A few months ago one of my customers told me:
"I need to clean a lot of servers in terms of the local Administrators group. At the same time I would like to change the method to manage local administrators..... is it possible to create one group for each single server so I can manage members from AD?
And what can we do for the current situation? Is it possible to clean without creating issues?"
In practice there were a lot of external partners' accounts inside these local groups, and in addition a lot of usernames belonging to the internal application teams.
Anyway, what I needed to do is well explained inside the script..... so enjoy:
Import-Module ActiveDirectory
# rebuild the server list from scratch on every run
if (Test-Path "c:\tmp\server_list.txt") {
    Remove-Item "c:\tmp\server_list.txt" -Force
}
# collect the enabled computer accounts of the three server OUs
Get-ADComputer -SearchBase "OU=main_srv,OU=NY,DC=mydomain,DC=local" -SearchScope Subtree -Filter * -Properties Name,Enabled | Where-Object { $_.Enabled -eq $true } | Select-Object -ExpandProperty Name | Out-File "c:\tmp\server_list.txt"
Get-ADComputer -SearchBase "OU=main_srv,OU=London,DC=mydomain,DC=local" -SearchScope Subtree -Filter * -Properties Name,Enabled | Where-Object { $_.Enabled -eq $true } | Select-Object -ExpandProperty Name | Out-File "c:\tmp\server_list.txt" -Append
Get-ADComputer -SearchBase "OU=main_srv,OU=Rome,DC=mydomain,DC=local" -SearchScope Subtree -Filter * -Properties Name,Enabled | Where-Object { $_.Enabled -eq $true } | Select-Object -ExpandProperty Name | Out-File "c:\tmp\server_list.txt" -Append
$srvs = @()
$srv = @()
$group = @()
$domain = "mydomain"
$ps_tools = "c:\pstools\psexec.exe"
$srvs = (Get-Content "c:\tmp\server_list.txt")
foreach ($srv in $srvs) {
    # here for each server we create a group in AD dedicated to it that will contain the users that must be in the local Administrators group
    New-ADGroup -Name ($srv + "_Local_Administrators") -Path "ou=administrators group for servers ,DC=mydomain,DC=local" -Description "Groups that will be added to the local Administrators group for each server" -GroupCategory Security -GroupScope DomainLocal
    $new_group = ($srv + "_Local_Administrators")
    # here using PsTools we connect to each single server and we add the newly created group to the local Administrators one
    & $ps_tools \\$srv net localgroup Administrators "$domain\$new_group" /add
    # here we enumerate the list of domain members present inside the local Administrators group for each single server in the loop
    # (the group we just added is excluded, otherwise the cleanup below would remove it again)
    $user_admin = Get-CimInstance -ClassName Win32_Group -Filter "Name = 'Administrators'" -ComputerName $srv | Get-CimAssociatedInstance -Association Win32_GroupUser | Where-Object { $_.Domain -eq $domain -and $_.Name -ne $new_group } | Select-Object -ExpandProperty Name
    # here for each member found in the local Administrators group we do a cycle: we add the member to the group created
    # earlier and finally we delete it from the local group, one by one
    foreach ($usr in $user_admin) {
        # here we bind this variable to the new domain group
        $Admin_Server_Group = [ADSI]"WinNT://$domain/$new_group,group"
        # here we use the Add method to add to the new group the domain members found in the previous CIM query
        $Admin_Server_Group.psbase.Invoke("Add", ([ADSI]"WinNT://$domain/$usr").path)
        # here we delete the member from the local Administrators group
        ([ADSI]"WinNT://$srv/Administrators,group").Remove("WinNT://$domain/$usr")
    }
}
No complications, no tricks, only the essential.
Hope this helps.
See you soon
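Before running a migration like the one above, most admins want to know exactly what it will move and what it will leave alone. The following read-only audit is an added example (not the post's own script): it walks the same server list, classifies every member of the local Administrators group (local account, domain member that would be moved, the per-server group itself, or a foreign/unresolved entry that deserves a manual look) and writes a CSV, without changing anything. It assumes the same `c:\tmp\server_list.txt` input and `mydomain` NetBIOS name used in the post, and a reachable CIM endpoint on each server; the output path `c:\tmp\local_admin_audit.csv` is my own choice.

```powershell
# Added example: read-only audit of local Administrators membership across the
# servers in c:\tmp\server_list.txt. Nothing is modified; it only reports what the
# per-server-group migration would touch. (assumed paths and domain name, see above)
$domain  = 'mydomain'                       # NetBIOS name of the AD domain
$servers = Get-Content 'c:\tmp\server_list.txt'
$report  = New-Object System.Collections.Generic.List[object]

foreach ($srv in $servers) {
    $newGroup = "${srv}_Local_Administrators"   # name the migration script creates
    try {
        $members = Get-CimInstance -ClassName Win32_Group -Filter "Name = 'Administrators'" `
                       -ComputerName $srv -ErrorAction Stop |
                   Get-CimAssociatedInstance -Association Win32_GroupUser -ErrorAction Stop
    } catch {
        # unreachable or access denied: record it instead of silently skipping the host
        $report.Add([pscustomobject]@{
            Server = $srv; Member = $null; Domain = $null; Type = 'ERROR'
            Action = "Unreachable: $($_.Exception.Message)"
        })
        continue
    }
    foreach ($m in $members) {
        # Win32_GroupUser associates both user and group accounts; the CIM class tells which
        $type = $m.CimClass.CimClassName           # Win32_UserAccount or Win32_Group
        if ($m.Domain -eq $srv) {
            $action = 'Keep (local account)'       # built-in Administrator, local admins
        } elseif ($m.Name -eq $newGroup) {
            $action = 'Keep (per-server group)'    # already migrated
        } elseif ($m.Domain -eq $domain) {
            $action = "Move to $domain\$newGroup"  # what the migration script would do
        } else {
            $action = 'Review (foreign domain or unresolved SID)'
        }
        $report.Add([pscustomobject]@{
            Server = $srv; Member = $m.Name; Domain = $m.Domain; Type = $type; Action = $action
        })
    }
}

$report | Export-Csv 'c:\tmp\local_admin_audit.csv' -NoTypeInformation
# quick summary on screen: how many entries fall into each bucket
$report | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize
```

The "Move" rows are the ones worth reading line by line before the real run: domain groups such as the domain's built-in administrative groups show up there too, because the migration treats every domain member the same way, and "Review" rows usually correspond to accounts from a trusted partner domain or to deleted accounts that survive only as a SID.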
Amazing! Very useful post Domenico!
:-) .... Thank you very much