用于查询Active Directory的Powershell脚本
[英]Powershell Script to query Active Directory
问题描述
I am trying to query all users in multiple OUs of the same name. 
我试图查询具有相同名称的多个OU中的所有用户。 Get the SamAccountName attribute and then check for a file at a specific location with that name. 获取SamAccountName属性,然后在具有该名称的特定位置检查文件。
Here is what I have so far: 这是我到目前为止的内容:
$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Admin-User-Accounts'"
$ous | ForEach-Object {
$AccountName = Get-ADUser -Filter * -SearchBase $_.DistinguishedName |
Select SamAccountName
Test-Path "\\domain.net\SYSVOL\domain.net\IA\$AccountName.pdf"
}
If a file is not found. 如果找不到文件。 I want to add the user to a group, however here is the kicker. 我想将用户添加到组中,但是这里是踢人。 The account has to be added to the non-compliance group for the organization that the account belongs to. 必须将该帐户添加到该帐户所属组织的违规组。
IE an admin account found under: IE管理员帐户位于:
OU=Admin-User-Accounts,OU=Administration,OU=ORG1,OU=ORGS,DC=domain,DC=net
would be added to the group named 'ORG1 IA - Non-Compliant Users' located under: 将被添加到位于以下位置的名为“ ORG1 IA-不合规用户”的组中:
OU=Groups,OU=ORG1,OU=Information Assurance,OU=ORGS,DC=domain,DC=net
3 个解决方案
解决方案1
0 2019-03-14 08:48:42
Well your post is a bit confusing, and no way to really validate because I have nothing setup like this. 好吧,您的帖子有点令人困惑,也无法真正验证,因为我没有这样的设置。
Yet, querying for users in all OU or the enterprise is a common everyday thing. 但是,在所有OU或企业中查询用户是日常的日常工作。
However, an OU name, just like any other AD object name, must be unique. 但是,OU名称(与任何其他AD对象名称一样)必须是唯一的。 So, querying for the same OU name is not a thing, in a single AD forest / domain. 因此,在单个AD林/域中查询相同的OU名称不是一件容易的事。 If you meant querying every OU for the same username, then alrighty then. 如果要在每个OU中查询相同的用户名,则可以。
By stepping thru how you are explanation for your use case, that you have laid out. 通过逐步了解您对用例的说明,您已经布局好了。
(though maybe you want to edit your post to make it's more clear, well to me anyway...) (尽管也许您想编辑您的帖子以使其更清晰,无论如何对我来说...)
Using pseudo code, then trying to map that out... and with no real way to determine what you mean by several things in your post/sample. 使用伪代码,然后尝试将其映射出来……而没有真正的方法来确定帖子/示例中几件事的意思。 So, the below is a rough first example of how I'd do approach this... again this is untested, so, I leave that homework to you. 因此,以下是我将如何实现此目标的一个粗略的第一个示例……同样,这是未经测试的,因此,我将这份作业留给您。
# query all users in multiple OUs
(Get-ADOrganizationalUnit -Filter *).DistinguishedName |
ForEach{
# Collect all members of the current OU
$AccountNames = Get-ADUser -SearchBase $PSItem -Filter *
# Process each member in the current OU collection
ForEach($AccountName in $AccountNames)
{
"Processing $($AccountName.SamAccoutnName)`n"
# Initialize properties needed for processing
$UserOrg = $AccountName.DistinguishedName.split(",")[1]
$MemberCheckOU = "OU=Admin-User-Accounts,OU=Administration,OU=ORG1,OU=$UserOrg,DC=domain,DC=net"
$NonCompliantOU = "OU=Groups,OU=ORG1,OU=Information Assurance,OU=$UserOrg,DC=domain,DC=net"
# Validate user file existence for the current user
If(-Not (Test-Path -LiteralPath "\\domain.net\SYSVOL\domain.net\IA\$($AccountName.SamAccoutnName).pdf)"))
{
# if no file Process the user groupmebership modification
"Processing $($AccountName.SamAccoutnName)"
# Notify that the file was not found and processing is required
Write-Warning -Message "$($($AccountName.SamAccoutnName).pdf) not found. Process group modify actions"
# If the current user is in the MemberCheckOU, add to the NonCompliantOU
If(Get-ADPrincipalGroupMembership -Identity $($AccountName.SamAccoutnName) | Where-Object -Property DistinguishedName -Match $MemberCheckOU )
{ Add-ADGroupMember -Identity $NonCompliantOU -Members $($AccountName.SamAccoutnName) }
Else
{
# Do something else
}
