I needed to create a large number of Domain Local security groups in AD, so I wanted to script it with PoSH instead of creating each one manually.
I'm getting an access denied error if I try to create the groups in PoSH, but I can create them in ADUC without any problem. The same thing happens when trying to add members.
What could be the problem? I checked the event log, but all I get is access denied DS events (4662), with no additional information.
I tried on several DCs, using the Powershell Modules for Active Directory shortcut as well as a regular Powershell session using Import-Module Active-Directory.
EDIT: Below is an example of the error:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 28/06/2011 11:57:54 AM
Event ID: 4662
Task Category: Directory Service Access
Level: Information
Keywords: Audit Failure
User: N/A
Computer: MYDC.mydomain.com
Description:
An operation was performed on an object.
Subject :
Security ID: mydomain\user
Account Name: user
Account Domain: mydomain
Logon ID: 0x8d81c809
Object:
Object Server: DS
Object Type: group
Object Name: CN=SERVERNAME-RDP-Users,OU=SQL Servers,OU=RDP,OU=Server Login Permissions,DC=mydomain,DC=com
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Write Property
Access Mask: 0x20
Properties: ---
{bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
{bf9679c0-0de6-11d0-a285-00aa003049e2}
{bf967a9c-0de6-11d0-a285-00aa003049e2}
Additional Information:
Parameter 1: -
Parameter 2:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-06-28T01:57:54.401588800Z" />
<EventRecordID>261383903</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="684" />
<Channel>Security</Channel>
<Computer>DC1.mydomain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-1580943700-3625058406-2646640161-1105</Data>
<Data Name="SubjectUserName">User</Data>
<Data Name="SubjectDomainName">mydomain</Data>
<Data Name="SubjectLogonId">0x8d81c809</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a9c-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{29c4e057-b8d3-4fa2-9f91-8dd6336897b4}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%7685
</Data>
<Data Name="AccessMask">0x20</Data>
<Data Name="Properties">---
{bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
{bf9679c0-0de6-11d0-a285-00aa003049e2}
{bf967a9c-0de6-11d0-a285-00aa003049e2}
</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2">
</Data>
</EventData>
</Event>
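The 4662 event above says what was denied only in GUID form: the Object Type GUID is the schema class, and the three Properties GUIDs are the property set and attributes the Write Property access touched. The script below is an added example, not code from the original post: it resolves those GUIDs against the forest schema and the Extended-Rights container, lists the ACEs on the target OU that actually apply to the current logon token (nested groups included), and then performs the group creation and member add with every call pinned to one DC. The OU distinguished name and the GUIDs are copied from the event; the group names and member accounts (`SQL01-RDP-Users`, `svc-sqlmaint`, and so on) are constructed placeholders. It assumes the ActiveDirectory module (RSAT) and that it runs as the same account that produced the failure.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and that it is run as the account shown as Subject in the 4662 event.
Import-Module ActiveDirectory

# Values copied from the 4662 event in the question; the group list is constructed.
$TargetOU   = 'OU=SQL Servers,OU=RDP,OU=Server Login Permissions,DC=mydomain,DC=com'
$EventGuids = @(
    'bc0ac240-79a9-11d0-9020-00c04fc2d4cf',
    'bf9679c0-0de6-11d0-a285-00aa003049e2',
    'bf967a9c-0de6-11d0-a285-00aa003049e2'
)
$GroupsToCreate = @{
    'SQL01-RDP-Users' = @('svc-sqlmaint')   # hypothetical member sAMAccountNames
    'SQL02-RDP-Users' = @('svc-sqlmaint')
}

# Map a GUID from a 4662 Object Type / Properties list to a schema attribute or
# class, or to a property set / extended right, so you know WHICH write was denied.
function Resolve-ADRightsGuid {
    param([Parameter(Mandatory=$true)][string]$Guid)
    $root = Get-ADRootDSE
    # schemaIDGUID is stored as raw bytes; an LDAP filter needs each byte as \xx
    $escaped = (([guid]$Guid).ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    $schema = Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter "(schemaIDGUID=$escaped)" -Properties lDAPDisplayName
    if ($schema) {
        return New-Object PSObject -Property @{ Guid = $Guid; Kind = $schema.ObjectClass; Name = $schema.lDAPDisplayName }
    }
    # Property sets and extended rights keep rightsGuid as a string
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter "(rightsGuid=$Guid)" -Properties displayName
    if ($right) {
        return New-Object PSObject -Property @{ Guid = $Guid; Kind = 'controlAccessRight'; Name = $right.displayName }
    }
    New-Object PSObject -Property @{ Guid = $Guid; Kind = 'unknown'; Name = $null }
}

# Show only the ACEs on the OU that apply to the current token: the user SID
# plus every group SID in the token (nested groups and well-known SIDs included).
# Deny ACEs and ACEs scoped to an ObjectType GUID are what to look for.
function Get-ADAclForCurrentUser {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $sids -contains $sid
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType, IsInherited
}

# Create each Domain Local security group and add its members. Every call is
# pinned to one DC so the Add-ADGroupMember never has to wait for the newly
# created object to replicate from a different DC.
function New-DomainLocalGroupSet {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Groups,
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Server = (Get-ADRootDSE).dnsHostName   # the DC this session is bound to
    )
    foreach ($name in $Groups.Keys) {
        try {
            New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal `
                -GroupCategory Security -Path $Path -Server $Server -ErrorAction Stop
            if ($Groups[$name].Count -gt 0) {
                Add-ADGroupMember -Identity $name -Members $Groups[$name] -Server $Server -ErrorAction Stop
            }
            Write-Host "Created $name on $Server"
        }
        catch {
            if ($_.Exception -is [System.UnauthorizedAccessException] -or $_.Exception.Message -match 'denied') {
                Write-Warning "Access denied on '$name': $($_.Exception.Message)"
                Write-Warning "ACEs on $Path that apply to $($env:USERDOMAIN)\$($env:USERNAME):"
                Get-ADAclForCurrentUser -DistinguishedName $Path | Format-Table -AutoSize | Out-String | Write-Warning
            } else {
                throw
            }
        }
    }
}

$EventGuids | ForEach-Object { Resolve-ADRightsGuid $_ } | Format-Table Guid, Kind, Name -AutoSize
New-DomainLocalGroupSet -Groups $GroupsToCreate -Path $TargetOU
```

Against a standard schema the three GUIDs resolve to the `group` class, the `Membership` property set and the `member` attribute, which is the add-members step rather than the object creation itself; the Object Name in the event confirms the group object already existed when the write was refused. If the ACE listing shows no Allow for Write Property on that attribute (or a matching Deny) for your own token, the difference between ADUC and PoSH is the token the two consoles run with (which account, and whether the MMC was launched elevated or with alternate credentials), not the cmdlets. Run the resolver as any authenticated user; reading the schema and configuration partitions does not need special rights, and `Get-Acl` on the `AD:` drive only needs Read Permissions on the OU.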