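Move-ADObject: Access is denied

Time: 2016-06-14 08:26:27

Tags: powershell active-directory

I have a script that should run as a service account. Unchecking "Protect from accidental deletion" is not the issue, because whether it is checked or unchecked I get the error: Move-ADObject: Access is denied. The script disables a user/PC and creates a new OU. The service account should not run as "Domain Admin". Currently it is just a "Domain User". Obviously, when I run it as an administrator everything works, but will the script work when run as a service account?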

Import-Module ActiveDirectory
##################################################
## Deactivate User and Move to another OU##
##################################################
$SAM = "KZerr"
$Path = "dc=aaa,dc=local"
$OUToSearchTheUser = "OU=Users," + $Path;

Disable-ADAccount -Identity $SAM

# Shows the disabled account
Search-ADAccount -AccountDisabled | ?{$_.SamAccountName -like $SAM}

########## CHECK IF OU EXISTS, IF NOT CREATE ONE ##########
$OU = Get-ADOrganizationalUnit -Filter 'Name -like "DeactivatedUsers"' -SearchBase $OUToSearchTheUser
if ($null -eq $OU) {
    $NEWOU = New-ADOrganizationalUnit "DeactivatedUsers" -Path $OUToSearchTheUser
}

#New-ADOrganizationalUnit -Name DeactivatedUsers -Path $OUToSearchTheUser
$UserNewPath = "ou=DeactivatedUsers,ou=Users," + $Path
Get-ADUser $SAM| Move-ADObject -TargetPath $UserNewPath

##################################################
            ##Deactivate Client Account ##
##################################################
$COMPUTERNAME = "TST1360"
$OUToSearchTheComputer = "OU=PC," + $Path;

Get-ADComputer -Identity $COMPUTERNAME | Disable-ADAccount 
# Shows the disabled account
Search-ADAccount -AccountDisabled | ?{$_.Name -like $COMPUTERNAME}

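# Create the OU only if it does not exist yet, so the script can be re-run
if ($null -eq (Get-ADOrganizationalUnit -Filter 'Name -like "DeactivatedComputers"' -SearchBase $OUToSearchTheComputer)) {
    New-ADOrganizationalUnit -Name DeactivatedComputers -Path $OUToSearchTheComputer
}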
$ComputerNewPath = "ou=DeactivatedComputers," + $OUToSearchTheComputer 
Get-ADComputer $COMPUTERNAME| Move-ADObject -TargetPath $ComputerNewPath

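1 answer:

Answer 0: (score: 0)

Users and PCs have: Descendant User objects and Descendant Computer objects. The problem was that I had to select the "This folder and subfolders" permission.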
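
The answer comes down to the inheritance scope of the delegated permission. The following is an added example, not code from the question or the answer, showing one way to delegate only what the script does to a non-admin service account with `dsacls`, then list the resulting ACEs with their scope. The account name `AAA\svc-offboard` and the NetBIOS domain name `AAA` are assumptions, as is the chosen set of rights (create the sub-OU, create/delete child objects for the move, write `userAccountControl` for the disable).

```powershell
# Added example: run once as an administrator who may edit permissions on these OUs.
Import-Module ActiveDirectory        # also provides the AD: drive used by Get-Acl

$Svc = 'AAA\svc-offboard'            # hypothetical service account (assumption)
$Delegations = @(
    @{ OU = 'OU=Users,DC=aaa,DC=local'; Class = 'user'     },
    @{ OU = 'OU=PC,DC=aaa,DC=local';    Class = 'computer' }
)

foreach ($d in $Delegations) {
    $ou    = $d.OU
    $class = $d.Class

    # Create the Deactivated* sub-OU: granted on this OU object only (no /I switch).
    dsacls $ou /G "${Svc}:CC;organizationalUnit" | Out-Null

    # Move: delete-child on the source container, create-child on the target.
    # /I:T = this object and its sub-objects, so the ACE also reaches the
    # Deactivated* OU created underneath.
    dsacls $ou /I:T /G "${Svc}:CCDC;$class" | Out-Null

    # Disable: write userAccountControl, inherited to descendant objects of the
    # given class only (/I:S = sub-objects only).
    dsacls $ou /I:S /G "${Svc}:WP;userAccountControl;$class" | Out-Null

    # Verify what was granted and, above all, how far each ACE propagates.
    "ACEs for $Svc on $ou"
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference.Value -eq $Svc } |
        Select-Object ActiveDirectoryRights, InheritanceType,
                      ObjectType, InheritedObjectType, IsInherited |
        Format-Table -AutoSize
}
```

In the output, an ACE with `InheritanceType` of `None` applies to the OU object itself and does not reach the user or computer objects inside it; `Descendents` or `All` is what lets the right apply below the OU.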