PowerShell command to compare AD user group membership with a baseline

Time: 2016-05-11 17:33:05

Tags: powershell active-directory

I'm trying to figure out the logic for doing something like this:

  • Query all AD groups in a specific OU
  • Query all users in a specific OU
  • Query the group memberships of all those users
  • If any user belongs to one or more of the groups from the initial group query, output that information
  • If any user belongs to none of the groups from the initial group query, output that as well

I've dug around on this site and found a script that mostly works, but I'm still stuck on how to compare a user's group membership with the original group query I'm pulling. It looks like I could use the Compare-Object cmdlet, but the parameters don't seem to include anything that would let me track how many groups the two objects have in common.

The code I found online is as follows:

# The Get-AD* cmdlets come from the RSAT ActiveDirectory module
Import-Module ActiveDirectory

$groups = Get-ADGroup -Filter * | where {$_.distinguishedname -like "*,OU=TUNE_TEST_GROUPS,OU=TUNE_TEST,DC=tune,DC=priv"}
$users = Get-ADUser -Filter * | where {$_.distinguishedname -like "*,OU=TUNE_TEST_USERS,OU=TUNE_TEST,DC=tune,DC=priv"}

foreach ( $User in $Users ) {
    # Direct memberships of the user (including the primary group); @() keeps .Count valid for a single result
    $userGroups = @(Get-ADPrincipalGroupMembership $User)
    if ( $userGroups.Count -ge 1 ) {
        "{0} is a member of the following {1} groups:" -f $User.SamAccountName, $userGroups.Count
        foreach ( $group in $userGroups ) {
            "`t{0}" -f $group.Name
        }
    } else {
        "{0} is not a member of any groups." -f $User.SamAccountName
    }
}

The problem with this is that I have no way to compare the user's group names against the names from the group query on line 1. I also can't determine whether the user belongs to one or more of the groups on that list. I'm not sure I can use the same count approach.

2 answers:

Answer 0 (score: 2)

You can use Compare-Object to check whether an account is a member of at least one group in the reference list:

foreach ( $User in $Users ) {
    $userGroups =  Get-ADPrincipalGroupMembership $User
    # -IncludeEqual -ExcludeDifferent returns only the groups present in both lists.
    # Without -Property the objects are compared by their string form, which for
    # AD objects is the distinguished name. An empty result means no overlap.
    if (!(Compare-Object $userGroups $groups -IncludeEqual -ExcludeDifferent)) {
        "{0} doesn't belong to any reference group." -f $User.SamAccountName
    }
}

Side note: use the -SearchBase parameter instead of filtering the results of Get-ADUser and Get-ADGroup by wildcard matching on the distinguished name:

$groups = Get-ADGroup -Filter * -SearchBase 'OU=TUNE_TEST_GROUPS,OU=TUNE_TEST,DC=tune,DC=priv' -SearchScope Subtree
$users  = Get-ADUser -Filter * -SearchBase 'OU=TUNE_TEST_USERS,OU=TUNE_TEST,DC=tune,DC=priv' -SearchScope Subtree

Answer 1 (score: 0)

I ended up doing the following, and it works for what I need. In case anyone is interested, the sample code is below:

#gets a list of all groups in a given OU and stores the objects in the $groups variable
$groups = Get-ADGroup -Filter * -SearchBase 'OU=TUNE_TEST_GROUPS,OU=TUNE_TEST,DC=tune,DC=priv' -Properties name | select name

#pipe each group object into a foreach loop and output a string value of the same group name and stores it into the $groups_string variable
$groups_string = $groups | % {$_.name}

#gets a list of all users in a given OU and stores the objects in the $users variable
$users = Get-ADUser -Filter * -SearchBase 'OU=TUNE_TEST_USERS,OU=TUNE_TEST,DC=tune,DC=priv'


$results=@{
"Username" = ""
"Groupname" = ""
}

$table=@()

#iterates through every user in the $users variable and retrieves their group memberships
foreach ($user in $users) {
    #selects each group name and stores it in the $groupMembership variable
    $groupMembership = Get-ADPrincipalGroupMembership $user | select name

    #compares the names of each user's group to the baseline group names
    #(ForEach-Object is the pipeline form; "foreach ($_)" is not valid here)
    $groupMembership | ForEach-Object {

        #If there is a match add the group name and the username to the $results hash table
        if ($groups_string -contains $_.name) {
            $results."Groupname" = $_.name
            $results."Username" = $user.Name

            #create a new PS object and supply the properties of the $results hash table to each object
            $objresults = New-Object psobject -Property $results

            #add each object to the $table array
            $table += $objresults
        }
    }  

}

#display/output the $table array and format it to fit 
$table | ft -AutoSize
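Putting the question's five steps, Answer 0's Compare-Object approach and Answer 1's table output together, here is an added example (not code from the question or either answer). It assumes the RSAT ActiveDirectory module and reuses the two OU distinguished names from the page; the function name Compare-MembershipToBaseline is this example's own. It goes slightly beyond the posts by comparing on distinguished name rather than on display name, and by reporting the groups a user holds outside the baseline as well.

```powershell
# Added example, not code from the question or either answer. Assumes the RSAT
# ActiveDirectory module; the function name below is this example's own.
Import-Module ActiveDirectory

$groupOU = 'OU=TUNE_TEST_GROUPS,OU=TUNE_TEST,DC=tune,DC=priv'
$userOU  = 'OU=TUNE_TEST_USERS,OU=TUNE_TEST,DC=tune,DC=priv'

function Compare-MembershipToBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Users,     # ADUser objects
        [Parameter(Mandatory)] [object[]] $Baseline   # ADGroup objects (the approved set)
    )
    foreach ($user in $Users) {
        # Direct memberships only (nested groups are not expanded), including
        # the primary group, which is Domain Users by default.
        $memberOf = @(Get-ADPrincipalGroupMembership -Identity $user)

        if ($memberOf.Count -eq 0) {
            # Nothing to compare; the user is outside the baseline.
            $inBaseline = @(); $outside = @()
        } else {
            # Compare by distinguished name so that same-named groups in other OUs
            # do not count as matches. -IncludeEqual keeps the intersection ('==');
            # '<=' marks groups only the user has. Name is carried along for output.
            $diff = Compare-Object -ReferenceObject $memberOf -DifferenceObject $Baseline `
                                   -Property DistinguishedName, Name -IncludeEqual
            $inBaseline = @($diff | Where-Object { $_.SideIndicator -eq '==' })
            $outside    = @($diff | Where-Object { $_.SideIndicator -eq '<=' })
        }

        # One row per user, covering both cases the question asked for:
        # in at least one baseline group, or in none of them.
        [PSCustomObject]@{
            SamAccountName     = $user.SamAccountName
            InBaseline         = ($inBaseline.Count -gt 0)
            BaselineGroupCount = $inBaseline.Count
            BaselineGroups     = ($inBaseline | ForEach-Object { $_.Name }) -join ', '
            OtherGroups        = ($outside    | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

$baseline = Get-ADGroup -Filter * -SearchBase $groupOU -SearchScope Subtree
$users    = Get-ADUser  -Filter * -SearchBase $userOU  -SearchScope Subtree

$report = Compare-MembershipToBaseline -Users $users -Baseline $baseline

# Users holding at least one baseline group, with the count the question wanted
$report | Where-Object { $_.InBaseline } |
    Format-Table SamAccountName, BaselineGroupCount, BaselineGroups -AutoSize

# Users in none of the baseline groups (the second output the question wanted)
$report | Where-Object { -not $_.InBaseline } |
    Format-Table SamAccountName, OtherGroups -AutoSize

# Keep a copy so a later run can be diffed against this one
$report | Export-Csv -Path .\membership-vs-baseline.csv -NoTypeInformation
```

The OtherGroups column is the part worth reviewing: it lists memberships a user holds that are not in the approved OU, which is where privilege creep shows up. Because the function emits objects rather than strings, the same report can be filtered, sorted or exported without reparsing text. Note that Get-ADPrincipalGroupMembership reports direct membership only; if nested groups matter, resolve them separately (for example through the user's token groups) before comparing. An empty $Baseline is rejected by the Mandatory parameter, which is preferable to silently reporting every user as out of baseline.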