PowerShell: how do I get all the groups a user belongs to?
PowerShell's cmdlet returns the members of a specific group. Is there a cmdlet or property to get all the groups a specific user belongs to?

Tags: powershell, active-directory, powershell-2.0
I fixed my mistake: it should be Get-ADGroupMember.

To get a user's group membership:

$strUserName = "Primoz"
$strUser = get-qaduser -SamAccountName $strUserName
$strUser.memberof

See (link). But also take a look at Quest's (link).

[Edit: the Get-ADPrincipalGroupMembership command has been included in PowerShell v2 since Windows 2008 R2. See kstrauss's answer below.]
Get-Member is the cmdlet for listing the members of .NET objects. It has nothing to do with user/group membership. You can get the current user's group membership like this:
PS> [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
Format-Table -auto
BinaryLength AccountDomainSid Value
------------ ---------------- -----
28 S-1-5-21-... S-1-5-21-2229937839-1383249143-3977914998-513
12 S-1-1-0
28 S-1-5-21-... S-1-5-21-2229937839-1383249143-3977914998-1010
28 S-1-5-21-... S-1-5-21-2229937839-1383249143-3977914998-1003
16 S-1-5-32-545
...
If you need access to the group information of arbitrary users, @tiagoinu's suggestion to use the Quest AD cmdlets is a better way.

Get-Member is not for getting a user's group membership. If you want to get the list of groups a user belongs to on the local system, you can do it this way:

$query = "ASSOCIATORS OF {Win32_Account.Name='DemoUser1',Domain='DomainName'} WHERE ResultRole=GroupComponent ResultClass=Win32_Account"
Get-WMIObject -Query $query | Select Name

In the query above, replace DemoUser1 with the user name you want and DomainName with the local computer name or the domain name.

(Get-ADUser -Identity USERNAME -Properties MemberOf | Select-Object MemberOf).MemberOf

First, import the activedirectory module:

import-module activedirectory

Then issue the following command:
Get-ADGroupMember -Identity $group | foreach-object {
Write-Host $_.SamAccountName
}
This will display the members of the specified group.

Get-ADPrincipalGroupMembership will do this:
Get-ADPrincipalGroupMembership username | select name
name
----
Domain Users
Domain Computers
Workstation Admins
Company Users
Company Developers
AutomatedProcessingTeam
Change the value of -SearchBase to reflect the OU you need to list the users from :)
This will list all the users in that OU and show which groups they are members of.

I wrote a PowerShell function called Get-ADPrincipalGroupMembershipRecursive. It accepts the DSN of a user, computer, group or service account. It retrieves the initial list of groups from the account's memberOf attribute, then recursively checks the membership of those groups. Abbreviated code is below. Full

Get-QADUser -SamAccountName LoginID | %{$_.MemberOf} | Get-QADGroup | select name

Get-ADPrincipalGroupMembership userlogin | select name

One-liner, no module needed, using the currently logged-on user:
(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf
Thanks to this vbs/powershell article: (link). This is a more concise alternative to what Canoas posted for getting the group membership of the currently logged-on user.

I came across this method in this blog post: (link)

A nicer version that uses a regex to strip the LDAP noise and keep only the group names:
([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof -replace '^CN=([^,]+).+$','$1'
More details on using the [ADSISEARCHER] type accelerator are on the Scripting Guy blog: (link)

This is the simplest way to get the names:

Get-ADPrincipalGroupMembership "YourUserName"

# returns
distinguishedName : CN=Users,OU=test,DC=somewhere
GroupCategory     : Security
GroupScope        : Global
name              : testGroup
objectClass       : group
objectGUID        : 2130ed49-24c4-4a17-88e6-dd4477d15a4c
SamAccountName    : testGroup
SID               : S-1-5-21-2114067515-1964795913-1973001494-71628
Add a select statement to trim the response, or get every user in an OU and every group they belong to:

foreach ($user in (Get-ADUser -SearchScope Subtree -SearchBase $oupath -Filter * -Properties samaccountName,MemberOf | select samaccountName)) {
    Get-ADPrincipalGroupMembership $user.samaccountName | select name
}
No need for a long script when it's a simple one-liner.

Quest command:
(Get-QADUser -Identity john -IncludedProperties MemberOf | Select-Object MemberOf).MemberOf

MS AD command:
(Get-ADUser -Identity john -Properties MemberOf | Select-Object MemberOf).MemberOf

I find the MS AD cmd faster, but some people prefer Quest.
Steve

Old school way from CMD:
net user mst999 /domain
The following works well:
get-aduser $username -Properties memberof | select -expand memberof
If you have a list of users:
$list = 'administrator','testuser1','testuser2'
$list | `
%{
$user = $_;
get-aduser $user -Properties memberof | `
select -expand memberof | `
%{new-object PSObject -property @{User=$user;Group=$_;}} `
}
I couldn't get the following to work for a specific user:

Get-ADPrincipalGroupMembership username

It threw an error that I wasn't willing to troubleshoot.

I did come up with a different solution using Get-ADUser, though. I like it better because if you don't know the account name you can get it with a wildcard based on the user's actual name. Just fill in part of the user's name and off it goes:
#Get the groups that list of users are the member of using a wildcard search
[string]$UserNameLike = "*PartOfUsersName*" #Use * for wildcards here
[array]$AccountNames = $(Get-ADUser -Filter {Name -like $UserNameLike}).SamAccountName
ForEach ($AccountName In $AccountNames) {
Write-Host "`nGETTING GROUPS FOR" $AccountName.ToUpper() ":"
(Get-ADUser -Identity $AccountName -Properties MemberOf|select MemberOf).MemberOf|
Get-ADGroup|select Name|sort name
}
Schmeckenduegler and 8DH gave me a big leg up on this solution. +1 to both of you. This is just one line:
(get-aduser joe.bloggs -properties *).memberof
Done :)

Use:
Get-ADPrincipalGroupMembership username | select name | export-CSV username.csv
This will pipe the output of the command into a file. To make it recursive you can use:
<#
.SYNOPSIS
Get all the groups that a user is MemberOf.
.DESCRIPTION
This script retrieves all the groups that a user is MemberOf in a recursive way.
.PARAMETER SamAccountName
The name of the user you want to check #>
Param (
[String]$SamAccountName = 'test',
$DomainUsersGroup = 'CN=Domain Users,CN=Users,DC=domain,DC=net'
)
Function Get-ADMemberOf {
Param (
[Parameter(ValueFromPipeline)]
[PSObject[]]$Group,
[String]$DomainUsersGroup = 'CN=Domain Users,CN=Users,DC=grouphc,DC=net'
)
Process {
foreach ($G in $Group) {
$G | Get-ADGroup | Select -ExpandProperty Name
Get-ADGroup $G -Properties MemberOf| Select-Object Memberof | ForEach-Object {
Get-ADMemberOf $_.Memberof
}
}
}
}
$Groups = Get-ADUser $SamAccountName -Properties MemberOf | Select-Object -ExpandProperty MemberOf
$Groups += $DomainUsersGroup
$Groups | Get-ADMemberOf | Select -Unique | Sort-Object
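The recursive script above follows memberOf upward without remembering which groups it has already expanded, so a nesting cycle (group A a member of B, B a member of A, which AD permits) would recurse until the call stack is exhausted, and it hard-codes the primary group's DN instead of reading it. The following is an added example, not code from the answer above: it tracks visited DNs, reads the primary group from the PrimaryGroup attribute, and cross-checks the result against one server-side query using the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941), which asks the domain controller to expand nesting itself. It assumes the ActiveDirectory module and a reachable domain controller; 'jdoe' is a placeholder SamAccountName.

```powershell
# Added example, not code from any of the answers on this page. Assumes the
# ActiveDirectory module and a reachable DC; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

# Escape a DN for use inside an LDAP filter (RFC 4515); backslash goes first.
function ConvertTo-LdapFilterValue {
    Param([String]$Value)
    return ($Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a')
}

# Walk memberOf upward. $Seen holds every DN already expanded, so a nesting
# cycle (A in B, B in A) terminates instead of recursing forever.
function Add-NestedGroups {
    Param([String]$GroupDn, [Hashtable]$Seen)
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true
    $g = Get-ADGroup -Identity $GroupDn -Properties MemberOf
    foreach ($parent in $g.MemberOf) { Add-NestedGroups -GroupDn $parent -Seen $Seen }
}

function Get-EffectiveGroupMembership {
    Param([Parameter(Mandatory=$true)][String]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup
    $seen = @{}
    foreach ($dn in $user.MemberOf) { Add-NestedGroups -GroupDn $dn -Seen $seen }
    # memberOf omits the primary group (normally Domain Users); take it from the attribute.
    Add-NestedGroups -GroupDn $user.PrimaryGroup -Seen $seen

    # Cross-check with a single query: LDAP_MATCHING_RULE_IN_CHAIN makes the DC
    # expand the 'member' links transitively.
    $filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $user.DistinguishedName))"
    $chain = @(Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty DistinguishedName)

    [PSCustomObject]@{
        User          = $user.SamAccountName
        Recursive     = @($seen.Keys | Sort-Object)
        # Primary-group membership is not a 'member' link, so the primary group and
        # anything reached only through it are expected to show up here.
        OnlyRecursive = @($seen.Keys | Where-Object { $chain -notcontains $_ })
        OnlyChain     = @($chain | Where-Object { -not $seen.ContainsKey($_) })
    }
}

Get-EffectiveGroupMembership -SamAccountName 'jdoe' | Format-List
```

When auditing what an account can actually reach, the two lists should agree apart from the primary group; a DN that appears in only one of them is worth a second look, since it usually means a group the caller is not permitted to read or a nested link that one method could not follow.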
Almost all of the solutions above use the ActiveDirectory module, which in most cases may not be available by default.
I used the method below. A bit indirect, but it served my purpose.

List all available groups:

Get-WmiObject -Class Win32_Group

Then list the groups the user belongs to:

[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups

You can then compare the two by checking the SIDs. This works for the logged-on user. Correct me if I'm wrong; I'm totally new to PowerShell, but had to get this done for a work commitment.

With user input and fancy output formatting:
[CmdletBinding(SupportsShouldProcess=$True)]
Param(
[Parameter(Mandatory = $True)]
[String]$UserName
)
Import-Module ActiveDirectory
If ($UserName) {
$UserName = $UserName.ToUpper().Trim()
$Res = (Get-ADPrincipalGroupMembership $UserName | Measure-Object).Count
If ($Res -GT 0) {
Write-Output "`n"
Write-Output "$UserName AD Group Membership:"
Write-Output "==========================================================="
Get-ADPrincipalGroupMembership $UserName | Select-Object -Property Name, GroupScope, GroupCategory | Sort-Object -Property Name | FT -A
}
}
If you don't have permission to query the groups of other members, but you do have permission to query group members, you can do the following to build a map of what users have access to:
$groups = get-adgroup -Filter * | sort name | select Name
$users = @{}
foreach($group in $groups) {
$groupUsers = @()
$groupUsers = Get-ADGroupMember -Identity $group.Name | Select-Object SamAccountName
$groupUsers | % {
if(!$users.ContainsKey($_.SamAccountName)){
$users[$_.SamAccountName] = @()
}
($users[$_.SamAccountName]) += ($group.Name)
}
}
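The map above records direct members only and silently skips any group whose membership cannot be read. As an added example (not code from the answer above), the version below builds the same user-to-groups map with Get-ADGroupMember -Recursive, so nested membership is counted, and records each group that failed instead of dropping it. It assumes the ActiveDirectory module; the optional -SearchBase parameter is an assumption of this example.

```powershell
# Added example, not from the answer above. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UserToGroupMap {
    Param([String]$SearchBase = '')   # optional OU to limit the group enumeration

    $groups = if ($SearchBase) { Get-ADGroup -Filter * -SearchBase $SearchBase } else { Get-ADGroup -Filter * }
    $map    = @{}   # SamAccountName -> array of group names
    $failed = @()   # groups whose membership could not be read

    foreach ($group in $groups) {
        try {
            # -Recursive flattens nested groups; only user objects are kept.
            $members = Get-ADGroupMember -Identity $group.DistinguishedName -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' }
        } catch {
            # Keep the failure visible: an unreadable group is a gap in the audit, not a "no members".
            $failed += [PSCustomObject]@{ Group = $group.Name; Error = $_.Exception.Message }
            continue
        }
        foreach ($m in $members) {
            if (-not $map.ContainsKey($m.SamAccountName)) { $map[$m.SamAccountName] = @() }
            $map[$m.SamAccountName] += $group.Name
        }
    }

    [PSCustomObject]@{ Map = $map; Failed = $failed }
}

$result = Get-UserToGroupMap
$result.Map.GetEnumerator() | Sort-Object Name | ForEach-Object {
    [PSCustomObject]@{ User = $_.Name; Groups = (($_.Value | Sort-Object) -join ', ') }
} | Format-Table -AutoSize
$result.Failed | Format-Table -AutoSize
```

Reviewing the Failed list before trusting the map is the point of the change: a group that could not be enumerated is exactly the kind of group that should not be reported as empty.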
Get-ADUser -Filter * |`
ForEach-Object { `
$FileName = $_.SamAccountName + ".csv" ; `
$FileName ; `
Get-ADPrincipalGroupMembership $_ | `
Select-Object -Property SamAccountName, name, GroupScope, GroupCategory | `
Sort-Object -Property SamAccountName | `
Export-Csv -Path $FileName -Encoding ASCII ; `
}
Get-ADGroup -Filter * | `
Select-Object -Property Name, DistinguishedName, GroupScope, GroupCategory | `
Sort-Object -Property GroupScope, GroupCategory, Name | `
Export-Csv -Path ADGroupsNew.csv -Encoding ASCII
$MyCSV = Import-Csv -Path .\ADGroupsNew.csv -Encoding ASCII
$MyCSV | `
ForEach-Object { `
$FN = $_.GroupScope + ", " + $_.GroupCategory + ", " + $_.Name + ".txt" ; `
$FN ; `
Get-ADGroupMember -Identity $_.DistinguishedName | `
Out-File -FilePath $FN -Encoding ASCII ; $FN=""; `
}
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $id.Groups | foreach-object {$_.Translate([Security.Principal.NTAccount])}
$groups | select *
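The token-based approaches on this page (comparing WindowsIdentity group SIDs against Win32_Group, and the Translate() snippet just above) share two caveats: Translate() throws IdentityNotMappedException for a SID that no longer resolves (a deleted group, or a sidHistory entry), which stops the one-liner part-way through, and the token reflects membership as of logon, so a group added or removed afterwards is not visible until the user logs on again. The following is an added example, not code from either answer, that resolves every group SID in the current token and keeps going past the ones that cannot be mapped.

```powershell
# Added example, not from any answer on this page. Lists the group SIDs in the
# current logon token with their names, tolerating SIDs that no longer resolve.
function Get-TokenGroupNames {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try {
            $name = $sid.Translate([Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Deleted group or stale sidHistory entry: keep the raw SID, mark it unresolved.
            $name = $null
        }
        [PSCustomObject]@{
            SID      = $sid.Value
            Name     = $name
            Resolved = ($null -ne $name)
        }
    }
}

# Unresolved SIDs sort first so they are easy to spot during a review.
Get-TokenGroupNames | Sort-Object Resolved, Name | Format-Table -AutoSize
```

Because the list comes from the logon token rather than from the directory, it is the right source when the question is "what does this session hold right now", and the wrong one when the question is "what is this account's current membership in AD".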
[array] $script:groupsdns = @()
function Get-ADPrincipalGroupMembershipRecursive()
{
Param( [string] $dn, [int] $level = 0, [array] $groups = @() )
#if(($groupsdns | where { $_.DistinguishedName -eq $dn }).Count -ne 0 ) { return $groups } # dependency on next statement
#$groupsdns += (Get-ADObject $dn -Properties MemberOf) # Get-ADObject cannot find an object with identity
if ($script:groupsdns.Contains($dn)) { return $groups }
$script:groupsdns += $dn
$mo = $Null
$mo = Get-ADObject $dn -Properties MemberOf # Get-ADObject cannot find an object with identity
$group = ($dn + " (" + $level.ToString())
if ($mo -eq $Null) { $group += "!" }
$group += ")"
$groups += $group
foreach( $groupdn in $mo.MemberOf )
{
$groups = Get-ADPrincipalGroupMembershipRecursive -dn $groupdn -level ($level+1) -groups $groups
}
if ($level -le 0)
{
$primarygroupdn = (Get-ADUser -Identity $dn -Properties PrimaryGroup).PrimaryGroup
$groups = Get-ADPrincipalGroupMembershipRecursive -dn $primarygroupdn -level ($level+1) -groups $groups
}
return $groups
}
$adusergroups = Get-ADPrincipalGroupMembershipRecursive -dn $aduser.DistinguishedName
$adusergroups | ft -AutoSize | `
Out-File -Width 512 Get-ADPrincipalGroupMembershipRecursive.txt #-Append #-Wrap # | Sort-Object -Property Name
Get-ADPrincipalGroupMembership username | Format-Table -auto
Get-ADPrincipalGroupMembership username | select name, GroupScope, GroupCategory
$username = "user002"
Get-LocalGroup | ForEach-Object {
# the usernames are returned in the string form "computername\username"
if (Get-LocalGroupMember -Group $_ | Where-Object name -like "*\$username") {
$_.name
}
}
Administrators
Users