PowerShell: connecting to and searching multiple domains


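I'm trying to find the group memberships of a specified user account. A user account from one domain is often a member of groups in other domains (some domains require a different admin account). Using Get-QADGroup, I can successfully search each domain individually, but when I try to loop through the domains, I only get results for the domain I'm logged into.

# Script to change domains and find the group memberships of a specified user account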
$domains = "dom1.ad.state.company.com","dom2.ad.state.company.com","dom3.ad.state.company.com","dom4.ad.state.company.com","corporate.state.company.com","OddNamedDom.com"
$CRED=GET-CREDENTIAL
$userAcc = read-host "Enter domain\username for Group Membership Search"

foreach ($domain in $domains)
  {
     write-host "In the domain $domain "," $userAcc is a direct member of..."
     Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc | select name
  } #foreach domain

Connect-QADService -Service 'dom1.ad.state.company.com'
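When I run the script, I get results for dom1 (the domain I'm logged into), and the rest throw the following error. I don't know why the "ref 1: ..." line points to "dom1". I think this may be the root of the problem. I have copied the PowerShell output showing the error messages below.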

In the domain dom1.ad.state.company.com   dom1\brownd2.admin.dom1 is a direct member of...

Name                                                                                                                                            
----                                                                                                                                        
DOM1-G-ITS-DS-Company Services                                                                                                                 
DOM1PGUELFP00003-Exmerge-R                                                                                                                   
DOMPGUELFP00003-Exmerge-C                                                                                                                   
ITSPPTBOSHFS003-FSSHARE-C                                                                                                                   
Domain Users                                                                                                                                

In the domain dom2.ad.state.company.com   dom1\brownd2.admin.dom1 is a direct member of...
Get-QADGroup : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'dom1.ad.state.company.com'
At C:\TestScripts\tGet-UserAllMemberships.ps1:24 char:6
+      Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc |  ...
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-QADGroup], DirectoryAccessException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShel 
   lSnapIn.Powershell.Cmdlets.GetGroupCmdlet

In the domain dom3.ad.state.company.com   dom1\brownd2.admin.dom1 is a direct member of...
Get-QADGroup : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'dom1.ad.state.company.com'
At C:\TestScripts\tGet-UserAllMemberships.ps1:24 char:6
+      Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc |  ...
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-QADGroup], DirectoryAccessException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShel 
   lSnapIn.Powershell.Cmdlets.GetGroupCmdlet
Every domain I'm checking has a similar set of errors. I have not posted the full list of error messages.

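If I change the order of the domains in the array, the errors and the results for the one successful domain just change order to match the array. I thought it might succeed on the first iteration of the loop, but that is not the case.

I know the account is a member of groups in Dom2 and is not a member of any groups in Dom3. If I take these commands out of the foreach loop and run them separately in the console for each domain, I do get the expected results. Based on the separate results, I thought it would be a straightforward case of running them in a loop, but I'm not connecting to the domains correctly.

What can I change?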

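Here is a solution using the namespace, adapted from C# code to PowerShell. It is a recursive solution. Working in C#, I gave a recursive solution (using the basic ADSI available from PowerShell 1.0) that also works for distribution groups.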

# Retrieve a principal context for the administrator on the Global Catalog (port 3268)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$domainContext = New-Object DirectoryServices.AccountManagement.PrincipalContext([DirectoryServices.AccountManagement.ContextType]::Domain, "VMESS01:3268" , "administrator", "adminPasswd")
# Retrieve the groups
try {
  $userPrincipal = [DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($domainContext, "jpb")
  # GetAuthorizationGroups() returns security groups, including nested (recursive) memberships
  $groups = $userPrincipal.GetAuthorizationGroups()
  foreach($group in $groups)
  {
    $group.name;
  }
}
finally {
    # Release the directory connection held by the context
    $domainContext.Dispose()
}

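What is your PowerShell version? Are all the domains in the same forest? Have you considered using the Global Catalog?

PowerShell is version 4. Yes, they are all in the same forest, with one parent (root) domain and several child domains. As for the Global Catalog, I'm not sure how to apply a solution using it.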
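
One way to run the per-domain search the question describes without the Quest cmdlets, as an added example (not code from the question or the answer): bind to each domain with its own credential and search for groups whose `member` attribute holds the user's distinguished name, which finds direct membership only. It assumes Windows PowerShell 3 or later, that all domains are in one forest (as the comment above states) so groups store the member by DN, and that the user's DN is already known; the DN below is a constructed sample and the function names are hypothetical.

```powershell
# Added example, not from the question or the answer. Assumes Windows PowerShell 3+.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515: escape \ * ( ) and NUL as \xx so the DN is matched literally in the filter.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\0]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Get-DirectGroupInDomain {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Bind to this domain explicitly, with the account that is valid for it.
    $pw   = $Credential.GetNetworkCredential().Password
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain", $Credential.UserName, $pw)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    try {
        $searcher.Filter   = "(&(objectCategory=group)(member=$(ConvertTo-LdapFilterValue $UserDN)))"
        $searcher.PageSize = 500          # page the results so large domains are not truncated
        [void]$searcher.PropertiesToLoad.Add('name')
        $results = $searcher.FindAll()
        try {
            foreach ($r in $results) {
                [pscustomobject]@{ Domain = $Domain; Group = [string]$r.Properties['name'][0] }
            }
        }
        finally { $results.Dispose() }
    }
    finally { $searcher.Dispose(); $root.Dispose() }
}

# Constructed sample DN; the domain names are two of those listed in the question.
$userDN  = 'CN=Smith\, Pat (admin),OU=Admins,DC=dom1,DC=ad,DC=state,DC=company,DC=com'
$domains = 'dom1.ad.state.company.com', 'dom2.ad.state.company.com'

# Prompt once per domain, since some domains need a different admin account.
$creds = @{}
foreach ($d in $domains) { $creds[$d] = Get-Credential -Message "Account for $d" }

foreach ($d in $domains) {
    # A failure in one domain is reported and does not stop the remaining domains.
    try   { Get-DirectGroupInDomain -Domain $d -UserDN $userDN -Credential $creds[$d] }
    catch { Write-Warning "$d : $($_.Exception.Message)" }
}
```

Prompting with Get-Credential keeps passwords out of the script file, and the filter escaping matters for DNs that contain parentheses or an escaped comma, as the sample does.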