问题
I am attempting to Set-Acl on a Computer Object in AD. Firstly I get the ACL using:
$acl = (Get-Acl AD:\'CN=Tester1,OU=Ou1,OU=OU2,OU=OU3,DC=Contoso,DC=com').Access
Which gives me all the ACL for that computer object. I then use:
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Computername","FullControl")))
Any pointers in the right direction would be helpful. My aim is to add a computer object to the computer object 'Tester1' and give it Full Access permissions.
回答1:
ActiveDirectory isn't a filesystem. You must create a new ACE for an AD object as an ActiveDirectoryAccessRule.
$path = "AD:\CN=Tester1,OU=Ou1,OU=OU2,OU=OU3,DC=Contoso,DC=com"
$acl = Get-Acl -Path $path
$ace = New-Object Security.AccessControl.ActiveDirectoryAccessRule('DOMAIN\Computername','FullControl')
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl
回答2:
ACE for AD objects you must create with System.DirectoryServices.ActiveDirectoryAccessRule object instead of System.Security.AccessControl.FileSystemAccessRule.
Good description and example is here: Add Object Specific ACEs using Active Directory Powershell
来源:https://stackoverflow.com/questions/31375506/set-acl-on-ad-computer-object