Hello all. So I am working on an IT project that involves removing all local user admins from the local admins group in a domain environment. I created a GPO to wipe out all of the existing admin users/groups and then I re-added the necessary IT admin groups back in as local admins. I'm wondering how I can run a script for every single computer to make sure the GPO happened and their user account was wiped out? We have about 60 PC's that I need to check and it would be a pain in the a$$ to do a remote computer management and look through every single computer. It would be nice if there was some software (free) or a powershell script to query all the PC's and verify all local admins. Any help would be appreciated. Thank you!
Local Admins Group - Domain
- Thread starter cyclones
- Start date
https://gallery.technet.microsoft.com/scriptcenter/Get-remote-machine-members-bc5faa57
If you want to check all the PCs in an OU you could combine it with something like this - just change the searchbase to as broad or specific an OU as you'd like
If you want to check all the PCs in an OU you could combine it with something like this - just change the searchbase to as broad or specific an OU as you'd like
Code:
function get-localadmin {
param ($strcomputer)
$admins = Gwmi win32_groupuser –computer $strcomputer
$admins = $admins |? {$_.groupcomponent –like '*"Administrators"'}
$admins |% {
$_.partcomponent –match “.+Domain\=(.+)\,Name\=(.+)$†> $nul
$matches[1].trim('"') + “\†+ $matches[2].trim('"')
}
}
$PCList = Get-ADComputer -SearchBase "OU=Marketing,OU=Computers,dc=domain,dc=local" -Filter "*" | select -ExpandProperty Name
foreach ($PC in $PCList){
if (Test-Connection -ComputerName $PC -Quiet -Count 1){
get-localadmin $PC
}
}
Last edited:
Code:
function get-localadmin {
param ($strcomputer)
$admins = Gwmi win32_groupuser –computer $strcomputer
$admins = $admins |? {$_.groupcomponent –like '*"Administrators"'}
$admins |% {
$_.partcomponent –match “.+Domain\=(.+)\,Name\=(.+)$†> $nul
$matches[1].trim('"') + “\†+ $matches[2].trim('"')
}
}
$PCList = Get-ADComputer -SearchBase "OU=Computers,dc=domain,dc=local" -Filter "*" | select -ExpandProperty Name
$list = @()
foreach ($PC in $PCList){
if (Test-Connection -ComputerName $PC -Quiet -Count 1){
$result = get-localadmin $PC
$obj = [pscustomobject]@{
Workstation = $PC
Local_Admins = ($result | Out-String).Trim()
}
$list += $obj
}
}
$list | Export-Csv -Path "c:\temp\LocalAdmins.csv" -NoTypeInformationNote for this to show up properly in Excel, you have to go Format Cells >Alignment and set Vertical to "Top" instead of "Bottom". Otherwise it'll look like each cell in "Local_Admins" column only has one entry.
Alternatively, change this line:
Local_Admins = ($result | Out-String).Trim()
to:
Local_Admins = $result -join ', '
And it'll just output the list in one ling string separated by a comma and space.
