windows 有没有办法检查计算机的 AD 组成员身份?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11126060/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is there a way to check AD group membership for a computer?
提问by Ian
I am trying to check computer group membership through Powershell. I want to be able to specify a certain computer name and find which groups that computer is in but from a Powershell script. I am planning on running the script on a computer, grabbing the hostname, and then printing out what AD groups that computer is in. Is there an easy way to do this?
我正在尝试通过 Powershell 检查计算机组成员身份。我希望能够指定某个计算机名称并从 Powershell 脚本中找到该计算机所在的组。我打算在计算机上运行脚本,获取主机名,然后打印出该计算机所在的 AD 组。有没有一种简单的方法可以做到这一点?
EDIT: So the plan here is to have a computer check to see what groups it is in, then assign a printer based on which group it is in. We have many printers that only 3 to 4 people use but due to the spread out nature of the users cannot downsize the amount of printers. I was looking at group policy but did not want to create 20 different GPOs. I wanted to do this with a logon/startup script. I'm not sure if this is doable or feasible.
编辑:所以这里的计划是让计算机检查它所在的组,然后根据它所在的组分配打印机。我们有许多打印机,只有 3 到 4 人使用,但由于分布广泛的用户无法缩小打印机数量。我正在查看组策略,但不想创建 20 个不同的 GPO。我想用登录/启动脚本来做到这一点。我不确定这是否可行或可行。
Edit #2: This edit it really late to the party but I figured if anyone found this it could help. We ended up using item level targeting on User>Preferences>Control Panel>Printers objects. We made an account in AD for each group of users needing access to the printers. This worked although it did create a long logon process for the first logon of the computer. We also enabled Point-to-Print restrictions so the drivers were loaded from the servers quietly.
编辑 #2:这个编辑真的很晚了,但我想如果有人发现它会有所帮助。我们最终在用户>首选项>控制面板>打印机对象上使用了项目级定位。我们在 AD 中为需要访问打印机的每组用户创建了一个帐户。尽管它确实为计算机的第一次登录创建了一个很长的登录过程,但它确实有效。我们还启用了 Point-to-Print 限制,以便从服务器安静地加载驱动程序。
回答by Shay Levy
This will give you the group membership (group names) of the local computer (requires powershell 2.0):
这将为您提供本地计算机的组成员身份(组名)(需要 powershell 2.0):
([adsisearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))").FindOne().Properties.memberof -replace '^CN=([^,]+).+$',''
回答by SaxDaddy
Apologies if I'm a bit late to the party on this but I needed to find a computer's group membership as well. After a lot of trial and error, this worked for me.
抱歉,如果我参加聚会有点晚,但我还需要找到计算机的组成员身份。经过大量的反复试验,这对我有用。
Get-ADComputer "mycomp" -Properties MemberOf | %{if ($_.MemberOf -like "*group name*") {Write-Host "found"} }
I noticed that if the string comparison is on a separate line, I needed to do the following
我注意到如果字符串比较在单独的行上,我需要执行以下操作
$g=Get-ADGroupMember -Identity "CN=myADgroup,OU=myOU,DC=corp,DC=com" -server corp.com
foreach($mbr in $g) {if($name.MemberOf -like "*mycomp*" -eq $true) {Write-Host "found"}}
Not sure but I imagine that testing the computer might be faster and easier than testing the group depending on the number of members.
不确定,但我想根据成员的数量,测试计算机可能比测试组更快、更容易。
回答by Mike Finney
the gpresult method seems to be the only way I can find that is accurate. Querying AD is not accurate since the computer may have been added to groups but not rebooted. I am sure someone could condense this but it worked well enough for what I needed to see.
gpresult 方法似乎是我能找到的唯一准确方法。查询 AD 不准确,因为计算机可能已添加到组但未重新启动。我相信有人可以浓缩这个,但它对我需要看到的东西来说效果很好。
# Get all active domain servers
$staledate = (Get-Date).AddDays(-90)
$computers = Get-ADComputer -Filter {(OperatingSystem -Like "*Server*") -and (Enabled -eq $True) -and (LastLogonDate -ge $staledate) -and (Modified -ge $staledate) -and (PasswordLastSet -ge $staledate) -and (whenChanged -ge $staledate) -and (Name -notlike "PHXVSSA101A")} | Select name -expandproperty name
$computers = $computers | Where {(Resolve-DNSName $_.name -ea 0) -and (Test-Connection -ComputerName $_.Name -Count 1 -ea 0)} | Sort
# Loop through all active domain servers
Foreach ($computer in $computers)
{
# Pull the gpresult for the current server
$Lines = gpresult /s $computer /v /SCOPE COMPUTER
# Initialize arrays
$cgroups = @()
$dgroups = @()
# Out equals false by default
$Out = $False
# Define start and end lines for the section we want
$start = "The computer is a part of the following security groups"
$end = "Resultant Set Of Policies for Computer"
# Loop through the gpresult output looking for the computer security group section
ForEach ($Line In $Lines)
{
If ($Line -match $start) {$Out = $True}
If ($Out -eq $True) {$cgroups += $Line}
If ($Line -match $end) {Break}
}
# Loop through all the gathered groups and check for Active Directory groups
ForEach ($group in $cgroups)
{
Try {
$check = Get-ADgroup $group -ErrorAction Stop
If ($check) {
$dgroups += $group
}
}
Catch {}
}
# Output server name and any Active Directory groups it is in
$computer
$dgroups
# End of computers loop
}
回答by Michael
Heres an LDAP query to find if a computer is in a group recursively:
这是一个 LDAP 查询,以递归方式查找计算机是否在组中:
(((objectClass=computer)(sAMAccountName=COMPUTERNAME$))(memberof:1.2.840.113556.1.4.1941:=DistinguishedNameOfGroup))
更多信息:http: //justanotheritblog.co.uk/2016/01/27/recursively-check-if-a-usercomputer-is-a-member-of-an-ad-group-with-powershell-2-0 /
回答by Lansberry
try running gpresult /V and check under "security GROUPS"
尝试运行 gpresult /V 并检查“安全组”
You can also try gpresult /scope computer /vunder a command prompt (elevated to admin) for more specific results
您也可以尝试gpresult /scope computer /v在命令提示符下(提升为管理员)以获得更具体的结果
