在PowerShell中将ForeignSecurityPrincipals解析为distinguishedName [英] resolve ForeignSecurityPrincipals to distinguishedName in PowerShell

问题描述

我有一个 ForeignSecurityPrincipals ，需要将其解析为 distinguishedName ，但不确定如何。

I have a ForeignSecurityPrincipals and need to resolve it to the distinguishedName but am not sure how.

我有以下代码来获取 NTAccount ：

$m = "CN=S-1-1-11-1111111111-1111111111-1111111111-1111111,CN=ForeignSecurityPrincipals,DC=one,DC=two,DC=company,DC=com"
$member = [ADSI]("LDAP://" + $m)
$sid = New-Object System.Security.Principal.SecurityIdentifier ($member.objectSid[0], 0)
$sid.Translate([System.Security.Principal.NTAccount]).value

推荐答案

您可以使用SID绑定到对象（然后获取 distinguishedName ），但是您至少必须知道DNS的名称。域：

You can bind to an object using the SID (and then get the distinguishedName), but you have to know at least the DNS name of the domain:

$user = [ADSI]"LDAP://$domaindns/<SID=$($sid.Value)>"

要获取域的DNS名称，您需要检查域拥有的所有信任并进行存储列表中域的DNS名称和SID。然后，您可以将用户SID的域部分与列表匹配，并获取DNS名称（用户的SID将以域的SID开头）。

To get the DNS name of the domain, you need to examine all the trusts your domain has and store the DNS name and the SID of the domain in a list. Then you can match the domain portion of the user's SID with your list and get the DNS name (a user's SID will start with the domain's SID).

此页面具有一些有关提取所有信任关系的信息，但是他最终使用的方法是WMI，根据您的权限，该方法可能不起作用。它不适合我。您可以使用ADSI进行相同操作，但我还没有完成。至少是一个起点。

This page has some info on pulling all of the trusts, but the method he ends up using is WMI, which may not work, depending on your permissions. It didn't for me. You can do the same with ADSI, but I haven't done it. It's a starting point at least.

更新：

您可以尝试一下：

$DomainSIDList = @{}

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

#Get trusts from each domain in the forest -- this will include forest trusts
ForEach($Domain in $Forest.Domains) {
    $adsisearcher = New-Object system.directoryservices.directorysearcher
    $adsisearcher.SearchRoot = [ADSI]"LDAP://CN=System,$($Domain.GetDirectoryEntry().distinguishedName)"
    $adsisearcher.Filter = "(objectclass=trustedDomain)"
    ForEach($ExtDomain in $adsisearcher.FindAll()) {
        $name = $ExtDomain.Properties["name"][0]
        "Found $($name)"
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($ExtDomain.Properties["securityidentifier"][0], 0)
        if (-not $DomainSIDList.Contains($sid.Value)) {
            "Adding $($sid.Value), $($name)"
            $DomainSIDList.Add($sid.Value, $name)
        }
    }
}

运行后， $ DomainSIDList 将包含受信任域的列表。它会包含林中所有您不需要的域，但这并不是什么大问题。

Once that runs, $DomainSIDList will contain a list of trusted domains. It'll contain all the domains in the forest, which you don't really need, but that's not a big deal.

这篇关于在PowerShell中将ForeignSecurityPrincipals解析为distinguishedName的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！