Powershell ADSI problems

I'm working on a GPO powershell script that is supposed to help us cut down on our logon time. What I need to do, is pull the current username, and then check if it is a member of a group. The code I have right now is

# DN components are comma-separated (OU=...,DC=...,DC=...)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://OU=OU,DC=DC,DC=DC")
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
# Let the DC match the account instead of returning every user and filtering client-side.
# sAMAccountName may contain parentheses, so LDAP-escape the value if it is not trusted.
$objSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$env:USERNAME))"
$objSearcher.PageSize = 1000        # the DC caps a page at its MaxPageSize (default 1000) anyway
$objSearcher.SearchScope = "Subtree"
$colProplist = "samaccountname"
# Add() returns the new index; [void] keeps that number out of the script's output
foreach ($i in $colPropList){[void]$objSearcher.PropertiesToLoad.Add($i)}

# At most one account has this sAMAccountName, so FindOne() is enough
$objResult = $objSearcher.FindOne()
if ($objResult)
{
    $objResult.Properties["samaccountname"]
}

Unfortunately, even though it prints the username, I can't figure out how to see which principal group it's a member of! Since this is running on client machines that don't have RSAT, I can't use the active directory cmdlets like get-adprincipalgroupmembership. Any help?

It's a standard LDAP property. Just specify $colProplist = "samaccountname","memberof".

Don't feel silly about missing it. The MSDN AD LDAP doc is comprehensive, but not particularly usable, especially because it assumes you already understand class inheritance, and some properties have two different names and only one is ever valid and it sometimes seems to change depending on context. Most people prefer alternate sources like SelfADSI.

Note that that is not a recursive search, but neither is Get-ADPrincipalGroupMembership. Getting a list of all AD groups a user is a member of directly or through group membership is exactly as painful as it sounds. You get memberof for the user, then walk through every group and check its memberof, and repeat that until you run out of parents, then return the unique list. It's easier with the ActiveDirectory module, but it's not painless.
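The walk the answer describes, written out as an added example that is not part of the question or the answer, using only System.DirectoryServices (no RSAT). It assumes a domain-joined Windows client in a single-domain forest, that the script runs as the logged-on user, and that $env:USERNAME is that user's sAMAccountName; the function names are my own. It goes beyond the answer in two places: the username is LDAP-escaped before it is interpolated into the filter (sAMAccountName may contain parentheses, and a DN may contain anything), and a second function reads the computed tokenGroups attribute, which the DC resolves to the full nested list, primary group included, in one call.

```powershell
# Added example, not code from the question or the answer. Assumes a
# domain-joined Windows client with no RSAT, a reachable DC, the script running
# as the logged-on user, and groups that live in the client's own domain.

# RFC 4515 escaping so a sAMAccountName or DN interpolated into an LDAP filter
# cannot change the filter's structure. Backslash must be replaced first.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Server-side lookup of one user. DirectorySearcher's default SearchRoot is the
# root of the current domain, so no LDAP path has to be hard-coded.
function Get-UserSearchResult {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $escaped = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.SearchScope = 'Subtree'
    foreach ($p in 'distinguishedName', 'sAMAccountName', 'memberOf', 'primaryGroupID') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    $searcher.FindOne()
}

# The walk the answer describes: start from the user's memberOf, bind each
# group and read its memberOf, repeat until no new parents appear. The visited
# set de-duplicates the result and stops the loop on circular nesting.
function Get-NestedGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-UserSearchResult $SamAccountName
    if (-not $user) { throw "User '$SamAccountName' not found in the current domain" }

    $seen  = New-Object -TypeName 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    $queue = New-Object -TypeName 'System.Collections.Generic.Queue[string]'
    foreach ($dn in $user.Properties['memberof']) { $queue.Enqueue([string]$dn) }

    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if (-not $seen.Add($dn)) { continue }
        # '/' is the one DN character that has to be escaped inside an ADsPath.
        $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dn.Replace('/', '\/'))")
        foreach ($parent in $group.Properties['memberOf']) { $queue.Enqueue([string]$parent) }
    }
    # Caveat: memberOf never lists the primary group (primaryGroupID, normally
    # Domain Users). Get-TokenGroupNames below does include it.
    $seen
}

# Beyond what the answer covers: tokenGroups is a computed attribute holding
# the SIDs of every security group the user is in, nested and primary groups
# included, expanded by the DC. It is only returned by a base-scope read of the
# user object, which is what RefreshCache performs.
function Get-TokenGroupNames {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-UserSearchResult $SamAccountName
    if (-not $user) { throw "User '$SamAccountName' not found in the current domain" }
    $userDn = [string]$user.Properties['distinguishedname'][0]
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($userDn.Replace('/', '\/'))")
    $entry.RefreshCache([string[]]@('tokenGroups'))
    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # a SID that no longer resolves is shown raw
    }
}

# The check the question is after: is the user (directly or via nesting) in a group?
function Test-NestedGroupMember {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$GroupDn)
    @(Get-NestedGroupMembership $SamAccountName) -contains $GroupDn
}

# Usage for the logged-on user:
Get-NestedGroupMembership $env:USERNAME | Sort-Object
Get-TokenGroupNames $env:USERNAME | Sort-Object
```

The memberOf walk costs one bind per group and only sees the groups the DC you are talking to knows about, so it misses the primary group and, in a multi-domain forest, domain local groups from other domains; tokenGroups is the cheaper and more complete view for the "is this user in group X" question, at the price of returning SIDs that must be translated rather than DNs.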

Notice: the technical posts on this site are licensed under CC BY-SA 4.0. If you repost, please cite this site or the original address. For any questions contact: yoyou2525@163.com.
