Check if AD User was part of the AD Group which could be in its sub group

≯℡__Kan透↙ submitted on 2019-12-18 09:47:20

Question


I would like to query whether a user was part of a group. The issue here is that it is sometimes hard to identify whether he was part of it, because he could be at many levels of the group's sub-groups.

Example: if I wanted to check whether a user was in "All Sales Users", he could be in a sub-group of it: "All Sales Users" > "Sales US" > "Sales SJ" > "Prod A" > "Item B".

The issue is that there are many sub-groups, which I had to open one by one to search for him. How do I know whether he was part of "All Sales Users"? It would be best if the query could show the hierarchy.

I tried PowerShell, but it just shows the memberOf. Not sure how to help on this.


Answer 1:


A recursive PowerShell implementation; it assumes you have the ActiveDirectory PowerShell module installed. It will return the Common Name of all groups the user is a member of, including nested ones, so in your example all 5 groups will be returned.

function findGroup($n){
    $g = Get-ADGroup $n
    # Direct parents: groups whose 'member' attribute contains this group's DN.
    # The DN goes into a plain variable first, because property access such as
    # $g.DistinguishedName inside a script-block -Filter is not reliably expanded.
    $dn = $g.DistinguishedName
    $parents = Get-ADGroup -Filter "Members -eq '$dn'"
    if($null -eq $parents){
        return $g.Name
    }
    else{
        $g.Name
        # Recurse upward; note there is no cycle check, so circular nesting
        # (which AD permits) would recurse without end.
        $parents | % { findGroup $_ }
    }
}

And a second function to utilise the first one:

function findUsersGroup($userName){
    # memberOf holds the DNs of the user's direct groups; walk up from each one
    $u = (Get-ADUser $userName -Properties memberof).memberof
    $u | % { findGroup $_ }
}

So if you paste the above 2 functions into your PowerShell window, you can run

PS C:\> findUsersGroup raf

which will return a list of the groups the user is a member of, including the hierarchy:

insideinsidetopgroup
insidetopgroup
topgroup
othergroup



Answer 2:


You could try LDAP with PowerShell

# Values for the two placeholders: {0} is the group's DN, {1} the user's sAMAccountName.
# Both are placeholders here; replace them with your own group and user.
$groupDN  = "CN=All Sales Users,OU=Groups,DC=example,DC=com"
$userName = "raf"

# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the server evaluates
# memberOf transitively, so nested membership needs no client-side recursion.
$strFilter = "(&(memberOf:1.2.840.113556.1.4.1941:={0})(objectCategory=person)(objectClass=user)(sAMAccountName={1}))" -f $groupDN, $userName

$objDomain = New-Object System.DirectoryServices.DirectoryEntry   # defaults to the current domain's root

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

$colPropList = "name"
foreach ($i in $colPropList){ [void]$objSearcher.PropertiesToLoad.Add($i) }   # [void] hides the index Add() returns

$colResults = $objSearcher.FindAll()

# A non-empty result means the user is a (possibly nested) member of the group
foreach ($objResult in $colResults)
    {$objItem = $objResult.Properties; $objItem.name}

{0} is the nested group; it should be a Distinguished Name.

{1} is the user's sAMAccountName you want (you could use any other user property than sAMAccountName within (sAMAccountName={1})).
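Both answers establish membership, but neither prints the chain the question asks for, and Answer 1 recurses without guarding against circular nesting. The following is an added example, not part of either answer: it walks each group's own memberOf upward with a visited set (so cycles terminate) and returns the path from the user's direct group to the target, plus a single-query cross-check using the same LDAP_MATCHING_RULE_IN_CHAIN rule Answer 2 relies on. It assumes the ActiveDirectory module and a reachable domain; 'raf' and 'All Sales Users' are placeholders.

```powershell
# Added example, not from the original answers. Assumes the ActiveDirectory
# module and a reachable domain; 'raf' and 'All Sales Users' are placeholders.
Import-Module ActiveDirectory

function Get-NestedMembershipPath {
    param(
        [Parameter(Mandatory)] [string] $UserName,    # sAMAccountName
        [Parameter(Mandatory)] [string] $TargetGroup  # name or DN of the group to test
    )
    $targetDn = (Get-ADGroup -Identity $TargetGroup).DistinguishedName
    $user     = Get-ADUser -Identity $UserName -Properties memberOf
    # Groups already explored; this also breaks cycles (AD allows circular nesting).
    $visited  = New-Object 'System.Collections.Generic.HashSet[string]'

    # Depth-first walk from a group up through its own memberOf (its parents),
    # carrying the chain of names so the first hit reports the hierarchy.
    function Walk([string] $GroupDn, [string[]] $Chain) {
        if (-not $visited.Add($GroupDn)) { return $null }   # seen before: stop
        $group = Get-ADGroup -Identity $GroupDn -Properties memberOf
        $chain = $Chain + $group.Name
        if ($GroupDn -eq $targetDn) { return $chain }
        foreach ($parentDn in $group.memberOf) {
            $hit = Walk $parentDn $chain
            if ($hit) { return $hit }
        }
        return $null
    }

    foreach ($dn in $user.memberOf) {
        $path = Walk $dn @()
        if ($path) {
            return [pscustomobject]@{ User = $UserName; IsMember = $true;  Path = ($path -join ' -> ') }
        }
    }
    [pscustomobject]@{ User = $UserName; IsMember = $false; Path = $null }
}

# Single-query cross-check: the server evaluates memberOf transitively
# (LDAP_MATCHING_RULE_IN_CHAIN, as in Answer 2), so no client-side recursion.
function Test-NestedMember([string] $UserName, [string] $TargetGroup) {
    $targetDn = (Get-ADGroup -Identity $TargetGroup).DistinguishedName
    $hit = Get-ADUser -LDAPFilter "(&(sAMAccountName=$UserName)(memberOf:1.2.840.113556.1.4.1941:=$targetDn))"
    return [bool] $hit
}

Get-NestedMembershipPath -UserName 'raf' -TargetGroup 'All Sales Users'
Test-NestedMember 'raf' 'All Sales Users'
```

Two caveats for anyone auditing privileged-group membership this way: memberOf does not include a user's primary group (typically Domain Users), and a DN containing LDAP-special characters such as ( ) * or \ must be escaped before it goes into the LDAPFilter string.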



Source: https://stackoverflow.com/questions/22217497/check-if-ad-user-was-part-of-the-ad-group-which-could-be-in-its-sub-group
