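PowerShell's Get-ADGroupMember cmdlet returns the members of a specific group. Is there a cmdlet or property to get all the groups that a particular user is a member of?
Get-Member is a command that lists the members of a .NET object. This has nothing to do with user/group membership. You can get the current user's group membership like so: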
PS> [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
Format-Table -auto
BinaryLength AccountDomainSid Value
------------ ---------------- -----
28 S-1-5-21-... S-1-5-21-2229937839-1383249143-3977914998-513
12 S-1-1-0
28 S-1-5-21-... S-1-5-21-2229937839-1383249143-3977914998-1010
28 S-1-5-21-... S-1-5-21-2229937839-1383249143-3977914998-1003
16 S-1-5-32-545
...
If you need access to arbitrary users' group information, then using the Quest AD cmdlets is the better way, as @tiagoinu suggests.
Use:
Get-ADPrincipalGroupMembership username | select name | export-CSV username.csv
This pipes the output of the command into a CSV file.
(Get-QADUser -Identity john -IncludedProperties MemberOf | Select-Object MemberOf).MemberOf
MS AD cmdlets
(GET-ADUSER -Identity john -Properties MemberOf | Select-Object MemberOf).MemberOf
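I wrote a PowerShell function called Get-ADPrincipalGroupMembershipRecursive. It accepts the DSN of a user, computer, group, or service account. It retrieves an initial list of groups from the account's memberOf attribute, then recursively checks the memberships of those groups. Abbreviated code is below. The full source code with comments can be found here.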
function Get-ADPrincipalGroupMembershipRecursive( ) {
Param(
[string] $dsn,
[array]$groups = @()
)
$obj = Get-ADObject $dsn -Properties memberOf
foreach( $groupDsn in $obj.memberOf ) {
$tmpGrp = Get-ADObject $groupDsn -Properties memberOf
if( ($groups | where { $_.DistinguishedName -eq $groupDsn }).Count -eq 0 ) {
$groups += $tmpGrp
$groups = Get-ADPrincipalGroupMembershipRecursive $groupDsn $groups
}
}
return $groups
}
# Simple Example of how to use the function
$username = Read-Host -Prompt "Enter a username"
$groups = Get-ADPrincipalGroupMembershipRecursive (Get-ADUser $username).DistinguishedName
$groups | Sort-Object -Property name | Format-Table
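A server-side alternative to the client-side recursion above, as an added example that is not part of the original answers: it asks the domain controller to resolve nested membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule and also includes the primary group, which the memberOf attribute does not list. The function names Get-ADUserEffectiveGroup and ConvertTo-LdapFilterValue are hypothetical, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original answers). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP filter value (RFC 4515),
    # so a distinguished name containing them cannot alter the filter.
    param([Parameter(Mandatory)][string] $Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-ADUserEffectiveGroup {
    # Hypothetical helper: returns every group the user belongs to, directly or nested.
    param([Parameter(Mandatory)][string] $Identity)   # sAMAccountName, DN, GUID or SID

    $user = Get-ADUser -Identity $Identity -Properties PrimaryGroup

    # memberOf never lists the primary group (usually Domain Users), so it is
    # added explicitly and its own parent groups are resolved as well.
    $found = @{}
    $found[$user.PrimaryGroup] = Get-ADGroup -Identity $user.PrimaryGroup

    foreach ($dn in @($user.DistinguishedName, $user.PrimaryGroup)) {
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the domain controller
        # walks the member chain, so nested groups come back from a single query.
        $filter = '(member:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $dn)
        foreach ($g in (Get-ADGroup -LDAPFilter $filter)) {
            $found[$g.DistinguishedName] = $g   # keyed by DN, so duplicates collapse
        }
    }
    $found.Values | Sort-Object Name
}

# Usage: 'john' is the sample account name used elsewhere on this page.
Get-ADUserEffectiveGroup -Identity john | Select-Object Name, GroupScope, GroupCategory
```

The query only returns groups held in the domain that Get-ADGroup searches, so memberships in groups of other domains are not covered.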
First, import the ActiveDirectory module:
Import-Module ActiveDirectory
Get-ADGroupMember -Identity $group | foreach-object {
Write-Host $_.SamAccountName
}
Install-WindowsFeature RSAT-AD-PowerShell and/or import-module activedirectory, then here is a pure, pre-installed PowerShell (5.1+) way to do it. Get-LocalGroup* is only available in PowerShell v5.1 and above. "...v5.1 was released along with the Windows 10 Anniversary Update on August 2, 2016, and in Windows Server 2016. ...[F]or Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, [it] was released on January 19, 2017." (wikipedia))
$username = "user002"
Get-LocalGroup | ForEach-Object {
# the usernames are returned in the string form "computername\username"
if (Get-LocalGroupMember -Group $_ | Where-Object name -like "*\$username") {
$_.name
}
}
Example output:
Administrators
Users
It's just one line:
(get-aduser joe.bloggs -properties *).memberof
The end :)
select -expandproperty memberof
can make the output more readable/useful. - Ben Thul
get-aduser $username -Properties memberof | select -expand memberof
$list = 'administrator','testuser1','testuser2'
$list | `
%{
$user = $_;
get-aduser $user -Properties memberof | `
select -expand memberof | `
%{new-object PSObject -property @{User=$user;Group=$_;}} `
}
(Get-ADUser $env:username -Properties MemberOf).MemberOf | % {$_.split(",")[0].replace("CN=","")}
Domain Users
Domain Computers
Workstation Admins
Company Users
Company Developers
AutomatedProcessingTeam
$groups = get-adgroup -Filter * | sort name | select Name
$users = @{}
foreach($group in $groups) {
$groupUsers = @()
$groupUsers = Get-ADGroupMember -Identity $group.Name | Select-Object SamAccountName
$groupUsers | % {
if(!$users.ContainsKey($_.SamAccountName)){
$users[$_.SamAccountName] = @()
}
($users[$_.SamAccountName]) += ($group.Name)
}
}
net user /domain username
command; you can also see other methods in Get Groups in which a user is a member Using PowerShell. - Mohamed