需要以下 AD 脚本的指导

Question

I'm having issues trying to pull the members of the security tab of each group in AD.....can someone help pls?

Get-ADGroup -filter * -Properties name, security | select security, @{n=’Security’; e= { ( $_.Security | % { (Get-ADObject $_).Name }) -join “,” }}

Error below:

Get-ADGroup : One or more properties are invalid.
Parameter name: security
At line:1 char:1
+ Get-ADGroup -filter * -Properties security | select security, @{n=’Se ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADGroup], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

What am I missing here?

Answer 1

You can use the Get-Acl cmdlet in conjunction with the AD provider. If you're getting all of your groups, you must be using the ActiveDirectory module, so you should have the provider available as well. The provider allows you to browse through Active Directory similarly to a file system. So first thing to do is swap to that provider:

cd AD:

Then you can get your groups like you intended to:

$Groups = Get-ADGroup -filter *

Now you can loop through those and use the distinguishedName to get the ACLs for each group object. Now, there's a few ways to do this, I'm going to use Add-Member . AD Group objects like to try and make any new members ADPropertySets, so we'll be using the -force parameter to make sure it is a NoteProperty.

$Groups | ForEach-Object{
    $ACLs = Get-Acl -Path $_.distinguishedName
    Add-Member -InputObject $_ -NotePropertyName 'Security' -NotePropertyValue $ACL.Access -Force
}

Then you can just do something like $Groups|Format-Table Name,Security or something.