我正在学习 PowerShell,并希望通过从服务台应用程序发送的 webhook 自动禁用 AD 帐户,但它还需要跨三个域搜索以检查已attribute1设置为相同的辅助帐户EmployeeID。
我正在努力将数组发现传递给管道,因为我没有收到错误但帐户没有禁用/移动 OU,或者出现不匹配错误:
param
(
[Parameter(Mandatory=$false)]
[object] $WebhookData
)
Import-Module ActiveDirectory
#define useful constants
$date = Get-Date -UFormat "%d.%m.%y"
$monthyear = get-date -UFormat "%Y-%m"
$exactdate = Get-Date -UFormat "%d.%m.%y @ %H.%M.%S"
$year = get-date -UFormat "%Y"
#$scriptdir = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition
$errorlog = "D:\errors $exactdate .txt"
$shortdomains = "domain1","domain2","domain3"
$domain1disabledou = "OU=$monthyear,OU=$year,OU=Disabled,DC=domain1,DC=com"
$domain2disabledou = "OU,$monthyear,OU=$year,OU=Disabled,DC=domain2,DC=com"
$domain3disabledou = "OU=$monthyear,OU=$year,OU=Disabled,DC=domain3,DC=com"
$domain1server = "dc1.domain1.com"
$domain2server = "dc2.domain2.com"
$domain3server = "dc3.domain3.com"
#pull user from POST request body
$user = ($webhookdata.RequestBody | ConvertFrom-Json).Workflow.RequestedBy
$dn = $user.Ext_AcfUserDistinguishedNameTf #this is the distinguishedname of the account sent via webhook
$dn1 = $user.attribute1 #this is the employeeid supplied by webhook
#getting the accounts
$array = @()
$dcs = "dc1.domain1.com","dc2.domain2.com","dc3.domain3.com"
foreach ($dc in $dcs){
$array += get-aduser -filter {Employeeid -eq "$dn1" -or Extensionattribute1 -eq "$dn1" } -
Properties Distinguishedname -server $dc }
$array = $array | select distinguishedname
switch -Regex ($array.distinguishedname)
{
'DC=dc1,DC=domain1,DC=com$'
{
#setup for domain1 users
$targetou = $domain1disabledou
$server = $domain1server
$cred = Get-AutomationPSCredential -Name "domain1cred"
break
}
'DC=dc2,DC=domain2,DC=com$'
{
#setup for domain2 users
$targetou = $domain2disabledou
$server = $domain2server
$cred = Get-AutomationPSCredential -Name "domain2cred"
break
}
'DC=dc3,DC=domain3,DC=com'
{
#setup for domain3 users
$targetou = $domain3disabledou
$server = $domain3server
$cred = Get-AutomationPSCredential -Name "domain3cred"
break
}
default
{
write-output "No match"
exit
}
}
$array = @()
$dcs = "dc1.domain1.com","dc2.domain2.com","dc3.domain3.com"
foreach ($dc in $dcs){
$array += get-aduser -filter {Employeeid -eq "$dn1" -or Extensionattribute1 -eq "$dn1" } -Properties * -server $dc }
$aduser = get-aduser -identity $array.samaccountname -server $server -credential $cred -properties *
$ou = $aduser.CanonicalName -split '/'
$ou = $ou[0..($ou.Count – 2)] -join '/'
foreach ($user in $aduser) set-aduser -identity $user.samaccountname -server $server -credential $cred -Enabled $false -Replace @{info="Former OU - $ou"}
if($ou -notlike "*Disabled*")
{
$aduser | Move-ADObject -TargetPath $targetou -Server $server -Credential $cred
}
else
{
#payload
$payload = @{
"text" = "user already in disabled OU"
"username" = "$dn"
"employeeID" = "$dn1"}
}
{
Invoke-WebRequest -UseBasicParsing `
-Body (ConvertTo-Json -Compress -InputObject $payload) `
-Method Post `
-Uri "https://return webhook url
}
我必须添加第二个数组来更改身份,aduser因为我认为禁用使用samaccountname.