如何使用输入列表为AD用户列出AD组成员身份? [英] How to list AD group membership for AD users using input list?
问题描述
我是新手PS用户...正在寻求有关Powershell脚本的帮助以获取用户所属的安全组列表.
I'm fairly new PS user... Looking for some assistance with a powershell script to obtain list of security groups user is member of.
描述我所需要的:
- 我有许多用户(samaccountnames)的输入列表(txt文件).每个名字都换行了.
- 我需要脚本来在AD中搜索这些名称-整个林,而不仅仅是一个域
- 输出应看起来像"samaccountname",并且该帐户所属的组的列表在一行中,因此我可以在excel中对其进行排序
这是我拥有的脚本:
$users = Get-Content C:\users.txt
ForEach ($User in $users) {
$getmembership = Get-ADUser $User.Users -Properties MemberOf | Select -ExpandProperty memberof
$getmembership | Out-File -Append c:\membership.txt
}
但是它抛出了一个错误:
but it throws me an error:
Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At line:4 char:28
+ $getmembership = Get-ADUser <<<< $User.Users -Properties MemberOf | Select -ExpandProperty memberof
+ CategoryInfo : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser
无论如何,此脚本不会搜索整个森林.
Anyway, this script wouldn't search the whole forest.
样本输入列表:
username1
username2
username3
username4... etc
样本输出列表
username1;group1;group2;group3
username2;group1;group2;group3;group4... etc or something similar
任何帮助将不胜感激.
推荐答案
第一:按照目前的情况,$User
变量没有.Users
属性.在您的代码中,$User
仅表示文本文件中的一行(foreach循环中的当前"行).
First: As it currently stands, the $User
variable does not have a .Users
property. In your code, $User
simply represents one line (the "current" line in the foreach loop) from the text file.
$getmembership = Get-ADUser $User -Properties MemberOf | Select -ExpandProperty memberof
其次,我不相信您可以使用一个命令来查询整个林.您将不得不将其分解成较小的块:
Secondly, I do not believe you can query an entire forest with one command. You will have to break it down into smaller chunks:
- 查询林中的域列表
- 为每个域调用
Get-ADUser
(您可能必须通过-Credential
参数指定备用凭据
- Query forest for list of domains
- Call
Get-ADUser
for each domain (you may have to specify alternate credentials via the-Credential
parameter
第三次,以获取用户所属的网上论坛的列表:
Thirdly, to get a list of groups that a user is a member of:
$User = Get-ADUser -Identity trevor -Properties *;
$GroupMembership = ($user.memberof | % { (Get-ADGroup $_).Name; }) -join ';';
# Result:
Orchestrator Users Group;ConfigMgr Administrators;Service Manager Admins;Domain Admins;Schema Admins
第四:要获得所需的最终字符串格式,只需将$User.Name
,分号和$GroupMembership
字符串加在一起:
Fourthly: To get the final, desired string format, simply add the $User.Name
, a semicolon, and the $GroupMembership
string together:
$User.SamAccountName + ';' + $GroupMembership;
这篇关于如何使用输入列表为AD用户列出AD组成员身份?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!