Happy Monday all!
I’m finally getting around to posting some code from my last PowerShell class in Phoenix. As always, I invited my class to bring an idea with them that they would like to try on Friday. The idea that one of my PowerShell Rock Stars brought in reminded me of a problem that I had many years ago.
You see, when the company that I worked for acquired another business, my job was to go in and join their IT systems into our domain. Not a big deal with only about 30 clients. This company had no dedicated IT support prior to our take over so I was going to be the first IT staffer the former employees meet when we hired them back. All went well the first morning. It was after lunch that I spotted a problem.
Before they all returned, I removed all the video games from the clients. Right after lunch, I was walking through the cubes and was watching people play video games. Kind of bold considering it was their first day at work after being re-hired. That evening, I discovered how they got those games back on. They all had local administrator accounts. Obviously, I missed something.
The question that I helped to answer in class was “How do I remove all local users from the local Administrators groups on my clients?” I knew we could do it using the same method that we used to connect to Active Directory in PowerShell V1, ADSI. (Active Directory Services Integration). ADSI can connect to a number of directory services besides Microsoft’s Active Directory. In this case, a local security database.
This is not my usual cmdlet type code that I like to dish out. You can see a $ComputerName variable. Just feed it the name of the client that you need remove accounts from the local Administrators group. I’ll leave the error handling up to you. I tested this code out on Windows 10 Client. PowerShell remoting is required.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 | $ComputerName = "CL1"
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
# Object to be created for each user removed from the # local Administrators group. Function New-OutputObject { $Obj = New-Object -TypeName psobject -Property @{ UserNameRemoved = $Null } Write-Output $Obj }
# Connect to the local security database. $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
# Grab all local user objects and place them in a custom object $users = $adsi.Children | where {$_.SchemaClassName -eq 'user'} | Foreach-Object { New-Object -TypeName PSCustomObject -Property @{ UserName = $_.Name -join '' Groups = ($_.Groups() | Foreach-Object {$_.GetType(). InvokeMember("Name", 'GetProperty', $null, $_,$null)}) -join ',' SID = New-Object System.Security.Principal.SecurityIdentifier($_.ObjectSid[0],0) } }
# Get the local Adminsitrators group object. $Group = $ADSI.Children.Find('Administrators','group')
# Get the clients name. $client = $env:COMPUTERNAME
ForEach ($User in $Users) {
if (($User.Groups).split(",") -contains "users" -and ($User.Groups).split(",") -contains "Administrators") {
# Get a new copy of the output object and populate it. $Obj = New-OutputObject $Obj.UserNameRemoved = $User.UserName
# Invoke the local groups REMOVE method $Group.Remove(("WinNT://$Client/$($User.UserName)"))
# Send the object to the pipeline. Write-Output $Obj } Else { }
} } # END: Invoke-Command
|
Comments