Accepted
Asked by ocroquette on 2024-07-04 14:23:28 +0800 CST

In Active Directory, how to synchronize the members of a group automatically based on the users' attributes?

In on-premises Active Directory, I would like to maintain distribution lists and security groups based on user attributes, for example the manager, the department or the city.

Tags: windows
1 answer, 82 views

1 answer

    Best Answer
    ocroquette, 2024-07-04T14:23:28+08:00

    Unfortunately, Windows does not offer this feature out of the box, but it is relatively easy to implement as a PowerShell script, which can be run as a scheduled task.

    Here is the file that contains the corresponding function. It is called AD2DL as in "Active Directory To Distribution List", but it also works with security groups.

    AD2DL.ps1
    
    # https://serverfault.com/questions/1161995/in-active-directory-how-to-synchronize-the-members-of-a-group-automatically-bas/1161996
    
    # Requires the ActiveDirectory module (RSAT); PowerShell 3+ auto-loads it, made explicit here
    Import-Module ActiveDirectory
    
    function Sync-AD2DL {
        param (
            # Example AdGroupName: "MyGroup"
            [string]$AdGroupName,
            # Example filters:
            #   "*"
            #   "Department -eq 'IT'"
            #   "Department -like 'IT'"
            #   "Manager -eq 'someone' -or SamAccountName -eq 'someone'"
            #   "City -eq 'Berlin' -and SamAccountName -ne 'exception'"
            # See below for all properties
            [string]$Filter,
            # Example OrganisationalUnits: @("OU=Users,dc=domain,dc=tld")
            [string[]]$OrganisationalUnits
        )
    
        $expectedMembers = @()
    
        foreach($ou in $OrganisationalUnits)
        {
            $matchingUsers = Get-ADUser -SearchBase $ou -Filter $Filter
    
            # Filter out accounts that are disabled:
            $matchingUsers = $matchingUsers | Where-Object { $_.Enabled }
    
            $expectedMembers += $matchingUsers
        }
    
        # Write-Host "expectedMembers=" $expectedMembers
    
        $expectedNames = $expectedMembers | Select-Object -ExpandProperty DistinguishedName
    
        # @() keeps .Length meaningful when the group has zero or exactly one member
        $currentMembers = @(Get-ADGroupMember -Identity $AdGroupName)
        $currentNames = $currentMembers | Select-Object -ExpandProperty DistinguishedName
        $oldLength = $currentMembers.Length
    
        # Write-Host "currentMembers=" $currentMembers
    
        $usersToAdd = @($expectedMembers | Where-Object { $currentNames -notcontains $_.DistinguishedName })
    
        foreach($user in $usersToAdd)
        {
            Write-Host "Adding " $user " to " $AdGroupName
            # SilentlyContinue hides a failed add; the size report at the end is the only check
            Add-ADGroupMember -Identity $AdGroupName -Members $user.SamAccountName -ErrorAction SilentlyContinue
        }
    
        # Every current member the filter did not select is removed, nested groups and computers included
        $usersToRemove = @($currentMembers | Where-Object { $expectedNames -notcontains $_.DistinguishedName })
    
        foreach($user in $usersToRemove)
        {
            Write-Host "Removing " $user " from " $AdGroupName
            Remove-ADGroupMember -Identity $AdGroupName -Members $user.SamAccountName -Confirm:$false
        }
    
        $newLength = @(Get-ADGroupMember -Identity $AdGroupName).Length
        Write-Host $AdGroupName " Added:" $usersToAdd.Length "  Removed:" $usersToRemove.Length "Old size:" $oldLength "New size:" $newLength
    }
    
    
    # All user properties, for reference, retrieved with "Get-Member":
    #
    # AccountExpirationDate                 Property              System.DateTime AccountExpirationDate {get;set;}
    # accountExpires                        Property              System.Int64 accountExpires {get;set;}
    # AccountLockoutTime                    Property              System.DateTime AccountLockoutTime {get;set;}
    # AccountNotDelegated                   Property              System.Boolean AccountNotDelegated {get;set;}
    # AllowReversiblePasswordEncryption     Property              System.Boolean AllowReversiblePasswordEncryption {get;set;}
    # AuthenticationPolicy                  Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection AuthenticationPolicy {get;set;}
    # AuthenticationPolicySilo              Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection AuthenticationPolicySilo {get;set;}
    # BadLogonCount                         Property              System.Int32 BadLogonCount {get;}
    # badPasswordTime                       Property              System.Int64 badPasswordTime {get;set;}
    # badPwdCount                           Property              System.Int32 badPwdCount {get;set;}
    # c                                     Property              System.String c {get;set;}
    # CannotChangePassword                  Property              System.Boolean CannotChangePassword {get;set;}
    # CanonicalName                         Property              System.String CanonicalName {get;}
    # Certificates                          Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection Certificates {get;set;}
    # City                                  Property              System.String City {get;set;}
    # CN                                    Property              System.String CN {get;}
    # co                                    Property              System.String co {get;set;}
    # codePage                              Property              System.Int32 codePage {get;set;}
    # Company                               Property              System.String Company {get;set;}
    # CompoundIdentitySupported             Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection CompoundIdentitySupported {get;set;}
    # Country                               Property              System.String Country {get;set;}
    # countryCode                           Property              System.Int32 countryCode {get;set;}
    # Created                               Property              System.DateTime Created {get;}
    # createTimeStamp                       Property              System.DateTime createTimeStamp {get;}
    # Deleted                               Property              System.Boolean Deleted {get;}
    # Department                            Property              System.String Department {get;set;}
    # Description                           Property              System.String Description {get;set;}
    # DisplayName                           Property              System.String DisplayName {get;set;}
    # DistinguishedName                     Property              System.String DistinguishedName {get;set;}
    # Division                              Property              System.String Division {get;set;}
    # DoesNotRequirePreAuth                 Property              System.Boolean DoesNotRequirePreAuth {get;set;}
    # dSCorePropagationData                 Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection dSCorePropagationData {get;}
    # EmailAddress                          Property              System.String EmailAddress {get;set;}
    # EmployeeID                            Property              System.String EmployeeID {get;set;}
    # EmployeeNumber                        Property              System.String EmployeeNumber {get;set;}
    # Enabled                               Property              System.Boolean Enabled {get;set;}
    # Fax                                   Property              System.String Fax {get;set;}
    # GivenName                             Property              System.String GivenName {get;set;}
    # HomeDirectory                         Property              System.String HomeDirectory {get;set;}
    # HomedirRequired                       Property              System.Boolean HomedirRequired {get;set;}
    # HomeDrive                             Property              System.String HomeDrive {get;set;}
    # homeMDB                               Property              System.String homeMDB {get;set;}
    # HomePage                              Property              System.String HomePage {get;set;}
    # HomePhone                             Property              System.String HomePhone {get;set;}
    # Initials                              Property              System.String Initials {get;set;}
    # instanceType                          Property              System.Int32 instanceType {get;}
    # isDeleted                             Property              System.Boolean isDeleted {get;}
    # KerberosEncryptionType                Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection KerberosEncryptionType {get;set;}
    # l                                     Property              System.String l {get;set;}
    # LastBadPasswordAttempt                Property              System.DateTime LastBadPasswordAttempt {get;}
    # LastKnownParent                       Property              System.String LastKnownParent {get;}
    # lastLogoff                            Property              System.Int64 lastLogoff {get;set;}
    # lastLogon                             Property              System.Int64 lastLogon {get;set;}
    # LastLogonDate                         Property              System.DateTime LastLogonDate {get;}
    # lastLogonTimestamp                    Property              System.Int64 lastLogonTimestamp {get;set;}
    # legacyExchangeDN                      Property              System.String legacyExchangeDN {get;set;}
    # LockedOut                             Property              System.Boolean LockedOut {get;set;}
    # lockoutTime                           Property              System.Int64 lockoutTime {get;set;}
    # logonCount                            Property              System.Int32 logonCount {get;set;}
    # LogonWorkstations                     Property              System.String LogonWorkstations {get;set;}
    # mail                                  Property              System.String mail {get;set;}
    # mailNickname                          Property              System.String mailNickname {get;set;}
    # Manager                               Property              System.String Manager {get;set;}
    # mDBUseDefaults                        Property              System.Boolean mDBUseDefaults {get;set;}
    # MemberOf                              Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection MemberOf {get;}
    # MNSLogonAccount                       Property              System.Boolean MNSLogonAccount {get;set;}
    # MobilePhone                           Property              System.String MobilePhone {get;set;}
    # Modified                              Property              System.DateTime Modified {get;}
    # modifyTimeStamp                       Property              System.DateTime modifyTimeStamp {get;}
    # mS-DS-ConsistencyGuid                 Property              System.Byte[] mS-DS-ConsistencyGuid {get;set;}
    # msDS-SupportedEncryptionTypes         Property              System.Int32 msDS-SupportedEncryptionTypes {get;set;}
    # msDS-User-Account-Control-Computed    Property              System.Int32 msDS-User-Account-Control-Computed {get;}
    # msExchArchiveQuota                    Property              System.Int64 msExchArchiveQuota {get;set;}
    # msExchArchiveWarnQuota                Property              System.Int64 msExchArchiveWarnQuota {get;set;}
    # msExchCalendarLoggingQuota            Property              System.Int32 msExchCalendarLoggingQuota {get;set;}
    # msExchDumpsterQuota                   Property              System.Int32 msExchDumpsterQuota {get;set;}
    # msExchDumpsterWarningQuota            Property              System.Int32 msExchDumpsterWarningQuota {get;set;}
    # msExchELCMailboxFlags                 Property              System.Int32 msExchELCMailboxFlags {get;set;}
    # msExchHomeServerName                  Property              System.String msExchHomeServerName {get;set;}
    # msExchMailboxGuid                     Property              System.Byte[] msExchMailboxGuid {get;set;}
    # msExchMailboxSecurityDescriptor       Property              System.DirectoryServices.ActiveDirectorySecurity msExchMailboxSecurityDescriptor {get;set;}
    # msExchMobileMailboxFlags              Property              System.Int32 msExchMobileMailboxFlags {get;set;}
    # msExchPoliciesIncluded                Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection msExchPoliciesIncluded {get;set;}
    # msExchRBACPolicyLink                  Property              System.String msExchRBACPolicyLink {get;set;}
    # msExchRecipientDisplayType            Property              System.Int32 msExchRecipientDisplayType {get;set;}
    # msExchRecipientTypeDetails            Property              System.Int64 msExchRecipientTypeDetails {get;set;}
    # msExchTextMessagingState              Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection msExchTextMessagingState {get;set;}
    # msExchUMDtmfMap                       Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection msExchUMDtmfMap {get;set;}
    # msExchUserAccountControl              Property              System.Int32 msExchUserAccountControl {get;set;}
    # msExchUserCulture                     Property              System.String msExchUserCulture {get;set;}
    # msExchVersion                         Property              System.Int64 msExchVersion {get;set;}
    # msExchWhenMailboxCreated              Property              System.DateTime msExchWhenMailboxCreated {get;set;}
    # Name                                  Property              System.String Name {get;}
    # nTSecurityDescriptor                  Property              System.DirectoryServices.ActiveDirectorySecurity nTSecurityDescriptor {get;set;}
    # ObjectCategory                        Property              System.String ObjectCategory {get;}
    # ObjectClass                           Property              System.String ObjectClass {get;set;}
    # ObjectGUID                            Property              System.Nullable`1[[System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0...
    # objectSid                             Property              System.Security.Principal.SecurityIdentifier objectSid {get;}
    # Office                                Property              System.String Office {get;set;}
    # OfficePhone                           Property              System.String OfficePhone {get;set;}
    # Organization                          Property              System.String Organization {get;set;}
    # OtherName                             Property              System.String OtherName {get;set;}
    # PasswordExpired                       Property              System.Boolean PasswordExpired {get;set;}
    # PasswordLastSet                       Property              System.DateTime PasswordLastSet {get;set;}
    # PasswordNeverExpires                  Property              System.Boolean PasswordNeverExpires {get;set;}
    # PasswordNotRequired                   Property              System.Boolean PasswordNotRequired {get;set;}
    # POBox                                 Property              System.String POBox {get;set;}
    # PostalCode                            Property              System.String PostalCode {get;set;}
    # PrimaryGroup                          Property              System.String PrimaryGroup {get;}
    # primaryGroupID                        Property              System.Int32 primaryGroupID {get;set;}
    # PrincipalsAllowedToDelegateToAccount  Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection PrincipalsAllowedToDelegateToAccount {get;...
    # ProfilePath                           Property              System.String ProfilePath {get;set;}
    # ProtectedFromAccidentalDeletion       Property              System.Boolean ProtectedFromAccidentalDeletion {get;set;}
    # proxyAddresses                        Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection proxyAddresses {get;set;}
    # pwdLastSet                            Property              System.Int64 pwdLastSet {get;set;}
    # SamAccountName                        Property              System.String SamAccountName {get;set;}
    # sAMAccountType                        Property              System.Int32 sAMAccountType {get;set;}
    # ScriptPath                            Property              System.String ScriptPath {get;set;}
    # sDRightsEffective                     Property              System.Int32 sDRightsEffective {get;}
    # ServicePrincipalNames                 Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection ServicePrincipalNames {get;set;}
    # showInAddressBook                     Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection showInAddressBook {get;set;}
    # SID                                   Property              System.Security.Principal.SecurityIdentifier SID {get;set;}
    # SIDHistory                            Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection SIDHistory {get;}
    # SmartcardLogonRequired                Property              System.Boolean SmartcardLogonRequired {get;set;}
    # sn                                    Property              System.String sn {get;set;}
    # st                                    Property              System.String st {get;set;}
    # State                                 Property              System.String State {get;set;}
    # StreetAddress                         Property              System.String StreetAddress {get;set;}
    # Surname                               Property              System.String Surname {get;set;}
    # telephoneNumber                       Property              System.String telephoneNumber {get;set;}
    # Title                                 Property              System.String Title {get;set;}
    # TrustedForDelegation                  Property              System.Boolean TrustedForDelegation {get;set;}
    # TrustedToAuthForDelegation            Property              System.Boolean TrustedToAuthForDelegation {get;set;}
    # UseDESKeyOnly                         Property              System.Boolean UseDESKeyOnly {get;set;}
    # userAccountControl                    Property              System.Int32 userAccountControl {get;set;}
    # userCertificate                       Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection userCertificate {get;set;}
    # UserPrincipalName                     Property              System.String UserPrincipalName {get;set;}
    # uSNChanged                            Property              System.Int64 uSNChanged {get;}
    # uSNCreated                            Property              System.Int64 uSNCreated {get;}
    # whenChanged                           Property              System.DateTime whenChanged {get;}
    # whenCreated                           Property              System.DateTime whenCreated {get;}
    # wWWHomePage                           Property              System.String wWWHomePage {get;set;}
    
    

    Here is the main script. There is one line per group to synchronize. Put it in the same directory as the script above.

    AD2DL-Sync-All.ps1
    
    
    . $PSScriptRoot\AD2DL.ps1
    
    $OrganisationalUnits = @(
        "OU=Users,dc=domain,dc=tld"
    )
    
    
    Sync-AD2DL -OrganisationalUnits $OrganisationalUnits  -AdGroupName 'All-Senior-Staff-Members' -filter "Title -eq 'Senior staff member'"
    

    Here is a BAT helper script that you can call as a scheduled task, for example twice a day. Put it in the same directory:

    AD2DL-Sync-All.bat
    
    @echo off
    set ownpath=%~dp0
    rem /d also switches the drive; the quotes cope with spaces in the path
    cd /d "%ownpath%"
    powershell.exe -NoProfile -command "& '.\AD2DL-Sync-All.ps1'"
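
As an added example (not code from the original answer), the same sync written as a guarded, dry-run-capable wrapper: it aborts instead of emptying a group when the filter matches nobody or the query fails, refuses mass removals above a threshold, leaves nested groups and computers alone, and honours -WhatIf. The function names Get-AD2DLPlan and Invoke-AD2DLGuardedSync and the -MaxRemovalRatio parameter are assumptions of this example; it needs the ActiveDirectory module and a domain to talk to.

```powershell
# Added example, not the original answer's code. Assumed names: Get-AD2DLPlan,
# Invoke-AD2DLGuardedSync, -MaxRemovalRatio. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AD2DLPlan {
    param (
        [Parameter(Mandatory)][string]$AdGroupName,
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string[]]$OrganisationalUnits
    )
    # Expected members: enabled users matching the filter, keyed by DN.
    $expected = @{}
    foreach ($ou in $OrganisationalUnits) {
        # -ErrorAction Stop: a failed query must abort, not look like "no users match".
        Get-ADUser -SearchBase $ou -Filter $Filter -ErrorAction Stop |
            Where-Object { $_.Enabled } |
            ForEach-Object { $expected[$_.DistinguishedName] = $_ }
    }
    # Direct members only. Nested groups and computers are reported, not removed,
    # because a user-only filter can never "expect" them.
    $current      = @(Get-ADGroupMember -Identity $AdGroupName -ErrorAction Stop)
    $currentUsers = @($current | Where-Object { $_.objectClass -eq 'user' })
    $currentDns   = @($currentUsers | Select-Object -ExpandProperty DistinguishedName)

    [pscustomobject]@{
        Group    = $AdGroupName
        ToAdd    = @($expected.Values | Where-Object { $currentDns -notcontains $_.DistinguishedName })
        ToRemove = @($currentUsers | Where-Object { -not $expected.ContainsKey($_.DistinguishedName) })
        NonUsers = @($current | Where-Object { $_.objectClass -ne 'user' })
        Expected = $expected.Count
        Current  = $currentUsers.Count
    }
}

function Invoke-AD2DLGuardedSync {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)][string]$AdGroupName,
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string[]]$OrganisationalUnits,
        # Largest share of current members one run may remove before it aborts.
        [double]$MaxRemovalRatio = 0.5
    )
    $plan = Get-AD2DLPlan -AdGroupName $AdGroupName -Filter $Filter -OrganisationalUnits $OrganisationalUnits

    # Guard 1: zero matches usually means a typo in the filter or OU, not "nobody qualifies".
    if ($plan.Expected -eq 0) {
        throw "Filter '$Filter' matched no enabled users; refusing to empty '$AdGroupName'."
    }
    # Guard 2: mass removal from a security group is a change-control event, not a cron job.
    if ($plan.Current -gt 0 -and ($plan.ToRemove.Count / $plan.Current) -gt $MaxRemovalRatio) {
        throw "Would remove $($plan.ToRemove.Count) of $($plan.Current) members of '$AdGroupName'; aborting."
    }
    foreach ($m in $plan.NonUsers) {
        Write-Warning "$AdGroupName has non-user member $($m.DistinguishedName); left untouched."
    }
    # Errors surface instead of being swallowed, so the scheduled task shows a failure.
    if ($plan.ToAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($AdGroupName, "Add $($plan.ToAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $AdGroupName -Members $plan.ToAdd -ErrorAction Stop
    }
    if ($plan.ToRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($AdGroupName, "Remove $($plan.ToRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $AdGroupName -Members $plan.ToRemove -Confirm:$false -ErrorAction Stop
    }
    $plan
}

# Dry run first: -WhatIf reports the planned changes without touching the group.
Invoke-AD2DLGuardedSync -AdGroupName 'All-Senior-Staff-Members' -Filter "Title -eq 'Senior staff member'" `
    -OrganisationalUnits @('OU=Users,dc=domain,dc=tld') -WhatIf
```

Run it once with -WhatIf from the scheduled-task account to confirm the plan, then drop the switch; the returned plan object can be logged so membership drift is auditable.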
    