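Table of contents
- Problem description
- Root cause
- Solution
Problem description
After the delegated user is granted Full Control through delegation, Unlock is greyed out for some users.
Root cause
Comparing users that can be unlocked normally with users that cannot shows that the users that cannot be unlocked do not have inheritance enabled ("Enable inheritance").
Solution:
- Find the users whose inheritance is disabled
- Enable inheritance for these users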
# Find all users with inheritance disabled (adminCount = 1) and enable inheritance
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount | ForEach-Object {
    # Get the user's distinguished name
    $userDn = $_.DistinguishedName
    $acl = Get-Acl -Path "AD:$userDn"
    # First argument (isProtected) = $false turns inheritance back on
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:$userDn" -AclObject $acl
    # Optionally, reset adminCount (-Clear removes the attribute)
    Set-ADUser -Identity $_ -Clear adminCount
    Write-Output "Enabled inheritance for user: $userDn"
}
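The script above treats adminCount = 1 as the marker for disabled inheritance. That attribute is set on accounts protected by AdminSDHolder, and for accounts that are still members of a protected group the SDProp process disables inheritance again on its next run. The following is an added example, not part of the original post: it checks the actual ACL flag, reports which affected accounts are still protected, and only changes the others when the hypothetical `-Fix` switch is passed. The group list assumes the default English group names.

```powershell
# Added example, not from the original post. Read-only unless -Fix is passed.
param([switch]$Fix)   # -Fix is a hypothetical switch name chosen for this example
Import-Module ActiveDirectory

# Assumption: default English names of the groups protected by AdminSDHolder.
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Backup Operators',
                   'Print Operators', 'Replicator', 'Domain Controllers',
                   'Read-only Domain Controllers'

# Collect the DN of every current (nested) member of a protected group.
$protectedDns = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }   # e.g. Enterprise Admins in a child domain
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { [void]$protectedDns.Add($_.DistinguishedName) }
}

# Test the real "inheritance disabled" flag instead of relying on adminCount alone.
$report = Get-ADUser -Filter * -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            AdminCount        = $_.adminCount
            StillProtected    = $protectedDns.Contains($_.DistinguishedName) -or
                                $_.SamAccountName -eq 'krbtgt'
            DistinguishedName = $_.DistinguishedName
        }
    }
$report | Sort-Object StillProtected, SamAccountName | Format-Table -AutoSize

if ($Fix) {
    # Only accounts that are no longer in any protected group are modified.
    foreach ($u in $report | Where-Object { -not $_.StillProtected }) {
        $acl = Get-Acl -Path "AD:$($u.DistinguishedName)"
        $acl.SetAccessRuleProtection($false, $true)   # isProtected = $false
        Set-Acl -Path "AD:$($u.DistinguishedName)" -AclObject $acl
        Set-ADUser -Identity $u.DistinguishedName -Clear adminCount
        Write-Output "Enabled inheritance for user: $($u.DistinguishedName)"
    }
}
```

Accounts reported with StillProtected = True are left unchanged, because enabling inheritance on them would let the delegated Full Control apply to privileged accounts until SDProp reverts it.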