PowerShell:获取广告组成员并忽略 ForeignSecurityPrincipals 帐户 [英] PowerShell: get-adgroupmember and ignore ForeignSecurityPrincipals account

问题描述

目标是获取组成员并忽略 ForeignSecurityPrincipal 帐户(不删除，只是忽略).该组zzapsdba_c"具有 ForeignSecurityPrincipal 帐户，导致 get-adgroupmember 出错.注意:我需要一个使用 Microsoft Powershell cmdlet 的解决方案.我已经有了使用 get-qadgroupmember(Quest/dell powershell cmdlet)的替代解决方案，我不想使用它，因为它不是原生的.

The objective is to get the group members and ignore the ForeignSecurityPrincipal account (no deletion, just ignore). this group 'zzapsdba_c' has ForeignSecurityPrincipal account which it caused get-adgroupmember to error out. Note: I would need a solution using Microsoft Powershell cmdlets. I already have alternative solution using get-qadgroupmember (Quest/dell powershell cmdlets) which I do not wish to use because it is not native.

我使用的是 powershell，v4.0

I am using powershell, v4.0

这是我失败的代码.

get-adgroupmember zzapsdba_c -server nw

这里是错误:get-adgroupmember :发生了未指定的错误在行:1 字符:1+ get-adgroupmember zzapsdba_c -server nw+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (zzapsdba_c:ADGroup) [Get-ADGroupMember], ADException+ FullQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

here is the error: get-adgroupmember : An unspecified error has occurred At line:1 char:1 + get-adgroupmember zzapsdba_c -server nw + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (zzapsdba_c:ADGroup) [Get-ADGroupMember], ADException + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

推荐答案

您应该能够通过使用获取 members 属性并查找这些专有名称来获取组的成员.像这样:

You should be able to get the members of the group by using getting the members attribute and looking up those distinguishednames. Like this:

Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw

我倾向于通常使用它，因为除非您更改域控制器上的默认 ADWS 配置，否则 Get-AdGroupMember 也可能会遇到包含 1000 多个成员的组的问题.

I tend to use this normally as Get-AdGroupMember can also have problems with groups containing more than 1000 members unless you change the default ADWS configuration on the Domain Controllers.

如果您仍然不想忽略 ForeignSecurityPrincipal 对象，那么这应该可行.

If you still wan't to ignore the ForeignSecurityPrincipal objects then this should work.

Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw | Where-Object { $_.ObjectClass -ne "ForeignSecurityPrincipal" }

这篇关于PowerShell:获取广告组成员并忽略 ForeignSecurityPrincipals 帐户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！