如何在 PowerShell 中查找 Windows 安全组的所有成员、分配给变量名并输出为 CSV?

如何在 PowerShell 中查找 Windows 安全组的所有成员、分配给变量名并输出为 CSV?

我本质上并不是一个 sysAdmin/PowerShell 人员,但是在使用这个 Powershell 查询时遇到了问题。

需要将特定 Windows 安全组中的所有用户拉回来并以特定方式格式化它们(如下所示),但是在确定为什么我的安全组过滤器不起作用时遇到了一些问题,并且想知道我的过滤器设置是否存在问题。

#Snippet
$searcher.filter = "(&(memberof=CN=My Windows Security Group,OU=SecurityGroups,OU=Messaging,OU=Enterprise,DC=****,DC=****)(objectCategory=*))"
$results = $searcher.findall()

我在 PowerShell ISE 中设置了一个断点,但是在调试时 $results 不包含任何值。

我根据同事现有的脚本对此进行了建模,看起来他正在查询 DL,并且在调试时看到了 $results 值:

#---------------------------------------------------------
#DL Filter Example (works)
#---------------------------------------------------------
$Searcher.Filter = "(&(memberOf=CN=DL_TestApp_Admin,OU=Distribution Lists,OU=Messaging,OU=Enterprise,DC=dcInfo,DC=dcInfo,DC=****)(objectCategory=*))"
$results = $searcher.findall()

以下是过滤 Windows 安全组的完整 PS 脚本(由我修改)

$curdate = (Get-Date).ToString("MMddyyyy")

$baseDN = "LDAP://"
$Searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.searchroot = new-object system.directoryservices.directoryentry($basedn)
#---------------------------------------------------------
#Windows Security Group Filter (doesn't work)
#---------------------------------------------------------
$searcher.filter = "(&(memberof=CN=My Windows Security Group,OU=SecurityGroups,OU=Messaging,OU=Enterprise,DC=****,DC=****)(objectCategory=*))"
$results = $searcher.findall()

    #---------------------------------------------------------
    #Build the dataset in specific format
    #---------------------------------------------------------
    $usercsv = $results | #-Object {
         New-Object -TypeName PSObject -Property @{
            "User ID" = $_.properties['samAccountName'][0]
            "User Role" = "Blah"
            "Elevated Role" = "Y"
            "Internal User" = "Y"
            "Date of Last Login" = $null
            "App Specific Info 1" = $null
            "App Specific Info 2" = $null
            "Account Creation Date" = $null
            "Last Password Change Date" = $null
            "User Email Address" = $_.properties['mail'][0]
            "User First Name" = $null
            "User Last Name" = $null
            "App Specific Info 3" = $null
            "Review Group" = $null
        }
    }

#export to csv
$usercsv | Select-Object -Property "User ID","User Role","Elevated Role","Internal User","Date of Last Login","App Specific Info 1","App Specific Info 2","Account Creation Date","Last Password Change Date","User Email Address","User First Name","User Last Name","App Specific Info 3","Review Group" | Export-Csv -NoTypeInformation  -Path "UsersListing_$curdate.csv"

Write-Host "Wrote", $results.Count, "record(s)"

#removing last CR LF
#TODO: Move this to a common function in a separate script for all     
scripts to call
$stream = [IO.File]::OpenWrite("UsersListing_$curdate.csv")
$stream.SetLength($stream.Length - 2)
$stream.Close()
$stream.Dispose()

最初,我将其编写为在 DevOps Poweshell 发布管道中运行,如下所示,以生成 csv 文件:

$Members = Get-ADGroup -Filter {Name -eq "WSG"} -Properties Member | 
Select-Object -ExpandProperty Member

$GlobalCatalog = "$((Get-ADDomainController -Discover).Name):xxxx"

$output = Foreach ($User in $Members)
{
  Get-ADUser -Identity $User -Server $GlobalCatalog -Properties CN,    
  EmailAddress, AccountExpirationDate, Created, HomePage, LastLogonDate, 
  PasswordLastSet, whenCreated | Select-Object CN, 
  SamAccountName,EmailAddress, AccountExpirationDate, Created, Enabled,     
  HomePage, LastLogonDate, Name, PasswordLastSet, UserPrincipalName, 
  whenCreated 
}

#output csv file
$output | Export-Csv $Env:TEMP\Users.csv -NoTypeInformation

在这种情况下,输出格式并不重要,我不确定是否可以修改此查询以将结果输出为以下格式:

            "User ID" = $_.properties['samAccountName'][0]
            "User Role" = "Blah"
            "Elevated Role" = "Y"
            "Internal User" = "Y"
            "Date of Last Login" = $null
            "App Specific Info 1" = $null
            "App Specific Info 2" = $null
            "Account Creation Date" = $null
            "Last Password Change Date" = $null
            "User Email Address" = $_.properties['mail'][0]
            "User First Name" = $null
            "User Last Name" = $null
            "App Specific Info 3" = $null
            "Review Group" = $null

此查询的结果采用以下特定格式:

CN                    : 
SamAccountName        : 
EmailAddress          : 
AccountExpirationDate : 
Created               : 
Enabled               : 
HomePage              : 
LastLogonDate         : 
Name                  : 
PasswordLastSet       : 
UserPrincipalName     : 
whenCreated           : 

在此先感谢您的帮助。

答案1

没有必要进行实际的 LDAP 搜索,因为Active Directory PowerShell 模块已在 Windows Server 2008 R2 中引入。

获取 ADGroupMember就是您要查找的内容。如果您需要有关群组成员的更多详细信息,您可以使用获取AD用户以获取您需要的任何信息。

AD PowerShell 模块会自动安装在所有域控制器上,但您可以通过启用相应的 Windows 功能将其安装在任何 Windows Server 系统上:

Install-WindowsFeature RSAT-AD-PowerShell

您还可以将其安装在 Windows 客户端系统上,作为远程服务器管理工​​具

答案2

以下是为了获得我们想要的结果而开发的最终 Poweshell:

$curdate = (Get-Date).ToString("MMddyyyy")
#-------------------------------------------------------------------------------
# Get members for Windows Security Groups
#-------------------------------------------------------------------------------
$Members = Get-ADGroup -Filter {Name -eq "My AD Group"} -Properties Member | Select-Object -ExpandProperty Member

$GlobalCatalog = "$((Get-ADDomainController -Discover).Name):1234"
$results = @()

Foreach ($User in $Members)
{    
    $userInfo = Get-ADUser -Identity $User -Server $GlobalCatalog  -Properties SamAccountName, EmailAddress, LastLogonDate
    $details = [ordered] @{
        
        "Active Directory ID"           = $userInfo.SamAccountName
        "User Role"                     = "My AD Group"
        "Elevated Role"                 = "N"
        "Internal User"                 = "Y"
        "Date of Last Logon"            = $userInfo.LastLogonDate
        "Application Specific Info 1"   = $null
        "Application Specific Info 2"   = $null
        "Acct Creation Date"            = $null
        "Last PWD Change Date"          = $null
        "User Email Address"            = $userInfo.EmailAddress
        "User First Name"               = $null
        "User Last Name"                = $null
        "Application Specific Info 3"   = $null
        "Review Group"                  = $null

    }
    $results = New-Object PSObject -Property $details
}
#---------------------------------------------------------
#output results to csv
#---------------------------------------------------------
$results | Export-Csv -NoTypeInformation  -Path "UsersListing_$curdate.csv"

变量名称(Active Directory ID、用户角色等)代表 CSV 文件中的列标题。

希望它能对某人有所帮助。

答案3

您需要指定一个基本 DN。这通常是域根 DN。

相关内容