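I am trying to delegate the "Create all child objects" and "Delete all child objects" permissions on "All descendant objects". When the permissions are granted in the GUI, the ACL looks like this: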
ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType : All
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : DOMAINGROUP
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
I have been trying to replicate that ACL using System.DirectoryServices.ActiveDirectoryAccessRule.
Any help would be greatly appreciated.
Tried:
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "All", '00000000-0000-0000-0000-000000000000'
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "All", "00000000-0000-0000-0000-000000000000"
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "Descendents", '00000000-0000-0000-0000-000000000000'
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", '00000000-0000-0000-0000-000000000000', "Allow", "All", '00000000-0000-0000-0000-000000000000'
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $GroupSID, "CreateChild, DeleteChild", "Allow", "All", '00000000-0000-0000-0000-000000000000'
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($GroupSID, "CreateChild, DeleteChild", "Allow", '00000000-0000-0000-0000-000000000000', "Descendents")
Got:
New-Object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the argument count: "5".
At line:1 char:9
+ $ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
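Your 5 string arguments do not exactly match any overload signature of the rule constructor, but they could match 2 of them if the arguments were converted to the correct parameter types.
Supplying arguments of the correct types will allow PowerShell to pick the right one: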
$ace2 = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    [System.Security.Principal.SecurityIdentifier]$GroupSID,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
    [guid]::Empty)
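
An added example (not part of the original question or answer): it lists the five-parameter constructors behind the ambiguity error, builds the rule with typed arguments as the answer does, and compares its properties with the GUI-created ACE from the question before anything is written to the directory. The SID is a constructed sample value, and the script assumes Windows, where System.DirectoryServices is available.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# Constructed sample SID standing in for $GroupSID (not from the original post).
$GroupSID = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1105'

# 1. List the five-parameter constructors. With five plain strings, PowerShell
#    cannot tell the (..., Guid, Inheritance) overload from (..., Inheritance, Guid).
$ruleType = [System.DirectoryServices.ActiveDirectoryAccessRule]
$ruleType.GetConstructors() |
    Where-Object { $_.GetParameters().Count -eq 5 } |
    ForEach-Object {
        ($_.GetParameters() | ForEach-Object { "$($_.ParameterType.Name) $($_.Name)" }) -join ', '
    }

# 2. Build the rule with typed arguments so exactly one overload matches.
$ace = $ruleType::new(
    $GroupSID,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
    [guid]::Empty)

# 3. Compare the in-memory rule with the ACE the GUI produced (values copied
#    from the question's dump; IdentityReference and IsInherited are skipped
#    because they depend on the target object and the real group).
$expected = [ordered]@{
    ActiveDirectoryRights = 'CreateChild, DeleteChild'
    InheritanceType       = 'All'
    ObjectType            = [guid]::Empty.ToString()
    InheritedObjectType   = [guid]::Empty.ToString()
    ObjectFlags           = 'None'
    AccessControlType     = 'Allow'
    InheritanceFlags      = 'ContainerInherit'
    PropagationFlags      = 'None'
}
foreach ($name in $expected.Keys) {
    $actual = "$($ace.$name)"
    [pscustomobject]@{
        Property = $name
        Expected = $expected[$name]
        Actual   = $actual
        Match    = ($actual -eq $expected[$name])
    }
}
```

Any row with Match = False means the rule would grant something other than what the GUI delegation granted, which is worth resolving before the rule is added to an object's ACL.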