PowerShell and ActiveDirectory module - Find Users that are not members of particular groups

坚强是说给别人听的谎言, submitted on 2021-02-07 06:47:56

Question


In the last week, I have come across PowerShell and ActiveDirectory for the first time. I would like to be able to find a list of users that aren't Admins or Domain Admins.

So far, I know how to get all the properties for all ActiveDirectory users with the following command/statement:

Get-ADUser -Filter * -Properties *

What I would like to do is to print out just the usernames of current ActiveDirectory users - that are not Admins or Domain Admins.

Here is some pseudocode/Powershell code of what I am trying to do:

$users = Get-ADUser -Filter * -Properties *
foreach($u in $users){
    if ($u isn't an administrator OR $u isn't a domain administrator){ 
        Write-Host "User Name:" $u.Name
    }
}

When I run the Get-ADUser -Filter * -Properties * command, I am seeing the MemberOf property for each user - which I'm thinking may be a clue. I have also heard of AdminCount from various sources found via Google (is there something called DomainAdminCount ?).

I have been asked specifically to not use the PowerShell extension for ActiveDirectory - even though various sources say having this extension will make it easier.

I have spent about 2 hours testing various combinations of statements, but my novice PowerShell status isn't helping me too much. I would be grateful for any assistance, and some clear explanations behind any feedback.


Answer 1:


That's a pretty easy task, and you do not need to retrieve all users first and loop:

$DomainsAdminsDn = (Get-ADGroup 'Domain Admins').DistinguishedName
Get-ADUser -Filter { -not (memberof -eq $DomainsAdminsDn) }
# OR
Get-ADUser -LDAPFilter "(!(memberof=$DomainsAdminsDn))"

You can do the same with any other group.

EDIT: Reversed queries, to return accounts that are not in group(s). BTW, this won't work:

Get-ADUser -Filter { memberof -ne $DomainsAdminsDn }

It will skip over all accounts that are not members of any group other than the default one.




Answer 2:


I used a little bit of what everyone contributed, and tweaked it. I needed to find out who wasn't a part of a group, and I only needed their name. Let me know if this helped you out.

$Internet_Users = Get-ADGroup -Filter {Name -like "Internet_Users" }
Get-ADUser -Filter { -not (memberof -eq $Internet_Users) -and (enabled -eq "True" -and objectclass -eq "user")} |Select Name | Export-CSV "C:\Users\YOURNAME\Documents\Enabled_Users_Without_Internet_Users_Group.csv"  



Answer 3:


With some very helpful feedback from BartekB, I was able to achieve the solution below:

## Distinguished name of the "Domain Admins" group
$DomainsAdminsDn = (Get-ADGroup 'Domain Admins').DistinguishedName

## Distinguished name of the "Administrators" group
$AdministratorsDn = (Get-ADGroup 'Administrators').DistinguishedName

## This line will get all the users that are not "Domain Administrators" or "Administrators".
## -not (... -eq ...) is used rather than -ne: -ne skips accounts that are in no group other than their default one (see Answer 1).
Get-ADUser -Filter { -not (memberOf -eq $AdministratorsDn) -and -not (memberOf -eq $DomainsAdminsDn) }

For the last line, I wanted to combine the two variables to make the filtering more specific (i.e. look for users that are not Administrators OR Domain Administrators). I had to spend about 10 minutes digging around for the PowerShell equivalent of the && operator - which was just as I suspected.




Answer 4:


Turns out that "Domain Users" is handled specially, so if you try to find people not in that group it won't work.

Based off code from: http://powershell.org/wp/forums/topic/find-users-not-in-a-group/

Import-Module ActiveDirectory
$users = Get-ADUser -Filter {Enabled -eq $true} -Properties MemberOf, PrimaryGroup
$dugDn = (Get-ADGroup "Domain Users").DistinguishedName
foreach ($user in $users)
{
    Write-Verbose "Working on $($user.Name)"
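    # Flatten MemberOf and PrimaryGroup into one list; "$user.MemberOf, $user.PrimaryGroup"
    # would nest the MemberOf collection as a single element, so -NotContains could never match inside it.
    $groups = @($user.MemberOf) + $user.PrimaryGroup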
    if ($groups -NotContains $dugDn)
    {
        Write-Host "$($user.SamAccountName) not in the domain users group"
    }
}
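
The question asks for a way to do this without the ActiveDirectory module. The following is an added example, not part of any answer in the thread: it builds the negated memberOf LDAP filter that Answer 1 uses, for several groups at once, escapes each group DN for use inside a filter, and runs it through [adsisearcher]. The function names and the example.com group DNs are assumptions made for illustration.

```powershell
# Added example, not code from the original thread.
# Function names are hypothetical; the group DNs are constructed sample values.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value, so a DN
    # such as "CN=Ops (EU),..." cannot break or change the meaning of the filter.
    param([Parameter(Mandatory = $true)][string]$Value)
    # The backslash is replaced first so the escapes added afterwards stay intact.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function New-NotMemberOfFilter {
    param(
        [Parameter(Mandatory = $true)][string[]]$GroupDn,
        [switch]$IncludeNested
    )
    # 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN;
    # with it the clause also covers membership inherited through nested groups.
    $attr = if ($IncludeNested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    # One negated clause per group, in the same (!(memberOf=...)) form as Answer 1.
    $clauses = foreach ($dn in $GroupDn) {
        "(!($attr=$(ConvertTo-LdapFilterValue $dn)))"
    }
    # All clauses must hold: the user is in none of the listed groups.
    "(&(objectCategory=person)(objectClass=user)$(-join $clauses))"
}

$filter = New-NotMemberOfFilter -IncludeNested -GroupDn @(
    'CN=Domain Admins,CN=Users,DC=example,DC=com',     # constructed
    'CN=Administrators,CN=Builtin,DC=example,DC=com'   # constructed
)
$filter   # show the generated filter; this part runs on any machine

# Only attempt the directory query when logged on with a domain account.
if ($env:USERDNSDOMAIN) {
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000    # enable paging so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}
```

As Answer 4 points out for "Domain Users", memberOf does not list a user's primary group, so an account whose primary group is one of the listed groups still appears in the output.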


Source: https://stackoverflow.com/questions/15353414/powershell-and-activedirectory-module-find-users-that-are-not-members-of-parti
