List AD users who do not belong to one of several groups


Question

First up, I am not a script writer, so I apologise if this sounds like a real newbie question.

I am trying to write a Powershell query to list all user accounts within a certain OU sub-tree who do not belong to at least one of 4 groups.

As far as I can tell you cannot query this directly on the AD User object, so you need to iterate through the groups to get the membership, but I'm not clear on how to go about this across multiple groups.

I have put together a script that can find all users, add them to a temporary group and then remove them if they belong to one of the four other groups, but this looks like a horrible way to approach it, so I am hoping someone has a better solution.

Here's what I currently have (don't laugh) :-(

Import-Module ActiveDirectory
$groupname = "TempGroup"
# the four groups whose members should be excluded (each needs its own variable)
$excludegroup1 = "Group1"
$excludegroup2 = "Group2"
$excludegroup3 = "Group3"
$excludegroup4 = "Group4"
# collect every user in the OU sub-tree and put them in the temporary group
$users = Get-ADUser -Filter * -SearchBase "ou=xxx,dc=xxx,dc=xxx" -SearchScope Subtree
foreach($user in $users)
{
  Add-ADGroupMember -Identity $groupname -Member $user.samaccountname -ErrorAction SilentlyContinue
}
# remove anyone who is a member of one of the excluded groups; what is left
# in the temporary group are the users who belong to none of them
$members = Get-ADGroupMember -Identity $groupname
$excludemembers = Get-ADGroupMember -Identity $excludegroup1
foreach($member in $excludemembers)
{
 Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$members = Get-ADGroupMember -Identity $groupname
$excludemembers = Get-ADGroupMember -Identity $excludegroup2
foreach($member in $excludemembers)
{
 Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$members = Get-ADGroupMember -Identity $groupname
$excludemembers = Get-ADGroupMember -Identity $excludegroup3
foreach($member in $excludemembers)
{
 Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$members = Get-ADGroupMember -Identity $groupname
$excludemembers = Get-ADGroupMember -Identity $excludegroup4
foreach($member in $excludemembers)
{
 Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}

All help gratefully accepted.

Solution

All users, computers, groups and contacts (and possibly other objects) in Active Directory have a property called memberof. This property contains the distinguished names of all groups from the whole forest that this entity is a member of, as the attribute's name implies.

Given this information, you can now construct an ldap search query to find all entities that are not members of at least one of those groups:

(!(|(memberof=CN=Group1,dc=domain,dc=com)(memberof=CN=Group2,dc=domain,dc=com)(memberof=CN=Group3,dc=domain,dc=com)(memberof=CN=Group4,dc=domain,dc=com)))

Other conditions may be included as necessary.

If you need to obtain the distinguished names of those groups first, you can either hard-code them in your filter or do a normal Powershell search for the groups and then read their distinguished names.

You can use the ldap query via the command's -LDAPFilter parameter.
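The following is an added example, not code from the question or the answer: it resolves the group names to distinguished names, builds the memberOf filter from them, and passes it to Get-ADUser -LDAPFilter. It goes one step beyond the answer by using the transitive matching rule so that users who belong only through a nested group are also counted as members. The OU, domain and group names are placeholders.

```powershell
# Added example (not from the original question or answer). Assumptions:
# the OU below is the sub-tree to scan and the four names are group sAMAccountNames.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'            # placeholder OU
$GroupNames = 'Group1', 'Group2', 'Group3', 'Group4'  # placeholder group names

# Escape a value for use inside an LDAP filter (RFC 4515) so a DN containing
# parentheses, asterisks or backslashes cannot change the filter's meaning.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Resolve each group to its distinguishedName instead of hard-coding DNs.
$GroupDns = foreach ($name in $GroupNames) {
    (Get-ADGroup -Identity $name).DistinguishedName
}

# memberOf:1.2.840.113556.1.4.1941:= is the transitive (in-chain) matching rule,
# so membership through nested groups also matches. Replace it with a plain
# "memberOf=" to match direct membership only, as in the answer's filter.
$Clauses = $GroupDns | ForEach-Object {
    "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $_))"
}

# Restrict to user objects, then negate the OR of all group clauses.
$Filter = "(&(objectCategory=person)(objectClass=user)(!(|$($Clauses -join ''))))"

Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $Filter -Properties memberOf |
    Select-Object SamAccountName, DistinguishedName
```

Note that memberOf never lists a user's primary group (normally Domain Users), so if one of the four groups is used as a primary group, check primaryGroupID as well.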
