[英]Remove Single IDs from local administrator group
我想從管理員組中刪除個人 ID
我有以下代碼來獲取成員並刪除它們
Get-LocalGroupMember -Name 'Administrators'
$AdminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
$User = [ADSI]"WinNT://$DomainName/$UserName,user"
$AdminGroup.Remove($User.Path)
Write-Host "Successfull:" $ComputerName
我面臨的問題是如何識別組中的單個/個人 ID 。
下面是一個樣本 output 來自其中一個服務器,我從其中獲取了沒有個人 ID 的成員
Name SID PrincipalSource ObjectClass
---- --- --------------- -----------
AUTO1AP\csgadm# S-1-5-21-126948685-454775200-1760099607-500 Local User
ZA\ S-1-5-21-3095416536-3097367016-2845470932 ActiveDirectory Other
ZA\A-Auto$ S-1-5-21-3095416536-3097367016-2845470932-1423106 ActiveDirectory User
ZA\A-Server Administrators S-1-5-21-3095416536-3097367016-2845470932-128673 ActiveDirectory Group
ZA\A92361 S-1-5-21-3095416536-3097367016-2845470932-1423726 ActiveDirectory User
ZA\A-SAN-AUTO S-1-5-21-3095416536-3097367016-2845470932-1475616 ActiveDirectory User
ZA\Domain Admins S-1-5-21-3095416536-3097367016-2845470932-512 ActiveDirectory Group
我現在有上述數據,我想從中刪除ZA\A92361的個人帳戶(這里我知道這是個人帳戶,但實際上我需要找出並刪除)
請讓我知道這件事
雖然我仍然不清楚識別要刪除的用戶是什么意思,但我相信Get-LocalGroupMember
cmdlet 會返回識別它們所需的一切。
$ADusersToRemove = 'jdoe', 'cblossom' # example some SamAccountNames of users to remove from the group
# from these users to remove, get an array of their Security IDs
$ADsidsToRemove = $ADusersToRemove | ForEach-Object { (Get-ADUser -Identity $_ -ErrorAction SilentlyContinue).SID }
# get a list of members of the local group, AD users only
$allADMembers = Get-LocalGroupMember -Name 'Administrators' | Where-Object { $_.ObjectClass -eq 'user' -and $_.PrincipalSource -eq 'ActiveDirectory' }
# remove the wanted AD users from the group
$ADmembersToRemove = @($allADMembers | Where-Object { $ADsidsToRemove -contains $_.SID })
if ($ADmembersToRemove.Count) {
Remove-LocalGroupMember -Name 'Administrators' -Member $membersToRemove.SID
}
如果您還想刪除 LOCAL 用戶(不是 AD),您可以做類似的事情
# get an array of LocalPrincipal objects
$LocalUsersToRemove = @(Get-LocalUser -Name 'someguy', 'anotheruser' )
if ($LocalUsersToRemove.Count) {
Remove-LocalGroupMember -Name 'Administrators' -Member $LocalUsersToRemove
}
如果您說要排除服務帳戶,那么這個問題實際上是如何區分服務帳戶和普通用戶帳戶。
我不知道你是如何組織你的廣告的,但當然有幾種選擇:
svc_
或其他。Where-Object { $ADsidsToRemove -contains $_.SID -and (($_.Name -split '\\') -notlike 'svc_*')}
OU=ServiceAccounts,DC=Company,DC=com
然后你可以使用過濾器Where-Object { $ADsidsToRemove -contains $_.SID -and ((Get-ADUser -Identity $_.SID).DistinguishedName -notlike '*OU=ServiceAccounts,DC=Company,DC=com')}
Service account
Where-Object { $ADsidsToRemove -contains $_.SID -and ((Get-ADUser -Identity $_.SID -Properties Description).Description -notlike '*Service account*')}
ExtensionAttribute1=svc
Where-Object { $ADsidsToRemove -contains $_.SID -and ((Get-ADUser -Identity $_.SID -Properties ExtensionAttribute1).ExtensionAttribute1 -notlike 'svc')}
如您所見,可能性幾乎是無窮無盡的。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.