英文:
Unable to update the specified properties for on-premises mastered Directory Sync objects - Updating users manager attribute in azure ad
问题
经过详尽的搜索解决方案,我希望能获得一些指导。
我想要更新用户的经理属性,该属性在本地 AD 中已填充,但据我所知,Azure/365 不会复制这个属性。
因此,我将不得不使用以下代码手动更改它们:
Set-AzureADUserManager -ObjectId "用户ID" -RefObjectId "经理的ID"
但一旦我运行它,就会出现以下错误:
Code: Request_BadRequestMessage: 无法更新本地主控的目录同步对象或当前正在进行迁移的对象的指定属性。RequestId:HttpStatusCode: BadRequestHttpStatusDescription: Bad RequestHttpResponseStatus: Completed~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (:) [Set-AzureADUserManager], ApiException+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetUserManager
我不确定出现这个问题的原因,因为用户的经理在 Azure 中与 Windows AD 同步为来源。
英文:
Having exhaustively search for a solution, I am hoping for some guidance.
I am looking to update users manager attribute which is populated in the on-prem ad but azure/365 don't replicate this as far as I know.
So as I will have to manually change them using the below code;
Set-AzureADUserManager -ObjectId "usersid" -RefObjectId "managersid"
once I run this it fails with the following error;
Code: Request_BadRequestMessage: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.RequestId:HttpStatusCode: BadRequestHttpStatusDescription: Bad RequestHttpResponseStatus: Completed~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (:) [Set-AzureADUserManager], ApiException+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetUserManager
I am not sure what the issue is with this as the users manager is synced in azure with windows ad as the source.
Thanks.
答案1
得分: 0
根据文档,Manager属性已经同步。
这里的Get和Set cmdlet都需要使用-Identity和-Manager参数的DistinguishedName、ObjectGUID、ObjectSID或SamAccountName。
你可以执行以下操作:
# 设置用户的经理属性Get-ADUser -Identity "<用户>" | Set-ADUser -Manager "<经理>"
之后,你可以使用类似以下方式强制进行AD同步:
$server = 'YourAzureConnectServer'$cred = Get-Credential -Message '请输入用于AD同步的用户名和密码'$session = New-PSSession -ComputerName $server -Credential $credInvoke-Command -Session $session {if (Get-ADSyncConnectorRunStatus) {Write-Warning "同步正在进行中。请稍后重试。"}else {Write-Host "正在初始化Azure AD增量同步..." -ForegroundColor Yellowtry {Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction StopWrite-Host "等待同步开始..."# 给同步连接器10秒的启动时间Start-Sleep -Seconds 10Write-Host "等待同步完成..."While(Get-ADSyncConnectorRunStatus) {Write-Host "." -NoNewlineStart-Sleep -Seconds 5}Write-HostWrite-Host "Azure AD同步已完成。" -ForegroundColor Green}catch {Write-Error $_}}}Remove-PSSession $session
你也可以使用Start-ADSyncSyncCycle -PolicyType Initial来强制进行完全属性同步。
英文:
According to the docs the Manager attribute is synchronized.
Both the Get and Set cmdlets here need either the DistinguishedName, ObjectGUID, ObjectSID or SamAccountName fot the -Identity and -Manager parameters.
You should be able to do:
# set the manager property for the userGet-ADUser -Identity "<THE USER>" | Set-ADUser -Manager "<THE MANAGER>"
After that, you can force an AD Sync using something like this:
$server = 'YourAzureConnectServer'$cred = Get-Credential -Message 'Please enter user name and password for AD Sync'$session = New-PSSession -ComputerName $server -Credential $credInvoke-Command -Session $session {if (Get-ADSyncConnectorRunStatus) {Write-Warning "A sync is already in progress. Please try again later."}else {Write-Host "Initializing Azure AD Delta Sync..." -ForegroundColor Yellowtry {Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction StopWrite-Host "Waiting for Sync to start.."# give the Sync Connector 10 seconds time to start-upStart-Sleep -Seconds 10Write-Host "Waiting for Sync to finish.."While(Get-ADSyncConnectorRunStatus) {Write-Host "." -NoNewlineStart-Sleep -Seconds 5}Write-HostWrite-Host "Azure AD Sync has finished." -ForegroundColor Green}catch {Write-Error $_}}}Remove-PSSession $session
<sup>You can also force a full attribute synchronization by using Start-ADSyncSyncCycle -PolicyType Initial</sup>
答案2
得分: 0
I added a rule to sync between ad and azure and back again and this seems to have solved the problem, negating the need for the ps script.
英文:
Seems like I needed to add a sync rule to the Synchronization Rules Editor - I followed the following - [Link] (blog.kloud.com.au/2016/11/14/…) - I added a rule to sync between ad and azure and back again and this seems to have solved the problem, negating the need for the ps script. - once again thanks to @theo for your help. –
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论