We are trying to standardize our local Administrators group on all our PCs. I know I can do this through GPO, but first I want to find the computers without the specific set of groups so we know if we need to tweak things a bit.
I found this script, which will list the local groups, but I am unsure how to have it sift through and check the groups like I want.
$ComputerName = "Test01"
$Group = "Administrators"
Try {
    # Check that the local group exists on the target computer (WinNT ADSI provider)
    If ([ADSI]::Exists("WinNT://$($ComputerName)/$($Group),group")) {
        ([ADSI]"WinNT://$($ComputerName)/$($Group),group").Members() | ForEach-Object {
            # Read the member's AdsPath and split it into its path elements
            $PathElements = ($_.GetType().InvokeMember("AdsPath", 'GetProperty', $null, $_, $null)).Split('/',[StringSplitOptions]::RemoveEmptyEntries)
            If ($PathElements[-2] -eq 'WinNT:') {
                # No domain or computer part in the path: output the name alone
                $PathElements[-1]
            } Else {
                # Output as DOMAIN\Name (or COMPUTER\Name)
                "$($PathElements[-2])\$($PathElements[-1])"
            }
        }
    } Else {
        "Group '$($Group)' not found on $($ComputerName)!" | Write-Error
    }
} Catch {
    $_.Exception.Message | Write-Error
}
I would want to check it against a list like: Domain Admins, Psych Local Admins, etc. I would also need to run this script remotely from my PC and not on each individual PC (we do not have PSRemoting on).
Thanks,
Scott
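
One way to do the comparison asked about above, as an added example that is not part of the original post: it reuses the same WinNT ADSI lookup (so no PSRemoting is needed) and reports, per computer, which expected members are missing and which members are unexpected. The computer names, the `CONTOSO` domain, the `.\Administrator` baseline entry and the `Get-LocalGroupMemberName` helper are assumptions for illustration, and the account running it is assumed to be allowed to query the target machines.

```powershell
# Assumed inputs: replace with your own computer list and baseline.
$Computers = 'Test01', 'Test02'                      # hypothetical computer names
$Group     = 'Administrators'
# Expected members; CONTOSO is a placeholder domain, '.\' marks a local account.
$Expected  = 'CONTOSO\Domain Admins', 'CONTOSO\Psych Local Admins', '.\Administrator'

function Get-LocalGroupMemberName {
    param([string]$ComputerName, [string]$Group)
    # Same WinNT lookup as the script in the post.
    ([ADSI]"WinNT://$ComputerName/$Group,group").Members() | ForEach-Object {
        $adsPath = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $parts   = $adsPath.Split('/', [StringSplitOptions]::RemoveEmptyEntries)
        $name    = if ($parts[-2] -eq 'WinNT:') { $parts[-1] } else { "$($parts[-2])\$($parts[-1])" }
        # Normalize COMPUTER\Name to .\Name so one baseline fits every machine.
        $name -replace "^$([regex]::Escape($ComputerName))\\", '.\'
    }
}

$report = foreach ($computer in $Computers) {
    try {
        if (-not [ADSI]::Exists("WinNT://$computer/$Group,group")) {
            throw "Group '$Group' not found"
        }
        $actual     = @(Get-LocalGroupMemberName -ComputerName $computer -Group $Group)
        # -contains / -notcontains compare case-insensitively.
        $missing    = @($Expected | Where-Object { $actual -notcontains $_ })
        $unexpected = @($actual | Where-Object { $Expected -notcontains $_ })
        [pscustomobject]@{
            Computer   = $computer
            Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
            Missing    = $missing -join '; '
            Unexpected = $unexpected -join '; '
            Error      = $null
        }
    } catch {
        # Unreachable machine, access denied, or missing group: record it, keep going.
        [pscustomobject]@{
            Computer = $computer; Compliant = $false
            Missing  = $null; Unexpected = $null; Error = $_.Exception.Message
        }
    }
}

# Show only the machines that deviate from the baseline (or could not be checked).
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Machines that appear with a value in `Error` were not checked at all, so treat them as unknown rather than non-compliant.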