如何使用 Powershell 或其他工具(递归地)获取所有 AD 用户组? [英] How to get ALL AD user groups (recursively) with Powershell or other tools?

问题描述

我正在尝试在我正在使用的 Powershell 中获取用户所属的所有组，甚至是嵌套组(递归):

I'm trying to get ALL the groups a user is member, even the nested ones (recusively), in Powershell I'm using:

(Get-ADUser <username> -Properties MemberOf | Select-Object MemberOf).MemberOf

但它只返回用户是直接"成员的组，就像使用 AD 用户控制台时一样.我列出所有组的列表非常有用，例如gpresult -r"的输出，它显示了用户所属的所有组.

But it only returns the groups the user is a "direct" member, like you get when using the AD users console. I single list of ALL the groups is very helpful, like the output from "gpresult -r", where it shows ALL the groups the user is a member.

有没有办法从任何 AD 用户那里获取它?(不需要完全在Powershell中，也许还有另一个我还不知道的工具)

Is there a way to get it from any AD user? (Doesnt need to be exclusively in Powershell, maybe theres another tool that I dont know yet)

推荐答案

您可以使用 LDAP_MATCHING_RULE_IN_CHAIN:

Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=CN=User,CN=USers,DC=x)"

您可以在任何可以使用 LDAP 过滤器的地方使用它.

You can use it anywahere that you can use an LDAP filter.

示例:

$username = 'myUsername'
$dn = (Get-ADUser $username).DistinguishedName
Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) | select -expand Name | sort Name

这篇关于如何使用 Powershell 或其他工具(递归地)获取所有 AD 用户组?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！