Saturday, October 24, 2015

Powershell Module Get members from Remote Groups

Keeping servers compliant is very challenging task when it comes to maintaining Administrators group or other privileges on the servers, Many times we apply changes on the servers, assign admin rights by adding User accounts in local server Administrators group or any other Groups example Remote Desktop Group which we are not suppose to do, and forget. When auditing days comes we do repetitive manual task, log onto each server pull reports, validate, and goes on...

Many times user account groups are added through some change management process or ticketing tool, some time those tools doesn't help to track or list what those users permissions are on the servers, or when we can revoke them, Specially when you want to go for some company ISO certification this is one of the condition to comply with. (I might be talking some high level stuff regarding compliance but I have seen people struggling with these small stuffs, and spent long time to nailed it but still end of the day some servers are still missing or due to human mistake)

Here PowerShell comes to rescue. I have written a simple module which can collect information whats members (users or Groups) are in Administrators Group on Remote Server, or any other group, Under the hood it uses WMI to get information. for addition and removal it uses ADSI., You can keep complete lifecycle of Group membership with this module.
This module can be downloaded from here. I am using Windows 2012 R2 and windows 7 and 8.1 in my production, and written these scripts using Powershell version 4. To use commands Add-GroupMember and Remove-GroupMember this is the Article Powershell add or remove-members from Remote Group.

There are two files in the zip file, unzip them and keep it under your %Userprofile%\documents\WindowsPowerShell\Modules\GroupMembers as shown in the screenshot.
Open Powershell with Run as administrator, By default I was not able to execute any script, so to change the behavior I set my script execution mode to bypass using below command (You can ignore if you can already execute script)

Set-ExecutionPolicy Bypass

Next is Import-Module GroupMembers, it will load 3 commands in the powershell memory.
3 Cmdlets are
  1. Get-GroupMembers
  2. Add-GroupMember
  3. Remove-GroupMember
(Tip: Even if you don't import module, when you execute any of above command, it will automatically, load module in Powershell 4 and above version.)

First demo I will be showing for command Get-GroupMember, it uses WMI to get all the information.

Get-GroupMembers -ComputerName, -RemoteGroups Administrators, "Remote Desktop Users", Below is the results how they look.
Now in the below demo I will get information from AD computers and export it to CSV/Excel file. Also I have created log file for failed computers.

Get-ADComputer -Filter * | Get-GroupMembers -RemoteGroups Administrators -Logfile c:\temp\failed.txt | export-csv c:\temp\Mylist.csv

There are 2 files created under c:\temp, failed.exe contains, unable to get results, and mylist.csv file has the data.
In the next article I will be writing how to use Add-GroupMember and Remove-GroupMember commands.

Other useful Scripts

List account configuredon logon of Windows Service - Powershell

Post a Comment