Unable to update the specified properties for on-premises mastered Directory Sync objects – Updating users manager attribute in azure ad

huangapple
go评论86阅读模式
英文:

Unable to update the specified properties for on-premises mastered Directory Sync objects - Updating users manager attribute in azure ad

问题

经过详尽的搜索解决方案,我希望能获得一些指导。

我想要更新用户的经理属性,该属性在本地 AD 中已填充,但据我所知,Azure/365 不会复制这个属性。

因此,我将不得不使用以下代码手动更改它们:

Set-AzureADUserManager -ObjectId "用户ID" -RefObjectId "经理的ID"

但一旦我运行它,就会出现以下错误:

Code: Request_BadRequest
Message: 无法更新本地主控的目录同步对象或当前正在进行迁移的对象的指定属性。
RequestId: 
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Set-AzureADUserManager], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetUserManager

我不确定出现这个问题的原因,因为用户的经理在 Azure 中与 Windows AD 同步为来源。

英文:

Having exhaustively search for a solution, I am hoping for some guidance.

I am looking to update users manager attribute which is populated in the on-prem ad but azure/365 don't replicate this as far as I know.

So as I will have to manually change them using the below code;

Set-AzureADUserManager -ObjectId "usersid" -RefObjectId "managersid"

once I run this it fails with the following error;

Code: Request_BadRequest
Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.
RequestId: 
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : NotSpecified: (:) [Set-AzureADUserManager], ApiException
   + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetUserManager

I am not sure what the issue is with this as the users manager is synced in azure with windows ad as the source.

Thanks.

答案1

得分: 0

根据文档Manager属性已经同步。

这里的GetSet cmdlet都需要使用-Identity-Manager参数的DistinguishedNameObjectGUIDObjectSIDSamAccountName

你可以执行以下操作:

# 设置用户的经理属性
Get-ADUser -Identity "<用户>" | Set-ADUser -Manager "<经理>"

之后,你可以使用类似以下方式强制进行AD同步:

$server  = 'YourAzureConnectServer'
$cred    = Get-Credential -Message '请输入用于AD同步的用户名和密码'
$session = New-PSSession -ComputerName $server -Credential $cred

Invoke-Command -Session $session {
    if (Get-ADSyncConnectorRunStatus) {
        Write-Warning "同步正在进行中。请稍后重试。"
    }
    else {
        Write-Host "正在初始化Azure AD增量同步..." -ForegroundColor Yellow
        try {
            Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction Stop

            Write-Host "等待同步开始..."
            # 给同步连接器10秒的启动时间
            Start-Sleep -Seconds 10

            Write-Host "等待同步完成..."
            While(Get-ADSyncConnectorRunStatus) {
                Write-Host "." -NoNewline
                Start-Sleep -Seconds 5
            }
            Write-Host
            Write-Host "Azure AD同步已完成。" -ForegroundColor Green
        }
        catch {
            Write-Error $_
        }
    }
}

Remove-PSSession $session

你也可以使用Start-ADSyncSyncCycle -PolicyType Initial来强制进行完全属性同步。

英文:

According to the docs the Manager attribute is synchronized.

Both the Get and Set cmdlets here need either the DistinguishedName, ObjectGUID, ObjectSID or SamAccountName fot the -Identity and -Manager parameters.

You should be able to do:

# set the manager property for the user
Get-ADUser -Identity &quot;&lt;THE USER&gt;&quot; | Set-ADUser -Manager &quot;&lt;THE MANAGER&gt;&quot;

After that, you can force an AD Sync using something like this:

$server  = &#39;YourAzureConnectServer&#39;
$cred    = Get-Credential -Message &#39;Please enter user name and password for AD Sync&#39;
$session = New-PSSession -ComputerName $server -Credential $cred

Invoke-Command -Session $session {
    if (Get-ADSyncConnectorRunStatus) {
        Write-Warning &quot;A sync is already in progress. Please try again later.&quot;
    }
    else {
        Write-Host &quot;Initializing Azure AD Delta Sync...&quot; -ForegroundColor Yellow
        try {
            Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction Stop
        
            Write-Host &quot;Waiting for Sync to start..&quot;
            # give the Sync Connector 10 seconds time to start-up
            Start-Sleep -Seconds 10

            Write-Host &quot;Waiting for Sync to finish..&quot;
            While(Get-ADSyncConnectorRunStatus) {
                Write-Host &quot;.&quot; -NoNewline
                Start-Sleep -Seconds 5
            }
            Write-Host
            Write-Host &quot;Azure AD Sync has finished.&quot; -ForegroundColor Green
        }
        catch {
            Write-Error $_
        }
    }
}

Remove-PSSession $session

<sup>You can also force a full attribute synchronization by using Start-ADSyncSyncCycle -PolicyType Initial</sup>

答案2

得分: 0

I added a rule to sync between ad and azure and back again and this seems to have solved the problem, negating the need for the ps script.

英文:

Seems like I needed to add a sync rule to the Synchronization Rules Editor - I followed the following - [Link] (blog.kloud.com.au/2016/11/14/…) - I added a rule to sync between ad and azure and back again and this seems to have solved the problem, negating the need for the ps script. - once again thanks to @theo for your help. –

huangapple
  • 本文由 发表于 2020年1月3日 21:50:35
  • 转载请务必保留本文链接:https://go.coder-hub.com/59579747.html
  • active-directory
  • azure-active-directory
  • office365
  • powershell
  • windows-server-2012
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定