}
Else
{
# Notify that the file was found and no processing required
Write-Host "$($AccountName.pdf) found. No further actions taken" -ForegroundColor Green }
}
}
解决方案2
0 2019-03-14 12:08:50
It seems that one of the variables is incorrect because PowerShell is giving me the following: 似乎其中一个变量是错误的,因为PowerShell为我提供了以下内容:
Get-ADPrincipalGroupMembership : Cannot validate argument on parameter 'Identity'. Get-ADPrincipalGroupMembership:无法验证参数'Identity'上的参数。 The argument is null or empty. 参数为null或为空。 Provide an argument that is not null or empty, and then try the command again. 提供一个不为null或为空的参数,然后重试该命令。
Okay, so here is what I have so far based on your post above Postanote: 好的,这是我到目前为止根据您在Postanote上的帖子所获得的信息:
# query all users in multiple OUs
(Get-ADOrganizationalUnit -Filter "Name -eq 'Admin-User-Accounts'") |
ForEach{
# Collect all members of the current OU
$AccountNames = Get-ADUser -SearchBase $PSItem -Filter *
# Process each member in the current OU collection
ForEach($AccountName in $AccountNames)
{
"Processing $($AccountName.SamAccoutnName)`n"
# Initialize properties needed for processing
$UserOrg = $AccountName.DistinguishedName.split(",")[1]
$MemberCheckOU = "OU=Admin-User-Accounts,OU=Administration,OU=$UserOrg,OU=ORGS,DC=domain,DC=net"
$NonCompliantOU = "OU=Groups,OU=$UserOrg,OU=Information Assurance,OU=ORGS,DC=domain,DC=net"
# Validate user file existence for the current user
If(-Not (Test-Path -LiteralPath "\\domain.net\SYSVOL\domain.net\IA\$($AccountName.SamAccoutnName).pdf)"))
{
# if no file Process the user groupmebership modification
"Processing $($AccountName.SamAccoutnName)"
# Notify that the file was not found and processing is required
Write-Warning -Message "$($($AccountName.SamAccoutnName).pdf) not found. Process group modify actions"
# If the current user is in the MemberCheckOU, add to the NonCompliantOU
If(Get-ADPrincipalGroupMembership -Identity $($AccountName.SamAccoutnName) | Where-Object -Property DistinguishedName -Match $MemberCheckOU )
{ Add-ADGroupMember -Identity "$UserOrg IA - Non-Compliant Users" -Members $($AccountName.SamAccoutnName) }
Else
{
# Do something else
}
}
Else
{
# Notify that the file was found and no processing required
Write-Host "$($AccountName.pdf) found. No further actions taken" -ForegroundColor Green }
}
}
解决方案3
0
Looking at the original script fragment: 查看原始脚本片段:
$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Admin-User-Accounts'"
$ous | ForEach-Object {
$AccountName = Get-ADUser -Filter * -SearchBase $_.DistinguishedName |
Select SamAccountName # note 1
Test-Path "\\domain.net\SYSVOL\domain.net\IA\$AccountName.pdf" # note 2
}
Note 1: Your going to end up with $accountname.accountname holding your value. 注意1:最后将以$ accountname.accountname保留您的值。 I think your going to want to expand this instead. 我认为您将想扩大它。 Note2: Powershell may be getting confused and thinking your looking for the variable $accountname.pdf 注意2:Powershell可能会感到困惑,并认为您正在寻找变量$ accountname.pdf
Instead, try this... 相反,请尝试此...
$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Admin-User-Accounts'"
$ous | ForEach-Object {
$AccountName = $(Get-ADUser -Filter * -SearchBase $_.DistinguishedName).SamAccountName
Test-Path "\\domain.net\SYSVOL\domain.net\IA\$($AccountName).pdf"
}
here, we save the value of just .SamAccountName for the query to the $AccountName, and by adding $($accountname) we make clear the variable we want, and that .pdf is not part of the variable name. 在这里,我们只将查询的.SamAccountName值保存到$ AccountName中,然后通过添加$($ accountname)来清除所需的变量,而.pdf不是变量名的一部分。
Now, note as well, this doesn't save the results anywhere, it will just flash them to screen. 现在,还请注意,这不会将结果保存在任何地方,只会将其刷新到屏幕上。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.