I've run into an issue in a script I've been writing that will call thousands of lines of input and must often create new AD groups and apply them to new folders. The issue is that often times, the AD groups aren't 'ready' to use (i.e., ready to be called in an ACL creation command) after they're created unless I call a sleep for a prohibitively long period of time due to the number of iterations the script must make and the amount of time this would add to its run. That is, if I call a 20 second sleep, it will probably work in most cases but if I have 2000 groups to create, that's over 11 hours that this operation adds to the running of this script.
我在编写的脚本中遇到了一个问题,它会调用数千行输入,并且必须经常创建新的AD组并将它们应用到新文件夹中。问题在于,AD组在创建之后并没有“准备好”使用(即,准备在ACL创建命令中调用),除非我因为过长的一段时间而打电话给睡眠脚本必须进行的迭代次数以及这将为其运行添加的时间量。也就是说,如果我打电话给20秒睡眠,它可能在大多数情况下都可以工作,但是如果我要创建2000个组,那么这个操作会增加运行这个脚本超过11个小时。
Before anyone asks, the large number of AD groups is due to a broad front-end data migration to a platform in a different domain, and is a requirement.
在有人要求之前,大量的AD组是由于广泛的前端数据迁移到不同域中的平台,并且是必需的。
I've tried entering a 'start-sleep -s 1' loop until the group is non-null before proceeding, but an 'unusable' group is not necessarily $null. I've tried entering the same type of loop and checking to see if 'Get-QADGroup' returns a SID, and only continuing when it returns an actual group name, but when immediately continuing, I've found that sometimes those groups still aren't 'available.'
我尝试进入'start-sleep -s 1'循环,直到该组在继续之前为非null,但'不可用'组不一定是$ null。我已经尝试输入相同类型的循环并检查'Get-QADGroup'是否返回SID,并且仅在它返回实际组名时继续,但是当立即继续时,我发现有时这些组仍然没有't'可用。'
I read an article somewhere that (I believe) discussed being able to do this creation directly on a Domain Controller (still via PS), though it wasn't terribly specific and even if I do have permission to do that (I'm not sure at the moment), I'd be hesitant unless I was certain of what I was doing (I'm a Data Storage Admin by trade, I just get stuck with a lot of AD management stuff).
我在某处读过一篇文章(我相信)讨论过能够直接在域控制器上进行创建(仍然是通过PS),尽管它并不是非常具体,即使我有权这样做(我不是当然确定),除非我确定自己在做什么,否则我会犹豫不决(我是一个数据存储管理员,我只是遇到了很多AD管理的东西)。
Anyway, I'm still googling and trying to work with the Windows team but was hoping someone might have come across this problem in the past where a long sleep wouldn't cut it. Thanks so much in advance for any suggestions!
无论如何,我仍在谷歌搜索并试图与Windows团队合作,但希望有人可能在过去遇到这个问题,长时间的睡眠不会削减它。非常感谢您的任何建议!
Mike
麦克风
EDIT: To add some context to this, here is what my script needs to do:
编辑:要添加一些上下文,这是我的脚本需要做的事情:
-
Take an input file consisting of an existing source folder and a corresponding new destination folder on a fresh filesystem.
在新文件系统上获取由现有源文件夹和相应的新目标文件夹组成的输入文件。
-
Create the folder on the destination side
在目标端创建文件夹
-
If the permissions of the source folder differ from its parent, create new groups in a different domain, with names based on the name of the destination folder.
如果源文件夹的权限与其父文件夹的权限不同,请在其他域中创建新组,其名称基于目标文件夹的名称。
-
Add the newly created groups to the destination folder ACLs
将新创建的组添加到目标文件夹ACL
-
Extract any and all permissions from source folder groups/accounts and add them to the destination folder's new group.
从源文件夹组/帐户中提取任何和所有权限,并将它们添加到目标文件夹的新组。
All of the logic seems to be in place, but I'm stuck waiting too long for the groups to propagate in AD after they're created.
