WinNT://提供程序何时查询Active Directory?或如何获取本地组成员的SID(如果它是域帐户) [英] When does WinNT:// provider query Active Directory? Or how to get SID of local group member if it is domain account
问题描述
好的,所以我将WinNT提供程序与DirectoryEntry类结合使用,以通过 Members 属性枚举本地组的成员.
Okay so I am using the WinNT provider with a DirectoryEntry class to enumerate the members of a local group, through the Members property.
如果该成员是本地帐户,则大概也会从本地计算机上的SAM中读取DirectoryEntry.
If the member is a local account, the DirectoryEntry will also be read from the SAM on the local machine presumably.
但是,如果成员是域帐户,当我访问DirectoryEntry对象的属性时,提供程序是否将对Active Directory执行查询?
If the member is a Domain Account however, will the provider perform a query to Active Directory when I access the properties of the DirectoryEntry object?
有没有办法区分这两种情况?例如,检查DirectoryEntry上的属性以查看它是要从本地计算机SAM中获取属性,还是查询域控制器以读取Active Directory?
Is there a way to differentiate the two scenarios? For example check a property on the DirectoryEntry to see if it is going to get the properties from the local machine SAM, or by querying a domain controller to read Active Directory?
是否有一种方法可以获取成员的名称(甚至只是SID),而无需查询Active Directory?
Is there a way to get the name (or even just the SID) of the member without querying Active Directory?
我正在尝试枚举大量服务器上的本地组,并且如果它们包含许多域用户帐户,也不想重蹈覆辙.
I'm trying to enumerate the local groups on a large number of servers and don't want to be hammering the domain controller, if they contain many domain user accounts.
推荐答案
您可以查询Win32_GroupUser,而这根本不会影响AD.然后,您只需执行一些字符串解析即可获取用户名,用户类型(用户/组)和源(本地/域).
You could query Win32_GroupUser, and that shouldn't hit AD at all. Then you just have to do a little string parsing to get the user name, user type (user/group), and source (local/domain).
$Servers = 'Server1.domain.com','Server2.domain.com'
$GMembers = ForEach($Server in $Servers){
$BaseName=$Server.split('.')[0]
Get-WmiObject -ComputerName $Server -Query "SELECT * FROM win32_GroupUser WHERE GroupComponent = ""Win32_Group.Domain='$BaseName',Name='Administrators'"""
}
$GMembers |
?{$_.PartComponent -match '\\\\(.+?)\\.+?Win32_(.+?)\.Domain="(.+?)",Name="(.+?)"'}|
%{
[PSCustomObject]@{
Server=$Matches[1]
Domain=$Matches[3]
Account=$Matches[4]
AccountType=$Matches[2]
}
}
这篇关于WinNT://提供程序何时查询Active Directory?或如何获取本地组成员的SID(如果它是域帐户)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!