Saturday, October 24, 2015

Powershell Add or Remove members from Remote Group Module

For this demo I am using two computers: one running Windows 2012 R2 and another running Windows 7. From the Windows 2012 R2 machine I will execute all the commands remotely. Both commands use the ADSI API to do the addition or removal. For more examples, run Get-Help CMDLET -full.

Why did I write this article or script?
Earlier I wrote an article on how to add users to a group using Group Policy. That is not easy if you want to add users or groups on only certain computers; you can do it by creating an OU, but inventory is still not possible that way.

In an earlier article I showed how to get this information remotely using the Get-GroupMembers cmdlet, and I showed a CSV file containing the data.
Let's say we now have the data, and the next thing you want is to remove members remotely. The Remove-GroupMember cmdlet is handy for this. For the demo I will be removing the vcloud\Devil user from the "Remote Desktop Users" group.
Simply run the command below in PowerShell. (To see how to load the module, check my previous article, Get-GroupMembers.)

Get-GroupMembers -ComputerName -RemoteGroups "Remote Desktop Users"

vKunal is a user in the vCloud domain (vcloud\vkunal).
Remove-GroupMember -ComputerName -RemoteGroup "Remote Desktop Users" -Domain vcloud -User vkunal

(Tip: Run Get-Help Remove-GroupMember for additional help.)

It detects when a machine is not reachable and will not go on to check that server, and it shows a message if some parameters are incorrect. You can verify the group members by running Get-GroupMembers again.

Just as Remove-GroupMember is a handy command for removing a member remotely, Add-GroupMember has its own magic. Many times we get requests to add users or groups to a group on multiple servers. Earlier I removed vcloud\vkunal from Remote Desktop Users; now I will be using the user vCloud\Devil and the group vCloud\DemoGroup.

Here is the Demo.

Add-GroupMember -ComputerName -RemoteGroup "Remote Desktop Users" -Domain vCloud -User Devil

Add-GroupMember -ComputerName -RemoteGroup "Remote Desktop Users" -Domain vCloud -User DemoGroup

The two computers may not be in the same domain; in that case you can use the -Credential (Get-Credential) parameter. It can be used with all the cmdlets: Add-GroupMember, Remove-GroupMember and Get-GroupMembers.

Next is verification using Get-GroupMembers. 2 Members are listed.
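
The ADSI add and remove calls described above, as an added example that is not the GroupMembers module's own code. The function name Set-RemoteGroupMembership and the host name SERVER01 are hypothetical, and the call runs under the caller's current credentials.

```powershell
# Added example, not the GroupMembers module's source.
# Set-RemoteGroupMembership is a hypothetical name used only here.
function Set-RemoteGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string]$RemoteGroup,
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$User,
        [Parameter(Mandatory = $true)][ValidateSet('Add', 'Remove')][string]$Action
    )
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ Computer = $computer; Group = $RemoteGroup
                           Member = "$Domain\$User"; Action = $Action; Result = $null }
        # Skip hosts that do not answer a ping instead of waiting on ADSI.
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            $row.Result = 'Unreachable'
        }
        elseif ($PSCmdlet.ShouldProcess("$computer\$RemoteGroup", "$Action $Domain\$User")) {
            try {
                # WinNT provider path of the local group on the remote machine.
                $group = [ADSI]"WinNT://$computer/$RemoteGroup,group"
                # Domain users and domain groups are addressed the same way.
                $member = "WinNT://$Domain/$User"
                if ($Action -eq 'Add') { $group.Add($member) } else { $group.Remove($member) }
                $row.Result = 'OK'
            }
            catch {
                # For example: access denied, unknown group, already a member.
                $row.Result = $_.Exception.Message
            }
        }
        else { $row.Result = 'Skipped (WhatIf)' }
        [pscustomobject]$row
    }
}

# Dry run against a constructed host name; drop -WhatIf to apply the change.
Set-RemoteGroupMembership -ComputerName 'SERVER01' -RemoteGroup 'Remote Desktop Users' `
    -Domain 'vCloud' -User 'DemoGroup' -Action Add -WhatIf
```

Each call returns one row per computer, so the output can be piped to Export-Csv as a change record.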
Other useful Scripts
Get members from Remote Groups
List account configured on logon of Windows Service - Powershell

Powershell Module Get members from Remote Groups

Keeping servers compliant is a very challenging task when it comes to maintaining the Administrators group or other privileges on the servers. Many times we apply changes on servers and assign admin rights by adding user accounts to the local Administrators group or to another group, for example the Remote Desktop group, which we are not supposed to do, and then forget about it. When audit days come we do repetitive manual tasks: log on to each server, pull reports, validate, and so on.

Many times user accounts and groups are added through a change management process or ticketing tool, and sometimes those tools do not help to track or list what permissions those users have on the servers, or when we can revoke them. This matters especially when you are going for a company ISO certification, where this is one of the conditions to comply with. (I might be talking about some high-level stuff regarding compliance, but I have seen people struggling with these small things and spending a long time to nail them, and still at the end of the day some servers are missed or there is a human mistake.)

Here PowerShell comes to the rescue. I have written a simple module that collects which members (users or groups) are in the Administrators group, or any other group, on a remote server. Under the hood it uses WMI to get the information; for addition and removal it uses ADSI. You can manage the complete lifecycle of group membership with this module.
This module can be downloaded from here. I am using Windows 2012 R2 and Windows 7 and 8.1 in my production environment, and wrote these scripts using PowerShell version 4. For the Add-GroupMember and Remove-GroupMember commands, see the article Powershell add or remove-members from Remote Group.

There are two files in the zip file. Unzip them and keep them under %Userprofile%\documents\WindowsPowerShell\Modules\GroupMembers, as shown in the screenshot.
Open PowerShell with Run as administrator. By default I was not able to execute any script, so to change that behavior I set my script execution mode to bypass using the command below. (You can skip this if you can already execute scripts.)

Set-ExecutionPolicy Bypass

Next is Import-Module GroupMembers, which loads 3 commands into PowerShell memory.
The 3 cmdlets are:
  1. Get-GroupMembers
  2. Add-GroupMember
  3. Remove-GroupMember
(Tip: Even if you don't import the module, executing any of the above commands loads it automatically in PowerShell version 4 and above.)

The first demo is for the command Get-GroupMembers, which uses WMI to get all the information.

Get-GroupMembers -ComputerName, -RemoteGroups Administrators, "Remote Desktop Users"

Below is how the results look.
In the next demo I get the information from AD computers and export it to a CSV/Excel file. I have also created a log file for failed computers.

Get-ADComputer -Filter * | Get-GroupMembers -RemoteGroups Administrators -Logfile c:\temp\failed.txt | export-csv c:\temp\Mylist.csv

There are 2 files created under c:\temp: failed.txt lists the computers from which results could not be retrieved, and mylist.csv has the data.
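
For the audit use case, the WMI membership lookup can be paired with an approved-members list so that only unexpected accounts are reported. This is an added example, not the module's own code: the function names, the host SERVER01, the EXAMPLE domain and the sample member paths are constructed for illustration.

```powershell
# Added example, not the GroupMembers module's source; function names are hypothetical.
function ConvertFrom-PartComponent {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Win32_GroupUser reports each member as a WMI object path, e.g.
    # \\HOST\root\cimv2:Win32_UserAccount.Domain="DOM",Name="user"
    if ($Path -match 'Win32_(?<Type>\w+)\.Domain="(?<Domain>[^"]+)",Name="(?<Name>[^"]+)"') {
        [pscustomobject]@{ Type    = $Matches['Type']
                           Account = "$($Matches['Domain'])\$($Matches['Name'])" }
    }
}

function Get-GroupDrift {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$RemoteGroup,
        [Parameter(Mandatory = $true)][string[]]$Approved,
        [string[]]$MemberPath   # pre-collected paths; when omitted, WMI is queried
    )
    if (-not $MemberPath) {
        # Resolve the local group first so the association filter uses the
        # exact Domain value WMI reports for it.
        $g = Get-WmiObject -Class Win32_Group -ComputerName $ComputerName `
                 -Filter "LocalAccount=True AND Name='$RemoteGroup'" -ErrorAction Stop
        if (-not $g) { throw "Group '$RemoteGroup' not found on $ComputerName" }
        $filter = "GroupComponent=""Win32_Group.Domain='$($g.Domain)',Name='$($g.Name)'"""
        $MemberPath = Get-WmiObject -Class Win32_GroupUser -ComputerName $ComputerName `
                          -Filter $filter -ErrorAction Stop | ForEach-Object { $_.PartComponent }
    }
    foreach ($path in $MemberPath) {
        $m = ConvertFrom-PartComponent -Path $path
        # -notcontains compares case-insensitively, like Windows account names.
        if ($m -and ($Approved -notcontains $m.Account)) {
            [pscustomobject]@{ Computer = $ComputerName; Group = $RemoteGroup
                               Type = $m.Type; Unapproved = $m.Account }
        }
    }
}

# Constructed member paths (not real output) so the comparison runs offline.
$sample = @(
    '\\SERVER01\root\cimv2:Win32_UserAccount.Domain="SERVER01",Name="Administrator"',
    '\\SERVER01\root\cimv2:Win32_Group.Domain="EXAMPLE",Name="Domain Admins"',
    '\\SERVER01\root\cimv2:Win32_UserAccount.Domain="EXAMPLE",Name="tempadmin"'
)
Get-GroupDrift -ComputerName 'SERVER01' -RemoteGroup 'Administrators' -MemberPath $sample `
    -Approved 'SERVER01\Administrator', 'EXAMPLE\Domain Admins'
```

Omitting -MemberPath makes the function query the named computer over WMI instead of using the sample paths.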
In the next article I will write about how to use the Add-GroupMember and Remove-GroupMember commands.

Other useful Scripts

List account configured on logon of Windows Service - Powershell