Tuesday, November 3, 2015

PowerShell: manage local users and groups, nest domain users into a per-server domain group and into the local computer admins

Hi mates,
A few months ago one of my customers told me:
"I need to clean a lot of servers in terms of the local Administrators group. At the same time I would like to change the method used to manage local administrators... is it possible to create one group for each single server so I can manage members from AD?
And what can we do about the current situation? Is it possible to clean up without creating issues?"
In fact there were a lot of external partners' accounts inside these local groups, and additionally a lot of usernames of internal application guys.
Anyway, what I needed to do is explained in the comments inside the script, so enjoy:



Import-Module ActiveDirectory

# Build the list of enabled servers from the "main_srv" OU of each site
if (Test-Path "c:\tmp\server_list.txt") {
    Remove-Item "c:\tmp\server_list.txt" -Force
}
$searchBases = @(
    "OU=main_srv,OU=NY,DC=mydomain,DC=local",
    "OU=main_srv,OU=London,DC=mydomain,DC=local",
    "OU=main_srv,OU=Rome,DC=mydomain,DC=local"
)
foreach ($base in $searchBases) {
    Get-ADComputer -SearchBase $base -SearchScope Subtree -Filter * -Properties Name,Enabled |
        Where-Object { $_.Enabled -eq $true } |
        Select-Object -ExpandProperty Name |
        Out-File "c:\tmp\server_list.txt" -Append
}

$domain   = "mydomain"
$groupOU  = "OU=administrators group for servers,DC=mydomain,DC=local"
$ps_tools = "c:\pstools\psexec.exe"
$srvs     = Get-Content "c:\tmp\server_list.txt"

# Run this with an account that is NOT itself a direct member of the servers' local Administrators groups
# (e.g. an account that is admin through Domain Admins): the loop below removes every direct domain member it finds.
foreach ($srv in $srvs) {
    # For each server, create a dedicated AD group that will hold the accounts that must be local administrators on it
    $new_group = "${srv}_Local_Administrators"
    New-ADGroup -Name $new_group -Path $groupOU -Description "Group that will be added to the local Administrators group of $srv" -GroupCategory Security -GroupScope DomainLocal

    # Using PsTools (psexec), connect to the server and add the newly created domain group to its local Administrators group
    & $ps_tools \\$srv net localgroup Administrators "$domain\$new_group" /add

    # Enumerate the domain accounts (users and groups) that are direct members of the server's local Administrators group.
    # LocalAccount=True makes sure we match the local group and not a domain group of the same name; the group we just
    # added is excluded, otherwise it would be nested into itself and then removed again below.
    $user_admin = Get-CimInstance -ClassName Win32_Group -Filter "Name='Administrators' AND LocalAccount=True" -ComputerName $srv |
        Get-CimAssociatedInstance -Association Win32_GroupUser |
        Where-Object { $_.Domain -eq $domain -and $_.Name -ne $new_group } |
        Select-Object -ExpandProperty Name

    # For each domain account found: add it to the new per-server group, then remove it from the local Administrators
    # group, so from now on the local admins are managed only through the AD group
    foreach ($usr in $user_admin) {
        # Add-ADGroupMember accepts the sAMAccountName returned by the CIM query, for both users and groups
        Add-ADGroupMember -Identity $new_group -Members $usr
        # Remove the direct membership from the server's local Administrators group
        ([ADSI]"WinNT://$srv/Administrators,group").Remove("WinNT://$domain/$usr")
    }
}
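The customer's second question ("is it possible to clean up without creating issues?") is best answered by checking the result. The following audit is an added example, not part of the original post: it reads the direct members of each server's local Administrators group the same way the script does, and compares them against what should be there after the migration, i.e. the per-server group plus a small allow-list. The domain name "mydomain", the "<server>_Local_Administrators" naming, the allow-list entries and the two sample servers with their member lists are assumptions constructed for the demonstration.

```powershell
# Added example (not from the original post): audit local Administrators membership after the migration.
# Assumed names: NetBIOS domain "mydomain", per-server groups called "<server>_Local_Administrators".

function Get-LocalAdminMembers {
    # Returns "DOMAIN\Name" strings for the direct members of a server's local Administrators group (CIM over WinRM).
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-CimInstance -ClassName Win32_Group -Filter "Name='Administrators' AND LocalAccount=True" -ComputerName $ComputerName |
        Get-CimAssociatedInstance -Association Win32_GroupUser |
        ForEach-Object { "$($_.Domain)\$($_.Name)" }
}

function Compare-LocalAdminMembership {
    # Pure comparison, no remote calls: given the observed members of one server, report whether the per-server
    # group is present and which members are not expected. Comparisons are case-insensitive (-contains default).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$ObservedMembers,
        [string]$Domain = "mydomain",
        [string[]]$AllowList
    )
    if (-not $AllowList) {
        # Members allowed to stay directly in the local group: the built-in local Administrator and Domain Admins
        $AllowList = @("$ComputerName\Administrator", "$Domain\Domain Admins")
    }
    $expectedGroup = "$Domain\${ComputerName}_Local_Administrators"
    $allowed       = @($expectedGroup) + $AllowList
    $unexpected    = @($ObservedMembers | Where-Object { $allowed -notcontains $_ })
    $hasGroup      = $ObservedMembers -contains $expectedGroup
    [pscustomobject]@{
        ComputerName   = $ComputerName
        HasServerGroup = $hasGroup
        Unexpected     = $unexpected
        Compliant      = $hasGroup -and ($unexpected.Count -eq 0)
    }
}

# Constructed sample data standing in for the Get-LocalAdminMembers output of two servers:
# SRV01 has been migrated correctly, SRV02 still has a partner account and an application group listed directly
$sample = [ordered]@{
    "SRV01" = @("SRV01\Administrator", "mydomain\SRV01_Local_Administrators", "mydomain\Domain Admins")
    "SRV02" = @("SRV02\Administrator", "mydomain\Domain Admins", "mydomain\partner.bob", "mydomain\App Operators")
}
$sample.GetEnumerator() | ForEach-Object {
    Compare-LocalAdminMembership -ComputerName $_.Key -ObservedMembers $_.Value
} | Format-Table ComputerName, Compliant, HasServerGroup, @{ n = 'Unexpected'; e = { $_.Unexpected -join ', ' } }

# Against the real servers, replace the sample with the server list used by the migration script:
#   Get-Content "c:\tmp\server_list.txt" | ForEach-Object {
#       Compare-LocalAdminMembership -ComputerName $_ -ObservedMembers (Get-LocalAdminMembers -ComputerName $_)
#   }
```

In the sample, SRV01 comes out compliant while SRV02 is reported with "mydomain\partner.bob" and "mydomain\App Operators" as unexpected direct members and HasServerGroup false, which is exactly the state the migration script is meant to remove. Running the audit before the cleanup gives you the "current situation" inventory the customer asked about; running it afterwards (and periodically) catches anyone who adds accounts directly to a server again instead of to its AD group.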

No complications, no tricks, only the essential.
Hope this helps.
See you soon
