如何将AD报告的两个powershell脚本与外部安全主体结合使用

时间:2014-09-11 20:46:42

标签: security powershell active-directory auditing

我是一名DBA,负责从AD查询信息以进行安全审核。我需要创建一个报告,可以将所有AD对象放入CSV并从另一个域解析外部安全主体。我确实在域名之间有信任。我在PowerShell中使用以下脚本:http://social.technet.microsoft.com/Forums/scriptcenter/en-US/59d99252-2b1c-490e-818c-d1a645332293/powershell-ad-group-membership?forum=ITCG&prof=required 

$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.PageSize = 200
$Searcher.SearchScope = "subtree"
$Searcher.SearchRoot = "LDAP://" + $Domain.distinguishedName

# Specify attributes to retrieve.
$Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
$Searcher.PropertiesToLoad.Add("sAMAccountName") > $Null

# Hash table.
$MemberList = @{}

# Retrieve all users, groups, and computers.
$Searcher.Filter = "(|(objectCategory=user)(objectCategory=group)(objectCategory=computer))"
$Results = $Searcher.FindAll()
ForEach ($Result In $Results)
{
$DN = $Result.Properties.Item("distinguishedName")
$Name = $Result.Properties.Item("sAMAccountName")
$MemberList.Add($($DN), $($Name))
}

# Filter on all groups.
$Searcher.Filter = "(objectCategory=group)"
$Searcher.PropertiesToLoad.Add("member") > $Null

$Results = $Searcher.FindAll()
ForEach ($Result In $Results)
{
$Name = $Result.Properties.Item("sAMAccountName")
$Line = """DN,$Name"""
$Members = $Result.Properties.Item("member")
ForEach ($Member In $Members)
{
    If ($MemberList.ContainsKey($Member))
    {
        # Substitute the sAMAccountName from hash table.
        $Line = $Line + ",""" + $MemberList[$Member] + """"
    }
    Else
    {
        # Use the Distinguished Name.
        $Line = $Line + ",""" + $Member + """"
    }
}
$Line
}

然后我发现了一个来自http://activelydirect.blogspot.com/2011/01/dealing-with-foreignsecurityprincipal.html#comment-form的脚本,我希望我可以将以下内容添加到第一个脚本并让他们解决。但欢迎任何意见。

$securityPrincipalObject = New-Object System.Security.Principal.SecurityIdentifier($object.cn)
    ($domain, $sAMAccountName) =    ($securityPrincipalObject.Translate([System.Security.Principal.NTAccount]).value).Split("\")

1 个答案:

答案 0 :(得分:1)

如果您的问题是第二个脚本是否可以将外部安全原则从受信任的域转换为用户名,那么是的,我使用了类似的代码来获得良好的结果。请确保传递给System.Security.Principal.SecurityIdentifier构造函数的只是FSP的SID(例如“S-1-5-21 -...”),而不是distinguishedName或“CN = S-” 1-5-21 -...“。

更新:

if ($dN.StartsWith("CN=S-"))
  {
    $SIDText = ($dN.Split(","))[0].SubString(3)
    $SID = New-Object System.Security.Principal.SecurityIdentifier $SIDText
    Write-Output $SID.Translate([System.Security.Principal.NTAccount]).Value
  }
else
  {
    Write-Output $dN
  }
相关问题
最新问题