Retrieve badpwdcount with LDAP on PDC
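I am trying to retrieve the value from the "badpwdcount" attribute. The problem is that in order to get an accurate value, I should query the PDC (Primary Domain Controller). At the moment, I am using PowerShell to solve the problem with an LDAP search. Question: is there any chance to get the value from the PDC by using an LDAP search?
For example: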
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
$ADSearch.SearchRoot = "LDAP://$Domain"
This will search the current domain. What should I do to get the value from the PDC?
$Domain = $Domain.PdcRoleOwner
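Every domain controller updates the server holding the PDC emulator FSMO role with its count (so that accounts can be locked out when the maximum number is exceeded); the total count is not easily tracked, so we have to query each domain controller separately for that number.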
# Import active directory modules
import-module activedirectory;
# Get all domain controllers
$dcs = get-adcomputer -filter * -searchbase "ou=domain controllers,dc=kamal,dc=local";
# Get all users - change "-filter {enabled -eq $true}" to a username to get just one user
$users = get-aduser -filter {enabled -eq $true} | sort name;
# Loop through all users found
foreach ($user in $users) {
    $badpwdcount = 0;
    # Loop through each domain controller
    foreach ($dc in $dcs) {
        $newuser = get-aduser $user.samaccountname -server $dc.name -properties badpwdcount;
        # Increment bad password count
        $badpwdcount = $badpwdcount + $newuser.badpwdcount;
    }
    # Highlight account if bad password count is greater than 0
    if ($badpwdcount -gt 0) {
        $outline = "******* " + $user.name + " - Badpwdcount: " + $badpwdcount + " *******";
    }
    else {
        $outline = $user.name + " - Badpwdcount: " + $badpwdcount;
    }
    write-host $outline;
}
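An LDAP-only way to do what the question asks, added here as an example and not code from the question or the answer: it resolves the PDC emulator with `PdcRoleOwner`, binds a `DirectorySearcher` to each domain controller by host name, and marks which row came from the PDC. The function name `Get-BadPwdCountFromServer` and the account `jdoe` are hypothetical, and it assumes a domain-joined machine.

```powershell
# Added example: read badPwdCount over LDAP from one named domain controller.
function Get-BadPwdCountFromServer {
    param(
        [Parameter(Mandatory)] [string] $Server,         # DC host name to bind to
        [Parameter(Mandatory)] [string] $DomainDN,       # e.g. DC=example,DC=local
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # A server-bound ADsPath (LDAP://host/DN) pins the search to that DC
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$DomainDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Escape LDAP filter metacharacters \ * ( ) before building the filter
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                            -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    foreach ($p in 'badPwdCount', 'badPasswordTime') { [void]$searcher.PropertiesToLoad.Add($p) }
    $hit = $searcher.FindOne()
    if (-not $hit) { return }
    # Result property names are lower-cased; an unset attribute has Count 0
    $count = if ($hit.Properties['badpwdcount'].Count) { $hit.Properties['badpwdcount'][0] } else { 0 }
    $time  = if ($hit.Properties['badpasswordtime'].Count) { $hit.Properties['badpasswordtime'][0] } else { 0 }
    [pscustomobject]@{
        Server          = $Server
        Account         = $SamAccountName
        BadPwdCount     = $count
        LastBadPassword = if ($time -gt 0) { [DateTime]::FromFileTimeUtc($time) } else { $null }
    }
}

$account  = 'jdoe'   # hypothetical sAMAccountName, replace with a real one
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc      = $domain.PdcRoleOwner.Name
$domainDN = 'DC=' + (($domain.Name -split '\.') -join ',DC=')

# Query every DC the same way and mark the row that came from the PDC emulator
foreach ($dc in $domain.DomainControllers) {
    try {
        $row = Get-BadPwdCountFromServer -Server $dc.Name -DomainDN $domainDN -SamAccountName $account
        if ($row) {
            $row | Add-Member -NotePropertyName IsPdcEmulator -NotePropertyValue ($dc.Name -eq $pdc) -PassThru
        }
    } catch {
        # An unreachable DC should not stop the comparison across the others
        Write-Warning "Could not query $($dc.Name): $($_.Exception.Message)"
    }
}
```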