我正在尝试找到指定用户帐户的组成员身份。一个域的用户帐户通常是其他域中的组的成员(某些域需要不同的管理员帐户)。使用get-QAQgroup,我可以单独成功搜索每个域,但是当我尝试遍历域时,我只能在我登录的域中找到结果。 #Script更改域并查找指定用户帐户的组成员身份。
$domains = "dom1.ad.state.company.com","dom2.ad.state.company.com","dom3.ad.state.company.com","dom4.ad.state.company.com","corporate.state.company.com","OddNamedDom.com"
$CRED=GET-CREDENTIAL
$userAcc = read-host "Enter domain\username for Group Membership Search"
foreach ($domain in $domains)
{
write-host "In the domain $domain "," $userAcc is a direct member of..."
Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc | select name
} #foreach domain
Connect-QADService -Service 'dom1.ad.state.company.com'
当我运行脚本时,我得到dom1的结果(我登录的域),其余的抛出以下错误。我不确定为什么"参考1:.."线指向' dom1'。我认为这可能是问题的根源。我已经复制了下面显示错误消息的Powershell输出。
In the domain dom1.ad.state.company.com dom1\brownd2.admin.dom1 is a direct member of...
Name
----
DOM1-G-ITS-DS-Company Services
DOM1PGUELFP00003-Exmerge-R
DOMPGUELFP00003-Exmerge-C
ITSPPTBOSHFS003-FSSHARE-C
Domain Users
In the domain dom2.ad.state.company.com dom1\brownd2.admin.dom1 is a direct member of...
Get-QADGroup : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'dom1.ad.state.company.com'
At C:\TestScripts\tGet-UserAllMemberships.ps1:24 char:6
+ Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc | ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-QADGroup], DirectoryAccessException
+ FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShel
lSnapIn.Powershell.Cmdlets.GetGroupCmdlet
In the domain dom3.ad.state.company.com dom1\brownd2.admin.dom1 is a direct member of...
Get-QADGroup : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'dom1.ad.state.company.com'
At C:\TestScripts\tGet-UserAllMemberships.ps1:24 char:6
+ Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc | ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-QADGroup], DirectoryAccessException
+ FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShel
lSnapIn.Powershell.Cmdlets.GetGroupCmdlet
我正在检查的每个域都有类似的错误集。我还没有发布错误消息的完整列表。
如果我更改了数组中域的顺序,那么一个成功域的错误和结果只会改变顺序以匹配数组。我认为它可能只是循环的第一次迭代成功。不是这样的。
我知道该帐户是Dom2中的群组成员,而不是Dom3中的任何群组。如果我从foreach循环中取出命令并为控制台中的每个域运行个体,我会得到预期的结果。基于个别结果,我曾认为这是循环中的直接示例,但我没有正确连接到域。
我可以改变什么?
答案 0 :(得分:0)
这是一个使用System.DirectoryServices.AccountManagement命名空间的解决方案,适用于来自C#代码的PowerShell。这是一种递归解决方案。在使用C#的Find Recursive Group Membership (Active Directory)中,我提供了一个递归解决方案(使用PowerShell 1.0中提供的基本ADSI),它也适用于通讯组。
# Retreiving a principal context for the administrator on the Global Catalog
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$domainContext = New-Object DirectoryServices.AccountManagement.PrincipalContext([DirectoryServices.AccountManagement.ContextType]::Domain, "VMESS01:3268" , "administrator", "adminPasswd")
# Retreive the groups
try {
$userPrincipal = [DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($domainContext, "jpb")
$groups = $userPrincipal.GetAuthorizationGroups()
foreach($group in $groups)
{
$group.name;
}
}
finally {
$pc.domainContext()
}