powershell - Powershell 内核到 powershell
问题描述
我正在运行一个安装了 Pwsh 的 Ubuntu EC2 实例,以在我们的一台服务器上远程执行 AD 命令。2sd hop 设置正确,我能够运行 AD 命令,但是在执行我的脚本时出现以下错误(脚本直接在 2sd hop 机器上工作正常):
无法识别搜索过滤器
+ CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException + FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADUser + PSComputerName : corpmaint02
#!/usr/bin/pwsh
$employeeEmail = 'myemail@contoso.com'
$session = New-PSSession -ComputerName corpmaint02 -ConfigurationName corpmaint02 -Credential contoso\myadminaccount
Invoke-Command -Session $session -ArgumentList $employeeEmail -ScriptBlock{
Get-ADUser -Filter "EmailAddress -eq '$employeeEmail'" -Properties EmailAddress | Disable-ADAccount
Write-Host $employeeEmail has been 'disabled.'
}
Remove-PSSession -ID $session.ID
[GC]::Collect()
任何帮助,将不胜感激。
更新:新代码:
#!/usr/bin/pwsh
$cred=Get-Credential domain\myadmin
$employeeEmail = 'myemail@contoso.com'
Invoke-Command -ComputerName corpmaint02 -Credential $cred -ConfigurationName corpmaint02 -Authentication Negotiate -ArgumentList $employeeEmail -$
Get-ADUser -Filter "EmailAddress -eq '$($Args[0])'" -Properties EmailAddress | Disable-ADAccount -verbose
Write-Host $employeeEmail has been 'disabled.'
}
I modified my code as follow and it works expect for the lack of permissions to disable the account which odd because my admin account has rights to do so.
执行操作的访问权限不足
+ CategoryInfo : NotSpecified: (CN=xxxxx\domain,DC=com:ADUser) [Disable-ADAccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.DisableADAccount + PSComputerName : 公司维护02
提升的新代码:
#!/usr/bin/pwsh
$cred=Get-Credential domain\myadmin
$employeeEmail = 'user1@contoso.com'
Invoke-Command -ComputerName corpmaint02 -Credential $cred -ConfigurationName corpmaint02 -Authentication Negotiate -ArgumentList $employeeEmail,$cred -ScriptBlock{
$currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
$testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if ($testadmin -eq $false) {
Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
exit $LASTEXITCODE
}
Get-ADUser -Filter "EmailAddress -eq '$($Args[0])'" -Properties EmailAddress | Disable-ADAccount -verbose -Credential $Args[1]
}
Write-Host $employeeEmail 'has been disabled.'
解决方案
Invoke-Command 未以提升的权限运行,因此您可以检索数据但不能进行更改。
https://ss64.com/ps/syntax-elevate.html 如果您使用 Invoke-Command 在远程计算机上运行脚本或命令,那么即使本地会话是,它也不会运行提升。这是因为任何提升提示都将在远程计算机上的非交互式会话中发生,因此会失败。
您可以尝试在 Invoke-Command 脚本块中自我提升(来自上面的链接)
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
# Relaunch as an elevated process:
Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs
exit
}
# Now running elevated so launch the script:
& "d:\long path name\script name.ps1" "Long Argument 1" "Long Argument 2"
推荐阅读
- sql - 按 HIVE UDAF 区分和分组
- c# - 同值统一的解决方案是什么?
- python - TypeError: read_csv() 在合并 csv 文件时得到了一个意外的关键字参数“sheetname”
- vb.net - 所以这是和上次一样的问题,但这次我尝试了一个数组仍然无法正常工作
- python - 让 3d Python 绘图像 Matlab 一样漂亮
- cucumber - 如何在步骤定义的“when”或“then”中打印“given”语句?
- racket - 在球拍中生成流
- c - C中的链表给出分段错误
- android - 错误:EISDIR:对目录的非法操作,读取 React Native (Android )
- python - Nsolve 不会解决