none
[论坛FAQ] 如何使用Windows PowerShell管理域内的组和用户 RRS feed

  • 常规讨论

  • Windows PowerShell可以很方便地帮助我们管理域内的用户和组,我们可以使用ADSI Adapter或者AD module里的命令来实现。

    (注意:如果你想在Windows客户端上使用AD Module,则需要在Windows客户端上安装相应的远程服务器管理工具(RSATRemote Server Administration Tools)。)

    下面我们将分别介绍怎样用ADSI Adapter以及AD module来管理域内的用户和组。

    使用ADSI Adapter管理域内的用户(Users)和组(Groups

    1: 在本地计算机上新建用户,并将所新建的用户加入本地组:

    PowerShell脚本:

    import-csv D:\usersinfo.csv | foreach{ #loop every user in csv file

    $server=[adsi]"WinNT://$env:computername"

    $user=$server.Create("User",$_.user)  #create a new local user

    $user.SetPassword($_.password)  #set password to every user

    $user.SetInfo()

     

    # add extra info

    $user.Put('Description',$_.description)  #add description info

    $user.SetInfo()

     

    # add user to local group

    $group = $_.group

    $group=[adsi]"WinNT://$env:computername/$group"  #get the local group

    $group.Add($user.path)  #add the new created user to group

    }

    注释:

    输入的用户信息储存在.csvExcel文件里,存储的格式如下图内“import-csv D:\usersinfo.csv”的结果所示。

    运行结果:

    1

    此外,有关使用ADSI来管理用户和组的方法,请参考以下文档:

    Hey, Scripting Guy! How Can I Use Windows PowerShell to Add a Domain User to a Local Group?

    http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx

    Working with Active Directory using PowerShell ADSI adapter

    http://social.technet.microsoft.com/wiki/contents/articles/4231.working-with-active-directory-using-powershell-adsi-adapter.aspx

    使用Active Directory Module来管理域内成员

    关于AD module内所有命令,请参考下面链接:

    http://technet.microsoft.com/en-us/library/hh852274(v=wps.620).aspx

    2:列出域内组所有成员包括所有用户,组以及计算机对象:

    Function Get-GroupHierarchy ($searchGroup)

    {

    $groupMember = get-adgroupmember $searchGroup | sort-object objectClass -descending  #list all members in this group and sort the members by "user" or "group"

       foreach ($member in $groupMember)

        {

          if ($member.objectclass -eq "user")

          {                                       

          $userinfo = get-aduser $member.samaccountname -Properties *

          }

          if ($member.objectclass -eq "group")

          {

          $groupinfo = get-adgroup $member}

          if ($member.objectclass -eq "Computer")

          {

          $computer = Get-ADComputer $member

          }          

                $Properties = [Ordered]@{"Group name" = $searchGroup;"SubGroup Name"=$groupinfo.name;UserName=$userinfo.samaccountname;"Computermember" = $computer.Name;"UserCreatedtime"=$Userinfo.whenCreated}

                $userinfo = ""   

                $groupinfo = ""

                $computer = ""

                New-Object  PSObject -Property  $Properties  #used to reformat the output by customed properties          

               

        if ($member.ObjectClass -eq "group")

            {Get-GroupHierarchy $member.name} #get nested group members

    }

    }

    然后我们可以调用以上的Function来获得组成员:

    Import-Module ActiveDirectory

     $ADGroups = "newtest","Domain Computers"

     $array=@()

     foreach ($AdGroup in $AdGroups)

     {

     $array+=Get-GroupHierarchy $Adgroup

     }

    这是以上脚本的输出结果:

    2

    另外,对于在域内如何大批量新建用户,我们可以在TechNet Script Center搜索可用的脚本:

    Bulk Create Active Directory Users From CSV Input

    https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Bulk-Create-0927c0c0

    PowerShell: Create Active Directory Users Based On Excel Input

    https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Create-Active-7e6a3978

    Problem : New-ADUser is not working as expected to populate a password coming from a CSV file (the account stays disabled) here is the example and the reason:

    http://blogs.technet.com/b/samdrey/archive/2011/09/26/bulk-populate-an-ad-using-a-csv-file-and-new-aduser-including-passwords.aspx


    Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

    2015年1月14日 9:01
    版主