以下は、信頼できるドメイン全体でグループ内の再帰メンバーを呼び出す方法に関する私のスクリプトです。私が助けを必要としているのは、これを単一のグループの検索から複数のグループへの変換です。
行$objGrp = [ADSI]"LDAP://CN=Administrators,CN=Builtin,DC=domain,DC=com"
で、検索したいグループに手動で変更する必要があります。代わりに、このスクリプトでグループのリストを含むテキスト ファイルを呼び出すようにしたいと考えています。
たとえば、テキスト ファイルには
CN=Administrators,CN=Builtin,DC=domain,DC=com
CN=domain admins,CN=users,DC=domain,DC=com
CN=enterprise admins,CN=users,DC=domain,DC=com
これを行うには、何を追加/変更する必要がありますか?
# Script begins
#
# Bind to the AD group
$objGrp = [ADSI]"LDAP://CN=Administrators,CN=Builtin,DC=domain,DC=com"
#[ADSI]"LDAP://CN=Administrators,CN=Builtin,DC=domain,DC=com"
#
$Global:GroupMembers = @()
# Function to read the group members - nested members
Function GetGroupMember($objGrp)
{
# Enumerate the group members
foreach($member in $objGrp.member)
{
# Bind to the each user using DN
$strTemp = "LDAP://" + $member
$objTemp = [ADSI]$strTemp
# Check for AD Group object based on objectCategory
$strCat = [System.String]$objTemp.objectCategory
#foreign object
$res = $strCat.StartsWith("CN=Foreign-Security-Principal")
#$strCat
If($res -eq $True)
{
# bind to the foreign object
$strTemp = "LDAP://" + $member
$tempObj = [ADSI]$strTemp
# convert binary SID to bindable string SID
$objBin = $tempObj.objectSID.Item(0)
$objSID = New-Object System.Security.Principal.SecurityIdentifier($objBin,0)
$srchDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://dc=domain,dc=com")
$dirSrchObj = New-Object System.DirectoryServices.DirectorySearcher($srchDomain)
#$objSID.Value
[System.Environment]::NewLine
$dirSrchObj.Filter = "((objectSID=" + $objSID.Value + "))"
# Search scope to sub-level
$dirSrchObj.SearchScope = "Subtree"
$dirSrchObj.PageSize = 1
# Array of result collection - users
$srchResArr = $dirSrchObj.FindOne()
"======================================="
If ($srchResArr -ne $NULL)
{
# bind to the object
#$strTem = [System.String]$srchResArr.ToString()
$objEntry = $srchResArr.GetDirectoryEntry()
# read and compare the object category for group object
[System.String]$strTemp1 = $objEntry.objectcategory
$res1 = $strTemp1.StartsWith("CN=Group")
if($res1 -eq $True)
{
#enumerate the group members
Write-Host "The members of foreign group " $objEntry.Name "are: "
Foreach($obj in $objEntry.member)
{
$strTemp2 = "LDAP://" + $obj
$objTemp2 = [ADSI]$strTemp2
[System.String]$strTemp3 = $objTemp2.objectCategory
$res2 = $strTemp3.StartsWith("CN=Group")
if($res2 -eq $True)
{
GetGroupMember($objTemp2)
}
Else
{
$objTemp2.distinguishedName
$Global:GroupMembers += $objTemp2.distinguishedName
}
}
}
Else
{
"Foreign user object: "
$objEntry.distinguishedName
$Global:GroupMembers += $objEntry.distinguishedName
}
}
"======================================="
[System.Environment]::NewLine
}
Else
{
$flag = $strCat.StartsWith("CN=Group")
# If it is a Group object then call this method (recursive)
If($flag -eq $TRUE)
{
Write-Host "++++++++++++++++++++++Recursive Call to Enumerate" $objTemp.distinguishedName
GetGroupMember($objTemp)
Write-Host "---------------------- End Recursive Call to Enumerate" $objTemp.distinguishedName
}
# If user object then display its DN
if($flag -eq $False)
{
$objTemp.distinguishedName
$Global:GroupMembers += $objTemp.distinguishedName
#$objTemp.sAMAccountname
}
}
}
}
#
GetGroupMember $objGrp
""
""
"Final List:"
$Global:GroupMembers | sort -uniq | out-file c:\temp\test.csv