Need to Query Local Admin Group

Similar Messages

• List users in local admin group on all workstations

  Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issues when the computer responded but dns was incorrect for
  that pc so i would get a false list of local admin members on that workstation. I changed to a wmi query instead and queried the system name using that so If the system name matched the workstation name being queried then write it is supposed to write to a
  csv. For some reason, when i use $wmi.name as the variable, it does not work. What am i missing?
      $CurrentDate = Get-Date
      $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
      import-module activedirectory
       $servers= get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
       $output = "c:\temp\local admin audit $CurrentDate.csv"
       $results = @()
       $servers | ForEach-Object{
      $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
      $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
      $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
      $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
      $group =[ADSI]"WinNT://$_/Administrators,group"
      $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_,   $null) }
      if($wmi)
         New-Object PSObject -Property @{
             DistinguishedName = (Get-ADComputer $_).DistinguishedName
             Server = $_
             Members = $members -join ";"
      } | Export-Csv $Output -NoTypeInformation

  I agree use GP it is more reliable and easier to manage.
  For the sake of demonstration of how this can be don here is how most of us would be likely todo this or a very close variation.
  There is no issue with using Test-Connection and DNS.  AD/DNS cannot have the wrong names or your domain would crash.  Using Get-AdCOmputer instead of a file eliminates stale information.
  $csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
  import-module activedirectory
  #adjust Filter as needed
  $adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
  Get-AdComputer -Filter $adfilter |
  ForEach-Object{
  $props=@{
  Server=$_.Name
  IsAlive=$false
  DistinguishedName=$_.DistinguishedName
  Members=$null
  if(Test-Connection $_.Name -Count 1 -Quiet){
  $props.IsAlive=$true
  $group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
  $members=$group.Members() |
  ForEach-Object{
  $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
  $props.Members=$members -join ";"
  New-Object PSObject -Property $props
  } |
  Export-Csv $csvfile -NoTypeInformation
  Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
  ¯\_(ツ)_/¯

• DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

  On client computers that are protected by DPM 2010 and prior versions, you had to put the end users account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening
  the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the
  backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
  Ths fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
  This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
  One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable
  practice.
  Is there a new hotfix for the same issue on DPM 2012? I am hesitated to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not appicable for version 2012.
  Please help.
  Thanks,

  This is a hands off solution to allow all users that use a machine to be able to restore their own files.
  1) Make these two cmd files and save them in c:\temp
  2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
  <addperms.cmd>
  Cmd.exe /v /c c:\temp\addreg.cmd
  <addreg.cmd>
  set users=
  echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
  echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
  FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
  echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
  REG IMPORT c:\temp\perms.reg
  Del c:\temp\perms.reg
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This
  posting is provided "AS IS" with no warranties, and confers no rights.
  That's a good one! Thanks for that.
  I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
  ========================================================================
  $RC=setoption("WOW64AlternateRegView","on") 
  $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
  $uservariable = "%userdomain%\%username%"
  If KeyExist ($DPMkey)
  $Userstring=ReadValue($DPMkey, "ClientOwners")
  If $Userstring == ""
  WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
  ? "Key created"
  else
  If not instr($Userstring,$uservariable)
  $Userstring = "$Userstring,$uservariable"
  WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
  EndIf
  Endif
  EndIf
  ==========================================================================
  The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
  In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
  =========================================================
  $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
  =========================================================
  The only problem with that, is that key gets created/updated only if user gets logged phisically on that PC, but will not work for anyone connecting through RDP.

• Is it possible to disallow RDP for one member of local admins group?

  Hello:
  I have an application server which has a service account that is in the local admins group. Is it possible to disallow only that particular service account from being able to RDP into the server? Server is Windows Server 2003 SP2. Basically, I'm trying to
  bypass this: Members of the local Administrators group can connect even if they are not listed. I understand that anyone using the service account could undo any restrictions I make, so what I'm trying to do would just be
  a deterrent. I cannot disable RDP altogether since our regular sys admins need to be able to RDP into the server. Thank you.

  What if you specified the user and denied them rights to RDP to the server.  A deny overrides every other permission, and if you can do this, then only that one user would not be able to RDP into the server, but other admins would be able to. 

