Author Posts

August 3, 2017 at 9:03 pm

Hi there...I am trying to get local users & admin group user ids on remote servers. I got a script that's working (mentioned below), I dont take credit to myself as I got some assistance in that. While using that script, I got some errors even when I target on some of new Server 2012 servers.

$Output = "C:\Temp\Users-GroupMember\UserInfo.rtf"
$Servers = Get-Content -Path "C:\Temp\Users-GroupMember\Servers.txt"

foreach ($Servers in $Servers)

{
# 1. To get Local Administrators group Members

Write-Output "1. *****Administrators group Members for the Server mentioned above****" |out-file $Output -Append

$localgroup = "Administrators"
$Group= [ADSI]"WinNT://$Servers/$LocalGroup,group" 
$members = $Group.psbase.Invoke("Members")
$members | ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) } | Out-File $Output -Append

# 2. Local user information

Write-Output "2. *****Local user information for the Server mentioned above*****" | out-file $Output -Append

$adsi = [ADSI]"WinNT://$Servers"
$adsi.Children | where {$_.SchemaClassName -eq 'user'} | Foreach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)} | out-file $Output -Append
} 

Error, I got was

 Exception calling "Invoke" with "2" argument(s): "The network path was not found
At C:\Temp\Users-GroupMember\Users-GroupMember.ps1:17 char:32

+ FullyQualifiedErrorId : DotNetMethodException
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ $members = $Group.psbase.Invoke < <<< ("Members")

When I was researching about this error, I came to know about this blog about enabling CredSSP in Windows servers (even though that for vCO powershell plugin. In that he had mentioned –

"By default, PowerShell remoting authenticates using a “Network Logon”. Network Logons work by proving to the remote server that you have possession of the users credential without sending the credential to that server (see Kerberos and NTLM authentication). Because the remote server doesn't have possession of your credential, when you try to make the second hop (from Server A to Server B) it fails because Server A doesn't have a credential to authenticate to Server B with.

To get around this issue, PowerShell provides the CredSSP (Credential Security Support Provider) option. When using CredSSP, PowerShell will perform a “Network Clear-text Logon” instead of a “Network Logon”. Network Clear-text Logon works by sending the user's clear-text password to the remote server. When using CredSSP, Server A will be sent the user's clear-text password, and will therefore be able to authenticate to Server B. Double hop works!"

Can you pls share you thoughts if we need to do the same in server 2012 servers as well.

August 4, 2017 at 7:37 am

Just a thought. Should it not be

foreach ($Server in $Servers)

And then use $server in the for loop as $servers could contain multiple server names

August 4, 2017 at 8:28 pm

Thanks for that thought Simon B. I tested both ways, it worked fine. My apologies for delayed reply. But I think thats shouldn't cause that error.

September 7, 2017 at 12:42 am

I think I found the issue. I have a base server (which is in 172.128.x.x subnet – for example) to run that script. When I update with different server names (will be in different subnets – 192.168.x.x, 10.10.x.x & ...) in the ServerNames.txt file and when I run that script, its not getting the result as the script generates as expected. But When I copy the script to a server (which is in 10.12.x.x subnet) and against groups of 100 or more servers in the same 10.12.x.x subnet, it works fine.

I really appreciate everyone who assisted in this. I thought I can update and let you know...

September 7, 2017 at 9:48 am

Hi VT,

If you wanted to handle that connection issue in a more graceful way, you could run Test-Connection against your $Servers array, and create two new arrays (and/or log files) based on servers you can and can't connect to – and then only perform your foreach loop on the accessible ones.

Quick and dirty example:

Dan

September 7, 2017 at 10:44 pm

Thanks for that Dan, I think it will help. I will try that and will update.