Don't block user from specific group in Powershell script
Posted: 2022-01-11 14:49:47

Question: I have a logic problem: how do I make the script a bit safer so that it does not block users from the IT group? Operations staff need to block their employees' access to AD. I am very close to automating this process by having them share a CSV file with username, DateDisable and DateEnable.
    $b = (Get-Date).ToString('M"/"d"/"yyyy')
    Write-Host $b
    Import-Csv "I:\Clients\Block Accounts\Accounts Deactivation.csv" | ForEach-Object {
        $SamAccountName = $_."SamAccountName"
        $dateDisable = $_."dateDisable"
        $dateEnable = $_."dateEnable"
        # How can I search for users in a group like PLKAT-NON-BLOCK-USERS and not block users from this group with an if? Can you tell me more about this solution? I would be grateful for some clues.
        if ( Get-ADPrincipalGroupMembership -And $dateDisable -eq $b) {
            Get-ADUser -Identity $SamAccountName | Disable-ADAccount
            Write-Host "-User "$SamAccountName" Disabled"
        }
        if ( $dateEnable -eq $b) {
            Get-ADUser -Identity $SamAccountName | Enable-ADAccount
            Write-Host "-User "$SamAccountName" Enable"
        }
    }
Comments:
Please provide more details about what you are trying to accomplish. It seems you are trying to disable users only when the user is not a member of the PLKAT-NON-BLOCK-USERS group and based on a DateTime condition, but it is not entirely clear what the condition is.
Run Get-ADUser -Properties MemberOf - this should give you a clue on how to proceed, although if your list is large it would be better to retrieve the group first with Get-ADGroup and filter that way.
I only want to check users in this group PLKAT-NON-BLOCK-USERS, not users in all groups and in other groups besides PLKAT-NON-BLOCK-USERS. This is important.
Thanks for your help, I used Get-ADGroup and a variable in a foreach loop.
Does that mean your question is now solved? If so, I suggest closing it.
Answer 1:
At the top of the script you can first get a list of all users in the PLKAT-NON-BLOCK-USERS group.
Then, in the code, check whether the user you are iterating over is a member of that group and, if so, do not disable that user.
Something like:
    # get an array of SamAccountNames for users you do not wish to disable
    $noDisable = (Get-ADGroupMember -Identity 'PLKAT-NON-BLOCK-USERS' -Recursive | Where-Object { $_.objectClass -eq 'user' }).SamAccountName
    $refDate = (Get-Date).ToString('M"/"d"/"yyyy')
    Import-Csv -Path 'I:\Clients\Block Accounts\Accounts Deactivation.csv' | ForEach-Object {
        if ($noDisable -contains $_.SamAccountName) {
            Write-Host "User '$($_.SamAccountName)' is member of group 'PLKAT-NON-BLOCK-USERS'. Skipped."
            return # skip this one and proceed with the next user ('continue' inside ForEach-Object would stop the whole pipeline)
        }
        # try and get the AD user object
        $user = Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'" -ErrorAction SilentlyContinue
        if ($user) {
            if ($_.dateEnable -eq $refDate) {
                $user | Enable-ADAccount
                Write-Host "User '$($_.SamAccountName)' Enabled"
            }
            elseif ($_.dateDisable -eq $refDate) {
                $user | Disable-ADAccount
                Write-Host "User '$($_.SamAccountName)' Disabled"
            }
        }
        else {
            Write-Warning "User '$($_.SamAccountName)' does not exist.."
        }
    }
Discussion:
Thanks for your help, but I did this for 4 groups in AD, and I had to make three csv files for four different projects,

Answer 2:
Thanks for your help, but I did this for 4 groups in AD, and for security reasons I had to make three csv files for three different projects. I now import 3 csv files into the script. I have to create one loop to check PLKAT-NON-BLOCK-USERS and a second loop to check membership of the correct group from the CSV file. So I created PLKAT-G-ORG-Client1-Block Users Only, PLKAT-G-ORG-Client2-Block Users Only and PLKAT-G-ORG-Client3-Block Users Only and use the second loop to check that the user is in one of these groups. This is to prevent blocking users from other projects.
1. Import-Csv -Path 'I:\Clients1\Block Accounts\Accounts Deactivation.csv' | ForEach-Object
2. Import-Csv -Path 'I:\Clients2\Block Accounts\Accounts Deactivation.csv' | ForEach-Object
3. Import-Csv -Path 'I:\Clients3\Block Accounts\Accounts Deactivation.csv' | ForEach-Object
The first loop checks PLKAT-NON-BLOCK-USERS (IT, Backoffice, etc.).
Can you tell me whether this is good or what I can improve? Here is the code:
    $b = (Get-Date).ToString('M"/"d"/"yyyy')
    $groups = 'PLKAT-G-ORG-NON Block Users'
    $groupCLIENT1 = 'PLKAT-G-ORG-Client1 Block Users Only'
    $groupCLIENT2 = 'PLKAT-G-ORG-Client2 Block Users Only'
    $groupCLIENT3 = 'PLKAT-G-ORG-Client3 Block Users Only'
    #################### Client1 ############################
    Import-Csv "I:\Clients1\Block Accounts\Accounts Deactivation Test.csv" | ForEach-Object {
        $SamAccountName = $_."SamAccountName"
        $dateDisable = $_."dateDisable"
        $dateEnable = $_."dateEnable"
        foreach ($group in $groups) {
            $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName
            If ($members -contains $SamAccountName ) {
                Write-Host $SamAccountName" is a member of NON Block User Group"
            }
        }
        foreach ($group in $groupCLIENT1) {
            $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName
            if ($members -contains $SamAccountName) {
                if ($dateDisable -eq $b) {
                    Get-ADUser -Identity $SamAccountName | Disable-ADAccount
                }
                if ( $dateEnable -eq $b) {
                    Get-ADUser -Identity $SamAccountName | Enable-ADAccount
                    Write-Host "-User "$SamAccountName" Enable"
                }
            }
        }
    }
    ###################### Client2 ###########################################
    Import-Csv "I:\Clients2\Block Accounts\Accounts Deactivation Test.csv" | ForEach-Object {
        $SamAccountName = $_."SamAccountName"
        $dateDisable = $_."dateDisable"
        $dateEnable = $_."dateEnable"
        foreach ($group in $groups) {
            $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName
            If ($members -contains $SamAccountName ) {
                Write-Host $SamAccountName" is a member of NON Block User Group"
            }
        }
        foreach ($group in $groupCLIENT2) {
            $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName
            if ($members -contains $SamAccountName) {
                if ($dateDisable -eq $b) {
                    Get-ADUser -Identity $SamAccountName | Disable-ADAccount
                    Write-Host "-User "$SamAccountName" Disabled"
                }
                if ( $dateEnable -eq $b) {
                    Get-ADUser -Identity $SamAccountName | Enable-ADAccount
                    Write-Host "-User "$SamAccountName" Enable"
                }
            }
        }
    }
    ##################### Client3 #################
    Import-Csv "I:\Clients3\Block Accounts\Accounts Deactivation Test.csv" | ForEach-Object {
        $SamAccountName = $_."SamAccountName"
        $dateDisable = $_."dateDisable"
        $dateEnable = $_."dateEnable"
        foreach ($group in $groups) {
            $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName
            If ($members -contains $SamAccountName ) {
                Write-Host $SamAccountName" is a member of NON Block User Group"
            }
        }
        foreach ($group in $groupCLIENT3) {
            $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName
            if ($members -contains $SamAccountName) {
                if ($dateDisable -eq $b) {
                    Get-ADUser -Identity $SamAccountName | Disable-ADAccount
                    Write-Host "-User "$SamAccountName" Disabled"
                }
                if ( $dateEnable -eq $b) {
                    Get-ADUser -Identity $SamAccountName | Enable-ADAccount
                    Write-Host "-User "$SamAccountName" Enable"
                }
            }
        }
    }
Discussion:
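As an added example, not from the question or either answer, here is how the three copy-pasted Client1/Client2/Client3 blocks in Answer 2 and the exempt-group check from Answer 1 can be combined into one table-driven pass: each group is resolved once, exempt users are skipped before any AD query, only users already found in that client's block-only group are touched, and dates are compared as dates instead of 'M/d/yyyy' strings. Get-MemberSet and the $Clients table are names assumed for this example; the group names and CSV paths are the ones quoted in the thread.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ExemptGroup = 'PLKAT-G-ORG-NON Block Users',
    [hashtable]$Clients = @{
        'PLKAT-G-ORG-Client1 Block Users Only' = 'I:\Clients1\Block Accounts\Accounts Deactivation.csv'
        'PLKAT-G-ORG-Client2 Block Users Only' = 'I:\Clients2\Block Accounts\Accounts Deactivation.csv'
        'PLKAT-G-ORG-Client3 Block Users Only' = 'I:\Clients3\Block Accounts\Accounts Deactivation.csv'
    }
)
Import-Module ActiveDirectory

# Assumed helper for this example: resolve nested membership once per group,
# not once per CSV row as the per-client blocks above do.
function Get-MemberSet([string]$GroupName) {
    $set = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [void]$set.Add($_.SamAccountName) }
    return $set
}
$exempt = Get-MemberSet $ExemptGroup
$today  = (Get-Date).Date   # compare dates, not 'M/d/yyyy' strings

foreach ($entry in $Clients.GetEnumerator()) {
    $allowed = Get-MemberSet $entry.Key
    foreach ($row in Import-Csv -Path $entry.Value) {
        $sam = "$($row.SamAccountName)".Trim()
        # Exempt check first, so no AD change is even attempted for these users.
        if ($exempt.Contains($sam)) {
            Write-Warning "$sam is in '$ExemptGroup'; CSV row ignored"
            continue   # plain foreach, so continue is safe here
        }
        # Only names already resolved from this client's group reach the filter below,
        # so a malformed CSV value cannot alter the query.
        if (-not $allowed.Contains($sam)) {
            Write-Warning "$sam is not in '$($entry.Key)'; CSV row ignored"
            continue
        }
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
        if (-not $user) { Write-Warning "$sam not found in AD"; continue }
        # Empty or invalid dates convert to $null and simply never match today.
        $disableOn = $row.dateDisable -as [datetime]
        $enableOn  = $row.dateEnable  -as [datetime]
        if ($enableOn -and $enableOn.Date -eq $today) {
            if ($PSCmdlet.ShouldProcess($sam, 'Enable-ADAccount')) { Enable-ADAccount -Identity $user }
        } elseif ($disableOn -and $disableOn.Date -eq $today) {
            if ($PSCmdlet.ShouldProcess($sam, 'Disable-ADAccount')) { Disable-ADAccount -Identity $user }
        }
    }
}
```

Run the script with -WhatIf first to see which accounts would be enabled or disabled without changing anything.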