Finding Computers without a specific set of local groups

This topic contains 1 reply, has 2 voices, and was last updated by postanote 1 week, 1 day ago.

  • #86642

    Scott Windmiller
    Participant

    We are trying to standardize our local Administrators group on all our PCs. I know I can do this through GPO but first I want to find the computers without the specific set of groups so we know if we need to tweak things a bit.

    I found this script which will list the local groups but I am unsure how to have it sift through and check the groups like I want.

    $ComputerName = "Test01"
    $Group = "Administrators"
    Try {
        If ([ADSI]::Exists("WinNT://$($ComputerName)/$($Group),group")) {
            ([ADSI]"WinNT://$($ComputerName)/$($Group),group").Members() | ForEach-Object {
                # AdsPath looks like WinNT://DOMAIN/Name (domain principal) or WinNT://COMPUTER/Name (local account)
                $PathElements = ($_.GetType().InvokeMember("AdsPath", 'GetProperty', $null, $_, $null)).Split('/', [StringSplitOptions]::RemoveEmptyEntries)
                If ($PathElements[-2] -eq 'WinNT:') {
                    $PathElements[-1]
                } Else {
                    "$($PathElements[-2])\$($PathElements[-1])"
                }
            }
        } Else {
            "Group '$($Group)' not found on $($ComputerName)!" | Write-Error
        }
    } Catch {
        $_.Exception.Message | Write-Error
    }

    I would want to check it against a list like: Domain Admins, Psych Local Admins, etc. I would also need to run this script remotely from my PC and not on each individual PC (we do not have PSRemoting on).

    Thanks,
    Scott

  • #86677

    postanote
    Participant

    Just filter for the groups you want, using an If, ForLoop, Try/Catch; it's your choice.
    Pass in the list you want to a loop, or filter it out during one.

    That is a lot of code to check members of one group on a machine.
    You can still use good ol'...

    net localgroup administrators

    ... to get the list and filter via RegEx match...

    I.e.
    Use the default command to filter the local administrators group for specific members, user or domain group.
    Use a RegEx match group1 or group2 or group3
    (net localgroup administrators) -match 'GroupName1|GroupName2|GroupName3'

    Now the above would require remoting and using...

    Invoke-Command -ComputerName 'SomeRemoteComputer' -ScriptBlock { (net localgroup administrators) -match 'GroupName1|GroupName2|GroupName3' }

    ...or PSExec.

    However, there are several commands you can leverage without using remoting.
    See the details here: 'technet.microsoft.com/en-us/library/ff699046.aspx?f=255&MSPPError=-2147217396'

    So, something like...

    # Win32_Group alone only returns the group object; follow the Win32_GroupUser association to get its members
    (Get-WmiObject -ComputerName 'SomeRemoteComputer' -Query "ASSOCIATORS OF {Win32_Group.Domain='SomeRemoteComputer',Name='Administrators'} WHERE AssocClass=Win32_GroupUser Role=GroupComponent" | ForEach-Object { "$($_.Domain)\$($_.Name)" }) -match 'GroupName1|GroupName2|GroupName3'

    ...anything else is going to require remoting or using MS Sysinternals PsExec
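Putting the two posts together, here is an added example (not from either poster) that audits a list of computers against a required set of Administrators members using the WinNT ADSI provider from the question, which talks RPC to the remote machine and so does not need PSRemoting. The function names, the computer names and the required-member list are assumptions for illustration.

```powershell
# Added example: compare each computer's local Administrators group with a required member list.
function Get-AdsiGroupMember {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Group = 'Administrators'
    )
    # Returns members as 'DOMAIN\Name' (bare 'Name' for local accounts), like the original snippet.
    $path = "WinNT://$ComputerName/$Group,group"
    if (-not [ADSI]::Exists($path)) {
        throw "Group '$Group' not found on $ComputerName"
    }
    ([ADSI]$path).Members() | ForEach-Object {
        $adsPath = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $parts   = $adsPath.Split('/', [StringSplitOptions]::RemoveEmptyEntries)
        if ($parts[-2] -eq 'WinNT:') { $parts[-1] } else { "$($parts[-2])\$($parts[-1])" }
    }
}

function Test-AdminGroupBaseline {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$RequiredMember   # e.g. 'CONTOSO\Domain Admins' (assumed domain name)
    )
    foreach ($c in $ComputerName) {
        try {
            $members = @(Get-AdsiGroupMember -ComputerName $c)
            # -notin is case-insensitive, matching how Windows treats account names
            $missing = @($RequiredMember | Where-Object { $_ -notin $members })
            $extra   = @($members | Where-Object { $_ -notin $RequiredMember })
            [pscustomobject]@{
                ComputerName = $c
                Compliant    = ($missing.Count -eq 0)
                Missing      = ($missing -join '; ')   # required groups that are absent
                Extra        = ($extra -join '; ')     # members outside the baseline (worth reviewing)
                Error        = $null
            }
        } catch {
            # Unreachable hosts or RPC failures are reported, not silently skipped
            [pscustomobject]@{ ComputerName = $c; Compliant = $false; Missing = $null; Extra = $null; Error = $_.Exception.Message }
        }
    }
}

# Usage with placeholder names; shows only the non-compliant machines:
# Test-AdminGroupBaseline -ComputerName 'Test01','Test02' -RequiredMember 'CONTOSO\Domain Admins','CONTOSO\Psych Local Admins' |
#     Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it from a workstation whose account is a local administrator on the targets; the "Extra" column is the useful one for spotting machines that were hand-modified before the GPO is applied.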
