Monday, 5 July 2021

Local Administrator Group Membership Listing for multiple servers

Little Background:

Hello,

It's kind of already the weekend... :) but I suddenly remembered that I missed posting the items I worked on earlier. So, here is the request that I received as part of my work.

I was assigned a project to clean up the local Administrators group membership so that it can be restricted through GPO. So, here are the tasks that we plan to do:

1) Find out who is currently a member of the local Administrators group on each server

2) Decide what strategy needs to be followed to move the locally assigned principals to a domain group

3) Work out how to assign the domain group to the local Administrators group on each server

We mainly discuss line item 1 in this post ... please put the other items listed above out of your mind for now; I will try to cover them in my next blog, probably during another pleasant weekend ;)


 Main Topic:-

How to generate a report of the local Administrators group membership for a list of computers?

I know there are plenty of scripts already available on the internet for this task, so why did I build this script?
               It's because I am learning PowerShell scripting. One point I understood is that unless you start working with PowerShell scripting in real-time scenarios, you never get the chance to practise it. So, make use of it whenever we get the chance.

Script Logic used:- 

                 1) Use the ADSI method (the WinNT provider) to get the information about the group membership
                 2) The output is not formatted the way we want, so this is where the splitting and joining work starts
                 3) I have added the Test-Connection method, just to validate whether the computer is reachable or not.
                 4) Included logging for each item processed, so that we can cross-check if something is not correct.
                 5) I always stick to the rule of working from an input file as much as possible. This is just to avoid any BIG mistake during testing / production, and it makes it possible to touch only the listed items.

Script Content :- 

Copy from below starting "# " to the end

# Script to pull the local Administrators group list from the remote computers
# Input file should contain the server / workstation names, one on each line.
# Example: .\Ladmin_Listing_Latest.ps1 -inputfile ".\serversList.txt"
# Make sure that the serversList.txt file exists in the same folder as the script; otherwise, you need to provide
# the full path of the input file.
# Author : Murugan Natarajan
# Email  : murugan.natarajan@outlook.com
# Script created date: 7/5/3/2021
# Disclaimer: Script provided as is without any warranty, please use it at your own risk.


param(
    # Mandatory: PowerShell prompts for it when it is not supplied, so a default value here would never be used
    [Parameter(Mandatory=$True)]
    [String]$Inputfile,
    # NetBIOS name of the domain, used to shorten the WinNT:// paths returned by ADSI.
    # Defaults to the domain of the account running the script.
    [String]$Domain = $env:USERDOMAIN
)

# HH (24-hour clock) so that two runs twelve hours apart do not write to the same file
$logdate  = (Get-Date -Format ddMMyyyy-HH-mm)
$FinalLog = ".\$($logdate)_LocalAdmin_List.csv"

# CSV header, written once when the file is created
"ComputerName,Member" | Out-File $FinalLog

# Skip empty lines in the input file so that Test-Connection is never called with an empty name
Foreach ( $SName in (Get-Content $Inputfile | Where-Object { $_.Trim() -ne '' }) ) {

    $SName   = $SName.Trim()
    $Message = " " # Adding empty line for each item processing
    $Message | Out-File $FinalLog -Append

    If (Test-Connection $SName -Count 1 -Quiet -ErrorAction SilentlyContinue) {

        try {
            $group    = [ADSI]("WinNT://$SName/Administrators,group")
            $GMembers = $group.psbase.invoke("Members")

            # Each member's ADsPath looks like WinNT://DOMAIN/ServerName/Account (local account)
            # or WinNT://DOMAIN/Account (domain account). Strip the prefixes so that local
            # accounts show as plain names and domain accounts as DOMAIN\Account.
            # [regex]::Escape is used because -replace takes a regular expression.
            $Liste = $GMembers | ForEach-Object {
                $path = $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
                $path = $path -replace ('WinNT://' + [regex]::Escape("$Domain/$SName/")), ''
                $path = $path -replace ('WinNT://' + [regex]::Escape("$Domain/")), "$Domain\"
                $path -replace 'WinNT://', ''
            }

            foreach ( $object in $Liste ) {
                $Message = "$SName,$object"
                $Message | Out-File $FinalLog -Append
            }
        }
        catch {
            # Reachable by ping, but the WinNT provider could not read the group (RPC blocked, access denied, ...)
            $Message = "$SName,Problematic server: $($_.Exception.Message)"
            $Message | Out-File $FinalLog -Append
        }
    }
    else {
        $Message = "$SName,Problematic server"
        $Message | Out-File $FinalLog -Append
    }

}

#   Script line ends here

Important note: Please make sure that you specify the input file before executing the script. It won't do any harm if you forget; instead, it will prompt you to provide the full path of the input file, because the parameter is made mandatory.
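As an added example (not part of the original post or the script above), here is one way to turn the WinNT:// ADsPath strings from logic step 2 into structured objects and flag members that are not on an approved list, which is the input that step 2 of the clean-up project needs. The WinNT provider and InvokeMember calls are the same as in the script; the computer name SRV01, the CONTOSO domain and the $Approved entries are constructed for illustration.

```powershell
# Added example, not the script from the post. Parses WinNT:// ADsPath values into
# Computer / Scope / Class / Member and flags members missing from an approved list.
function ConvertFrom-WinNTPath {
    param(
        [Parameter(Mandatory=$true)][string]$ADsPath,   # e.g. WinNT://CONTOSO/SRV01/Administrator
        [Parameter(Mandatory=$true)][string]$Computer,  # name the group was read from (FQDN allowed)
        [string]$Class = 'Unknown'                      # 'User' or 'Group' from the ADSI member object
    )
    $netbios = ($Computer -split '\.')[0]
    $parts   = ($ADsPath -replace '^WinNT://', '') -split '/'
    if ($parts.Count -ge 2 -and $parts[-2] -ieq $netbios) {
        # Local principal: .../COMPUTER/Name (the leading DOMAIN or WORKGROUP part is not needed)
        $scope = 'Local';  $name = "$netbios\$($parts[-1])"
    } elseif ($parts.Count -eq 2) {
        # Domain principal: DOMAIN/Name
        $scope = 'Domain'; $name = "$($parts[0])\$($parts[1])"
    } else {
        $scope = 'Unknown'; $name = $ADsPath   # keep the raw value rather than guess
    }
    [pscustomobject]@{ Computer = $Computer; Scope = $scope; Class = $Class; Member = $name }
}

function Get-LocalAdminReport {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [string[]]$Approved = @()   # entries in DOMAIN\Name or COMPUTER\Name form
    )
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $row   = ConvertFrom-WinNTPath -ADsPath $path -Computer $ComputerName -Class $class
        # -contains is case-insensitive in PowerShell, matching how Windows treats account names
        $row | Add-Member -NotePropertyName Approved -NotePropertyValue ($Approved -contains $row.Member) -PassThru
    }
}

# Constructed values for illustration: the domain groups planned for step 3 plus the built-in local Administrator
$Approved = @('CONTOSO\Server-Admins', 'CONTOSO\Domain Admins', 'SRV01\Administrator')
Get-LocalAdminReport -ComputerName 'SRV01' -Approved $Approved |
    Where-Object { -not $_.Approved } |
    Export-Csv '.\LocalAdmin_Exceptions.csv' -NoTypeInformation
```

The Class column tells you whether an unexpected entry is a user or a nested group, which decides whether it can simply be replaced by the domain group or needs its own members reviewed first.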


Tail note: Hello everyone, I have written this blog from my experience; if you find any mistake, please leave a comment. I will correct it.

Next topics to cover:- 

   2) GPO method to restrict the local Administrators group membership
   3) Automate the basic groups needed for this scenario.
