Recently, I was tasked with getting an audit of all the users/groups that are in the local Administrator group of every server on the network.
Easy enough to do, but I wasn't about to log on to 2000+ servers to get this list. Instead, I decided to leverage some PowerShell to do it for me. At the same time, I figured this script would be useful for other people as well, so I made it a bit more flexible.
Want to get the local "Remote Desktop Users" group? Sure, we can do that. Want to get it on server1, server2, and server3 only? Sure... yup, done. How about a collection of every ADComputer that is a server, or how about just workstations? Sure, we can do that too! Want to write it out to a file (recommended for larger collections)? Done!
I then put this file on my GitHub, so feel free to grab it: https://github.com/lukefiveoh/powershell/blob/master/Get-LocalGroups.ps1
Welcome to Get-LocalGroups. Here's a quick rundown of how this works after the jump.
The following are the parameters:
-ComputerName : This is an array of computer names. For example, we can do "Get-LocalGroups -ComputerName SERVER1", or if we want to gather it on a few more computers, we can do "Get-LocalGroups -ComputerName SERVER1,SERVER2,SERVER3". This can also accept values from the pipeline, so we can do "Get-ABunchOfComputers | Get-LocalGroups".
-type : We define 3 types: "server", "workstation" (aka: everything else), or "custom". This will populate the "Filter" parameter of Get-ADComputer. So if we want everything that is a Server OS, we would do "Get-LocalGroups -type server"; if we wanted everything else, we could do "Get-LocalGroups -type workstation"; or if we knew our way around the Get-ADComputer Filter, we add the -Filter parameter, and we could do "Get-LocalGroups -type custom -Filter {Our Custom Filter}".
-MaxResultSize (requires use of -type) : We can limit the Get-ADComputer portion of the output by limiting its result set. We can do "*" for unlimited results, or if we just want to test and grab the first 10, we could do that too. Examples are "Get-LocalGroups -MaxResultSize 10 -type server" or "Get-LocalGroups -type server -maxresultsize *".
-Group : By default this script grabs the Administrators group, but we can do other groups as well, such as 'Get-LocalGroups -group "Server Operators"'.
-OutFile : If we want to output the results to CSV, then we specify an outfile, otherwise it will just print to the console. So "Get-LocalGroups -outfile c:\temp.csv" will throw our results to that file.
-Overwrite (requires OutFile) : If we put in this flag, then it will overwrite our OutFile without asking us. Otherwise, if we put in a file that already exists, it will prompt us to delete.
-Verbose : Will tell you what it's doing at any time. Basically some debugging information I left in while developing.
If we run it without ANY parameters, it will display the local administrators group of the current machine to the screen.
I ran it as follows: "Get-LocalGroups -MaxResultSize * -type server -outfile c:\AllServersAndLocalGroups.csv" and it worked pretty beautifully.
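For readers who want to see the general shape of such an audit, here is an added sketch. It is not the Get-LocalGroups script linked above. The function name Get-LocalGroupMemberAudit, the "Expected" allowlist, the "*Server*" filter string, and the output path are all assumptions made for illustration. It reads group membership through the WinNT ADSI provider and marks members that are not on the allowlist, so the CSV can be sorted by the Unexpected column during review.

```powershell
# Added example: not the Get-LocalGroups script from the post.
# Get-LocalGroupMemberAudit and its parameters are hypothetical names.
function Get-LocalGroupMemberAudit {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$Group = 'Administrators',
        # Constructed allowlist; replace with the accounts expected in your environment.
        [string[]]$Expected = @('Administrator', 'Domain Admins')
    )
    process {
        foreach ($computer in $ComputerName) {
            try {
                # The WinNT ADSI provider exposes local groups on a remote machine.
                $adsiGroup = [ADSI]"WinNT://$computer/$Group,group"
                foreach ($member in @($adsiGroup.psbase.Invoke('Members'))) {
                    $type  = $member.GetType()
                    $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
                    $class = $type.InvokeMember('Class', 'GetProperty', $null, $member, $null)
                    $name  = ($path -replace '^WinNT://', '') -replace '/', '\'
                    [pscustomobject]@{
                        Computer   = $computer
                        Group      = $Group
                        Member     = $name
                        Class      = $class
                        # Compare only the account name (last path component) to the allowlist.
                        Unexpected = ($Expected -notcontains ($name -split '\\')[-1])
                    }
                }
            }
            catch {
                # Unreachable or access-denied hosts are recorded rather than dropped,
                # so gaps in audit coverage stay visible in the output.
                [pscustomobject]@{
                    Computer = $computer; Group = $Group; Class = 'ERROR'
                    Member = "ERROR: $($_.Exception.Message)"; Unexpected = $null
                }
            }
        }
    }
}

# First 10 server-OS computers from AD, written to CSV (needs the ActiveDirectory module).
Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -ResultSetSize 10 |
    ForEach-Object { $_.Name } |
    Get-LocalGroupMemberAudit |
    Export-Csv -Path C:\Temp\LocalAdmins.csv -NoTypeInformation
```

Rows with Class set to ERROR mark machines that were not audited and should be retried, since a missing row is otherwise indistinguishable from an empty group.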