我已经构建了一个脚本,用于查询整个林中的用户并执行以下操作:
当我针对林的根域中的GC运行此操作时,根域中的用户处理得很好。子域中的用户只处理步骤#3,但步骤#1和#2会导致错误。
编辑以进行说明:这些命令是针对根目录林中的2012域控制器运行的,该域控制器也是全局编录服务器。我将这些命令作为企业管理员运行,可以访问所有子域。使用这些相同的凭据和相同的服务器,我可以使用Active Directory用户和计算机手动进行所有这些编辑。
以下是我创建的脚本:
$csvpath = ".\users.csv"
$groupcbr = Get-ADGroup "CN=test group,OU=Test OU,DC=contoso,DC=com"
Import-CSV -Path $csvpath | Foreach-Object {
$userprincipalname = $_.userprincipalname
$activationkey = $_.activationkey
Get-ADUser -Filter {userprincipalname -like $userprincipalname} -SearchBase "DC=contoso,DC=com" -Server "ROOTGC.contoso.com:3268" | Foreach-Object {
$dn = $_.DistinguishedName
#Set default as root domain
$domain = "contoso"
$domainserver = "ROOTGC.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Test Group Users"
If ($dn -like "*DC=childdomain1*") {
$domain = "childdomain1"
$domainserver = "childgc1.childdomain1.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Test Group Users" -Server "ROOTGC.contoso.com:3268"
}
If ($dn -like "*DC=childdomain2*") {
$domain = "childdomain2"
$domainserver = "childgc2.childdomain2.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Office 365 Users" -Server "ROOTGC.contoso.com:3268"
}
Write-Host "$domain | $userprincipalname [$($_.SamAccountName)] will get $activationkey added, and put into groups: $groupscript | [$dn]"
#Set ExtensionAttribute2
SET-ADUSER -Identity $dn -replace @{ExtensionAttribute2="$activationkey"}
#Add the user to their own domain-based group
Add-ADGroupMember -Identity $groupscript -Members $_
#Add the user to the root domain's universal group
Add-ADGroupMember -Identity $groupcbr -Members $_
}
}
同样,根域中的用户处理得很好。子域中的用户在#1(设置extensionattribute2)和#2(添加其本地域组)上遇到错误。
以下是错误:
设置ExtensionAttribute2:
SET-ADUSER : A referral was returned from the server
At C:\***\Untitled1.ps1:52 char:3
+ SET-ADUSER -Identity $dn -replace @{ExtensionAttribute2="$activationkey"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=User1...contoso,DC=com:ADUser) [Set-ADUser], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.SetADUser
添加到本地域组:
Add-ADGroupMember : The server is unwilling to process the request
At C:\***\Untitled1.ps1:53 char:3
+ Add-ADGroupMember -Identity $groupscript -Members $_
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=ChildDomain1 Tes...contoso,DC=com:ADGroup) [Add-ADGroupMember], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
我到处都搜索过,但还没有找到办法解决这个问题。我尝试了以下(以及更多):
我错过了什么?请帮帮我!!我必须手动浏览我的CSV文件并设置需要设置的内容,因为它必须在今晚完成,但我将在接下来的两周内处理数千名用户。
答案 0 :(得分:3)
您运行此服务器的服务器必须具有全局编录的副本,否则将无法解析引用。或者您必须针对目标域的DC运行命令。此外,您的用户必须具有Enterprise Admin权限才能在林的其他域中创建/修改/删除对象(或者必须在目标域中进行相应的委派)。
另一个问题是,如果没有在所有相关DC上运行的Windows Server 2008 R2之前不可用的 Active Directory Web服务,则闪亮的AD cmdlet将无法运行。您可以通过自己处理外部安全主体和目录对象来解决这个问题,但是:
$fsp = New-Object Security.Principal.NTAccount('DOM1', 'username')
$sid = $fsp.Translate([Security.Principal.SecurityIdentifier]).Value
$dn = Get-ADGroup -Identity 'groupname' | select -Expand distinguishedName
$group = New-Object DirectoryServices.DirectoryEntry("LDAP://$dn")
[void]$group.member.Add("<SID=$sid>")
$group.CommitChanges()
$group.Close()
有了这样说:你确实意识到Windows Server 2003将在后天达到报废,不是吗?为什么你的DC 仍然运行那个古老的版本?