powershell - Powershell尝试/捕获/最终执行不正确(或者我已经完全用胶管把它塞住了)

Question

我有一个检查循环组的脚本。
该脚本接受域中的所有组(父组)，检查这些组的成员资格，并将objectClass为“group”的任何成员添加到数组(子组)中。

然后，脚本将检查子组，以查看父组是否是子组的成员(是的，虽然允许，但仍然不是一个好主意)。

我添加了一个try / catch / finally块，以便可以获得实际的组名，而不是PowerShell返回的截断的错误消息。

问题是，脚本在遇到的第一个错误处停止而不是继续。

这是我完成的第一次尝试/捕获，所以请耐心等待。

这是脚本:

$original_ErrorActionPreference = 'Continue'
$ErrorActionPreference = 'Stop'

Import-Module -Name ActiveDirectory

$domains = @('corp.com', 'dom1.corp.com', 'dom2.corp.com')


foreach($domain in $domains){
  Write-Host $domain -ForegroundColor Yellow
  $parents = Get-ADGroup -server $domain -Properties name,objectclass -Filter * #get all domain groups
  write-host $parents.count

  $table = @()
  $pGroupCount = @($parents).Count

  $record = @{
    'Parent' = ''
    'Child' = ''
    'Nester' = ''
  }

  foreach($parent in $parents){ 
    Write-Host $parent.name -ForegroundColor Green

脚本到此为止。

这是失败的部分-

    try { #get members in the parent that are groups
      $children = Get-ADGroupMember -Identity $parent | Where-Object{$_.ObjectClass -eq 'group'} | Select-Object name,distinguishedName,objectClass  
      } catch [Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember]{

        Write-Host $parent.name ' must be checked manually' -ForegroundColor blue -BackgroundColor Yellow
        $parent.distinguishedName | Out-String -Width 4096 | Out-File -FilePath "$env:USERPROFILE\desktop\$domain-manualCheck.txt" -Width 5120 -Append

    } finally {

    $pGroupCount = $pGroupCount - 1
    write-host $children.count ' - ' $children.name -ForegroundColor Gray
    Write-Host $pGroupCount ' groups to go' -foregroundColor yellow



  foreach($child in $children){ #get members in the children that are groups AND that have the same name as the parent
    $nested = Get-ADGroupMember $child.name | Where-Object {$_.objectClass -eq 'group' -and $_.name -eq $parent.name} 
    $nestedCount = @($nested).count

      if ($nestedCount -gt 0){
        foreach($nester in $nested){
          Write-Host $parent.name -ForegroundColor White
          Write-Host $nestedCount -ForegroundColor Magenta
          Write-Host $nester.name -ForegroundColor Cyan
          $record.'Parent' = $parent.name
          $record.'Child' = $child.name
          $record.'Nester' = $nester.name
          $objRecord = New-Object psobject -Property $record
          $table += $objRecord
        }
      }
    }
    $table | Export-Csv -Path "$env:USERPROFILE\desktop\$domain-Group-Report.csv" -NoTypeInformation
    $error | out-string -width 4096 | Out-File -FilePath "$env:USERPROFILE\desktop\$domain-Errors.txt" -Width 5120 -Append
  }
  }
  }
  $ErrorActionPreference = $original_ErrorActionPreference 

一旦脚本到达第一个有问题的组，这就是返回的错误(添加了#comments):

PS C:\Users\admin_j\Desktop> .\gtest.ps1
corp.com #current domain
283 #total group count
Exchange Servers #current group
6  -  Exchange Install Domain Servers Exchange Install Domain Servers Exchange Install Domain Servers Exchange Install Domain Servers Exchange Install Domain Servers #6 groups within the parent, groups are from sub-domains
Exchange Install Domain Servers
282  groups to go
Get-ADGroupMember : Cannot find an object with identity: 'Exchange Install Domain Servers' under: 'DC=corp,DC=com'.
At C:\Users\admin_j\Desktop\gtest.ps1:46 char:15
+     $nested = Get-ADGroupMember $child.name | Where-Object $_.objectClass -eq ' ...
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Exchange Install Domain Servers:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : Cannot find an object with identity: 'Exchange Install Domain Servers' under: 'DC=corp,DC=com'.,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

为什么不停止将不良组(在这种情况下为“DC = corp，DC = com”下的“Exchange Install Domain Servers”)写入文件，而是停止脚本？该组确实存在。

我是否应该添加另一个块以捕获任何“找不到对象”错误并将其发送到文件？

谢谢!

Answer 1

作为Will's comment implies，您确实通过指定类型文字与所需的异常相匹配，从而使catch子句无效。
catch子句的一般语法如下

catch [catch-type-list] <statement block>

其中 [catch-type-list]是可选的异常类型列表，关联的语句块将充当该异常类型的异常处理程序。

这意味着该catch子句:

catch [Microsoft.ActiveDirectory.Management.Commands.GetADGroupMem‌​ber] {
    # ...
}

仅将处理由 [Microsoft.ActiveDirectory.Management.Commands.GetADGroupMem‌​ber]类型的异常引起的错误-这当然不是异常类型，因此关联的语句块将永远不会执行。

为了使 catch子句在这种情况下有意义，请指定相关的异常类型:

try{
    Get-ADGroupMember -Identity $parent
}
catch [Microsoft.ActiveDirectory.Management.ADServerDownException]{
    # DC is unreachable, abort
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityResolutionException]{
    # Group identity not resolved, add to list and continue
}
catch {
    # Something else, completely unforeseen, happened, you might want to re-throw and return from your function
}

最后一个 catch子句(其中省略了类型列表)被称为常规catch子句，它将处理与上述任何catch子句都不匹配的任何异常。