我试图获取域用户所属的所有组,但只筛选具有给定扩展属性的组。我设置了所有域组的扩展属性12,以更好地过滤一些查询(即基础结构-安全-电子学习(。我的查询应该只得到具有的用户组
extensionattribute12=安全
(例如(。我使用类似的东西
get-aduser -filter -Properties memberof | select name, @{ l="GroupMembership"; e={$_.memberof -join ";" } }
我得到了所有的用户组。如何按组扩展属性进行筛选?
您可以使用反向关系(组对象上的member(来查询用户所属的所有组,每个用户只需一个查询。这里使用LDAP过滤器:
$groupLabel = "Security"
Get-ADUser -Filter * |ForEach-Object {
$groups = Get-ADGroup -LDAPFilter "(&(extensionattribute12=$groupLabel)(member=$($_.DistinguishedName)))"
[pscustomobject]@{
User = $_.SamAccountName
GroupMembership = $groups.DistinguishedName -join ';'
}
}
如果您必须处理大量用户或组成员身份,您可能会发现提前检索所有满足extensionAttribute12标准的组并使用该列表过滤用户的memberOf属性会更快:
$groupLabel = "Security"
# Create a hash set and populate it with the distinguished
# names of all the groups we're looking for
$groupDNs = [System.Collections.Generic.HashSet[string]]::new(@(
Get-ADGroup -Filter "extensionAttribute12 -eq '$groupLabel'" |Select -Expand DistinguishedName
))
Get-ADUser -Filter * -Properties memberOf |ForEach-Object {
# Retrieve memberOf values and filter against the hash set
$groups = $_.memberOf |Where-Object { $groupDNs.Contains($_) }
[pscustomobject]@{
User = $_.SamAccountName
GroupMembership = $groups -join ';'
}
}
使用N+1查询
$groups = @( Get-ADGroup -Filter '(extensionattribute12 -eq "security")' )
$users = @( $groups |
ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
Sort-Object -Unique )
$users # All users of all groups that have EA12 = security
Get-ADUser -filter {...} -Properties memberof | select name, @{ l="GroupMembership"; e={( $_.memberof | Get-ADGroup |?{ $_.extensionattribute12 -eq 'security' }) -join ";" }} |?{ $_.GroupMembership }