How can I combine 2 get-ADComputer queries in 1

BMBM83 0 Reputation points
2024-06-27T02:44:50.9366667+00:00

Can someone please help me?

I am trying to find computers that match these criteria (see the screenshot, Screenshot 2024-06-26 085801.png).

Right now I have 2 queries:

  1. Find all enabled computers:

     $allEnabledComputers = Get-ADComputer -Filter "Enabled -eq 'True'" | Select-Object -ExpandProperty Name

  2. For each computer, check whether its WriteAccountRestrictions is in Allow mode for any of the 'Everyone' / 'Domain Users' / 'Users' groups (see screenshot please):

     $writeAllowEnabledlist = (Get-ADComputer -Filter 'Name -like $eachComputername' -Properties nTSecurityDescriptor | select -ExpandProperty nTSecurityDescriptor).access |
         Where-Object { $_.ObjectType -eq '4c164200-20c0-11d0-a768-00aa006e0529' -and $_.ActiveDirectoryRights -eq 'WriteProperty' -and
             ($_.IdentityReference -eq 'myDomain\Domain Users' -or $_.IdentityReference -eq 'BUILTIN\Users' -or $_.IdentityReference -eq 'Everyone') -and $_.AccessControlType -eq 'Allow' }

  3. Then:

     if ($writeAllowEnabledlist -ne $null) {
         echo $eachComputername
     }

Can someone please help me with a simplified single query, as I could not, for the life of me, join 1 and 2 above.


2 answers

  1. josh morrish 0 Reputation points
    2024-06-27T03:39:44.3866667+00:00

    Due to the nature of the operations, it’s not straightforward to combine these into a single query. The checking of WriteAccountRestrictions is dependent on the results of the first query (list of all enabled computers).

    Here’s a way to write it as a single script that performs both operations:

    # Get all enabled computers
    $allEnabledComputers = Get-ADComputer -Filter "Enabled -eq 'True'" | Select-Object -ExpandProperty Name

    # GUID of the User-Account-Restrictions property set: the ObjectType of the ACE being looked for
    $userAccountRestrictionsGuid = '4c164200-20c0-11d0-a768-00aa006e0529'
    # IdentityReference is rendered as DOMAIN\Name, so the domain's NetBIOS name is needed for 'Domain Users'
    $domainNetBios = (Get-ADDomain).NetBIOSName
    $broadPrincipals = 'Everyone', "$domainNetBios\Domain Users", 'BUILTIN\Users'

    # Initialize an empty array to hold computers with allowed WriteAccountRestrictions
    $writeAllowEnabledList = @()

    # Check each computer
    foreach ($eachComputername in $allEnabledComputers) {
        # Get the computer's security descriptor (one more AD round trip per computer)
        $securityDescriptor = (Get-ADComputer -Identity $eachComputername -Properties nTSecurityDescriptor |
            Select-Object -ExpandProperty nTSecurityDescriptor).Access

        # Check if 'Everyone', 'Domain Users', or 'Users' have an Allow ACE granting WriteProperty on the property set
        # (-band rather than -eq, because one ACE can carry several rights, e.g. "ReadProperty, WriteProperty")
        $matchingAces = $securityDescriptor | Where-Object {
            $_.ObjectType -eq $userAccountRestrictionsGuid -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
            $_.AccessControlType -eq 'Allow' -and
            ([string]$_.IdentityReference -in $broadPrincipals)
        }
        if ($matchingAces) {
            # If so, add the computer to the list
            $writeAllowEnabledList += $eachComputername
        }
    }

    # Output the list of computers with allowed WriteAccountRestrictions
    $writeAllowEnabledList


  2. Rich Matheisen 45,831 Reputation points
    2024-06-27T18:59:51.69+00:00

    Riffing on the answer by @josh morrish, here's another way to do this and only get the information from the AD once. It also exports the information about the computers that satisfy the conditions to a CSV file with just one row per computer.

    $CsvFilePath = "c:\junk\InterestingComputers.csv"
    # The ACE being looked for: Allow, WriteProperty, scoped to the User-Account-Restrictions property set
    $UserAccountRestrictionsGuid = '4c164200-20c0-11d0-a768-00aa006e0529'
    # IdentityReference is rendered as DOMAIN\Name; map the interesting principals to the CSV column names
    $DomainNetBios = (Get-ADDomain).NetBIOSName
    $Who = @{ 'Everyone' = 'Everyone'; "$DomainNetBios\Domain Users" = 'Domain Users'; 'BUILTIN\Users' = 'Users' }
    # Check each computer (one AD query for all of them; the security descriptor comes back with each object)
    Get-ADComputer -Filter "Enabled -eq 'True'" -Properties nTSecurityDescriptor |
        ForEach-Object {
            $ShouldWrite = $false               # not every active computer will be written to the output
            # a fresh row for this computer ([ordered] so the CSV columns keep this order)
            $SDInfo = [ordered]@{ ComputerName = $_.Name; Everyone = ''; 'Domain Users' = ''; Users = '' }
            # Check if 'Everyone', 'Domain Users', or 'Users' have Allow WriteProperty on the property set
            $securityDescriptor = ($_ | Select-Object -ExpandProperty nTSecurityDescriptor).Access
            foreach ($sd in $securityDescriptor) {
                if ($sd.AccessControlType -eq 'Allow' -and
                    $sd.ObjectType -eq $UserAccountRestrictionsGuid -and
                    (($sd.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)) {
                    $Principal = [string]$sd.IdentityReference
                    if ($Who.ContainsKey($Principal)) {
                        $SDInfo[$Who[$Principal]] = "Y"
                        $ShouldWrite = $true    # there's at least one condition satisfied, so export the info
                    }
                }
            }
            if ($ShouldWrite) {                 # only computers that satisfy the condition(s) will be exported
                [PSCustomObject]$SDInfo
            }
        } | Export-Csv -NoTypeInformation -Path $CsvFilePath
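The ACE test that both answers build on, factored into a function that can be exercised offline against constructed ACE objects before it is pointed at a real domain (an added example, not code from either answer). It uses the User-Account-Restrictions property-set GUID quoted in the question and goes slightly beyond the question's check by also accepting an ACE with an empty ObjectType, which grants WriteProperty on all of the object's properties; `$DomainNetBios = 'myDomain'`, the function name and the sample ACEs are assumptions.

```powershell
$UserAccountRestrictionsGuid = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
$DomainNetBios = 'myDomain'   # assumed placeholder; against a real domain use (Get-ADDomain).NetBIOSName

# Maps the principals of interest (as IdentityReference renders them) to a short column name
$BroadPrincipals = @{
    'Everyone'                    = 'Everyone'
    "$DomainNetBios\Domain Users" = 'Domain Users'
    'BUILTIN\Users'               = 'Users'
}

function Get-BroadWriteAccountRestrictions {
    # Returns the column names of broad principals holding an Allow ACE that grants WriteProperty
    # on the User-Account-Restrictions property set (or on all properties); empty array if none.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Aces)
    $hits = foreach ($ace in $Aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ObjectType scopes the ACE to one property set; an empty GUID means "all properties"
        $objectType = [guid]$ace.ObjectType
        if ($objectType -ne $UserAccountRestrictionsGuid -and $objectType -ne [guid]::Empty) { continue }
        # ActiveDirectoryRights is a flags enum: test the bit, because -eq misses "ReadProperty, WriteProperty"
        $rights = [System.DirectoryServices.ActiveDirectoryRights]$ace.ActiveDirectoryRights
        if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -eq 0) { continue }
        $principal = [string]$ace.IdentityReference
        if ($BroadPrincipals.ContainsKey($principal)) { $BroadPrincipals[$principal] }
    }
    return @($hits | Sort-Object -Unique)
}

# Constructed ACEs standing in for (Get-ADComputer ... -Properties nTSecurityDescriptor).nTSecurityDescriptor.Access
$sampleAces = @(
    [PSCustomObject]@{ IdentityReference = "$DomainNetBios\Domain Users"; ActiveDirectoryRights = 'ReadProperty, WriteProperty'
                       ObjectType = $UserAccountRestrictionsGuid; AccessControlType = 'Allow' }   # combined rights: a hit
    [PSCustomObject]@{ IdentityReference = 'BUILTIN\Users'; ActiveDirectoryRights = 'WriteProperty'
                       ObjectType = $UserAccountRestrictionsGuid; AccessControlType = 'Deny' }    # Deny, so ignored
    [PSCustomObject]@{ IdentityReference = 'Everyone'; ActiveDirectoryRights = 'ReadProperty'
                       ObjectType = $UserAccountRestrictionsGuid; AccessControlType = 'Allow' }   # read only, ignored
)
Get-BroadWriteAccountRestrictions -Aces $sampleAces
```

Against a live domain, call the function with `$computer.nTSecurityDescriptor.Access` for each enabled computer and report those for which it returns a non-empty array.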