Powershell連接和搜索多個域

Question

我正在嘗試查找指定用戶帳戶的組成員資格。一個域的用戶帳戶通常是其他域中的一個組的成員（某些域需要不同的管理員帳戶）。使用get-QAQgroup，我可以單獨成功搜索每個域，但是當我嘗試遍歷域時，我只能在我登錄的域中找到結果。 ＃用於更改域並查找指定用戶帳戶的組成員資格的腳本。

$domains = "dom1.ad.state.company.com","dom2.ad.state.company.com","dom3.ad.state.company.com","dom4.ad.state.company.com","corporate.state.company.com","OddNamedDom.com" 
$CRED=GET-CREDENTIAL 
$userAcc = read-host "Enter domain\username for Group Membership Search" 

foreach ($domain in $domains) 
    { 
    write-host "In the domain $domain "," $userAcc is a direct member of..." 
    Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc | select name 
    } #foreach domain 

Connect-QADService -Service 'dom1.ad.state.company.com' 

當我運行該腳本時，我得到了dom1（我登錄的域）的結果，其餘的拋出以下錯誤。我不知道爲什麼「Ref 1：..」這行代碼是指向「dom1」。我認爲這可能是問題的根源。我已經複製下面顯示錯誤消息的Powershell輸出。

In the domain dom1.ad.state.company.com dom1\brownd2.admin.dom1 is a direct member of... 

Name                                    
----                                   
DOM1-G-ITS-DS-Company Services                             
DOM1PGUELFP00003-Exmerge-R                             
DOMPGUELFP00003-Exmerge-C                             
ITSPPTBOSHFS003-FSSHARE-C                             
Domain Users                                 

In the domain dom2.ad.state.company.com dom1\brownd2.admin.dom1 is a direct member of... 
Get-QADGroup : 0000202B: RefErr: DSID-03100742, data 0, 1 access points 
    ref 1: 'dom1.ad.state.company.com' 
At C:\TestScripts\tGet-UserAllMemberships.ps1:24 char:6 
+  Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc | ... 
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    + CategoryInfo   : NotSpecified: (:) [Get-QADGroup], DirectoryAccessException 
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShel 
    lSnapIn.Powershell.Cmdlets.GetGroupCmdlet 

In the domain dom3.ad.state.company.com dom1\brownd2.admin.dom1 is a direct member of... 
Get-QADGroup : 0000202B: RefErr: DSID-03100742, data 0, 1 access points 
    ref 1: 'dom1.ad.state.company.com' 
At C:\TestScripts\tGet-UserAllMemberships.ps1:24 char:6 
+  Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc | ... 
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    + CategoryInfo   : NotSpecified: (:) [Get-QADGroup], DirectoryAccessException 
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShel 
    lSnapIn.Powershell.Cmdlets.GetGroupCmdlet 

對於我檢查的每個域，都有一組類似的錯誤。我沒有發佈錯誤消息的完整列表。

如果我更改數組中的域的順序，那麼錯誤和一個成功域的結果只是改變順序以匹配數組。我認爲這可能僅僅是第一次循環的成功。不是這樣。

我知道該帳戶是Dom2中的組的成員，而不是Dom3中的任何組。如果我將這些命令從foreach循環中取出併爲控制檯中的每個域運行單獨的命令，我會得到預期的結果。根據個人的結果，我認爲這將是一個循環中直接示例，但我沒有正確連接到域。

我能改變什麼？

Answer 1

這是一個使用System.DirectoryServices.AccountManagement命名空間的解決方案，適用於C＃代碼中的PowerShell。這是一種遞歸解決方案。在使用C＃的Find Recursive Group Membership (Active Directory)中，我給出了一個遞歸解決方案（使用可從PowerShell 1.0中獲得的基本ADSI），該解決方案也適用於通訊組。

# Retreiving a principal context for the administrator on the Global Catalog 
Add-Type -AssemblyName System.DirectoryServices.AccountManagement 
$domainContext = New-Object DirectoryServices.AccountManagement.PrincipalContext([DirectoryServices.AccountManagement.ContextType]::Domain, "VMESS01:3268" , "administrator", "adminPasswd") 
# Retreive the groups 
try { 
    $userPrincipal = [DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($domainContext, "jpb") 
    $groups = $userPrincipal.GetAuthorizationGroups() 
    foreach($group in $groups) 
    { 
    $group.name; 
    } 
} 
finally { 
    $pc.domainContext() 
}