WinNT://提供程序何时查询Active Directory?或如何获取本地组成员的SID(如果它是域帐户) [英] When does WinNT:// provider query Active Directory? Or how to get SID of local group member if it is domain account

问题描述

好的，所以我将WinNT提供程序与DirectoryEntry类结合使用，以通过 Members 属性枚举本地组的成员.

Okay so I am using the WinNT provider with a DirectoryEntry class to enumerate the members of a local group, through the Members property.

如果该成员是本地帐户，则大概也会从本地计算机上的SAM中读取DirectoryEntry.

If the member is a local account, the DirectoryEntry will also be read from the SAM on the local machine presumably.

但是，如果成员是域帐户，当我访问DirectoryEntry对象的属性时，提供程序是否将对Active Directory执行查询?

If the member is a Domain Account however, will the provider perform a query to Active Directory when I access the properties of the DirectoryEntry object?

有没有办法区分这两种情况?例如，检查DirectoryEntry上的属性以查看它是要从本地计算机SAM中获取属性，还是查询域控制器以读取Active Directory?

Is there a way to differentiate the two scenarios? For example check a property on the DirectoryEntry to see if it is going to get the properties from the local machine SAM, or by querying a domain controller to read Active Directory?

是否有一种方法可以获取成员的名称(甚至只是SID)，而无需查询Active Directory?

Is there a way to get the name (or even just the SID) of the member without querying Active Directory?

我正在尝试枚举大量服务器上的本地组，并且如果它们包含许多域用户帐户，也不想重蹈覆辙.

I'm trying to enumerate the local groups on a large number of servers and don't want to be hammering the domain controller, if they contain many domain user accounts.

推荐答案

您可以查询Win32_GroupUser，而这根本不会影响AD.然后，您只需执行一些字符串解析即可获取用户名，用户类型(用户/组)和源(本地/域).

You could query Win32_GroupUser, and that shouldn't hit AD at all. Then you just have to do a little string parsing to get the user name, user type (user/group), and source (local/domain).

$Servers = 'Server1.domain.com','Server2.domain.com'
$GMembers = ForEach($Server in $Servers){
    $BaseName=$Server.split('.')[0]
    Get-WmiObject -ComputerName $Server -Query "SELECT * FROM win32_GroupUser WHERE GroupComponent = ""Win32_Group.Domain='$BaseName',Name='Administrators'"""
}
$GMembers | 
    ?{$_.PartComponent -match '\\\\(.+?)\\.+?Win32_(.+?)\.Domain="(.+?)",Name="(.+?)"'}|
    %{
        [PSCustomObject]@{
            Server=$Matches[1]
            Domain=$Matches[3]
            Account=$Matches[4]
            AccountType=$Matches[2]
        }
    }

这篇关于WinNT://提供程序何时查询Active Directory?或如何获取本地组成员的SID(如果它是域帐户)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！