Local Admins Group - Domain - Techist - Tech Forum

Old 12-06-2017, 07:33 PM   #1 (permalink)
Local Admins Group - Domain

Hello all. So I am working on an IT project that involves removing all local user admins from the local admins group in a domain environment. I created a GPO to wipe out all of the existing admin users/groups and then I re-added the necessary IT admin groups back in as local admins. I'm wondering how I can run a script for every single computer to make sure the GPO happened and their user account was wiped out? We have about 60 PC's that I need to check and it would be a pain in the a$$ to do a remote computer management and look through every single computer. It would be nice if there was some software (free) or a powershell script to query all the PC's and verify all local admins. Any help would be appreciated. Thank you!
__________________
-B-
cyclones
Old 12-06-2017, 08:32 PM   #2 (permalink)
Re: Local Admins Group - Domain

https://gallery.technet.microsoft.co...mbers-bc5faa57

If you want to check all the PCs in an OU you could combine it with something like this - just change the searchbase to as broad or specific an OU as you'd like

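Code:
Import-Module ActiveDirectory   # Get-ADComputer comes from the RSAT ActiveDirectory module

# Return the members of the local Administrators group on a computer as DOMAIN\Name strings
function get-localadmin {
    param ($strcomputer)

    # Win32_GroupUser links each local group (GroupComponent) to a member (PartComponent)
    $admins = Gwmi win32_groupuser -computer $strcomputer
    $admins = $admins |? {$_.groupcomponent -like '*"Administrators"'}

    $admins |% {
        # Emit a value only when the regex matched, so a stale $matches is never reused
        if ($_.partcomponent -match '.+Domain\=(.+)\,Name\=(.+)$') {
            $matches[1].trim('"') + '\' + $matches[2].trim('"')
        }
    }
}

# Every computer account under the chosen OU
$PCList = Get-ADComputer -SearchBase "OU=Marketing,OU=Computers,dc=domain,dc=local" -Filter "*" | select -ExpandProperty Name

foreach ($PC in $PCList){
    # Machines that do not answer a ping are skipped and produce no output
    if (Test-Connection -ComputerName $PC -Quiet -Count 1){
        get-localadmin $PC
    }
}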
__________________
"As a result of all this hardship, dirt, thirst, and wombats, you would expect Australians to be a sour lot. Instead, they are genial, jolly, cheerful, and always willing to share a kind word with a stranger, unless they are an American." -- Douglas Adams
S0ULphIRE
Old 12-06-2017, 09:20 PM   #3 (permalink)
Re: Local Admins Group - Domain

Awesome, looks like that's working so far. How would I go about exporting the results into a csv or text file for easier readability once the script completes? Thanks again!
__________________
-B-
cyclones
Old 12-06-2017, 09:40 PM   #4 (permalink)
Re: Local Admins Group - Domain

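Code:
Import-Module ActiveDirectory   # Get-ADComputer comes from the RSAT ActiveDirectory module

# Return the members of the local Administrators group on a computer as DOMAIN\Name strings
function get-localadmin {
    param ($strcomputer)

    # Win32_GroupUser links each local group (GroupComponent) to a member (PartComponent)
    $admins = Gwmi win32_groupuser -computer $strcomputer
    $admins = $admins |? {$_.groupcomponent -like '*"Administrators"'}

    $admins |% {
        # Emit a value only when the regex matched, so a stale $matches is never reused
        if ($_.partcomponent -match '.+Domain\=(.+)\,Name\=(.+)$') {
            $matches[1].trim('"') + '\' + $matches[2].trim('"')
        }
    }
}

$PCList = Get-ADComputer -SearchBase "OU=Computers,dc=domain,dc=local" -Filter "*" | select -ExpandProperty Name
$list = @()
foreach ($PC in $PCList){
    # Machines that do not answer a ping are skipped and get no row in the CSV
    if (Test-Connection -ComputerName $PC -Quiet -Count 1){
        $result = get-localadmin $PC

        # One row per workstation; all members go into a single multi-line cell
        $obj = [pscustomobject]@{
            Workstation  = $PC
            Local_Admins = ($result | Out-String).Trim()
        }
        $list += $obj
    }
}
$list | Export-Csv -Path "c:\temp\LocalAdmins.csv" -NoTypeInformation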

Note for this to show up properly in Excel, you have to go to Format Cells > Alignment and set Vertical to "Top" instead of "Bottom". Otherwise it'll look like each cell in the "Local_Admins" column only has one entry.

Alternatively, change this line:

Local_Admins = ($result | Out-String).Trim()

to:

Local_Admins = $result -join ', '

And it'll just output the list in one long string separated by a comma and space.
S0ULphIRE
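
A follow-up check on the exported CSV, as an added example that is not part of the original thread: it compares each workstation's `Local_Admins` value (in the `-join ', '` form) against the set of principals the GPO is supposed to leave in place, and lists computers that never made it into the CSV because they were offline. The function name `Compare-LocalAdminBaseline`, the `CORP` groups, the workstation names and the CSV rows are all constructed assumptions.

```powershell
# Added example: groups, workstation names and CSV rows below are constructed.
function Compare-LocalAdminBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRows,      # rows shaped like LocalAdmins.csv
        [Parameter(Mandatory)] [string[]] $ExpectedPCs,    # every computer the GPO should cover
        [Parameter(Mandatory)] [string[]] $AllowedMembers  # groups the GPO re-adds
    )
    $seen = @{}
    foreach ($row in $AuditRows) {
        $seen[$row.Workstation] = $true
        # Local_Admins is the string built by: $result -join ', '
        $members = @($row.Local_Admins -split ',\s*' | Where-Object { $_ })
        # The built-in account is reported as <workstation>\Administrator
        $allowed = $AllowedMembers + "$($row.Workstation)\Administrator"
        $extra   = @($members | Where-Object { $allowed -notcontains $_ })
        $missing = @($AllowedMembers | Where-Object { $members -notcontains $_ })
        $status  = if ($extra.Count) { 'UnexpectedMember' } elseif ($missing.Count) { 'MissingExpectedGroup' } else { 'OK' }
        [pscustomobject]@{
            Workstation = $row.Workstation
            Status      = $status
            Unexpected  = $extra -join ', '
            Missing     = $missing -join ', '
        }
    }
    # Offline machines never reach the CSV, so list them instead of assuming they are clean
    foreach ($pc in $ExpectedPCs) {
        if (-not $seen.ContainsKey($pc)) {
            [pscustomobject]@{ Workstation = $pc; Status = 'NotChecked'; Unexpected = ''; Missing = '' }
        }
    }
}

# Constructed stand-in for: Import-Csv "c:\temp\LocalAdmins.csv"
$rows = @'
"Workstation","Local_Admins"
"PC01","PC01\Administrator, CORP\Domain Admins, CORP\IT-Workstation-Admins"
"PC02","PC02\Administrator, CORP\Domain Admins, CORP\IT-Workstation-Admins, CORP\jsmith"
"PC03","PC03\Administrator, CORP\Domain Admins"
'@ | ConvertFrom-Csv

$expected = 'PC01', 'PC02', 'PC03', 'PC04'   # in practice: the $PCList from Get-ADComputer
$allowed  = 'CORP\Domain Admins', 'CORP\IT-Workstation-Admins'
Compare-LocalAdminBaseline -AuditRows $rows -ExpectedPCs $expected -AllowedMembers $allowed |
    Format-Table -AutoSize
```

An empty `Local_Admins` cell, for example when the WMI query was denied, is reported as `MissingExpectedGroup` rather than `OK`, so a failed query is not mistaken for a clean machine.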
All times are GMT -5.