Powershell Set-ADUser userCertificate参数类型错误 [英] Powershell Set-ADUser userCertificate parameter type error
问题描述
我有一个脚本,该脚本基本上执行以下操作:
$ user = Get-ADUser $ someUserName -Server $ someCertServer -属性*
$ user.userCertificate |%{Set-ADUser $ someUserName-证书@ {Add = $ _}}
它将证书数据从证书服务器复制到默认服务器。 $ user.userCertificate
的类型为 Microsoft.ActiveDirectory.Management.ADPropertyValueCollection
和 $ user。 userCertificate [0]
的类型为 System.Byte []
。根据文档,我可以通过 Byte []
,祝一切顺利。通过在上面的脚本中使用foreach运算符,我得到了Byte []。
但是,Powershell失败并显示错误消息
参数证书要求集合中的所有值都是同一类型
(并强调 @ {Add = $ _}
;该消息可能不是100%准确,因为我不得不将其翻译成英文)。由于使用了foreach运算符,因此只有一种类型:Byte []。该错误消息是什么意思,以及如何将证书放入ADUser对象?
我也尝试将Byte []转换为证书对象,但是它结束了并显示相同的错误消息:
$ cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
$ cert.Import($ user.userCertificate [0])
Set-ADUser $ someUserName -Certificates @ {Add = $ cert}
我看到的第一个问题是您调用了错误的属性才能使示例工作。
$ user.userCertificate | ForEach-Object {Set-ADUser $ someUserName -Certificates @ {Add = $ _}}
该对象上有一个名为 userCertificate
的属性,其中包含 [byte []] $ c $的集合c>。为了使代码按您希望的方式工作,应使用
Certificates
。 证书
是 Security.Cryptography.X509Certificates.X509Certificate
的集合
因此,我进行了更改,从而能够将另一个用户证书添加到我自己的帐户中。
$ certUser = Get-Aduser someGuy-属性证书
$ certUser.Certificates | %{Set-ADUser ME-证书@ {Add = $ _}}
注意:更好的做法是只从AD请求您需要的属性。使用 -properties *
是浪费精力和不必要的资源
涵盖了有关处理证书的MSDN博客。
证书作为字节数组
现在我们知道 userCertificate
是字节数组的集合,也许我们可以研究如何使用它。
使用字节数组和 Set-Aduser
的证书参数时遇到问题。我遇到了错误
Set-ADUser:无法验证参数 Certificates上的参数。参数集合中的值的类型应为:'System.Security.Cryptography.X509Certificates.X509Certificate'
我确实做到了这一点,但是我必须首先将字节数组转换为cert对象,考虑到这似乎是 Certificates
属性已经是。
$ certUser.Usercertificate | ForEach-Object {
Set-ADUser ME -certificate @ {Add = [System.Security.Cryptography.X509Certificates.X509Certificate] $ _}
}
I have a script, which essentially does the following:
$user = Get-ADUser $someUserName -Server $someCertServer -Properties *
$user.userCertificate |% { Set-ADUser $someUserName -Certificates @{Add=$_} }
It copies the cert data from a cert-server to the default server. $user.userCertificate
is of type Microsoft.ActiveDirectory.Management.ADPropertyValueCollection
and $user.userCertificate[0]
is of type System.Byte[]
. According to the docs, I can pass a Byte[]
and be good to go. By using the foreach operator in the above script, I get the Byte[].
However, Powershell fails with the error message
the parameter certificates requires all values in the collection to be of the same type
(and underlines the @{Add=$_}
; the message might not be 100% accurate, since I had to translate it to English). Because of the foreach operator, there is only one type: a Byte[]. What does that error message mean and how can I shove the certificate into the ADUser object?
I also tried to convert the Byte[] to a certificate object, however it ended up with the same error message:
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($user.userCertificate[0])
Set-ADUser $someUserName -Certificates @{Add=$cert}
The very first issue I see is that you are calling on the wrong property for your example to work.
$user.userCertificate | ForEach-Object { Set-ADUser $someUserName -Certificates @{Add=$_}}
While there is a property called userCertificate
on that object that contains an collection of [byte[]]
. For that code to work the way you want it to you should be using Certificates
. Certificates
is an collection of Security.Cryptography.X509Certificates.X509Certificate
So making that change I was able to add another users certificate to my own account.
$certUser = Get-Aduser "someGuy" -Properties certificates
$certUser.Certificates | %{ Set-ADUser "ME" -Certificates @{Add=$_}}
Note: It is a better practice to only request the properties you need from AD. Using -properties *
is a waste of effort and needless resources
While this exact scenario is not covered there is a nice write-up on the MSDN Blogs about dealing with certs.
Cert as a byte array
Now that we know userCertificate
is a collection of byte arrays maybe we can look into how to use that.
I was having issues using the byte array with the certificate parameter for Set-Aduser
even though it is supposed to support it. I got the error
Set-ADUser : Cannot validate argument on parameter 'Certificates'. Values in the argument collection should be of Type: 'System.Security.Cryptography.X509Certificates.X509Certificate'
I did get this to work but I had to cast the byte array as a cert object first which was redundant considering this appear to be what the Certificates
property already is.
$certUser.Usercertificate | ForEach-Object{
Set-ADUser "ME" -certificate @{Add=[System.Security.Cryptography.X509Certificates.X509Certificate]$_}
}
这篇关于Powershell Set-ADUser userCertificate参数类型错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!