如何在 Powershell 中模拟 Active Directory 用户?
Posted
技术标签:
【中文标题】如何在 Powershell 中模拟 Active Directory 用户?【英文标题】:How do you impersonate an Active Directory user in Powershell? 【发布时间】:2010-09-05 22:10:18 【问题描述】:我正在尝试通过 Web 界面 (ASP.NET/C#) 运行 powershell 命令,以便在 Exchange 2007 上创建邮箱/等。当我使用 Visual Studio (Cassini) 运行页面时,页面加载正确.但是,当我在 IIS (v5.1) 上运行它时,我收到错误“未知用户名或密码错误”。我注意到的最大问题是 Powershell 是以 ASPNET 而不是我的 Active Directory 帐户登录的。如何强制我的 Powershell 会话使用另一个 Active Directory 帐户进行身份验证?
基本上,我目前的脚本看起来是这样的:
RunspaceConfiguration rc = RunspaceConfiguration.Create();
PSSnapInException snapEx = null;
rc.AddPSSnapIn("Microsoft.Exchange.Management.PowerShell.Admin", out snapEx);
Runspace runspace = RunspaceFactory.CreateRunspace(rc);
runspace.Open();
Pipeline pipeline = runspace.CreatePipeline();
using (pipeline)
pipeline.Commands.AddScript("Get-Mailbox -identity 'user.name'");
pipeline.Commands.Add("Out-String");
Collection<PSObject> results = pipeline.Invoke();
if (pipeline.Error != null && pipeline.Error.Count > 0)
foreach (object item in pipeline.Error.ReadToEnd())
resultString += "Error: " + item.ToString() + "\n";
runspace.Close();
foreach (PSObject obj in results)
resultString += obj.ToString();
return resultString;
【问题讨论】:
【参考方案1】:这是我用来模拟用户的一个类。
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.htmlControls;
namespace orr.Tools
#region Using directives.
using System.Security.Principal;
using System.Runtime.InteropServices;
using System.ComponentModel;
#endregion
/// <summary>
/// Impersonation of a user. Allows to execute code under another
/// user context.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <remarks>
/// This class is based on the information in the Microsoft knowledge base
/// article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
///
/// Encapsulate an instance into a using-directive like e.g.:
///
/// ...
/// using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
///
/// ...
/// [code that executes under the new context]
/// ...
///
/// ...
///
/// Please contact the author Uwe Keim (mailto:uwe.keim@zeta-software.de)
/// for questions regarding this class.
/// </remarks>
public class Impersonator :
IDisposable
#region Public methods.
/// <summary>
/// Constructor. Starts the impersonation with the given credentials.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
public Impersonator(
string userName,
string domainName,
string password)
ImpersonateValidUser(userName, domainName, password);
// ------------------------------------------------------------------
#endregion
#region IDisposable member.
public void Dispose()
UndoImpersonation();
// ------------------------------------------------------------------
#endregion
#region P/Invoke.
[DllImport("advapi32.dll", SetLastError = true)]
private static extern int LogonUser(
string lpszUserName,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern int DuplicateToken(
IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
private static extern bool CloseHandle(
IntPtr handle);
private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_PROVIDER_DEFAULT = 0;
// ------------------------------------------------------------------
#endregion
#region Private member.
// ------------------------------------------------------------------
/// <summary>
/// Does the actual impersonation.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
private void ImpersonateValidUser(
string userName,
string domain,
string password)
WindowsIdentity tempWindowsIdentity = null;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
try
if (RevertToSelf())
if (LogonUser(
userName,
domain,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref token) != 0)
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
else
throw new Win32Exception(Marshal.GetLastWin32Error());
else
throw new Win32Exception(Marshal.GetLastWin32Error());
else
throw new Win32Exception(Marshal.GetLastWin32Error());
finally
if (token != IntPtr.Zero)
CloseHandle(token);
if (tokenDuplicate != IntPtr.Zero)
CloseHandle(tokenDuplicate);
/// <summary>
/// Reverts the impersonation.
/// </summary>
private void UndoImpersonation()
if (impersonationContext != null)
impersonationContext.Undo();
private WindowsImpersonationContext impersonationContext = null;
// ------------------------------------------------------------------
#endregion
【讨论】:
【参考方案2】:在您的 ASP.NET 应用程序中,您需要模拟具有正确权限的有效 AD 帐户:
http://support.microsoft.com/kb/306158
【讨论】:
【参考方案3】:出于安全原因,Exchange 2007 不允许您模拟用户。这意味着(目前)不可能通过模拟用户来创建邮箱。为了解决这个问题,我创建了一个在 AD 用户下运行的 Web 服务,该用户有权创建电子邮件帐户等。然后您可以访问此 Web 服务以访问 Powershell。请记住添加必要的安全性,因为这可能是一个巨大的安全漏洞。
【讨论】:
【参考方案4】:你可能需要一个补丁。
发件人:http://support.microsoft.com/kb/943937
应用程序不能模拟 用户,然后运行 Windows PowerShell Exchange Server 2007 中的命令 环境
要解决此问题,请安装 Exchange 服务器的更新汇总 1 2007 服务包 1。
【讨论】:
以上是关于如何在 Powershell 中模拟 Active Directory 用户?的主要内容,如果未能解决你的问题,请参考以下文章
PowerShell 操作 Azure SQL Active Geo-Replication 实战
如何通过Powershell在域计算机上查询Active Directory而不在客户端计算机上安装RSAT工具
PowerShell:如何将 1 个用户添加到多个 Active Directory 安全组 - 具有写入权限的安全组的安全选项卡
如何显示不在特定AD组中的列表Active Directory用户
powershell 用于将Active Directory组添加到Active Directory的Powershell脚本