Help with complicated Local User Report

This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 10 months, 2 weeks ago.

  • #34356
    Mav rick
    Participant

    I have tried many things as I have to create a local admin report that contains the local accounts for the local admins group on a list of 600 or so Windows 2003-2012r2 servers.

    The servers are in 4 domains and then there are some in workgroups/standalone.
    I have 1 account that is on every server with the same password, but I know the authentication fails when I run the scripts I've tried, so I wanted to loop through variations of the account to specify the proper domain name or leave the domain name blank, but I can't find how to do that.

    Then I want to add "last login time" from the local SAM database to the report. Below is the script I've found and modified that works, but it doesn't work to get the last login time, and I've tried many things. If this was to be perfect, I would query every server; if there was an error getting to the box then the script would write to a log file; then I would get all "local accounts" but list the name of the group they are a member of on the server. If I can't do that then I can just stick with local admins for now.

    I know the lastlogin query requires using adsi against the server, and the items such as "full name" are gathered using wmi. Can anyone help me add the items I need to this script?

    I need computer name, username, full name, description, last login date, disabled status, password set to expire (true or false), password age and, if this works against all built-in local groups, I would need to put the group name on the row for each username.

    Thx and I've spent a ton of time, so if anyone can assist I appreciate it!

    param(
        # Supply -Credential for servers the running account cannot reach. The posted
        # script never defined this variable, so the else branch always ran.
        [System.Management.Automation.PSCredential]$Credential,
        # Optional account names (wildcards allowed) to print instead of exporting
        [string[]]$AccountName
    )

    $ComputerName = Get-Content C:\john\servers.txt
    $Obj = @()

    Foreach($Computer in $ComputerName)
    {
        # Win32_UserAccount with LocalAccount=True lists the SAM accounts. -Credential is
        # only accepted when one was supplied, so build the parameter set and splat it
        # instead of duplicating the Get-WmiObject call.
        $WmiArgs = @{
            Class        = 'Win32_UserAccount'
            Namespace    = 'root\cimv2'
            Filter       = "LocalAccount='$True'"
            ComputerName = $Computer
            ErrorAction  = 'SilentlyContinue'
        }
        If($Credential) { $WmiArgs['Credential'] = $Credential }
        $AllLocalAccounts = Get-WmiObject @WmiArgs

        # SilentlyContinue hides unreachable hosts, so record them in a log file instead
        # (log path is an assumption; change to suit)
        If(-not $AllLocalAccounts)
        {
            Add-Content C:\john\errors.log "$(Get-Date -Format s) $Computer : no result from WMI"
            Continue
        }

        Foreach($LocalAccount in $AllLocalAccounts)
        {
            $Object = New-Object -TypeName PSObject
            $Object|Add-Member -MemberType NoteProperty -Name "Computer" -Value $Computer
            $Object|Add-Member -MemberType NoteProperty -Name "Name" -Value $LocalAccount.Name
            $Object|Add-Member -MemberType NoteProperty -Name "Full Name" -Value $LocalAccount.FullName
            $Object|Add-Member -MemberType NoteProperty -Name "Caption" -Value $LocalAccount.Caption
            $Object|Add-Member -MemberType NoteProperty -Name "Disabled" -Value $LocalAccount.Disabled
            $Object|Add-Member -MemberType NoteProperty -Name "Status" -Value $LocalAccount.Status
            $Object|Add-Member -MemberType NoteProperty -Name "LockOut" -Value $LocalAccount.LockOut
            $Object|Add-Member -MemberType NoteProperty -Name "Password Changeable" -Value $LocalAccount.PasswordChangeable
            $Object|Add-Member -MemberType NoteProperty -Name "Password Expires" -Value $LocalAccount.PasswordExpires
            $Object|Add-Member -MemberType NoteProperty -Name "Password Required" -Value $LocalAccount.PasswordRequired
            $Object|Add-Member -MemberType NoteProperty -Name "SID" -Value $LocalAccount.SID
            $Object|Add-Member -MemberType NoteProperty -Name "SID Type" -Value $LocalAccount.SIDType
            $Object|Add-Member -MemberType NoteProperty -Name "Account Type" -Value $LocalAccount.AccountType
            $Object|Add-Member -MemberType NoteProperty -Name "Domain" -Value $LocalAccount.Domain
            $Object|Add-Member -MemberType NoteProperty -Name "Description" -Value $LocalAccount.Description
            $Obj+=$Object
        }
    }

    # Filter or export once, after every server has been queried. Doing this inside the
    # computer loop rewrote the CSV on every iteration.
    If($AccountName)
    {
        Foreach($Account in $AccountName)
        {
            $Obj|Where-Object{$_.Name -like "$Account"}
        }
    }
    else
    {
        $Obj | export-csv -NoTypeInformation c:\john\testnew.csv
    }
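The two things the post asks for that Win32_UserAccount cannot give (trying several spellings of one shared account until a bind succeeds, and reading last login, password age and group membership from the local SAM) are what the ADSI WinNT provider is for. The script below is an added example, not code from the original poster; the server list path, the shared account name svc_audit, the four domain names and the output paths are assumptions. Two caveats a practitioner should weigh before running it against 600 hosts: every bind attempt that fails with the wrong domain prefix is a failed logon on the target (event 529 on 2003, 4625 on 2008 and later) and counts toward the lockout threshold, so keep the candidate list short; and one local account with the same password on every server is exactly the credential an attacker reuses to move laterally, so the report is a good argument for rotating it (LAPS or per-host secrets) once the audit is done.

```powershell
# Added example (not from the original post): per-server report of local SAM
# members of the built-in groups, read over the ADSI WinNT provider.
# All file paths, the account name and the domain list are assumptions.
param(
    [string]   $ServerList  = 'C:\john\servers.txt',
    [string]   $OutputCsv   = 'C:\john\localgroups.csv',
    [string]   $ErrorLog    = 'C:\john\localgroups-errors.log',
    [string]   $AccountName = 'svc_audit',                      # assumption
    [string[]] $Domains     = @('CORP', 'DMZ', 'LAB', 'TEST'),  # assumption
    [string[]] $Groups      = @('Administrators', 'Remote Desktop Users', 'Backup Operators')
)

# Prompt once; DirectoryEntry needs the password as plain text for the bind.
$Secure = Read-Host -Prompt "Password for $AccountName" -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

$DontExpirePassword = 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD bit of UserFlags

function Find-WorkingUserName {
    # Try DOMAIN\user for each domain, then .\user and COMPUTER\user for
    # workgroup or standalone boxes. Each failed bind is a failed logon on
    # the target, so the candidate list is deliberately short.
    param([string]$Computer)
    $short = $Computer.Split('.')[0]
    $candidates = @($Domains | ForEach-Object { "$_\$AccountName" }) +
                  @(".\$AccountName", "$short\$AccountName")
    foreach ($user in $candidates) {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$Computer", $user, $Plain)
        try   { $entry.psbase.RefreshCache(); return $user }   # RefreshCache forces the bind
        catch { }
    }
    return $null
}

function Get-LocalUserRow {
    param([string]$Computer, [string]$Group, [string]$Name, [string]$BindUser)
    $u = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$Computer/$Name,user", $BindUser, $Plain)
    # InvokeGet throws on a missing attribute. LastLogin is absent when that
    # machine's SAM has never recorded a logon for the account, so leave it blank.
    $lastLogin = $null
    try { $lastLogin = $u.psbase.InvokeGet('LastLogin') } catch { }
    $flags = [int]$u.psbase.InvokeGet('UserFlags')
    New-Object PSObject -Property @{
        ComputerName    = $Computer
        Group           = $Group
        UserName        = $Name
        FullName        = $u.psbase.InvokeGet('FullName')
        Description     = $u.psbase.InvokeGet('Description')
        LastLogin       = $lastLogin
        Disabled        = [bool]$u.psbase.InvokeGet('AccountDisabled')
        PasswordExpires = -not ($flags -band $DontExpirePassword)
        PasswordAgeDays = [math]::Round(([int]$u.psbase.InvokeGet('PasswordAge')) / 86400, 1)  # PasswordAge is seconds
    }
}

$rows = @()
foreach ($Computer in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    $Computer = $Computer.Trim()
    $bindUser = Find-WorkingUserName -Computer $Computer
    if (-not $bindUser) {
        Add-Content $ErrorLog "$(Get-Date -Format s) $Computer : no credential variant could bind"
        continue
    }
    $short = $Computer.Split('.')[0]
    foreach ($Group in $Groups) {
        try {
            $g = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$Computer/$Group,group", $bindUser, $Plain)
            foreach ($m in $g.psbase.Invoke('Members')) {
                $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
                $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
                # Local SAM accounts come back as WinNT://<domain or workgroup>/<computer>/<name>,
                # domain accounts as WinNT://<domain>/<name>; the second-to-last path
                # segment tells them apart. Only local users are reported here.
                $parts = ($path -replace '^WinNT://', '') -split '/'
                if ($class -ne 'User' -or $parts.Count -lt 2 -or $parts[-2] -ne $short) { continue }
                $rows += Get-LocalUserRow -Computer $Computer -Group $Group -Name $parts[-1] -BindUser $bindUser
            }
        } catch {
            Add-Content $ErrorLog "$(Get-Date -Format s) $Computer : $Group : $($_.Exception.Message)"
        }
    }
}

$rows | Select-Object ComputerName, Group, UserName, FullName, Description, LastLogin,
                      Disabled, PasswordExpires, PasswordAgeDays |
        Export-Csv -NoTypeInformation -Path $OutputCsv
```

Run it from a box that can reach TCP 445 (and the RPC ports) on every server, because the WinNT provider talks to the remote SAM over the same channel as net user, not over WMI or WinRM. LastLogin here is whatever that one machine's SAM has stored for the account; it is per-host, not replicated, and is blank for an account that has never authenticated against that SAM, which is the point Don makes below.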

  • #34376
    Don Jones
    Keymaster

    So, that's a lot to read :). If I'm understanding your question, you can't; the local SAM doesn't maintain a last logon time like Active Directory does. Querying AD doesn't provide you the correct last logon time for a local user account. Does that make sense?
