Handling ForeignSecurityPrincipal

Time: 2015-06-11 08:16:40

Tags: powershell active-directory

DomainA and DomainB trust each other. Some DomainB users are members of domain local groups in DomainA. How can I get the ForeignSecurityPrincipal in PowerShell and obtain the list of its groups?

2 answers:

Answer 0 (score: 2)

It turned out to be really simple:

    Get-ADObject -Filter {ObjectClass -eq "foreignSecurityPrincipal"} -Properties msds-principalname,memberof    

where "msds-principalname" is the sAMAccountName, so now I can search for the FSP by sAMAccountName and get its groups.

Answer 1 (score: 0)

You can get the list of foreign security principals in the domain by running the Get-ADObject cmdlet with SearchBase set to CN=ForeignSecurityPrincipals,DC=domain,DC=com and LDAPFilter set to (|(objectCategory=user)(objectCategory=group)), for example {{1}}. Then you can use http://jsfiddle.net/bzf4ru29/2 to get its domain\username. Then you query that domain's DC via Get-ADDomain/Get-ADDomainController, fetch the user object from there, and run Get-ADPrincipalGroupMembership in the current domain against the retrieved user. An example (untested, since I don't have an environment with many domains):

    $ldf = '(|(objectCategory=user)(objectCategory=group))'
    $fspc = (Get-ADDomain).ForeignSecurityPrincipalsContainer
    $fsps = Get-ADObject -LDAPFilter $ldf -SearchBase $fspc
    # got principals here
    foreach ($fsp in $fsps) {
        # the name (CN) of an FSP object is the SID of the remote principal;
        # Get-ADObject returns Name by default but not cn, so use Name here
        $fspsid = New-Object System.Security.Principal.SecurityIdentifier($fsp.Name)
        # translate the SID to DOMAIN\user (fixed: the original referenced an undefined $securityPrincipalObject)
        ($fspdomain, $fspsam) = ($fspsid.Translate([System.Security.Principal.NTAccount]).Value).Split("\")
        # ^ this can throw exceptions if there's no remote user, take care
        $fspdc = (Get-ADDomainController -DomainName $fspdomain -Discover)[0] # taking first one
        $fspuser = Get-ADUser $fspsam -Server $fspdc.HostName # use cross-domain DNS to resolve the DC
        $fspgroups = Get-ADPrincipalGroupMembership $fspuser # local query
        $fspgroups # now do whatever you need with them and the $fspuser
    }
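The following is an added example, written here rather than taken from either answer, that combines answer 0's single Get-ADObject query with answer 1's SID translation. It lists every FSP in the current domain with its local group memberships and flags the ones whose SID no longer resolves in the trusted domain (the exception case answer 1 warns about), since those orphaned entries still hold whatever group rights they were given. The function name Get-FspGroupReport is mine; it assumes the ActiveDirectory module and a reachable trust.

```powershell
# Added example, not the page's own code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FspGroupReport {
    param(
        # domain whose ForeignSecurityPrincipals container is inspected (defaults to the current one)
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $container = (Get-ADDomain -Identity $Domain).ForeignSecurityPrincipalsContainer
    # one query, as in answer 0: msds-principalname holds DOMAIN\name, memberOf the local groups
    $fsps = Get-ADObject -Server $Domain -SearchBase $container `
        -Filter { objectClass -eq 'foreignSecurityPrincipal' } `
        -Properties 'msds-principalname', memberOf

    foreach ($fsp in $fsps) {
        # the FSP's Name is the SID string of the remote principal, as in answer 1
        $sid = New-Object System.Security.Principal.SecurityIdentifier($fsp.Name)
        $account = $null
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # remote account deleted or trust unreachable: treat as an orphaned FSP
        }
        # memberOf is a list of group DNs; resolve each to its sAMAccountName
        $groups = @($fsp.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })
        [pscustomobject]@{
            Sid        = $fsp.Name
            Account    = if ($account) { $account } else { $fsp.'msds-principalname' }
            Resolvable = [bool]$account
            Groups     = $groups -join ';'
        }
    }
}

# Usage: orphaned FSPs that still sit in groups are the entries to review first
Get-FspGroupReport | Where-Object { -not $_.Resolvable -and $_.Groups } | Format-Table -AutoSize
```

Well-known SIDs such as Authenticated Users also live in the FSP container and translate locally, so they show up as resolvable rather than orphaned.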