query local administrators except builtin and domain admins

  • Question

  • Hello,

    I have 300 PCs in my domain. In most of them, domain users are local administrators on their computers. I want to query all computers and export the names of the computers on which the local admins include someone other than the 'built in' local admin and domain admins.

    Basically, I want to find out which computers have someone else in their local Administrators group besides the builtin admin and domain admins, and export their computer names. I want to use PowerShell.

    Thank you

    • Moved by Bill_Stewart Monday, October 19, 2015 4:28 PM This is not "scripts on demand"
    Tuesday, September 15, 2015 8:44 AM

Answers

All replies

  • That is nice.  Yes you can do that with PowerShell. 

    Start here: https://gallery.technet.microsoft.com/scriptcenter

    You will find many pre-written scripts that can do what you ask.


    \_(ツ)_/

    Tuesday, September 15, 2015 9:11 AM
  • Thank you, jrv.

    I downloaded a script. Can you please change it for me to meet my needs?

    # Find every computer object in the domain
    $Searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
    $Searcher.Filter = "(objectClass=computer)"
    $Searcher.SearchRoot = "LDAP://dc=fabrikam,dc=com"
    $Computers = ($Searcher.Findall())
    md C:\All_Local_Admins
    Foreach ($Computer in $Computers)
    {
        $Path=$Computer.Path
        $Name=([ADSI]"$Path").Name
        write-host $Name
        # Enumerate the members of the computer's local Administrators group
        $members =[ADSI]"WinNT://$Name/Administrators"
        $members = @($members.psbase.Invoke("Members"))
        # Append each member's name to a per-computer text file
        $members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty',
            $null, $_, $null) | out-file -append C:\All_Local_Admins\$name.txt
        }
    }

    But this script lists all local admins on a computer in a text file for each computer.

    Tuesday, September 15, 2015 9:24 AM
  • No but you can change it as needed.  That is what scripting is for.

    Start here: https://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx?f=255&MSPPError=-2147217396


    \_(ツ)_/

    Tuesday, September 15, 2015 9:32 AM
  • Thanks. I hope others can help me with the script.
    Tuesday, September 15, 2015 10:39 AM
  • We don't write or customize scripts on demand. We can answer questions and help you write your own script. The scripting is up to you. Please review the forum guidelines on the main forum page.

    I will suggest that you filter out the accounts and groups you do not want to see.

    The code you selected will not be useful for what you want. It is not correctly written. There are better scripts in the Gallery. By looking through the Gallery and studying the scripts you can learn quite a bit about how to write a script.


    \_(ツ)_/

    Tuesday, September 15, 2015 10:45 AM
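
Added example, not part of the thread or of any poster's script: one way to filter out the accounts and groups you do not want to see, by SID rather than by name. The function names are hypothetical, the sample SIDs and names are constructed, and the code assumes the English group name 'Administrators' and the standard RIDs 500 (built-in Administrator) and 512 (Domain Admins).

```powershell
# Added example (hypothetical function names). Members are judged by SID, so a
# renamed built-in Administrator is still recognized and a look-alike name is not.
function Get-UnexpectedAdmin {
    param([object[]]$Member, [string]$DomainSid)   # members carry Name and Sid
    foreach ($m in $Member) {
        $isDomainAdmins = $m.Sid -eq "$DomainSid-512"
        # RID 500 outside the domain SID = the computer's own built-in Administrator
        $isBuiltinAdmin = $m.Sid -match '^S-1-5-21-[\d-]+-500$' -and
                          -not $m.Sid.StartsWith("$DomainSid-")
        if (-not ($isDomainAdmins -or $isBuiltinAdmin)) { $m }
    }
}

function Get-LocalAdminMember {
    param([string]$ComputerName)
    # Assumption: the group has its English name 'Administrators'
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($entry in @($group.psbase.Invoke('Members'))) {
        $type  = $entry.GetType()
        $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $entry, $null)
        [pscustomobject]@{
            Name = $type.InvokeMember('Name', 'GetProperty', $null, $entry, $null)
            Sid  = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
    }
}

function Find-NonStandardAdminComputer {
    param([string[]]$ComputerName, [string]$DomainSid)
    foreach ($c in $ComputerName) {
        # An unreachable computer is reported as a warning, never counted as clean
        try   { $extra = @(Get-UnexpectedAdmin -Member (Get-LocalAdminMember $c) -DomainSid $DomainSid) }
        catch { Write-Warning "$c not checked: $($_.Exception.Message)"; continue }
        if ($extra) { [pscustomobject]@{ Computer = $c; Extra = $extra.Name -join ', ' } }
    }
}

# Constructed sample (made-up SIDs and names) that exercises the filter offline.
# On a domain-joined session the real domain SID can be read from
# [Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid.Value
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'Administrator'; Sid = 'S-1-5-21-4444444444-5555555555-6666666666-500' }
    [pscustomobject]@{ Name = 'Domain Admins'; Sid = "$domainSid-512" }
    [pscustomobject]@{ Name = 'jdoe';          Sid = "$domainSid-1104" }
)
Get-UnexpectedAdmin -Member $sample -DomainSid $domainSid
```

For a live sweep, pass the computer names returned by a directory search to Find-NonStandardAdminComputer and pipe the result to Export-Csv; this needs network reachability and administrative rights on each computer.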
  • Thanks. I hope others can help me with the script.

    You should read this to set your expectations:

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/a0def745-4831-4de0-a040-63b63e7be7ae/posting-guidelines?forum=ITCG


    Tuesday, September 15, 2015 11:51 AM
  • 1) As already noted, this is not the right forum to post a script request or ask others to fix broken scripts for you.

    2) It is poor security practice to put end-users in the Administrators group on computers.

    3) You can define the membership of the Administrators group on computers using Group Policy. This provides automatic compliance and reporting. See the following thread:

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/747cb791-684e-4a92-9608-68559ca9ea9f/


    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by Bill_Stewart Monday, September 21, 2015 6:43 PM
    • Marked as answer by Bill_Stewart Monday, October 19, 2015 4:27 PM
    Tuesday, September 15, 2015 3:15 PM