因此,当我将用户添加到结果中时,使用MemberOf查询AD以获取组中的用户时,不再添加任何其他结果。例如:
joe.admin位于Domain Admins和Enterprise Admins中。添加到结果$da后,也应将其添加到$eadmins。请参阅下面的代码。
###########################################################################
#
# NAME: Ad account auditing
#
###########################################################################
[CmdletBinding(DefaultParametersetName="CurrentForest")]
param
(
[Parameter(ParameterSetName="Domain",Mandatory=$true)]
[String] $Domain
)
$date = Get-Date -Format yyyy/MM/dd
$date1 = Get-Date -Format ddMMyyyy
#ipmo activedirectory
$outfile = @()
[int] $InactiveDays = 180
$da=0
$admins=0
$eadmins=0
$sadmins=0
$wsadmins=0
$itadmins=0
$sa=0
$con=0
# Connect to the specified domain if domain parameter used
if ($Domain)
{
$DomainContext = new-object System.directoryServices.ActiveDirectory.DirectoryContext("Domain",$Domain)
$ObjDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
$PDCEmulators += $ObjDomain.PDCRoleOwner
}
elseif($PsCmdlet.ParameterSetName -match "CurrentForest")
{
$domain = [system.directoryservices.activedirectory.domain]::GetCurrentDomain()
}
Function Get-NETBiosName ( $dn, $ConfigurationNC )
{
try
{
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchScope = "subtree"
$Searcher.PropertiesToLoad.Add("nETBIOSName")| Out-Null
$Searcher.SearchRoot = "LDAP://cn=Partitions,$ConfigurationNC"
$Searcher.Filter = "(nCName=$dn)"
$NetBIOSName = ($Searcher.FindOne()).Properties.Item("nETBIOSName")
Return $NetBIOSName
}
catch
{
Return $null
}
}
$ADSearcher = New-Object System.DirectoryServices.DirectorySearcher
$ADSearcher.PageSize = 100000
$ADSearcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$UserProperties = @("samaccountname","whenChanged","LastLogontimestamp","CanonicalName","DistinguishedName","MemberOf","Description","mail","whenCreated","isdisabled","lastlogondate","pwdLastSet","GivenName","userAccountControl","accountExpires","ispasswordnotrequired","isPasswordNeverExpires","accountExpirationdate","isCriticalSystemObject","isPreAuthNotRequired")
$ADSearcher.PropertiesToLoad.AddRange(@($UserProperties))
# Connect to the PDC Emulator
$ObjDeDomain = [ADSI] "LDAP://$($domain)"
$ADSearcher.SearchRoot = $ObjDeDomain
# Get the domain NETBIOS name
$DomainNameString = Get-NETBiosName $objDeDomain.distinguishedName $objRootDSE.configurationNamingContext
# Collect user accounts
$getalluser = $ADSearcher.FindAll()
foreach ($getalluser1 in $getalluser)
{
$getuser1 = $getalluser1.GetDirectoryEntry()
[string]$accountExpires = $getuser1.accountExpires
#[string]$accountExpirationdate = $getuser1.accountExpirationdate
[string]$userAccountControl = $getuser1.userAccountControl
[string]$GivenName=$getuser1.GivenName
[string]$samaccountname= $getuser1.samaccountname
[string]$whenChanged= $getuser1.whenChanged
[string]$CanonicalName= $getuser1.CanonicalName
[string]$DistinguishedName= $getuser1.DistinguishedName
[string]$MemberOf= $getuser1.MemberOf
[string]$Description= $getuser1.Description
[string]$mail= $getuser1.mail
[string]$whenCreated= $getuser1.whenCreated
#[string]$PasswordNeverExpires= $getuser1.PasswordNeverExpires
if($userAccountControl -band 2 )
{
write-host "$samaccountname account is disabled"
[string]$isdisabled="Yes"
}
else
{
[string]$isdisabled="no"
}
if($userAccountControl -band 8388608 )
{
[string]$ispasswordexpired="Yes"
}
else
{
[string]$ispasswordexpired="no"
}
if($userAccountControl -band 16 )
{
[string]$islocked="Yes"
}
else
{
[string]$islocked="no"
}
If($isdisabled -like "*Yes*" -or $islocked -like "*Yes*" -or $ispasswordexpired -like "*Yes*")
{
[string]$IsInactive="Yes"
}
else
{
[string]$IsInactive="No"
}
If($MemberOf -like "*Domain Admin*")
{
$accountType = "Domain Admins"
$da+=1
}
elseIf($MemberOf -like "*Administrators*")
{
$accountType = "Administrators"
$admins+=1
}
elseIf($MemberOf -like "*Enterprise Admins*" -or $admins -or $da)
{
$accountType = "Enterprise Admins"
