PowerShell to Find Where Your Active Directory Groups Are Used On servers

Farley, Curtis G 1 Reputation point

I'm looking for a script to scan all the servers in an OU for a specific AD group. We get requests like this from time to time and we really have no way/tool to pull this information.

I'm NOT looking for anything user related - I have scripts to get users in groups, add users to groups, remove users from groups, etc. Strictly looking to obtain a list of servers where a specific AD group is in the local admin group - again can either use a list or (probably easier) scan an OU.

Windows Server PowerShell

2 answers

  1. Rich Matheisen 44,086 Reputation points

    Something like this should do it:

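    # Group (or account) names to look for in each server's local Administrators group
    $Accounts = 'ralph','george','melvin'
    # -ComputerName needs plain host names, so take the Name property of each computer object
    $computers = (Get-ADComputer -Filter * -SearchBase 'YourOuDistinguishedNameGoesHere').Name
    Get-WmiObject win32_groupuser -ComputerName $computers |
        Where-Object {$_.groupcomponent -like '*"Administrators"'} |
            ForEach-Object {
                # Pull the member's domain and name out of the PartComponent path
                $_.partcomponent -match ".+Domain\=(.+)\,Name\=(.+)$" > $null
                $Name   = $matches[2].Trim('"')
                if ($Accounts -contains $Name){
                    [PSCustomObject]@{
                        ComputerName = $_.PSComputerName
                        Domain = $matches[1].Trim('"')
                        Name   = $Name
                    }
                }
            }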

  2. Farley, Curtis G 1 Reputation point

    Thanks Rich. I have a question though - I follow the script up until the "foreach-object" - but then lose it. What does that part of the script do exactly?
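
What the ForEach-Object stage of the script above does, run offline against constructed Win32_GroupUser rows. This is an added example, not part of the original thread; the function name `Find-AdminGroupMember`, the sample servers and the CONTOSO domain are assumptions, and it goes slightly beyond the answer by also reporting the member's WMI class so a group is not confused with a same-named user or local account.

```powershell
# Constructed rows shaped like Win32_GroupUser output (hosts, domain and names are made up).
$sample = @(
    [PSCustomObject]@{ PSComputerName = 'SRV01'
        GroupComponent = '\\SRV01\root\cimv2:Win32_Group.Domain="SRV01",Name="Administrators"'
        PartComponent  = '\\SRV01\root\cimv2:Win32_Group.Domain="CONTOSO",Name="melvin"' }
    [PSCustomObject]@{ PSComputerName = 'SRV01'
        GroupComponent = '\\SRV01\root\cimv2:Win32_Group.Domain="SRV01",Name="Remote Desktop Users"'
        PartComponent  = '\\SRV01\root\cimv2:Win32_Group.Domain="CONTOSO",Name="melvin"' }
    [PSCustomObject]@{ PSComputerName = 'SRV02'
        GroupComponent = '\\SRV02\root\cimv2:Win32_Group.Domain="SRV02",Name="Administrators"'
        PartComponent  = '\\SRV02\root\cimv2:Win32_UserAccount.Domain="SRV02",Name="ralph"' }
    [PSCustomObject]@{ PSComputerName = 'SRV02'
        GroupComponent = '\\SRV02\root\cimv2:Win32_Group.Domain="SRV02",Name="Administrators"'
        PartComponent  = '\\SRV02\root\cimv2:Win32_Group.Domain="CONTOSO",Name="Domain Admins"' }
)

function Find-AdminGroupMember {
    param(
        [Parameter(Mandatory)] [object[]] $GroupUser,  # rows with Group/PartComponent
        [Parameter(Mandatory)] [string[]] $Accounts    # names to look for
    )
    foreach ($row in $GroupUser) {
        # Same filter as the Where-Object stage: only the local Administrators group.
        if ($row.GroupComponent -notlike '*"Administrators"') { continue }

        # PartComponent is a WMI path: <class>.Domain="<domain>",Name="<member>"
        $pattern = ':Win32_(?<class>\w+)\.Domain="(?<domain>[^"]+)",Name="(?<name>[^"]+)"$'
        if ($row.PartComponent -notmatch $pattern) { continue }  # skip rows that do not parse

        if ($Accounts -contains $Matches['name']) {
            [PSCustomObject]@{
                ComputerName = $row.PSComputerName
                Domain       = $Matches['domain']
                Name         = $Matches['name']
                MemberType   = $Matches['class']   # Group, UserAccount or SystemAccount
                # A member whose domain equals the host name is a local account, not an AD one.
                IsLocal      = $Matches['domain'] -eq $row.PSComputerName
            }
        }
    }
}

Find-AdminGroupMember -GroupUser $sample -Accounts 'ralph','george','melvin' |
    Format-Table -AutoSize
```

To list only AD groups, filter the result on `MemberType -eq 'Group'` and `-not IsLocal`.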