2016-06-14 85 views
1

I have a script that is supposed to run as a service account.
Unchecking "Protect from accidental deletion" is not the problem, because whether it is checked or unchecked I get the error: Move-ADObject: Access is denied. The script disables users/PCs and creates new OUs.
The service account should not run as a "Domain Admin". At the moment it only has "Domain Users". Obviously everything works fine when I run it as an administrator, but when the script runs as the service account? Move-ADObject: Access is denied

Import-Module ActiveDirectory
##################################################
## Deactivate User and Move to another OU ##
##################################################
$SAM = "KZerr"
$Path = "dc=aaa,dc=local"
$OUToSearchTheUser = "OU=Users," + $Path

Disable-ADAccount -Identity $SAM

# Shows the disabled account
Search-ADAccount -AccountDisabled | ?{ $_.SamAccountName -like $SAM }

########## CHECK IF OU EXISTS, IF NOT CREATE ONE ##########
$OU = Get-ADOrganizationalUnit -Filter 'Name -like "DeactivatedUsers"' -SearchBase $OUToSearchTheUser
if ($null -eq $OU) {
    $NEWOU = New-ADOrganizationalUnit -Name "DeactivatedUsers" -Path $OUToSearchTheUser
}

$UserNewPath = "ou=DeactivatedUsers,ou=Users," + $Path
Get-ADUser $SAM | Move-ADObject -TargetPath $UserNewPath

##################################################
## Deactivate Client Account ##
##################################################
$COMPUTERNAME = "TST1360"
$OUToSearchTheComputer = "OU=PC," + $Path

Get-ADComputer -Identity $COMPUTERNAME | Disable-ADAccount
# Shows the disabled account
Search-ADAccount -AccountDisabled | ?{ $_.Name -like $COMPUTERNAME }

########## CHECK IF OU EXISTS, IF NOT CREATE ONE ##########
# Same existence check as for the users OU, so a re-run does not fail on New-ADOrganizationalUnit
$OU = Get-ADOrganizationalUnit -Filter 'Name -like "DeactivatedComputers"' -SearchBase $OUToSearchTheComputer
if ($null -eq $OU) {
    New-ADOrganizationalUnit -Name "DeactivatedComputers" -Path $OUToSearchTheComputer
}
$ComputerNewPath = "ou=DeactivatedComputers," + $OUToSearchTheComputer
Get-ADComputer $COMPUTERNAME | Move-ADObject -TargetPath $ComputerNewPath
+0

Does the service account have the "Create child objects" permission on the "TargetPath" OU? –

+0

Yes. Create and delete child objects – frhling1

Answer

0

Users and PCs have: Descendant User objects and Descendant Computer objects. The problem was that I had to select the "This folder and subfolders" permission.
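The delegation the answer describes, as an added example that is not part of the original thread: it grants the service account only create/delete child rights for the user and computer classes (plus create for organizationalUnit, which the script's New-ADOrganizationalUnit calls need), with inheritance set to "this object and all descendant objects". The service account name is assumed; the domain and OU paths are the ones from the question's script.

```powershell
# Added example, not the poster's code. Assumed: service account "AAA\svc-deprovision".
Import-Module ActiveDirectory

$ServiceAccount = "AAA\svc-deprovision"                      # assumed name
$DomainPath     = "dc=aaa,dc=local"                           # from the question
$Containers     = @("OU=Users,$DomainPath", "OU=PC,$DomainPath")

# Resolve the schema GUID of an object class instead of hard-coding it
$SchemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $SchemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

$Identity = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$Allow    = [System.Security.AccessControl.AccessControlType]::Allow
# "All" is the ACL-editor wording "This object and all descendant objects" that the answer found missing
$Inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$MoveRights = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild"
$OuRights   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

foreach ($Container in $Containers) {
    $AclPath = "AD:\$Container"
    $Acl = Get-Acl -Path $AclPath

    # Moving an object needs DeleteChild on the source OU and CreateChild on the
    # target OU; limit both to the user and computer classes (least privilege).
    foreach ($Class in "user", "computer") {
        $ClassGuid = Get-SchemaClassGuid $Class
        $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $MoveRights, $Allow, $ClassGuid, $Inherit)
        $Acl.AddAccessRule($Rule)
    }

    # The script also creates the DeactivatedUsers / DeactivatedComputers OUs
    $OuGuid = Get-SchemaClassGuid "organizationalUnit"
    $OuRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $OuRights, $Allow, $OuGuid, $Inherit)
    $Acl.AddAccessRule($OuRule)

    Set-Acl -Path $AclPath -AclObject $Acl
}

# Verify what the service account now holds on each container
foreach ($Container in $Containers) {
    (Get-Acl -Path "AD:\$Container").Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
        Select-Object ActiveDirectoryRights, InheritanceType, ObjectType
}
```

Run it once as an account that can edit the OU ACLs; the verification loop should show CreateChild/DeleteChild entries with InheritanceType All and the user and computer class GUIDs as ObjectType.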