Listing users in an AD group recursively with a PowerShell script, without using CmdLets
I'm trying to list everyone in a security group in an active directory without using CmdLets in PowerShell. The weird thing with my script is that it works if I list the entire directory, but if I try to specify with an LDAP query what I want to be listed, it does not work. I know my LDAP query is correct because I have used it in another similar VBS and it works. The commented lines are where I have tried to put in the query.
$strFilter = "(&(objectCategory=person)(objectClass=user))"
#$strFilter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com))" #... is just left out part of query
#$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com") #... is just left out part of query
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$colProplist = "name"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
{$objItem = $objResult.Properties; $objItem.name}
Here is something working in Active Directory 2003 SP2 and 2008 R2. I use ADSI and Microsoft LDAP_MATCHING_RULE_IN_CHAIN. It searches recursively (but in one query) for all the users of a group (be careful, it returns users from security and distribution groups).
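The approach this answer describes, as an added example that is not part of the original post: a `DirectorySearcher` query that uses the LDAP_MATCHING_RULE_IN_CHAIN OID in the `memberOf` filter and keeps the search root at the domain instead of at the group object. The function names and the sample group DN are hypothetical placeholders.

```powershell
# Added example; function names and the sample DN below are hypothetical.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: escape \ * ( ) and NUL so a DN containing them cannot alter the filter.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ([int]$ch) {
            0x5C    { [void]$sb.Append('\5c') }
            0x2A    { [void]$sb.Append('\2a') }
            0x28    { [void]$sb.Append('\28') }
            0x29    { [void]$sb.Append('\29') }
            0x00    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-NestedGroupMember {
    param([Parameter(Mandatory)][string]$GroupDN)

    # LDAP_MATCHING_RULE_IN_CHAIN: the server walks nested group membership.
    $inChain = '1.2.840.113556.1.4.1941'
    $dn = ConvertTo-LdapFilterValue $GroupDN

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # Root the search at the current domain, not at the group object: users are
    # not children of the group, so a subtree search under the group finds none.
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 1000
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(memberOf:$($inChain):=$dn))"
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                Name              = [string]$r.Properties['name'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    } finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

# Constructed sample DN; replace with the full DN of the group to audit.
Get-NestedGroupMember -GroupDN 'CN=Example Group,OU=Groups,DC=example,DC=com' | Sort-Object Name
```

The `memberOf` attribute does not reflect primary group membership, so accounts whose primary group is the target group are not returned by this filter.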
This will get all members of the domain Administrators group, including nested members (requires .NET 3.5).
So long as you know the group name, you can run the following (ugly) quasi-one-liner:
Also since you rarely do one without the other, I'm also going to include the way to list all groups for a user using the same basic approach:
Both of these query your current domain and do not require any domain qualification, nor do they require any modules or additional libraries be installed. I also find myself working in a pretty vanilla environment from time-to-time with minimal permissions where I need to search through AD, and I find these two commands help me with that quite a bit.