
PowerShell Core to PowerShell

Stack Overflow user
Asked 2020-01-09 15:44:39
Answers: 1, Views: 175, Followers: 0, Votes: 0

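I am running an Ubuntu EC2 instance with pwsh in order to execute AD commands remotely on our server. The 2nd hop is set up correctly and I am able to run AD commands, but when executing my script I get the following error (the script works fine directly on the 2nd-hop machine):

The search filter cannot be recognized

  • CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException
  • FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADUser
  • PSComputerName : corpmaint02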

#!/usr/bin/pwsh
$employeeEmail = 'myemail@contoso.com'
$session = New-PSSession -ComputerName corpmaint02 -ConfigurationName corpmaint02 -Credential contoso\myadminaccount
Invoke-Command -Session $session -ArgumentList $employeeEmail -ScriptBlock {
    Get-ADUser -Filter "EmailAddress -eq '$employeeEmail'" -Properties EmailAddress | Disable-ADAccount
    Write-Host $employeeEmail has been 'disabled.'
}
Remove-PSSession -ID $session.ID
[GC]::Collect()

Any help would be greatly appreciated.

Update: new code:

#!/usr/bin/pwsh
$cred=Get-Credential domain\myadmin
$employeeEmail = 'myemail@contoso.com'
Invoke-Command -ComputerName corpmaint02 -Credential $cred -ConfigurationName corpmaint02 -Authentication Negotiate -ArgumentList $employeeEmail -ScriptBlock {
    Get-ADUser -Filter "EmailAddress -eq '$($Args[0])'" -Properties EmailAddress | Disable-ADAccount -Verbose
    # $employeeEmail does not exist in the remote session, so print the passed argument
    Write-Host "$($Args[0]) has been disabled."
}

I modified my code as follows and it works except for the lack of permissions to disable the account, which is odd because my admin account has rights to do so.

Insufficient access rights to perform the operation

  • CategoryInfo : NotSpecified: (CN=xxxxx\domain,DC=com:ADUser) [Disable-ADAccount], ADException
  • FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.DisableADAccount
  • PSComputerName : corpmaint02

New code to elevate:

#!/usr/bin/pwsh
$cred=Get-Credential domain\myadmin
$employeeEmail = 'user1@contoso.com'
Invoke-Command -ComputerName corpmaint02 -Credential $cred -ConfigurationName corpmaint02 -Authentication Negotiate -ArgumentList $employeeEmail,$cred -ScriptBlock {
    $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
    $testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
    if ($testadmin -eq $false) {
        Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition))
        exit $LASTEXITCODE
    }
    Get-ADUser -Filter "EmailAddress -eq '$($Args[0])'" -Properties EmailAddress | Disable-ADAccount -verbose -Credential $Args[1]
}
Write-Host $employeeEmail 'has been disabled.'

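1 Answer

Stack Overflow user

Answered 2020-01-10 04:28:00

Invoke-Command runs without elevated privileges, so you can retrieve data but cannot make changes.

https://ss64.com/ps/syntax-elevate.html: If you use Invoke-Command to run a script or command on a remote computer, it will not run elevated even if the local session is. This is because any prompt for elevation will happen on the remote machine in a non-interactive session and so will fail.

You could try self-elevating inside the Invoke-Command script block (from the link above).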

If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
  # Relaunch as an elevated process:
  Start-Process powershell.exe "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -Verb RunAs
  exit
}
# Now running elevated so launch the script:
& "d:\long path name\script name.ps1" "Long Argument 1" "Long Argument 2"
Votes: 0
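
A diagnostic variant of the asker's call, added here as an example (it is not code from the question, the answer or SS64): it passes the address through a `param()` block and reports which account the remote commands actually run as before anything is changed. The host, endpoint and account names are the ones from the question; the output property names and the possibility of a RunAs account on the endpoint are assumptions of this example.

```powershell
#!/usr/bin/pwsh
# Added example: inspect the remote session before changing anything in AD.
$cred          = Get-Credential 'domain\myadmin'
$employeeEmail = 'user1@contoso.com'

$remote = @{
    ComputerName      = 'corpmaint02'
    ConfigurationName = 'corpmaint02'    # custom endpoint named in the question
    Credential        = $cred
    Authentication    = 'Negotiate'
    ArgumentList      = $employeeEmail   # bound to param($Email) on the remote side
    ErrorAction       = 'Stop'           # a failed remote command stops the script
}

$report = Invoke-Command @remote -ScriptBlock {
    param([string]$Email)

    # Account the endpoint really executes as. If the endpoint is registered
    # with a RunAs account (an assumption, the question does not say), this is
    # not the account supplied with -Credential.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity

    # Filter built from the parameter; a caller-side variable such as
    # $employeeEmail is empty in this scope.
    $users = @(Get-ADUser -Filter "EmailAddress -eq '$Email'" -Properties EmailAddress)

    # Property names below are made up for this example.
    [pscustomobject]@{
        RunningAs         = $identity.Name
        IsAdministrator   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        MatchedUsers      = $users.Count
        DistinguishedName = $users.DistinguishedName
    }
}
$report | Format-List RunningAs, IsAdministrator, MatchedUsers, DistinguishedName

# Disable only when the filter matched exactly one account.
if ($report.MatchedUsers -eq 1) {
    Invoke-Command @remote -ScriptBlock {
        param([string]$Email)
        Get-ADUser -Filter "EmailAddress -eq '$Email'" | Disable-ADAccount -Verbose
    }
    Write-Host "$employeeEmail has been disabled."
} else {
    Write-Warning "Expected 1 match for $employeeEmail, found $($report.MatchedUsers)."
}
```

Compare `RunningAs` with the account that holds the right to disable users in the target OU: AD checks the permissions of that identity, and an elevation prompt cannot be answered in the non-interactive remote session.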
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/59667564
