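I'm trying to get AD groups that have no manager but have "Approval" in the notes field. I need the report output in the same dataset.
The problem is that the script below only returns AD groups that have a manager assigned, but does not return the empty results where "Approval" is in the notes field.
The current output looks like this: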
Group Name Managed By Managed By Email
---------- ---------- ----------------
ADGroup1 ManagerName1 ManagerName1@domain.com
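I need the report to include groups that have "Approval" in the "Notes" field; ideally the report would look like the following. This assumes ADGroup2 has no manager assigned but has Approval in the notes field.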
Group Name Managed By Managed By Email
---------- ---------- ----------------
ADGroup1 ManagerName1 ManagerName1@domain.com
ADGroup2
The script runs, it just doesn't return the "null" results.
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties ManagedBy | where-object {($_.ManagedBy -gt 0 -and $_.ManagedBy -ne $null -and $_.ManagedBy -notlike "*Organization Management*") -or ($_.Notes -like "*Approval*")} |
ForEach-Object {
$managedBy = IF([string]::IsNullOrEmpty($_.managedBy)) {""} else {$_.managedBy};
$manager = (get-aduser -Identity $managedBy -Properties emailAddress);
$managerName = $manager.Name;
$managerEmail = $manager.emailAddress;
Write-Output $_; } |
Select-Object @{n='Group Name';e={$_.Name}}, @{n='Managed By';e={$managerName}}, @{n='Managed By Email';e={$managerEmail}} | Sort-Object "Managed By", "Group Name"
Any help would be greatly appreciated.
Thanks!
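Answer 0 (score: 1)
The attribute backing the multi-line field rendered as "Notes" in Active Directory Users and Computers is Comment - to add to the confusion, the LDAP display name of said attribute is info: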
$Groups = Get-ADGroup -Filter "GroupCategory -eq 'Security'" -Properties ManagedBy,info
$ApprovalGroups = $Groups |Where-Object {$_.info -like "*Approval*"}
That being said, I would probably try to turn most of the conditions into a single LDAP search filter:
$Groups = Get-ADGroup -LDAPFilter "(&(info=*Approval*)(managedBy=*)(groupType:1.2.840.113556.1.4.803:=2147483648))" -Properties ManagedBy,info | Where-Object {$_.ManagedBy -notlike "*Organization Management*"}
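
A report covering both cases from the question (a manager is set, or "Approval" appears in info) can be built as below. This is an added example, not code from the answer above. It assumes the ActiveDirectory module is available, and it uses Get-ADObject with the mail attribute in place of the question's Get-ADUser call so that a manager that is a group or contact still resolves.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Security groups (groupType bit 0x80000000 set) that EITHER have a manager
# OR carry "Approval" in the info attribute (the ADUC "Notes" field).
$filter = '(&(groupType:1.2.840.113556.1.4.803:=2147483648)' +
          '(|(managedBy=*)(info=*Approval*)))'

$managerCache = @{}   # manager DN -> resolved object, avoids repeated lookups

Get-ADGroup -LDAPFilter $filter -Properties ManagedBy, info |
    # $null -notlike '...' is $true, so groups without a manager pass through.
    Where-Object { $_.ManagedBy -notlike '*Organization Management*' } |
    ForEach-Object {
        $group = $_
        $name  = ''
        $email = ''
        $dn    = $group.ManagedBy

        # Only look up a manager when one is set; an empty -Identity would
        # throw, which is why manager-less groups need their own branch.
        if (-not [string]::IsNullOrEmpty($dn)) {
            if (-not $managerCache.ContainsKey($dn)) {
                $resolved = try {
                    Get-ADObject -Identity $dn -Properties mail -ErrorAction Stop
                } catch {
                    $null   # lookup failed; keep the group in the report
                }
                $managerCache[$dn] = $resolved
            }
            $mgr = $managerCache[$dn]
            if ($mgr) {
                $name  = $mgr.Name
                $email = $mgr.mail
            }
        }

        # Build the row per group so values never leak from a previous item.
        [pscustomobject]@{
            'Group Name'       = $group.Name
            'Managed By'       = $name
            'Managed By Email' = $email
        }
    } |
    Sort-Object 'Managed By', 'Group Name'
```

Groups with no manager sort first with empty "Managed By" columns, which makes unowned approval groups easy to pick out when reviewing group ownership.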