我们正在使用此简单脚本来枚举所有特权用户:
'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins', 'Server Operators', 'Backup Operators' |
ForEach-Object {$groupName = $_; Get-ADGroupMember -Identity $_ -Recursive |
Get-ADUser -Properties Name, DisplayName |
Select-Object Name, DisplayName, @{n='GroupName';e={ $groupName }}}
但是,以下错误来自“管理员”组:
Get-ADGroupMember : The operation being requested was not performed because the user has not been authenticated
At line:2 char:38
+ ForEach-Object {$groupName = $_; Get-ADGroupMember -Identity $_ -Recursive |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Administrators:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
我相信问题是我们有两个Active Directory域。管理员组具有来自另一个域的帐户。现在,两个域都相互信任,并且应该允许彼此访问,但是显然有些事情行不通。
理想的解决方案是弄清楚如何解决该问题(权限/ AD设置)。如果太复杂了,是否可以将查询范围限制在AD域之内?然后,我可以在每个域上运行脚本。