Active Directory - 用于查找不在一组组中的所有用户的脚本？

I have a set of 10 AD groups. What I'd like is to programmatically find out which users in the AD domain are NOT members of those 10 groups. There is only one domain. I know it's possible to perform ADO SQL queries in a vbscript but I was wondering (hoping, praying) if someone had a canned script?

我有一组10个AD组。我想要的是以编程方式找出AD域中哪些用户不是这10个组的成员。只有一个域名。我知道在vbscript中执行ADO SQL查询是可能的,但我想知道(希望,祈祷)是否有人有一个罐头脚本?

I suppose a hacky way might be:

我想一个hacky方式可能是:

Dump all users from the 10 groups

转储10个组中的所有用户

Dump all users from the domain

转储域中的所有用户

Run a windiff on the 2 dumps

在2个转储上运行windiff

Any ideas?

2 个解决方案

#1

For anyone interested, this worked:

对于任何有兴趣的人,这有用:

(&(objectCategory=Person)
    (&
        (!memberOf=CN=group1,dc=company,dc=local)
        (!memberOf=CN=group2,dc=company,dc=local)
        (!memberOf=CN=group3,dc=company,dc=local)
    )
)

#2

System.DirectoryServices provides the ability to write LDAP queries. something like this: (&(objectclass=User)(!memberof=cn=group1,...)(!memberof=cn=group2,...)(!memberof=cn=group3,...))

System.DirectoryServices提供编写LDAP查询的功能。像这样:(&(objectclass = User)(!memberof = cn = group1,...)(!memberof = cn = group2,...)(!memberof = cn = group3,...))

Each memberof condition has to be explicitly spelled out, I believe.

我相信,每个条件成员都必须明确说明。

I am just answering quickly, so I don't have 100% of the code to show you.

我只是快速回答,所以我没有100%的代码向您展示。

#1