0

需要使用以下字段从 Acitve Directory 结构中导出整体组信息,特别是 OU(递归):

欧 | 组名 | 集团类别 | 组范围 | 集团成员 | GroupMembers(其他组,不是用户)| 用户总数(如果有)| 用户启用 | 用户禁用 | UsersWithStalePass | UsersWithNonexpirePass

我需要每个 OU 的所有这些信息(组层次结构,递归)。

我找到了几个例子并试图巩固它们,但我在输出方面遇到了一些麻烦。我在下面的评论中对它们进行了编码。这是现在的代码:

    #searchbase OU
    $OU="OU=Groups,OU=OUNAME,DC=DCNAME2,DC=DCNAME,DC=domain"

    $group = Get-ADGroup -filter * -Properties *
    $allou = (Get-ADObject -Filter {ObjectClass -eq "organizationalUnit"} -SearchBase $OU).DistinguishedName

    #list all sub OUs
    Foreach($ou in $allou){
    $LIST = Get-ADObject -LDAPFilter "(objectClass=group)" -SearchBase $OU -SearchScope OneLevel

    #begin work with each OU
    $LIST | ForEach-Object {
            $users=Get-ADGroupMember $_.DistinguishedName | Where ObjectClass -eq "user"
            $total=($users | measure-object).count #counts right
            $Enabled=($users | where {$_.Enabled} | Measure-Object).count #always shows zero (0)
            $Disabled=$total-$Enabled
            $NonExpirePasses=(Get-ADUser -Identity $_.DistinguishedName | where {$_.PasswordNeverExpires -ne $true} | Measure-Object).count #doesn't work
#this variant won't work either: $NonExpirePasses=($users | where {$_.PasswordNeverExpires -ne $true} | Measure-Object).count
            $PassesOver90d=($users | where {$_.PasswordLastSet -lt (Get-Date).AddDays(-10)} | Measure-Object).count #the same - always shows 0
#this variant won't work either: $PassesOver90d=(Get-ADUser $_.DistinguishedName | where {$_.PasswordLastSet -lt (Get-Date).AddDays(-90)} | Measure-Object).count
            $GroupCategory=Get-ADGroup $_.DistinguishedName | Select-Object GroupCategory
            $GroupScope=Get-ADGroup $_.DistinguishedName | Select-Object GroupScope
            $InGroups=(($_.MemberOf | %{(Get-ADGroup $_).sAMAccountName}).count -join ";")
            #consolidate info in new object

    New-Object psobject -Property @{
        OU=$OU;
        GroupName=$_.Name;
        GroupCategory=$GroupCategory;
        GroupScope=$GroupScope; #<<<always gives "@{GroupCategory=Security}' or @{GroupCategory=Distribution} format, and i need simple 'Security'/'Distribution'
        InGroups=$InGroups; #<<<always 0
        TotalUsers=$Total;
        Enabled=$Enabled; #<<<always 0
        Disabled=$Disabled;
        PassesOver90d=$PassesOver90d; #<<<always 0
        NonExpirePasses=$NonExpirePasses} | #<<<even doesn't shown (no 0),no info

    #sorted output, finish
       Select OU,GroupName,GroupCategory,GroupScope,InGroups,TotalUsers,Enabled,Disabled,NonExpirePasses,PassesOver90d
             }
            }

这是示例输出(除了 Get_ADUser 命令中的 Identity 出现红色错误):

OU              : OU=SD,OU=Distribution Groups,OU=Groups,OU=OUNAME,DC=DCNAME2,DC=DCNAME,DC=domain
GroupName       : BT23_USERS
GroupCategory   : @{GroupCategory=Security}
GroupScope      : @{GroupScope=Universal}
TotalUsers      : 15
Enabled         : 0
Disabled        : 15
NonExpirePasses :
PassesOver90d   : 0

结果信息收集得很慢。如何优化代码?

4

1 回答 1

0

这是一个似乎有效的版本:

$rootOU="OU=Groups,OU=OUNAME,DC=DCNAME2,DC=DCNAME,DC=domain"

$everyOU = (Get-ADObject -Filter {ObjectClass -eq "organizationalUnit"} -SearchBase $rootOU)

$everyOU | ForEach-Object {
    Get-ADGroup -Filter {Name -like "*"} -SearchBase $_.DistinguishedName -SearchScope OneLevel -Properties * |
            ForEach-Object {
                $users = Get-ADGroupMember $_.DistinguishedName | 
                            Where ObjectClass -eq "user" | ForEach-Object {Get-ADUser $_.SamAccountName -Property PasswordLastSet, PasswordNeverExpires}

                $total = @($users).Count
                $enabled = ($users | Where-Object Enabled -eq $true | Measure-Object).Count
                $disabled = $total - $enabled
                $NonExpirePasses = @($users | Where-Object PasswordNeverExpires -ne $true).Count
                $PassesOver90d = @($users | Where-Object PasswordLastSet -lt (Get-Date).AddDays(-10)).Count
                $GroupCategory = Get-ADGroup $_.DistinguishedName | Select-Object GroupCategory
                $GroupScope = Get-ADGroup $_.DistinguishedName | Select-Object GroupScope
                $InGroups = ($_.MemberOf).Count

                [PsCustomObject]@{
                    OU=$_.DistinguishedName
                    GroupName=$_.Name
                    GroupCategory=$GroupCategory.GroupCategory
                    GroupScope=$GroupScope.GroupScope
                    InGroups=$InGroups
                    TotalUsers=$Total
                    Enabled=$Enabled
                    Disabled=$Disabled
                    PassesOver90d=$PassesOver90d
                    NonExpirePasses=$NonExpirePasses
                }
        }
    } | Format-Table GroupName,GroupCategory,GroupScope,InGroups,TotalUsers,Enabled,Disabled,PassesOver90d,NonExpirePasses,OU -AutoSize
于 2018-06-07T10:20:09.100 回答