I have AD groups named ADGroup1 and ADGroup2. I know I can see each group's member list by querying:
Get-ADGroupMember -Identity "ADGroup1"
or
Get-ADGroupMember -Identity "ADGroup2"
But does anyone have a way for me to quickly find all users who belong to both groups?
You can get this information with LDAP filtering, plus a bit of string manipulation to generate the LDAP filter automatically:
# Create a filter to get all groups in `$groups`
$groups = 'ADGroup1', 'ADGroup2'
$groupFilter = '(|'
$groups | ForEach-Object {
$groupFilter += '(samAccountName={0})' -f $_
}
$groupFilter += ')'
# create a new filter to get all objects "members of" the groups, exclusive
# change to `(|` for inclusive
$memberOfFilter = '(&'
# get the `DistinguishedName` of all groups and build the filter
(Get-ADGroup -LDAPFilter $groupFilter).DistinguishedName |
ForEach-Object { $memberOfFilter += '(memberof={0})' -f $_ }
$memberOfFilter += ')'
# use this one to find only users:
# $memberOfFilter += '(objectclass=user)(objectcategory=person))'
# instead of:
# $memberOfFilter += ')'
# or just use `Get-ADUser` instead of `Get-ADObject`
# get all objects "members of" all groups in `$groups`
Get-ADObject -LDAPFilter $memberOfFilter
A shorter way of writing Santiago's great answer is as follows.
$groups = 'ADGroup1', 'ADGroup2'
# `(&` = member of every group in `$groups`; use `(|` for member of any of them
$ldapFilter = "(&$(($groups | ForEach-Object { "(memberof=$((Get-ADGroup $_).DistinguishedName))" }) -join ''))"
Get-ADObject -LDAPFilter $ldapFilter
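An added example, not code from either answer, that wraps the same approach in a reusable function. It escapes LDAP filter metacharacters per RFC 4515 so a group name or DistinguishedName containing `(`, `)`, `*` or `\` cannot break or alter the generated filter, and it can optionally follow nested group membership through the LDAP_MATCHING_RULE_IN_CHAIN matching rule. The function and parameter names are my own.

```powershell
# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash must be handled first so the escapes it produces are not re-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value = $Value -replace '\\', '\5c'
    $Value = $Value -replace '\*', '\2a'
    $Value = $Value -replace '\(', '\28'
    $Value = $Value -replace '\)', '\29'
    $Value -replace "`0", '\00'
}

function Get-CommonGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Group,
        [switch]$AnyGroup,    # (| : member of at least one group; default (& : member of all
        [switch]$Recursive,   # follow nested groups via LDAP_MATCHING_RULE_IN_CHAIN
        [switch]$UsersOnly    # restrict results to user objects
    )
    # Resolve each group name to its DistinguishedName; fail loudly if one does not exist
    $dns = foreach ($g in $Group) {
        $escaped = ConvertTo-LdapFilterValue $g
        $obj = Get-ADGroup -LDAPFilter ('(samAccountName={0})' -f $escaped)
        if (-not $obj) { throw "Group '$g' not found" }
        $obj.DistinguishedName
    }
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (transitive membership)
    $attr = if ($Recursive) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    $clauses = ($dns | ForEach-Object {
        '({0}={1})' -f $attr, (ConvertTo-LdapFilterValue $_)
    }) -join ''
    $op = if ($AnyGroup) { '|' } else { '&' }
    $filter = '({0}{1})' -f $op, $clauses
    if ($UsersOnly) {
        $filter = '(&{0}(objectClass=user)(objectCategory=person))' -f $filter
    }
    Write-Verbose "LDAP filter: $filter"
    Get-ADObject -LDAPFilter $filter
}

# Example call: users who are members of both ADGroup1 and ADGroup2, nested membership included
Get-CommonGroupMember -Group 'ADGroup1', 'ADGroup2' -Recursive -UsersOnly -Verbose
```

Run with `-Verbose` to see the exact filter sent to the domain controller, which is the quickest way to confirm the escaping and the `(&` / `(|` choice before trusting the results.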