我制定了脚本的所有部分,用于创建目录名称、根据预定义的目录结构创建目录、根据附加到硬编码名称的项目编号创建 AD 组,然后将该组添加到特定的目录。目录,并设置该组的 ACL。
我似乎无法绕过该错误:
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "4".
这是脚本:
$domain="DOMAIN"
$tldn="net"
$pathArr=@()
$pathArr+=$path1=Read-Host -Prompt "Enter first path"
$pathArr+=$path2=Read-Host -Prompt "Enter second path"
[int]$projectNumber=try { Read-Host -Prompt "Enter project number" } catch { Write-Host "Not a numeric value. Please try again."; exit }
[string]$mainFolder=[string]${projectNumber}+"_"+(Read-Host -Prompt "Please give the main folder name")
$projectNumberString=[string]$projectNumber
$projectName=Read-Host -Prompt "Please give the project name"
$fullProjectName="${projectNumberString}_${projectName}"
$pathArr+=$path3="$path1\$mainFolder"
$pathArr+=$path4="$path2\$mainFolder"
$pathArr+=$path5="$path3\$fullProjectName"
$pathArr+=$path6="$path4\$fullProjectName"
# Region: Create organizational units in Active Directory
# Names
$ouN1="XYZOU"
$ouN2="ABCOU"
# Paths
$ouP0="DC=$domain,DC=$tldn"
$ouP1="OU=$ouN1,$ouP0"
$ouP2="OU=$ouN2,$ouP1"
Write-Host "Checking for required origanization units..."
try
{
New-ADOrganizationalUnit -Name $ouN1 -Path $ouP1
New-ADOrganizationalUnit -Name $ouN2 -Path $ouP2
}
catch
{
Out-Null
}
Write-Host "Creating AD Group..."
[string]$group="BEST_${projectNumberString}"
$groupdomain="$domain\$group"
$ADGroupParams= @{
'Name' = "$group"
'SamAccountName' = "$group"
'GroupCategory' = "Security"
'GroupScope' = "Global"
'DisplayName' = "$group"
'Path' = "OU=MyBusinessOU,DC=$domain,DC=$tldn"
'Description' = "Test share"
}
$secgroup=New-ADGroup @ADGroupParams
# Region: Set permissions
Write-Host "Setting permissions..."
# get permissions
$acl = Get-Acl -Path $path6
# add a new permission
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse","Executefile","ListDirectory","ReadData", "ReadAttributes", "ReadExtendedAttributes","CreateFiles","WriteData", 'ContainerInherit, ObjectInherit', "CreateDirectories","AppendData", "WriteAttributes", "WriteExtendedAttributes", "DeleteSubdirectoriesAndFiles", "ReadPermissions"
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, ObjectInherit”
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]”None”
$AccessControl=[System.Security.AccessControl.AccessControlType]”Allow”
$permission = "$groupdomain", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
# set new permissions
$acl | Set-Acl -Path $path6
再次,我尝试执行通常在 Windows 环境中的 Active Directory 中手动执行的操作
- 创建AD组
- 将组添加到共享
- 给组设置权限
- 该脚本不会将用户添加到组中
最后一步是设置权限;不幸的是,当我运行脚本、更改语法或方法(以下是几篇在线文章中的示例)并花费数小时进行此操作时,我只是没有取得任何进展。唯一的进展是它不能超载的数量从 18 个减少到 4 个。
提前谢谢你的帮助!
EDIT
我根据评论修改了脚本,指出我错过了$FileSystemAccessRights
争论。
The $permission
变量更改为:
$permission = "$groupdomain", "$FileSystemAccessRights", "$InheritanceFlags", "$PropagationFlags", "$AccessControl"
我仍然得到这个输出:
New-Object : Cannot convert argument "1", with value: "ExecuteFile Executefile ListDirectory ReadData ReadAttributes
ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData WriteAttributes
WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions", for "FileSystemAccessRule" to type
"System.Security.AccessControl.FileSystemRights": "Cannot convert value "ExecuteFile Executefile ListDirectory ReadData
ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions" to type
"System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name ExecuteFile Executefile ListDirectory
ReadData ReadAttributes ReadExtendedAttributes CreateFiles WriteData ContainerInherit, ObjectInherit CreateDirectories AppendData
WriteAttributes WriteExtendedAttributes DeleteSubdirectoriesAndFiles ReadPermissions to a valid enumerator name. Specify one of the
following enumerator names and try again: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData,
ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes,
WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize,
FullControl""
EDIT
我尝试从变量中删除引号,因为似乎每个变量都已经有引号了,除了$groupdomain
,然后得到这个错误:
New-Object : Cannot convert argument "1", with value: "System.Object[]", for "FileSystemAccessRule" to type
"System.Security.AccessControl.FileSystemRights": "Cannot convert value
"ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit,
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions" to
type "System.Security.AccessControl.FileSystemRights". Error: "Unable to match the identifier name
ExecuteFile,Executefile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,ContainerInherit,
ObjectInherit,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles,ReadPermissions to a
valid enumerator name. Specify one of the following enumerator names and try again: ListDirectory, ReadData, WriteData,
CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,
DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify,
ChangePermissions, TakeOwnership, Synchronize, FullControl""
EDIT
尝试了斯蒂芬的建议,用引号包围了整个新对象,然后得到了这个错误:
Cannot convert argument "rule", with value: "New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList
WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None Allow", for "SetAccessRule" to type
"System.Security.AccessControl.FileSystemAccessRule": "Cannot convert the "New-Object -TypeName
System.Security.AccessControl.FileSystemAccessRule -ArgumentList WOLF\Elite_1035 Write, Read ContainerInherit, ObjectInherit None
Allow" value of type "System.String" to type "System.Security.AccessControl.FileSystemAccessRule"."
EDIT
错误消失了,但我仍然没有看到任何组添加到$path6
.
理论上,我还可以通过这样做来添加所有权限:
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"Traverse,Executefile,ListDirectory,ReadData, ReadAttributes, ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,DeleteSubdirectoriesAndFiles, ReadPermissions"