
How to query Security Policy with AdsiSearcher in PowerShell?

I am trying to find all servers that set TrustedForDelegation : True, I am able to find all servers using ([adsisearcher]"ObjectCategory=Computer").Findall().properties but I can't see any of the security policy properties. How would I go about viewing filtering for security policy properties?

Btw the reason I am using AdsiSearcher is because I don't have the Active Directory module available to import.

The Trusted for Delegation permission is stored in the userAccountControl attribute in AD, which is a bit field, meaning that the value indicates several flags that can be on or off. The full list is here.

Adding this to your query is a little tricky. It requires a bitwise AND comparison to see if a specific flag is turned on. AD allows this through a matching rule OID called LDAP_MATCHING_RULE_BIT_AND.

You would use it in an LDAP query like this:

(userAccountControl:1.2.840.113556.1.4.803:=524288)

So your code to find all computers with the Trusted for Delegation permissions would look something like this:

([adsisearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))").Findall()
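
The following is an added example, not part of the original answer: it runs the same bitwise filter, then decodes each result's userAccountControl value so that domain controllers (which carry this flag by default) can be told apart from other hosts that need review. The helper name Get-UacFlagName and the sample values are constructed for illustration.

```powershell
# userAccountControl bit values (subset relevant to a delegation audit).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x00000002
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000   # set on domain controllers
    TRUSTED_FOR_DELEGATION         = 0x00080000   # 524288, the flag in the filter
    NOT_DELEGATED                  = 0x00100000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
}

# Hypothetical helper: return the names of the flags set in a UAC value.
function Get-UacFlagName {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
}

# Constructed sample values, so the decoder can be checked without a domain:
#   528384 = 524288 + 4096  (member computer trusted for delegation)
#   532480 = 524288 + 8192  (domain controller)
#   4096   = ordinary computer account, flag not set
foreach ($v in 528384, 532480, 4096) {
    '{0,7} -> {1}' -f $v, ((Get-UacFlagName $v) -join ', ')
}

# Against a live domain: same LDAP filter, loading only the attributes needed.
$filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))'
$searcher = [adsisearcher]$filter
$searcher.PageSize = 1000   # page the results so large domains are not truncated
$searcher.PropertiesToLoad.AddRange([string[]]('name', 'useraccountcontrol'))

$searcher.FindAll() | ForEach-Object {
    $uac = [int]$_.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Name  = [string]$_.Properties['name'][0]
        UAC   = $uac
        IsDC  = [bool]($uac -band $UacFlags.SERVER_TRUST_ACCOUNT)
        Flags = (Get-UacFlagName $uac) -join ', '
    }
} | Sort-Object IsDC, Name
```

Rows where IsDC is False are the ones to review, since domain controllers are expected to match this filter.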