所有的逻辑似乎都已到位,但是我在等待太长时间才能让这些组在创建后在AD中传播。
1 个解决方案
#1
0
The easiest way I see it is to create the new folder then add the group to the new domain then apply the group to the folder permissions and apply the ACLs. The best way to create the groups is with powershell.
我看到的最简单的方法是创建新文件夹,然后将组添加到新域,然后将该组应用于文件夹权限并应用ACL。创建组的最佳方法是使用PowerShell。
I had a similar issue in which I was creating the groups and applying ACLs faster then the new group could be replicated on our domain.
我有一个类似的问题,我正在创建组并更快地应用ACL,然后可以在我们的域上复制新组。
The way I solved it was to create the folder then create the groups in AD with new-QADGroup. and I took the results of the new-QAD group and plugged that in a variable then when I assigned the group to the folder I used that variable to assign the groups SID directly to the folder and set ACLs. This allowed me to create the permissions on the folder immediately before the group fully replicated. Once it did replicate the SIDs on the folder and on the AD group would match and the group would then properly give permissions on the folder. Here is the code I used:
我解决它的方法是创建文件夹,然后在AD中使用new-QADGroup创建组。然后我获取了新QAD组的结果并将其插入变量中,然后当我将组分配给文件夹时,我使用该变量将组SID直接分配给文件夹并设置ACL。这使我可以在完全复制组之前立即在文件夹上创建权限。一旦它复制了文件夹上的SID,并且AD组将匹配,然后该组将正确地授予该文件夹的权限。这是我使用的代码:
$newGroupObject = New-QADGroup -ParentContainer $ParentOU -Name $newGroupName -SamAccountName $newGroupName -GroupType 'Security' -GroupScope 'Global' -Description $ShareDesc
$newGroupSid = New-object System.Security.Principal.SecurityIdentifier($newGroupObject.sid)
$Acl = Get-ACL $newFolderPath
$newAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($newGroupSid ,"Modify","ContainerInherit,Objectinherit","none","Allow")
$Acl.AddAccessRule($newAccessRule)
Set-Acl $newFolderPath $Acl
Hope this helps!
希望这可以帮助!
#1
0
The easiest way I see it is to create the new folder then add the group to the new domain then apply the group to the folder permissions and apply the ACLs. The best way to create the groups is with powershell.
我看到的最简单的方法是创建新文件夹,然后将组添加到新域,然后将该组应用于文件夹权限并应用ACL。创建组的最佳方法是使用PowerShell。
I had a similar issue in which I was creating the groups and applying ACLs faster then the new group could be replicated on our domain.
我有一个类似的问题,我正在创建组并更快地应用ACL,然后可以在我们的域上复制新组。
The way I solved it was to create the folder then create the groups in AD with new-QADGroup. and I took the results of the new-QAD group and plugged that in a variable then when I assigned the group to the folder I used that variable to assign the groups SID directly to the folder and set ACLs. This allowed me to create the permissions on the folder immediately before the group fully replicated. Once it did replicate the SIDs on the folder and on the AD group would match and the group would then properly give permissions on the folder. Here is the code I used:
我解决它的方法是创建文件夹,然后在AD中使用new-QADGroup创建组。然后我获取了新QAD组的结果并将其插入变量中,然后当我将组分配给文件夹时,我使用该变量将组SID直接分配给文件夹并设置ACL。这使我可以在完全复制组之前立即在文件夹上创建权限。一旦它复制了文件夹上的SID,并且AD组将匹配,然后该组将正确地授予该文件夹的权限。这是我使用的代码:
$newGroupObject = New-QADGroup -ParentContainer $ParentOU -Name $newGroupName -SamAccountName $newGroupName -GroupType 'Security' -GroupScope 'Global' -Description $ShareDesc
$newGroupSid = New-object System.Security.Principal.SecurityIdentifier($newGroupObject.sid)
$Acl = Get-ACL $newFolderPath
$newAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($newGroupSid ,"Modify","ContainerInherit,Objectinherit","none","Allow")
$Acl.AddAccessRule($newAccessRule)
Set-Acl $newFolderPath $Acl
Hope this helps!
希望这可以帮助!