FInding Computers without a specific set of local groups

We are trying to standardize our local Administrators group on all our PC’s. I know I can do this through GPO but first I want to find the computers without the specific set of groups so we know if we need to tweak things a bit.

I found this Script which will list the local groups but I am unsure how to have it sift through and check the groups like I want.

$computername = "Test01"
$Group = "Administrators"
Try {
		If ([ADSI]::Exists("WinNT://$($ComputerName)/$($Group),group")) {
			([ADSI]"WinNT://$($ComputerName)/$($Group),group").Members() | ForEach-Object {
				$PathElements = ($_.GetType().InvokeMember("AdsPath", 'GetProperty', $null, $_, $null)).Split('/',[StringSplitOptions]::RemoveEmptyEntries)
				If ($PathElements[-2] -eq 'WinNT:') {
				} Else {
		} Else {
			"Group '$($Group)' not found on $($ComputerName)!" | Write-Error
	} Catch {
		$_.Exception.Message | Write-Error

I would want to check it against a list like: Domain Admins, Psych Local Admins, etc. I would also need to run this script remotely from my PC and not on each individual PC (we do not have PSRemoting on).


Just filter for the groups you want. using an If, ForLoop, try/Catch, it’s your choice.
Pass in the list you want, to an loop or filter out during one.

That is a lot of code to check members of one group on a machine.
You can still use god ol’…

net localgroup administratos

… to get the list and filter via RegEx match…

Use the default command to filter the local administrators group for specific members, user or domain group.
Use a RegEx match group1 or group2 or group3
(net localgroup administrators) -match ‘GroupName1|GroupName1|GroupName3’

Now the above would require remoting and using…

Invoke-Command -ComputerName ‘SomeRemoteComputer’ -ScriptBlock {(net localgroup administrators) -match ‘GroupName1|GroupName1|GroupName3’}

…or PSExec.

However, there several commands you can leverage without using remoting.
See the details here: ‘

So, something like…

(Get-WmiObject -ComputerName ‘SomeRemoteComputer’ -Class Win32_Group -Filter “Name = ‘Administrators’”)-match ‘GroupName1|GroupName1|GroupName3’

…anything else is going to require remoting or using MS SysteInternals PSExec