我有下面的代码,顶部有一些设置,下面的代码是从循环体中提取的:
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$DIR_SVCS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('domain')
## Other stuff...
## usersOU is set to the domain of the users (...,OU=users,dc=<domain>...)
Search-ADAccount -LockedOut -SearchBase $usersOU | Unlock-ADAccount
## Loop code...
$userID = 'myuser'
$password = 'TempPa$$w0rd'
$SecurePW = ConvertTo-SecureString ($password) -AsPlainText -Force
Set-ADAccountPassword $userID -Reset -NewPassword $SecurePW | Out-Null
if ((-Not $?) -or ($LASTEXITCODE -gt 0)) {
Throw "ERROR with Set-ADAccountPassword exit code $LASTEXITCODE on $userID"
}
if ($DIR_SVCS.ValidateCredentials($userID, $password)) {
Write-Host "Validated new account password: $userID"
} else {
Write-Host "FAILED validation of new account password: $userID"
}
这是在一组用户和密码上执行的,输出结果让我摸不着头脑:
Validated new account password: user1
FAILED validation of new account password: user2
FAILED validation of new account password: user3
Validated new account password: user4
FAILED validation of new account password: user5
...
我看不到任何迹象表明为什么这在一些人上失败了,而在另一些人上成功了。所有被修改的用户都存在于上面解锁的"$usersOU“中,但我预计在”Set-ADAccountPassword“调用之后会抛出一个错误,或者所有的验证调用都会成功...
如果能帮助我们理解这里发生的事情,我们将不胜感激!
发布于 2018-06-08 06:13:56
在多域控制器环境中从ActiveDirectory模块和.NET查询active directory时,通常会出现这种情况。这可以通过确保两者都与同一台服务器通信来缓解,最简单的方法可能是将$DIR_SVCS中的"ConnectedServer“属性与Search-ADAccount一起使用
举个例子:
Search-ADAccount -LockedOut -SearchBase $usersOU -Server $DIR_SVCS.ConnectedServer | Unlock-ADAccount
https://stackoverflow.com/questions/50749706
复制相似问题