As a sysadmin, or more specifically in my current position as a sysadmin, I have always felt that I am constantly needing to manipulate the local admins group on different servers. Maybe a dev broke something in dev/test and they need higher rights temporarily to troubleshoot their code or the error.  There are just too many reasons to count as to why someone may want to change the local admins on a server.

This first script simply gets the list of who belongs to the local Administrators group on a server or computer:


Function get-localadmin {
    param(
        [string]$server = $(Read-Host "What server?")
    )

    # Bind to the computer through the ADSI WinNT provider and find its Administrators group
    $computer = [ADSI]("WinNT://" + $server + ",computer")
    $Group = $computer.psbase.children.find("Administrators")

    # Members() returns COM objects, so read each member's Name property via reflection
    $members = $Group.psbase.invoke("Members") | ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }

    Write-Output "Local Admin Group of $server :"
    $members
}

Even if you don’t type in the server you want to grab the admins from, it will prompt you for the server name with Read-Host. This also allowed me to give it to my boss so even he could use it 😛

Oh look! The list of admins on a server is not what you expected, so we need to add someone!


Function add-localadmin {
    param(
        [string]$server = $(Read-Host "What server?"),
        [string]$group = $(Read-Host "What group? domain/group")
    )

    # Bind to the server's local Administrators group and add the given domain/group to it
    ([ADSI]"WinNT://$server/Administrators,group").add("WinNT://$group,group")
}

As with the previous script you don’t need to define the parameters as it will prompt you for both the server and the user/group you would like to add.

Can you guess what is coming next? Yep! A script to remove an admin… you may even be able to guess how it is different from the Add script.


Function remove-localadmin {
    param(
        [string]$server = $(Read-Host "What server?"),
        [string]$group = $(Read-Host "What group? domain/group")
    )

    # Bind to the server's local Administrators group and remove the given domain/group from it
    ([ADSI]"WinNT://$server/Administrators,group").remove("WinNT://$group,group")
}

You guessed it… I substituted “add” for “remove” and now we have a script to remove a local admin.
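Rights added temporarily have to be taken away again, so it helps to compare the group against an approved list instead of reading it by eye. The following is an added example, not part of the original post: Get-LocalAdminPath and Compare-LocalAdmin are hypothetical names, and the member paths and approved list are constructed sample data.

```powershell
# Added example, not from the original post. Function names are hypothetical.

Function Get-LocalAdminPath {
    param([string]$server = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$server/Administrators,group"
    # ADsPath keeps the domain or machine prefix that the Name property drops
    $group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
    }
}

Function Compare-LocalAdmin {
    param(
        [string[]]$Actual,     # ADsPath strings, e.g. from Get-LocalAdminPath
        [string[]]$Approved    # approved members written as domain/name
    )
    # Strip the provider prefix so both lists use the same domain/name form
    $members = @($Actual | ForEach-Object { $_ -replace '^WinNT://', '' })

    # -contains and -notcontains compare case-insensitively by default
    [pscustomobject]@{
        Unexpected = @($members  | Where-Object { $Approved -notcontains $_ })
        Missing    = @($Approved | Where-Object { $members  -notcontains $_ })
        # A member whose account was deleted is typically listed by its bare SID
        Orphaned   = @($members  | Where-Object { $_ -match '^S-1-5-' })
    }
}

# Constructed sample data so the comparison can be run without a live server
$sampleMembers = @(
    'WinNT://CONTOSO/Domain Admins',
    'WinNT://CONTOSO/SRV01/Administrator',
    'WinNT://CONTOSO/dev-jsmith',
    'WinNT://S-1-5-21-1111111111-2222222222-3333333333-1105'
)
$approved = @(
    'CONTOSO/Domain Admins',
    'CONTOSO/SRV01/Administrator',
    'CONTOSO/Server Ops'
)

Compare-LocalAdmin -Actual $sampleMembers -Approved $approved

# Against a real server (assumes the same remote ADSI access the functions above use):
# Compare-LocalAdmin -Actual (Get-LocalAdminPath -server 'SRV01') -Approved $approved
```

Using ADsPath instead of Name matters here because a local account and a domain account with the same name are otherwise indistinguishable in the output.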

These were a few scripts I wrote when I first started PowerShell, so they are pretty basic; however, they have been a huge timesaver for me, especially just checking the Admins group of a specified computer.

Hope you enjoy! And always let me know if you have any questions or comments


3 Comments

adam · June 26, 2012 at 2:53 pm

How do you get this to work on just a local computer? I will get the user from the local computer, not the domain. Seems when I run your script nothing happens. I am pretty new to PS. I need a script that will check if a user is an admin and set the password to what I want. If the user is not on the local computer then the script will create the new user.

thanks
adam.

    C-Rad · June 27, 2012 at 3:48 pm

    Hey Adam! Thanks for the comment! These are all functions so they need to be dot-sourced before you can run them. For example get-localadmin… if you save the file as get-localadmin.ps1 you would first type (from the directory the file is saved)

    . ./get-localadmin.ps1

    This essentially adds the function for use in this powershell session. Then you can do..

    get-localadmin

    and it should work how you would expect.
    Alternatively you can delete the top and bottom line (making them not functions) and just type “./get-localadmin.ps1”. I hope this helps.

Paul · October 25, 2012 at 11:21 am

Thanks C-Rad.

These scripts are short, sweet and quick. I, too, had to remove the Function block label in order to get this to work.
