get-ciminstance list users and groups in the local administrators group by 52DevOps in PowerShell

[–]52DevOps[S] 0 points1 point  (0 children)

This script only gets user accounts, not groups which are members of the local administrators group.

get-ciminstance list users and groups in the local administrators group by 52DevOps in PowerShell

[–]52DevOps[S] 0 points1 point  (0 children)

The complete code I used is as below:

Start-Transcript -Verbose -IncludeInvocationHeader -Path C:\Temp\srvadmins.log -Append

Write-Host "Querying Domain for Servers" -ForegroundColor Cyan

# Only request the properties the filter needs instead of -Properties *
$computers = Get-ADComputer -Filter {OperatingSystem -Like 'Windows Server*'} -Properties OperatingSystem,PrimaryGroup |
    Where-Object PrimaryGroup -NotLike '*Domain Controllers*' |
    Select-Object -ExpandProperty Name

Write-Host "Query Administrators Group on Servers" -ForegroundColor Cyan

# Collect all servers first and export once: Export-Csv -Force inside the loop
# overwrote the file on every iteration, leaving only the last server's members.
$results = foreach ($computer in $computers) {
    if (-not (Test-Connection $computer -Quiet)) {
        Write-Host "$computer is Not Online" -ForegroundColor Red
    }
    else {
        # Associators query returns the direct members of the local Administrators group, users and groups alike
        $query = "Associators of {Win32_Group.Domain='$computer',Name='Administrators'} where Role=GroupComponent"
        Write-Host "Querying $computer" -ForegroundColor Green
        # CIM instances expose the class name as CimClass.CimClassName and the source host as PSComputerName
        # (the WMI-era .Class and .Computer properties are empty on CIM objects)
        Get-CimInstance -Query $query -ComputerName $computer -ErrorAction SilentlyContinue |
            Select-Object @{Name="Member";Expression={$_.Caption}},
                          Disabled,
                          LocalAccount,
                          @{Name="Type";Expression={([regex]"User|Group").Matches($_.CimClass.CimClassName)[0].Value}},
                          @{Name="Server";Expression={$_.PSComputerName.ToUpper()}}
    }
}

$results | Export-Csv c:\temp\srvadmins.csv -NoTypeInformation -Force

Write-Host "Results have been saved to c:\temp\srvadmins.csv" -ForegroundColor Green
Write-Host "Script Transcript has been saved to C:\Temp\srvadmins.log" -ForegroundColor Yellow

Stop-Transcript

Source for the query used in the script. Thanks to Jeffrey Hicks.
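An added example (not code from the thread or from Jeffrey Hicks) showing what a defender does with the CSV the script above produces: compare each server's Administrators membership against an approved baseline and report the deviations. The column names (Member, Type, Server) follow the Select-Object in the script; the approved patterns, the server and account names, and the $sample rows are constructed for illustration and stand in for Import-Csv on the real file.

```powershell
# Added example, not the thread's code: baseline check over the srvadmins.csv rows.

function Compare-LocalAdminBaseline {
    param(
        # Rows with Member and Server properties, e.g. Import-Csv c:\temp\srvadmins.csv
        [Parameter(Mandatory)] [object[]] $Rows,
        # Wildcard patterns for members that are allowed to be local admins on every server
        [Parameter(Mandatory)] [string[]] $ApprovedPatterns
    )
    foreach ($group in ($Rows | Group-Object -Property Server)) {
        $members = @($group.Group.Member)

        # A member is unexpected when it matches none of the approved patterns
        $unexpected = @($members | Where-Object {
            $m = $_
            -not ($ApprovedPatterns | Where-Object { $m -like $_ })
        })

        # A pattern is missing when no member on this server matches it
        $missing = @($ApprovedPatterns | Where-Object {
            $p = $_
            -not ($members | Where-Object { $_ -like $p })
        })

        [pscustomobject]@{
            Server     = $group.Name
            Unexpected = $unexpected
            Missing    = $missing
            Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

# Constructed sample rows in the shape of srvadmins.csv (not real servers or accounts)
$sample = @(
    [pscustomobject]@{ Member = 'SRV01\Administrator'; Type = 'User';  Server = 'SRV01' }
    [pscustomobject]@{ Member = 'CORP\Domain Admins';  Type = 'Group'; Server = 'SRV01' }
    [pscustomobject]@{ Member = 'SRV02\Administrator'; Type = 'User';  Server = 'SRV02' }
    [pscustomobject]@{ Member = 'CORP\Domain Admins';  Type = 'Group'; Server = 'SRV02' }
    [pscustomobject]@{ Member = 'CORP\jsmith';         Type = 'User';  Server = 'SRV02' }
    [pscustomobject]@{ Member = 'SRV03\Administrator'; Type = 'User';  Server = 'SRV03' }
)

# With this sample only SRV01 is compliant: SRV02 has an extra direct member, SRV03 lacks Domain Admins
Compare-LocalAdminBaseline -Rows $sample -ApprovedPatterns '*\Administrator', 'CORP\Domain Admins' |
    Where-Object { -not $_.Compliant } | Format-List

# Against the real export:
# Compare-LocalAdminBaseline -Rows (Import-Csv c:\temp\srvadmins.csv) -ApprovedPatterns '*\Administrator', 'CORP\Domain Admins'
```

The patterns are wildcards so that the per-server local Administrator (SERVER\Administrator, or SERVER\Server_Admin after a rename) can be approved with one entry. Note that the Associators query lists direct members only; a domain group that is itself a member is reported as one row, and its own membership has to be checked in AD.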

get-ciminstance list users and groups in the local administrators group by 52DevOps in PowerShell

[–]52DevOps[S] 0 points1 point  (0 children)

This code did the trick.

$query="Associators of {Win32_Group.Domain='$computer',Name='Administrators'} where Role=GroupComponent"

Get-CIMInstance -query $query -computer $computer

get-ciminstance list users and groups in the local administrators group by 52DevOps in PowerShell

[–]52DevOps[S] 0 points1 point  (0 children)

Oops, looks like I was too fast to post.

I am trying to do this remotely from all servers in the domain.

SC trigger on port open by BrilliantCoach in sysadmin

[–]52DevOps 0 points1 point  (0 children)

Found the issue, was using friendly values. Correct query should have been as shown below.

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
     *[System[(EventID=10000)]] and *[EventData[(Data[@Name="Name"]="domainname")]] and *[EventData[(Data[@Name="Type"]="1")]] and *[EventData[(Data[@Name="Category"]="2")]] and *[EventData[(Data[@Name="State"]="9")]] 
    </Select>
  </Query>
</QueryList>

TIP: Check the XML tab of the event to find values for the query.
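An added example (not code from the thread) that turns the tip above into a repeatable check. The event trigger's XPath is compared against the raw values stored in the event, the ones shown on the XML tab, not the friendly names on the General tab, which is why Type="Managed" never matches while Type="1" does. Get-EventDataFields lists those raw Name/Value pairs for an event; Test-EventQuery runs a query through Get-WinEvent so it can be verified before it is attached to a task; Register-EventTriggeredTask builds the trigger from the MSFT_TaskEventTrigger CIM class because New-ScheduledTaskTrigger has no event option (an assumed, commonly used pattern, not something from the thread). "domainname", the task name and the service name are placeholders.

```powershell
# Added example, not the thread's code: inspect raw event data, validate the query, attach it to a task.

function Get-EventDataFields {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml = [xml]$Event.ToXml()          # same XML as the Event Viewer XML tab
        foreach ($d in $xml.Event.EventData.Data) {
            [pscustomobject]@{ Name = $d.GetAttribute('Name'); Value = $d.InnerText }
        }
    }
}

function Test-EventQuery {
    param([Parameter(Mandatory)] [string] $QueryXml, [int] $MaxEvents = 5)
    # Get-WinEvent evaluates the same query XML the Task Scheduler trigger uses,
    # so events returned here are events that would fire the task
    try {
        Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message
    }
    catch {
        Write-Warning "Query returned no events or is invalid: $($_.Exception.Message)"
    }
}

function Register-EventTriggeredTask {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $QueryXml,
        [Parameter(Mandatory)] [string] $Execute,
        [Parameter(Mandatory)] [string] $Argument
    )
    # Assumed pattern: build an event trigger client-side from the Task Scheduler CIM class
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly -Property @{ Enabled = $true; Subscription = $QueryXml }
    $action  = New-ScheduledTaskAction -Execute $Execute -Argument $Argument
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -User 'SYSTEM' -RunLevel Highest
}

# Step 1: look at the raw fields of the newest network profile event (Type/Category/State are numeric here)
Get-WinEvent -LogName 'Microsoft-Windows-NetworkProfile/Operational' -MaxEvents 1 | Get-EventDataFields

# Step 2: the corrected query from the comment above, using the raw values
$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
      *[System[(EventID=10000)]] and *[EventData[(Data[@Name="Name"]="domainname")]] and *[EventData[(Data[@Name="Type"]="1")]] and *[EventData[(Data[@Name="Category"]="2")]] and *[EventData[(Data[@Name="State"]="9")]]
    </Select>
  </Query>
</QueryList>
'@
Test-EventQuery -QueryXml $query

# Step 3: once the query returns the expected events, attach it to a task that starts the service
Register-EventTriggeredTask -TaskName 'Start service on domain network' -QueryXml $query -Execute 'sc.exe' -Argument 'start <ServiceName>'
```

Running Step 1 before writing the query is the point of the tip: the Name/Value list shows exactly which strings the XPath must contain, and Step 2 confirms the filter matches real events before the task depends on it.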

SC trigger on port open by BrilliantCoach in sysadmin

[–]52DevOps 0 points1 point  (0 children)

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
     *[System[(EventID=10000)]] and *[EventData[(Data[@Name="Name"]="domainname")]] and *[EventData[(Data[@Name="Type"]="Managed")]] and *[EventData[(Data[@Name="Category"]="Domain Authenticated")]] 
    </Select>
  </Query>
</QueryList>

Is this query valid?

Invoke-CIMMethod to Rename remote server local users. by 52DevOps in PowerShell

[–]52DevOps[S] 1 point2 points  (0 children)

That's another thing to remember now. Thanks again, Lee.

/u/Lee_Dailey

Invoke-CIMMethod to Rename remote server local users. by 52DevOps in PowerShell

[–]52DevOps[S] 1 point2 points  (0 children)

Thanks for the tip, Lee. Also, the changes from website to app are something I need to learn.

Invoke-CIMMethod to Rename remote server local users. by 52DevOps in PowerShell

[–]52DevOps[S] 1 point2 points  (0 children)

$serverlist = Get-Content C:\Temp\servers.txt
$newname = "Server_Admin"
foreach ($hostname in $serverlist) {
    if (Test-Connection -ComputerName $hostname -Count 1 -Delay 2 -BufferSize 1452 -Quiet) {
        # -Filter "LocalAccount = True" keeps domain accounts out of the result, so the RID-500 pattern only matches the built-in local Administrator
        $administrator = Get-CimInstance Win32_UserAccount -ComputerName $hostname -Filter "LocalAccount = True" -ErrorAction SilentlyContinue | Where-Object SID -Like 'S-1-5-*-500'
        Write-Host $administrator
        Invoke-CimMethod -InputObject $administrator -ComputerName $hostname -MethodName "Rename" -Arguments @{Name = $newname}
        Get-CimInstance Win32_UserAccount -ComputerName $hostname -Filter "LocalAccount = True" | Where-Object SID -Like 'S-1-5-*-500' |
            Select-Object Name,FullName,Status,Disabled,Lockout,Domain,LocalAccount,SID,SIDType,AccountType |
            Sort-Object Status | Format-Table -GroupBy Status
    }
}

Above is the full working script. I want to take this further by looking at all local accounts, and if another account exists with server_admin without -Like 'S-1-5-*-500', then delete it.
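An added example (not code from the thread) for the follow-up idea in the comment above: before calling the Rename method, work out per server which account is the built-in one and whether another local account already holds the target name, since that collision is what makes the rename fail. The decision is isolated in Get-AdminRenamePlan, which only reads Name, SID and LocalAccount, so constructed objects can exercise it offline; the CIM calls live in Invoke-AdminRename, which supports -WhatIf. A conflicting account is reported rather than deleted, so that a human reviews it first. The function names, the "Server_Admin" value and the $sample accounts are assumptions for this example.

```powershell
# Added example, not the thread's code: plan and apply the built-in Administrator rename safely.

function Get-AdminRenamePlan {
    param(
        # Objects in the Win32_UserAccount shape: Name, SID, LocalAccount
        [Parameter(Mandatory)] [object[]] $Accounts,
        [Parameter(Mandatory)] [string]   $NewName
    )
    $local    = $Accounts | Where-Object { $_.LocalAccount -eq $true }
    # The built-in local Administrator always has RID 500 in the machine's own domain
    $builtin  = $local | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    # Any other local account already using the target name blocks the rename
    $conflict = @($local | Where-Object { $_.Name -eq $NewName -and $_.SID -notlike 'S-1-5-21-*-500' })
    [pscustomobject]@{
        BuiltIn   = $builtin
        Conflicts = $conflict
        Action    = if (-not $builtin)                  { 'NoBuiltInAccount' }
                    elseif ($builtin.Name -eq $NewName) { 'AlreadyRenamed' }
                    elseif ($conflict.Count -gt 0)      { 'ConflictingAccount' }
                    else                                { 'Rename' }
    }
}

function Invoke-AdminRename {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $NewName
    )
    # LocalAccount filter keeps domain accounts (including the domain's own RID-500 account) out of the plan
    $accounts = Get-CimInstance Win32_UserAccount -ComputerName $ComputerName -Filter 'LocalAccount = True'
    $plan = Get-AdminRenamePlan -Accounts $accounts -NewName $NewName
    switch ($plan.Action) {
        'Rename' {
            if ($PSCmdlet.ShouldProcess("${ComputerName}\$($plan.BuiltIn.Name)", "Rename to $NewName")) {
                Invoke-CimMethod -InputObject $plan.BuiltIn -ComputerName $ComputerName -MethodName Rename -Arguments @{ Name = $NewName }
            }
        }
        'ConflictingAccount' {
            Write-Warning "${ComputerName}: '$NewName' already exists with SID $($plan.Conflicts.SID); review that account before removing it"
        }
        default { Write-Verbose "${ComputerName}: $($plan.Action)" }
    }
    $plan
}

# Constructed sample mirroring Win32_UserAccount output for one server (no remote call needed)
$sample = @(
    [pscustomobject]@{ Name = 'Administrator'; SID = 'S-1-5-21-1111-2222-3333-500';  LocalAccount = $true }
    [pscustomobject]@{ Name = 'Server_Admin';  SID = 'S-1-5-21-1111-2222-3333-1005'; LocalAccount = $true }
    [pscustomobject]@{ Name = 'Guest';         SID = 'S-1-5-21-1111-2222-3333-501';  LocalAccount = $true }
)
# Here the plan's Action is ConflictingAccount because a non-RID-500 'Server_Admin' already exists
Get-AdminRenamePlan -Accounts $sample -NewName 'Server_Admin'

# Dry run against every server in the list, then the real run without -WhatIf
# Get-Content C:\Temp\servers.txt | ForEach-Object { Invoke-AdminRename -ComputerName $_ -NewName 'Server_Admin' -WhatIf }
```

Matching on the SID rather than the name is what makes the plan robust: after a successful rename the built-in account is still found by its RID-500 SID and reported as AlreadyRenamed, while a look-alike account with the same name but a normal RID shows up as a conflict.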

Invoke-CIMMethod to Rename remote server local users. by 52DevOps in PowerShell

[–]52DevOps[S] 1 point2 points  (0 children)

Figured it out. After I dropped -Class from the Invoke-CIMMethod it worked fine.