Create security groups from server name

by sabeltiger81 at 2013-01-30 03:37:53

This script finds all servers and who is a member of the LOCAL administrator group on these servers; output is in a CSV file.

I need some to create universal security groups following these rules:

"SEC-LOCALADM-ServerName" the groups for all the servers (ON) must have the Domain Users/Groups to be a member of the SEC_ServerName_LocalAdm groups. If the users are LOCAL users, they can stay in the Local Administrators group on the specific server.

The security groups are in this OU: OU=LA_OU,OU=Security Groups,OU=MYOU_1,OU=OU_2,DC=DOMAIN,DC=com

Here is the tricky part:
If the SEC_group exists, [ then the group shouldn’t be created, just move the Domain Users to the sec_group already listed, move them to that SEC_ServerName_LocalAdm group ]

If the Sec-group doesn’t exist: [1. Create the SEC_ServerName_LocalAdm group, 2. move the Domain Users, that are members of the Local Administrators group on the server, to this Sec_ServerName_LocalAdm group, 3. join this group to the Local Administrators Group on the server EQUAL to the SEC_ServerName_LocalAdm group, 4. All Domain Users/Groups that are found should of course no longer be a single member of the Local Administrator group on any server from this point on, but have their Local Admin rights through these Security Groups.]

Here is the script creating the csv file with Servers / Localadmin group:

Import-Module ActiveDirectory
# $searchOU must hold the distinguished name of the OU that contains the servers
$list = @()
Get-ADComputer -Filter * -SearchBase $searchOU | ForEach-Object {
    $server = $_.Name
    if ( Test-Connection $server -Quiet ) {
        Write-Host "Processing $server" -ForegroundColor Green
        # Enumerate the members of the local Administrators group through ADSI
        ([ADSI]"WinNT://$server/Administrators").psbase.Invoke('Members') | ForEach-Object {
            $member = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            $list += New-Object PSObject -Property @{Server=$server; Account=$member}
        }
    } else {
        # Server did not answer the ping: record it so it is not silently skipped
        $list += New-Object PSObject -Property @{Server=$server; Account="NOT_AVAILABLE"}
    }
}
$list | Select-Object -Property @{label="Server";expression={$_.Server}}, @{label="Groups";expression={$_.Account}} | Export-Csv "C:\Scripts\servers.csv" -NoTypeInformation

by DonJ at 2013-01-31 08:57:37
As a note, you should use the CODE button in the toolbar so that your script stays formatted. Otherwise it’s hard to read.

So, I see the list of what you want to do, and I see your script - what’s the problem? Where can we help you?

by sabeltiger81 at 2013-02-03 23:36:19
Is it possible to create a script that does these things?

1. Create universal sec groups based on the naming convention explained in my first post.
2. If the group exists already, move on to the next servername.
3. If the group does not exist, create a universal sec group.
4. All domain accounts that are a member of the local admin group on the server, move them to the sec group that matches the name for the server.
5. Remove the domain accounts, after they have been moved to the sec group
6. Have the sec group to be a member of the local admin group, on the server, the group is named after, using the naming convention explained in my first post.

Are these 6 steps possible?

by DonJ at 2013-02-04 07:35:30
Absolutely, with some caveats. You’re dealing with a lot of domain groups and accounts; you’ll need commands to manipulate those. Quest offers a free set that works with any version of AD. Microsoft’s commands can install on Win7 and later, and require the presence of a DC running an add-in Web service (which comes with 2008R2 and later, and can be installed back to 2003). Manipulating local groups is slightly different, but entirely do-able.

by sabeltiger81 at 2013-02-11 04:14:38
Well, all the requirements you mention, I have.
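
The six steps asked about in this thread, as an added example that was not posted by either participant. It assumes the Microsoft ActiveDirectory module, the SEC_ServerName_LocalAdm naming and group OU from the first post, and placeholder values for the NetBIOS domain name and the server OU; Move-LocalAdminsToGroup is a hypothetical function name.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not from the thread): NetBIOS domain name and server OU.
$domain   = 'DOMAIN'
$searchOU = 'OU=Servers,DC=DOMAIN,DC=com'
# Group OU as given in the first post.
$groupOU  = 'OU=LA_OU,OU=Security Groups,OU=MYOU_1,OU=OU_2,DC=DOMAIN,DC=com'

function Move-LocalAdminsToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Server)

    $name  = "SEC_${Server}_LocalAdm"
    $local = [ADSI]"WinNT://$Server/Administrators,group"
    # ADsPath tells domain and local members apart:
    #   WinNT://DOMAIN/name (domain)   WinNT://DOMAIN/SERVER/name (local)
    $paths = @($local.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) })

    # Create the group only if it is missing; an existing group is reused.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        if ($PSCmdlet.ShouldProcess($name, 'Create universal security group')) {
            New-ADGroup -Name $name -SamAccountName $name -GroupScope Universal `
                -GroupCategory Security -Path $groupOU
        }
    }
    # Nest the group locally first, so nobody loses access mid-run.
    $groupPath = "WinNT://$domain/$name"
    if ($paths -notcontains $groupPath -and
        $PSCmdlet.ShouldProcess($Server, "Add $name to local Administrators")) {
        $local.Add("$groupPath,group")
    }
    foreach ($path in $paths) {
        $parts = $path.Substring('WinNT://'.Length).Split('/')
        # Skip local accounts, NT AUTHORITY entries, unresolved SIDs and the group itself.
        if ($parts.Count -ne 2 -or $parts[0] -ne $domain -or $parts[1] -eq $name) { continue }
        if ($PSCmdlet.ShouldProcess($parts[1], "Move into $name")) {
            try {
                Add-ADGroupMember -Identity $name -Members $parts[1] -ErrorAction Stop
                $local.Remove($path)    # remove the direct entry only after the add succeeded
            } catch {
                Write-Warning "$Server : $($parts[1]) left in place: $($_.Exception.Message)"
            }
        }
    }
}

Get-ADComputer -Filter * -SearchBase $searchOU | ForEach-Object {
    if (Test-Connection $_.Name -Quiet -Count 1) { Move-LocalAdminsToGroup -Server $_.Name -WhatIf }
}
```

The final line runs with -WhatIf, so it only reports what would change; drop the switch to apply the changes. In a domain with several DCs, a group that was just created may not resolve on the server until replication has completed.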