Powershell PS从组导出特定字段以及用户和用户属性的总和
需要使用以下字段从Acitve目录结构导出总体组信息,特别是OU(递归): OU | Groupname | GroupCategory | GroupScope | GroupMemberOf| GroupMembers(其他组,非用户)| TotalUsers(如果有)| UsersEnabled | Usersdisabled | UsersWithStalePass| UserSwithNoneExpirePass 我需要的每个OU的所有这些信息(递归的组层次结构) 我已经找到了几个例子,并试图整合它们,但我在输出方面遇到了一些问题。我在下面的评论中对它们进行了编码。 以下是目前的代码:Powershell PS从组导出特定字段以及用户和用户属性的总和,powershell,new-object,Powershell,New Object,需要使用以下字段从Acitve目录结构导出总体组信息,特别是OU(递归): OU | Groupname | GroupCategory | GroupScope | GroupMemberOf| GroupMembers(其他组,非用户)| TotalUsers(如果有)| UsersEnabled | Usersdisabled | UsersWithStalePass| UserSwithNoneExpirePass 我需要的每个OU的所有这些信息(递归的组层次结构) 我已经找到了几个例子
#searchbase OU
$OU="OU=Groups,OU=OUNAME,DC=DCNAME2,DC=DCNAME,DC=domain"
$group = Get-ADGroup -filter * -Properties *
$allou = (Get-ADObject -Filter {ObjectClass -eq "organizationalUnit"} -SearchBase $OU).DistinguishedName
#list all sub OUs
Foreach($ou in $allou){
$LIST = Get-ADObject -LDAPFilter "(objectClass=group)" -SearchBase $OU -SearchScope OneLevel
#begin work with each OU
$LIST | ForEach-Object {
$users=Get-ADGroupMember $_.DistinguishedName | Where ObjectClass -eq "user"
$total=($users | measure-object).count #counts right
$Enabled=($users | where {$_.Enabled} | Measure-Object).count #always shows zero (0)
$Disabled=$total-$Enabled
$NonExpirePasses=(Get-ADUser -Identity $_.DistinguishedName | where {$_.PasswordNeverExpires -ne $true} | Measure-Object).count #doesn't work
#this variant won't work either: $NonExpirePasses=($users | where {$_.PasswordNeverExpires -ne $true} | Measure-Object).count
$PassesOver90d=($users | where {$_.PasswordLastSet -lt (Get-Date).AddDays(-10)} | Measure-Object).count #the same - always shows 0
#this variant won't work either: $PassesOver90d=(Get-ADUser $_.DistinguishedName | where {$_.PasswordLastSet -lt (Get-Date).AddDays(-90)} | Measure-Object).count
$GroupCategory=Get-ADGroup $_.DistinguishedName | Select-Object GroupCategory
$GroupScope=Get-ADGroup $_.DistinguishedName | Select-Object GroupScope
$InGroups=(($_.MemberOf | %{(Get-ADGroup $_).sAMAccountName}).count -join ";")
#consolidate info in new object
New-Object psobject -Property @{
OU=$OU;
GroupName=$_.Name;
GroupCategory=$GroupCategory;
GroupScope=$GroupScope; #<<<always gives "@{GroupCategory=Security}' or @{GroupCategory=Distribution} format, and i need simple 'Security'/'Distribution'
InGroups=$InGroups; #<<<always 0
TotalUsers=$Total;
Enabled=$Enabled; #<<<always 0
Disabled=$Disabled;
PassesOver90d=$PassesOver90d; #<<<always 0
NonExpirePasses=$NonExpirePasses} | #<<<even doesn't shown (no 0),no info
#sorted output, finish
Select OU,GroupName,GroupCategory,GroupScope,InGroups,TotalUsers,Enabled,Disabled,NonExpirePasses,PassesOver90d
}
}
结果信息收集非常缓慢。如何优化代码?以下是一个似乎有效的版本:
$rootOU="OU=Groups,OU=OUNAME,DC=DCNAME2,DC=DCNAME,DC=domain"
