# Check for "write description, write member" access for group objects within AD OU ($readGroupOU)
$readGroupOU = "<DN of AD OU>"
$readGroupOU_SecurityMask = Get-QADObject $readGroupOU -SecurityMask Dacl
$readGroupOU_ManageGroups_Groups = ($readGroupOU_SecurityMask | Get-QADPermission -Rights WriteProperty -ChildType Group -UseExtendedMatch -Inherited -SchemaDefault -Property ("description","member")).Account | Where-Object {$_.Type -eq "group"}
$readGroupOU_ManageGroups_GroupMembers = $readGroupOU_ManageGroups_Groups | Get-QADGroupMember -Indirect
$readGroupOU_ManageGroups_AccessGranted = $readGroupOU_ManageGroups_GroupMembers | Where-Object {$_.sAMAccountName -eq $userRunningThisScript}

1 answer:

Answer 0 (score: 0)

I ended up writing a function to simplify the permission checks and make them easier for everyone to understand. Here's the code, in case anyone is interested.

function Confirm-UserActiveDirectoryAccess {
    <#
        .SYNOPSIS
            Confirm that a user has the specified access to an AD object
        .DESCRIPTION
            This function simplifies the complex operation of determining whether a given user
            has a given level of access to an Active Directory object.  It assumes that all access
            rights should be considered, including inherited and schema default rights.
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -ADobject TestGroup -Rights WriteProperty -Property member
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -User TestUser -ADobject OU=TestOU,DC=domain,DC=local -Rights CreateChild -ChildType Group
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -ADobject OU=TestOU,DC=domain,DC=local -Rights WriteProperty -ChildType Group -Property description
        .PARAMETER User
            The username of the user whose access you wish to check.
            Defaults to the username of the account running the PowerShell session if not specified.
        .PARAMETER ADobject
            The DN, SID, GUID, UPN, or Domain\Name of the directory object you wish to check against.
        .PARAMETER Rights
            The rights you wish to check for (ReadProperty, WriteProperty, CreateChild, etc.).
            Refer to the -Rights property of the Get-QADPermission cmdlet for valid values.
        .PARAMETER ChildType
            Specify the child type if needing to determine permissions to children of an AD object (Group, User, Computer, etc.).
            Refer to the -ChildType property of the Get-QADPermission cmdlet for valid values.
        .PARAMETER Property
            The attribute of the AD object you wish to verify access to.
            These are the standard LDAP attribute names for a given object (sAMAccountName, member, ipPhone, etc.).
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$False)]
        [string]$User = [Environment]::UserName,

        [Parameter(Mandatory=$True,
            HelpMessage='Specify the DN, SID, GUID, UPN or Domain\Name of the directory object you want to find.')]
        [string]$ADobject,

        [Parameter(Mandatory=$True,
            HelpMessage='Exit this command and enter "Get-Help Get-QADPermission -Full", then refer to the -Rights parameter for valid values.')]
        [string]$Rights,

        [Parameter(Mandatory=$False)]
        [string]$ChildType,

        [Parameter(Mandatory=$False)]
        [string]$Property
    )

    $GetQADPermissionParams = @{
        Rights = $Rights;
        UseExtendedMatch = $True;
        Inherited = $True;
        SchemaDefault = $True;
    }

    If ($ChildType) {
        $GetQADPermissionParams += @{
            ChildType = $ChildType;
        }
    }

    If ($Property) {
        $GetQADPermissionParams += @{
            Property = $Property;
        }
    }

    $accountsWithAccess = (Get-QADObject -Identity $ADobject -SecurityMask Dacl | Get-QADPermission @GetQADPermissionParams).Account
    $userAccessGranted = $accountsWithAccess | Where-Object {$_.sAMAccountName -eq $User}
    $groupAccessGranted = $accountsWithAccess | Where-Object {$_.Type -eq "group"} | Get-QADGroupMember -Indirect | Where-Object {$_.sAMAccountName -eq $User}

    If ($userAccessGranted -or $groupAccessGranted) { Return $True }
    # No matching direct or group ACE: report an explicit $False rather than $null
    Return $False
}

$shareReadGroup_WriteMember = Confirm-UserActiveDirectoryAccess -User $userRunningThisScript -ADobject $shareReadGroup -Rights WriteProperty -Property member
$readGroupOU_CreateGroup = Confirm-UserActiveDirectoryAccess -User $userRunningThisScript -ADobject $readGroupOU -Rights CreateChild -ChildType Group
$readGroupOU_WriteGroupDescription = Confirm-UserActiveDirectoryAccess -User $userRunningThisScript -ADobject $readGroupOU -Rights WriteProperty -ChildType Group -Property description
$readGroupOU_WriteGroupMember = Confirm-UserActiveDirectoryAccess -User $userRunningThisScript -ADobject $readGroupOU -Rights WriteProperty -ChildType Group -Property member
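As an added example (not the poster's code and not Quest's), the same kind of check done without the snap-in: it reads the target's DACL through the built-in .NET DirectoryServices classes and compares ACE trustees against the user's tokenGroups by SID, so nested groups are covered without enumerating group members and Deny ACEs are honoured. It assumes the ActiveDirectory module is available for Get-ADUser, Get-ADObject and Get-ADRootDSE; the function name, parameter names and sample DN are assumptions.

```powershell
# Added example: effective rights of a user on one AD object, built-in classes only.
function Test-ADEffectiveAccess {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [string]$User = [Environment]::UserName,
        # lDAPDisplayName of an attribute (e.g. member) or a class (e.g. group, for CreateChild);
        # omit to require an ACE that covers all properties / child types.
        [string]$ObjectTypeName
    )
    # Object-specific ACEs carry the schemaIDGUID of the attribute or class, so resolve it.
    $typeGuid = [guid]::Empty
    if ($ObjectTypeName) {
        $schemaNC = (Get-ADRootDSE).schemaNamingContext
        $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ObjectTypeName)" -Properties schemaIDGUID
        $typeGuid = [guid]$schemaObj.schemaIDGUID
    }
    # Build the user's token: own SID plus every nested group SID (tokenGroups is computed by the DC).
    $userEntry = [adsi]"LDAP://$((Get-ADUser -Identity $User).DistinguishedName)"
    $userEntry.RefreshCache(@('tokenGroups'))
    $token = [System.Collections.Generic.HashSet[string]]::new()
    [void]$token.Add((New-Object System.Security.Principal.SecurityIdentifier($userEntry.Properties['objectSid'][0], 0)).Value)
    foreach ($sidBytes in $userEntry.Properties['tokenGroups']) {
        [void]$token.Add((New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value)
    }
    [void]$token.Add('S-1-5-11')   # Authenticated Users
    [void]$token.Add('S-1-1-0')    # Everyone

    $target = [adsi]"LDAP://$ObjectDN"
    $rules = $target.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allowed = $false
    foreach ($rule in $rules) {
        if (-not $token.Contains($rule.IdentityReference.Value)) { continue }
        # Inherit-only ACEs apply to children of this object, not to the object itself.
        if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (($rule.ActiveDirectoryRights -band $Rights) -ne $Rights) { continue }
        # ObjectType Empty means the ACE covers every property / child type; otherwise it must match.
        if ($rule.ObjectType -ne [guid]::Empty -and $rule.ObjectType -ne $typeGuid) { continue }
        # A matching Deny is treated as final (conservative: explicit allows are not ranked above inherited denies).
        if ($rule.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

# Sample call with a placeholder DN: does the current user have WriteProperty on "member" of this group?
Test-ADEffectiveAccess -ObjectDN 'CN=TestGroup,OU=TestOU,DC=domain,DC=local' -Rights WriteProperty -ObjectTypeName member
```

Property-set ACEs (one GUID that covers several attributes) and implicit owner rights are not resolved here, so a $false can be a false negative for those cases. To check the poster's "groups within an OU" cases, point the function at an actual group inside the OU, where the inherited ACEs are in effect.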