Checking "Manager can update membership list" in AD

Question (votes: 1, answers: 2)

I am trying to use PowerShell (without the Quest or Exchange cmdlets) to check whether the "Manager can update membership list" box on an Active Directory group object is ticked.

[screenshot of the checkbox omitted]

So far I have found a blog article that comes very close, but it only uses .NET to set the value. Other posts use LDAP or dsacls to set this value.

The only thing I want is to read this value and get $True or $False. I am not very good with .NET though, so any help is much appreciated.

Update:

The following .NET code is used to create the rule:

```powershell
# The GUID is the schema GUID of the 'member' attribute
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, `
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, `
    [System.Security.AccessControl.AccessControlType]::Allow, `
    [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2")
```

This leads me to believe it should be possible to read [System.DirectoryServices.ActiveDirectoryRights] and/or [System.Security.AccessControl.AccessControlType] to see whether this value is set.

Does anyone know how to do this?

Tags: .net powershell active-directory

2 answers

1 vote

In the end I figured it out; for anyone else who is interested, this did the trick for me:

```powershell
Function Test-ADGroupManagerCanUpdateHC {
    <#
    .SYNOPSIS
        Test a group in AD to see if it has 'Manager can update membership list' enabled or not.

    .DESCRIPTION
        Test a group in AD to see if it has 'Manager can update membership list' enabled or not.
        In case it is enabled (checked) we will return an object, in case it's not the output will
        be false and nothing will be returned.

    .PARAMETER DistinguishedName
        The distinguished name of the object.
        Ex: 'CN=Yellow bananas,OU=Groups,OU=FRUITS,OU=WORLD,DC=domain,DC=com'

    .PARAMETER UseLDAP
        In case this switch is used we use 'LDAP' and the active directory module isn't required.

    .EXAMPLE
        Test-ADGroupManagerCanUpdateHC 'CN=Yellow bananas,OU=Groups,OU=FRUITS,OU=WORLD,DC=domain,DC=com'
        When there is no output, the user defined in 'ManagedBy' can not update the membership list.
    #>

    [CmdLetBinding()]
    Param (
        [Parameter(Mandatory,ValueFromPipeline)]
        [String]$DistinguishedName,
        [Switch]$UseLDAP
    )

    Begin {
        Function Convert-SidToNTAccountHC {
            Param (
                [String]$IdentityReference
            )

            Try {
                $Sid = New-Object System.Security.Principal.SecurityIdentifier($IdentityReference)
                $Sid.Translate([System.Security.Principal.NTAccount])
            }
            Catch {
                # User's SID can't be translated as he is probably deleted
                $Global:Error.Remove($Global:Error[0])
            }
        }
    }

    Process {
        Try {
            foreach ($D in $DistinguishedName) {
                if ($UseLDAP) {
                    $ADObject = [ADSI]"LDAP://$D"
                    $Acl = $ADObject.PSBase.ObjectSecurity
                    $AclRules = $Acl.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
                }
                else {
                    $AclRules = (Get-Acl -Path AD:$D).GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
                }

                $Objects = foreach ($A in $AclRules) {
                    [PSCustomObject]@{
                        'DistinguishedName'     = $D
                        'ActiveDirectoryRights' = $A.ActiveDirectoryRights
                        'ObjectType'            = $A.ObjectType
                        'InheritedObjectType'   = $A.InheritedObjectType
                        'AccessControlType'     = $A.AccessControlType
                        'IdentityReference'     = $A.IdentityReference
                        'NTAccount'             = Convert-SidToNTAccountHC $A.IdentityReference
                    }
                }

                # ObjectType = 'member' attribute, InheritedObjectType = 'group' class
                $Result = $Objects | where {($_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2') -and
                    ($_.InheritedObjectType -eq 'bf967a9c-0de6-11d0-a285-00aa003049e2') -and
                    ($_.ActiveDirectoryRights -like '*WriteProperty*') -and
                    ($_.AccessControlType -eq 'Allow') -and
                    ($_.NTAccount)}

                if ($Result) {
                    Write-Verbose "Manager can update the membership list of group '$D'"
                    $Result
                }
                else {
                    Write-Verbose "Manager can not update the membership list of group '$D'"
                }
            }
        }
        Catch {
            throw "Testing for 'Manager can update membership list' on '$D' failed: $_"
        }
    }
}
```

I tested it on a few groups and it seems to work fine. If you see anything I might have missed, please let me know.
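To pin the check to the managedBy principal itself and also surface anyone else who holds the same right, here is an added example of my own (not code from the question or either answer). It uses only [ADSI] and the 'member' attribute GUID quoted in the question; the function name Get-GroupMemberWriteAuditHC and its output fields are assumptions of mine.

```powershell
# Added example (not from the question or either answer): audits which principals may
# write the 'member' attribute of one group, using only [ADSI] (no AD module).
# The 'member' schema GUID is the one quoted in the question; the rest is my own.
Function Get-GroupMemberWriteAuditHC {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory)]
        [String]$DistinguishedName
    )

    $MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $Group = [ADSI]"LDAP://$DistinguishedName"

    # managedBy holds a DN; resolve it to a SID so the ACE match is exact.
    $ManagedBy = [String]$Group.Properties['managedBy'].Value
    $ManagerSid = $null
    if ($ManagedBy) {
        $Manager = [ADSI]"LDAP://$ManagedBy"
        $SidBytes = [Byte[]]$Manager.Properties['objectSid'].Value
        $ManagerSid = New-Object System.Security.Principal.SecurityIdentifier($SidBytes, 0)
    }

    $Rules = $Group.PSBase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # Every Allow ACE granting WriteProperty (or GenericAll) on 'member'. An empty
    # ObjectType means "all properties" and counts too; inherit-only ACEs do not
    # apply to this object and are skipped.
    $Writers = foreach ($R in $Rules) {
        if ($R.AccessControlType -ne 'Allow') { continue }
        if ($R.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        $OnMember = ($R.ObjectType -eq $MemberAttributeGuid) -or ($R.ObjectType -eq [Guid]::Empty)
        $CanWrite = $R.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -or
                    $R.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        if ($OnMember -and $CanWrite) { $R.IdentityReference }
    }

    # Anyone besides the manager who can change membership is worth reviewing.
    $Others = foreach ($Sid in @($Writers | Where-Object { $_ -ne $ManagerSid })) {
        try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $Sid.Value }   # deleted or foreign principal: keep the raw SID
    }

    [PSCustomObject]@{
        DistinguishedName  = $DistinguishedName
        ManagedBy          = $ManagedBy
        ManagerCanUpdate   = [bool]($ManagerSid -and ($Writers -contains $ManagerSid))
        OtherMemberWriters = @($Others)
    }
}
```

Call it with a group DN as in the answer's example: ManagerCanUpdate is $true only when the managedBy account itself holds the right, and OtherMemberWriters lists every other principal that can edit the group's membership.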


0 votes

I made a script that selects a set of groups, checks them and exports the result. See the comments for what you need to change.

```powershell
Import-Module ActiveDirectory
<# If you want to select all Distribution Groups, uncomment this and comment out the $groups line below
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 # For Exchange 2010
$groups = Get-DistributionGroup -ResultSize Unlimited
#>
$groups = Get-Group -RecipientTypeDetails UniversalDistributionGroup # !! Change to the groups you need
$output = @()

Function Test-ADGroupManagerCanUpdateHC {
    Begin {
        Function Convert-SidToNTAccountHC {
            Param (
                [String]$IdentityReference
            )

            Try {
                $Sid = New-Object System.Security.Principal.SecurityIdentifier($IdentityReference)
                $Sid.Translate([System.Security.Principal.NTAccount])
            }
            Catch {
                # SID can't be translated, the account is probably deleted
                $Global:Error.Remove($Global:Error[0])
            }
        }
    }

    Process {
        # Uses $DistinguishedName, $ManagedByLogin and $obj from the calling script scope
        $AclRules = (Get-Acl AD:$DistinguishedName).GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
        $Objects = foreach ($A in $AclRules) {
            [PSCustomObject]@{
                'DistinguishedName'     = $DistinguishedName
                'ActiveDirectoryRights' = $A.ActiveDirectoryRights
                'ObjectType'            = $A.ObjectType
                'InheritedObjectType'   = $A.InheritedObjectType
                'AccessControlType'     = $A.AccessControlType
                'IdentityReference'     = $A.IdentityReference
                'NTAccount'             = Convert-SidToNTAccountHC $A.IdentityReference
            }
        }
        # Only an ACE for the manager's own account on the 'member' attribute counts
        $Result = $Objects | where {($_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2') -and
                ($_.NTAccount -eq $ManagedByLogin) -and
                ($_.ActiveDirectoryRights -like '*WriteProperty*') -and
                ($_.AccessControlType -eq 'Allow')}

        if ($Result) {
            $obj.ManagerCanUpdate = "True"
            Write-Host "Manager can update the membership list of group '$DistinguishedName'"
        }
        else {
            $obj.ManagerCanUpdate = "False"
            Write-Host "Manager can not update the membership list of group '$DistinguishedName'"
        }
    }
}

foreach ($value in $groups) {
    $obj = "" | select "Name","OU","ManagedBy","ManagerCanUpdate" # !! - Change if you need other attributes - !!
    $DistinguishedName = $value.DistinguishedName
    $obj.Name = $value.Name
    $obj.OU = $value.OrganizationalUnit
    $ADGroup = [ADSI]"LDAP://$DistinguishedName"
    $ManagedBy = $ADGroup.Properties["managedBy"]
    if ($ManagedBy -ne '') {
        $ManagedByUser = [ADSI]"LDAP://$ManagedBy"
        $ManagedByLogin = "YourDomain\" + $ManagedByUser.Properties["sAMAccountName"] # !! - Change to your domain (Should look like: DM\username) !! -
        Test-ADGroupManagerCanUpdateHC
        $obj.ManagedBy = $ManagedByLogin
    }
    else {
        $obj.ManagedBy = "N/A"
        $obj.ManagerCanUpdate = "N/A"
    }
    $output += $obj
    $obj = $null
    $ManagedByLogin = $null   # reset per group; do not null $groups here, it is the collection being iterated
}
$output | Export-Csv -Path Your_Path\output.csv -NoTypeInformation # !! Change Path !!
```