Azure AD Connect: ADSyncConfig PowerShell Reference

The following documentation provides reference information for the ADSyncConfig.psm1 PowerShell Module that is included with Azure AD Connect.

Get-ADSyncADConnectorAccount

SYNOPSIS

Gets the account name and domain that is configured in each AD Connector

SYNTAX

Get-ADSyncADConnectorAccount

DESCRIPTION

This function uses the 'Get-ADSyncConnector' cmdlet that is present in AAD Connect to retrieve from Connectivity Parameters a table showing the AD Connector(s) account.

EXAMPLES

EXAMPLE 1

Get-ADSyncADConnectorAccount

Get-ADSyncObjectsWithInheritanceDisabled

SYNOPSIS

Gets AD objects with permission inheritance disabled

SYNTAX

Get-ADSyncObjectsWithInheritanceDisabled [-SearchBase] <String> [[-ObjectClass] <String>] [<CommonParameters>]

DESCRIPTION

Searches in AD starting from the SearchBase parameter and returns all objects, filtered by ObjectClass parameter, that have the ACL Inheritance currently disabled.

EXAMPLES

EXAMPLE 1

Find objects with disabled inheritance in 'Contoso' domain (by default returns 'organizationalUnit' objects only)

Get-ADSyncObjectsWithInheritanceDisabled -SearchBase 'Contoso'

EXAMPLE 2

Find 'user' objects with disabled inheritance in 'Contoso' domain

Get-ADSyncObjectsWithInheritanceDisabled -SearchBase 'Contoso' -ObjectClass 'user'

EXAMPLE 3

Find all types of objects with disabled inheritance in an OU

Get-ADSyncObjectsWithInheritanceDisabled -SearchBase OU=AzureAD,DC=Contoso,DC=com -ObjectClass '*'

PARAMETERS

-SearchBase

The SearchBase for the LDAP query that can be an AD Domain DistinguishedName or an FQDN

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ObjectClass

The class of the objects to search that can be '*' (for any object class), 'user', 'group', 'container', etc. By default, this function will search for 'organizationalUnit' object class.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 2
Default value: OrganizationalUnit
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
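
An added example, not code from ADSyncConfig.psm1: the Set-ADSync*Permissions functions later on this page grant access to descendant objects through inheritance, so an object with inheritance disabled only carries ACEs set directly on it. The sketch below uses the ActiveDirectory module to list such objects and report whether the connector account has ACEs of its own on each; the function name Get-UninheritedObjectReport, its parameters and the DOMAIN\name account form are assumptions, and -SearchBase here takes a DistinguishedName only.

```powershell
# Added example; not part of ADSyncConfig.psm1.
# Requires the ActiveDirectory module (RSAT) and read access to the searched subtree.
Import-Module ActiveDirectory

function Get-UninheritedObjectReport {
    [CmdletBinding()]
    param(
        # DistinguishedName of the domain or OU to search.
        [Parameter(Mandatory)]
        [string] $SearchBase,

        # Object class to match; '*' matches any class. Restricted to a class
        # name or '*' so the value cannot alter the LDAP filter.
        [ValidatePattern('^(\*|[A-Za-z][A-Za-z0-9-]*)$')]
        [string] $ObjectClass = 'organizationalUnit',

        # Connector account in DOMAIN\name form (assumed format).
        [Parameter(Mandatory)]
        [string] $ConnectorAccount
    )

    $filter = "(objectClass=$ObjectClass)"

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $filter `
                 -Properties nTSecurityDescriptor |
        # AreAccessRulesProtected is $true when ACL inheritance is disabled.
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            # On a protected object every ACE is explicit, so matching on the
            # identity is enough. Rights held through group membership are not
            # resolved here; only ACEs naming the account itself are counted.
            $own = @($_.nTSecurityDescriptor.Access | Where-Object {
                $_.IdentityReference.Value -eq $ConnectorAccount
            })

            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                ConnectorAceCount = $own.Count
                ConnectorRights   = ($own.ActiveDirectoryRights | Sort-Object -Unique) -join '; '
            }
        }
}

# Constructed sample call using the names from this page's examples;
# 'CONTOSO' as the NetBIOS domain name is an assumption.
Get-UninheritedObjectReport -SearchBase 'OU=AzureAD,DC=Contoso,DC=com' `
                            -ObjectClass 'user' `
                            -ConnectorAccount 'CONTOSO\ADConnector' |
    Sort-Object ConnectorAceCount |
    Format-Table -AutoSize
```

Objects reported with a ConnectorAceCount of 0 have no ACE that names the connector account directly.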

Set-ADSyncBasicReadPermissions

SYNOPSIS

Initialize your Active Directory forest and domain for basic read permissions.

SYNTAX

UserDomain

Set-ADSyncBasicReadPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String>
 [-ADobjectDN <String>] [-SkipAdminSdHolders] [-WhatIf] [-Confirm] [<CommonParameters>]

DistinguishedName

Set-ADSyncBasicReadPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [-SkipAdminSdHolders]
 [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

The Set-ADSyncBasicReadPermissions Function will give required permissions to the AD synchronization account, which include the following:

1. Read Property access on all attributes for all descendant computer objects
2. Read Property access on all attributes for all descendant device objects
3. Read Property access on all attributes for all descendant foreignsecurityprincipal objects
5. Read Property access on all attributes for all descendant user objects
6. Read Property access on all attributes for all descendant inetorgperson objects
7. Read Property access on all attributes for all descendant group objects
8. Read Property access on all attributes for all descendant contact objects

These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).

EXAMPLES

EXAMPLE 1

Set-ADSyncBasicReadPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com'

EXAMPLE 2

Set-ADSyncBasicReadPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com'

EXAMPLE 3

Set-ADSyncBasicReadPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com' -SkipAdminSdHolders

EXAMPLE 4

Set-ADSyncBasicReadPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com' -ADobjectDN 'OU=AzureAD,DC=Contoso,DC=com'

PARAMETERS

-ADConnectorAccountName

The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDomain

The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDN

The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: DistinguishedName
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADobjectDN

DistinguishedName of the target AD object to set permissions (optional)

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SkipAdminSdHolders

Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Set-ADSyncExchangeHybridPermissions

SYNOPSIS

Initialize your Active Directory forest and domain for Exchange Hybrid feature.

SYNTAX

UserDomain

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String>
 [-ADobjectDN <String>] [-SkipAdminSdHolders] [-WhatIf] [-Confirm] [<CommonParameters>]

DistinguishedName

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [-SkipAdminSdHolders]
 [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

The Set-ADSyncExchangeHybridPermissions Function will give required permissions to the AD synchronization account, which include the following:

1. Read/Write Property access on all attributes for all descendant user objects
2. Read/Write Property access on all attributes for all descendant inetorgperson objects
3. Read/Write Property access on all attributes for all descendant group objects
4. Read/Write Property access on all attributes for all descendant contact objects

These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).

EXAMPLES

EXAMPLE 1

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com'

EXAMPLE 2

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com'

EXAMPLE 3

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com' -SkipAdminSdHolders

EXAMPLE 4

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com' -ADobjectDN 'OU=AzureAD,DC=Contoso,DC=com'

PARAMETERS

-ADConnectorAccountName

The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDomain

The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDN

The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: DistinguishedName
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADobjectDN

DistinguishedName of the target AD object to set permissions (optional)

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SkipAdminSdHolders

Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Set-ADSyncExchangeMailPublicFolderPermissions

SYNOPSIS

Initialize your Active Directory forest and domain for Exchange Mail Public Folder feature.

SYNTAX

UserDomain

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountName <String>
 -ADConnectorAccountDomain <String> [-ADobjectDN <String>] [-SkipAdminSdHolders] [-WhatIf] [-Confirm]
 [<CommonParameters>]

DistinguishedName

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>]
 [-SkipAdminSdHolders] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

The Set-ADSyncExchangeMailPublicFolderPermissions Function will give required permissions to the AD synchronization account, which include the following:

1. Read Property access on all attributes for all descendant publicfolder objects

These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).

EXAMPLES

EXAMPLE 1

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com'

EXAMPLE 2

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com'

EXAMPLE 3

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com' -SkipAdminSdHolders

EXAMPLE 4

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com' -ADobjectDN 'OU=AzureAD,DC=Contoso,DC=com'

PARAMETERS

-ADConnectorAccountName

The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDomain

The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDN

The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: DistinguishedName
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADobjectDN

DistinguishedName of the target AD object to set permissions (optional)

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SkipAdminSdHolders

Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Set-ADSyncMsDsConsistencyGuidPermissions

SYNOPSIS

Initialize your Active Directory forest and domain for mS-DS-ConsistencyGuid feature.

SYNTAX

UserDomain

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String>
 [-ADobjectDN <String>] [-SkipAdminSdHolders] [-WhatIf] [-Confirm] [<CommonParameters>]

DistinguishedName

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>]
 [-SkipAdminSdHolders] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

The Set-ADSyncMsDsConsistencyGuidPermissions Function will give required permissions to the AD synchronization account, which include the following:

1. Read/Write Property access on mS-DS-ConsistencyGuid attribute for all descendant user objects

These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).

EXAMPLES

EXAMPLE 1

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com'

EXAMPLE 2

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com'

EXAMPLE 3

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com' -SkipAdminSdHolders

EXAMPLE 4

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com' -ADobjectDN 'OU=AzureAD,DC=Contoso,DC=com'

PARAMETERS

-ADConnectorAccountName

The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDomain

The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDN

The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: DistinguishedName
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADobjectDN

DistinguishedName of the target AD object to set permissions (optional)

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SkipAdminSdHolders

Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Set-ADSyncPasswordHashSyncPermissions

SYNOPSIS

Initialize your Active Directory forest and domain for password hash synchronization.

SYNTAX

UserDomain

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String>
 [-WhatIf] [-Confirm] [<CommonParameters>]

DistinguishedName

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN <String> [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

The Set-ADSyncPasswordHashSyncPermissions Function will give required permissions to the AD synchronization account, which include the following:

1. Replicating Directory Changes
2. Replicating Directory Changes All

These permissions are given to all domains in the forest.

EXAMPLES

EXAMPLE 1

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com'

EXAMPLE 2

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com'

PARAMETERS

-ADConnectorAccountName

The Name of the Active Directory account that will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDomain

The Domain of the Active Directory account that will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDN

The DistinguishedName of the Active Directory account that will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: DistinguishedName
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
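
An added audit example, not code from ADSyncConfig.psm1: Set-ADSyncPasswordHashSyncPermissions grants "Replicating Directory Changes" and "Replicating Directory Changes All" in every domain of the forest, so a periodic review of who holds those two rights on each domain root confirms that only the intended accounts have them. It uses the ActiveDirectory module; the function name Get-ReplicationRightHolder, its -ExpectedAccount parameter and the sample allow-list are assumptions.

```powershell
# Added audit example; not part of ADSyncConfig.psm1.
# Requires the ActiveDirectory module (RSAT) and read access to each domain root.
Import-Module ActiveDirectory

# Control access right GUIDs for the two rights named above (AD schema values).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRightHolder {
    [CmdletBinding()]
    param(
        # Assumed allow-list: principals expected to hold these rights (DOMAIN\name).
        [string[]] $ExpectedAccount = @()
    )

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # The rights are granted per domain, so walk every domain in the forest.
    foreach ($domainName in (Get-ADForest).Domains) {
        $domainDN = (Get-ADDomain -Server $domainName).DistinguishedName
        $root = Get-ADObject -Identity $domainDN -Server $domainName `
                             -Properties nTSecurityDescriptor

        foreach ($ace in $root.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # GenericAll contains the ExtendedRight bit, so full control is caught too.
            if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }

            $rightGuid = $ace.ObjectType.ToString()
            if ($ace.ObjectType -eq [guid]::Empty) {
                # No specific right named: the ACE covers every extended right.
                $right = 'All extended rights'
            }
            elseif ($ReplicationRights.ContainsKey($rightGuid)) {
                $right = $ReplicationRights[$rightGuid]
            }
            else {
                continue   # some other extended right; not relevant here
            }

            [pscustomobject]@{
                Domain    = $domainName
                Identity  = $ace.IdentityReference.Value
                Right     = $right
                Inherited = $ace.IsInherited
                Expected  = $ExpectedAccount -contains $ace.IdentityReference.Value
            }
        }
    }
}

# Constructed allow-list: the connector account from this page's examples plus
# built-in principals assumed to be legitimate holders; adjust to your forest.
$expected = @(
    'CONTOSO\ADConnector'
    'CONTOSO\Domain Controllers'
    'BUILTIN\Administrators'
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
)

# Show only holders that are not on the allow-list.
Get-ReplicationRightHolder -ExpectedAccount $expected |
    Where-Object { -not $_.Expected } |
    Sort-Object Domain, Identity, Right |
    Format-Table -AutoSize
```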

Set-ADSyncPasswordWritebackPermissions

SYNOPSIS

Initialize your Active Directory forest and domain for password write-back from Azure AD.

SYNTAX

UserDomain

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String>
 [-ADobjectDN <String>] [-SkipAdminSdHolders] [-WhatIf] [-Confirm] [<CommonParameters>]

DistinguishedName

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>]
 [-SkipAdminSdHolders] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

The Set-ADSyncPasswordWritebackPermissions Function will give required permissions to the AD synchronization account, which include the following:

1. Reset Password on descendant user objects
2. Write Property access on lockoutTime attribute for all descendant user objects
3. Write Property access on pwdLastSet attribute for all descendant user objects

These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).

EXAMPLES

EXAMPLE 1

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com'

EXAMPLE 2

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com'

EXAMPLE 3

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com' -SkipAdminSdHolders

EXAMPLE 4

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com' -ADobjectDN 'OU=AzureAD,DC=Contoso,DC=com'

PARAMETERS

-ADConnectorAccountName

The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDomain

The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: UserDomain
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADConnectorAccountDN

The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in the directory.

Type: String
Parameter Sets: DistinguishedName
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ADobjectDN

DistinguishedName of the target AD object to set permissions (optional)

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SkipAdminSdHolders

Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Set-ADSyncRestrictedPermissions

SYNOPSIS

Tighten permissions on an AD object that is not otherwise included in any AD protected security group. A typical example is the AD Connect account (MSOL) created by AAD Connect automatically. This account has replicate permissions on all domains; however, it can be easily compromised because it is not protected.

SYNTAX

Set-ADSyncRestrictedPermissions [-ADConnectorAccountDN] <String> [-Credential] <PSCredential>
 [-DisableCredentialValidation] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

The Set-ADSyncRestrictedPermissions Function will tighten permissions on the account provided. Tightening permissions involves the following steps:

1. Disable inheritance on the specified object.
2. Remove all ACEs on the specific object, except ACEs specific to SELF. We want to keep the default permissions intact when it comes to SELF.
3. Assign these specific permissions:

    Type    Name                                        Access              Applies To
    =============================================================================================
    Allow   SYSTEM                                      Full Control        This object
    Allow   Enterprise Admins                           Full Control        This object
    Allow   Domain Admins                               Full Control        This object
    Allow   Administrators                              Full Control        This object

    Allow   Enterprise Domain Controllers               List Contents
                                                        Read All Properties
                                                        Read Permissions    This object

    Allow   Authenticated Users                         List Contents
                                                        Read All Properties
                                                        Read Permissions    This object

EXAMPLES

EXAMPLE 1

Set-ADSyncRestrictedPermissions -ADConnectorAccountDN "CN=TestAccount1,CN=Users,DC=Contoso,DC=com" -Credential $(Get-Credential)
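
To check afterwards that an account's ACL matches the three steps and the permission table in the DESCRIPTION above, the following added example (not part of the ADSyncConfig module) compares a set of ACEs against that baseline. The function name, the constructed sample ACEs, the CONTOSO\Helpdesk principal and the English principal names are assumptions; the read mask is taken literally from the table.

```powershell
Add-Type -AssemblyName System.DirectoryServices
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]
$ReadOnly = 'ListChildren, ReadProperty, ReadControl' -as $Rights

# Maximum rights per principal, copied from the table in the DESCRIPTION.
$Baseline = @{
    'SYSTEM'                        = $Rights::GenericAll
    'Enterprise Admins'             = $Rights::GenericAll
    'Domain Admins'                 = $Rights::GenericAll
    'Administrators'                = $Rights::GenericAll
    'Enterprise Domain Controllers' = $ReadOnly
    'Authenticated Users'           = $ReadOnly
}

function Test-ConnectorAccountAcl {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [bool]     $InheritanceDisabled,
        [Parameter(Mandatory)] [object[]] $Aces
    )
    if (-not $InheritanceDisabled) { 'Inheritance is still enabled (step 1 not applied)' }
    foreach ($ace in $Aces) {
        $name = ("$($ace.IdentityReference)" -split '\\')[-1]
        if ($name -eq 'SELF') { continue }   # step 2 leaves SELF ACEs untouched
        if ("$($ace.AccessControlType)" -ne 'Allow' -or -not $Baseline.ContainsKey($name)) {
            "Unexpected ACE: $($ace.AccessControlType) $($ace.IdentityReference) $($ace.ActiveDirectoryRights)"
            continue
        }
        # Any bit outside the documented mask is excess privilege.
        $excess = [int]($ace.ActiveDirectoryRights -as $Rights) -band (-bnot [int]($Baseline[$name]))
        if ($excess) { "Excess rights for $($ace.IdentityReference): $($excess -as $Rights)" }
    }
}

# Constructed sample ACEs (not real output); the last two deviate from the baseline.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM';  AccessControlType = 'Allow'; ActiveDirectoryRights = 'GenericAll' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Admins'; AccessControlType = 'Allow'; ActiveDirectoryRights = 'GenericAll' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SELF';    AccessControlType = 'Allow'; ActiveDirectoryRights = 'ReadProperty, WriteProperty' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; AccessControlType = 'Allow'; ActiveDirectoryRights = 'ReadProperty, WriteProperty' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Helpdesk';     AccessControlType = 'Allow'; ActiveDirectoryRights = 'GenericAll' }
)
Test-ConnectorAccountAcl -InheritanceDisabled $true -Aces $sample

# Live use (assumes the ActiveDirectory module's AD: drive is available):
#   $acl = Get-Acl -Path 'AD:\CN=TestAccount1,CN=Users,DC=Contoso,DC=com'
#   Test-ConnectorAccountAcl -InheritanceDisabled $acl.AreAccessRulesProtected -Aces $acl.Access
```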

PARAMETERS

-ADConnectorAccountDN

DistinguishedName of the Active Directory account whose permissions need to be tightened. This is typically the MSOL_nnnnnnnnnn account or a custom domain account that is configured in your AD Connector.

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Credential

Administrator credential that has the necessary privileges to restrict the permissions on the ADConnectorAccountDN account. This is typically the Enterprise or Domain administrator. Use the fully qualified domain name of the administrator account to avoid account lookup failures. Example: CONTOSO\admin

Type: PSCredential
Parameter Sets: (All)
Aliases:

Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DisableCredentialValidation

When DisableCredentialValidation is used, the function will not check if the credentials provided in -Credential are valid in AD and if the account provided has the necessary privileges to restrict the permissions on the ADConnectorAccountDN account.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Show-ADSyncADObjectPermissions

SYNOPSIS

Shows permissions of a specified AD object.

SYNTAX

Show-ADSyncADObjectPermissions [-ADobjectDN] <String> [<CommonParameters>]

DESCRIPTION

This function returns all the AD permissions currently set for a given AD object provided in the parameter -ADobjectDN. The ADobjectDN must be provided in a DistinguishedName format.

EXAMPLES

EXAMPLE 1

Show-ADSyncADObjectPermissions -ADobjectDN 'OU=AzureAD,DC=Contoso,DC=com'

PARAMETERS

-ADobjectDN

{{Fill ADobjectDN Description}}

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).