Author Posts

October 24, 2016 at 10:01 pm

how can get all list of local administrator accounts and enabled computers on network?

October 24, 2016 at 10:02 pm

You can't, really, unless you can be sure that all computers are in AD, in which case, Get-ADComputer.

October 24, 2016 at 10:09 pm

Yes all computers are in AD, I was using
Get-ADComputer -Filter * -Property * | Format-Table Name , Enabled -Wrap –Auto
but it shows me just list of computer, i also need local administrator accounts

October 24, 2016 at 10:52 pm

This code i was trying, but not working. I am new in Powershell

Import-Module ActiveDirectory

$ADComputerArray = Get-ADComputer -Properties * -Filter * -SearchBase "OU=LocalAdministrators, DC=domainname,DC=ad"

foreach($ADComputer in $ADComputerArray){

$GroupMembers = Get-ADComputerMember $ADComputer
$file.WriteLine($ADComputer.Name + ":")

foreach ($member in $GroupMembers){
if ($member.objectClass -eq "user"){
$file.WriteLine($member.name)
}
}

$file.WriteLine("")
}

$file.Close()

October 25, 2016 at 12:47 am

It appears that you are coming from a background in VBScript trying to write a file on the fly. A more 'Powershelly' way to do it is working with objects and then exporting them to a file. The code you posted looked like you were trying to get AD computer information. It sounds like you want the members of the local administrator group on a computer. You can try the below which is something I modified to from this function.

function Get-LocalAdmin {  
    #https://gallery.technet.microsoft.com/scriptcenter/Get-remote-machine-members-bc5faa57
    param (
        $ComputerName = $env:COMPUTERNAME
    )
    
    if (Test-Connection -ComputerName $ComputerName -Count 2 -Quiet) {  
        try {
            $admins = Get-WmiObject -Class Win32_GroupUser -ComputerName $ComputerName -ErrorAction Stop |
            Where {$_.GroupComponent –like '*"Administrators"'}
      
            $localAdmins = foreach ($admin in $admins) {
                $admin.partcomponent –match “.+Domain\=(.+)\,Name\=(.+)$” > $nul  
                $matches[1].trim('"') + “\” + $matches[2].trim('"')  
            }

            $props = @{
                ComputerName = $ComputerName
                LocalAdmins = $localAdmins
                Status = "Success"
            }
        }
        catch {
            $props = @{
                ComputerName = $ComputerName
                LocalAdmins = @()
                Status = "Failed. WMI Error connecting to {0}. {1}" -f $ComputerName, $_.Exception.Message
            }
        }
    }
    else {
        
        $props = @{
            ComputerName = $ComputerName
            LocalAdmins = @()
            Status = "Ping Failed. {0} is offline." -f $ComputerName
        }
    }

    New-Object -TypeName PSObject -Property $props
}

$computers = Get-ADComputer -Properties * -Filter * -SearchBase "OU=LocalAdministrators,DC=domainname,DC=ad"

$results = foreach($computer in $computers){
    Get-LocalAdmin -ComputerName $computer.Name
}

$results

Output:

PS C:\WINDOWS\system32> Get-LocalAdmin

Status  ComputerName LocalAdmins                       
------  ------------ -----------                       
Success MY-PC       {MY-PC\Administrator, MY-PC\Rob}

Once you have the results, you would export them to a CSV or better yet use Powershell to run queries against the $results:

$results | Select Status, ComputerName, @{Name="LocalAdmins";Expression={$_.LocalAdmins -join ","}} | Export-CSV C:\Scripts\LocalAdmin.csv -NoTypeInformation

October 25, 2016 at 4:50 pm

Thank you very much, it helped me a lot
But is it possible to get list of all computers on AD and return list of local administrator accounts and the enabled\disabled status of those accounts using one script

Forexample:
ComputerName Status Local Administrator

—- — ——

Thanks