1

I need to find users in a specific OU who belong to a set of nested groups (that part is done) and write down the groups each user belongs to (a user can belong to several groups). I now have all the users who belong to the group, but I can't figure out how to list all the groups from the nested set that they belong to.

My script so far:

# Distinguished name of the top-level group. The OID 1.2.840.113556.1.4.1941
# (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk the membership chain, so the
# filter matches users that are members directly or through nested groups.
$GroupDN = (Get-ADGroup "Groupname").DistinguishedName

# $OU must hold the distinguished name of the OU to search under.
$Users = Get-ADUser -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=$GroupDN))" -SearchBase $OU |
    Select-Object Name

$Users | Export-Csv C:\test\data.xml

4

1 Answer

1

Continuing from my comment, and based on the link provided:

https://duckduckgo.com/?q=powershell+%27get+user+group+membership+and+nested+groups%27&t=h_&ia=web

Hits --- adjust as needed, of course, to get your final result

Get AD nested group membership with PowerShell

This article helps you query nested AD group membership using PowerShell. We can get group members with the Active Directory PowerShell cmdlet Get-ADGroupMember.

The Get-ADGroupMember cmdlet offers the option to get all nested group members by passing the -Recursive parameter. The PowerShell script below also handles the circular membership (infinite loop) problem.

https://morgantechspace.com/2015/09/get-ad-nested-group-membership-with-powershell.html

Import-Module ActiveDirectory

# Walk a principal's group memberships upwards (user -> groups -> parent groups ...).
# $grouphash records every group already visited, so a circular membership
# (A member of B, B member of A) terminates instead of recursing forever.
function GetNestedADGroupMembership {
    Param([parameter(Mandatory=$true)] $user,
          [parameter(Mandatory=$false)] $grouphash = @{})

    $groups = @(Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty DistinguishedName)
    foreach ($group in $groups) {
        if ($null -eq $grouphash[$group]) {
            $grouphash[$group] = $true
            $group                                      # emit the group DN
            GetNestedADGroupMembership $group $grouphash  # groups are principals too, so recurse
        }
    }
}

GetNestedADGroupMembership 'CN=Smith,OU=TestOU,DC=TestDomain,DC=com'

And an SO Q&A on a similar use case:

Finding user and AD group relationships through nested AD groups

...or this example for the same search, which uses the code you already posted as a function to which you simply pass the identity.

# Finding Nested AD Group Memberships

<#
The following code finds all groups a given Active Directory user is a member of (including nested group memberships). The code requires the ActiveDirectory module.
#>

#requires -Module ActiveDirectory

function Get-NestedGroupMember
{
    param
    (
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]
        $Identity
    )

    process
    {
        $user = Get-ADUser -Identity $Identity
        $userdn = $user.DistinguishedName
        # LDAP_MATCHING_RULE_IN_CHAIN on the group's member attribute: the DC
        # resolves the nesting server-side, so no client-side recursion is needed.
        $strFilter = "(member:1.2.840.113556.1.4.1941:=$userdn)"
        Get-ADGroup -LDAPFilter $strFilter -ResultPageSize 1000
    }
}

<#
To find group memberships, simply run Get-NestedGroupMember with the name of a user. The function accepts the same identity information that is accepted by Get-ADUser, so you can specify a SamAccountName, a SID, a GUID, or a distinguishedName.
#>

And a graphical view:

PowerShell Active Directory: recursively list the full hierarchy of a user's upstream nested groups https://github.com/kunaludapi/Powershell-Active-Directory--Show-treeview-of-User-or-Group-memberof-hierarchy/blob/master/Get-ADGroupTreeViewMemberOf.txt

PowerShell Active Directory: show a tree view of the downstream hierarchy of nested group members http://vcloud-lab.com/entries/active-directory/powershell-active-directory-show-treeview-of-nested-group-members-downstream-hierarchy

See also:

https://activedirectorypro.com/find-nested-groups-in-active-directory

answered 2021-05-08T21:26:27.377
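The two halves the answer points at (select the users under the OU with memberOf:1.2.840.113556.1.4.1941, then resolve each user's full nested membership with member:1.2.840.113556.1.4.1941) can be combined into one report. The script below is an added example written for this page; it is not code from the question, the answer, or the linked articles. The function names, the group name, the OU, and the output path are placeholders to be replaced. It also adds two things a practitioner would want and the snippets above omit: the distinguished name is escaped before it is interpolated into the LDAP filter (a DN containing "(", ")", "*" or "\" would otherwise break the filter, or match something other than what was intended), and the user's primary group is added explicitly, because it is linked through primaryGroupID rather than the member attribute and so is never returned by the matching-rule query.

```powershell
#requires -Module ActiveDirectory
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_IN_CHAIN: the domain controller walks the membership
# chain server-side, so nesting depth and membership cycles are its problem.
$InChain = '1.2.840.113556.1.4.1941'

# Escape a value for use inside an LDAP filter (RFC 4515). Backslash must be
# handled first so the escapes produced for the other characters are not
# re-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace "`0",  '\00'
}

# Every group a principal belongs to, directly or through nesting, in a single
# query against the groups' member attribute.
function Get-NestedGroupMembership {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$DistinguishedName)
    process {
        $escaped = ConvertTo-LdapFilterValue $DistinguishedName
        Get-ADGroup -LDAPFilter "(member:$InChain:=$escaped)" -ResultPageSize 1000
    }
}

# Users under $SearchBase that are (nested) members of $GroupName, with one
# CSV row per user/group pair.
function Export-NestedGroupReport {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'Groupname' (placeholder)
        [Parameter(Mandatory)][string]$SearchBase,  # OU distinguished name (placeholder)
        [Parameter(Mandatory)][string]$Path         # output CSV path (placeholder)
    )

    $groupDn   = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $userQuery = "(memberOf:$InChain:=$(ConvertTo-LdapFilterValue $groupDn))"
    $domainSid = (Get-ADDomain).DomainSID.Value

    Get-ADUser -LDAPFilter $userQuery -SearchBase $SearchBase -Properties primaryGroupID |
        ForEach-Object {
            $user   = $_
            $groups = @(Get-NestedGroupMembership -DistinguishedName $user.DistinguishedName)

            # The primary group (normally Domain Users) is stored as a RID in
            # primaryGroupID, not in any group's member attribute, so the
            # matching rule cannot see it. Resolve it via its SID and add it.
            $primary = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)" -ErrorAction SilentlyContinue
            if ($primary -and ($groups.DistinguishedName -notcontains $primary.DistinguishedName)) {
                $groups += $primary
            }

            foreach ($g in $groups) {
                [pscustomobject]@{
                    SamAccountName = $user.SamAccountName
                    UserDN         = $user.DistinguishedName
                    Group          = $g.Name
                    GroupDN        = $g.DistinguishedName
                }
            }
        } |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# Placeholder values; replace with the real group, OU and output path.
Export-NestedGroupReport -GroupName 'Groupname' `
                         -SearchBase 'OU=TestOU,DC=TestDomain,DC=com' `
                         -Path 'C:\test\nested-groups.csv'
```

The matching-rule query and the recursive Get-ADPrincipalGroupMembership function in the answer give the same set of groups for members within the domain, with the primary group being the usual difference, which is why the script adds it back. Escaping the DN matters beyond correctness: the same interpolation pattern with a user-controlled value is an LDAP filter injection, so treat anything that goes into -LDAPFilter the way you would treat a SQL parameter.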