堆栈内存溢出
  简体   繁体   English

WinNT://提供程序何时查询Active Directory? 或者如果是域帐户,如何获取本地组成员的SID

[英]When does WinNT:// provider query Active Directory? Or how to get SID of local group member if it is domain account

 原文  2019-05-16 15:02:54       c#/ .net/ active-directory/ ldap/ directoryentry

问题描述

Okay so I am using the WinNT provider with a DirectoryEntry class to enumerate the members of a local group, through the Members property. 好的,所以我将WinNT提供程序与DirectoryEntry类一起使用,通过Members属性来枚举本地组的成员

If the member is a local account, the DirectoryEntry will also be read from the SAM on the local machine presumably. 如果成员是本地帐户,则大概也会从本地计算机上的SAM中读取DirectoryEntry。

If the member is a Domain Account however, will the provider perform a query to Active Directory when I access the properties of the DirectoryEntry object? 但是,如果成员是域帐户,当我访问DirectoryEntry对象的属性时,提供程序是否将对Active Directory执行查询?

Is there a way to differentiate the two scenarios? 有没有办法区分这两种情况? For example check a property on the DirectoryEntry to see if it is going to get the properties from the local machine SAM, or by querying a domain controller to read Active Directory? 例如,检查DirectoryEntry上的属性以查看它是要从本地计算机SAM中获取属性,还是查询域控制器以读取Active Directory?

Is there a way to get the name (or even just the SID) of the member without querying Active Directory? 有没有一种方法可以获取成员的名称(甚至只是SID) 而无需查询Active Directory?

I'm trying to enumerate the local groups on a large number of servers and don't want to be hammering the domain controller, if they contain many domain user accounts. 我正在尝试枚举大量服务器上的本地组,并且如果它们包含许多域用户帐户,则不想重击域控制器。

1 个解决方案

解决方案1
 1 已采纳  2019-05-16 19:44:27

You could query Win32_GroupUser, and that shouldn't hit AD at all. 您可以查询Win32_GroupUser,这根本不会打AD。 Then you just have to do a little string parsing to get the user name, user type (user/group), and source (local/domain). 然后,您只需要进行一些字符串解析即可获取用户名,用户类型(用户/组)和源(本地/域)。 

$Servers = 'Server1.domain.com','Server2.domain.com'
$GMembers = ForEach($Server in $Servers){
    $BaseName=$Server.split('.')[0]
    Get-WmiObject -ComputerName $Server -Query "SELECT * FROM win32_GroupUser WHERE GroupComponent = ""Win32_Group.Domain='$BaseName',Name='Administrators'"""
}
$GMembers | 
    ?{$_.PartComponent -match '\\\\(.+?)\\.+?Win32_(.+?)\.Domain="(.+?)",Name="(.+?)"'}|
    %{
        [PSCustomObject]@{
            Server=$Matches[1]
            Domain=$Matches[3]
            Account=$Matches[4]
            AccountType=$Matches[2]
        }
    }

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何获取属于本地系统组的域用户 SID - how to get domain user SID which is part of local system group 一旦我在Active Directory中获得用户组,如何获取组的SID? - How to get SID of a group once i get groups of a user in Active Directory? 如何使用c#.net从他在winnt文件夹(本地用户和组)或活动目录(域下)中创建的pc中列出用户 - how to list out users from pc either he created in winnt folder(local users and groups) or active directory( under domain) using c#.net 如何检查Active Directory组是否是另一个Active Directory组的成员 - How to check if an Active Directory group is a member of a another Active Directory group Active Directory:从SID获取RID - Active Directory: Get RID from SID 活动目录-通过用户SID获取计算机IP - Active directory - Get computer IP by user SID 为什么通过WinNT协议删除本地组会导致NotImplementedException? - Why does removing a local group via WinNT protocol results in a NotImplementedException? 查询活动目录的帐号 - Account to query the active directory 在我们的域外或在 azure 上发布时如何使用 Active Directory 连接字符串成员资格提供程序 - How to use Active Directory connection string membership provider when it is published outside our domain or on azure 检查用户是否为组成员时,如何解决“无法解析成员的SID”错误? - How to overcome the “The member's SID could not be resolved” error when checking if user is a member of group?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM