Your basic ITPro blog... What's going on at work, what I'm interested in.

Thursday, December 10, 2009

List of Accounts in Local Administrators Group

Not all of this code is original. Thank you to the many, many people in the PowerShell community who freely share their code, expertise, and talent with the rest of us. In that spirit, here’s my script for reporting accounts in the local Administrators group on domain workstations. I hope it helps others.

NOTE: This script requires the Quest AD Cmdlets (it uses Get-QADComputer to enumerate the domain's computer accounts).

------------------------------------------------------------------------------

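# Report setup: starts Excel, prepares the three result sheets and the row counters.
#
# Errors are left visible ("Continue") rather than silenced. With "SilentlyContinue" a
# failed remote query or a failed COM call leaves no trace, and in an audit a silent
# failure is easily mistaken for a clean result.
$ErrorActionPreference = "Continue"

$a = New-Object -ComObject Excel.Application
$a.Visible = $True

$b = $a.Workbooks.Add()

# Excel can be configured to create fewer than three sheets in a new workbook.
# Make sure sheets 1-3 exist before they are addressed by index.
while ($b.Worksheets.Count -lt 3)
{
    [void]$b.Worksheets.Add()
}

# Sheet index -> sheet title. Index 1 collects unexpected administrators, index 2 the
# machines with nothing to report, index 3 the machines that could not be checked.
$sheetTitles = @{
    1 = "Violators"
    2 = "Good Machines"
    3 = "Un-Pingable Machines"
}

# Same order as before (3, 2, 1) so $c and $d end up pointing at the "Violators" sheet.
foreach ($sheetIndex in 3, 2, 1)
{
    $c = $b.Worksheets.Item($sheetIndex)
    $c.Name = $sheetTitles[$sheetIndex]
    $c.Cells.Item(1,1) = "Machine Name"
    $c.Cells.Item(1,2) = "Logon Account"
    $c.Cells.Item(1,3) = "Report Time Stamp"

    # Format the header row (the only used range at this point).
    $d = $c.UsedRange
    $d.Interior.ColorIndex = 19
    $d.Font.ColorIndex = 11
    $d.Font.Bold = $True
}

# Last row written on each sheet; row 1 is the header.
$worksheetOneRow = 1
$worksheetTwoRow = 1
$worksheetThreeRow = 1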

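# Accounts and groups that are expected in the local Administrators group. The membership
# loop below leaves entries that match one of these names out of the report, on every
# workstation. Keep the list short and specific to your environment: anything listed here
# is never flagged.
$filter = "Administrator",
    "Domain Admins",
    "Enterprise Admins",
    "crmadmin",
    "EXService",
    "RTCDomainServerAdmins",
    "SymBEServices",
    "Backup",
    "BackupExec"

# Names of all computer accounts whose OS name does not contain "server".
# -SizeLimit 0 lifts the Quest cmdlets' default result cap, so that a large domain is not
# audited only in part.
$computers = Get-QADComputer -SizeLimit 0 |
    Where-Object { $_.OSName -notmatch "server" } |
    ForEach-Object { $_.Name }

# Local group whose membership is audited on each workstation.
$group = "Administrators"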

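# Audit loop: for every workstation, ping it, read the members of the local $group over
# the WinNT ADSI provider, and record the result on one of the three sheets:
#   sheet 1 - members that are not on the $filter allow-list
#   sheet 2 - machines whose members are all on the allow-list
#   sheet 3 - machines that could not be checked (no ping reply, or the query failed)
#
# A machine on sheet 3 is unaudited, not clean. A host that drops ICMP is listed there
# even when it is online.
#
# Requires PowerShell 2.0 or later (try/catch).
foreach ($computer in $computers)
{
    $ping = New-Object System.Net.NetworkInformation.Ping

    # Start from a clean value so a failed Send() cannot reuse the previous machine's reply.
    $Reply = $null
    try
    {
        $Reply = $ping.Send($computer)
    }
    catch
    {
        # Send() throws, for example, when the name does not resolve; treat as not pingable.
        $Reply = $null
    }

    if ($null -ne $Reply -and $Reply.Status -eq "success")
    {
        $users = $false
        $needHeader = $true
        $queryFailed = $false
        $queryError = ""
        $entries = @()

        # Read the complete member list first. If anything fails part-way, the machine is
        # reported as "not checked" instead of being judged on a partial or empty list.
        try
        {
            $g = [ADSI]("WinNT://$computer/$group,group")
            $userList = $g.psbase.Invoke("Members")
            foreach ($user in $userList)
            {
                $entries += $user.GetType().InvokeMember("AdsPath","GetProperty",$null,$user,$null)
            }
        }
        catch
        {
            $queryFailed = $true
            $queryError = $_.Exception.Message
        }

        if ($queryFailed)
        {
            # Reachable, but the membership could not be read (access denied, remote
            # administration blocked, ...). Never count such a machine as good.
            $worksheetThreeRow = $worksheetThreeRow + 1
            $c = $b.Worksheets.Item(3)
            $c.Cells.Item($worksheetThreeRow,1) = $computer.ToUpper()
            $c.Cells.Item($worksheetThreeRow,3) = Get-Date
            $c.Cells.Item($worksheetThreeRow,2).Interior.ColorIndex = 3
            $c.Cells.Item($worksheetThreeRow,2) = "Pingable - group query failed: $queryError"
        }
        else
        {
            foreach ($entry in $entries)
            {
                # Compare only the last path segment (the account or group name) and require
                # an exact, case-insensitive match. A substring or regex match on the whole
                # AdsPath would also hide "Backup2", or every member on a machine whose name
                # happens to contain "backup".
                # NOTE(review): the name alone does not tell a domain account from a local
                # account with the same name - confirm whether that distinction matters here.
                $accountName = $entry.Substring($entry.LastIndexOf("/") + 1)

                if ($filter -notcontains $accountName)
                {
                    if ($needHeader)
                    {
                        # First finding for this machine: write name and time stamp once.
                        $worksheetOneRow = $worksheetOneRow + 1
                        $c = $b.Worksheets.Item(1)
                        $c.Cells.Item($worksheetOneRow,1) = $computer.ToUpper()
                        $c.Cells.Item($worksheetOneRow,3) = Get-Date
                        $needHeader = $false
                    }
                    $c.Cells.Item($worksheetOneRow,2) = $entry
                    $worksheetOneRow = $worksheetOneRow + 1
                    $users = $true
                }
            }

            if (-not $users)
            {
                $worksheetTwoRow = $worksheetTwoRow + 1
                $c = $b.Worksheets.Item(2)
                $c.Cells.Item($worksheetTwoRow,1) = $computer.ToUpper()
                $c.Cells.Item($worksheetTwoRow,3) = Get-Date
                $c.Cells.Item($worksheetTwoRow,2).Interior.ColorIndex = 4
                $c.Cells.Item($worksheetTwoRow,2) = "No Invalid Users"
            }
        }

        # Drop per-machine state before the next iteration.
        $users = $false
        $g = ""
        $userList = ""
        $Reply = ""
    }
    else
    {
        $worksheetThreeRow = $worksheetThreeRow + 1
        $c = $b.Worksheets.Item(3)
        $c.Cells.Item($worksheetThreeRow,1) = $computer.ToUpper()
        $c.Cells.Item($worksheetThreeRow,3) = Get-Date
        $c.Cells.Item($worksheetThreeRow,2).Interior.ColorIndex = 3
        $c.Cells.Item($worksheetThreeRow,2) = "Not Pingable"
    }
}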

# Size every column on the three report sheets to fit its contents.
# The workbook is left open in Excel; this script does not save it.
foreach ($sheetIndex in 1, 2, 3)
{
    $c = $b.Worksheets.Item($sheetIndex)
    $d = $c.UsedRange
    $d.EntireColumn.AutoFit()
}

1 comment:

Kurt said...

All our user accounts begin with "US4", so here's my script to do the same thing:

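@echo off
REM Runs on each workstation: lists the members of the local Administrators group that
REM contain "us4" (the site's user-account prefix) and writes them to
REM <share>\<computername>.txt. A result that is identical to empty.dat (no match) is deleted
REM again, so only machines with a matching account leave a file behind.
REM
REM Caveats for whoever reads the results:
REM  - A missing file means either "no match" or "the script never ran on that machine".
REM  - Every machine writes to and deletes from the same share, so the reports are only
REM    as trustworthy as the permissions on that share.
SET "loc=\\PublicNetworkPath"

REM /I matches the prefix in any letter case (us4, US4, Us4, ...).
NET LOCALGROUP Administrators | findstr /I /C:"us4" > "%loc%\%computername%.txt"

REM fc sets errorlevel 0 when the two files are identical, i.e. when the result is empty.
fc "%loc%\%computername%.txt" "%loc%\empty.dat" > nul
if %errorlevel% == 0 del "%loc%\%computername%.txt"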
