Working with local Windows groups using the CIM cmdlets

This topic contains 2 replies, has 2 voices, and was last updated by Profile photo of Biokinton Biokinton 3 years, 4 months ago.

  • Author
    Posts
  • #12125
    Profile photo of Biokinton
    Biokinton
    Participant

    Hello everyone,

    I'm working on a collection of scripts to check and update the members of local groups across a range of servers following Richard's excellent example available on the Hey, Scripting Guy! blog. Everything is fine save for the fact that each of the commands takes _forever_ to run. I've tried the following on a number of 2012 R2 and 8.1 workstations on the domain:

    $group = Get-CimInstance -ClassName Win32_Group  -Filter "Name = 'Administrators'"
    Get-CimAssociatedInstance -InputObject $group -ResultClassName Win32_UserAccount | select -ExpandProperty Caption

    All of the machines are of a decent specification and connected directly to the LAN but regardless of which one I choose Measure-Command reports an average run time of around 20 minutes. It's the same whether I go for the CIM approach, the WMI approach or the AccountManagement class approach.

    Can anyone suggest what I might be doing wrong?

    Many thanks in advance.

    🙂

  • #12132
    Profile photo of Biokinton
    Biokinton
    Participant

    Have you checked to see if it's actually enumerating from the domain as well?

    I have not, no, but that'd make perfect sense as our AD is enormous (terrifyingly so). I'll look over the Win32_UserAccount documentation as you recommend and take a look at the ADSI provider. Having never used VBScript that syntax always looks a little ... daunting. =)

    Thanks for the lightning fast response.

  • #12127
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Have you checked to see if it's actually enumerating from the domain as well?

    I ask because in most situations, querying Win32_UserAccount will get you the domain user list as well, which will obviously take a lot longer. That's built into how the class works in the WMI repository, so how you access it – DCOM, CIM, whatever – wouldn't matter. Note the docs for Win32_UserAccount, which say, "Note Because both the Name and Domain are key properties, enumerating Win32_UserAccount on a large network can negatively affect performance. Calling GetObject or querying for a specific instance has less impact." Win32_Group is similar.

    I tend to stick with the old-school WinNT:\\ ADSI provider when I want to work with local groups, although it's definitely more work since there's nothing as convenient as an association class. There's certainly other approaches others might suggest, but since I have so much history in VBScript, that's what I tend to do.

You must be logged in to reply to this topic.