Retrieving badpwdcount from the PDC via LDAP

Time: 2017-07-03 07:29:36

Tags: windows powershell active-directory ldap pdc

I am trying to get the value of the "badpwdcount" attribute. The problem is that to get an accurate value I should query the PDC (Primary Domain Controller). Currently I am using PowerShell to do the LDAP search. Question: is there a way to get the value from the PDC via an LDAP search?

For example:

# Domain object for the domain the current user/machine belongs to
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# $D stringifies to the domain's DNS name, so this binds to the domain's default naming context
$Domain = [ADSI]"LDAP://$D"
$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
# SearchRoot expects a DirectoryEntry, so pass the bound entry rather than a string
$ADSearch.SearchRoot = $Domain

This searches the current domain. How do I get the value from the PDC?

2 answers:

Answer 0 (score: 1)

Each domain controller makes the server holding the PDC Emulator FSMO role update its count (and if the maximum is exceeded, it can lock the account); the total is not easily tracked, so we have to query each domain controller separately for that number.

# Import active directory modules
import-module activedirectory;

# Get all domain controllers
$dcs = get-adcomputer -filter * -searchbase "ou=domain controllers,dc=kamal,dc=local";

# Get all users - change "-filter {enabled -eq $true}" to a username to get just one user
$users = get-aduser -filter {enabled -eq $true} | sort name;

# Loop through all users found
foreach ($user in $users) {
    $badpwdcount = 0;

    # Loop through each domain controller
    foreach ($dc in $dcs) {
        $newuser = get-aduser $user.samaccountname -server $dc.name -properties badpwdcount;

        # Increment bad password count
        $badpwdcount = $badpwdcount + $newuser.badpwdcount;
    }

    # Highlight account if bad password count is greater than 0
    if ($badpwdcount -gt 0) {
        $outline = "******* " + $user.name + " - Badpwdcount: " + $badpwdcount + " *******";
    }
    else {
        $outline = $user.name + " - Badpwdcount: " + $badpwdcount;
    }

    write-host $outline;
}

Answer 1 (score: 0)

# $D is the Domain object from the question; PdcRoleOwner is the DomainController holding the PDC emulator role
$Domain = [ADSI]"LDAP://$($D.PdcRoleOwner.Name)"
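As an added example (not code from the question or from either answer), the following script completes the question's DirectorySearcher approach and combines it with the per-DC idea from answer 0: it binds a searcher to the DC returned by Domain.PdcRoleOwner, reads badPwdCount together with badPasswordTime and lockoutTime for one account, and then runs the same query against every DC in the domain so the per-DC values can be compared with the PDC emulator's. It uses only System.DirectoryServices, so the ActiveDirectory module is not needed. The parameter name $SamAccountName, the function names and the script file name in the usage note are my own choices and do not come from the page.

```powershell
# Added example: read badPwdCount from the PDC emulator and from every DC via LDAP (ADSI).
# $SamAccountName is an assumed parameter name, not something from the original question.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

# badPasswordTime / lockoutTime are FILETIME values (100-ns ticks since 1601-01-01 UTC); 0 means "never".
function Convert-FileTime([long]$Ticks) {
    if ($Ticks -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Ticks)
}

# Query one DC (by DNS name) for the lockout-related attributes of a single account.
# Binding to LDAP://<dc> with no DN uses that DC's default naming context.
function Get-BadPwdCountFromDc {
    param([string]$DcName, [string]$Sam)

    $root = [ADSI]"LDAP://$DcName"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Sam))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('badPwdCount', 'badPasswordTime', 'lockoutTime'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }

    # ResultPropertyCollection returns an empty collection for attributes the object does not carry.
    $props = $result.Properties
    $count    = if ($props['badPwdCount'].Count -gt 0)     { [int]$props['badPwdCount'][0] }      else { 0 }
    $badTime  = if ($props['badPasswordTime'].Count -gt 0) { [long]$props['badPasswordTime'][0] } else { 0 }
    $lockTime = if ($props['lockoutTime'].Count -gt 0)     { [long]$props['lockoutTime'][0] }     else { 0 }

    [PSCustomObject]@{
        DomainController = $DcName
        BadPwdCount      = $count
        BadPasswordTime  = Convert-FileTime $badTime
        LockoutTime      = Convert-FileTime $lockTime
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc = $domain.PdcRoleOwner    # DomainController object; .Name is the PDC emulator's DNS name

# Authoritative view: other DCs forward failed password attempts to the PDC emulator.
$fromPdc = Get-BadPwdCountFromDc -DcName $pdc.Name -Sam $SamAccountName
if ($null -eq $fromPdc) { throw "Account '$SamAccountName' not found on PDC emulator $($pdc.Name)" }
Write-Output "PDC emulator ($($pdc.Name)): badPwdCount = $($fromPdc.BadPwdCount)"

# Per-DC view: badPwdCount and badPasswordTime are not replicated, so each DC only reflects
# the failures it saw itself. An unreachable DC is reported instead of aborting the whole run.
$perDc = foreach ($dc in $domain.DomainControllers) {
    try {
        Get-BadPwdCountFromDc -DcName $dc.Name -Sam $SamAccountName
    } catch {
        [PSCustomObject]@{
            DomainController = $dc.Name
            BadPwdCount      = $null
            BadPasswordTime  = $null
            LockoutTime      = "unreachable: $($_.Exception.Message)"
        }
    }
}
$perDc | Format-Table -AutoSize
```

Run it as `.\Get-BadPwdCount.ps1 -SamAccountName jdoe` (file name assumed). The PDC emulator's number is the one to act on; a lower value on some other DC is expected, since badPwdCount is a non-replicated attribute and that DC only counts the failures it handled itself. lockoutTime, by contrast, is replicated, so it should agree across all DCs once replication has completed.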