Unable to update the specified properties for on-premises mastered Directory Sync objects - Updating users manager attribute in azure ad
Question
Having exhaustively searched for a solution, I am hoping for some guidance.
I am looking to update users' manager attribute, which is populated in the on-prem AD, but Azure/365 doesn't replicate this as far as I know.
So I will have to manually change them using the below code:
```powershell
Set-AzureADUserManager -ObjectId "usersid" -RefObjectId "managersid"
```
Once I run this it fails with the following error:
```
Code: Request_BadRequest
Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.
RequestId:
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-AzureADUserManager], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetUserManager
```
I am not sure what the issue is with this, as the user's manager is synced in Azure with Windows AD as the source.
Thanks.
Answer 1
Score: 0
According to the docs the Manager attribute is synchronized.
Both the Get and Set cmdlets here need either the DistinguishedName, ObjectGUID, ObjectSID or SamAccountName for the -Identity and -Manager parameters.
You should be able to do:
```powershell
# set the manager property for the user
Get-ADUser -Identity "<THE USER>" | Set-ADUser -Manager "<THE MANAGER>"
```
After that, you can force an AD Sync using something like this:
```powershell
$server  = 'YourAzureConnectServer'
$cred    = Get-Credential -Message 'Please enter user name and password for AD Sync'
$session = New-PSSession -ComputerName $server -Credential $cred
Invoke-Command -Session $session {
    if (Get-ADSyncConnectorRunStatus) {
        Write-Warning "A sync is already in progress. Please try again later."
    }
    else {
        Write-Host "Initializing Azure AD Delta Sync..." -ForegroundColor Yellow
        try {
            Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction Stop
            Write-Host "Waiting for Sync to start.."
            # give the Sync Connector 10 seconds time to start-up
            Start-Sleep -Seconds 10
            Write-Host "Waiting for Sync to finish.."
            While (Get-ADSyncConnectorRunStatus) {
                Write-Host "." -NoNewline
                Start-Sleep -Seconds 5
            }
            Write-Host
            Write-Host "Azure AD Sync has finished." -ForegroundColor Green
        }
        catch {
            Write-Error $_
        }
    }
}
Remove-PSSession $session
```
<sup>You can also force a full attribute synchronization by using `Start-ADSyncSyncCycle -PolicyType Initial`</sup>
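An added example (not part of the original answers) that checks a user's source of authority before writing the manager, which is the condition behind the `Request_BadRequest` error in the question. It assumes the AzureAD and ActiveDirectory modules are available, `Connect-AzureAD` has already been run, and on-prem UPNs match the Azure AD UPNs; `Set-ManagerAtSource` is a hypothetical function name.

```powershell
# Added example, not the answer author's code. Set-ManagerAtSource is a hypothetical name.
# Assumes: AzureAD + ActiveDirectory modules, an existing Connect-AzureAD session,
# and that each user's on-prem UPN equals the Azure AD UPN.
function Set-ManagerAtSource {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserUpn,
        [Parameter(Mandatory)] [string] $ManagerUpn
    )

    # Both lookups throw if the object does not exist in Azure AD.
    $user    = Get-AzureADUser -ObjectId $UserUpn
    $manager = Get-AzureADUser -ObjectId $ManagerUpn

    if ($user.DirSyncEnabled) {
        # On-premises mastered object: Azure AD rejects the write, so the change
        # has to be made in on-prem AD and carried over by Azure AD Connect.
        $adUser    = Get-ADUser -Filter "UserPrincipalName -eq '$UserUpn'"
        $adManager = Get-ADUser -Filter "UserPrincipalName -eq '$ManagerUpn'"
        if (-not $adUser -or -not $adManager) {
            # e.g. a synced user whose intended manager is a cloud-only account
            throw "User or manager not found in on-prem AD; cannot set manager at the source."
        }
        if ($PSCmdlet.ShouldProcess($adUser.DistinguishedName, 'Set manager in on-prem AD')) {
            Set-ADUser -Identity $adUser -Manager $adManager
        }
        return 'OnPremAD'   # the caller still has to wait for or trigger a sync cycle
    }

    # Cloud-only object: Azure AD is the source of authority, so write there directly.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Set manager in Azure AD')) {
        Set-AzureADUserManager -ObjectId $user.ObjectId -RefObjectId $manager.ObjectId
    }
    return 'AzureAD'
}

# Dry run first: reports which directory would be written without changing anything.
# Set-ManagerAtSource -UserUpn 'user@example.com' -ManagerUpn 'manager@example.com' -WhatIf
```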
Answer 2
Score: 0
Seems like I needed to add a sync rule to the Synchronization Rules Editor. I followed the following: [Link](blog.kloud.com.au/2016/11/14/…). I added a rule to sync between AD and Azure and back again and this seems to have solved the problem, negating the need for the PS script. Once again, thanks to @theo for your help.