Azure AD Connect: Configure AD DS Connector Account Permissions

The PowerShell module named ADSyncConfig.psm1 was introduced with build 1.1.880.0 (released in August 2018). It includes a collection of cmdlets that help you configure the correct Active Directory permissions for your Azure AD Connect deployment.

Overview

The following PowerShell cmdlets can be used to set up the Active Directory permissions of the AD DS Connector account for each feature that you choose to enable in Azure AD Connect. To prevent issues, prepare the Active Directory permissions in advance whenever you install Azure AD Connect with a custom domain account to connect to your forest. The ADSyncConfig module can also be used to configure permissions after Azure AD Connect is deployed.

AD DS account overview

For an Azure AD Connect Express installation, an automatically generated account (MSOL_nnnnnnnnnn) is created in Active Directory with all the necessary permissions, so there is no need to use the ADSyncConfig module unless you have blocked permission inheritance on organizational units or on specific Active Directory objects that you want to synchronize to Azure AD.

Permissions summary

The following table summarizes the permissions required on AD objects:

    Feature                       | Permissions
    ms-DS-ConsistencyGuid feature | Read and Write permissions to the ms-DS-ConsistencyGuid attribute, documented in Design Concepts - Using ms-DS-ConsistencyGuid as sourceAnchor.
    Password hash sync            | Replicate Directory Changes; Replicate Directory Changes All
    Exchange hybrid deployment    | Read and Write permissions to the attributes documented in Exchange hybrid writeback, for users, groups, and contacts.
    Exchange Mail Public Folder   | Read permissions to the attributes documented in Exchange Mail Public Folder, for public folders.
    Password writeback            | Read and Write permissions to the attributes documented in Getting started with password management, for users.

Using the ADSyncConfig PowerShell Module

The ADSyncConfig module requires the Remote Server Administration Tools (RSAT) for AD DS, because it depends on the AD DS PowerShell module and tools. To install RSAT for AD DS, open a Windows PowerShell window with 'Run As Administrator' and execute:

    Install-WindowsFeature RSAT-AD-Tools

Note: You can also copy the file C:\Program Files\Azure Active Directory Connect\AdSyncConfig\ADSyncConfig.psm1 to a Domain Controller that already has RSAT for AD DS installed and use the PowerShell module from there.

To start using ADSyncConfig, load the module in a Windows PowerShell window:

    Import-Module "C:\Program Files\Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

To list all the cmdlets included in this module, type:

    Get-Command -Module AdSyncConfig

Each cmdlet takes the same parameters to identify the AD DS Connector Account, plus an AdminSDHolder switch. To specify your AD DS Connector Account, you can provide the account name and domain, or just the account Distinguished Name (DN), for example:

    Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <ADAccountName> -ADConnectorAccountDomain <ADDomainName>

or:

    Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN <ADAccountDN>

Make sure to replace <ADAccountName>, <ADDomainName> and <ADAccountDN> with the proper values for your environment.

If you do not want to modify permissions on the AdminSDHolder container, use the switch -SkipAdminSdHolders.

By default, all the Set-* permission cmdlets try to set AD DS permissions on the root of each domain in the forest, which means the user running the PowerShell session needs Domain Administrator rights in each domain of the forest. Because of this requirement, it is recommended to use an Enterprise Administrator from the forest root. If your Azure AD Connect deployment has multiple AD DS Connectors, you need to run the same cmdlet against each forest that has an AD DS Connector.

You can also set permissions on a specific OU or AD DS object by using the parameter -ADobjectDN followed by the DN of the target object on which you want to set permissions. When a target -ADobjectDN is given, the cmdlet sets permissions on that object only, not on the domain root or the AdminSDHolder container. This parameter is useful when you have OUs or AD DS objects with permission inheritance disabled (see Locate AD DS objects with permission inheritance disabled).

The exceptions to these common parameters are the Set-ADSyncRestrictedPermissions cmdlet, which sets the permissions on the AD DS Connector Account object itself, and the Set-ADSyncPasswordHashSyncPermissions cmdlet: the permissions required for Password Hash Sync are only set at the domain root, so that cmdlet does not include the -ADobjectDN or -SkipAdminSdHolders parameters.

Determine your AD DS Connector Account

If Azure AD Connect is already installed and you want to check which AD DS Connector Account it is currently using, execute the cmdlet:

    Get-ADSyncADConnectorAccount

Locate AD DS objects with permission inheritance disabled

To check whether any AD DS object has permission inheritance disabled, run:

    Get-ADSyncObjectsWithInheritanceDisabled -SearchBase '<DistinguishedName>'

By default, this cmdlet only looks for OUs with disabled inheritance, but you can specify other AD DS object classes in the -ObjectClass parameter, or use '*' for all object classes, as follows:

    Get-ADSyncObjectsWithInheritanceDisabled -SearchBase '<DistinguishedName>' -ObjectClass *

View AD DS permissions of an object

You can use the cmdlet below to view the list of permissions currently set on an Active Directory object by providing its DistinguishedName:

    Show-ADSyncADObjectPermissions -ADobjectDN '<DistinguishedName>'

Configure AD DS Connector Account Permissions

Configure Basic Read-Only Permissions

To set basic read-only permissions for the AD DS Connector account when not using any Azure AD Connect feature, run:

    Set-ADSyncBasicReadPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or:

    Set-ADSyncBasicReadPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

    Type  | Name                    | Access              | Applies To
    Allow | AD DS Connector Account | Read all properties | Descendant device objects
    Allow | AD DS Connector Account | Read all properties | Descendant InetOrgPerson objects
    Allow | AD DS Connector Account | Read all properties | Descendant Computer objects
    Allow | AD DS Connector Account | Read all properties | Descendant foreignSecurityPrincipal objects
    Allow | AD DS Connector Account | Read all properties | Descendant Group objects
    Allow | AD DS Connector Account | Read all properties | Descendant User objects
    Allow | AD DS Connector Account | Read all properties | Descendant Contact objects

Configure MS-DS-Consistency-Guid Permissions

To set permissions for the AD DS Connector account when using the ms-Ds-Consistency-Guid attribute as the source anchor (also known as the "Let Azure manage the source anchor for me" option), run:

    Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or:

    Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

    Type  | Name                    | Access              | Applies To
    Allow | AD DS Connector Account | Read/Write property | Descendant User objects

Permissions for Password Hash Synchronization

To set permissions for the AD DS Connector account when using Password Hash Synchronization, run:

    Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [<CommonParameters>]

or:

    Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN <String> [<CommonParameters>]

This cmdlet sets the following permissions:

    Type  | Name                    | Access                            | Applies To
    Allow | AD DS Connector Account | Replicating Directory Changes     | This object only (Domain root)
    Allow | AD DS Connector Account | Replicating Directory Changes All | This object only (Domain root)

Permissions for Password Writeback

To set permissions for the AD DS Connector account when using Password Writeback, run:

    Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or:

    Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

    Type  | Name                    | Access                  | Applies To
    Allow | AD DS Connector Account | Reset Password          | Descendant User objects
    Allow | AD DS Connector Account | Write property lockoutTime | Descendant User objects
    Allow | AD DS Connector Account | Write property pwdLastSet  | Descendant User objects

Permissions for Group Writeback

To set permissions for the AD DS Connector account when using Group Writeback, run:

    Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or:

    Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

    Type  | Name                    | Access                     | Applies To
    Allow | AD DS Connector Account | Generic Read/Write         | All attributes of object type group and subobjects
    Allow | AD DS Connector Account | Create/Delete child object | All attributes of object type group and subobjects
    Allow | AD DS Connector Account | Delete/Delete tree objects | All attributes of object type group and subobjects

Permissions for Exchange Hybrid Deployment

To set permissions for the AD DS Connector account when using an Exchange Hybrid deployment, run:

    Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or:

    Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

    Type  | Name                    | Access                    | Applies To
    Allow | AD DS Connector Account | Read/Write all properties | Descendant User objects
    Allow | AD DS Connector Account | Read/Write all properties | Descendant InetOrgPerson objects
    Allow | AD DS Connector Account | Read/Write all properties | Descendant Group objects
    Allow | AD DS Connector Account | Read/Write all properties | Descendant Contact objects

Permissions for Exchange Mail Public Folders (Preview)

To set permissions for the AD DS Connector account when using the Exchange Mail Public Folders feature, run:

    Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or:

    Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

    Type  | Name                    | Access              | Applies To
    Allow | AD DS Connector Account | Read all properties | Descendant PublicFolder objects

Restrict Permissions on the AD DS Connector Account

This PowerShell script tightens the permissions on the AD Connector Account provided as a parameter. Tightening permissions involves the following steps:

• Disable inheritance on the specified object

• Remove all ACEs on the specific object, except ACEs specific to SELF, because the default permissions for SELF are kept intact.

The -ADConnectorAccountDN parameter is the AD account whose permissions need to be tightened. This is typically the MSOL_nnnnnnnnnnnn domain account that is configured in the AD DS Connector (see Determine your AD DS Connector Account). The -Credential parameter is required to specify the Administrator account that has the privileges needed to restrict Active Directory permissions on the target AD object. This is typically an Enterprise or Domain Administrator.

    Set-ADSyncRestrictedPermissions [-ADConnectorAccountDN] <String> [-Credential] <PSCredential> [-DisableCredentialValidation] [-WhatIf] [-Confirm] [<CommonParameters>]

For example:

    $credential = Get-Credential
    Set-ADSyncRestrictedPermissions -ADConnectorAccountDN 'CN=ADConnectorAccount,CN=Users,DC=Contoso,DC=com' -Credential $credential

This cmdlet sets the following permissions:

    Type  | Name                        | Access              | Applies To
    Allow | SYSTEM                      | Full Control        | This object
    Allow | Enterprise Admins           | Full Control        | This object
    Allow | Domain Admins               | Full Control        | This object
    Allow | Administrators              | Full Control        | This object
    Allow | Enterprise Domain Controllers | List Contents     | This object
    Allow | Enterprise Domain Controllers | Read All Properties | This object
    Allow | Enterprise Domain Controllers | Read Permissions  | This object
    Allow | Authenticated Users         | List Contents       | This object
    Allow | Authenticated Users         | Read All Properties | This object
    Allow | Authenticated Users         | Read Permissions    | This object
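The procedure described on this page (set feature permissions at the domain root, repeat them with -ADobjectDN on objects that have inheritance disabled, then tighten the connector account's own ACL and verify) combined into one script, as an added example that is not part of the original page or of the ADSyncConfig module. It assumes the module path given above, an Enterprise Administrator session on the Azure AD Connect server, and placeholder DNs ($connectorAccountDN, $searchBase) that you replace with your own; that the objects returned by Get-ADSyncObjectsWithInheritanceDisabled expose a DistinguishedName property is also an assumption.

```powershell
# Added example, not the page's or the module's own code. Placeholders and the
# DistinguishedName property on returned objects are assumptions (see lead-in).
Import-Module "C:\Program Files\Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

$connectorAccountDN = 'CN=ADConnectorAccount,CN=Users,DC=Contoso,DC=com'   # placeholder
$searchBase         = 'DC=Contoso,DC=com'                                  # placeholder

# 1. If Azure AD Connect is already installed, confirm which account is in use
#    (this cmdlet is meant to be run on the Azure AD Connect server).
Get-ADSyncADConnectorAccount | Format-Table -AutoSize

# 2. Apply the feature permissions at the domain root of each domain in the forest.
#    Password Hash Sync is root-only and has no -ADobjectDN / -SkipAdminSdHolders.
Set-ADSyncBasicReadPermissions           -ADConnectorAccountDN $connectorAccountDN
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $connectorAccountDN
Set-ADSyncPasswordHashSyncPermissions    -ADConnectorAccountDN $connectorAccountDN

# 3. Objects with inheritance blocked never receive the root-level ACEs, so find
#    them (all object classes, not only OUs) and set the same feature permissions
#    directly on each one with -ADobjectDN. An empty result simply skips the loop.
$blocked = Get-ADSyncObjectsWithInheritanceDisabled -SearchBase $searchBase -ObjectClass *
foreach ($obj in $blocked) {
    $dn = $obj.DistinguishedName   # assumption: returned objects carry this property
    Write-Host "Inheritance disabled on: $dn"
    Set-ADSyncBasicReadPermissions           -ADConnectorAccountDN $connectorAccountDN -ADobjectDN $dn
    Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $connectorAccountDN -ADobjectDN $dn
}

# 4. Tighten the ACL on the connector account object itself: preview with -WhatIf,
#    then apply with an Enterprise/Domain Administrator credential.
$credential = Get-Credential -Message 'Enterprise or Domain Administrator'
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $connectorAccountDN -Credential $credential -WhatIf
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $connectorAccountDN -Credential $credential

# 5. Verify: compare the connector account object's ACL with the table above and
#    check that the domain root now carries the Replicating Directory Changes ACEs.
Show-ADSyncADObjectPermissions -ADobjectDN $connectorAccountDN
Show-ADSyncADObjectPermissions -ADobjectDN $searchBase
```

Run the script once per forest that has an AD DS Connector, as the page requires.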

Next Steps