Local admin woes...

djrevelation

  • Total Posts : 17
  • Scores: 0
  • Reward points : 0
  • Joined: 3/11/2009
  • Status: offline
Local admin woes... Wednesday, April 01, 2009 3:39 AM (permalink)
0
I wrote a script that will search for local administrator group members on all servers in a list (text file) and will print results out in a csv file. It works, except it only shows me one of the accounts in the local admin group instead of ALL members. How can I get this script to show me all of the admin group members, listed in the csv?

The script is below:

$erroractionpreference = "SilentlyContinue"

$a = New-Object -comobject Excel.Application
$a.visible = $True

$b = $a.Workbooks.Add()
$c = $b.Worksheets.Item(1)

$c.Cells.Item(1,1) = "Machine Name"
$c.Cells.Item(1,2) = "Members"
$c.Cells.Item(1,3) = "Report Time Stamp"

$d = $c.UsedRange
$d.Interior.ColorIndex = 19
$d.Font.ColorIndex = 11
$d.Font.Bold = $True

$intRow = 2

foreach ($strComputer in get-content \\disk24\tech_eng-shared\windows_server_eng\SOX\PasswordChanges\SvrLists\test.Txt)
{
$c.Cells.Item($intRow,1)  = $strComputer.ToUpper()

$objcomputer = [ADSI]("WinNT://$env:computername,computer")
$group = $objcomputer.psbase.children.find("administrators")
$adminmembers = $group.psbase.invoke("Members") |
%{$_.GetType().InvokeMember("Name",'GetProperty',$null,$_,$null)}

$objDomain = New-Object System.DirectoryServices.DirectoryEntry;

$objResults = $objSearcher.FindAll();

$c.Cells.Item($intRow,2) = $adminmembers
$c.Cells.Item($intRow,3) = Get-Date
$intRow = $intRow + 1
}
   
$d.EntireColumn.AutoFit()
 
#1
    SAPIENScripter

    • Total Posts : 283
    • Scores: 2
    • Reward points : 0
    • Joined: 11/1/2006
    • Location: SAPIEN Technologies
    • Status: offline
    RE: Local admin woes... Wednesday, April 01, 2009 3:57 AM (permalink)
    0
    You're close, although you are making it more complicated than it needs to be. Here is a script from my Managing Active Directory with Windows Powershell book, which includes coverage of working with local users and groups. This should get you on the right path.

     #Get-LocalMembership.ps1
     
     Function Get-LocalMembership {
         Param([string]$group=$(Throw "You must enter a group name."),
               [string]$computer=$env:computername
               )
     
         [ADSI]$LocalGroup="WinNT://$computer/$group,group"
     
         $LocalGroup.psbase.invoke("Members") | ForEach-Object {
     
         #get ADS Path of member
         $ADSPath=$_.GetType().InvokeMember("ADSPath", 'GetProperty', `
         $null, $_, $null)
     
         #get the member class, ie user or group
         $class=$_.GetType().InvokeMember("Class", 'GetProperty', `
         $null, $_, $null)
     
         #Get the name property
         $name=$_.GetType().InvokeMember("Name", 'GetProperty', `
         $null, $_, $null)
     
         #Domain members will have an ADSPath like
         #WinNT://MYDomain/Domain Users.  Local accounts will
         #be like WinNT://MYDomain/Computername/Administrator
     
         $domain=$ADSPath.Split("/")[2]
     
         #if the name of the computer being queried is found between
         #two /, then assume the ADSPath reflects a local object.
         #localhost is mapped to the real computer name first
         $target=$computer
         if ($computer -eq "localhost") { $target=$env:computername }
         if ($ADSPath -match "/$target/") {
             $local=$True
             }
         else {
             $local=$False
            }
     
         #create a custom object
         $obj = New-Object PSObject
     
         #define custom object properties
         $obj | Add-Member -MemberType NoteProperty -Name "Computer" -Value $computer.toUpper()
         $obj | Add-Member -MemberType NoteProperty -Name "ADSPath" -Value $ADSPath
         $obj | Add-Member -MemberType NoteProperty -Name "Domain" -Value $domain
         $obj | Add-Member -MemberType NoteProperty -Name "IsLocal" -Value $local
         $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $name
         $obj | Add-Member -MemberType NoteProperty -Name "Class" -Value $class
     
         #write the result to the pipeline
         write $obj
         }
     }
     
     #sample usage:
     #  Get-LocalMembership -group "Administrators"
     #  Get-LocalMembership -computer localhost -group "Administrators"
     
     

    Jeffery Hicks
    Windows PowerShell MVP
    SAPIEN Technologies - Scripting, Simplified. www.SAPIEN.com

    Follow Me: http://www.twitter.com/JeffHicks
     
    #2
      djrevelation

      RE: Local admin woes... Wednesday, April 01, 2009 5:18 AM (permalink)
      0
      Ok, I have looked at this and have even run it but do not see the results. I am new to PS (duh), and am even less familiar with writing something to a pipeline. Can you please help? 
       
      #3
        SAPIENScripter

        RE: Local admin woes... Wednesday, April 01, 2009 5:37 AM (permalink)
        0
        First off, this is more complicated than it needs to be and I don't think is doing what you think it should.

        $objcomputer = [ADSI]("WinNT://$env:computername,computer")
        $group = $objcomputer.psbase.children.find("administrators")
        $adminmembers = $group.psbase.invoke("Members") |
        %{$_.GetType().InvokeMember("Name",'GetProperty',$null,$_,$null)}

        $objDomain = New-Object System.DirectoryServices.DirectoryEntry;

        $objResults = $objSearcher.FindAll();


        It looks like you are pulling the computername from a list and are referencing it as $strComputer. That's good. Here's code that will list each member of the administrators group.

         [ADSI]$Admins="WinNT://$strcomputer/Administrators,group"

         $Admins.psbase.invoke("Members") |  ForEach-Object {
         $name=$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
         write $name
        }

        I suggest getting this code to work in a separate script so you understand. Then you can integrate it into your Excel-related script.


         
        #4
          SAPIENScripter

          RE: Local admin woes... Wednesday, April 01, 2009 5:50 AM (permalink)
          0
          There is still an issue with how to write the group members to your spreadsheet. Do you want all the members in one cell?  Do you even have to use a spreadsheet? You can have your PowerShell script write to the pipeline where information can be exported to a CSV, converted to an HTML report, sent to a printer or more.  The script I posted is one example but you are welcome to use it. I wrote it specifically for auditing purposes like yours.
           
          #5
            djrevelation

            RE: Local admin woes... Wednesday, April 01, 2009 6:14 AM (permalink)
            0
            Jeff,
            Thanks for all your help. I got the script working with the last info you posted. One more question, if you don't mind. Using the information you gave me, how would I get this script to show me mydomain\user when it writes the results? I have a few domains and would like to see which Domain Admins are in this group.
             
            #6
              djrevelation

              RE: Local admin woes... Wednesday, April 01, 2009 6:22 AM (permalink)
              0
              Ideally, I would love to have this print out on an HTML report to make it clean and branded. As of right now, SOX controls are due today so I need to have something to hand in from my audit. :)


               
              #7
                SAPIENScripter

                RE: Local admin woes... Wednesday, April 01, 2009 6:25 AM (permalink)
                0
                Go back and look at my script.  There is an ADSPath property that will give you the domain information you are after.
                 
                #8
                  djrevelation

                  RE: Local admin woes... Wednesday, April 01, 2009 6:42 AM (permalink)
                  0
                  Thanks, I just noticed that.


                  Thanks again for your help!
                  Matthew
                   
                  #9
                    djrevelation

                    RE: Local admin woes... Thursday, April 02, 2009 2:00 AM (permalink)
                    0
                    Jeff,

                    I don't mean to bother you again, but I am still having difficulties in getting the domain information to show on my spreadsheet. Below is the script that I pieced together from your script and my old script. Can you please tell me if there is something wrong? Again, I am wanting the domain\user information to allow me to determine which domain admins, of which domain, are in my local admins group of the servers. I used your $ADSPath suggestion and am not able to get it to work.

                    -----------------------------------------------------------------------

                    $a = New-Object -comobject Excel.Application
                    $a.visible = $True

                    $b = $a.Workbooks.Add()
                    $c = $b.Worksheets.Item(1)

                    $c.Cells.Item(1,1) = "Server Name"
                    $c.Cells.Item(1,2) = "Domain"
                    $c.Cells.Item(1,3) = "Members"
                    $c.Cells.Item(1,4) = "Date Run"


                    $d = $c.UsedRange
                    $d.Interior.ColorIndex = 19
                    $d.Font.ColorIndex = 11
                    $d.Font.Bold = $True

                    $intRow = 2

                    foreach ($strComputer in get-content \\disk24\tech_eng-shared\windows_server_eng\SOX\PasswordChanges\SvrLists\test.Txt)
                    {
                    [ADSI]$Admins="WinNT://$strcomputer/Administrators,group"


                    $ADSPath=$_.GetType().InvokeMember("ADSPath", 'GetProperty', `
                       $null, $_, $null)
                    $domain=$ADSPath.Split("/")[2]

                       #if computer name is found between two /, then assume
                       #the ADSPath reflects a local object
                       if ($ADSPath -match "/$env:computername/") {
                           $local=$True
                           }
                       else {
                           $local=$False
                           }
                          

                    $Admins.psbase.invoke("Members") |  ForEach-Object {
                    $name=$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                    write $name

                    $c.Cells.Item($intRow,1)  = $strComputer.ToUpper()
                    $c.Cells.Item($intRow,2) = $domain
                    $c.Cells.Item($intRow,3) = $name
                    $c.Cells.Item($intRow,4) = Get-Date


                    $intRow = $intRow + 1
                    }
                    }
                    $d.EntireColumn.AutoFit()


                    ----------------------------------------------------------------------

                     
                    #10
                      SAPIENScripter

                      RE: Local admin woes... Thursday, April 02, 2009 2:57 AM (permalink)
                      0
                      Why not simply store the full ADSPath instead of the name:

                      $Admins.psbase.invoke("Members") |  ForEach-Object {
                      $name=$_.GetType().InvokeMember("ADSPath", 'GetProperty', $null, $_, $null)
                      write $name
                      }

                       
                      #11
                        SAPIENScripter

                        RE: Local admin woes... Thursday, April 02, 2009 3:00 AM (permalink)
                        0
                        I see now.  You need to enumerate the ADSPath when you enumerate the members. Move that code to the ForEach loop.

                        $Admins.psbase.invoke("Members") |  ForEach-Object {
                        $name=$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                        $ADSPath=$_.GetType().InvokeMember("ADSPath", 'GetProperty', `
                          $null, $_, $null)
                        $domain=$ADSPath.Split("/")[2]

                          #if the name of the server being queried is found between
                          #two /, then assume the ADSPath reflects a local object
                          if ($ADSPath -match "/$strComputer/") {
                              $local=$True
                              }
                          else {
                              $local=$False
                              }
                        write $name
                        $c.Cells.Item($intRow,1)  = $strComputer.ToUpper()
                        $c.Cells.Item($intRow,2) = $domain
                        $c.Cells.Item($intRow,3) = $name
                        $c.Cells.Item($intRow,4) = Get-Date


                        $intRow = $intRow + 1
                        }
                         
                        #12
                          djrevelation

                          RE: Local admin woes... Thursday, April 02, 2009 4:17 AM (permalink)
                          0
                          That did the trick! Thanks again.

                          Matthew J.
                           
                          #13
                            djrevelation

                            RE: Local admin woes... Monday, April 06, 2009 7:54 AM (permalink)
                            0
                            Here is the completed  script, so far:

                            $a = New-Object -comobject Excel.Application
                            $a.visible = $True

                            $b = $a.Workbooks.Add()
                            $c = $b.Worksheets.Item(1)

                            # If you remove the pound symbol for $ADSPath, be sure to place pound signs in front of Domain and Members. They provide the same information
                            $c.Cells.Item(1,1) = "Server Name"
                            #$c.Cells.Item(1,2) = "ADSPath"
                            $c.Cells.Item(1,2) = "Domain"
                            $c.Cells.Item(1,3) = "Members"
                            $c.Cells.Item(1,4) = "Date Run"

                            $d = $c.UsedRange
                            $d.Interior.ColorIndex = 19
                            $d.Font.ColorIndex = 11
                            $d.Font.Bold = $True

                            $intRow = 2

                            # Change \\disk24\... to your server list file path.
                            foreach ($strComputer in get-content \\disk24\...\...\Servers.Txt)
                            {
                            [ADSI]$Admins="WinNT://$strcomputer/Administrators,group"


                            $Admins.psbase.invoke("Members") |  ForEach-Object {
                            $name=$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                            $ADSPath=$_.GetType().InvokeMember("ADSPath", 'GetProperty', `
                            $null, $_, $null)
                            $domain=$ADSPath.Split("/")[2]

                            #if the name of the server being queried is found between
                            #two /, then assume the ADSPath reflects a local object
                            if ($ADSPath -match "/$strComputer/") {
                                 $local=$True
                                
                                 }
                            else {
                                 $local=$False
                                 }
                            if ($name -match "55544") {$domain="LOCAL"
                            $c.Cells.Item($intRow,3).Interior.ColorIndex = 4}


                            write $name

                            # If you remove the pound symbol for $ADSPath, be sure to place pound signs in front of $domain and $name. They provide the same information.
                            $c.Cells.Item($intRow,1)  = $strComputer.ToUpper()
                            #$c.Cells.Item($intRow,2) = $ADSPath
                            $c.Cells.Item($intRow,2) = $domain
                            $c.Cells.Item($intRow,3) = $name
                            $c.Cells.Item($intRow,4) = Get-Date


                            $intRow = $intRow + 1

                            }
                            }
                            $d.EntireColumn.AutoFit()
                              

                             
                            #14
                              Delgib

                              • Total Posts : 1
                              • Scores: 0
                              • Reward points : 0
                              • Joined: 4/26/2009
                              • Status: offline
                              RE: Local admin woes... Monday, April 27, 2009 8:00 PM (permalink)
                              0
                              Hi, I am a newbie at PowerShell and I was trying out this script. I only need to use 1 line, 'Get-LocalMembership -computer localhost -group "Administrators"'; I can then pipe out the information. Is there any way to get it to read all groups at the same time and not just Administrators? I can change the script to read the different groups, but only one at a time.
                               
                              #15
                                SAPIENScripter

                                RE: Local admin woes... Monday, April 27, 2009 11:17 PM (permalink)
                                0
                                You would have to enumerate all the groups, then for each group use the code to enumerate group members.

                                To list groups you can start with this:
                                [ADSI]$computer="WinNT://chaos"
                                $computer.psbase.children | where {$_.schemaclassname -eq "group"} | Select ADSPath


                                 
                                #16
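
The steps the replies describe (list the local groups, enumerate each group's members, read ADSPath inside the member loop, write objects to the pipeline for CSV or HTML export), put together as an added example that is not code from the thread. The function name Get-LocalGroupAudit, the column names and the file names in the usage comments are hypothetical; the ADSPath shapes in the comments are assumed, and servers that cannot be queried are kept in the output as error rows so the audit shows them.

```powershell
# Added example, not code from the thread. Get-LocalGroupAudit and the file
# names in the usage comments are hypothetical. Requires PowerShell 3.0+.
function Get-LocalGroupAudit {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName
    )
    begin {
        # Turn ADSI failures into terminating errors so catch sees them
        $ErrorActionPreference = 'Stop'
        $runDate = Get-Date
    }
    process {
        foreach ($computer in $ComputerName) {
            $computer = $computer.Trim()
            if (-not $computer) { continue }   # skip blank lines in the list
            try {
                # Every local group on the server, as in the last reply
                $machine = [ADSI]"WinNT://$computer,computer"
                $groups = @($machine.psbase.Children |
                    Where-Object { $_.psbase.SchemaClassName -eq 'group' })
                foreach ($group in $groups) {
                    foreach ($member in @($group.psbase.Invoke('Members'))) {
                        $t = $member.GetType()
                        $path  = $t.InvokeMember('ADSPath', 'GetProperty', $null, $member, $null)
                        $name  = $t.InvokeMember('Name', 'GetProperty', $null, $member, $null)
                        $class = $t.InvokeMember('Class', 'GetProperty', $null, $member, $null)

                        # Assumed path shapes:
                        #   WinNT://DOMAIN/name           domain principal
                        #   WinNT://DOMAIN/COMPUTER/name  local account
                        #   WinNT://S-1-5-21-...          SID that no longer resolves
                        $parts = @(($path -replace '^WinNT://', '').Split('/'))
                        $isLocal = ($parts.Count -eq 3)
                        if ($isLocal) { $account = "$($parts[1])\$name" }
                        elseif ($parts.Count -eq 2) { $account = "$($parts[0])\$name" }
                        else { $account = $name }

                        [pscustomobject]@{
                            Computer = $computer.ToUpper()
                            Group    = $group.psbase.Name
                            Account  = $account
                            Class    = $class
                            IsLocal  = $isLocal
                            ADSPath  = $path
                            Status   = 'OK'
                            RunDate  = $runDate
                        }
                    }
                }
            }
            catch {
                # Keep unreachable or access-denied servers in the report
                [pscustomobject]@{
                    Computer = $computer.ToUpper(); Group = ''; Account = ''
                    Class = ''; IsLocal = ''; ADSPath = ''
                    Status = "ERROR: $($_.Exception.Message)"; RunDate = $runDate
                }
            }
        }
    }
}

# Usage (paths are placeholders):
#   $rows = Get-Content .\servers.txt | Get-LocalGroupAudit
#   $rows | Export-Csv .\local-groups.csv -NoTypeInformation
#   $rows | Where-Object { $_.Group -eq 'Administrators' } |
#       ConvertTo-Html -Title 'Local Administrators' | Set-Content .\admins.html
```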
