如何通过powershell从目录条目中获取IADSUser本机对象？

Question

我想在 windows 中获取本地用户帐户的组。如果我们从目录条目中获取本机对象，则可以做到这一点。这是通过 API 以下列方式实现的：

DirectoryEntry comp = new DirectoryEntry("WinNT://computername");
DirectoryEntry de = comp.Children.Find("account19", "user");     
IADsUser NativeObject = (IADsUser)directoryentry.NativeObject;

但是如何通过powershell脚本得到同样的东西呢？

Answer 1

您可以使用System.DirectoryServices.AccountManagement namespace 中的Microsoft .NET Framework 类型来获取本地组成员资格。我编写了一个简单的 PowerShell 高级函数，它将检索本地用户帐户的组成员身份。

注意：因为我们在UserPrincipal class上使用了GetGroups() method，所以这段代码效率很高。您确实不需要需要获取所有组的列表，然后迭代它们，正如之前在 cmets 中所建议的那样。

function Get-LocalUserGroupMembership {
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline = $true)]
        [string] $Identity = $env:USERNAME
    )

    # Import the System.DirectoryServices.AccountManagement .NET library
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement;

    # Get a reference to the local machine's Security Account Manager (SAM)
    $PrincipalContext = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Machine);
    # Get a reference to a specific user principal, based on its account name
    $UserAccount = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, $Identity);
    if (!$UserAccount) {
        throw 'User account could not be found!';
    }

    # Call the GetGroups() method on the UserPrincipal object
    $GroupList = $UserAccount.GetGroups();

    # Output the list of groups
    Write-Output -InputObject $GroupList;
}

Get-LocalUserGroupMembership;