AD组的权限报告
我正在尝试从 AD 中拥有的某些组中获取权限表。我对 PowerShell 还很陌生,我不确定我想要的是否可能。
到目前为止,我已经能够通过使用选择我想要的组
Get-ADUser -Identity groupname
,并且我可以看到从 PowerShell 的响应中提取的信息,但是从那里我遇到了一个巨大的死胡同,将结果通过管道传输到任何可以让我看看该组的权限。
I am trying to get a table of permissions out of some groups that I have in AD. I'm pretty new to PowerShell and I'm not sure what I want is even possible.
So far I've been able to select the groups that I want by using
Get-ADUser -Identity groupname
And I can see the info pulled up in the response from PowerShell, but from there I've hit a huge dead-end with piping the result into anything that would let me see the permissions for that group.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我假设您想要组本身的权限(例如,允许谁修改组)。
您可以使用
Get-Acl< /code>(ACL 代表访问控制列表),它也用于从文件获取权限。要将其定向到 AD,请使用AD:驱动器以及 AD 对象的可分辨名称。例如:如果您不知道专有名称,则可以通过调用
Get-ADGroup获取该名称(我假设您打算使用Get-ADGroup,而不是Get-ADUser就像您在问题中提出的那样)。更多阅读此处:了解 Get-ACL 和AD驱动输出
I'm assuming you want the permissions to the group itself (for example, who is allowed to modify the group).
You can use
Get-Acl(ACL stands for Access-Control List), which is used for getting permissions from files as well. To direct it to AD, you use theAD:drive, along with the distinguished name of the AD object. For example:If you don't know the distinguished name, you can get that from your call to
Get-ADGroup(I assume you meant to useGet-ADGroup, notGet-ADUserlike you put in your question).More reading here: Understanding Get-ACL and AD Drive Output