使用不带 CmdLets 的 powershell 脚本递归列出广告组中的用户 [英] Listing users in ad group recursively with powershell script without CmdLets

问题描述

我试图在不使用 PowerShell 中的 CmdLets 的情况下列出活动目录中安全组中的每个人.我的脚本的奇怪之处在于，如果我列出整个目录，它就可以工作，但是如果我尝试使用 ldap 查询指定要列出的内容，则它不起作用.我知道我的 ldap 查询是正确的，因为我在另一个类似的 vbs 中使用过它并且它有效.注释行是我试图放入查询的地方.

I'm trying to list everyone in a security group in an active directory without using CmdLets in PowerShell. The weird thing with my script is that it works if I list the entire directory but if I try and specify with an ldap query what I want to be listed it does not work. I know my ldap query is correct because I have used it in another similar vbs and it works. The commented lines are where i have tried to put in the query.

$strFilter = "(&(objectCategory=person)(objectClass=user))"
#$strFilter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com))" #... is just left out part of query

#$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com") #... is just left out part of query

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

$colProplist = "name"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
    {$objItem = $objResult.Properties; $objItem.name}

推荐答案

这里有一些在 Active-Directory 2003 SP2 和 2008 R2 中工作的东西.我使用 ADSI 和 Microsoft LDAP_MATCHING_RULE_IN_CHAIN.它递归地(但在一个查询中)搜索一个组中的所有用户(小心它从安全和分发组返回用户)

Here is something working in an Active-Directory 2003 SP2 and 2008 R2. I use ADSI and Microsoft LDAP_MATCHING_RULE_IN_CHAIN. It Search recursively (but in one query) all the users from a group (be careful it return users from security and distributions group)

Clear-Host
$dn = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://WM2008R2ENT:389/dc=dom,dc=fr","jpb@dom.fr","PWD")

# To find all the users member of groups "MonGrpPlusSec"  : 
# Set the base to the groups container DN; for example root DN (dc=societe,dc=fr)  
# Set the scope to subtree 
# Use the following filter : 
# (member:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr) 

$dsLookFor = new-object System.DirectoryServices.DirectorySearcher($dn)
$dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr)(objectCategory=user))"; 
$dsLookFor.SearchScope = "subtree"; 
$n = $dsLookFor.PropertiesToLoad.Add("cn"); 
$n = $dsLookFor.PropertiesToLoad.Add("distinguishedName");
$n = $dsLookFor.PropertiesToLoad.Add("sAMAccountName");

$lstUsr = $dsLookFor.findall()
foreach ($usrTmp in $lstUsr) 
{
  Write-Host $usrTmp.Properties["samaccountname"]
}

这篇关于使用不带 CmdLets 的 powershell 脚本递归列出广告组中的用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！