• Can not add Domain User to Local Admin Group Win8.1

  Hello, 
  I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to
  type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary
  DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on
  but 90% of them it won't allow me to add the local user to the local admin group. 
  DCs are running Win Server 2008 R2 Enterprise. 
  Any help would be greatly appreciated. 
  Thank You

  I would suggest you to use Restricted Group(via GPO) to add domain users/group to a local admins group 
  1)Create a new group in Active Driectory
  Create a new group in Active Driectory that you wish to add to every workstations local administrator group. DO NOT add any users to this group at this time.
  2.
  Create a new GPO
  Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that the WORKSTATIONS you are wanting to give users local administrative rights over.
  3.
  Edit the newly created GPO
  Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings --> Restricted Groups
  4.
  Add your new Active Directory group to the Restricted Group
  Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
  5.
  Add the Restricted Group to the local administrator group
  In the Restricted Group Properties windows click "Add" under the section titled "This group is a member of:" Type "Administrators" (without the quotes and yes it is plural), in the Group Membership window and click "OK"
  6.
  Wait for GPO updates to apply to the workstations
  Once your users receive their updated group policy settings every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation,
  run "gpupdate /force" in a command window on that workstation.
  7.
  Add a user or group of users to the Active Directory Restricted Group
  When you are ready, or in a position where you need to provide local workstation admin rights you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management
  Console.

• Local admin vs user placed in local admin group

  what are the differences between the built-in and the user placed in the admin local group
  .  I noticed when installing Cisco's AnyConnect 3.x client as a user who has been elevated to the local admin group  that when the install is complete the settings only apply to the specific user used during the install as opposed to when the built-in
  admin (I am aware of the option for this) ...my question is  are there any window applications that require well known security identifiers (sid).
  or
  simply put what are the differences between the built-in and the user placed in the admin local group..I experienced differences and wanted to know where I can get more information

  Hi,
  Their are some subtle differences. The built-in administrator account SID is well known forprogramming logic by 3rd parties.
  For the built-in admin, UAC is disabled by default. That means that the built-in admin never requires elevation. But, as we all know, UAC can be turned off by the user so even when an admin user launches a program, he will be elevated automatically.
  The built-in admin account cant be deleted (though it can be disabled).
  Karen Hu
  TechNet Community Support

• Powershell add group to local admin group

  how do I remotely use powershell to add a domain group to the local admin group on a machine?
  thanks

  When using above, I got:
  [DBG]: PS C:\>> $remoteComputer = 'xxx.xxx.xxx.xxx'
  [DBG]: PS C:\>> $groupname = 'Admin-Group'
  [DBG]: PS C:\>> $fqdn = 'subdomain.domain.com'
  [DBG]: PS C:\>> ([ADSI]"WinNT://$remoteComputer/Administrators,group").Add("WinNT://$fqdn/$groupName"):
  Exception calling "Add" with "1" argument(s): "Access is denied.
  At line:1 char:1
  + ([ADSI]"WinNT://$remoteComputer/Administrators,group").Add("WinNT://$fqdn/$group ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
  I am wondering how $remoteComputer authenticate?

• Service accounts adding to Local admin group

  Hello Everyone,
  What are the risks with adding SharePoint service application service accounts to local admin group.
  I see in many Microsoft blogs not to use farm account to create service application and better to use dedicated service account but i didn't see any articles why we shouldn't add dedicated service accounts to local admin group
  I am facing some GPO issue and one my friend suggested to add service accounts to add local administrator group to fix this issue but i am not sure what the risks behind it. 
  Please let me know if you aware of risks.
  Thanks S

  The basic is that it increases your attack surface. If the service (and this goes for any application regardless of vendor or platform) has elevated access to the underlying system (e.g. Local Administrator, SYSTEM, root, and so forth) and that service is
  compromised, there is the possibility that the entire server would be compromised.
  Clearly, this is not a good situation.
  Having said that, there are two scenarios where a service account in SharePoint must be a Local Administrator:
  If you're running the Claims to Windows Token Service (C2WTS) as a Domain User. This account requires Local Admin.
  If you're provisioning the User Profile Sync Service, the Farm Administrator account must be a Local Administrator during the provisioning process (reason being is that it makes calls to the SAM).
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Add Local Users to the Local Admin Group

  I am looking either via GPO or Third Party Tool.  I would like to add 6 Users to the Local Admin Groups on all the computers running Windows 7/8.  I want to Create a Group called "OUR Local Admins" and add these 6 local users (Not domain
  Users) to this Group and then nest this Group into the Local Admin Group Built-in into Windows 8
  Thank u

  > local users (Not domain Users) to this Group and then nest this Group
  > into the Local Admin Group Built-in into Windows 8
  You cannot nest local groups.
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• SCCM 2012 - Query Local Admin Users

  Hi Guys,
  I´m trying to get all users that are local admins of my network using sccm12.
  How it´s possible?
  Thank you.

