Check Win32_Group membership with PowerShell
I want to know if a user whose username is delivered is a member of a group whose groupname is delivered.
$u = Get-WmiObject -Class Win32_UserAccount -Filter "Name='$username'"
$g = Get-WmiObject -Class Win32_Group -Filter "Name='$groupname'"
So I get two objects with the property SID.
How can I check that user $u is a member of group $g?
You can do this with an Associators query (example). They are notoriously slow but do work.
$u = Get-WmiObject -Class Win32_UserAccount -Filter "Name='user'"
$group = Get-WmiObject -Class Win32_Group -Filter "Name='group'" | Select-Object -ExpandProperty Caption
# $u is a collection, so check each matching account
$u | foreach {
    # Ask WMI for every group associated with this account
    $query = "Associators Of {Win32_UserAccount.Domain='" `
        + $_.Domain + "',Name='" + $_.Name `
        + "'} WHERE AssocClass=Win32_GroupUser"
    $memberOf = Get-WmiObject -Query $query |
        select -ExpandProperty Caption
    # Captions have the form domain\groupname
    If($memberOf -contains $group){
        Write-Host "$($_.Name) is a member of $group"
    } Else {
        Write-Host "$($_.Name) is not a member of $group"
    }
}
Get the user you are looking for and the group you are checking to see if the user is a member of. While $u should be only one user, it is still a collection with one member. Pipe it into ForEach-Object and build the Associators query. Execute the query and return all the group captions (domain\groupname). Since $memberOf is an array, we can use -contains to see if the group you are looking for is there.
Alternatively
You could use the AD cmdlets if you have access to them and run the following:
(Get-ADUser $user -Properties memberof | Select-Object -ExpandProperty memberof) -contains (Get-ADGroup -Identity $group)
The above will return True or False. You can install AD cmdlets by using import-module activedirectory.
Continued Testing
OpenLDAP should support this from what I gather, and it's much faster than the previous WMI.
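# Find the user and read its memberOf attribute (a list of group DNs)
$search = [adsisearcher]"(&(objectcategory=user)(Name=userFullName))"
$userLDAP = $search.FindOne().Path
$userMembers = ([ADSI]$userLDAP).memberof
# Find the group and strip the LDAP:// prefix so only its DN remains
$search = [adsisearcher]"(&(objectcategory=group)(Name=groupname))"
$group = ($search.FindOne().Path) -replace "LDAP://"
# True if the group's DN is among the user's memberOf values
$userMembers -contains $group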
Sorry, as I do not have access to OpenLDAP for testing. Do a search for a user and get the MemberOf as $userMembers. Then get the group into $group. Needed to remove the LDAP prefix from the string. Then just do another -Contains again.
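
A variant of the LDAP check above, as an added example that is not part of the original answer: it assumes Active Directory, matches on sAMAccountName rather than Name, follows nested groups, and escapes the supplied names before they reach the filter. The function names and sample values are hypothetical.

```powershell
# Added example; function names and sample values are hypothetical/constructed.
function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so a supplied name is treated
    # as data and cannot change the structure of the search filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Test-GroupMembership {
    param(
        [Parameter(Mandatory)][string]$UserName,   # sAMAccountName of the user (assumption)
        [Parameter(Mandatory)][string]$GroupName   # sAMAccountName of the group (assumption)
    )
    # Resolve the group to its distinguished name first.
    $groupFilter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
    $groupResult = ([adsisearcher]$groupFilter).FindOne()
    if (-not $groupResult) { throw "Group '$GroupName' not found" }
    $groupDn = [string]$groupResult.Properties['distinguishedname'][0]

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (Active Directory
    # only): the directory walks nested groups server-side.
    $userFilter = "(&(objectCategory=user)" +
        "(sAMAccountName=$(ConvertTo-LdapFilterValue $UserName))" +
        "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn)))"

    # FindOne() returns $null when nothing matches, which casts to $false.
    [bool]([adsisearcher]$userFilter).FindOne()
}

# Constructed sample names; run on a domain-joined machine.
Test-GroupMembership -UserName 'jdoe' -GroupName 'Helpdesk'
```

The memberOf attribute does not list a user's primary group (typically Domain Users), so membership in that group is not reported by this check.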
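Notice: Technical posts on this site are licensed under CC BY-SA 4.0. If you repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.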