List AD groups recursively granted to a specific user?

Problem description

I want to check and troubleshoot the recursive AD group membership of a specific user account or admin group.

The goal here is to know which AD groups are recursively granted, multiple times, to the user given as input to the script.

Param
(
    [string]$user = 'IT.Support'
)

# Walks memberOf recursively; for a user it also adds the primary group, which AD does not list in memberOf
Function Get-ADPrincipalGroupMembershipRecursive([Parameter(ValueFromPipeline = $true)]$Identity)
{
    Process
    {
        $object = Get-ADObject -Identity $Identity -Property memberOf, primaryGroupID, objectSid
        If ($object.objectClass -eq 'group')
        {
            # Emit the group itself; its own memberOf is walked below
            Get-ADGroup -Identity $object -Property memberOf
        }
        Else
        {
            # Build the primary group SID (domain SID + primaryGroupID) and add that group's DN to memberOf
            [void]$object.memberof.Add((Get-ADGroup -Identity ($object.objectSid -replace '^(.*?-)([0-9]+)$', ('${1}' + $object.primaryGroupID))).DistinguishedName)
        }
        # Recurse into every group this object is a member of
        $object.memberOf | Get-ADPrincipalGroupMembershipRecursive
    }
}

# Converts a distinguished name into canonical form: domain.com/OU/SubOU/Name
Function Get-CanonicalName ([string[]]$DistinguishedName)
{
    foreach ($dn in $DistinguishedName)
    {
        $d = $dn.Split(',')
        $arr = (@(($d | Where-Object { $_ -notmatch 'DC=' }) | ForEach-Object { $_.Substring(3) }))
        [array]::Reverse($arr)
        "{0}/{1}" -f (($d | Where-Object { $_ -match 'dc=' } | ForEach-Object { $_.Replace('DC=', '') }) -join '.'), ($arr -join '/')
    }
}

Get-ADUser -Identity $user |
    Get-ADPrincipalGroupMembershipRecursive |
        Sort-Object Name |
            Select-Object Name, `
                   GroupCategory, `
                   GroupScope, `
                   @{ N = 'OU Location'; E = { Get-CanonicalName $_.DistinguishedName } },
                   @{ N = 'Parent(s)'; E = { $r = Foreach ($m in $_.memberof) { Get-CanonicalName $m }; $r -join ',' } } |
Out-GridView

However, the script above does not show which AD groups are recursively granted to the IT.Support user multiple times through another AD group.

For example, for the input IT.Support, the desired or expected output is:

Name, GroupCategory, GroupScope, OU Location, Parent(s)
Domain Admins, Security, Universal, domain.com/Production, <Direct membership>
M365 Global Admin, Security, Universal, domain.com/Production, Domain Admins
Regional1 Global Admin, Security, Universal, domain.com/Production, M365 Global Admin
Regional2 Global Admin, Security, Universal, domain.com/Production, M365 Global Admin

The user IT.Support is a direct member of the built-in Domain Admins group.

The group M365 Global Admin is nested under the Domain Admins group. The Regional1 Global Admin and Regional2 Global Admin groups are nested under M365 Global Admin.

So that I know the membership path, or the recursion through which they get their membership.

Tags: powershell, active-directory, powershell-4.0, windows-scripting
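Added example, not the asker's script and not taken from the question: a PowerShell walker that reports, for every group reached, each group through which membership was obtained, so a group granted by more than one nesting path is listed once with all of its parents, and a visited set ends the walk if nesting is circular. The function names Get-GroupMembershipPaths and Get-ADGroupMembershipPaths, the $ParentMap layout and the sample group names are assumptions of this example; the collector at the bottom assumes the ActiveDirectory module and only works against a domain, while the walk itself runs offline on the constructed data, which goes beyond the question's scenario by giving Regional2 Global Admin a second path.

```powershell
# Added example, not the asker's script. Walks nested AD group membership and
# records every group through which each group was reached, so a group that is
# granted by more than one nesting path is reported once with all of its parents.
# The walk is separated from the directory lookup so it can run offline on
# constructed data; only the collector needs the ActiveDirectory module.

function Get-GroupMembershipPaths {
    # $DirectGroups: DNs of groups the principal is a direct member of (primary group included).
    # $ParentMap[$dn] = DNs that group $dn is itself a member of (its memberOf). Assumed layout.
    param(
        [Parameter(Mandatory)][string[]]$DirectGroups,
        [Parameter(Mandatory)][hashtable]$ParentMap
    )

    # $via[$group] = set of groups whose membership led to $group ('<Direct membership>' for direct ones)
    $via   = @{}
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    foreach ($g in $DirectGroups) {
        if (-not $via.ContainsKey($g)) { $via[$g] = New-Object 'System.Collections.Generic.HashSet[string]' }
        [void]$via[$g].Add('<Direct membership>')
        $queue.Enqueue($g)
    }

    # Breadth-first walk; $visited ends the walk if nesting is circular (AD allows A in B in A)
    $visited = New-Object 'System.Collections.Generic.HashSet[string]'
    while ($queue.Count -gt 0) {
        $child = $queue.Dequeue()
        if (-not $visited.Add($child)) { continue }
        $parents = if ($ParentMap.ContainsKey($child)) { @($ParentMap[$child]) } else { @() }
        foreach ($parent in $parents) {
            if (-not $via.ContainsKey($parent)) { $via[$parent] = New-Object 'System.Collections.Generic.HashSet[string]' }
            [void]$via[$parent].Add($child)    # membership of $child is what grants $parent
            $queue.Enqueue($parent)
        }
    }

    foreach ($group in ($via.Keys | Sort-Object)) {
        [pscustomobject]@{
            Group       = $group
            'Parent(s)' = (@($via[$group]) | Sort-Object) -join ', '
        }
    }
}

function Get-ADGroupMembershipPaths {
    # Collects memberOf from AD for one user and hands the map to the walker (needs ActiveDirectory module).
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID, objectSid
    # The primary group is not listed in memberOf; its SID is the domain SID plus primaryGroupID
    $primarySid = ($user.objectSid.Value -replace '-\d+$', '') + '-' + $user.primaryGroupID
    $direct = @($user.memberOf) + @((Get-ADGroup -Identity $primarySid).DistinguishedName)
    $map = @{}
    $pending = New-Object 'System.Collections.Generic.Queue[string]'
    foreach ($dn in $direct) { $pending.Enqueue($dn) }
    while ($pending.Count -gt 0) {
        $dn = $pending.Dequeue()
        if ($map.ContainsKey($dn)) { continue }
        $map[$dn] = @((Get-ADGroup -Identity $dn -Properties memberOf).memberOf)
        foreach ($p in $map[$dn]) { $pending.Enqueue($p) }
    }
    Get-GroupMembershipPaths -DirectGroups $direct -ParentMap $map
}

# Constructed sample data mirroring the question, with one extra edge (Domain Admins is also a
# member of Regional2 Global Admin) so that a group reached by two paths shows both parents.
$sampleDirect = @('Domain Admins')
$sampleMap = @{
    'Domain Admins'          = @('M365 Global Admin', 'Regional2 Global Admin')
    'M365 Global Admin'      = @('Regional1 Global Admin', 'Regional2 Global Admin')
    'Regional1 Global Admin' = @()
    'Regional2 Global Admin' = @()
}
Get-GroupMembershipPaths -DirectGroups $sampleDirect -ParentMap $sampleMap | Format-Table -AutoSize
```

Parent(s) here has the meaning the question's table uses: the group whose membership is what grants the listed group, not the listed group's own memberOf. Against a domain, Get-ADGroupMembershipPaths -Identity IT.Support builds the map from memberOf and the primary group and produces the same shape of table for a real account; the walker keys on distinguished names, so a group that appears in several paths is still one row.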
