创建一个禁用目标主机上的Windows帐户的脚本。只有管​​理员才能执行此操作

时间:2017-12-21 11:27:16

标签: powershell active-directory

我想创建一个禁用Windows帐户的PowerShell脚本,目标主机名将作为参数提供。只有管​​理员才能执行此任务。

这是我尝试过的。有人可以告诉我这种方法是否正确,或者有更好的方法来做到这一点。

    param( [Parameter(Mandatory=$true)] [String] $TargetHost ,
       [Parameter(Mandatory=$true)] [String] $TargetUserName ,
       [String] $User , 
       [String] $Password)

# Set up a trap to properly exit on terminating exceptions
trap [Exception] {
    write-error $("TRAPPED: " + $_)
    exit 1
    }

function DeactivateAccount($TargetHost , $TargetUserName ,$User , $Password){

    $TargetHost = $TargetHost #Target Host on which windows account deactivation will be done.
    $TargetUserName = $TargetUserName   #User Name of Target.
    $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() #Domain name of the localhost.
    $localHost = [System.Net.Dns]::GetHostName()
    $localIP = [System.Net.Dns]::GetHostAddresses("$localHost")

    #if TargetHost and LocalHost are same.
    if($localHost -like $TargetHost -OR $localIP -like $TargetHost) {

        if($Domain -eq [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()){
            $process = net user $TargetUsername /domain /active:no #Performs the operation on the domain controller in the computer's primary domain.
        } else {
            $process = net user $TargetUsername /active:no
        }
        Write-host " $TargetUsername account deactivated "
    }

    #If TargetHost is remote Host.
    else {
        $User = $User #Creds to perform admin function.
        $Password = $Password
        $SecurePassword = new-Object System.Security.SecureString #Convert password into secure string.
        $Password.ToCharArray() | % { $SecurePassword.AppendChar($_) }
        $Cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist "$User",$securePassword

        $newSession = New-PSSession -ComputerName "$TargetHost" -credential $Cred #Used PSSession for persistent connection and credentials to Specify a user account that has permission to perform this action.

        $export_username =  Invoke-Command -Session $newSession -ScriptBlock {$username=args[1]} # Invoke-Command command uses the Session parameter(here newSession) to run the commands in same session.
        if($Domain -eq [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()){
                $process =  Invoke-Command -Session $newSession -ScriptBlock {net user $username /domain /active:no}
            } else {
                $process =  Invoke-Command -Session $newSession -ScriptBlock {net user $username /active:no}
            }
        Write-host " $TargetUsername account deactivated "
        Remove-PSSession $newSession # Closes Windows PowerShell sessions.
        }

    if(-not $?) { # Returns true if last command was successful.
        Write-Error "Windows Deactivation Failed!!"
        exit 1
    }
}

DeactivateAccount($TargetHost , $TargetUserName ,$User , $Password)

1 个答案:

答案 0 :(得分:0)

一些事情:

你打算展示一些代码来展示你的尝试但是因为你是Powershell的新手,我会让那张幻灯片:)

是您尝试禁用的本地Windows帐户还是AD帐户?出于此目的,我将假设本地。

抓住这个模块:https://gallery.technet.microsoft.com/PowerShell-Module-to-255637a3

这个家伙基本上为你想做的事做了一个模块:)

注意:如果你有Powershell 5.1+,你将不需要他们添加新cmdlet的模块来本地执行此操作。

凭据智能我不担心,Powershell无法绕过Windows安全性,它将使用运行脚本的用户的权限执行,除非您的脚本专门为命令中的其他用户提供凭据。

让我知道你是怎么过的。

相关问题
最新问题