PowerShell - server local admins reporting from a list of servers

Time:12-10

Beginner question. We only grant access to servers by AD group. We need to report who has admin access to a list of Windows servers. My auditor likes my Server Admins script; however, she also wants to know the group members' first and last names. I don't need to use the ADGroupMember script if there is a better way.

If someone could point me in the right direction that will be great. It's important I understand so I can do it myself next time : )

Thanks in advance

$computers = Get-content "c:\scripts\servers.txt"
ForEach ($Line In $computers)
{
  #write-host $Line
  Invoke-command -ComputerName $line -ScriptBlock { net localgroup administrators } | Get-ADGroupMember -Identity "$_????what goes here????" | %{ get-aduser $_.SamAccountName | select userPrincipalName } | out-file "c:\scripts\'$line'LocalAdmin.txt"
}

This script works great but does not list out the group members' first and last names.

$computers = Get-content "c:\scripts\servers.txt"
ForEach ($Line In $computers)
{
  #write-host $Line
  Invoke-command -ComputerName $line -ScriptBlock { net localgroup administrators } | out-file "c:\scripts\'$line'LocalAdmin.txt"
}

CodePudding user response:

If you really need information about the users in the local Administrators group, you can use the cmdlets from the PSv5.1 Microsoft.PowerShell.LocalAccounts module.

However, note that local accounts just have a single .FullName property, not separate first and last name ones. Also, this property may or may not be filled in:

Invoke-Command -ComputerName (Get-Content c:\scripts\servers.txt) -ScriptBlock {
  Get-LocalGroupMember -Group Administrators | 
    Where-Object ObjectClass -eq User |
      Select-Object Sid | 
        Get-LocalUser
} |
  Sort-Object PSComputerName | 
    Select-Object PSComputerName, Name, FullName

If domain users are among the group's members and you do need separate first and last name information, pipe to Get-ADUser instead of to Get-LocalUser - you can distinguish users by their source (where they are defined) via the .PrincipalSource property, available on the output objects from Get-LocalGroupMember from Windows 10 / Windows Server 2016.

CodePudding user response:

An alternative to mklement0's helpful answer, somewhat old school, using [adsi]:

$servers = Get-Content c:\scripts\servers.txt

Invoke-Command -ComputerName $servers -ScriptBlock {
    $adsi = [adsi]"WinNT://$env:COMPUTERNAME,computer"
    $adsi.PSBase.Children.Find('Administrators').PSBase.Invoke('members') |
    ForEach-Object {
        $Name    = $_.GetType().InvokeMember('Name','GetProperty',$null,$_,$null)
        $class   = $_.GetType().InvokeMember('Class','GetProperty',$null,$_,$null)
        $adspath = $_.GetType().InvokeMember('ADSPath','GetProperty',$null,$_,$null)
        $sid = [System.Security.Principal.SecurityIdentifier]::new(
            $_.GetType().InvokeMember('objectsid','GetProperty',$null,$_,$null),0
        ).Value
    
        [pscustomobject]@{
            Name = $Name
            Class = $Class
            Path = $adspath -replace '^WinNT://'
            SecurityIdentifier = $sid
        }
    } | Sort-Object Class -Descending
} | Where-Object Class -EQ User
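
Putting the two answers together for the original reporting need (first and last name of everyone who ends up in a server's local Administrators group, including members of nested AD groups), here is an added example that is not code from the question or from either answer. It uses the first answer's Get-LocalGroupMember / .PrincipalSource approach to enumerate members, then resolves ActiveDirectory principals with Get-ADUser and flattens groups with Get-ADGroupMember -Recursive. Assumed: PowerShell 5.1 or later on the target servers, the ActiveDirectory module on the machine running the script, c:\scripts\servers.txt as in the question, and an output folder c:\scripts\reports (my choice, not from the page). The function names New-AdminRow and Resolve-AdminEntry are mine.

```powershell
# Added example (not the question's or the answers' code). Assumes the ActiveDirectory
# module locally, PowerShell 5.1+ on the targets, c:\scripts\servers.txt from the
# question, and an assumed output folder c:\scripts\reports.
#Requires -Modules ActiveDirectory

$servers   = Get-Content 'c:\scripts\servers.txt'
$outFolder = 'c:\scripts\reports'                       # assumed output location
New-Item -ItemType Directory -Path $outFolder -Force | Out-Null

# 1. Enumerate local Administrators on every server in a single remoting call.
#    Emit plain values so the objects survive serialization back to the caller.
#    Unreachable servers raise non-terminating errors and simply return no rows.
$members = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass              # User or Group
            PrincipalSource = [string]$_.PrincipalSource  # Local, ActiveDirectory, ...
            Sid             = $_.SID.Value
        }
    }
}

# One report row per principal. $User is $null for non-AD entries, so the
# name columns stay empty for local accounts and well-known principals.
function New-AdminRow {
    param($Entry, $User)
    [pscustomobject]@{
        Server         = $Entry.PSComputerName   # added by Invoke-Command
        Entry          = $Entry.Name             # what the local group actually lists
        Source         = $Entry.PrincipalSource
        SamAccountName = $User.SamAccountName
        FirstName      = $User.GivenName
        LastName       = $User.Surname
    }
}

# 2. Turn one local-group entry into one row per human being.
function Resolve-AdminEntry {
    param([Parameter(Mandatory)] $Entry)

    if ($Entry.PrincipalSource -ne 'ActiveDirectory') {
        # Local accounts carry only a single FullName, no AD first/last name.
        return New-AdminRow $Entry $null
    }
    if ($Entry.ObjectClass -eq 'User') {
        # Get-ADUser accepts an objectSid string as -Identity.
        return New-AdminRow $Entry (Get-ADUser -Identity $Entry.Sid -Properties GivenName, Surname)
    }
    # Group: every nested user inherits admin rights on this server, so flatten it.
    Get-ADGroupMember -Identity $Entry.Sid -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            New-AdminRow $Entry (Get-ADUser -Identity $_.SID -Properties GivenName, Surname)
        }
}

# 3. Build the report: one CSV per server (the question's layout) plus a combined one.
$report = $members |
    ForEach-Object { Resolve-AdminEntry $_ } |
    Sort-Object Server, LastName, FirstName

$report | Group-Object Server | ForEach-Object {
    $_.Group | Export-Csv -NoTypeInformation -Path (Join-Path $outFolder "$($_.Name)-LocalAdmin.csv")
}
$report | Export-Csv -NoTypeInformation -Path (Join-Path $outFolder 'AllServers-LocalAdmin.csv')

# Servers that returned nothing (unreachable, access denied) must show up in the
# audit rather than silently vanish; every live server has at least one admin.
$servers | Where-Object { $_ -notin $members.PSComputerName } |
    Set-Content -Path (Join-Path $outFolder 'Unreachable.txt')
```

Two design points: the remote script block returns plain property values rather than the live Get-LocalGroupMember objects, because deserialized objects lose their methods and some typed properties on the way back; and the per-server CSV keeps the Entry column (the group name the server actually lists) next to the resolved person, so the auditor can see both who has access and through which group it was granted.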