DirectoryServices 过滤器和方法
我正在尝试从 AD 获取 OU/DC 中所有用户的列表。
这就是我想到的:
$erroractionpreference = "SilentlyContinue"
function Get-GroupMembers {
$filter = "(&(objectCategory=person)(objectClass=user))"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.Filter = $filter
$colResults = $objSearcher.FindAll()
foreach ($member in $colResults) {
$member
}
}
get-GroupMembers
如果我将过滤器更改为
$filter = "(&(objectCategory=person)(objectClass=user)("OU=Admin Accounts,DC=admin"))
“无返回”。这是为什么?
我还想显示某些值(如果帐户处于活动状态或禁用状态等),但如果我将 $member 传输到 gm,我什么也得不到。
任何帮助将不胜感激。
I'm trying to get a list of all users in an OU/DC from AD.
This is what I came up with:
$erroractionpreference = "SilentlyContinue"
function Get-GroupMembers {
$filter = "(&(objectCategory=person)(objectClass=user))"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.Filter = $filter
$colResults = $objSearcher.FindAll()
foreach ($member in $colResults) {
$member
}
}
get-GroupMembers
If I change the filter to
$filter = "(&(objectCategory=person)(objectClass=user)("OU=Admin Accounts,DC=admin"))
Nothing returns. Why is this?
I would also like to display certain values (if the accounts is active or disabled etc) but if I pipe $member to gm, I get nothing.
Any help would be greatly appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
如果要搜索特定的 OU,可以将其设置为搜索器对象的根:
您还可以控制搜索范围。以下是与您最相关的两个选项:
除非您覆盖搜索根和范围,否则您将默认对当前域的根执行子树搜索。您可以在此 TechNet 文章中找到更多详细信息:
编辑: 正如 uSlackr 所指出的,您的 DC 分量确实看起来很可疑。我在示例中保留了它,但无论您使用什么方法,不完整/格式错误的基本对象名称都会破坏您的搜索。
If you want to search a specific OU, you can set it as the root of your searcher object:
You can also control the scope of your search. Here are the two most relevant options for you:
Unless you override the search root and scope, you'll get the default of performing a SubTree search against the root of your current domain. You can find more detailed information in this TechNet article:
Edit: As uSlackr noted, your DC component does look fishy. I left it intact for my example, but an incomplete/malformed base object name will botch your search regardless of the method you use.
直流分量不完整。它应该看起来像这样:
但是 dc=admin,dc=com 应该从本示例中的 AD 域名“admin.com”转换而来,这看起来不太正确
。使用 Microsoft AD cmdlet 会更容易。
有关下载和使用 cmdlet 的信息,请访问 TechNet
The DC component is not complete. It should look something like this:
but the dc=admin,dc=com should translate from the AD domainname in this example "admin.com" which doesn't seem right
This is much easier with the Microsoft AD cmdlets.
Information on downloading and using the cmdlets is available on TechNet
您可以尝试使用适用于 ActiveDirectory 的 Quest ActiveRolesManagement Shell,可从此处下载:
http://www.quest.com/downloads/
该软件包是免费软件,是通过 powershell 进行 Active Directory 管理的更准确的 cmdlet。
You can try use the Quest ActiveRolesManagement Shell for ActiveDirectory downloadable from here:
http://www.quest.com/downloads/
The package is freeware and is the more accurate cmdlets for Active Directory management from powershell.