Question

我有以下模块。

我已经阻止哈希表来保护敏感信息，但它有一堆定义域名控制器，域名DN，域名特定用户名等的值：

function set-domparams {
    Param(
        [Parameter(Mandatory = $true,Position=0)]
        [string]$domain,
        [Parameter(Mandatory = $true,Position=1)]
        [string[]]$username,
        [Alias("pass","p")]
        [Parameter(Mandatory = $false,Position=2)]
        $password,
        [Parameter(Mandatory = $true,Position=3)]
        [ValidateSet("Y","N")]
        [string]$cyberArk
    )

    Invoke-Expression -Command:'cmd.exe /c klist purge' | Out-Null

    function Get-Creds($domain,$user,$password) {
        if (!($password)) {$password = Read-Host "Enter $domain password" -AsSecureString}
        Invoke-Expression -Command:'cmd.exe /c klist purge' | Out-Null
        $creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$password
        return $creds
    }

    $doms = @{
        'domain1.com' = @{'serverDC' = "somesvalidDC.fqdn.com";'searchBase' = "DC=somesvalidDC,DC=fqdn,DC=com";'suffix' = "domain1.com"; 'TSMserver' = "127.0.0.1"; 'NetBIOS' = "domain1"; 'SCOM' = "somescomserver.com";'AdminSuffix' = "_admin"}
        'domain2.com' = @{'serverDC' = "somesvalidDC.fqdn.com";'searchBase' = "DC=somesvalidDC,DC=fqdn,DC=com";'suffix' = "domain2.com"; 'TSMserver' = "127.0.0.1"; 'NetBIOS' = "domain2"; 'SCOM' = "somescomserver.com";'AdminSuffix' = ".adm"}
    }

    if ((!$cyberArk) -or ($cyberArk -eq 'N')) {
        $global:fetchCreds = Get-Creds -domain $domain -user $username -password $password
    } else {
        $CyberArkUser = "cyberarkdom\" + $username
        $CyberArkdomain = 'cyberarkdom.int'
        $global:fetchCreds = Get-Creds -domain $CyberArkdomain -user $CyberArkUser -password $password
    }

    $global:adminsuffix = $doms.$domain.AdminSuffix
    $global:user = $doms.$domain.NetBIOS + "\" + $username + $adminsuffix
    $global:dc = $doms.$domain.serverDC
    $global:DomNBT = $doms.$domain.NetBIOS
    $global:searchbase = $doms.$domain.searchBase
    $global:suffix = $doms.$domain.suffix
    $global:TSMserver = $doms.$domain.TSMserver
    $global:scom = $doms.$domain.scom
}

我在脚本中已经多次使用它并且它可以工作，但是在尝试对新脚本中的多个域进行操作时，我目前遇到了一个奇怪的问题：

Param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Y","N")]
    [string]$cyberArk
)

$userprompt = Read-Host "Enter username"
$userpass = Read-Host "Enter $domain password" -AsSecureString

$domainlist = @('domain1.fqdn.co', 'anotherdomain.com', 'differesntforest3.com.au')

foreach ($domain in $domainlist) {
    $results = ""
    set-domparams -domain $domain -username $userprompt -password $userpass -cyberArk $cyberArk

    $results = Get-ADGroup -Server $DC -Credential $fetchCreds -Filter * |
               where {$_.Name -like "*-DelAdmin-Servers*"} |
               select Name, SamAccountName
    foreach ($result in $results) {
        [PSCustomObject]@{
            Name = $result.Name
            domain = $domain
            samaccountname = $result.SamAccountName
        }
    }
}

当域列表包含跨不同林的域（密码在域中一致）时，我收到以下错误：

Get-ADGroup : The server has rejected the client credentials.
At E:\Scripts\get-testrun.ps1:16 char:16
+ ...  $results = Get-ADGroup -Server $DC -Credential $fetchCreds -Filter * ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Get-ADGroup], AuthenticationException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

如果单独作为任何一个域的单行运行，则模块可以正常运行并进行身份验证，返回所有全局变量并在脚本中执行查询而不会出错。

我错过了什么？

Answer 1

如评论中所述，违规行是您的Get-ADGroup。具体如下：

Get-ADGroup -Server $DC -Credential $fetchCreds -Filter *

在您的第二个当前脚本中，您无法定义$fetchCreds。如果您确实有类似的其他脚本，则可能是您要么直接分配某些内容，要么您正在使用$global:fetchCreds作为您正在准备的内容第一个脚本。

Answer 2

我意识到我正在使用的函数的逻辑存在错误。

一旦修复，它就可以很快地运行在任意数量的域上（即针对一堆不同数组的数组）。

0:1

}

当然不是最好的书面功能，但它的目的是做它的工作。

PowerShell for循环

2 个答案: