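My goal is to use PowerShell to get the group members from a Windows server, determine whether they are AD domain users or groups, and, if they are groups, drill down into the AD group to get the user ID and full name.
So far I have tried get-ciminstance win32_groupuser and then feeding that to Get-CimAssociatedInstance -Association win32_groupuser, but it is very slow. I tried net localgroup, split the results into variables, and fed those to get-aduser and get-adgroupmember. That works, but it is text-based munging and relies on an external utility. I have been unable to figure out how to get the member type from the partcomponent output.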
$localgroup = Get-ciminstance -class win32_groupuser | where { (($_.groupcomponent).name -eq "Administrators") -and (($_.groupcomponent).domain -eq "$env:computername")} | select partcomponent
foreach ($groupmember in $localgroup)
{
    <#$domain = $groupmember.partcomponent.domain
    $username = $groupmember.partcomponent.name#>
    $account_type = ($groupmember -split " |=|""")[1]
    $account_type = $account_type.trim()
    $member_name = ($groupmember -split " |=|""")[6]
    $member_name = $member_name.trim()
    $domain = ($groupmember -split " |=|""")[12]
    $domain = $domain.trim()
    write-host "Domain: $domain Group Member: $member_name Account Type: $account_type"
    pause
    if ($domain -match "domain_1")
    {
        if ($account_type -match "group")
        {
            $userid = Get-ADGroupMember -server domain_1.com -identity "$member_name" | select samaccountname
            $username = Get-ADGroupMember -server domain_1.com -identity "$member_name" | select fullname
        }
        elseif ($account_type -match "user")
        {
            $userid = Get-ADuser -server domain_1.com -identity "$member_name"| select samaccountname
            $username = Get-ADuser -server domain_1.com -identity "$member_name" | select fullname
        }
    }
}
PartComponent
-------------
Win32_UserAccount (Name = "Administrator", Domain = "server1")
Win32_Group (Name = "Domain Admins", Domain = "domain_1")
Win32_UserAccount (Name = "_SVC_account", Domain = "domain_1")
Win32_Group (Name = "domain_group1", Domain = "domain_1")
Win32_Group (Name = "SEC_server1_LocalAdmins", Domain = "domain_1")
Win32_Group (Name = "SrvAdmins", Domain = "domain_1")
Win32_UserAccount (Name = "Admin-userid1", Domain = "domain_2")
Win32_Group (Name = "ServerAdmins", Domain = "domain_2")
Answer 0 (score: 0)
There are several modules on the Microsoft PowerShellGallery.com that cover local machine/user management:
https://www.powershellgallery.com/packages/LocalMachine/1.3
https://www.powershellgallery.com/packages/localaccount/1.6
https://www.powershellgallery.com/packages/LocalUserManagement/3.0
You can then use those results with the AD cmdlets…
Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership
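…using the discovered user names or groups to get the information you want.
Now, as noted, you can just use ADSI directly. Stepping through examples for each data point you are after.
As for...
My goal is to get the group members from a Windows server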
# get host groups and group membership
$computers = $env:COMPUTERNAME # get-content computers.txt
$computers |
foreach {
    $computername = $_
    [ADSI]$S = "WinNT://$computername"
    $S.children.where({$_.class -eq 'group'}) |
    Select @{Name="Computername";Expression={$_.Parent.split("/")[-1] }},
    @{Name = "Name";Expression = {$_.name.value}},
    @{Name = "Members";Expression = {
            [ADSI]$group = "$($_.Parent)/$($_.Name),group"
            $members = $Group.psbase.Invoke("Members")
            ($members | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}) -join ";"
        }
    }
} | Format-Table -AutoSize
# Results
Computername Name                                Members
------------ ----                                -------
LabSvr01     Access Control Assistance Operators
LabSvr01     Administrators                      Administrator;Domain Admins;...
LabSvr01     Backup Operators
...
LabSvr01     Event Log Readers
LabSvr01     Guests                              Guest
...
As for...
Determine whether the discovered users are AD domain members
$computers = $env:COMPUTERNAME # get-content computers.txt
$HostGroupData = $computers |
foreach {
    $computername = $_
    [ADSI]$S = "WinNT://$computername"
    $S.children.where({$_.class -eq 'group'}) |
    Select @{Name="Computername";Expression={$_.Parent.split("/")[-1] }},
    @{Name = "Name";Expression = {$_.name.value}},
    @{Name = "Members";Expression = {
            [ADSI]$group = "$($_.Parent)/$($_.Name),group"
            $members = $Group.psbase.Invoke("Members")
            ($members | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}) -join ";"
        }
    }
}
# Validate local or domain membership
($HostGroupData.Members -split ';').Trim() |
? {$_.Length -gt 0} |
Get-ADUser -ErrorAction SilentlyContinue |
Select Name,UserPrincipalName,SID |
Format-Table -AutoSize
Name          UserPrincipalName         SID
----          -----------------         ---
Administrator Administrator@contoso.com S-1-5-21-...
...
Guest                                   S-1-5-21-3...
...
As for...
Determine whether the discovered groups are AD domain groups
# Validate if the discovered group is a domain group
($HostGroupData.Name -split ';').Trim() |
? {$_.Length -gt 0} |
Get-ADGroup -ErrorAction SilentlyContinue |
Select Name,GroupCategory,GroupScope ,DistinguishedName,SID |
Format-Table -AutoSize
Name                                GroupCategory GroupScope  DistinguishedName      SID
----                                ------------- ----------  -----------------      ---
Access Control Assistance Operators Security      DomainLocal CN=Access ...          S-1-5...
Administrators                      Security      DomainLocal CN=Administrators...   S-1-5...
Backup Operators                    Security      DomainLocal CN=Backup Operators... S-1-5...
...
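
The following is an added example, not code from the question or the answer: it reads each local Administrators member's type (`Class`) and origin (`ADsPath`) through the same ADSI `InvokeMember` technique the answer uses, so no text splitting is needed, then expands domain groups recursively to list who effectively holds local admin rights. The function name `Get-LocalGroupMemberDetail`, the `$DomainServer` mapping, and the output column names are assumptions for illustration; `domain_1` / `domain_1.com` are the placeholders from the question.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory
# Assumed mapping: NetBIOS domain name -> value for -Server (placeholders from the question)
$DomainServer = @{ 'domain_1' = 'domain_1.com' }

function Get-LocalGroupMemberDetail {   # hypothetical helper name
    param([string]$ComputerName = $env:COMPUTERNAME, [string]$GroupName = 'Administrators')
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $t     = $m.GetType()
        $name  = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name for domain principals and
        # WinNT://DOMAIN/COMPUTER/name for local ones; a bare SID means unresolved.
        $parts  = ($path -replace '^WinNT://', '') -split '/'
        $source = if ($parts.Count -ge 2) { $parts[-2] } else { $null }
        [pscustomobject]@{
            Member  = $name
            Class   = $class                       # 'User' or 'Group'
            Source  = $source                      # domain or computer name
            IsLocal = ($source -eq $ComputerName)
        }
    }
}

foreach ($entry in Get-LocalGroupMemberDetail) {
    $server = $DomainServer[[string]$entry.Source]
    if ($entry.IsLocal -or -not $server) {
        # Local, built-in, unresolved, or unmapped-domain principal: report as found
        [pscustomobject]@{ Via = '(not expanded)'; SamAccountName = $entry.Member
                           Name = $entry.Member; ObjectClass = $entry.Class }
    }
    elseif ($entry.Class -eq 'Group') {
        # -Recursive flattens nested groups down to their leaf members
        Get-ADGroupMember -Server $server -Identity $entry.Member -Recursive |
            Select-Object @{n='Via';e={$entry.Member}}, SamAccountName, Name, ObjectClass
    }
    else {
        Get-ADUser -Server $server -Identity $entry.Member |
            Select-Object @{n='Via';e={'(direct)'}}, SamAccountName, Name, ObjectClass
    }
}
```

Members reported as `(not expanded)` with a domain in `Source` belong to a domain missing from `$DomainServer`; add its entry to have them resolved.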