Get-ADUser - find both ForeignSecurityPrincipals and users of a subDomain


Question


We have a (2 way) trust relationship between 2 forests:


  1. acme.com

  2. someOtherForest.com


We have several subDomains in forest acme.com


  1. domain1.acme.com

  2. domain2.acme.com


I have (nested) groups in domain1.acme.com that contain both users in domain2.acme.com and foreignSecurityPrincipals from someOtherForest.com.



I have been using the following script to output all the members from a given group (recursively). It outputs foreignSecurityPrincipals as well as domain1 users perfectly fine, but errors on members who are from domain2:

# SearchBase is the group's own DN, so this returns that one group
$Groups = Get-ADGroup -Properties * -Filter * -SearchBase "CN=app-users,OU=app,DC=domain1,DC=acme,DC=com"

Foreach($G In $Groups) {
    # Get-ADUser queries the local domain (domain1) by default, so members from domain2 error here
    $members = Get-ADGroupMember $G -recursive | Get-ADUser -Properties Mail |Select-Object DistinguishedName,sAMAccountName, Mail | 
    Export-CSV -Path C:\output.csv -NoTypeInformation
}


If I add -server dc1:3268 (the GC of the DC) to the Get-AdUser section, then domain2 members are output fine, however it errors on foreignSecurityPrincipals.


Is there a way to output both foreignSecurityPrincipals and members from all subDomains of acme.com?

Answer


You're on the right track with using the GC port since that will take care of your forest.


But the problem is still the Foreign Security Principals. The documentation for Get-ADGroupMember says that it outputs "principal objects that represent users, computers or groups". So it'll only work for those three types of objects, not Foreign Security Principals.


That of course makes things a little more difficult for two reasons:



  1. You don't have the ability to use the -Recursive property, so you have to handle that manually.
  2. You still have to resolve the Foreign Security Principals.


This tipped me off that we can use Get-ADObject instead.


I was bored, so I wrote this for you. We do have a similar setup of domains here, so I was able to test it. But keep in mind that the domains are hard-coded. It assumes any foreign security principal will be on that one domain and not any other. So make sure you update the domain names (3 places).


It resolves the external accounts by taking the objectSid from the Foreign Security Principal, which is actually the SID of the account on the external domain, and using that to look up the user on that domain.

function Get-Members {
    param([Microsoft.ActiveDirectory.Management.ADGroup]$group)
    # Resolve the DNs in the Members attribute through the GC (port 3268) so objects
    # from every domain in the acme.com forest are found, not just domain1
    $members = $group | Select-Object -ExpandProperty Members | Get-ADObject -Server dc1:3268 -Properties Mail,SamAccountName,objectSid,ObjectClass
    $returnMembers = New-Object System.Collections.ArrayList

    foreach ($member in $members) {
        if ($member.ObjectClass -eq "ForeignSecurityPrincipal") {
            # The FSP's objectSid is the SID of the real account in the trusted forest,
            # so look the account up there (domain name is hard-coded; change it)
            $returnMembers.Add((Get-ADUser -Server someOtherForest.com $member.objectSid -Properties Mail,SamAccountName)) | Out-Null
        } elseif ($member.ObjectClass -eq "Group") {
            # Nested group: recurse manually, since -Recursive is not available with Get-ADObject
            $nestedMembers = (Get-Members ($member | Get-ADGroup -Properties Members))
            if ($nestedMembers) {
                # PowerShell unrolls a one-element result into a single object, so Add vs AddRange
                if ($nestedMembers.Count -gt 1) {
                    $returnMembers.AddRange($nestedMembers) | Out-Null
                } else {
                    $returnMembers.Add($nestedMembers) | Out-Null
                }
            }
        } else {
            # User or computer from any acme.com domain
            $returnMembers.Add($member) | Out-Null
        }
    }
    return $returnMembers
}

# Also read the group itself through the GC; -SearchBase is the group's own DN, so one group is returned
$Groups = Get-ADGroup -Server dc1:3268 -Properties Members -Filter * -SearchBase "CN=app-users,OU=app,DC=domain1,DC=acme,DC=com"

Foreach($G In $Groups) {
    $members = Get-Members $G |Select-Object DistinguishedName,sAMAccountName, Mail | 
        Export-CSV -Path C:\output.csv -NoTypeInformation
}
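The three places where the answer's script breaks in practice are the hard-coded trusted domain, the assumption that every ForeignSecurityPrincipal is a user, and the unguarded recursion. The following is an added example, not code from the question or the answer. It derives the DC to query from each object's DN (so no domain name is hard-coded and the global catalog is not needed), translates each FSP's SID through LSA to learn which trusted domain owns it, resolves foreign groups as well as users, reports well-known SIDs (S-1-5-11, Authenticated Users, is also stored under CN=ForeignSecurityPrincipals) and orphaned SIDs instead of erroring on them, and tracks visited groups so circular nesting cannot loop. It assumes the RSAT ActiveDirectory module, that this host can reach a DC of each domain by DNS name, and that the trusts permit SID-to-name translation; the function names are my own.

```powershell
# Added example, not code from the original question or answer.
# Assumes: RSAT ActiveDirectory module; a DC of every domain involved reachable by
# DNS name; trusts that allow SID-to-name translation through LSA on this host.
Import-Module ActiveDirectory

# Derive "domain1.acme.com" from "...,DC=domain1,DC=acme,DC=com". Pure string work.
# Escaped commas inside a CN never appear in DC= components, so splitting is safe.
function ConvertFrom-DnToDomain {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dc = ($DistinguishedName -split ',') |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { $_ -replace '^\s*DC=', '' }
    return ($dc -join '.')
}

# Classify an FSP's SID before querying anything. Well-known SIDs such as S-1-5-11
# have no account to look up; an account SID that no longer translates is an
# orphaned FSP (principal deleted in the trusted forest, membership left behind).
function Resolve-ForeignSid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]::new($Sid)   # throws on malformed input
    if (-not $s.IsAccountSid()) {
        return [pscustomobject]@{ Kind = 'WellKnown'; Domain = $null; Object = $null; Sid = $Sid }
    }
    try {
        $nt = $s.Translate([System.Security.Principal.NTAccount]).Value   # "DOMAIN\name"
    } catch {
        return [pscustomobject]@{ Kind = 'Orphaned'; Domain = $null; Object = $null; Sid = $Sid }
    }
    $domain = $nt.Split('\')[0]   # NetBIOS name of the owning domain; -Server accepts it
    # Filter on objectSid so a foreign group or computer resolves too (Get-ADUser would
    # fail on those). $Sid passed the SecurityIdentifier constructor, so it cannot
    # carry filter metacharacters.
    $obj = Get-ADObject -Server $domain -Filter "objectSid -eq '$Sid'" -Properties objectClass,objectSid,mail,sAMAccountName
    return [pscustomobject]@{ Kind = $obj.objectClass; Domain = $domain; Object = $obj; Sid = $Sid }
}

function New-MemberRecord {
    param($Object, [string]$Class, [string]$Domain, [string]$Via)
    [pscustomobject]@{
        Domain            = $Domain
        ObjectClass       = $Class
        sAMAccountName    = $Object.sAMAccountName
        Mail              = $Object.mail
        DistinguishedName = $Object.DistinguishedName
        Via               = $Via      # the group this membership was reached through
    }
}

# Walk a group to its effective members. Each group is expanded on a DC of its own
# domain, so the member attribute is always complete; $Visited stops cycles.
function Get-EffectiveMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    )
    if (-not $Visited.Add($GroupDN)) { return }     # already expanded, or a circular nesting
    $domain = ConvertFrom-DnToDomain $GroupDN
    $group  = Get-ADGroup -Server $domain -Identity $GroupDN -Properties member
    foreach ($dn in $group.member) {
        $m = Get-ADObject -Server (ConvertFrom-DnToDomain $dn) -Identity $dn -Properties objectClass,objectSid,mail,sAMAccountName
        switch ($m.objectClass) {
            'group' {
                Get-EffectiveMembers -GroupDN $m.DistinguishedName -Visited $Visited
            }
            'foreignSecurityPrincipal' {
                $r = Resolve-ForeignSid $m.objectSid.Value
                if ($r.Kind -eq 'group') {
                    Get-EffectiveMembers -GroupDN $r.Object.DistinguishedName -Visited $Visited
                } elseif ($r.Object) {
                    New-MemberRecord -Object $r.Object -Class $r.Kind -Domain $r.Domain -Via $GroupDN
                } else {
                    # Keep orphaned and well-known FSPs in the output: an access review
                    # needs to see them, and the FSP's DN carries the raw SID.
                    New-MemberRecord -Object $m -Class $r.Kind -Domain $null -Via $GroupDN
                }
            }
            default {
                New-MemberRecord -Object $m -Class $m.objectClass -Domain (ConvertFrom-DnToDomain $dn) -Via $GroupDN
            }
        }
    }
}

Get-EffectiveMembers -GroupDN 'CN=app-users,OU=app,DC=domain1,DC=acme,DC=com' |
    Sort-Object DistinguishedName -Unique |
    Export-Csv -Path C:\output.csv -NoTypeInformation
```

Sort-Object -Unique collapses a principal reached through several nested paths; drop it if the Via column should show every path. If Translate() fails for every foreign SID, check where the script runs first: an IdentityNotMappedException for all of them means the trust is not resolvable from this host, not that every FSP is orphaned.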
