
August 6, 2014 at 9:36 pm

I have a small script that shows the members of the local administrators group of a remote server, and then you can remove the accounts that do not belong there. It also shows orphaned SIDs, but when trying to remove them, nothing happens. Some help would sure be appreciated!

$strDomain   = Read-Host "Enter Domain"
$strComputer = Read-Host "Enter System Name"

do
{
    # Bind to the remote computer through the WinNT ADSI provider and find its local Administrators group
    $computer = [ADSI]("WinNT://" + $strComputer + ",computer")
    $group    = $computer.psbase.children.find("Administrators")
    $group.Name

    # Lists each member by its Name property only
    function ListAdministrators
    {
        $members = $group.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("Name",'GetProperty',$null,$_,$null) }
        $members
    }

    ListAdministrators
    $strUser = Read-Host "Enter Username to remove"
    if ($strUser -ne "")
    {
        # Always prefixes the domain, so only members whose ADsPath has that form can be removed
        $group.Remove("WinNT://" + $strDomain + "/" + $strUser)
    }
    cls
    Write-Host "These are the current members of the local administrators group."
    ListAdministrators

} while ($strUser -ne "")

August 7, 2014 at 2:35 am

tested, working..

August 7, 2014 at 6:36 am

Thanks for the reply. I know it works great for removing accounts that are 'fine', but if it's an orphaned SID, it doesn't do anything to it.
What I mean is I run the script and it shows me a list of users like this:

Administrators
Baduser
olduser
service-account
Domain administrators
S-1-5-12-1234567890-1234567890-1234567890-123456
Enter Username to remove

I can put in Baduser and olduser, and they will remove quite nicely. When I put in S-1-5-12-1234567890-1234567890-1234567890-123456, this does not remove.
That's what I am hoping for some help with.

August 7, 2014 at 7:07 am

It's most likely to do with this line, a hard-coded assumption that the domain is part of the ADsPath for the orphaned SIDs:

$group.Remove("WinNT://" + $strDomain + "/" + $strUser)

Try outputting the full ADsPath of your members instead of just the name, to see what these SIDs really look like:

function ListAdministrators
{
    # ADsPath is the full provider path of each member, e.g. WinNT://DOMAIN/user, not just the display name
    $group.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("ADsPath",'GetProperty',$null,$_,$null) }
}

With that information, you should be able to update the script.

August 7, 2014 at 7:27 am

Thanks for the reply.
They now look like this: WinNT://S-1-5-12-1234567890-1234567890-1234567890-123456
They won't delete with or without the WinNT://.

August 7, 2014 at 8:08 am

Ok, I got it! Thank you Dave, that got me on the path.

$strDomain   = Read-Host "Enter Domain"
$strComputer = Read-Host "Enter System Name"

do
{
    # Bind to the remote computer through the WinNT ADSI provider and find its local Administrators group
    $computer = [ADSI]("WinNT://" + $strComputer + ",computer")
    $group    = $computer.psbase.children.find("Administrators")
    $group.Name

    # Lists each member by its full ADsPath; orphaned SIDs appear as WinNT://S-1-... with no domain part
    function ListAdministrators
    {
        $group.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("ADsPath",'GetProperty',$null,$_,$null) }
    }

    ListAdministrators
    $strUser = Read-Host "Enter Username to remove"
    if ($strUser -ne "")
    {
        # Remove() takes the member's own ADsPath exactly as listed above, so no domain prefix is added here
        $group.Remove($strUser)
    }
    cls
    Write-Host "These are the current members of the local administrators group."
    ListAdministrators

} while ($strUser -ne "")

August 7, 2014 at 8:12 am

Part two: How can I get the group to include both Administrators and Backup Operators? I tried adding them together with commas, semicolons and spaces; none worked.
$group = $computer.psbase.children.find("Administrators")
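As an added example (not code posted in this thread), the same WinNT:// ADSI approach pulled together into one script: it audits a list of local groups on a remote computer, which is also how the Backup Operators question is covered, since find() and the group bind take a single group name and the way to handle two groups is to loop over them; it flags members whose name is a raw SID string as orphaned; and it removes a member by its own ADsPath with -WhatIf and -Confirm support. The function names, parameter names, the default group list and the SID-pattern heuristic are my assumptions, not anything from the thread.

```powershell
# Added example (not from the thread). Audits local groups on a remote computer over the same
# WinNT:// ADSI provider the thread uses, flags orphaned SIDs, and removes a member by its own
# ADsPath. Function and parameter names and the default group list are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$ComputerName,
    [string[]]$GroupName = @('Administrators', 'Backup Operators'),
    [switch]$RemoveOrphaned
)

function Get-AdsiGroupMember {
    param([string]$Computer, [string]$Group)
    # One bind per group: the provider addresses a single group, so several groups means a loop.
    $adsGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($adsGroup.psbase.Invoke('Members'))) {
        $name    = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class   = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Group    = $Group
            Name     = $name
            Class    = $class
            ADsPath  = $adsPath
            # Heuristic: an account the server can no longer resolve is reported by its raw SID
            # string, and its ADsPath carries no domain or computer component ('WinNT://S-1-...').
            Orphaned = $name -match '^S-1-\d+(-\d+)+$'
        }
    }
}

function Remove-AdsiGroupMember {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$Computer, [string]$Group, [string]$ADsPath)
    $adsGroup = [ADSI]"WinNT://$Computer/$Group,group"
    if ($PSCmdlet.ShouldProcess("$Computer\$Group", "Remove member $ADsPath")) {
        # Remove() wants the member's own ADsPath. Prefixing 'WinNT://<domain>/' to an orphaned
        # SID builds a path that matches no member, which is why the original script did nothing.
        $adsGroup.Remove($ADsPath)
    }
}

# Audit pass: every member of every requested group, orphaned entries marked
$members = foreach ($g in $GroupName) { Get-AdsiGroupMember -Computer $ComputerName -Group $g }
$members | Sort-Object Group, Name | Format-Table Group, Name, Class, Orphaned, ADsPath -AutoSize

if ($RemoveOrphaned) {
    # ConfirmImpact High prompts per removal; run the script with -WhatIf for a dry run.
    $members | Where-Object Orphaned | ForEach-Object {
        Remove-AdsiGroupMember -Computer $ComputerName -Group $_.Group -ADsPath $_.ADsPath
    }
}
```

Run it as `.\Audit-LocalGroups.ps1 -ComputerName SERVER01` to list, and add `-RemoveOrphaned -WhatIf` to see which entries would be removed before doing it for real. Windows 10 and Server 2016 later introduced Get-LocalGroupMember and Remove-LocalGroupMember, but those have no -ComputerName parameter, so the ADSI route above remains the direct way to do this against a remote host without PowerShell remoting.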