Troubleshoot and resolve groups issues

Troubleshooting group creation issues

I disabled security group creation in the Azure portal but groups can still be created via PowerShell

The "Users can create security groups in Azure portals" setting in the Azure portal controls whether non-admin users can create security groups in the Access panel or the Azure portal. It does not control security group creation via PowerShell.

To disable group creation for non-admin users in PowerShell:

  1. Verify that non-admin users are allowed to create groups:

    Get-MsolCompanyInformation | Format-List UsersPermissionToCreateGroupsEnabled
    
  2. If it returns UsersPermissionToCreateGroupsEnabled : True, then non-admin users can create groups. To disable this feature:

    Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False
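The two steps above combined into one script, as an added example that is not part of the original article: it reads the current value of the setting, disables non-admin group creation only if it is enabled, and then re-reads the setting so a script run in an audit job fails loudly if the change did not apply. It assumes the MSOnline module is installed and that the signed-in account holds an administrator role permitted to change company settings.

```powershell
# Added example: disable non-admin group creation with the MSOnline module and
# verify the change. Assumes the MSOnline module is installed and the signed-in
# account holds an administrator role that can change company settings.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in

# Step 1: read the current value of the setting.
$before = (Get-MsolCompanyInformation).UsersPermissionToCreateGroupsEnabled
Write-Host "UsersPermissionToCreateGroupsEnabled before: $before"

if ($before -eq $true) {
    # Step 2: disable group creation for non-admin users.
    Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $false
}

# Re-read the setting and fail if it did not change. Keeping this check in a
# scheduled script means a later reversal of the setting is noticed quickly.
$after = (Get-MsolCompanyInformation).UsersPermissionToCreateGroupsEnabled
if ($after -ne $false) {
    throw "UsersPermissionToCreateGroupsEnabled is still '$after'; the change did not apply."
}
Write-Host "Non-admin users can no longer create groups through PowerShell."
```

Because the setting is tenant-wide and silently governs what every non-admin account can do from PowerShell, the re-read at the end is the part worth keeping: a one-time `Set-` call proves nothing about the state a month later.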
    


I received a max groups allowed error when trying to create a Dynamic Group in PowerShell

If you receive a message in PowerShell indicating "Dynamic group policies max allowed groups count reached", this means you have reached the maximum number of Dynamic groups in your organization. The maximum number of Dynamic groups per organization is 5,000.

To create any new Dynamic groups, you'll first need to delete some existing Dynamic groups. There's no way to increase the limit.
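To see how close a tenant is to the limit before the error appears, and to find candidates for deletion, the following added example (not part of the original article) counts the dynamic groups in the tenant with the AzureAD module and lists those whose rule processing is paused and that currently have no members. It assumes the AzureAD module is installed and the signed-in account can read groups and their membership; the 5,000 figure is the limit stated above.

```powershell
# Added example: count dynamic groups against the 5,000-per-organization limit
# and list paused, empty dynamic groups as cleanup candidates. Assumes the
# AzureAD module is installed and the account can read groups and members.
Import-Module AzureAD
Connect-AzureAD

$limit = 5000

# Get-AzureADMSGroup exposes a GroupTypes collection; dynamic groups carry the
# value "DynamicMembership". -All $true pages through every group.
$dynamicGroups = Get-AzureADMSGroup -All $true |
    Where-Object { $_.GroupTypes -contains "DynamicMembership" }

$count = @($dynamicGroups).Count
Write-Host ("Dynamic groups: {0} of {1} ({2} remaining)" -f $count, $limit, ($limit - $count))

if ($count -ge $limit) {
    Write-Warning "Limit reached: delete unused dynamic groups before creating new ones."
}

# Cleanup candidates: dynamic groups whose rule processing is paused and that
# have no members. Review each one before deleting; this script only reports.
$dynamicGroups |
    Where-Object { $_.MembershipRuleProcessingState -eq "Paused" } |
    ForEach-Object {
        $members = Get-AzureADGroupMember -ObjectId $_.Id -All $true
        if (@($members).Count -eq 0) {
            [pscustomobject]@{
                Id          = $_.Id
                DisplayName = $_.DisplayName
                Rule        = $_.MembershipRule
            }
        }
    } | Format-Table -AutoSize
```

The script deliberately stops at reporting: a paused, empty dynamic group may still be referenced by a Conditional Access policy or an app role assignment, so deletion should follow a review of where the group is used, not a count of its members.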

Troubleshooting dynamic memberships for groups

I configured a rule on a group but no memberships get updated in the group

  1. Verify the values for user or device attributes in the rule. Ensure there are users that satisfy the rule. For devices, check the device properties to ensure any synced attributes contain the expected values.
  2. Check the membership processing status to confirm that it is complete. You can check the membership processing status and the last updated date on the Overview page for the group.

If everything looks good, please allow some time for the group to populate. Depending on the size of your Azure AD organization, the group may take up to 24 hours to populate for the first time or after a rule change.

I configured a rule, but now the existing members of the group are removed

This is expected behavior. Existing members of the group are removed when a rule is enabled or changed. The users returned from evaluation of the rule are then added as members of the group.

I don't see membership changes instantly when I add or change a rule, why not?

Dedicated membership evaluation is done periodically in an asynchronous background process. How long the process takes is determined by the number of users in your directory and the size of the group created as a result of the rule. Typically, directories with small numbers of users will see the group membership changes in less than a few minutes. Directories with a large number of users can take 30 minutes or longer to populate.

How can I force the group to be processed now?

Currently, there is no way to trigger processing of the group on demand. However, you can manually trigger reprocessing by updating the membership rule to add a whitespace character at the end.
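The whitespace trick above, scripted with the AzureAD module as an added example that is not part of the original article. Rather than always appending a space (which would make the rule grow, or produce no change at all if a space was already there), it toggles a single trailing space on and off so that every run submits a rule that differs from the stored one. The group object ID is a placeholder the caller must supply; the script refuses to touch groups that are not dynamic or whose rule processing is paused, since a paused rule is not re-evaluated no matter how it is edited.

```powershell
# Added example: force re-evaluation of a dynamic group's membership rule by
# toggling one trailing space, as described above. Assumes the AzureAD module
# is installed and the caller replaces the placeholder group object ID.
Import-Module AzureAD
Connect-AzureAD

$groupId = "<group-object-id>"   # placeholder: replace with the real group object ID

$group = Get-AzureADMSGroup -Id $groupId

if ($group.GroupTypes -notcontains "DynamicMembership") {
    throw "Group '$($group.DisplayName)' is not a dynamic group; nothing to reprocess."
}
if ($group.MembershipRuleProcessingState -ne "On") {
    throw "Rule processing for '$($group.DisplayName)' is '$($group.MembershipRuleProcessingState)'; set it to On before forcing a refresh."
}

# Toggle a trailing space so the submitted rule always differs from the stored
# one but the rule text itself (and therefore its meaning) never changes.
$rule = $group.MembershipRule
$newRule = if ($rule.EndsWith(" ")) { $rule.TrimEnd() } else { $rule + " " }

Set-AzureADMSGroup -Id $groupId -MembershipRule $newRule

Write-Host "Rule resubmitted for '$($group.DisplayName)'. Membership is re-evaluated in the background; check the group's Overview page for the processing status and last updated date."
```

Note that a rule update, like any rule change, removes the group's existing members and repopulates them from the evaluation, so expect a brief window during which the group is empty or partially populated.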

I encountered a rule processing error

The following table lists common dynamic membership rule errors and how to correct them.

Rule parser error: Attribute not supported.
  Error usage: (user.invalidProperty -eq "Value")
  Corrected usage: (user.department -eq "value")
  Make sure the attribute is on the supported properties list.

Rule parser error: Operator is not supported on attribute.
  Error usage: (user.accountEnabled -contains true)
  Corrected usage: (user.accountEnabled -eq true)
  The operator used is not supported for the property type (in this example, -contains cannot be used on type boolean). Use the correct operators for the property type.

Rule parser error: Query compilation error.
  Error usage:
    1. (user.department -eq "Sales") (user.department -eq "Marketing")
    2. (user.userPrincipalName -match "*@domain.ext")
  Corrected usage:
    1. Missing operator. Use -and or -or to join the two predicates:
       (user.department -eq "Sales") -or (user.department -eq "Marketing")
    2. Error in the regular expression used with -match:
       (user.userPrincipalName -match ".*@domain.ext")
       or alternatively: (user.userPrincipalName -match "@domain.ext$")

Next steps

These articles provide additional information on Azure Active Directory.