在本地 Active Directory 中,我想根据用户的属性(例如经理、部门、城市)维护分发列表和安全组。
不幸的是,Windows 并不提供开箱即用的功能,但它可以相对容易地作为 Powershell 脚本实现,并可以作为计划任务运行。
这是包含相应函数的文件。它被称为 AD2DL,即“Active Directory 到分发列表”,但它也适用于安全组。注意:用于安全组时,组成员资格实际上由用户属性(Title、Department、Manager、City 等)决定,因此任何能够修改这些属性的人——例如拥有委派权限的服务台、HR 同步系统,或通过自助服务修改自身属性的用户——都能间接把账户加入该组并获得相应权限。请只选用由可信来源维护的属性,并在正式使用前先用测试组验证筛选条件的结果。
AD2DL.ps1
# https://serverfault.com/questions/1161995/in-active-directory-how-to-synchronize-the-members-of-a-group-automatically-bas/1161996
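function Sync-AD2DL {
    <#
    .SYNOPSIS
        Makes an AD group's membership equal to the set of enabled users that
        match a filter inside the given OUs (adds the missing ones, removes the rest).
    .DESCRIPTION
        Intended to run unattended, e.g. from a scheduled task. Every direct
        member of the group that is not in the expected set is removed -- this
        includes computers, nested groups, disabled users and users outside the
        listed OUs -- so afterwards the group contains exactly the matching,
        enabled users.

        Fail-safe behaviour: if the user query or the group read fails, or if the
        filter matches no enabled user at all (usually a typo in -Filter or
        -OrganisationalUnits, or an unreachable DC), the group is left untouched.
        Pass -AllowEmptyResult to deliberately empty a group.
    .PARAMETER AdGroupName
        Identity of the target group (sAMAccountName, DN, GUID or SID), e.g. "MyGroup".
    .PARAMETER Filter
        Filter string in Get-ADUser -Filter syntax. Examples:
          "*"
          "Department -eq 'IT'"
          "Department -like 'IT'"
          "Manager -eq 'CN=someone,OU=Users,DC=domain,DC=tld' -or SamAccountName -eq 'someone'"
          "City -eq 'Berlin' -and SamAccountName -ne 'exception'"
        Manager holds the manager's distinguished name, so compare it against a DN.
        The string is parsed as a query: keep it a trusted literal in the calling
        script and never assemble it from user- or ticket-supplied text.
        See the property list below for all usable attributes.
    .PARAMETER OrganisationalUnits
        Distinguished names of the OUs that are in scope (searched recursively),
        e.g. @("OU=Users,dc=domain,dc=tld").
    .PARAMETER AllowEmptyResult
        Permit removing every member when the filter matches no enabled user.
    .OUTPUTS
        None. Progress goes to the host; individual Add/Remove failures are
        reported as warnings instead of being swallowed.
    .NOTES
        Supports -WhatIf / -Confirm, so a new filter can be previewed first.
        The account running this only needs "Write Members" on the managed
        groups -- do not run it as a Domain Admin. Get-ADGroupMember lists
        direct members only and may fail for very large groups (ADWS result
        limit) -- in that case the group is left untouched.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$AdGroupName,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Filter,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string[]]$OrganisationalUnits,

        [switch]$AllowEmptyResult
    )

    # --- Expected membership: enabled users matching the filter in each OU ---
    $expectedMembers = @()
    foreach ($ou in $OrganisationalUnits) {
        try {
            # -ErrorAction Stop turns a bad SearchBase or an unreachable DC into an
            # exception instead of a silently empty result that would then wipe the group.
            $matched = Get-ADUser -SearchBase $ou -Filter $Filter -ErrorAction Stop
        }
        catch {
            Write-Error "Sync-AD2DL: user query failed for '$ou' (filter: $Filter); leaving '$AdGroupName' untouched. $_"
            return
        }
        # Disabled accounts are never expected members.
        $expectedMembers += @($matched | Where-Object { $_.Enabled })
    }

    if ($expectedMembers.Count -eq 0 -and -not $AllowEmptyResult) {
        Write-Warning "Sync-AD2DL: filter '$Filter' matched no enabled user in $($OrganisationalUnits -join '; '); refusing to empty '$AdGroupName' (use -AllowEmptyResult to override)."
        return
    }

    # --- Current membership (direct members of any object class) ---
    try {
        $currentMembers = @(Get-ADGroupMember -Identity $AdGroupName -ErrorAction Stop)
    }
    catch {
        Write-Error "Sync-AD2DL: cannot read members of '$AdGroupName'; nothing changed. $_"
        return
    }

    $expectedDns = @($expectedMembers | Select-Object -ExpandProperty DistinguishedName)
    $currentDns  = @($currentMembers  | Select-Object -ExpandProperty DistinguishedName)

    # -notcontains compares case-insensitively, which matches how AD treats DNs.
    $usersToAdd    = @($expectedMembers | Where-Object { $currentDns  -notcontains $_.DistinguishedName })
    $usersToRemove = @($currentMembers  | Where-Object { $expectedDns -notcontains $_.DistinguishedName })

    $added = 0
    foreach ($user in $usersToAdd) {
        if ($PSCmdlet.ShouldProcess($AdGroupName, "Add member $($user.DistinguishedName)")) {
            Write-Host "Adding " $user " to " $AdGroupName
            try {
                # The DN is unambiguous, unlike a sAMAccountName in a multi-domain forest.
                Add-ADGroupMember -Identity $AdGroupName -Members $user.DistinguishedName -ErrorAction Stop
                $added++
            }
            catch {
                # Surface the failure (e.g. missing "Write Members" permission)
                # instead of hiding it and reporting the user as added.
                Write-Warning "Sync-AD2DL: failed to add $($user.DistinguishedName) to '$AdGroupName': $_"
            }
        }
    }

    $removed = 0
    foreach ($user in $usersToRemove) {
        if ($PSCmdlet.ShouldProcess($AdGroupName, "Remove member $($user.DistinguishedName)")) {
            Write-Host "Removing " $user " from " $AdGroupName
            try {
                # -Confirm:$false: the ShouldProcess check above already handled -Confirm/-WhatIf.
                Remove-ADGroupMember -Identity $AdGroupName -Members $user.DistinguishedName -Confirm:$false -ErrorAction Stop
                $removed++
            }
            catch {
                Write-Warning "Sync-AD2DL: failed to remove $($user.DistinguishedName) from '$AdGroupName': $_"
            }
        }
    }

    # Counts reflect operations that actually succeeded, not merely those attempted.
    $newSize = @(Get-ADGroupMember -Identity $AdGroupName).Count
    Write-Host $AdGroupName " Added:" $added " Removed:" $removed "New size:" $newSize
}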
# All user properties, for reference, retrieved with "Get-Member":
#
# AccountExpirationDate Property System.DateTime AccountExpirationDate {get;set;}
# accountExpires Property System.Int64 accountExpires {get;set;}
# AccountLockoutTime Property System.DateTime AccountLockoutTime {get;set;}
# AccountNotDelegated Property System.Boolean AccountNotDelegated {get;set;}
# AllowReversiblePasswordEncryption Property System.Boolean AllowReversiblePasswordEncryption {get;set;}
# AuthenticationPolicy Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection AuthenticationPolicy {get;set;}
# AuthenticationPolicySilo Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection AuthenticationPolicySilo {get;set;}
# BadLogonCount Property System.Int32 BadLogonCount {get;}
# badPasswordTime Property System.Int64 badPasswordTime {get;set;}
# badPwdCount Property System.Int32 badPwdCount {get;set;}
# c Property System.String c {get;set;}
# CannotChangePassword Property System.Boolean CannotChangePassword {get;set;}
# CanonicalName Property System.String CanonicalName {get;}
# Certificates Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection Certificates {get;set;}
# City Property System.String City {get;set;}
# CN Property System.String CN {get;}
# co Property System.String co {get;set;}
# codePage Property System.Int32 codePage {get;set;}
# Company Property System.String Company {get;set;}
# CompoundIdentitySupported Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection CompoundIdentitySupported {get;set;}
# Country Property System.String Country {get;set;}
# countryCode Property System.Int32 countryCode {get;set;}
# Created Property System.DateTime Created {get;}
# createTimeStamp Property System.DateTime createTimeStamp {get;}
# Deleted Property System.Boolean Deleted {get;}
# Department Property System.String Department {get;set;}
# Description Property System.String Description {get;set;}
# DisplayName Property System.String DisplayName {get;set;}
# DistinguishedName Property System.String DistinguishedName {get;set;}
# Division Property System.String Division {get;set;}
# DoesNotRequirePreAuth Property System.Boolean DoesNotRequirePreAuth {get;set;}
# dSCorePropagationData Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection dSCorePropagationData {get;}
# EmailAddress Property System.String EmailAddress {get;set;}
# EmployeeID Property System.String EmployeeID {get;set;}
# EmployeeNumber Property System.String EmployeeNumber {get;set;}
# Enabled Property System.Boolean Enabled {get;set;}
# Fax Property System.String Fax {get;set;}
# GivenName Property System.String GivenName {get;set;}
# HomeDirectory Property System.String HomeDirectory {get;set;}
# HomedirRequired Property System.Boolean HomedirRequired {get;set;}
# HomeDrive Property System.String HomeDrive {get;set;}
# homeMDB Property System.String homeMDB {get;set;}
# HomePage Property System.String HomePage {get;set;}
# HomePhone Property System.String HomePhone {get;set;}
# Initials Property System.String Initials {get;set;}
# instanceType Property System.Int32 instanceType {get;}
# isDeleted Property System.Boolean isDeleted {get;}
# KerberosEncryptionType Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection KerberosEncryptionType {get;set;}
# l Property System.String l {get;set;}
# LastBadPasswordAttempt Property System.DateTime LastBadPasswordAttempt {get;}
# LastKnownParent Property System.String LastKnownParent {get;}
# lastLogoff Property System.Int64 lastLogoff {get;set;}
# lastLogon Property System.Int64 lastLogon {get;set;}
# LastLogonDate Property System.DateTime LastLogonDate {get;}
# lastLogonTimestamp Property System.Int64 lastLogonTimestamp {get;set;}
# legacyExchangeDN Property System.String legacyExchangeDN {get;set;}
# LockedOut Property System.Boolean LockedOut {get;set;}
# lockoutTime Property System.Int64 lockoutTime {get;set;}
# logonCount Property System.Int32 logonCount {get;set;}
# LogonWorkstations Property System.String LogonWorkstations {get;set;}
# mail Property System.String mail {get;set;}
# mailNickname Property System.String mailNickname {get;set;}
# Manager Property System.String Manager {get;set;}
# mDBUseDefaults Property System.Boolean mDBUseDefaults {get;set;}
# MemberOf Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection MemberOf {get;}
# MNSLogonAccount Property System.Boolean MNSLogonAccount {get;set;}
# MobilePhone Property System.String MobilePhone {get;set;}
# Modified Property System.DateTime Modified {get;}
# modifyTimeStamp Property System.DateTime modifyTimeStamp {get;}
# mS-DS-ConsistencyGuid Property System.Byte[] mS-DS-ConsistencyGuid {get;set;}
# msDS-SupportedEncryptionTypes Property System.Int32 msDS-SupportedEncryptionTypes {get;set;}
# msDS-User-Account-Control-Computed Property System.Int32 msDS-User-Account-Control-Computed {get;}
# msExchArchiveQuota Property System.Int64 msExchArchiveQuota {get;set;}
# msExchArchiveWarnQuota Property System.Int64 msExchArchiveWarnQuota {get;set;}
# msExchCalendarLoggingQuota Property System.Int32 msExchCalendarLoggingQuota {get;set;}
# msExchDumpsterQuota Property System.Int32 msExchDumpsterQuota {get;set;}
# msExchDumpsterWarningQuota Property System.Int32 msExchDumpsterWarningQuota {get;set;}
# msExchELCMailboxFlags Property System.Int32 msExchELCMailboxFlags {get;set;}
# msExchHomeServerName Property System.String msExchHomeServerName {get;set;}
# msExchMailboxGuid Property System.Byte[] msExchMailboxGuid {get;set;}
# msExchMailboxSecurityDescriptor Property System.DirectoryServices.ActiveDirectorySecurity msExchMailboxSecurityDescriptor {get;set;}
# msExchMobileMailboxFlags Property System.Int32 msExchMobileMailboxFlags {get;set;}
# msExchPoliciesIncluded Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection msExchPoliciesIncluded {get;set;}
# msExchRBACPolicyLink Property System.String msExchRBACPolicyLink {get;set;}
# msExchRecipientDisplayType Property System.Int32 msExchRecipientDisplayType {get;set;}
# msExchRecipientTypeDetails Property System.Int64 msExchRecipientTypeDetails {get;set;}
# msExchTextMessagingState Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection msExchTextMessagingState {get;set;}
# msExchUMDtmfMap Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection msExchUMDtmfMap {get;set;}
# msExchUserAccountControl Property System.Int32 msExchUserAccountControl {get;set;}
# msExchUserCulture Property System.String msExchUserCulture {get;set;}
# msExchVersion Property System.Int64 msExchVersion {get;set;}
# msExchWhenMailboxCreated Property System.DateTime msExchWhenMailboxCreated {get;set;}
# Name Property System.String Name {get;}
# nTSecurityDescriptor Property System.DirectoryServices.ActiveDirectorySecurity nTSecurityDescriptor {get;set;}
# ObjectCategory Property System.String ObjectCategory {get;}
# ObjectClass Property System.String ObjectClass {get;set;}
# ObjectGUID Property System.Nullable`1[[System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0...
# objectSid Property System.Security.Principal.SecurityIdentifier objectSid {get;}
# Office Property System.String Office {get;set;}
# OfficePhone Property System.String OfficePhone {get;set;}
# Organization Property System.String Organization {get;set;}
# OtherName Property System.String OtherName {get;set;}
# PasswordExpired Property System.Boolean PasswordExpired {get;set;}
# PasswordLastSet Property System.DateTime PasswordLastSet {get;set;}
# PasswordNeverExpires Property System.Boolean PasswordNeverExpires {get;set;}
# PasswordNotRequired Property System.Boolean PasswordNotRequired {get;set;}
# POBox Property System.String POBox {get;set;}
# PostalCode Property System.String PostalCode {get;set;}
# PrimaryGroup Property System.String PrimaryGroup {get;}
# primaryGroupID Property System.Int32 primaryGroupID {get;set;}
# PrincipalsAllowedToDelegateToAccount Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection PrincipalsAllowedToDelegateToAccount {get;...
# ProfilePath Property System.String ProfilePath {get;set;}
# ProtectedFromAccidentalDeletion Property System.Boolean ProtectedFromAccidentalDeletion {get;set;}
# proxyAddresses Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection proxyAddresses {get;set;}
# pwdLastSet Property System.Int64 pwdLastSet {get;set;}
# SamAccountName Property System.String SamAccountName {get;set;}
# sAMAccountType Property System.Int32 sAMAccountType {get;set;}
# ScriptPath Property System.String ScriptPath {get;set;}
# sDRightsEffective Property System.Int32 sDRightsEffective {get;}
# ServicePrincipalNames Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection ServicePrincipalNames {get;set;}
# showInAddressBook Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection showInAddressBook {get;set;}
# SID Property System.Security.Principal.SecurityIdentifier SID {get;set;}
# SIDHistory Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection SIDHistory {get;}
# SmartcardLogonRequired Property System.Boolean SmartcardLogonRequired {get;set;}
# sn Property System.String sn {get;set;}
# st Property System.String st {get;set;}
# State Property System.String State {get;set;}
# StreetAddress Property System.String StreetAddress {get;set;}
# Surname Property System.String Surname {get;set;}
# telephoneNumber Property System.String telephoneNumber {get;set;}
# Title Property System.String Title {get;set;}
# TrustedForDelegation Property System.Boolean TrustedForDelegation {get;set;}
# TrustedToAuthForDelegation Property System.Boolean TrustedToAuthForDelegation {get;set;}
# UseDESKeyOnly Property System.Boolean UseDESKeyOnly {get;set;}
# userAccountControl Property System.Int32 userAccountControl {get;set;}
# userCertificate Property Microsoft.ActiveDirectory.Management.ADPropertyValueCollection userCertificate {get;set;}
# UserPrincipalName Property System.String UserPrincipalName {get;set;}
# uSNChanged Property System.Int64 uSNChanged {get;}
# uSNCreated Property System.Int64 uSNCreated {get;}
# whenChanged Property System.DateTime whenChanged {get;}
# whenCreated Property System.DateTime whenCreated {get;}
# wWWHomePage Property System.String wWWHomePage {get;set;}
这是主脚本。每个要同步的组都有一行。将其放在与上述脚本相同的目录中。
AD2DL-Sync-All.ps1
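# Syncs every managed group: one Sync-AD2DL line per group.
# Run it by hand and review the "Adding"/"Removing" lines before scheduling it.

# Fail loudly if the RSAT Active Directory module is missing, instead of
# failing later with "command not found" inside the sync function.
Import-Module ActiveDirectory -ErrorAction Stop
. $PSScriptRoot\AD2DL.ps1

# OUs that are in scope (searched recursively). Members of the managed groups
# that live outside these OUs are removed by the sync.
$OrganisationalUnits = @(
    "OU=Users,dc=domain,dc=tld"
)

Sync-AD2DL -OrganisationalUnits $OrganisationalUnits -AdGroupName 'All-Senior-Staff-Members' -Filter "Title -eq 'Senior staff member'"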
这是一个 BAT 帮助脚本,您可以将其作为计划任务调用,例如每天两次。将其放在同一目录中。计划任务应使用一个只被委派了目标组“写入成员”(Write Members)权限的专用账户运行,而不是域管理员;同时要限制脚本目录的写权限——任何能修改这些文件的人都能以该账户的身份执行任意代码。
AD2DL-Sync-All.bat
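@echo off
rem Scheduled-task wrapper for AD2DL-Sync-All.ps1 (kept in the same directory).
rem "cd /d" also switches the drive; a plain "cd" left the task on its start-in
rem drive, and the unquoted path broke on directories containing spaces.
cd /d "%~dp0"
rem -NoProfile: no per-user profile script runs as the task account.
rem -NonInteractive: never block on a prompt when running unattended.
rem The execution policy is deliberately not bypassed here: sign the scripts or
rem set the policy for the task account via GPO.
powershell.exe -NoProfile -NonInteractive -File ".\AD2DL-Sync-All.ps1"
rem Pass the script's exit code through so the task history shows failures.
exit /b %ERRORLEVEL%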