我經常需要從多個不同的組中刪除多個不同的用戶,並且迄今爲止一直使用dsmod命令腳本來完成它。但是,我一直在嘗試使用一些PowerShell的魔法來升級,並且可能會加快這個過程。我還需要該腳本輸出一個行動記錄,無論是成功還是失敗,一起或分開。Powershell - 從多個AD組中刪除多個AD成員
我正在使用的輸入文件是.csv,第一列中的用戶標識和第二列中的組名。我正在使用的測試輸入文件具有可分辨名稱和簡單的samaccountname代表,以便我可以看到它將如何接受輸入。另外,我們只是在同一頁面上編輯輸出錯誤以保護我們的域信息,但相信什麼是公平的代表性。
到目前爲止,我已經找到了一些我嘗試過的變體。第一個是:
$fileList = import-CSV -Delimiter ',' c:\temp\Logs\RemoveUserInput.csv
foreach($entry in $fileList)
{
$user = $entry.UserID
$group = $entry.Group
remove-adgroupmember -Identity $group -Member $user -Confirm:$false
}
這我得到的錯誤是:
PS C:\Temp\Logs> .\remove_users_from_group.ps1
remove-adgroupmember : Cannot find an object with identity:
'cn=user1,dc=domain,dc=com' under:
'DC=domain,DC=com'.
At C:\Temp\Logs\remove_users_from_group.ps1:7 char:3
+ remove-adgroupmember -Identity $group -Member $user -Confirm:$false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (cn=user1,dc=domain,dc=c
om:ADPrincipal) [Remove-ADGroupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Micros
oft.ActiveDirectory.Management.Commands.RemoveADGroupMember
remove-adgroupmember : Cannot find an object with identity: 'user1' under:
'DC=domain,DC=com'.
At C:\Temp\Logs\remove_users_from_group.ps1:7 char:3
+ remove-adgroupmember -Identity $group -Member $user -Confirm:$false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (user1:ADPrincipal) [Remove-ADG
roupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Micros
oft.ActiveDirectory.Management.Commands.RemoveADGroupMember
一位同事對劇本提供了一個變化,這表明問題的那部分可能與我們的多域林鋪,並從domain2中的組中刪除domain1中的用戶。該腳本變化如下:
Import-Module ActiveDirectory
$FileList = Import-CSV -Delimiter ',' C:\temp\Logs\RemoveUserInput.csv
# Create new ADSearcher Object – could also be done differently
$objForest = [system.directoryservices.activedirectory.forest]::GetCurrentForest()
$ForestDefaultNC = "DC="+$objForest.RootDomain.Name.Replace(".",",DC=")
$ADSearcher = New-Object System.DirectoryServices.DirectorySearcher
$ADSearcher.PageSize = 1000
foreach($entry in $FileList) {
$UserName = $entry.UserID
$GroupName = $entry.Group
$GroupFilter = "(&(objectClass=group)(Name=$GroupName))"
$ADSearcher.Filter = $GroupFilter
$ADSearcher.SearchRoot = New-Object ADSI("GC://$($ForestDefaultNC)")
$Group = $ADSearcher.FindAll()
$UserFilter = "(&(objectCategory=person)(objectClass=user)(Name=$UserName))"
$ADSearcher.Filter = $UserFilter
$ADSearcher.SearchRoot = New-Object ADSI("GC://$($ForestDefaultNC)")
$User = $ADSearcher.FindAll()
Remove-ADGroupMember -Identity $Group -Members $User
}
然後下面的錯誤是:
PS C:\Temp\Logs> .\2remove_users_from_group.ps1
Remove-ADGroupMember : Cannot bind parameter 'Identity'. Cannot convert the
"System.DirectoryServices.SearchResultCollection" value of type
"System.DirectoryServices.SearchResultCollection" to type
"Microsoft.ActiveDirectory.Management.ADGroup".
At C:\Temp\Logs\2remove_users_from_group.ps1:28 char:36
+ Remove-ADGroupMember -Identity $Group -Members $User
+ ~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Remove-ADGroupMember], Par
ameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveD
irectory.Management.Commands.RemoveADGroupMember
Remove-ADGroupMember : Cannot bind parameter 'Identity'. Cannot convert the
"System.DirectoryServices.SearchResultCollection" value of type
"System.DirectoryServices.SearchResultCollection" to type
"Microsoft.ActiveDirectory.Management.ADGroup".
At C:\Temp\Logs\2remove_users_from_group.ps1:28 char:36
+ Remove-ADGroupMember -Identity $Group -Members $User
+ ~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Remove-ADGroupMember], Par
ameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveD
irectory.Management.Commands.RemoveADGroupMember
可以提供將不勝感激的任何援助。
編輯:按照要求,以下是.csv文件的一個例子:
它非常簡單,而且很可能正是你想象:
UserID,group
"cn=user1,dc=domain,dc=com","cn=group1,dc=domain,dc=com"
user1,group1
你的csv看起來像什麼(我有一個很好的猜測)?向我們展示幾行? – Matt
你確定那些DN是正確的?用戶和組是否放置在域的根目錄中?不是通常的場景...... –
就像我在問題中所說的,我已經改變了DN的內容,僅供參考。但是,我100%確定我使用的實際文件中的信息是正確的。 – BitBeard