How do I keep a security group in sync with an OU?

  • Question

  • A DFS folder needs to be shared with all users in a particular OU. The share can only be granted to a security group, so every time the OU membership changes the security group has to be adjusted by hand. Is there a simpler way?
    March 16, 2016 12:50

Answer

  • Hello!

    As far as I know, we can synchronize membership between an OU and a group with a script.

    Here is the script:

    ' Bind to OU objects.
    Set objOU1 = GetObject("LDAP://ou=OU1,ou=ParentOU,dc=MyDomain,dc=com")
    Set objOU2 = GetObject("LDAP://ou=OU2,ou=ParentOU,dc=MyDomain,dc=com")
    Set objOU3 = GetObject("LDAP://ou=OU3,ou=ParentOU,dc=MyDomain,dc=com")

    ' Bind to group objects.
    Set objGroup1 = GetObject("LDAP://cn=Group1,ou=ParentOU,dc=MyDomain,dc=com")
    Set objGroup2 = GetObject("LDAP://cn=Group2,ou=ParentOU,dc=MyDomain,dc=com")
    Set objGroup3 = GetObject("LDAP://cn=Group3,ou=ParentOU,dc=MyDomain,dc=com")

    ' Enumerate all child objects in OU1 (direct children only; nested OUs are not descended).
    For Each objUser In objOU1
        ' Only consider user objects.
        If (objUser.Class = "user") Then
            ' Make sure user not in Group2.
            If (objGroup2.IsMember(objUser.ADsPath) = True) Then
                objGroup2.Remove(objUser.ADsPath)
            End If
            ' Make sure user not in Group3.
            If (objGroup3.IsMember(objUser.ADsPath) = True) Then
                objGroup3.Remove(objUser.ADsPath)
            End If
            ' Make sure user is in Group1.
            If (objGroup1.IsMember(objUser.ADsPath) = False) Then
                objGroup1.Add(objUser.ADsPath)
            End If
        End If
    Next

    ' Enumerate all child objects in OU2.
    For Each objUser In objOU2
        ' Only consider user objects.
        If (objUser.Class = "user") Then
            ' Make sure user not in Group1.
            If (objGroup1.IsMember(objUser.ADsPath) = True) Then
                objGroup1.Remove(objUser.ADsPath)
            End If
            ' Make sure user not in Group3.
            If (objGroup3.IsMember(objUser.ADsPath) = True) Then
                objGroup3.Remove(objUser.ADsPath)
            End If
            ' Make sure user is in Group2.
            If (objGroup2.IsMember(objUser.ADsPath) = False) Then
                objGroup2.Add(objUser.ADsPath)
            End If
        End If
    Next

    ' Enumerate all child objects in OU3.
    For Each objUser In objOU3
        ' Only consider user objects.
        If (objUser.Class = "user") Then
            ' Make sure user not in Group1.
            If (objGroup1.IsMember(objUser.ADsPath) = True) Then
                objGroup1.Remove(objUser.ADsPath)
            End If
            ' Make sure user not in Group2.
            If (objGroup2.IsMember(objUser.ADsPath) = True) Then
                objGroup2.Remove(objUser.ADsPath)
            End If
            ' Make sure user is in Group3.
            If (objGroup3.IsMember(objUser.ADsPath) = False) Then
                objGroup3.Add(objUser.ADsPath)
            End If
        End If
    Next

    Here is a similar thread you can refer to.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9aab3d02-414b-41df-949f-62e6c3e94493/synchronize-members-of-a-ou-and-security-group?forum=winservergen

    Thanks.


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    March 17, 2016 9:59
    Moderator
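The same reconciliation for one OU and one group, as an added PowerShell example using the ActiveDirectory module (not code from the thread or from Microsoft). The OU DN and group name are placeholders, and the script defaults to a dry run so that the removals it would make can be reviewed before they are applied.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original thread): keep a security group equal to
# the set of enabled users in an OU. OuDn and GroupName are placeholders.
param(
    [string]$OuDn      = 'OU=OU1,OU=ParentOU,DC=MyDomain,DC=com',
    [string]$GroupName = 'Group1',
    [switch]$Apply     # without -Apply the script only reports the changes
)

Import-Module ActiveDirectory

# Desired membership: enabled user accounts in the OU. SearchScope Subtree also
# covers nested OUs; use OneLevel to match the VBScript's direct-children behaviour.
$desired = @(Get-ADUser -SearchBase $OuDn -SearchScope Subtree `
                        -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty DistinguishedName)

# Safety valve: an empty result (for example a mistyped OU DN) would otherwise
# strip every member from the group, so refuse to continue.
if ($desired.Count -eq 0) { throw "OU '$OuDn' returned no enabled users; aborting." }

# Current membership: direct members of the group that are user objects.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object objectClass -eq 'user' |
             Select-Object -ExpandProperty distinguishedName)

# Users in the OU but not in the group, and group members no longer in the OU.
$toAdd    = @($desired | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $desired -notcontains $_ })

foreach ($dn in $toAdd) {
    Write-Host "ADD    $dn -> $GroupName"
    if ($Apply) { Add-ADGroupMember -Identity $GroupName -Members $dn }
}
foreach ($dn in $toRemove) {
    Write-Host "REMOVE $dn <- $GroupName"
    if ($Apply) { Remove-ADGroupMember -Identity $GroupName -Members $dn -Confirm:$false }
}

$mode = if ($Apply) { 'applied' } else { 'dry run; rerun with -Apply to commit' }
Write-Host ("Summary: {0} to add, {1} to remove ({2})" -f $toAdd.Count, $toRemove.Count, $mode)
```

Run it as a scheduled task under an account that has only write-members rights on the target group, and keep the dry-run output from the first run as a record of what the script will change.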

All replies

  • Hello!

    Did the reply above solve your problem?

    Thanks.



    March 21, 2016 2:09
    Moderator