Powershell命令将AD用户组成员身份与基准进行比较 [英] Powershell command to compare AD user group memberships to a baseline

问题描述

我正在尝试找出执行以下操作的逻辑：

I'm trying to figure out the logic to do something like this:

• 查询特定OU中的所有广告组


• 查询特定OU中的所有用户


• 查询所有用户的组成员身份


• 如果有任何用户属于初始组查询中的一个或多个组，输出该信息


• 如果任何用户都不属于初始组查询中的任何组，则也输出该信息

• Query all AD groups in a specific OU
• Query all the users in a specific OU
• Query all the user's group memberships
• If any user belongs to one or more groups in the initial group query, output that information
• If any user belongs to none of the groups in the initial group query, also output that information

我在该网站上进行了挖掘，发现一个脚本在大多数情况下都有效，但是我在如何比较用户的组成员身份方面陷入困境我要提取的原始组查询。看起来我可以使用compare-object cmdlet，但参数似乎不包含任何可以让我跟踪两个对象共有多少组的东西。

I've dug around on this site and found a script that works for the most part, but I'm stuck on how I can compare the user's group membership to the original group query that I'm pulling. It looks like I could use the compare-object cmdlet but the parameters don't seem to include anything that would let me keep track of how many groups the two objects have in common.

我在网上找到的代码如下：

The code I found online is below:

$groups = Get-ADGroup -Filter * | where {$_.distinguishedname -like "*,OU=TUNE_TEST_GROUPS,OU=TUNE_TEST,DC=tune,DC=priv"}
$users = Get-ADUser -Filter * | where {$_.distinguishedname -like "*,OU=TUNE_TEST_USERS,OU=TUNE_TEST,DC=tune,DC=priv"}

foreach ( $User in $Users ) {
    $userGroups =  Get-ADPrincipalGroupMembership $User
    if ( $userGroups.Count -gt 1 ) {
        "{0} is a member of the following {1} groups:" -f $User.SamAccountName, $userGroups.Count
        foreach ( $group in $userGroups ) {
            "`t{0}" -f $group.Name 
        }
    } elseif ( $userGroups.Count -lt 1 ) {
        "{0} is a member of the following {1} groups:" -f $User.SamAccountName, $userGroups.Count
        foreach ( $group in $userGroups ) {
            "`t{0}" -f $group.Name 
        }
      }
}

此问题是我无法将用户组名称与第1行中的组查询名称进行比较。我也无法确定用户属于该列表中有1个或更多组。我不确定是否可以使用相同的计数方法。

The problem with this is that I don't have a way of comparing the user group names to the names of the group query in line 1. I also can't determine that a user belongs to 1 or more groups from that list. I'm not sure if I can use the same count method.

推荐答案

您可以验证帐户是否是至少一个帐户的成员使用 比较对象 ：

You can validate that accounts are member of at least one group from your reference list by using Compare-Object:

foreach ( $User in $Users ) {
    $userGroups =  Get-ADPrincipalGroupMembership $User
    if (!(Compare-Object $userGroups $groups -IncludeEqual -ExcludeDifferent)) {
        "{0} doesn't belong to any reference group." -f $User.SamAccountName
    }
}

---

旁注：使用 -SearchBase 参数而不是过滤 Get-ADUser 的结果，然后 Get-ADGroup 通过专有名称上的通配符匹配：

---

Side note: use the -SearchBase parameter instead of filtering the results of Get-ADUser and Get-ADGroup by a wildcard match on the distinguished name:

$groups = Get-ADGroup -Filter * -SearchBase 'OU=TUNE_TEST_GROUPS,OU=TUNE_TEST,DC=tune,DC=priv' -SearchScope Subtree
$users  = Get-ADUser -Filter * -SearchBase 'OU=TUNE_TEST_USERS,OU=TUNE_TEST,DC=tune,DC=priv' -SearchScope Subtree

这篇关于Powershell命令将AD用户组成员身份与基准进行比较的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！