Search specific user in Local Administrators Group for all servers in Domain.

  • Question

  • Hi Guys,

    I have a user "John" and I need to know which server has the user "John" with Local Admin privileges. Is there a script for that? There are over thousands of servers and I can't be looking at 1 by 1.

    Saturday, May 18, 2019 6:09 AM


All replies

  • Hi,

    I would start with Get-AdComputer and use the -Filter parameter to get a list of all the servers. Then I would use Get-LocalGroupMember to verify if the user is in the local group.

    The code below queries a single server's local administrators group for a member name with 'username' in it. I'm using the '*' as a wildcard operator to ignore everything before the 'U'. This is not required but using this will allow me to ignore the AD name (domain\username).

    Get-ADComputer -Identity "Servername" | Where{
    If(Get-LocalGroupMember -Group "Administrators" -Member "*UserName"){
        Write-Host $True}
    Else{ 
        Write-Host $False}
    }


    v/r LikeToCode....Mark the best replies as answers.

    Thursday, May 23, 2019 10:17 PM
    Moderator
  • You cannot use Get-LocalGroupMember with Get-AdComputer. 

    You need to test your guesses before posting an answer.  At least take the time to read the help.

    https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.LocalAccounts/Get-LocalGroupMember?view=powershell-5.1


    \_(ツ)_/

    Thursday, May 23, 2019 10:37 PM
  • I always test my code before I post it.

    Get-AdComputer-Get-LocalGroupMember


    v/r LikeToCode....Mark the best replies as answers.

    • Marked as answer by Bremen6 Sunday, April 26, 2020 1:28 AM
    Thursday, May 23, 2019 11:23 PM
    Moderator
  • That only gets groups on the local computer.  It cannot get remote users.

    Please take the time to learn about PowerShell and Windows remoting to understand why your code does not work.


    \_(ツ)_/

    Thursday, May 23, 2019 11:51 PM
  • JRV, Indeed you're right and I did not realize that, thanks for contemptuously pointing that out. When I tested my code, I was using a user that was listed in the admin group of both servers.

    However, I was trying to give the user some information to get them started. So I will correct my original code using Invoke-Command. It's best to familiarize yourself with this command before you use it.

    You will need to think about capturing all of the server names in a variable and then you could use ForEach statements to loop through each server name. I would suggest building in some error handling and test, test, test.

    $Server = Get-ADComputer -Identity "ServerName"
    Invoke-Command -ComputerName $server.Name  -ScriptBlock {
      If(Get-LocalGroupMember -Group "Administrators" -Member "*UserName"){
       $result = "The User exists"}
      Else{
        $result = "The User does not exist"}
      Return $result
    }

     


    v/r LikeToCode....Mark the best replies as answers.


    Friday, May 24, 2019 12:38 AM
    Moderator
  • My criticism is not "contempt". It is a bit of guidance that you need to think about. Your answers mostly show a lack of basic understanding of PowerShell. This is aggravated by you assuming that what you think you know is right. Go back and relearn the basics correctly. You are on the right track but you need to address the incorrect assumptions you are making and find out what things you think are incorrect.

    To get a local group member remotely we would only need to do this:

    $sb = { Get-LocalGroupMember -Group Administrators -Member john }
    Invoke-Command -ComputerName ServerName -ScriptBlock $sb | select PsComputerName
    

    To get multiple computers we would do this:

    $sb = { Get-LocalGroupMember -Group Administrators -Member john }
    # -ComputerName expects name strings, so pass the Name property of the AD computer objects
    $computers = (Get-ADComputer -Filter *).Name
    Invoke-Command -ComputerName $computers -ScriptBlock $sb | select PsComputerName

    Note that the user asked "what computers have the user". This will list the names of the systems that have the user.

     

    \_(ツ)_/

    • Marked as answer by Bremen6 Sunday, April 26, 2020 1:28 AM
    Friday, May 24, 2019 1:53 AM
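
The fan-out approach from this thread, written out as an audit script. This is an added example, not code from any poster in the thread; it assumes WinRM remoting is enabled, the ActiveDirectory module is installed, and the targets run PowerShell 5.1. `CONTOSO\john`, the throttle value and the output file names are placeholders.

```powershell
# Added example: audit direct local-Administrators membership across domain servers.
Import-Module ActiveDirectory

$target = 'CONTOSO\john'    # placeholder account name in DOMAIN\user form

# Limit the sweep to enabled computer accounts running a server OS.
$servers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Server*"' |
    Select-Object -ExpandProperty Name

$check = {
    param($Account)
    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so the lookup also works where the group name is localized.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
        [pscustomobject]@{
            DirectMember = [bool]($members | Where-Object { $_.Name -eq $Account })
            # Groups in the list can grant the same rights indirectly.
            NestedGroups = ($members | Where-Object { $_.ObjectClass -eq 'Group' }).Name -join '; '
            Error        = $null
        }
    } catch {
        # Report a failed lookup instead of letting it look like "not a member".
        [pscustomobject]@{ DirectMember = $null; NestedGroups = $null; Error = $_.Exception.Message }
    }
}

# One fan-out call; connection failures are collected instead of stopping the run.
$results = Invoke-Command -ComputerName $servers -ScriptBlock $check `
    -ArgumentList $target -ThrottleLimit 64 `
    -ErrorAction SilentlyContinue -ErrorVariable failed

$results |
    Select-Object PSComputerName, DirectMember, NestedGroups, Error |
    Export-Csv .\local-admin-audit.csv -NoTypeInformation

# Hosts that could not be reached are unchecked, not clean; keep them for follow-up.
# For connection failures the error record's TargetObject holds the computer name.
$failed | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    Set-Content .\unchecked-hosts.txt
```

`DirectMember` covers only accounts listed in the group itself; an account can also hold local admin rights through any group in `NestedGroups`, so those groups need to be resolved in AD before a server is treated as clear.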