How to list the principals that hold the "Replicating Directory Changes" ACL rights with PowerShell
Goal: get the list of users that have the "Replicating Directory Changes" permission in AD.
I have been trying this PowerShell command and get the following output:
Get-ObjectACL -DistinguishedName "dc=hendel,dc=local" -Domain hendel.local -ResolveGUIDs |
? {($_.ObjectType -match 'replication-get') -or
($_.ActiveDirectoryRights -match 'GenericAll')}
AceType : AccessAllowed
ObjectDN : DC=hendel,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2327505349-568064809-1496836491
InheritanceFlags : ContainerInherit
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2327505349-568064809-1496836491-519
AccessMask : 983551
AuditFlags : None
AceFlags : ContainerInherit
AceQualifier : AccessAllowed

AceType : AccessAllowed
ObjectDN : DC=hendel,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2327505349-568064809-1496836491
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-18
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
What I actually get is the ObjectSID ... but how can I also display the related samaccountname?
Also, is there a better way to get the same result?
Thanks
Solution
Since a SID can represent a user, a group or a computer, I would use Get-ADObject for this.
# The trustee granted by each ACE is the SecurityIdentifier property; ObjectSID is the
# SID of the object whose ACL is being read (here the domain object itself), so the
# lookup has to use SecurityIdentifier to resolve the principal that holds the right.
Get-ObjectACL -DistinguishedName "dc=hendel,dc=local" -Domain hendel.local -ResolveGUIDs |
Where-Object {($_.ObjectType -match 'replication-get') -or
($_.ActiveDirectoryRights -match 'GenericAll')} |
Select-Object *,@{Name = 'SamAccountName'; Expression = {(Get-ADObject -Filter "objectSid -eq '$($_.SecurityIdentifier)'" -Properties SamAccountName -ErrorAction SilentlyContinue).SamAccountName}}
If you also want to see the object's class and name, use a ForEach-Object loop, like this:
Get-ObjectACL -DistinguishedName "dc=hendel,dc=local" -Domain hendel.local -ResolveGUIDs |
Where-Object {($_.ObjectType -match 'replication-get') -or
($_.ActiveDirectoryRights -match 'GenericAll')} |
ForEach-Object {
    # Resolve the ACE trustee (SecurityIdentifier) to its AD object; ObjectClass is
    # returned by Get-ADObject by default. Well-known SIDs such as S-1-5-18 (SYSTEM)
    # have no AD object and leave these fields empty.
    $adobj = Get-ADObject -Filter "objectSid -eq '$($_.SecurityIdentifier)'" -Properties SamAccountName,DisplayName,ObjectSid -ErrorAction SilentlyContinue
    $_ | Select-Object *,@{Name = 'SamAccountName'; Expression = {$adobj.SamAccountName}},@{Name = 'DisplayName'; Expression = {$adobj.DisplayName}},@{Name = 'ObjectClass'; Expression = {$adobj.ObjectClass}}
}
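As an added example that is not part of the original answer, the same audit can be done with only the RSAT ActiveDirectory module and its AD: drive, with no dependency on PowerView's Get-ObjectACL. It assumes the ActiveDirectory module is installed and that the session runs as a domain user allowed to read the domain object's security descriptor. The three GUIDs are the schema rightsGuid values of the replication extended rights; the function name Get-ReplicationRightHolders and the variable names are my own, and the output groups rights per trustee so that an account holding both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (the pair a full replication pull requires) stands out in a review.

```powershell
# Added example (not from the original answer): audit which principals hold the
# replication extended rights, or GenericAll, on the domain naming context using
# only the RSAT ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights as defined in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-ReplicationRightHolders {
    param(
        # Defaults to the DN of the domain the current session belongs to (assumption).
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )

    $acl = Get-Acl -Path "AD:\$DomainDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid          = $ace.ObjectType.ToString()
        $hasReplRight  = $ReplicationRights.ContainsKey($guid)
        $hasGenericAll = ($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll
        if (-not ($hasReplRight -or $hasGenericAll)) { continue }

        # The trustee is the ACE's IdentityReference (an NTAccount when it resolves,
        # a raw SID otherwise); normalise it to a SID before looking the object up.
        $sid   = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        # Well-known SIDs such as S-1-5-18 (SYSTEM) have no AD object; fields stay empty.
        $adobj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties SamAccountName -ErrorAction SilentlyContinue

        if ($hasReplRight) { $right = $ReplicationRights[$guid] } else { $right = 'GenericAll' }

        [PSCustomObject]@{
            Trustee        = $ace.IdentityReference.Value
            SID            = $sid.Value
            SamAccountName = $adobj.SamAccountName
            ObjectClass    = $adobj.ObjectClass
            Right          = $right
            IsInherited    = $ace.IsInherited
        }
    }
}

# One row per trustee with every matching right listed, so principals holding both
# Get-Changes and Get-Changes-All are easy to spot during a review.
Get-ReplicationRightHolders |
    Group-Object SID |
    ForEach-Object {
        [PSCustomObject]@{
            Trustee        = $_.Group[0].Trustee
            SamAccountName = $_.Group[0].SamAccountName
            ObjectClass    = $_.Group[0].ObjectClass
            Rights         = ($_.Group.Right | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```

Compared with the -match 'replication-get' filter above, matching on the rightsGuid does not depend on GUID resolution and does not pick up unrelated rights whose display name happens to contain the same substring; the explicit -band test for GenericAll likewise avoids a string match on the flags enumeration.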