Powershell Set-ADUser userCertificate参数类型错误 [英] Powershell Set-ADUser userCertificate parameter type error

问题描述

我有一个脚本，该脚本基本上执行以下操作：

  $ user = Get-ADUser $ someUserName -Server $ someCertServer -属性* 
 $ user.userCertificate |％{Set-ADUser $ someUserName-证书@ {Add = $ _}} 
  

它将证书数据从证书服务器复制到默认服务器。 $ user.userCertificate 的类型为 Microsoft.ActiveDirectory.Management.ADPropertyValueCollection 和 $ user。 userCertificate [0] 的类型为 System.Byte [] 。根据文档，我可以通过 Byte [] ，祝一切顺利。通过在上面的脚本中使用foreach运算符，我得到了Byte []。

但是，Powershell失败并显示错误消息

参数证书要求集合中的所有值都是同一类型

（并强调 @ {Add = $ _} ；该消息可能不是100％准确，因为我不得不将其翻译成英文）。由于使用了foreach运算符，因此只有一种类型：Byte []。该错误消息是什么意思，以及如何将证书放入ADUser对象？

我也尝试将Byte []转换为证书对象，但是它结束了并显示相同的错误消息：

  $ cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 
 $ cert.Import（$ user.userCertificate [0]）
 Set-ADUser $ someUserName -Certificates @ {Add = $ cert} 
  

解决方案

我看到的第一个问题是您调用了错误的属性才能使示例工作。

  $ user.userCertificate | ForEach-Object {Set-ADUser $ someUserName -Certificates @ {Add = $ _}} 
  

该对象上有一个名为 userCertificate 的属性，其中包含 [byte []] 。为了使代码按您希望的方式工作，应使用 Certificates 。 证书是 Security.Cryptography.X509Certificates.X509Certificate

的集合

因此，我进行了更改，从而能够将另一个用户证书添加到我自己的帐户中。

  $ certUser = Get-Aduser someGuy-属性证书
 $ certUser.Certificates | ％{Set-ADUser ME-证书@ {Add = $ _}} 
  

^{注意：更好的做法是只从AD请求您需要的属性。使用 -properties * 是浪费精力和不必要的资源}

涵盖了有关处理证书的MSDN博客。

---

证书作为字节数组

现在我们知道 userCertificate 是字节数组的集合，也许我们可以研究如何使用它。

使用字节数组和 Set-Aduser 的证书参数时遇到问题。我遇到了错误

  Set-ADUser：无法验证参数 Certificates上的参数。参数集合中的值的类型应为：'System.Security.Cryptography.X509Certificates.X509Certificate'
  

我确实做到了这一点，但是我必须首先将字节数组转换为cert对象，考虑到这似乎是 Certificates 属性已经是。

  $ certUser.Usercertificate | ForEach-Object {
 Set-ADUser ME -certificate @ {Add = [System.Security.Cryptography.X509Certificates.X509Certificate] $ _} 
} 
  




I have a script, which essentially does the following:

$user = Get-ADUser $someUserName -Server $someCertServer -Properties *
$user.userCertificate |% { Set-ADUser $someUserName -Certificates @{Add=$_} }

It copies the cert data from a cert-server to the default server. $user.userCertificate is of type Microsoft.ActiveDirectory.Management.ADPropertyValueCollection and $user.userCertificate[0] is of type System.Byte[]. According to the docs, I can pass a Byte[] and be good to go. By using the foreach operator in the above script, I get the Byte[].

However, Powershell fails with the error message

the parameter certificates requires all values in the collection to be of the same type

(and underlines the @{Add=$_}; the message might not be 100% accurate, since I had to translate it to English). Because of the foreach operator, there is only one type: a Byte[]. What does that error message mean and how can I shove the certificate into the ADUser object?

I also tried to convert the Byte[] to a certificate object, however it ended up with the same error message:

$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($user.userCertificate[0])
Set-ADUser $someUserName -Certificates @{Add=$cert}

解决方案

The very first issue I see is that you are calling on the wrong property for your example to work.

$user.userCertificate | ForEach-Object { Set-ADUser $someUserName -Certificates @{Add=$_}}

While there is a property called userCertificate on that object that contains an collection of [byte[]]. For that code to work the way you want it to you should be using Certificates. Certificates is an collection of Security.Cryptography.X509Certificates.X509Certificate

So making that change I was able to add another users certificate to my own account.

$certUser = Get-Aduser "someGuy" -Properties certificates
$certUser.Certificates | %{ Set-ADUser "ME" -Certificates @{Add=$_}}

^{Note: It is a better practice to only request the properties you need from AD. Using -properties * is a waste of effort and needless resources}

While this exact scenario is not covered there is a nice write-up on the MSDN Blogs about dealing with certs.

---

Cert as a byte array

Now that we know userCertificate is a collection of byte arrays maybe we can look into how to use that.

I was having issues using the byte array with the certificate parameter for Set-Aduser even though it is supposed to support it. I got the error

Set-ADUser : Cannot validate argument on parameter 'Certificates'. Values in the argument collection should be of Type: 'System.Security.Cryptography.X509Certificates.X509Certificate' 

I did get this to work but I had to cast the byte array as a cert object first which was redundant considering this appear to be what the Certificates property already is.

$certUser.Usercertificate | ForEach-Object{
    Set-ADUser "ME" -certificate @{Add=[System.Security.Cryptography.X509Certificates.X509Certificate]$_}
}

这篇关于Powershell Set-ADUser userCertificate参数类型错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！