
I have a logic problem: how do I make the script safer for users who are not from the IT group? Some operations users need to block their employees in AD. I am very close to automating this process by sharing with them a CSV file with username, DateDisable, DateEnable.

$b = (Get-Date).ToString('M"/"d"/"yyyy')   # today's date in the same M/d/yyyy form as the CSV columns
Write-Host $b

Import-Csv "I:\Clients\Block Accounts\Accounts Deactivation.csv" | ForEach-Object {

    $SamAccountName = $_."SamAccountName"
    $dateDisable    = $_."dateDisable"
    $dateEnable     = $_."dateEnable"

    #How can I search users in group like PLKAT-NON-BLOCK-USERS and don't block users from this group by IF function. Can you tell me more about this solution. I will be grateful for some clues.

    # names of the groups the user from the current CSV row belongs to
    $memberOf = (Get-ADPrincipalGroupMembership -Identity $SamAccountName).Name

    if ( $memberOf -notcontains 'PLKAT-NON-BLOCK-USERS' -and $dateDisable -eq $b ) {
        Get-ADUser -Identity $SamAccountName | Disable-ADAccount
        Write-Host "-User $SamAccountName Disabled"
    }

    if ( $dateEnable -eq $b ) {
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
        Write-Host "-User $SamAccountName Enabled"
    }
}

2 Answers


Thanks for your help, but I did this for 4 groups in AD, and for security reasons I had to make three csv files for three different projects. I now import the 3 csv files into the script. I had to create one loop to check PLKAT-NON-BLOCK-USERS and a second loop to check membership of the correct group for the CSV file. So I created PLKAT-G-ORG-Client1-Block Users Only, PLKAT-G-ORG-Client2-Block Users Only, PLKAT-G-ORG-Client3-Block Users Only and use the second loop to check one of these user groups. This is a protection against blocking users from other projects.

1. Import-Csv -Path 'I:\Clients1\Block Accounts\Accounts Deactivation.csv' | ForEach-Object {
2. Import-Csv -Path 'I:\Clients2\Block Accounts\Accounts Deactivation.csv' | ForEach-Object {
3. Import-Csv -Path 'I:\Clients3\Block Accounts\Accounts Deactivation.csv' | ForEach-Object {

The first loop checks PLKAT-NON-BLOCK-USERS (IT, Backoffice, etc.).

Can you tell me whether this is good or what I can improve? Here is the code:

$b = (Get-Date).ToString('M"/"d"/"yyyy')

$groups       = 'PLKAT-G-ORG-NON Block Users'
$groupCLIENT1 = 'PLKAT-G-ORG-Client1 Block Users Only'
$groupCLIENT2 = 'PLKAT-G-ORG-Client2 Block Users Only'
$groupCLIENT3 = 'PLKAT-G-ORG-Client3 Block Users Only'

# members of the NON Block group are resolved once, not once per CSV row
$nonBlockMembers = foreach ($group in $groups) {
    Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName
}

#################### Client1 ############################

Import-Csv "I:\Clients1\Block Accounts\Accounts Deactivation Test.csv" | ForEach-Object {

    $SamAccountName = $_."SamAccountName"
    $dateDisable    = $_."dateDisable"
    $dateEnable     = $_."dateEnable"

    if ($nonBlockMembers -contains $SamAccountName) {
        Write-Host $SamAccountName" is a member of NON Block User Group"
        return   # skip this row; 'continue' inside ForEach-Object would stop the whole pipeline
    }

    foreach ($group in $groupCLIENT1) {
        # $group is the loop variable (the original used an undefined $group1 here)
        $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName

        # the date comparison must be part of the if condition; a bare "$dateDisable -eq $b" only prints True/False
        if ($members -contains $SamAccountName -and $dateDisable -eq $b) {
            Get-ADUser -Identity $SamAccountName | Disable-ADAccount
            Write-Host "-User "$SamAccountName" Disabled"
        }
    }

    if ( $dateEnable -eq $b ) {
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
        Write-Host "-User "$SamAccountName" Enable"
    }
}

###################### Client2  ###########################################

Import-Csv "I:\Clients2\Block Accounts\Accounts Deactivation Test.csv" | ForEach-Object {

    $SamAccountName = $_."SamAccountName"
    $dateDisable    = $_."dateDisable"
    $dateEnable     = $_."dateEnable"

    if ($nonBlockMembers -contains $SamAccountName) {
        Write-Host $SamAccountName" is a member of NON Block User Group"
        return
    }

    foreach ($group in $groupCLIENT2) {
        $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName

        if ($members -contains $SamAccountName -and $dateDisable -eq $b) {
            Get-ADUser -Identity $SamAccountName | Disable-ADAccount
            Write-Host "-User "$SamAccountName" Disabled"
        }
    }

    if ( $dateEnable -eq $b ) {
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
        Write-Host "-User "$SamAccountName" Enable"
    }
}

##################### Client3 #################

Import-Csv "I:\Clients3\Block Accounts\Accounts Deactivation Test.csv" | ForEach-Object {

    $SamAccountName = $_."SamAccountName"
    $dateDisable    = $_."dateDisable"
    $dateEnable     = $_."dateEnable"

    if ($nonBlockMembers -contains $SamAccountName) {
        Write-Host $SamAccountName" is a member of NON Block User Group"
        return
    }

    foreach ($group in $groupCLIENT3) {
        $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName

        if ($members -contains $SamAccountName -and $dateDisable -eq $b) {
            Get-ADUser -Identity $SamAccountName | Disable-ADAccount
            Write-Host "-User "$SamAccountName" Disabled"
        }
    }

    if ( $dateEnable -eq $b ) {
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
        Write-Host "-User "$SamAccountName" Enable"
    }
}
Answered 2021-12-08T12:15:20.907

At the top of the script, you can first get a list of all users in the PLKAT-NON-BLOCK-USERS group.
Then, in the code, check whether the user you are iterating over is a member of that group and, if so, do not disable that user.

Something like:

# get an array of SamAccountNames for users you do not wish to disable
$noDisable = (Get-ADGroupMember -Identity 'PLKAT-NON-BLOCK-USERS' -Recursive | Where-Object { $_.objectClass -eq 'user' }).SamAccountName

$refDate = (Get-Date).ToString('M"/"d"/"yyyy')
Import-Csv -Path 'I:\Clients\Block Accounts\Accounts Deactivation.csv' | ForEach-Object {
    if ($noDisable -contains $_.SamAccountName) {
        Write-Host "User '$($_.SamAccountName)' is member of group 'PLKAT-NON-BLOCK-USERS'. Skipped."
        return  # skip this one and proceed with the next user ('continue' would end the whole ForEach-Object pipeline)
    }

    # try and get the AD user object
    $user = Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'" -ErrorAction SilentlyContinue
    if ($user) {
        if ($_.dateEnable -eq $refDate) {
            $user | Enable-ADAccount
            Write-Host "User '$($_.SamAccountName)' Enabled"
        }
        elseif ($_.dateDisable -eq $refDate) {
            $user | Disable-ADAccount
            Write-Host "User '$($_.SamAccountName)' Disabled"
        }
    }
    else {
        Write-Warning "User '$($_.SamAccountName)' does not exist.."
    }
}
Answered 2021-12-07T12:54:03.337
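As an added example, not code from either answer or from the original script: one function that serves both the follow-up's per-client scope groups (each CSV may only touch accounts in its own client group) and the accepted approach's single exclusion group, with the CSV identifier validated before it reaches an AD filter and every decision written to an audit log. The function name, parameter names and the log path are assumptions.

```powershell
# Added example, not code from either post. Function, parameter and log path names are assumptions.
# Each client CSV is run with its own scope group (the only accounts it may touch) and a
# shared exclusion group (accounts that are never disabled); every decision is logged.
function Invoke-ScheduledAccountToggle {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$ScopeGroup,
        [string]$ExcludeGroup = 'PLKAT-NON-BLOCK-USERS',
        [string]$LogPath = "$env:ProgramData\AccountToggle\audit.log"   # assumed location
    )
    $today = (Get-Date).ToString('M"/"d"/"yyyy')
    # Resolve both groups once (nested groups included), not once per CSV row.
    $inScope  = (Get-ADGroupMember -Identity $ScopeGroup   -Recursive | Where-Object objectClass -eq 'user').SamAccountName
    $excluded = (Get-ADGroupMember -Identity $ExcludeGroup -Recursive | Where-Object objectClass -eq 'user').SamAccountName
    $log = { param($Action, $Sam, $Detail) "$(Get-Date -Format o) $Action $Sam $Detail <$CsvPath>" | Add-Content -Path $LogPath }

    Import-Csv -Path $CsvPath | ForEach-Object {
        $sam = "$($_.SamAccountName)".Trim()
        # Conservative allowlist for the identifier before it is interpolated into an AD filter.
        if ($sam -notmatch '^[\w.\-]{1,20}$') { & $log 'SKIP' "'$sam'" 'invalid SamAccountName'; return }
        if ($excluded -contains $sam)        { & $log 'SKIP' $sam "member of '$ExcludeGroup'";  return }
        if ($inScope -notcontains $sam)      { & $log 'SKIP' $sam "outside '$ScopeGroup'";      return }
        # 'return' skips this row only; 'continue' here would end the whole pipeline.

        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if (-not $user) { & $log 'MISSING' $sam ''; return }

        # Enable takes precedence when both dates are today, matching the accepted answer.
        if ($_.dateEnable -eq $today -and $PSCmdlet.ShouldProcess($sam, 'Enable-ADAccount')) {
            $user | Enable-ADAccount
            & $log 'ENABLE' $sam ''
        }
        elseif ($_.dateDisable -eq $today -and $PSCmdlet.ShouldProcess($sam, 'Disable-ADAccount')) {
            $user | Disable-ADAccount
            & $log 'DISABLE' $sam ''
        }
    }
}

# One call per client; -WhatIf reports what would change without touching AD.
Invoke-ScheduledAccountToggle -CsvPath 'I:\Clients1\Block Accounts\Accounts Deactivation.csv' `
    -ScopeGroup 'PLKAT-G-ORG-Client1 Block Users Only' -WhatIf
```

Run it once per client CSV with that client's scope group; a row naming an account outside that group, or inside the exclusion group, is logged and left untouched.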