
Check Win32_group membership with powershell

I want to know if a user whose username is given is a member of a group whose group name is given.

$u = Get-WmiObject -Class Win32_UserAccount -Filter "Name='$username'"
$g = Get-WmiObject -Class Win32_Group -Filter "Name='$groupname'"

So I get two objects with the property SID.

How can I check that user $u is a member of group $g?

You can do this with an Associators query (example), which are notoriously slow but do work.

$u = Get-WmiObject -Class Win32_UserAccount -Filter "Name='user'"
$group = Get-WmiObject -Class Win32_Group -Filter "Name='group'" | Select-Object -ExpandProperty Caption

$u | foreach { 
    $query = "Associators Of {Win32_UserAccount.Domain='" `
    + $_.Domain + "',Name='" + $_.Name `
     + "'} WHERE AssocClass=Win32_GroupUser"
    $memberOf = Get-WmiObject -Query $query | 
    select -ExpandProperty Caption

    If($memberOf -contains $group){
        Write-Host "$($_.Name) is a member of $group"
    } Else {
        Write-Host "$($_.Name) is not a member of $group"
    }
}

Get the user you are looking for and the group you are checking to see if the user is a member of. While $u should be only one user it is still a collection with one member. Pipe it into a ForEach-Object and build the Associators query. Execute the query and return all the group captions (domain\groupname). Since $memberOf is an array we can use -contains to see if the group you are looking for is there.

Alternatively

You could use the AD cmdlets if you have access to them and run the following

(Get-ADUser $user -Properties memberof | Select-Object -ExpandProperty memberof) -contains (Get-ADGroup -Identity $group)

The above will return True or False. You can install AD cmdlets by using import-module activedirectory

Continued Testing

OpenLDAP should support this from what I gather and it's much faster than the previous WMI.

$search = [adsisearcher]"(&(objectcategory=user)(Name=userFullName))"
$userLDAP = $search.FindOne().Path
$userMembers = ([ADSI]$userLDAP).memberof

$search = [adsisearcher]"(&(objectcategory=group)(Name=groupname))" 
$group = ($search.FindOne().Path) -replace "LDAP://"

$userMembers -contains $group

Sorry as I do not have access to OpenLDAP for testing. Do a search for a user and get the MemberOf as $userMembers. Then get the group into $group. Needed to remove the LDAP prefix from the string. Then just do another -Contains again.
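The WMI check above compares group captions and builds its filters by pasting names straight into the WQL string. The following is an added example, not code from the question or the answer: it compares the SID property the question mentions, escapes the names before they reach the filter, and throws when the user or group cannot be resolved to exactly one object. The function names are hypothetical, Get-CimInstance is used in place of Get-WmiObject, and accounts are assumed to be local to the machine unless -Domain is given.

```powershell
# Added example: hypothetical helper names, not part of the original answer.
function ConvertTo-WqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # Inside a WQL string literal, backslash and single quote are escaped with a backslash.
    # Without this, a name containing a quote changes the meaning of the filter.
    $Value.Replace('\', '\\').Replace("'", "\'")
}

function Test-Win32GroupMember {
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$GroupName,
        # Assumption: local accounts, whose WMI Domain property is the computer name.
        [string]$Domain = $env:COMPUTERNAME
    )

    $d = ConvertTo-WqlLiteral $Domain
    # Filtering on Domain as well as Name keeps same-named accounts from other
    # domains out of the result set.
    $userFilter  = "Name='{0}' AND Domain='{1}'" -f (ConvertTo-WqlLiteral $UserName), $d
    $groupFilter = "Name='{0}' AND Domain='{1}'" -f (ConvertTo-WqlLiteral $GroupName), $d

    $user  = @(Get-CimInstance -ClassName Win32_UserAccount -Filter $userFilter)
    $group = @(Get-CimInstance -ClassName Win32_Group -Filter $groupFilter)

    # An unresolved or ambiguous name is an error, not "not a member".
    if ($user.Count -ne 1)  { throw "Expected one user '$Domain\$UserName', found $($user.Count)." }
    if ($group.Count -ne 1) { throw "Expected one group '$Domain\$GroupName', found $($group.Count)." }

    # Same Win32_GroupUser association as the Associators query above.
    # It links a group to its direct members, so nested membership is not resolved here.
    $memberOf = @(Get-CimAssociatedInstance -InputObject $user[0] `
                    -Association Win32_GroupUser -ResultClassName Win32_Group)

    # Compare SIDs instead of captions: a SID identifies the group even if it is renamed.
    $sids = @($memberOf | ForEach-Object { $_.SID })
    return ($sids -contains $group[0].SID)
}

# Constructed sample call; returns $true or $false.
Test-Win32GroupMember -UserName 'Administrator' -GroupName 'Administrators'
```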
