Check if AD User was part of the AD Group which could be in its sub group


Problem description

I would like to query whether a user was part of a group. The issue here is that it is sometimes hard to identify whether he was part of it, because he could be in many levels of the group's subgroups.

For example, if I wanted to check if a user was in "All Sales Users", he could be in the subgroup of "All Sales Users" > "Sales US" > "Sales SJ" > "Prod A" > "Item B".

The issue is that there are many subgroups, all of which I had to open to search for him. How do I know whether he was part of "All Sales Users"? Best if the query could show the hierarchy.

I tried PowerShell but it just shows the memberof. Not sure how to help on this.

Solution

A recursive PowerShell implementation; it assumes you have the ActiveDirectory PowerShell module installed. It will return the Common Name of all groups the user is a member of, including nested ones, so in your example all 5 groups will be returned.

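function findGroup($n){
    # Resolve the group from a DN, a name or an ADGroup object.
    $g = Get-ADGroup $n;
    # Copy the DN into a plain variable: -Filter does not reliably expand
    # property expressions such as $g.DistinguishedName.
    $dn = $g.DistinguishedName
    # Groups that list this group as a direct member, i.e. its parents.
    $parents = Get-ADGroup -Filter {Members -eq $dn}
    if($null -eq $parents){
        # No parent: this is the top of the chain.
        return $g.Name;
    }
    else{
        # Emit this group, then walk up through each parent.
        $g.Name;
        $parents | % { findGroup $_ }
    }
}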

And a second function to utilise the first one:

function findUsersGroup($userName){
    # memberof holds the DNs of the groups the user belongs to directly.
    $u = (Get-ADUser $userName -Properties memberof).memberof
    $u | % { findGroup $_}
}

So if you paste the above 2 functions into your PowerShell window you can run

PS C:\> findUsersGroup raf

Which will return a list of groups the user is a member of, including hierarchy:

insideinsidetopgroup
insidetopgroup
topgroup
othergroup
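
The following is an added example, not part of the original answer: it goes one step further than listing every group by answering the yes/no question for one target group and printing the nesting chain, with a guard against circular group nesting. The function names `Test-NestedMember` and `Find-MembershipPath`, the `-GetParents` parameter and the sample DNs are hypothetical; the sample directory is constructed so the walk can be run without a domain.

```powershell
# Added example. Live use assumes the ActiveDirectory module; memberOf never lists the primary group.
function Test-NestedMember([string]$UserDn, [string]$GroupDn) {
    # Rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the domain
    # controller follow nesting itself. Escape \ * ( ) in $GroupDn before building the filter.
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn)"
    [bool](Get-ADUser -LDAPFilter $filter -SearchBase $UserDn -SearchScope Base)
}

function Find-MembershipPath {
    param(
        [Parameter(Mandatory)][string]$StartDn,   # DN of the user
        [Parameter(Mandatory)][string]$TargetDn,  # DN of the group being checked
        # Returns the direct parent group DNs of one object; the default reads memberOf from AD.
        [scriptblock]$GetParents = { param($dn) (Get-ADObject -Identity $dn -Properties memberOf).memberOf }
    )
    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Queue]::new()
    $queue.Enqueue(@($StartDn))
    while ($queue.Count -gt 0) {
        $path = @($queue.Dequeue())
        foreach ($parent in @(& $GetParents $path[-1])) {
            # Skip empty results and groups already visited (guards against circular nesting).
            if (-not $parent -or -not $seen.Add($parent)) { continue }
            $next = $path + $parent
            if ($parent -eq $TargetDn) {
                [array]::Reverse($next)        # print from the top group down to the user
                return ($next -join ' > ')
            }
            $queue.Enqueue($next)
        }
    }
    return $null   # not a member at any depth
}

# Constructed sample (child DN -> direct parent DNs), including a loop back to a child group.
$sample = @{
    'CN=raf'      = @('CN=Item B')
    'CN=Item B'   = @('CN=Prod A')
    'CN=Prod A'   = @('CN=Sales SJ')
    'CN=Sales SJ' = @('CN=Sales US')
    'CN=Sales US' = @('CN=All Sales Users', 'CN=Item B')
}
Find-MembershipPath -StartDn 'CN=raf' -TargetDn 'CN=All Sales Users' -GetParents { param($dn) $sample[$dn] }
```

Against a real domain, omit `-GetParents` and pass full distinguished names; `Test-NestedMember` gives the quick yes/no answer when the chain itself is not needed.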