$everyOU = (Get-ADObject -Filter {ObjectClass -eq "organizationalUnit"} -SearchBase $rootOU)
$everyOU | ForEach-Object {
Get-ADGroup -Filter {Name -like "*"} -SearchBase $_.DistinguishedName -SearchScope OneLevel -Properties * |
ForEach-Object {
$users = Get-ADGroupMember $_.DistinguishedName |
Where ObjectClass -eq "user" | ForEach-Object {Get-ADUser $_.SamAccountName -Property PasswordLastSet, PasswordNeverExpires}
$total = @($users).Count
$enabled = ($users | Where-Object Enabled -eq $true | Measure-Object).Count
$disabled = $total - $enabled
$NonExpirePasses = @($users | Where-Object PasswordNeverExpires -ne $true).Count
$PassesOver90d = @($users | Where-Object PasswordLastSet -lt (Get-Date).AddDays(-10)).Count
$GroupCategory = Get-ADGroup $_.DistinguishedName | Select-Object GroupCategory
$GroupScope = Get-ADGroup $_.DistinguishedName | Select-Object GroupScope
$InGroups = ($_.MemberOf).Count
[PsCustomObject]@{
OU=$_.DistinguishedName
GroupName=$_.Name
GroupCategory=$GroupCategory.GroupCategory
GroupScope=$GroupScope.GroupScope
InGroups=$InGroups
TotalUsers=$Total
Enabled=$Enabled
Disabled=$Disabled
PassesOver90d=$PassesOver90d
NonExpirePasses=$NonExpirePasses
}
}
} | Format-Table GroupName,GroupCategory,GroupScope,InGroups,TotalUsers,Enabled,Disabled,PassesOver90d,NonExpirePasses,OU -AutoSize
这里有什么问题?太好了,非常感谢你,boxdog!它起作用了!除了一些小错误(可能是对我的帐户的安全权限限制),如“+FullyQualifiedErrorId:ActiveDirectoryServer:8251,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember”。
$rootOU="OU=Groups,OU=OUNAME,DC=DCNAME2,DC=DCNAME,DC=domain"
$everyOU = (Get-ADObject -Filter {ObjectClass -eq "organizationalUnit"} -SearchBase $rootOU)
$everyOU | ForEach-Object {
Get-ADGroup -Filter {Name -like "*"} -SearchBase $_.DistinguishedName -SearchScope OneLevel -Properties * |
ForEach-Object {
$users = Get-ADGroupMember $_.DistinguishedName |
Where ObjectClass -eq "user" | ForEach-Object {Get-ADUser $_.SamAccountName -Property PasswordLastSet, PasswordNeverExpires}
$total = @($users).Count
$enabled = ($users | Where-Object Enabled -eq $true | Measure-Object).Count
$disabled = $total - $enabled
$NonExpirePasses = @($users | Where-Object PasswordNeverExpires -ne $true).Count
$PassesOver90d = @($users | Where-Object PasswordLastSet -lt (Get-Date).AddDays(-10)).Count
$GroupCategory = Get-ADGroup $_.DistinguishedName | Select-Object GroupCategory
$GroupScope = Get-ADGroup $_.DistinguishedName | Select-Object GroupScope
$InGroups = ($_.MemberOf).Count
[PsCustomObject]@{
OU=$_.DistinguishedName
GroupName=$_.Name
GroupCategory=$GroupCategory.GroupCategory
GroupScope=$GroupScope.GroupScope
InGroups=$InGroups
TotalUsers=$Total
Enabled=$Enabled
Disabled=$Disabled
PassesOver90d=$PassesOver90d
NonExpirePasses=$NonExpirePasses
}
}
} | Format-Table GroupName,GroupCategory,GroupScope,InGroups,TotalUsers,Enabled,Disabled,PassesOver90d,NonExpirePasses,OU -AutoSize