使用联系人DN更新AD用户对象管理器属性

时间:2017-07-05 20:59:19

标签: powershell active-directory

合并后我有两个森林。一些人的经理住在对面的森林里。为了解决这个问题,我们在每个森林中为相对森林的所有用户提供了联系人。我正在尝试根据csv导入更新多个用户的manager属性,我在管理员电子邮件地址上进行匹配。我的脚本可以匹配管理员联系人的DN,但由于某种原因,不会将其添加到广告userobject manager属性,说明它无法找到明显存在的对象的DN。

如果我使用ldap过滤器运行一个简单的get-adobject,它将返回管理员联系人的DN:

PS C:\temp> Get-ADObject -ldapfilter "(&(objectclass=contact)(name=$fname*)(name=*$lname))" -SearchBase "OU=station,OU=CONTACTS,DC=workplace,DC=COM" |select distinguishedname

distinguishedname                                        
-----------------                                        
CN=Nick Hill,OU=station,OU=Contacts,DC=workplace,DC=com

但是,尝试将此DN添加到用户管理器属性时,下面的脚本会出错。令人困惑的是它声称根据上述命令无法找到的DN。

以下脚本错误:

set-aduser : Identity info provided in the extended attribute: 'Manager' could not be resolved. Reason: 'Cannot find an object with identity: 'CN=Nick Hill,OU=station,OU=Contacts,DC=workplace,DC=com' under: 'DC=workplace,DC=com'.'.

$users = import-csv test1.csv

FOREACH ($user in $users)
 {
    $username = $user.UserName
    $employeeid = $user.employeeid
    $city = $user.city
    $country = $user.country
    $department = $user.department
    $division = $user.division
    $office = $user.location
    $state = $user.state
    $postalcode = $user.postal_code
    $manageremail = $user.manageremail
    $manager = get-aduser -f "mail -eq '$($manageremail)'"

    FUNCTION LocalManager 
    {
     get-aduser -f {mail -eq $username} |set-aduser -Manager $manager
    }

    FUNCTION RemoteManager 
    {
     $data = $manageremail.split("@")
     $name = $data[0]
     $namesplit = $name.split(".")
     $fname = $namesplit[0]
     $lname = $namesplit[1]
     $rmanager = Get-ADObject -SearchBase 'OU=station,OU=Contacts,DC=workplace,DC=com' -ldapfilter "(&(objectclass=contact)(name=$fname*)(name=*$lname))" 
     get-aduser -f {mail -eq $username} |set-aduser -Manager "$rmanager"
    }


    IF ($manager -eq $null)
    {
     RemoteManager
    }
    Else
    {
     Localmanager
    }

 }

1 个答案:

答案 0 :(得分:0)

我在自己的脚本上遇到类似的错误,无法处理跨域用户群。我已经导出了一些旧的decom'd用户帐户并导入它们(带有适当的通用信息)来填充我们的测试/开发环境。

不幸的是,当我尝试使用不同域中的管理员在AD中创建这些帐户作为新用户时,我发现以下问题:

  

Set-ADUser:服务器不愿意处理请求   在行:1个字符:1   + Set-ADUser -Identity $ user.SamAccountName -Manager $ user.Manager -Ser ...   + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~       + CategoryInfo:InvalidOperation:(user.name:ADUser)[Set-ADUser],> ADInvalidOperationException       + FullyQualifiedErrorId:> ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.SetADUser

所以这是为了设置用户使用经理的DN。 

function create-testaccts {

[CmdletBinding()]
param(
    [Parameter(Mandatory=$True,Position=1)]
    [string] $rootPath ,

    [Parameter(Mandatory=$True,Position=2)]
    [string] $userList ,

    [Parameter(Mandatory=$True,Position=3)]
    [string] $pw ,

    [Parameter(Mandatory=$True,Position=4)]
    [string] $OU = $(throw "Please specify a query.")

    )

$newUsers = import-csv $userList
$password = $pw | ConvertTo-SecureString -AsPlainText -Force

foreach ($user in $newUsers){

    $profPath = $rootpath + $user.samaccountname

    try {
        write-host -fore Cyan "Creating the user profile path - $profPath"
        new-item $profPath -ItemType Directory -Force -ErrorAction stop | Out-Null
    }# END OF TRY
    Catch [System.Management.Automation.ActionPreferenceStopException] {
        write-host -fore Yellow "caught a StopExecution Exception - Home directory creation " 
        $error[0]
    }# END OF CATCH

    try {
        Write-Host -Fore Cyan "Creating the user object in AD -" $user.Name 
        # Name              - Name
        # Givenname         - Firstname
        # Surname           - Lastname
        # Password          - AccountPassword Specific to new-aduser
        # SamAccountName    - same in both command/attribute name used userlogon and samaccount
        # Manager           - same in both command/attribute name
        # ProfilePath       - same in both command/attribute name
        # HomeDirectory     - same in both command/attribute name
        # HomeDrive         - same in both command/attribute name
        # Enabled           - False - same in both command/attribute name
        # UserPrincipalName - same in both command/attribute name
        # Server

        $name = $user.Name

        New-ADUser -Name "$name" `
                    -GivenName $user.givenname `
                    -Surname $user.surname `
                    -DisplayName $user.displayname `
                    -SamAccountName $user.SamAccountName `
                    -Path $ou `
                    -AccountPassword $Password `
                    -ProfilePath $user.profilepath `
                    -HomeDirectory $user.HomeDirectory `
                    -HomeDrive $user.homedrive `
                    -Enabled $False `
                    -UserPrincipalName $user.UserPrincipalName `
                    -Server domain.local `
                    -Credential $creds `
                    -ErrorAction Stop

                    #-Manager $user.Manager `
    }# END OF TRY
    Catch [System.Management.Automation.ActionPreferenceStopException] {
        Write-Host -fore Yellow "caught a StopExecution Exception - Account Creation" 
        $error[0]
    }# END OF CATCH

}#END FOREACH NEW USERS
} #END OF FUNCTION (CREATE-TESTACCTS)

当我尝试将其与受信任的域一起使用时,由于在本地域中找不到管理器DN,它将失败。我尝试了多种方法,但似乎无法找出它为什么这样做而且似乎不会链。

但是我找到了一个解决方法,我可以创建没有mgr字段的用户,然后使用以下链接/命令设置用户:

https://social.technet.microsoft.com/Forums/office/en-US/ade19ad5-ecfd-48af-987b-5958983676b6/active-directory-update-the-manager-field-when-the-manager-is-in-a-different-domain?forum=ITCG 

Set-ADUser -Identity $ADUser_Domain1 -Credential $DomainAdmin_Domain1 -Server $Domain1 -Replace @{manager = $ManagerDN_Domain2}

这有效,我不知道为什么替换有效,但似乎需要传递凭据。我甚至试过通过域2凭证。

总体而言,这非常令人困惑,我觉得如果本地会话凭证在域之间具有权限,它应该能够毫无问题地查找它。任何其他帮助或解释都非常有帮助!

相关问题
最新问题