Monday, October 24, 2011

Search AD, Collect Local Admin Group Info and Generate Email Alert – PowerShell Script

This is an updated version of one of my old scripts (http://portal.sivarajan.com/2011/04/list-local-administrator-group-members.html), based on the discussion in this forum thread: http://sivarajan.com/forum/viewthread.php?tid=59

This updated script

  1. Searches Active Directory (Search_AD function) and collects the computer object information. This information is stored in the C:\Scripts\Servers.csv file.
  2. The second function (Seach_LAdmin) uses the C:\Scripts\Servers.csv file as input and collects the Local Administrators group membership details from these computers.
  3. The third function (Send_Email) generates an email alert with the output file (C:\Scripts\SGroupMemberDetails.csv).

Script

[Image: screenshot of the script]

Output

The script generates 2 output files: Servers.csv and SGroupMemberDetails.csv. Servers.csv contains all computer information from Active Directory (output of the Search_AD function), and SGroupMemberDetails.csv contains the Local Admin group membership details.

You will also see the status in the console itself. 

[Image: screenshot of the console output]

An email alert will be generated with SGroupMemberDetails.csv file (Send_Email function). 

Note

In PowerShell V2, you can use the Send-MailMessage cmdlet to create an email message:
http://technet.microsoft.com/en-us/library/dd347693.aspx
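
The three steps described above can be sketched as follows. This is an added example, not the author's script (which is only available through the download links below); it uses PowerShell V2-compatible syntax, and the function names, the OU path, the SMTP server and the mail addresses are placeholders. It also records whether each member is a user or a group and writes one server/member pair per row.

```powershell
# Added example. The OU path, SMTP server and mail addresses are placeholders.
# Functions are defined before they are called, as PowerShell requires.

function Get-ADComputerName {
    param([Parameter(Mandatory=$true)][string]$SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $searcher.Filter   = '(objectCategory=computer)'
    $searcher.PageSize = 1000                 # page results so large OUs are not truncated
    [void]$searcher.PropertiesToLoad.Add('name')
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{ Name = [string]$r.Properties['name'][0] }
    }
}

function Get-LocalAdminMember {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    try {
        # 'Administrators' is the English group name; localized builds use another name.
        $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $t    = $m.GetType()
            $path = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $kind = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
            New-Object PSObject -Property @{
                Server = $ComputerName
                # DOMAIN\name; local accounts come out as DOMAIN\COMPUTER\name
                Member = ($path -replace '^WinNT://', '' -replace '/', '\')
                Type   = $kind                # User or Group
            }
        }
    } catch {
        # Unreachable or access denied: keep the host in the report instead of skipping it.
        New-Object PSObject -Property @{ Server = $ComputerName; Member = 'Cannot Access'; Type = '' }
    }
}

$servers = 'C:\Scripts\Servers.csv'
$report  = 'C:\Scripts\SGroupMemberDetails.csv'

Get-ADComputerName -SearchBase 'LDAP://OU=Servers,DC=example,DC=com' |
    Export-Csv -Path $servers -NoTypeInformation

Import-Csv -Path $servers |
    ForEach-Object { Get-LocalAdminMember -ComputerName $_.Name } |
    Select-Object Server, Member, Type |
    Export-Csv -Path $report -NoTypeInformation

Send-MailMessage -SmtpServer 'smtp.example.com' -From 'audit@example.com' `
    -To 'secops@example.com' -Subject 'Local Administrators group membership' `
    -Body 'Report attached.' -Attachments $report
```

Hosts that cannot be queried appear in the report with a "Cannot Access" row, so gaps in audit coverage stay visible.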

Download

You can download the script from the following 2 locations:

  1. www.sivarajan.com - http://www.sivarajan.com/scripts/Search_AD_Local_Admin_Email.txt
  2. Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/Search-AD-Collect-Local-9952be71

23 comments:

You could make your code more reusable by turning many of the variables into function parameters. Otherwise, people have to search for all the hard coded references. Anything that is local or specific to your environment should be parameterized.

Actually, I don't understand how this script can even run. In PowerShell you have to define functions before you can call them, unlike VBScript. You are calling Search_AD before you define it.

Thanks for the feedback Jeff.

That is my plan for the next version of this script. Using variables and passing the value to the function will make the script more “portable”. I created this script to help one of the users in the following thread:

http://sivarajan.com/forum/viewthread.php?tid=59

Next version of the script will be out in a few days :)

Regarding your comment about calling the Function, I think it was a “cached” issue in my blog site. It was showing the old version of my script. I have refreshed console and it displays the correct version.

Thanks again for the feedback!

That makes more sense now. One other suggestion for future versions would be to use Write-Progress instead of Write-Host. Not to mention error handling: what happens if you can't connect to the remote computer?

I have added an error handling procedure for remote computers. I am validating the \\computername\admin$ share first. If it fails, it displays/writes the “Cannot Access” error message. Of course I can get the error code value and decode it to a more descriptive message like “Access is denied”, “Network Path was not Found” etc.

I look forward to more refinements. I would suggest that you use the standard verb-noun naming convention for your functions and write them so they are re-usable outside of your script.

Is there any way I can modify the script to also list the members within the domain group that have access to the server?

Thanks for the feedback Jeff..wait for my next version of the script :)

Jose,
Just members of an AD group? How about this script?

http://portal.sivarajan.com/2010/08/list-group-members-in-active.html

Hi Santhosh,

How do you exclude "Administrators, Domain Admins" from showing up in the output file?

Thanks
Mark

Hello,

Can you help me? I need the output file in another format:
Row1-Servername Row2-Group

Example:
Server1;Administrators
Server1;Domain Admins

Thanks
Manuel

Hello Santhosh,

Thanks for your great work. I have already used a few scripts from your site and they work perfectly.
I have a question. I have a lot of difficulty with the PowerShell language. Is it possible to add a feature to search for a single object in the local Admin group?
For example, an AD group or user on every computer in the input file?
If you have an idea for this, that would be great ;)

Hello,

When we create local admin account need email alert. Could you please help me on this.

Thank You,
Ajay P

I agree with Manuel, is there a way to set this up to export the way Manuel explained?

Is this script still being supported and followed through this thread? I've run it in my environment and had to stop it as it seems to scan more than just the OU designated in the script. I have multiple domains in this environment and I notice the domain prefix is added to the account. So if the Administrators group on the server contains an account from domains 1,2,3 the domains don't appear, only the username. Is it possible to list the domain name with the user name like so: domain1\username, domain2\username

In addition I'm wondering if the request to change the format of the output in the SGroupMemberDetails file was ever acknowledged?

Great work as the script still has tremendous value years after its initial inception.

Thanks Jeff for the suggestions.

Ajaya,
"When we create local admin account need email alert. Could you please help me on this."

What do you mean by this? Could you provide more info?

Sara
sarahs80th09,

>>>Is this script still being supported and followed through this thread?
Yes

>>> I've run it in my environment and had to stop it as it seems to scan more than just the OU designated in the script.

Post your filter here.




Hi- Love this script. If there's any way to help me tweak it to:
show to the right of each member if it is a user account or group and some way to get the members of groups that are part of local administrators.

Thanks for the feedback.

Sure you can. But you need to check against AD to get this info.

Review this script - http://portal.sivarajan.com/2010/08/list-group-members-in-active.html

You can use the same logic. Create a function from this script.

Thanks Santhosh, It works like a charm!
Just wondering if you could help me with one more functionality.
Is it possible to highlight "Server Name - $SName -> ########Cannot Access" with a red background in Excel?

I get an error: 'Search_AD' is not recognized as the name of a cmdlet, function, script file, or operable program
