PowerShell to Find Where Your Active Directory Groups Are Used On servers

Farley, Curtis G 1 Reputation point
2021-11-19T18:28:08.947+00:00

I'm looking for a script to scan all the servers in an OU for a specific AD group. We get requests like this from time to time and we really have no way/tool to pull this information.

I'm NOT looking for anything user related - I have scripts to get users in groups, add users to groups, remove users from groups, etc. Strictly looking to obtain a list of servers where a specific AD group is in the local admin group - again can either use a list or a (probably easier) scan an OU.

Windows Server PowerShell

2 answers

  1. Rich Matheisen 44,086 Reputation points
    2021-11-19T19:39:58.037+00:00

    Something like this should do it:

    $Accounts = 'ralph','george','melvin'
    # Get-WmiObject -ComputerName needs computer names, not ADComputer objects
    $computers = Get-ADComputer -Filter * -SearchBase YourOuDistinguishedNameGoesHere |
        Select-Object -ExpandProperty Name
    Get-WmiObject win32_groupuser -ComputerName $computers |
        Where-Object {$_.groupcomponent -like '*"Administrators"'} |
            ForEach-Object{
                # partcomponent looks like ...:Win32_UserAccount.Domain="DOM",Name="ralph"
                # -match fills $matches with the captured Domain and Name; drop its True/False result
                $null = $_.partcomponent -match ".+Domain\=(.+)\,Name\=(.+)$"
                $Name   = $matches[2].Trim('"')
                if ($Accounts -contains $Name){
                    [PSCustomObject]@{
                        ComputerName = $_.PSComputerName
                        Domain = $matches[1].Trim('"')
                        Name   = $Name
                    }
                }
            }
    
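An added example (not code from Rich's answer or the original thread) that takes the same approach but looks up the local Administrators group by its well-known SID, so renamed or localized groups are still found, and reports unreachable servers instead of silently dropping them. It assumes the RSAT ActiveDirectory module and WinRM access to the targets; the OU distinguished name and the DOMAIN\Group value are placeholders.

```powershell
# Report which servers in an OU have a given domain group in local Administrators.
# Placeholders: replace the OU distinguished name and the DOMAIN\Group to look for.
$SearchBase  = 'OU=Servers,DC=example,DC=com'
$TargetGroup = 'EXAMPLE\ServerAdmins'
$Domain, $GroupName = $TargetGroup -split '\\', 2

# Get-CimInstance wants plain computer names, not ADComputer objects
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name

foreach ($computer in $computers) {
    $cimSession = $null
    try {
        $cimSession = New-CimSession -ComputerName $computer -ErrorAction Stop

        # Find the built-in Administrators group by its well-known SID (S-1-5-32-544)
        # rather than by name, so the check is not fooled by a renamed or localized group
        $admins = Get-CimInstance -CimSession $cimSession -ClassName Win32_Group `
            -Filter "LocalAccount = TRUE AND SID = 'S-1-5-32-544'"

        # Win32_GroupUser associates the group with every member, users and groups alike
        $members = Get-CimAssociatedInstance -CimSession $cimSession -InputObject $admins `
            -Association Win32_GroupUser

        # Compare domain and name separately; -eq is case-insensitive in PowerShell
        $hit = $members | Where-Object { $_.Domain -eq $Domain -and $_.Name -eq $GroupName }

        [PSCustomObject]@{
            ComputerName = $computer
            HasGroup     = [bool]$hit
            Error        = $null
        }
    } catch {
        # Keep unreachable or access-denied servers in the report so the gap is visible
        [PSCustomObject]@{
            ComputerName = $computer
            HasGroup     = $null
            Error        = $_.Exception.Message
        }
    } finally {
        if ($cimSession) { Remove-CimSession $cimSession }
    }
}
```

Pipe the output to Export-Csv for a record, or filter on HasGroup -eq $true to get only the servers where the group was found; rows with a non-empty Error column are the servers that still need checking.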

  2. Farley, Curtis G 1 Reputation point
    2021-12-03T15:29:34.91+00:00

    Thanks Rich. I have a question though - I follow the script up until the "foreach-object" - but then lose it. What does that part of the script do exactly?