How to get all groups that a user is a member of, based on group extensionattribute

I'm trying to get all the groups the users of a domain are members of, but filtering only the groups with a given extensionattribute. I set the extensionattribute12 of all the domain groups to better filter some queries (i.e. Infrastructure - security - elearning). My query should get only the user(s) groups with extensionattribute12=security (for example). I use something like:

    get-aduser -filter * -Properties memberof | select name, @{ l="GroupMembership"; e={$_.memberof -join ";" } }

and I get all the groups of the users. How can I filter by group extensionattribute?

You could use the inverse relationship (member on the group object) to query all the groups a user is a member of, just 1 query per user. Here using an LDAP filter:

    $groupLabel = "Security"
    Get-ADUser -Filter * |ForEach-Object {
        $groups = Get-ADGroup -LDAPFilter "(&(extensionattribute12=$groupLabel)(member=$($_.DistinguishedName)))"
        [pscustomobject]@{
            User = $_.SamAccountName
            GroupMembership = $groups.DistinguishedName -join ';'
        }
    }

If you have to process a large number of users or group memberships, you may find it faster to retrieve all the groups satisfying the extensionAttribute12 criteria up front and use that list to filter the memberOf attribute on the users:

    $groupLabel = "Security"
    # Create a hash set and populate it with the distinguished
    # names of all the groups we're looking for
    $groupDNs = [System.Collections.Generic.HashSet[string]]::new(@(
        Get-ADGroup -Filter "extensionAttribute12 -eq '$groupLabel'" |Select -Expand DistinguishedName
    ))
    Get-ADUser -Filter * -Properties memberOf |ForEach-Object {
        # Retrieve memberOf values and filter against the hash set
        $groups = $_.memberOf |Where-Object { $groupDNs.Contains($_) }
        [pscustomobject]@{
            User = $_.SamAccountName
            GroupMembership = $groups -join ';'
        }
    }
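
Added example, not part of the original answers: the per-user LDAP filter above interpolates each DistinguishedName as-is, and a DN containing `(`, `)`, `*` or `\` (for instance an escaped comma in the CN) then produces an invalid or differently scoped filter. The sketch below escapes both values per RFC 4515 before building the filter; `ConvertTo-LdapFilterValue` and `Get-LabelledGroupFilter` are hypothetical helper names and the sample DN is constructed.

```powershell
# Added example (not from the original answers). Helper names are hypothetical.
function ConvertTo-LdapFilterValue {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Value
    )
    $sb = [System.Text.StringBuilder]::new()
    foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($Value)) {
        # RFC 4515: NUL ( ) * \ must be written as \XX (e.g. \ -> \5c, ( -> \28);
        # non-ASCII bytes may be written the same way, which is done here too
        if ($b -in 0x00, 0x28, 0x29, 0x2A, 0x5C -or $b -ge 0x80) {
            [void]$sb.AppendFormat('\{0:x2}', $b)
        }
        else {
            [void]$sb.Append([char]$b)
        }
    }
    $sb.ToString()
}

function Get-LabelledGroupFilter {
    param([string]$GroupLabel, [string]$MemberDn)
    # Escape both interpolated values so neither can alter the filter structure
    $label  = ConvertTo-LdapFilterValue $GroupLabel
    $member = ConvertTo-LdapFilterValue $MemberDn
    "(&(extensionAttribute12=$label)(member=$member))"
}

# Constructed DN with an escaped comma and parentheses in the CN
$sampleDn = 'CN=Smith\, John (Contractor),OU=Staff,DC=example,DC=com'
Get-LabelledGroupFilter -GroupLabel 'Security' -MemberDn $sampleDn

# Same per-user query as above, with escaped values (needs the ActiveDirectory module)
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    Get-ADUser -Filter * | ForEach-Object {
        $filter = Get-LabelledGroupFilter -GroupLabel 'Security' -MemberDn $_.DistinguishedName
        [pscustomobject]@{
            User            = $_.SamAccountName
            GroupMembership = (Get-ADGroup -LDAPFilter $filter).DistinguishedName -join ';'
        }
    }
}
```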

Make it with N+1 queries

    $groups = @( Get-ADGroup -Filter '(extensionattribute12 -eq "security")' )
    $users = @( $groups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Sort-Object -Unique )
    $users # All users of all groups that have EA12 = security
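
    Get-ADUser -filter {...} -Properties memberof |
        select name, @{ l="GroupMembership"; e={
            # extensionattribute12 is not returned by default, so request it explicitly
            ( $_.memberof | Get-ADGroup -Properties extensionattribute12 |
                ?{ $_.extensionattribute12 -eq 'security' } ) -join ";" } } |
        ?{ $_.GroupMembership }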