Listing users in ad group recursively with powershell script without CmdLets

Back-end · unresolved · 3 answers · 994 views
终归单人心 2020-12-11 02:19

I'm trying to list everyone in a security group in an active directory without using CmdLets in PowerShell. The weird thing with my script is that it works if I list the en

3 answers
  • 2020-12-11 03:05

    So long as you know the group name, you can run the following (ugly) quasi-one-liner:

    ## List Members in a Group
    $groupname = 'GroupNameHere'
    (New-Object System.DirectoryServices.DirectoryEntry((New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=Group)(name=$($groupname)))")).FindOne().GetDirectoryEntry().Path)).member | % { (New-Object System.DirectoryServices.DirectoryEntry("LDAP://"+$_)) } | Sort-Object sAMAccountName | SELECT @{name="User Name";expression={$_.Name}},@{name="User sAMAccountName";expression={$_.sAMAccountName}}
    

    Also since you rarely do one without the other, I'm also going to include the way to list all groups for a user using the same basic approach:

    ## List Groups for a Username
    $username = 'UsernameHere'
    (New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($username)))")).FindOne().GetDirectoryEntry().memberOf | % { (New-Object System.DirectoryServices.DirectoryEntry("LDAP://"+$_)) } | Sort-Object sAMAccountName | SELECT @{name="Group Name";expression={$_.Name}},@{name="Group sAMAccountName";expression={$_.sAMAccountName}}
    

    Both of these query your current domain and do not require any domain qualification, nor do they require any modules or additional libraries be installed. I also find myself working in a pretty vanilla environment from time-to-time with minimal permissions where I need to search through AD, and I find these two commands help me with that quite a bit.

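Added example (editor's code, not from the answer above): the one-liner above reads a group's `member` attribute one level deep and interpolates the group name straight into the LDAP filter. The script below uses the same System.DirectoryServices classes and no modules, but walks nested groups itself; it escapes the name per RFC 4515 so that a value such as `a)(cn=*` cannot rewrite the query, expands each group DN only once so that circular nesting (A contains B contains A) terminates, and reads `member` in ranges because a domain controller returns at most 1500 values of a multi-valued attribute per read. The bind to the current domain and the group name `GroupNameHere` are assumptions.

```powershell
# Escape a value before it is interpolated into an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterLiteral {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $map = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        if ($map.ContainsKey($s)) { [void]$sb.Append($map[$s]) } else { [void]$sb.Append($s) }
    }
    $sb.ToString()
}

# Bind to an object by DN; a forward slash inside a DN must be written \/ in an ADsPath.
function Get-EntryByDn {
    param([Parameter(Mandatory)][string]$Dn)
    New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($Dn.Replace('/', '\/'))")
}

# Return every DN in a group's member attribute. A plain read stops at the
# server's MaxValRange (1500 on Windows Server 2003 and later), so page through
# it with the member;range=low-high syntax until the server answers with range=low-*.
function Get-MemberDns {
    param([Parameter(Mandatory)][string]$GroupDn)
    $out   = New-Object 'System.Collections.Generic.List[string]'
    $entry = Get-EntryByDn -Dn $GroupDn
    $low   = 0
    while ($true) {
        $attr     = "member;range=$low-$($low + 1499)"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            $entry, '(objectClass=*)', [string[]]@($attr), [System.DirectoryServices.SearchScope]::Base)
        $res = $searcher.FindOne()
        if ($null -eq $res) { break }
        # The server names the attribute after the range it actually returned;
        # an empty group simply has no member attribute in the result.
        $name = $res.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $name) { break }
        foreach ($dn in $res.Properties[$name]) { $out.Add([string]$dn) }
        if ($name.EndsWith('*')) { break }   # last page
        $low += 1500
    }
    $out
}

# Breadth-first walk over nested groups, reporting each non-group member once.
function Get-GroupMembersRecursive {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Search root; the parameterless DirectoryEntry binds to the current domain (assumption).
        [System.DirectoryServices.DirectoryEntry]$Root = (New-Object System.DirectoryServices.DirectoryEntry)
    )
    $filter   = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $GroupName)))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root, $filter, [string[]]@('distinguishedName'))
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "Group '$GroupName' not found under $($Root.Path)" }

    $seen  = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue([string]$hit.Properties['distinguishedname'][0])

    while ($queue.Count -gt 0) {
        $groupDn = $queue.Dequeue()
        if (-not $seen.Add($groupDn)) { continue }      # already expanded: a cycle or a second path
        foreach ($memberDn in Get-MemberDns -GroupDn $groupDn) {
            $member = Get-EntryByDn -Dn $memberDn
            if ($member.SchemaClassName -eq 'group') {
                $queue.Enqueue($memberDn)
                continue
            }
            if ($seen.Add($memberDn)) {                 # a user reachable via several groups is listed once
                [pscustomobject]@{
                    sAMAccountName    = [string]$member.Properties['sAMAccountName'].Value
                    Class             = $member.SchemaClassName   # user, computer, foreignSecurityPrincipal, ...
                    DistinguishedName = $memberDn
                    ViaGroup          = $groupDn
                }
            }
        }
    }
}

# Usage; the group name is a placeholder.
Get-GroupMembersRecursive -GroupName 'GroupNameHere' | Sort-Object sAMAccountName | Format-Table -AutoSize
```

Members that come from a trusted domain show up as `foreignSecurityPrincipal` objects with no `sAMAccountName`; the walk does not cross the trust to resolve them. Primary group membership (normally Domain Users) is not stored in `member` and is therefore not reported by any `member`-based walk.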
  • 2020-12-11 03:07

Here is something working in Active Directory 2003 SP2 and 2008 R2. I use ADSI and Microsoft's LDAP_MATCHING_RULE_IN_CHAIN. It searches recursively (but in one query) for all the users in a group (be careful: it returns users from both security and distribution groups).

    Clear-Host
    # Explicit bind with credentials; server, base DN, user and password are placeholders.
    $dn = New-Object System.DirectoryServices.DirectoryEntry("LDAP://WM2008R2ENT:389/dc=dom,dc=fr","jpb@dom.fr","PWD")
    
    # To find all the users that are members of group "MonGrpPlusSec" (directly or through nested groups):
    # Set the base to the container that holds the users; for example the root DN (dc=societe,dc=fr)
    # Set the scope to subtree
    # Use the following filter, where 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN:
    # (memberOf:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr)
    
    $dsLookFor = New-Object System.DirectoryServices.DirectorySearcher($dn)
    $dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr)(objectCategory=user))"
    $dsLookFor.SearchScope = "subtree"
    $dsLookFor.PageSize = 1000   # page the results; otherwise FindAll() stops at the DC's MaxPageSize (1000 by default)
    $n = $dsLookFor.PropertiesToLoad.Add("cn")
    $n = $dsLookFor.PropertiesToLoad.Add("distinguishedName")
    $n = $dsLookFor.PropertiesToLoad.Add("sAMAccountName")
    
    $lstUsr = $dsLookFor.FindAll()
    foreach ($usrTmp in $lstUsr)
    {
      Write-Host $usrTmp.Properties["samaccountname"]
    }
    $lstUsr.Dispose()   # SearchResultCollection holds an unmanaged handle
    
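Added example (editor's code, not the answer's script): the same single LDAP_MATCHING_RULE_IN_CHAIN query, wrapped in a function that hex-escapes the group DN before it goes into the filter, pages the results so that groups with more than 1000 nested users come back whole, restricts the match to user accounts with `(&(objectCategory=person)(objectClass=user))`, and can drop disabled accounts with the LDAP_MATCHING_RULE_BIT_AND test on `userAccountControl`. The bind to the current domain and the group DN in the usage line are assumptions.

```powershell
function Get-NestedUsersInChain {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [switch]$EnabledOnly,
        # Parameterless DirectoryEntry binds to the current domain (assumption).
        [System.DirectoryServices.DirectoryEntry]$Root = (New-Object System.DirectoryServices.DirectoryEntry)
    )
    # The DN is an assertion value, so filter metacharacters in it must be
    # hex-escaped (RFC 4515). Backslash goes first because the other escapes add one.
    $escaped = $GroupDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC evaluate
    # memberOf transitively; 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND)
    # tests userAccountControl for bit 0x2, ACCOUNTDISABLE.
    $clauses = @(
        '(objectCategory=person)',
        '(objectClass=user)',
        "(memberOf:1.2.840.113556.1.4.1941:=$escaped)"
    )
    if ($EnabledOnly) { $clauses += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' }
    $filter = '(&' + ($clauses -join '') + ')'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    $searcher.Filter      = $filter
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 1000   # without paging FindAll() stops at the DC's MaxPageSize
    foreach ($p in 'sAMAccountName', 'distinguishedName', 'userAccountControl') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $uac = [int]$r.Properties['useraccountcontrol'][0]
            [pscustomobject]@{
                sAMAccountName    = [string]$r.Properties['samaccountname'][0]
                Enabled           = (($uac -band 2) -eq 0)
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds an unmanaged handle
    }
}

# Usage; the group DN is a placeholder taken from the answer above.
Get-NestedUsersInChain -GroupDn 'CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr' -EnabledOnly |
    Sort-Object sAMAccountName | Format-Table -AutoSize
```

Two limits of the chain query are worth knowing: the DC only follows `memberOf` links it holds, so members from a trusted domain (stored as `foreignSecurityPrincipal` objects) are not resolved and are excluded by this filter, and primary group membership is not represented in `memberOf` at all.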
  • 2020-12-11 03:12

    This will get all members of the domain Administrators group, including nested members (requires .NET 3.5).

    $Recurse = $true
    
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $group=[System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,'Administrators')
    $group.GetMembers($Recurse)
    