在PDC上使用LDAP检索badpwdcount

Question

我试图从"badpwdcount“属性中获取值。问题是为了得到准确的值，我应该查询到PDC (主域控制器)。目前，我正在使用powershell解决LDAP搜索问题。问题是:是否有机会通过使用LDAP搜索从PDC获得值？

例如：

$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
$ADSearch.SearchRoot ="LDAP://$Domain

这将搜索当前域。我应该怎么做才能从PDC中获得价值？

Answer 1

每个域控制器都使用PDC仿真器FSMO角色更新服务器的计数(这样，如果超过最大数目，帐户就可以被锁定)，总金额不容易跟踪，因此，我们必须分别查询每个域控制器。表示该数字。

# Import active directory modules
import-module activedirectory;

# Get all domain controllers
$dcs = get-adcomputer -filter * -searchbase "ou=domain controllers,dc=kamal,dc=local";

# Get all users - change "-filter {enabled -eq $true}" to a username to get just one user
$users = get-aduser -filter {enabled -eq $true} | sort name;

# Loop through all users found
foreach ($user in $users) {
    $badpwdcount = 0;

    # Loop through each domain controller
    foreach ($dc in $dcs) {
        $newuser = get-aduser $user.samaccountname -server $dc.name -properties badpwdcount;

        # Increment bad password count
        $badpwdcount = $badpwdcount + $newuser.badpwdcount;
    }

    # Highlight account if bad password count is greater than 0
    if ($badpwdcount -gt 0) {
        $outline = "******* " + $user.name + " - Badpwdcount: " + $badpwdcount + " *******";
    }
    else {
        $outline = $user.name + " - Badpwdcount: " + $badpwdcount;
    }

    write-host $outline;
}

Answer 2

$Domain = $Domain.PdcRoleOwner