Can New-ADGroup be used with additional objectClass attribute values?

Time: 2018-07-10 10:06:46

Tags: powershell active-directory ldap

dynamicObjects were something I had never heard of until yesterday, when I was searching for a reasonable way to make a user's group membership expire automatically.

I want to create a group with a self-destruct time so that it can be used to grant users temporary access. It seems that New-ADGroup / New-ADObject don't support additional values for the objectClass attribute, but maybe I'm doing something wrong.

I tried using -OtherAttributes as described in MS's documentation, passing multiple values to the objectClass attribute, but it gives a string type-cast error:

New-ADGroup -OtherAttributes @{'objectClass'="Group","DynamicObject";'entryTTL'=180} -Name 'Deleted in 180 Seconds' -Path $myGroupsOu -GroupScope DomainLocal
<#
New-ADGroup : Unable to cast object of type 'System.String[]' to type 'System.String'.
At line:2 char:1
+ New-ADGroup -OtherAttributes @{'objectClass'="Group","DynamicObject"; ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Deleted in 1...dc=state,dc=sbu:String) [New-ADGroup], InvalidCastException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.InvalidCastException,Microsoft.ActiveDirectory.Management.Commands.NewADGroup
#>

Following a suggestion in the comments, I tried other variants:

New-ADGroup -OtherAttributes @{'objectClass'=Group,DynamicObject;'entryTTL'=180} -Name 'Deleted in 180 Seconds' -Path $myGroupsOu -GroupScope DomainLocal
<#
At line:1 char:51
+ New-ADGroup -OtherAttributes @{'objectClass'=Group,DynamicObject;'ent ...
+                                                   ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument
#>

One test gave a very telling error message:

New-ADGroup -OtherAttributes @{'objectClass'="DynamicObject";'entryTTL'=180} -Name 'Deleted in 180 Seconds' -Path $myGroupsOu -GroupScope DomainLocal
<#
New-ADGroup : Illegal modify operation. Some aspect of the modification is not permitted
At line:1 char:1
+ New-ADGroup -OtherAttributes @{'objectClass'="DynamicObject";'entryTT ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=Deleted in 1...dc=state,dc=sbu:String) [New-ADGroup], ADIllegalModifyOperationException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8311,Microsoft.ActiveDirectory.Management.Commands.NewADGroup
#>

The "Illegal modify operation" error suggests that New-ADGroup may be written to create the group first and then modify it to add the OtherAttributes.

I can work around this by dropping down to ADSI:

function New-ADTemporaryGroup {
    Param (
        $name,
        $path,
        $timeToLive = 180
    )
    # Bind to the parent container via ADSI; $path is the distinguished name of the OU
    $container = [ADSI]"LDAP://$path"

    # Create the group object in memory; nothing is written until SetInfo()
    $newGroupObj = $container.Create('Group',"cn=$name")
    $properties = @{
        'ObjectClass'=@('DynamicObject','Group')   # auxiliary class plus the structural class
        'entryTTL'=$timeToLive                     # seconds until the DC deletes the object
        'sAMAccountName'=$name
    }
    # PutEx needs an ADS_PROPERTY_OPERATION_ENUM control code; 2 = ADS_PROPERTY_UPDATE
    # (replace all values). Multi-valued attributes go through PutEx, single values through Put.
    $ADS_PROPERTY_UPDATE = 2
    foreach ($key in $properties.Keys) {
        if ($properties[$key].Count -gt 1) {
            $newGroupObj.PutEx($ADS_PROPERTY_UPDATE,$key,$properties[$key])
        } else {
            $newGroupObj.Put($key, $properties[$key])
        }
    }
    # Commit the new object to the directory
    $newGroupObj.SetInfo()
}


<#
> New-ADTemporaryGroup -name 'Deleted in 180 Seconds' -path $myGroupsOu -timeToLive 180

> get-adgroup 'Deleted in 180 seconds' -Properties entryttl


DistinguishedName : CN=Deleted in 180 Seconds,OU=Groups,<redacted>
entryttl          : 874
GroupCategory     : Security
GroupScope        : Global
Name              : Deleted in 180 Seconds
ObjectClass       : group
ObjectGUID        : 234ef681-53be-4c86-a944-1ba84562e710
SamAccountName    : Deleted in 180 Seconds
SID               : S-1-5-21-1292396558-1955611682-1449083124-510723

#>

However, I'd prefer to use the AD cmdlets if they can support this. Does anyone have experience with this use case?
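As an added example that is not part of the original question, the following PowerShell reads the forest-wide limits that govern entryTTL, lists the dynamic objects that already exist with their scheduled deletion time, and refreshes a TTL. It assumes the ActiveDirectory module is loaded and the caller can read the Configuration naming context; the function names and the usage values are my own. The limits matter for the output shown above: Active Directory enforces a minimum TTL (DynamicObjectMinTTL, 900 seconds by default) and a default TTL used when entryTTL is omitted (DynamicObjectDefaultTTL, 86400 seconds by default), so a requested value of 180 is raised to the minimum, which is consistent with the 874 read back a few seconds after creation.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module
# and read access to the Configuration naming context; function names are hypothetical.
Import-Module ActiveDirectory

function Get-ADDynamicObjectTtlPolicy {
    # The forest-wide TTL limits live in msDS-Other-Settings on the Directory Service object
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                             -Properties 'msDS-Other-Settings'
    $settings = @{}
    foreach ($entry in $dsObject.'msDS-Other-Settings') {
        $key, $value = $entry -split '=', 2          # entries look like "DynamicObjectMinTTL=900"
        $settings[$key] = $value
    }
    [pscustomobject]@{
        MinTtlSeconds     = [int]$settings['DynamicObjectMinTTL']      # requests below this are raised to it
        DefaultTtlSeconds = [int]$settings['DynamicObjectDefaultTTL']  # used when entryTTL is omitted
    }
}

function Get-ADDynamicObjectReport {
    Param (
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Every object carrying the dynamicObject auxiliary class exposes entryTTL (seconds remaining)
    # and the constructed attribute msDS-Entry-Time-To-Die (scheduled deletion time)
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(objectClass=dynamicObject)' `
                 -Properties entryTTL, 'msDS-Entry-Time-To-Die', objectClass |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                SecondsRemaining  = $_.entryTTL
                ExpiresAt         = $_.'msDS-Entry-Time-To-Die'
            }
        }
}

function Update-ADDynamicObjectTtl {
    Param (
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][int]$TimeToLive
    )
    # A dynamic object is kept alive by writing a new entryTTL; the DC restarts the countdown.
    # The same minimum applies here, so warn before relying on a short value.
    $policy = Get-ADDynamicObjectTtlPolicy
    if ($TimeToLive -lt $policy.MinTtlSeconds) {
        Write-Warning ("Requested TTL {0}s is below DynamicObjectMinTTL ({1}s); the DC will use the minimum." -f $TimeToLive, $policy.MinTtlSeconds)
    }
    Set-ADObject -Identity $Identity -Replace @{ entryTTL = $TimeToLive }
}

# Usage (constructed names; adjust to your environment):
# Get-ADDynamicObjectTtlPolicy
# Get-ADDynamicObjectReport -SearchBase 'OU=Groups,DC=example,DC=com' | Format-Table
# Update-ADDynamicObjectTtl -Identity 'CN=Deleted in 180 Seconds,OU=Groups,DC=example,DC=com' -TimeToLive 3600
```

The report is the part worth scheduling: because the group disappears on its own, it is the only record of which time-limited access grants currently exist and when each one lapses, and comparing its output against the expected list catches a TTL that was silently raised to the minimum or refreshed beyond the intended window.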

0 answers:

No answers yet.