我正在查询本地域之外的AD组。当在PS中搜索组时,我得到了所有显示有SID而不是用户ID的成员。
我基本上想要的是输入用户ID,并获得用户SID链接的所有组成员身份。
以下是我已经尝试过但没有结果的。。。
Write-Host "enter user id"
$user = Read-Host
# Forrest were groups are nested
$LDAPServer = 'wwg00m.rootdom.net'
# Get SID from user
$adUsr = Get-ADUser $user -Properties SID | Select-Object SID
# Get all groups from Query in AD
$Groups = Get-ADObject -server $LDAPServer -LDAPFilter '(&(objectCategory=group)(name=*_EN))' | Select Name
# Get all Members from each group, replacing characters to get equal SID ID like $adUser
$Members = (Get-ADGroup -Identity $Groups -Server $LDAPServer -Properties Members).Members -Replace ("CN=", "") -Replace (",ForeignSecurityPrincipals,DC=wwg00m,DC=rootdom,DC=net", "")
foreach ($adUsr in $members) {
[pscustomobject]@{
GroupName = $Members.Name
}
}
根据评论中的对话,这可能会奏效。基本上,我们首先获得当前域中用户的SID,然后一旦获得它,我们就可以获得受信任域上用户的DistinguishedName,最后根据这些信息,我们可以执行LDAP查询,搜索该DN所属的所有组。
try {
# Get user input
$user = Read-Host "Enter User ID"
# Forrest were groups are nested
$LDAPServer = 'wwg00m.rootdom.net'
# Get the SID of the user in the Current Domain
$sid = Get-ADUser $user
# Get the DistinguishedName of the user in the other Domain
$dn = (Get-ADUser $sid.SID -Server $LDAPServer).DistinguishedName
# Search for all groups where this DN is a member
Get-ADGroup -LDAPFilter "(member=$dn)" -Server $LDAPServer | ForEach-Object {
# here we can combine the user's data in the Current and Trusted Domain
# change the output as needed
[pscustomobject]@{
GroupName = $_.Name
UserName = $sid.Name
UserDistinguishedName = $dn
}
}
}
catch {
# Error handling here...
Write-Error $_
}