问题描述
我有一个脚本,可以创建两个组,一个装满文件夹的手,并为这些文件夹设置权限.在我的测试环境中,所有这些过程都没有问题,但在我的生产环境中,我遇到了问题.设置文件夹权限失败,因为我创建的组没有通过我的所有 8 个域控制器进行复制.可以让 PowerShell 只与一个 DC 一起工作,这样我就不必等待复制吗?我应该让脚本休眠 X 秒吗?或者有什么方法可以查看这些组是在所有 DC 上还是至少在我正在工作的 DC 上?
I have a script that creates two groups, a hand full of folders, and sets permissions on those folders. In my testing environment all of these processes work without issue but in my production environment I run into a problem. Setting the permissions on the folders fail since the groups I created have not replicated through all 8 of my domain controllers. Can have PowerShell work with only one of the DC's so I don't have to wait for the replication? Should I put the script to sleep for X seconds? Or is there some way to see if the groups are on all the DC's or at least on the one I am working?
这就是我制作组的方式:
This is how I am making the groups:
New-ADGroup -Name $Admin_GRP -path "OU=Users,OU=Sandbox,DC=test,DC=local" -GroupScope Global
New-ADGroup -Name $User_GRP -path "OU=Users,OU=Sandbox,DC=test,DC=local" -GroupScope Global
这是我对其中一个文件夹设置权限的方式:
This is how I am setting the permissions on one of the folders:
#Set permissions on root directory
$ACL = Get-Acl $PathToFolder
#For Admin
$Permission = $Admin_GRP,"Write,ReadAndExecute,Synchronize,DeleteSubdirectoriesAndFiles","Allow"
$Access_Rule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
$ACL.AddAccessRule($Access_Rule)
$ACL | Set-Acl $PathToFolder
#For Users
$Permission = $User_GRP,"ReadAndExecute,Synchronize","Allow"
$Access_Rule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
$ACL.AddAccessRule($Access_Rule)
$ACL | Set-Acl $PathToFolder
推荐答案
设置新组的 SID 的权限,而不是它的名称/samaccountname.
Set the permission on the SID of the new group instead of it's name/samaccountname.
这篇关于PowerShell:脚本失败,因为 AD 对象复制得不够快的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!