指定所有属性时,Get-ADUser 不返回所有可能的 AD 属性 [英] Get-ADUser not returning all possible AD attributes when specifying all properties
问题描述
我遇到过使用Get-ADUser -Properties * 时未枚举特定属性的情况.例如,以下代码不会列出 msDS-UserPasswordExpiryTimeComputed 属性,即使它存在,我也可以将其指定为 -Properties 参数,让它返回,并且可以处理它的值.
I've run into a case where specific properties are not enumerated when usingGet-ADUser -Properties *. For example the following code does not list themsDS-UserPasswordExpiryTimeComputed property even though it exists and I can specify it as a-Properties argument, have it return, and can process its value.
# Does not return msDS-UserPasswordExpiryTimeComputed
Get-ADUser username -Properties *
# This works to get the msDS-UserPasswordExpiryTimeComputed attribute returned
Get-ADUser username -Properties msDS-UserPasswordExpiryTimeComputed
# If I really want all properties and this one
# I have to specify it alongside *
Get-ADUser username -Properties *, msDS-UserPasswordExpiryTimeComputed
这不仅仅是显示中省略了属性的情况,我需要明确说明 msDS-UserPasswordExpiryTimeComputed 属性,否则它在结果对象上根本不可用.
This isn't just a case of the property being omitted from the display, I need to explicitly state the msDS-UserPasswordExpiryTimeComputed property or else it simply isn't available on the resulting object.
我已经知道在大多数情况下过滤 Properties * 不是一个好主意,但我很好奇为什么 all AD DS 属性在此情况下没有被枚举这正是我要求 cmdlet 执行的操作.
I already know filtering on Properties * isn't a good idea in most cases, but I'm curious about why all AD DS attributes are not enumerated when this is precisely what I am asking the cmdlet to do.
这个问题是关于 Get-ADUser 但与 Get-ADObject cmdlet 的大多数其他行为一样,我假设这种行为扩展到大多数,如果不是全部的话.
This question is asking about Get-ADUser but like most other behaviors with the Get-ADObject cmdlets I assume this behavior extends to most, if not all, of them.
推荐答案
经过一番研究,ADObject 上有多种类型的属性 - Default, Extended 和 Constructed 就是其中的一些例子.
After doing some research, there are multiple types of attributes on an ADObject - Default, Extended, and Constructed are some examples of these.
Default 属性在所有 ADObject 查询匹配特定类型的 ADObject(ADUser 有自己的一组默认属性,ADGroup 有它自己的设置等)
Default properties are returned on all ADObject queries matching a specific type of ADObject (ADUser has its own set of default properties, ADGroup has it's own set, etc.)
Extended 属性默认不返回,而是在 ADObject 上隐式可枚举的静态属性.
Extended properties are not returned by default but are implicitly enumerable static attributes on an ADObject.
Constructed 属性不是静态属性,而是根据属于 ADObject 的其他属性的值计算的.我找不到关于此的任何信息,但我认为枚举所有 Constructed 属性可能是一项昂贵的操作,因为值是计算出来的,因此需要明确请求通过 Get-ADObject cmdlet 的 -Properties 参数.
Constructed attributes are not static properties but are calculated based on the values of other attributes belonging to an ADObject. I could not find any info on this, but I imagine that enumerating all Constructed attributes can be an expensive operation since the values are computed, and as such need to be explicitly requested via the -Properties parameter of the Get-ADObject cmdlets.
这一切似乎都与 ADObject 上的 systemFlags 属性有关,这是设置属性类型的地方.根据我的测试,需要明确指定具有 Constructed (4) 或 Non-Replicated (2) 标志的属性才能从 RSAT cmdlet 返回.
This all seems to be related to the systemFlags attribute on an ADObject, which is where the attribute types are set. From my testing, attributes with either the Constructed (4) or Non-Replicated (2) flag need to be explicitly specified to be returned from the RSAT cmdlets.
msDS-UserPasswordExpiryTimeComputed 文档
列出所有构造属性使用 LDAP 过滤器在 ADObject 上
这篇关于指定所有属性时,Get-ADUser 不返回所有可能的 AD 属性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
