Check if the user is a member of a list of AD groups

末鹿安然 submitted on 2020-03-22 04:06:34

Question


$groups = 'group1', 'group2'....

I need to check if the user is in a specific AD group and echo the group name if he is not; can I do it in the pipeline?

I have googled a lot and cannot find anything, maybe I am too bad at Google search in English :).

$groups |
    Get-QADGroupMember |
    Get-QADUser -SamAccountName 'lalala' | ForEach-Object {
        if ($_.SamAccountName -ne $null) {
            Write-Host "ok"
        } else {
            Write-Host 'not ok'
        }
    }

How can I display: not ok. user is not in group_name?


Answer 1:


The question is why do you want to use the pipeline when just looping through the results is so easy?

To check if a user is a member of a list of groups:

$user = "TestUsername"
$groups = 'Domain Users', 'Domain Admins'

foreach ($group in $groups) {
    # -Recursive expands nested groups, so $members holds every user with effective membership
    $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName

    # -contains is case-insensitive by default, matching how AD treats sAMAccountName
    If ($members -contains $user) {
        Write-Host "$user is a member of $group"
    } Else {
        Write-Host "$user is not a member of $group"
    }
}

And for multiple users:

$users = "TestUsername1", "TestUsername2", "TestUsername3"
$groups = 'Domain Users', 'Domain Admins'

foreach ($user in $users) {
    foreach ($group in $groups) {
        # Note: this re-queries each group once per user; fetch the membership outside the
        # inner loop if the user list is long
        $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName

        If ($members -contains $user) {
            Write-Host "$user is a member of $group"
        } Else {
            Write-Host "$user is not a member of $group"
        }
    }
}
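The asker wanted the check to run in the pipeline and to print "not ok. user is not in group_name" only for the groups the user is missing. The following function does that; it is an added example and not code from the answer above. It assumes the ActiveDirectory (RSAT) module and a reachable domain controller, and the user and group names are placeholders. Instead of enumerating each group's members, it issues a single LDAP query with the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which returns every group the user belongs to, nested membership included, and then compares each piped-in group name against that list.

```powershell
# Added example (not from the original answer). Requires the ActiveDirectory module.
function Test-ADGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName,

        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$GroupName
    )

    begin {
        Import-Module ActiveDirectory -ErrorAction Stop
        $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

        # Escape the DN for use inside an LDAP filter (RFC 4515): backslash first,
        # then parentheses and asterisk, so a DN like "CN=Doe\, John,..." is safe.
        $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

        # One query resolves the user's effective (transitive) group membership.
        $memberOf = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            Select-Object -ExpandProperty SamAccountName
    }

    process {
        $isMember = $memberOf -contains $GroupName
        if ($isMember) {
            $message = 'ok'
        } else {
            $message = "not ok. $SamAccountName is not in $GroupName"
        }

        # Emit an object per group so callers can filter or export instead of parsing text.
        [pscustomobject]@{
            User     = $SamAccountName
            Group    = $GroupName
            IsMember = $isMember
            Message  = $message
        }
    }
}

# Usage: placeholder user and group names; prints a line only for groups the user is missing.
'group1', 'group2' |
    Test-ADGroupMembership -SamAccountName 'lalala' |
    Where-Object { -not $_.IsMember } |
    ForEach-Object { Write-Host $_.Message }
```

Because membership is fetched once in the `begin` block, piping in a long list of groups costs one LDAP round trip rather than one per group, and the result reflects nested membership, which is what matters when auditing whether an account has effective access through a privileged group. Pipe the objects to `Export-Csv` if the check feeds a periodic access review rather than a console.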



Answer 2:


If your server doesn't have the Active Directory PowerShell feature installed on it, you can use this method. Here I'm checking if a domain group is part of the local administrators group on the server, but you can just change the GroupPrincipal to UserPrincipal and supply the username if you want to check if a user belongs to a group. Also, if the group is a domain group, then use the $domainContext for both FindByIdentity calls.

function Test-DomainGroupIsMemberOfLocalAdministrators([string] $domainName, [string] $domainGroupName)
{
    Add-Type -AssemblyName 'System.DirectoryServices.AccountManagement'
    # One context for the domain the group lives in, one for the local machine's SAM
    $domainContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new([System.DirectoryServices.AccountManagement.ContextType]::Domain, $domainName)
    $localMachineContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new([System.DirectoryServices.AccountManagement.ContextType]::Machine)
    $domainGroup = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($domainContext, $domainGroupName)
    $localAdministratorsGroup = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($localMachineContext, "Administrators")

    # FindByIdentity returns $null when the principal does not exist; compare with $null on the left
    # so a collection result cannot change the comparison's meaning
    if ($null -ne $domainGroup)
    {
        if ($domainGroup.IsMemberOf($localAdministratorsGroup))
        {
            return $true
        }
    }
    return $false
}
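The answer above says to switch GroupPrincipal to UserPrincipal to test a user instead of a group. Here is that variant as an added example, not part of the original answer: it uses the same System.DirectoryServices.AccountManagement assembly, so it works on a server without the RSAT ActiveDirectory module, and checks one user against a list of domain groups. The domain name, user name and group names are placeholders. It calls GetAuthorizationGroups, which resolves membership through the account's security token and therefore includes nested groups, rather than GetGroups, which returns direct membership only.

```powershell
# Added example (not from the original answer). Needs no RSAT module, only .NET.
function Get-UserGroupMembershipReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $DomainName,
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $GroupNames
    )

    Add-Type -AssemblyName 'System.DirectoryServices.AccountManagement'
    $am = 'System.DirectoryServices.AccountManagement'

    $domainContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName)

    try {
        # Look the user up by sAMAccountName explicitly rather than letting FindByIdentity guess the identity type
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $domainContext,
            [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName,
            $SamAccountName)

        if ($null -eq $user) {
            throw "User '$SamAccountName' was not found in domain '$DomainName'"
        }

        try {
            # Effective membership (nested and universal groups) from the token, not just direct memberOf
            $effectiveGroups = $user.GetAuthorizationGroups() |
                ForEach-Object { $_.SamAccountName } |
                Where-Object { $_ }   # some well-known SIDs carry no sAMAccountName; drop them

            foreach ($group in $GroupNames) {
                [pscustomobject]@{
                    User     = $SamAccountName
                    Group    = $group
                    IsMember = ($effectiveGroups -contains $group)
                }
            }
        }
        finally {
            $user.Dispose()
        }
    }
    finally {
        $domainContext.Dispose()
    }
}

# Usage with placeholder names: list the privileged groups the user is NOT in.
Get-UserGroupMembershipReport -DomainName 'corp.example' -SamAccountName 'lalala' -GroupNames 'Domain Admins', 'Server Operators' |
    Where-Object { -not $_.IsMember } |
    ForEach-Object { Write-Host "not ok. $($_.User) is not in $($_.Group)" }
```

GetAuthorizationGroups requires a connection to a domain controller and can fail if a group's SID cannot be resolved (for example a group from a trusted domain that is unreachable), so wrap the call in a try/catch if the report runs unattended. Disposing the principal and context releases the underlying LDAP connections, which matters when the function is called in a loop over many users.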


Source: https://stackoverflow.com/questions/46295416/check-if-the-user-is-a-member-of-a-list-of-ad-groups
