在 AD 中,如何从工作站本身获取工作站所属的组?


如果我在域控制器(在 Active Directory 中)查找“XPSP3-A”工作站属于哪些组,我会这样做:

dsquery computer "CN=XPSP3-A,CN=Computers,DC=pvk,DC=local" -name XPSP3-A | dsget computer -memberof

并收到以下信息:

"CN=Sec Group 001,OU=OU1,DC=pvk,DC=local" 
"CN=Domain Computers,CN=Users,DC=pvk,DC=local"

但是如何从“XPSP3-A”工作站执行相同操作?

答案1

注意,接下来是糟糕的 VBS。这是直接从我编写的用于部署用户快捷方式的旧 VBS 脚本中摘录的,基本上未经测试等。它不显示组的 DN,但应该可以实现。

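Option Explicit

Dim elem, UserGroupDict, ComputerGroupDict, currentDomain, currentUser, strComputerName, uCN, cCN
Dim oRoot, fqDomain, objNetwork, objUser, objComputer

' Group CNs are collected in dictionaries keyed case-insensitively, so a
' group reached twice (directly and through nesting) is recorded once.
Set UserGroupDict = CreateObject("Scripting.Dictionary")
UserGroupDict.CompareMode = vbTextCompare

Set ComputerGroupDict = CreateObject("Scripting.Dictionary")
ComputerGroupDict.CompareMode = vbTextCompare

' Obtain the default naming context (e.g. DC=pvk,DC=local); findDN and
' findDNComputer use it as the LDAP search base.
Set oRoot = GetObject("LDAP://rootDSE")
fqDomain = oRoot.Get("defaultNamingContext")

' Obtain NetBIOS user name, computer name and domain name of the current session
Set objNetwork = CreateObject("Wscript.Network")
currentDomain = objNetwork.UserDomain
currentUser = objNetwork.UserName
strComputerName = objNetwork.ComputerName

' Find the user's distinguishedName and bind to the user object
' (objUser is read by EnumUserGroups below)
uCN = findDN
Set objUser = GetObject("LDAP://" & uCN)

' Find the computer's distinguishedName and bind to the computer object
' (objComputer is read by EnumComputerGroups below)
cCN = findDNComputer
Set objComputer = GetObject("LDAP://" & cCN)

' Enumerate direct and nested group memberships of user and computer
EnumUserGroups
EnumComputerGroups

' "&" is the string concatenation operator; "+" would attempt numeric
' addition if either operand were not a string.
MsgBox "User DN: " & uCN
MsgBox "Computer DN: " & cCN

MsgBox "User Groups"
For Each elem In UserGroupDict
    MsgBox elem
Next

MsgBox "Computer Groups"
For Each elem In ComputerGroupDict
    MsgBox elem
Next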

'=========================
'FUNCTIONS
'=========================

'Records the groups the user is a *DIRECT* member of, then follows each
'group's own memberOf chain through GetNested.
'Reads the script-level objUser binding; results go into UserGroupDict
'(key = group CN, value is a placeholder "-").
Function EnumUserGroups()
    Dim objGroup

    For Each objGroup In objUser.Groups
        If UserGroupDict.Exists(objGroup.CN) = False Then
            UserGroupDict.Add objGroup.CN, "-"
            Call GetNested(objGroup)
        End If
    Next
End Function

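'Walks objGroup's memberOf attribute recursively and records every
'enclosing group's CN in UserGroupDict (key = CN, value "-").
'
'objGroup: an IADs group object already bound via LDAP://.
'
'A group that is nested in no other group has no memberOf attribute and
'GetEx raises for it; that case is treated as "no parents". A parent that
'cannot be bound (e.g. no read access) is skipped, so the enumeration may
'be incomplete without any visible error.
Function GetNested(objGroup)
    Dim colMembers, strMember, strPath, objNestedGroup

    On Error Resume Next
    colMembers = objGroup.GetEx("memberOf")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    For Each strMember In colMembers
        If strMember <> "" Then
            strPath = "LDAP://" & strMember
            ' Reset before binding so a failed GetObject cannot leave the
            ' previous iteration's object in place and get counted twice.
            Set objNestedGroup = Nothing
            On Error Resume Next
            Set objNestedGroup = GetObject(strPath)
            Err.Clear
            On Error GoTo 0
            If Not objNestedGroup Is Nothing Then
                If Not UserGroupDict.Exists(objNestedGroup.CN) Then
                    UserGroupDict.Add objNestedGroup.CN, "-"
                    GetNested objNestedGroup
                End If
            End If
        End If
    Next

    Set objNestedGroup = Nothing
End Function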

'Records the groups the computer is a *DIRECT* member of, then follows each
'group's own memberOf chain through GetNestedComputer.
'Reads the script-level objComputer binding; results go into
'ComputerGroupDict (key = group CN, value is a placeholder "-").
Function EnumComputerGroups()
    Dim objGroup

    For Each objGroup In objComputer.Groups
        If ComputerGroupDict.Exists(objGroup.CN) = False Then
            ComputerGroupDict.Add objGroup.CN, "-"
            Call GetNestedComputer(objGroup)
        End If
    Next
End Function

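'Walks objGroup's memberOf attribute recursively and records every
'enclosing group's CN in ComputerGroupDict (key = CN, value "-").
'
'objGroup: an IADs group object already bound via LDAP://.
'
'Recursion stays on GetNestedComputer so groups found more than one level
'deep land in ComputerGroupDict rather than in the user's dictionary.
'A group with no memberOf attribute makes GetEx raise; that is treated as
'"no parents". A parent that cannot be bound is skipped, so the result may
'be incomplete without any visible error.
Function GetNestedComputer(objGroup)
    Dim colMembers, strMember, strPath, objNestedGroup

    On Error Resume Next
    colMembers = objGroup.GetEx("memberOf")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    For Each strMember In colMembers
        If strMember <> "" Then
            strPath = "LDAP://" & strMember
            ' Reset before binding so a failed GetObject cannot leave the
            ' previous iteration's object in place and get counted twice.
            Set objNestedGroup = Nothing
            On Error Resume Next
            Set objNestedGroup = GetObject(strPath)
            Err.Clear
            On Error GoTo 0
            If Not objNestedGroup Is Nothing Then
                If Not ComputerGroupDict.Exists(objNestedGroup.CN) Then
                    ComputerGroupDict.Add objNestedGroup.CN, "-"
                    GetNestedComputer objNestedGroup
                End If
            End If
        End If
    Next

    Set objNestedGroup = Nothing
End Function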

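'Function to find the distinguishedName of the user object whose
'sAMAccountName equals the script-level currentUser, searching the
'subtree below fqDomain.
'
'Returns the distinguishedName of the first match. If no object matches,
'shows a message box and terminates the script with a non-zero exit code.
Function findDN
    Dim objConnection, objCommand, objRecordSet, strSafeUser

    ' currentUser is interpolated into an LDAP filter. sAMAccountName may
    ' legitimately contain "(" and ")", and any of the RFC 4515 filter
    ' metacharacters would change the meaning of the query, so escape them
    ' (backslash first, so the escapes themselves are not re-escaped).
    strSafeUser = currentUser
    strSafeUser = Replace(strSafeUser, "\", "\5c")
    strSafeUser = Replace(strSafeUser, "*", "\2a")
    strSafeUser = Replace(strSafeUser, "(", "\28")
    strSafeUser = Replace(strSafeUser, ")", "\29")
    strSafeUser = Replace(strSafeUser, Chr(0), "\00")

    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Open "Provider=ADsDSOObject;"

    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection

    objCommand.CommandText = _
    "<LDAP://" & fqDomain & ">;(&(objectCategory=User)" & _
    "(samAccountName=" & strSafeUser & "));samAccountName,distinguishedName;subtree"

    Set objRecordSet = objCommand.Execute

    If objRecordSet.RecordCount = 0 Then
        objRecordSet.Close
        objConnection.Close
        MsgBox "Error: Couldn't get User Groups. Exiting"
        ' Non-zero so a caller checking the exit code sees the failure.
        WScript.Quit 1
    Else
        findDN = objRecordSet.Fields("distinguishedName").Value
        objRecordSet.Close
        objConnection.Close
    End If
End Function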

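'Function to find the distinguishedName of the computer object whose name
'equals the script-level strComputerName, searching the subtree below
'fqDomain.
'
'Returns the distinguishedName of the first match. If no object matches,
'shows a message box and terminates the script with a non-zero exit code.
Function findDNComputer
    Dim objConnection, objCommand, objRecordSet, strSafeName

    ' strComputerName is interpolated into an LDAP filter; escape the
    ' RFC 4515 filter metacharacters so the value cannot change the query
    ' (backslash first, so the escapes themselves are not re-escaped).
    strSafeName = strComputerName
    strSafeName = Replace(strSafeName, "\", "\5c")
    strSafeName = Replace(strSafeName, "*", "\2a")
    strSafeName = Replace(strSafeName, "(", "\28")
    strSafeName = Replace(strSafeName, ")", "\29")
    strSafeName = Replace(strSafeName, Chr(0), "\00")

    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Open "Provider=ADsDSOObject;"

    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection

    objCommand.CommandText = _
    "<LDAP://" & fqDomain & ">;(&(objectCategory=Computer)" & _
    "(name=" & strSafeName & "));samAccountName,distinguishedName;subtree"

    Set objRecordSet = objCommand.Execute

    If objRecordSet.RecordCount = 0 Then
        objRecordSet.Close
        objConnection.Close
        MsgBox "Error: Couldn't get Computer Groups. Exiting"
        ' Non-zero so a caller checking the exit code sees the failure.
        WScript.Quit 1
    Else
        findDNComputer = objRecordSet.Fields("distinguishedName").Value
        objRecordSet.Close
        objConnection.Close
    End If
End Function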

答案2

您也可以从工作站执行完全相同的命令。您可以从 DC 获取 dsquery 和 dsget 可执行文件,也可以安装 RSAT 或 2003 Admin Toolkit。两者都包含它。

答案3

使用 PowerShell 执行此操作。VBS 已经过时,PowerShell 才是新热点。请参阅以下链接中的 TechNet 文章,其中讨论了如何编写所有这些代码。其中还有很多关于 VBS 到 PS 转换的有用信息。
