Recursively listing the users of an AD group with a PowerShell script, without cmdlets

yoy*_*mmy 11 powershell ldap active-directory active-directory-group

I am trying to list everyone in a security group in Active Directory without using cmdlets in PowerShell. The strange thing about my script is that it works if I list the entire directory, but if I try to specify what I want to list with an LDAP query it does not work. I know my LDAP query is correct because I use it in another, similar VBS script and it works there. The commented-out lines are where I tried to put the query.

# Filter that works when the search root is the whole directory
$strFilter = "(&(objectCategory=person)(objectClass=user))"
# Filter with the group DN added as a memberOf clause (does not return anything)
#$strFilter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com))" #... is just left out part of query

# Search root: the default naming context (works) ...
#$objDomain = New-Object System.DirectoryServices.DirectoryEntry
# ... or the group's own DN (does not return anything)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com") #... is just left out part of query

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

# Only load the attributes we print
$colPropList = "name"
foreach ($i in $colPropList) { $objSearcher.PropertiesToLoad.Add($i) }

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults) {
    $objItem = $objResult.Properties
    $objItem.name
}

JPB*_*anc 9

The following works in Active Directory 2003 SP2 and 2008 R2. I use ADSI and the Microsoft LDAP_MATCHING_RULE_IN_CHAIN rule. It searches for all the users of a group recursively (but in a single query); be careful, it returns users from both security and distribution groups.

Clear-Host
$dn = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://WM2008R2ENT:389/dc=dom,dc=fr","jpb@dom.fr","PWD")

# To find all the users member of groups "MonGrpPlusSec"  : 
# Set the base to the groups container DN; for example root DN (dc=societe,dc=fr)  
# Set the scope to subtree 
# Use the following filter : 
# (member:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr) 

$dsLookFor = new-object System.DirectoryServices.DirectorySearcher($dn)
$dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr)(objectCategory=user))"; 
$dsLookFor.SearchScope = "subtree"; 
$n = $dsLookFor.PropertiesToLoad.Add("cn"); 
$n = $dsLookFor.PropertiesToLoad.Add("distinguishedName");
$n = $dsLookFor.PropertiesToLoad.Add("sAMAccountName");

$lstUsr = $dsLookFor.findall()
foreach ($usrTmp in $lstUsr) 
{
  Write-Host $usrTmp.Properties["samaccountname"]
}
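The answer above resolves nesting in one query, but it cannot tell whether the intermediate groups in the chain were security or distribution groups, and it puts the bind password in the script. The script below is an added example (my own, not the answer's code) that walks the membership with ADSI only, one level at a time, so nested distribution groups can be skipped; it also guards against circular nesting and escapes the DN (RFC 4515) before building each filter, since a DN returned from the directory can contain parentheses or asterisks that would otherwise change the filter. The group DN, the LDAP search base and the credential prompt are placeholders you replace with your own values.

```powershell
param(
    [string]$GroupDN  = "CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr",  # placeholder group DN
    [string]$LdapPath = "LDAP://dc=dom,dc=fr",                         # placeholder search base
    [switch]$SecurityGroupsOnly                                        # do not descend into distribution groups
)

# RFC 4515 escaping for a value placed inside an LDAP filter. A DN coming
# from a previous query (or from user input) may contain ( ) * or \, which
# would otherwise alter the structure of the filter (LDAP filter injection).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value = $Value.Replace('\', '\5c')   # backslash first, so the other escapes are not re-escaped
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace([string][char]0, '\00')
}

# Credentials are prompted for at run time instead of being written into the script.
$cred = Get-Credential -Message "Account used to query Active Directory"
$root = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
    -ArgumentList @($LdapPath, $cred.UserName, $cred.GetNetworkCredential().Password)

# One subtree search under $root; returns the SearchResult objects.
function Find-AdObjects([string]$Filter, [string[]]$Properties) {
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.Filter      = $Filter
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize    = 1000
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindAll()
}

$visited = New-Object 'System.Collections.Generic.HashSet[string]'
$users   = New-Object 'System.Collections.Generic.List[string]'

function Expand-GroupMembers([string]$Dn) {
    # HashSet.Add returns $false when the DN was already seen: this stops
    # infinite recursion on circular nesting (A contains B contains A).
    if (-not $visited.Add($Dn)) { return }

    $groupFilter = "(&(objectClass=group)(distinguishedName=$(ConvertTo-LdapFilterValue $Dn)))"
    foreach ($group in (Find-AdObjects $groupFilter @("member"))) {
        foreach ($memberDn in $group.Properties["member"]) {
            $memberFilter = "(distinguishedName=$(ConvertTo-LdapFilterValue $memberDn))"
            foreach ($m in (Find-AdObjects $memberFilter @("objectClass", "groupType", "sAMAccountName"))) {
                $classes = @($m.Properties["objectclass"])
                if ($classes -contains "group") {
                    # ADS_GROUP_TYPE_SECURITY_ENABLED is the sign bit of groupType,
                    # so a security group always has a negative groupType.
                    $isSecurity = ([int]@($m.Properties["grouptype"])[0]) -lt 0
                    if ($isSecurity -or -not $SecurityGroupsOnly) { Expand-GroupMembers $memberDn }
                }
                elseif ($classes -contains "user" -and $classes -notcontains "computer") {
                    $users.Add([string]@($m.Properties["samaccountname"])[0])
                }
                # contacts, computers and foreignSecurityPrincipals are skipped
            }
        }
    }
}

Expand-GroupMembers $GroupDN
$users | Sort-Object -Unique
```

Run it as `.\script.ps1 -GroupDN "CN=...,DC=..." -SecurityGroupsOnly` to get only users reachable through security groups. One limitation to keep in mind: for groups with more than about 1500 members the domain controller returns the member attribute in ranges (`member;range=0-1499`), which this example does not page through, so a very large group would need the range-retrieval loop added.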


Sha*_*evy 8

This gets all the members of the domain Administrators group, including nested members (requires .NET 3.5).

$Recurse = $true

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct, 'Administrators')
# GetMembers($true) expands nested groups and returns users, groups and computers
$group.GetMembers($Recurse)
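GetMembers($true) returns every principal in the nesting chain, groups and computers included, so a review of who actually holds the privilege usually wants only the user principals and a few account attributes next to each name. The following is an added example built on the same AccountManagement API (my own code, not the answer's); it looks the group up by its well-known SID S-1-5-32-544 rather than by a display name, which changes with the domain language, and the context is assumed to be the current domain of the caller.

```powershell
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Bind to the caller's current domain with the caller's own credentials.
$ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
    -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)

# Well-known SID of the builtin Administrators group; independent of the display name.
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity(
    $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::Sid, 'S-1-5-32-544')
if ($null -eq $group) { throw "Group not found in the current domain" }

# Recursive membership, reduced to user principals with the attributes a
# privileged-group review needs (hypothetical helper name).
function Get-NestedUserMembers($GroupPrincipal) {
    foreach ($p in $GroupPrincipal.GetMembers($true)) {
        if ($p -is [System.DirectoryServices.AccountManagement.UserPrincipal]) {
            [pscustomobject]@{
                SamAccountName  = $p.SamAccountName
                Enabled         = $p.Enabled
                LastPasswordSet = $p.LastPasswordSet
                Sid             = $p.Sid.Value
            }
        }
        # nested GroupPrincipal and ComputerPrincipal entries are already expanded or irrelevant here
    }
}

Get-NestedUserMembers $group | Sort-Object SamAccountName | Format-Table -AutoSize
```

Disabled accounts and accounts whose password has not changed in a long time stand out in the resulting table, which is the usual starting point for trimming membership of a privileged group.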