  Hi,
  We can use the following query as follows
  SELECT DISTINCT SYS.Netbios_Name0, SYS.User_Name0, LocalAdminMembers.TimeStamp, LocalAdminMembers.Type0 as Object LocalAdminMembers.Account0, LocalAdminMembers.Domain0   FROM fn_rbac_GS_LocalAdminMembers0(@UserSIDs)  LocalAdminMembers JOIN fn_rbac_R_System(@UserSIDs)
   SYS ON SYS.ResourceID = LocalAdminMembers.ResourceID   WHERE   SYS.Netbios_Name0 LIKE @variable    ORDER BY SYS.Netbios_Name0
  To create a custom report
  1. Go to SCCM console – Reports – Create report
  2. Complete the Reporting Wizard. The MS SQL Report Builder will be opened up now
  3. Double Click the Table or Matrix which will open to select a new dataset window. Select ‘Create a dataset’
  4. Select the existing Data source connection and enter the data source credentials
  5. Under Design a Query window, Select “Edit as text” and copy the above query
  6. Next arrange the field as per the attached doc
  7. Choose the Layout of the Report and complete the wizard
  8. Right Click on report, where the empty area of report page and select properties. Go to reference tab, Click on assemblies. 
  Add following assemblie  -  SrsResources, culture=neutral 
  And Click OK.
  9. Select UserSIDs under Paramter and edit the properties
  10. Go to Default Value and select Specific Values and Add expression. Leave the rest of the tab as default and complete it
  11. Select Variable under Parameter and edit the properties
  12. Type Computer Name under Prompt field and leave the rest of the tab as default and complete it.
  13. Type Computer Name under Prompt field and leave the rest of the tab as default and complete it.
  You are done.
  Regards,
  Vinod

• Adding a domain user to Local Admin Groups using MDT 2012

  I don't know if this will help anyone, but it did me after weeks of searching.  If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No". 
  But the administrators accounts page will only appear if you choose to join a domain. 

  Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
  <Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
  <Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
  </Pane>
  Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default,
  instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
  Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
  Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
  If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different
  Story :^).
  Keith Garner - keithga.wordpress.com

• Need to audit domain admin group changes

  Hi
  I have windows server 2012 domain controllers (4 Dcs). I want to audit changes happening to domain admin group. Recently somebody modified domain admin members. I want to trace out who did this ..
  Please let me know how to check it...

  Hi,
  Checkout the below steps to enable auditing for AD User and Group Changes,
  1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
  2. Right click the Default Domain Controllers Policy, and then click Edit.
  3. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access.) 
      Enable Success auditing for the following settings
      - Audit Directory Service Access
      - Audit Directory Service Changes
  4. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management.) 
      Enable Success auditing for the following settings
      - Audit User Account Management
      - Audit Computer Account Management
      - Audit Security Group Management
      - Audit Distribution Group Management
  After completing the audit settings, configure SACL in Active Directory Users and Computers console for enabling the geneartion of AD Change events in the eventlog as shown below,
  Regards,
  Gopi
  JiJi
  Technologies

• Cisco MeetingPlace One or More Local Admin Group

  Hi All UC Experts,
  I have a MeetingPlace 8.5 audio only, that is using in Hong Kong only. Now I want to share the MeetingPlace to my USA users to use too.
  But I am thinking the administrative problem as below:
  Can I create a USA local group for the USA users only? That should be a local USA admin, who can manage their USA users only.

  Hi All UC Experts,
  I have a MeetingPlace 8.5 audio only, that is using in Hong Kong only. Now I want to share the MeetingPlace to my USA users to use too.
  But I am thinking the administrative problem as below:
  Can I create a USA local group for the USA users only? That should be a local USA admin, who can manage their USA users only.

• Query regarding admin group

  I want to remove admin rights for my domain users. But they need to run all the applications or services as administrator by default. is there any way to do it?

  se80> select function group > display.
  Right click ofn the name of function group> create>function module.
  here u can create as many as function module
  why you not try by urself, its intersting.
  reward if useful.
  Amit Singla

• Giving an OD Network User/Group local admin rights.

  Is there a way to manage workstation admin rights from the server?
  I ran into a problem with Lightroom that requires admin privileges to change the program preferences. We have alot of graphic art students with roaming profiles, spread out across 5 labs, that need to make this change. I would like to be able to add a group or all network users to the local admin group, for a few days, so the students can make the changes.

  This works on 10.5, not sure about 10.6.
  As root on the client.
  Upgrading legacy group for local admin group - this is from 10.4 days, not sure if you still need to do it.
  dseditgroup -o edit -f n -t group -n /Local/Default admin
  Nest OD group in local admin group
  dseditgroup -o edit -a DirectoryAdminGroup -t group -n /Local/Default admin
  Gen