如何使用输入列表为AD用户列出AD组成员身份? [英] How to list AD group membership for AD users using input list?

问题描述

我是新手PS用户...正在寻求有关Powershell脚本的帮助以获取用户所属的安全组列表.

I'm fairly new PS user... Looking for some assistance with a powershell script to obtain list of security groups user is member of.

描述我所需要的:

• 我有许多用户(samaccountnames)的输入列表(txt文件).每个名字都换行了.
• 我需要脚本来在AD中搜索这些名称-整个林，而不仅仅是一个域
• 输出应看起来像"samaccountname"，并且该帐户所属的组的列表在一行中，因此我可以在excel中对其进行排序

这是我拥有的脚本:

$users = Get-Content C:\users.txt

ForEach ($User in $users) {
  $getmembership = Get-ADUser $User.Users -Properties MemberOf | Select -ExpandProperty memberof
  $getmembership | Out-File -Append c:\membership.txt 
}

但是它抛出了一个错误:

but it throws me an error:

Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At line:4 char:28
+ $getmembership = Get-ADUser <<<<  $User.Users -Properties MemberOf | Select -ExpandProperty memberof
    + CategoryInfo          : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser

无论如何，此脚本不会搜索整个森林.

Anyway, this script wouldn't search the whole forest.

样本输入列表:

username1
username2
username3
username4... etc

样本输出列表

username1;group1;group2;group3
username2;group1;group2;group3;group4... etc or something similar

任何帮助将不胜感激.

推荐答案

第一:按照目前的情况，$User变量没有.Users属性.在您的代码中，$User仅表示文本文件中的一行(foreach循环中的当前"行).

First: As it currently stands, the $User variable does not have a .Users property. In your code, $User simply represents one line (the "current" line in the foreach loop) from the text file.

$getmembership = Get-ADUser $User -Properties MemberOf | Select -ExpandProperty memberof

其次，我不相信您可以使用一个命令来查询整个林.您将不得不将其分解成较小的块:

Secondly, I do not believe you can query an entire forest with one command. You will have to break it down into smaller chunks:

1. 查询林中的域列表
2. 为每个域调用Get-ADUser(您可能必须通过-Credential参数指定备用凭据

1. Query forest for list of domains
2. Call Get-ADUser for each domain (you may have to specify alternate credentials via the -Credential parameter

第三次，以获取用户所属的网上论坛的列表:

Thirdly, to get a list of groups that a user is a member of:

$User = Get-ADUser -Identity trevor -Properties *;
$GroupMembership = ($user.memberof | % { (Get-ADGroup $_).Name; }) -join ';';

# Result:
Orchestrator Users Group;ConfigMgr Administrators;Service Manager Admins;Domain Admins;Schema Admins

第四:要获得所需的最终字符串格式，只需将$User.Name，分号和$GroupMembership字符串加在一起:

Fourthly: To get the final, desired string format, simply add the $User.Name, a semicolon, and the $GroupMembership string together:

$User.SamAccountName + ';' + $GroupMembership;

这篇关于如何使用输入列表为AD用户列出AD组成员身份?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！