$eadmins+=1
}
elseIf($MemberOf -like "*Schema Admins*")
{
$accountType = "Schema Admins"
$sadmins+=1
}
elseIf($MemberOf -like "*IT.Support.Staff*")
{
$accountType = "IT.Support.Staff"
$itadmins+=1
}
elseIf($MemberOf -like "*WSAdmin*")
{
$accountType = "WSAdmins"
$wsadmins+=1
}
elseIf($Description -like "Built-in*")
{
$accountType = "System Accounts"
$sa+=1
}
elseIf($MemberOf -like "*Consultant*" -or $MemberOf -like "*Consultants*" -or $DistinguishedName -like "*OU=Consultants*" -or $DistinguishedName -like "*OU=Vendor Accounts*")
{
$accountType = "Consultants"
$con+=1
}
else
{
$accountType = "Non privileged account"
$npa+=1
}
$object = new-object psobject
$object | add-member -membertype noteproperty -Name "ObjectType" -Value $accountType
$object | add-member -membertype noteproperty -Name "SamAccountName" -Value $samaccountname
$object | add-member -membertype noteproperty -Name "IsInactive" -Value $IsInactive
$object | add-member -membertype noteproperty -Name "IsLocked" -Value $islocked
$object | add-member -membertype noteproperty -Name "IsPasswordExpired" -Value $ispasswordexpired
$object | add-member -membertype noteproperty -Name "PasswordNeverExpires" -Value $PasswordNeverExpires
$object | add-member -membertype noteproperty -Name "pwdLastSet" -Value $pwdLastSet
$object | add-member -membertype noteproperty -Name "UserAccountControl" -Value $userAccountControl
$object | add-member -membertype noteproperty -Name "GivenName" -Value $GivenName
$object | add-member -membertype noteproperty -Name "Mail" -Value $mail
$object | add-member -membertype noteproperty -Name "WhenCreated" -Value $whenCreated
$object | add-member -membertype noteproperty -Name "Domain" -Value "$domain"
$object | add-member -membertype noteproperty -Name "WhenChanged" -Value $whenChanged
$object | add-member -membertype noteproperty -Name "isdisabled" -Value $isdisabled
$object | add-member -membertype noteproperty -Name "DistinguishedName" -Value $DistinguishedName
$object | add-member -membertype noteproperty -Name "MemberOf" -Value $memberof
$object | add-member -membertype noteproperty -Name "Description" -Value $Description
$outfile+=$object
$isPreAuthNotRequired=""
$isCriticalSystemObject=""
$passwordnotrequired = ""
$PasswordNeverExpires = ""
$accountExpires = ""
$accountExpirationdate = ""
$accountExpires = ""
$userAccountControl = ""
$GivenName=""
$lastlogontimestamp1= ""
$lastlogontimestamp = ""
$samaccountname= ""
$whenChanged= ""
$CanonicalName= ""
$DistinguishedName= ""
$MemberOf= ""
$Description= ""
$mail= ""
$whenCreated= ""
$isdisabled= ""
$LastLogon= ""
$pwdLastSet= ""
$IsInactive=""
$accountType=""
$getuser1=""
}
Write-host "Domain Admins = $da"
Write-host "Administrators = $admins"
Write-host "Enterprise Admins = $eadmins"
Write-host "Schema Admins = $sadmins"
Write-host "WSAdmins = $wsadmins"
Write-host "IT.Support.Staff = $itadmins"
Write-host "System Accounts = $SA"
Write-host "Consultants = $con"
Write-host "Non privileged account = $npa"
$da=0
$admins=0
$eadmins=0
$sadmins=0
$wsadmins=0
$itadmins=0
$sa=0
$con=0
$outfile |Export-Csv ".\$domain-AdaccountAudit-$date1.csv" -NoTypeInformation
Rename-Item ".\$domain-AdaccountAudit-$date1.csv" ".\$date1.csv"
Import-Csv ".\$date1.csv" | Group-Object -Property "ObjectType" |
Foreach-Object {$path=$_.name+".csv" ; $_.group |
Export-Csv -Path $path -NoTypeInformation}
答案 0 :(得分:0)
正如评论中所述,else组中的各个区块是互斥的(正如elseif建议的那样)。
使用单个if语句替换if($MemberOf -like "*Domain Admin*")
{
$accountType = "Domain Admins"
$da+=1
}
if($MemberOf -like "*Administrators*")
{
$accountType = "Administrators"
$admins+=1
}
# etc...
块:
switch或者,使用switch($MemberOf){
"*Domain Admin*" {
$accountType = "Domain Admins"
$da+=1
}
"*Administrators*" {
$accountType = "Administrators"
$admins+=1
}
# etc...
}
:
$accountType每次条件匹配时,data: {
param1: $scope.type
}
变量都会被覆盖,但是你的脚本不清楚你想要如何处理它。