Unexpected results in a PowerShell for loop



I have the following module.

I've obfuscated the hash table to protect sensitive information, but it holds a bunch of values defining domain controllers, domain DNs, domain-specific usernames and so on:

function set-domparams {
    Param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$domain,
        [Parameter(Mandatory = $true, Position = 1)]
        [string[]]$username,
        [Alias("pass", "p")]
        [Parameter(Mandatory = $false, Position = 2)]
        $password,
        [Parameter(Mandatory = $true, Position = 3)]
        [ValidateSet("Y", "N")]
        [string]$cyberArk
    )
    # Clear the Kerberos ticket cache before authenticating
    Invoke-Expression -Command:'cmd.exe /c klist purge' | Out-Null

    function Get-Creds($domain, $user, $password) {
        if (!($password)) { $password = Read-Host "Enter $domain password" -AsSecureString }
        Invoke-Expression -Command:'cmd.exe /c klist purge' | Out-Null
        # Builds the credential from the outer $username parameter, not from the $user argument passed in
        $creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
        return $creds
    }

    # Per-domain parameters (values obfuscated)
    $doms = @{
        'domain1.com' = @{ 'serverDC' = "somesvalidDC.fqdn.com"; 'searchBase' = "DC=somesvalidDC,DC=fqdn,DC=com"; 'suffix' = "domain1.com"; 'TSMserver' = "127.0.0.1"; 'NetBIOS' = "domain1"; 'SCOM' = "somescomserver.com"; 'AdminSuffix' = "_admin" }
        'domain2.com' = @{ 'serverDC' = "somesvalidDC.fqdn.com"; 'searchBase' = "DC=somesvalidDC,DC=fqdn,DC=com"; 'suffix' = "domain2.com"; 'TSMserver' = "127.0.0.1"; 'NetBIOS' = "domain2"; 'SCOM' = "somescomserver.com"; 'AdminSuffix' = ".adm" }
    }

    if ((!$cyberArk) -or ($cyberArk -eq 'N')) {
        $global:fetchCreds = Get-Creds -domain $domain -user $username -password $password
    } else {
        $CyberArkUser   = "cyberarkdom\" + $username    # "\" assumed: the backslash separator did not survive in the posted text
        $CyberArkdomain = 'cyberarkdom.int'
        $global:fetchCreds = Get-Creds -domain $CyberArkdomain -user $CyberArkUser -password $password
    }

    # Globals consumed by the calling script; note $global:user is only built after the credential was created
    $global:adminsuffix = $doms.$domain.AdminSuffix
    $global:user        = $doms.$domain.NetBIOS + "\" + $username + $adminsuffix    # "\" assumed, as above
    $global:dc          = $doms.$domain.serverDC
    $global:DomNBT      = $doms.$domain.NetBIOS
    $global:searchbase  = $doms.$domain.searchBase
    $global:suffix      = $doms.$domain.suffix
    $global:TSMserver   = $doms.$domain.TSMserver
    $global:scom        = $doms.$domain.scom
}

I've used it in scripts several times and it works, but in a new script that tries to operate against multiple domains I'm currently hitting a strange problem:

Param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Y", "N")]
    [string]$cyberArk
)
$userprompt = Read-Host "Enter username"
$userpass   = Read-Host "Enter $domain password" -AsSecureString    # $domain is not set yet at this point, so the prompt reads "Enter  password"
$domainlist = @('domain1.fqdn.co', 'anotherdomain.com', 'differesntforest3.com.au')

foreach ($domain in $domainlist) {
    $results = ""
    # Populates $global:dc and $global:fetchCreds for this domain
    set-domparams -domain $domain -username $userprompt -password $userpass -cyberArk $cyberArk
    $results = Get-ADGroup -Server $DC -Credential $fetchCreds -Filter * |
        where { $_.Name -like "*-DelAdmin-Servers*" } |
        select Name, SamAccountName
    foreach ($result in $results) {
        [PSCustomObject]@{
            Name           = $result.Name
            domain         = $domain
            samaccountname = $result.SamAccountName
        }
    }
}

When the domain list contains domains from different forests I get the following error (the password is the same across the domains):

Get-ADGroup : The server has rejected the client credentials.
At E:\Scripts\get-testrun.ps1:16 char:16
+ ... $results = Get-ADGroup -Server $DC -Credential $fetchCreds -Filter * ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Get-ADGroup], AuthenticationException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.ActiveDirectory.Management.Command.GetADGroup

If I run against any one of those domains on its own as a one-liner, the module works fine and authenticates, returns all the global variables, and the query in the script runs without error.

What am I missing?

As mentioned in the comments, the offending line is your Get-ADGroup. Specifically:

Get-ADGroup -Server $DC -Credential $fetchCreds -Filter *

In your second (current) script you are not defining $fetchCreds. If you do have other scripts like this, chances are you are either assigning something directly or using $global:fetchCreds, since that is what gets prepared in your first script.

I realised there was a logic error in the function I was using.

Once fixed, it happily runs against any number of domains (i.e. against an array of a bunch of different arrays).

function set-domparams {
    Param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$domain,
        [Parameter(Mandatory = $true, Position = 1)]
        [string[]]$username,
        [Alias("pass", "p")]
        [Parameter(Mandatory = $false, Position = 2)]
        $password,
        [Parameter(Mandatory = $true, Position = 3)]
        [ValidateSet("Y", "N")]
        [string]$cyberArk
    )
    function Get-Creds($domain, $user, $password) {
        Invoke-Expression -Command:'cmd.exe /c klist purge' | Out-Null
        If (!($password)) { $password = Read-Host "Enter $domain password" -AsSecureString }
        # Now built from the $user argument (the domain-qualified name), not from the outer $username
        $creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $password
        return $creds
    }

    # Per-domain parameters (values obfuscated)
    $doms = @{
        'domain1.com' = @{ 'serverDC' = "somesvalidDC.fqdn.com"; 'searchBase' = "DC=somesvalidDC,DC=fqdn,DC=com"; 'suffix' = "domain1.com"; 'TSMserver' = "127.0.0.1"; 'NetBIOS' = "domain1"; 'SCOM' = "somescomserver.com"; 'AdminSuffix' = "_admin" }
        'domain2.com' = @{ 'serverDC' = "somesvalidDC.fqdn.com"; 'searchBase' = "DC=somesvalidDC,DC=fqdn,DC=com"; 'suffix' = "domain2.com"; 'TSMserver' = "127.0.0.1"; 'NetBIOS' = "domain2"; 'SCOM' = "somescomserver.com"; 'AdminSuffix' = ".adm" }
    }

    $global:adminsuffix = $doms.$domain.AdminSuffix
    $global:dc          = $doms.$domain.serverDC
    $global:DomNBT      = $doms.$domain.NetBIOS
    $global:searchbase  = $doms.$domain.searchBase
    $global:suffix      = $doms.$domain.suffix
    $global:TSMserver   = $doms.$domain.TSMserver
    $global:scom        = $doms.$domain.scom

    # The qualified user name is built first and then passed to Get-Creds
    If ((!$cyberArk) -or ($cyberArk -eq 'N')) {
        $global:user = $doms.$domain.NetBIOS + "\" + $username + $adminsuffix    # "\" assumed: the backslash separator did not survive in the posted text
        $global:fetchCreds = Get-Creds -domain $domain -user $user -password $password
    }
    Else {
        $global:User    = "corpau\" + $username    # "\" assumed, as above
        $CyberArkdomain = 'corpau.wbcau.westpac.com.au'
        $global:fetchCreds = Get-Creds -domain $CyberArkdomain -user $user -password $password
    }
}

Of course, it is by no means the best-written function, but it does what it was designed to do.
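The same setup with the shared global state removed, as an added example that is not part of the original post or of either answer. It returns one object per domain (DC, search base, and a credential whose user name is already qualified with that domain's NetBIOS name before the PSCredential is created, which is the part the original Get-Creds skipped by using the bare $username), calls klist.exe directly instead of through Invoke-Expression, and filters server-side instead of pulling every group with -Filter * and piping it to where. The domain table, the DC names, the cyberarkdom bastion name and the -DelAdmin-Servers pattern are placeholders; running it needs the ActiveDirectory module and a reachable DC.

```powershell
# Added example, not from the original post: per-domain parameters returned as an
# object instead of $global: variables, so nothing leaks between loop iterations.
function Get-DomainParams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$UserName,
        [Parameter(Mandatory)] [securestring]$Password,
        [ValidateSet('Y', 'N')] [string]$CyberArk = 'N'
    )

    # Placeholder table; the real one carries the values obfuscated in the question.
    $doms = @{
        'domain1.com' = @{ serverDC = 'dc01.domain1.com'; searchBase = 'DC=domain1,DC=com'; NetBIOS = 'DOMAIN1'; AdminSuffix = '_admin' }
        'domain2.com' = @{ serverDC = 'dc01.domain2.com'; searchBase = 'DC=domain2,DC=com'; NetBIOS = 'DOMAIN2'; AdminSuffix = '.adm' }
    }
    if (-not $doms.ContainsKey($Domain)) {
        # Fail loudly instead of running the query with empty DC / search base values
        throw "No parameters defined for domain '$Domain'"
    }
    $d = $doms[$Domain]

    # Build the qualified account name before the credential. The original function
    # created the PSCredential from the bare $username and only computed the
    # NetBIOS\user form afterwards.
    if ($CyberArk -eq 'Y') {
        $qualifiedUser = 'cyberarkdom\{0}' -f $UserName                      # placeholder bastion NetBIOS name
    } else {
        $qualifiedUser = '{0}\{1}{2}' -f $d.NetBIOS, $UserName, $d.AdminSuffix
    }

    # The original purged the ticket cache via Invoke-Expression; the binary can be called directly.
    & klist.exe purge | Out-Null

    [PSCustomObject]@{
        Domain     = $Domain
        DC         = $d.serverDC
        SearchBase = $d.searchBase
        Credential = [pscredential]::new($qualifiedUser, $Password)
    }
}

# Usage: one credential per domain, built inside the loop from the prompted values.
$userPrompt = Read-Host 'Enter username'
$userPass   = Read-Host 'Enter password' -AsSecureString
$domainList = @('domain1.com', 'domain2.com')

foreach ($domain in $domainList) {
    $p = Get-DomainParams -Domain $domain -UserName $userPrompt -Password $userPass -CyberArk 'N'

    # Server-side filter instead of -Filter * piped to where-object
    Get-ADGroup -Server $p.DC -SearchBase $p.SearchBase -Credential $p.Credential `
                -Filter 'Name -like "*-DelAdmin-Servers*"' |
        ForEach-Object {
            [PSCustomObject]@{
                Name           = $_.Name
                Domain         = $p.Domain
                SamAccountName = $_.SamAccountName
            }
        }
}
```

Because the credential travels in $p rather than in $global:fetchCreds, a failure inside Get-DomainParams stops that iteration with an error instead of letting Get-ADGroup run with whatever the previous domain left behind; with the layout in the question, a set-domparams problem on one domain means the next Get-ADGroup call silently reuses the earlier $DC and $fetchCreds.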
