我本质上并不是一个 sysAdmin/PowerShell 人员,但是在使用这个 Powershell 查询时遇到了问题。
需要将特定 Windows 安全组中的所有用户拉回来并以特定方式格式化它们(如下所示),但是在确定为什么我的安全组过滤器不起作用时遇到了一些问题,并且想知道我的过滤器设置是否存在问题。
#Snippet
$searcher.filter = "(&(memberof=CN=My Windows Security Group,OU=SecurityGroups,OU=Messaging,OU=Enterprise,DC=****,DC=****)(objectCategory=*))"
$results = $searcher.findall()
我在 PowerShell ISE 中设置了一个断点,但是在调试时 $results 不包含任何值。
我根据同事现有的脚本对此进行了建模,看起来他正在查询 DL,并且在调试时看到了 $results 值:
#---------------------------------------------------------
#DL Filter Example (works)
#---------------------------------------------------------
$Searcher.Filter = "(&(memberOf=CN=DL_TestApp_Admin,OU=Distribution Lists,OU=Messaging,OU=Enterprise,DC=dcInfo,DC=dcInfo,DC=****)(objectCategory=*))"
$results = $searcher.findall()
以下是过滤 Windows 安全组的完整 PS 脚本(由我修改)
$curdate = (Get-Date).ToString("MMddyyyy")
$baseDN = "LDAP://"
$Searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.searchroot = new-object system.directoryservices.directoryentry($basedn)
#---------------------------------------------------------
#Windows Security Group Filter (doesn't work)
#---------------------------------------------------------
$searcher.filter = "(&(memberof=CN=My Windows Security Group,OU=SecurityGroups,OU=Messaging,OU=Enterprise,DC=****,DC=****)(objectCategory=*))"
$results = $searcher.findall()
#---------------------------------------------------------
#Build the dataset in specific format
#---------------------------------------------------------
$usercsv = $results | #-Object {
New-Object -TypeName PSObject -Property @{
"User ID" = $_.properties['samAccountName'][0]
"User Role" = "Blah"
"Elevated Role" = "Y"
"Internal User" = "Y"
"Date of Last Login" = $null
"App Specific Info 1" = $null
"App Specific Info 2" = $null
"Account Creation Date" = $null
"Last Password Change Date" = $null
"User Email Address" = $_.properties['mail'][0]
"User First Name" = $null
"User Last Name" = $null
"App Specific Info 3" = $null
"Review Group" = $null
}
}
#export to csv
$usercsv | Select-Object -Property "User ID","User Role","Elevated Role","Internal User","Date of Last Login","App Specific Info 1","App Specific Info 2","Account Creation Date","Last Password Change Date","User Email Address","User First Name","User Last Name","App Specific Info 3","Review Group" | Export-Csv -NoTypeInformation -Path "UsersListing_$curdate.csv"
Write-Host "Wrote", $results.Count, "record(s)"
#removing last CR LF
#TODO: Move this to a common function in a separate script for all
scripts to call
$stream = [IO.File]::OpenWrite("UsersListing_$curdate.csv")
$stream.SetLength($stream.Length - 2)
$stream.Close()
$stream.Dispose()
最初,我将其编写为在 DevOps Poweshell 发布管道中运行,如下所示,以生成 csv 文件:
$Members = Get-ADGroup -Filter {Name -eq "WSG"} -Properties Member |
Select-Object -ExpandProperty Member
$GlobalCatalog = "$((Get-ADDomainController -Discover).Name):xxxx"
$output = Foreach ($User in $Members)
{
Get-ADUser -Identity $User -Server $GlobalCatalog -Properties CN,
EmailAddress, AccountExpirationDate, Created, HomePage, LastLogonDate,
PasswordLastSet, whenCreated | Select-Object CN,
SamAccountName,EmailAddress, AccountExpirationDate, Created, Enabled,
HomePage, LastLogonDate, Name, PasswordLastSet, UserPrincipalName,
whenCreated
}
#output csv file
$output | Export-Csv $Env:TEMP\Users.csv -NoTypeInformation
在这种情况下,输出格式并不重要,我不确定是否可以修改此查询以将结果输出为以下格式:
"User ID" = $_.properties['samAccountName'][0]
"User Role" = "Blah"
"Elevated Role" = "Y"
"Internal User" = "Y"
"Date of Last Login" = $null
"App Specific Info 1" = $null
"App Specific Info 2" = $null
"Account Creation Date" = $null
"Last Password Change Date" = $null
"User Email Address" = $_.properties['mail'][0]
"User First Name" = $null
"User Last Name" = $null
"App Specific Info 3" = $null
"Review Group" = $null
此查询的结果采用以下特定格式:
CN :
SamAccountName :
EmailAddress :
AccountExpirationDate :
Created :
Enabled :
HomePage :
LastLogonDate :
Name :
PasswordLastSet :
UserPrincipalName :
whenCreated :
在此先感谢您的帮助。
答案1
没有必要进行实际的 LDAP 搜索,因为Active Directory PowerShell 模块已在 Windows Server 2008 R2 中引入。
获取 ADGroupMember就是您要查找的内容。如果您需要有关群组成员的更多详细信息,您可以使用获取AD用户以获取您需要的任何信息。
AD PowerShell 模块会自动安装在所有域控制器上,但您可以通过启用相应的 Windows 功能将其安装在任何 Windows Server 系统上:
Install-WindowsFeature RSAT-AD-PowerShell
您还可以将其安装在 Windows 客户端系统上,作为远程服务器管理工具。
答案2
以下是为了获得我们想要的结果而开发的最终 Poweshell:
$curdate = (Get-Date).ToString("MMddyyyy")
#-------------------------------------------------------------------------------
# Get members for Windows Security Groups
#-------------------------------------------------------------------------------
$Members = Get-ADGroup -Filter {Name -eq "My AD Group"} -Properties Member | Select-Object -ExpandProperty Member
$GlobalCatalog = "$((Get-ADDomainController -Discover).Name):1234"
$results = @()
Foreach ($User in $Members)
{
$userInfo = Get-ADUser -Identity $User -Server $GlobalCatalog -Properties SamAccountName, EmailAddress, LastLogonDate
$details = [ordered] @{
"Active Directory ID" = $userInfo.SamAccountName
"User Role" = "My AD Group"
"Elevated Role" = "N"
"Internal User" = "Y"
"Date of Last Logon" = $userInfo.LastLogonDate
"Application Specific Info 1" = $null
"Application Specific Info 2" = $null
"Acct Creation Date" = $null
"Last PWD Change Date" = $null
"User Email Address" = $userInfo.EmailAddress
"User First Name" = $null
"User Last Name" = $null
"Application Specific Info 3" = $null
"Review Group" = $null
}
$results = New-Object PSObject -Property $details
}
#---------------------------------------------------------
#output results to csv
#---------------------------------------------------------
$results | Export-Csv -NoTypeInformation -Path "UsersListing_$curdate.csv"
变量名称(Active Directory ID、用户角色等)代表 CSV 文件中的列标题。
希望它能对某人有所帮助。
答案3
您需要指定一个基本 DN。这通常是域根 DN。