How to enumerate local admin group using ADSI


As part of Continuous Monitoring, we have started an annual review of server access.  We have three domains:  two internal and a DMZ.  I can get a list of servers managed by a particular Manager.

My problem is I can't get the ADSI to work (see the code below the commented line 'Reads local admin group'). I'd like to get group members for each group in the Local Administrators group for all servers. If the group is from one of the other domains, it should resolve the group correctly. Here's what I have so far:

 

Add-PSSnapin Quest.ActiveRoles.ADManagement
Import-Module ActiveDirectory
cls

$Domains = @(
"dc=domain,dc=gov"
"dc=domain,dc=local"
)

$admgrp = "Administrators"
$Servers = @()

# Excel sheet the results are written to ($wsheet and $iRow were used but never created)
$excel = New-Object -ComObject Excel.Application
$excel.Visible = $true
$workbook = $excel.Workbooks.Add()
$wsheet = $workbook.Worksheets.Item(1)
$wsheet.Cells.Item(1,1) = "Server"
$wsheet.Cells.Item(1,2) = "Location"
$wsheet.Cells.Item(1,3) = "Member"
$wsheet.Cells.Item(1,4) = "Type"
$wsheet.Cells.Item(1,5) = "ADsPath"
$iRow = 2

#Get list of all servers in all domains managed by xxxx
foreach ($domain in $Domains)
{
    $Servers += Get-QADComputer -Searchroot $domain -OSName "Windows*Server*" -NotMemberOf "Disabled" | where {$_.ManagedBy -like "*XXXXX*"} | sort Name
}

foreach ($server in $Servers)
{
    $hostname = $server.dnsHostName
    $tmp = $hostname.split(".")
    $location = $tmp[1] + "." + $tmp[2]

    $PC = $server.dnsHostName

    #Reads local admin group (",group" tells the WinNT provider which object class to bind)
    $strcomputer = [ADSI]("WinNT://$PC/$admgrp,group")
    $members = @($strcomputer.psbase.Invoke("Members"))

    foreach ($member in $members)
    {
        # members come back as raw COM objects, so properties are read through InvokeMember
        $name  = $member.GetType().InvokeMember("Name", 'GetProperty', $null, $member, $null)
        $path  = $member.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember("Class", 'GetProperty', $null, $member, $null)

        if ($class -eq "group") #verify if group
        {
            # a local group's ADsPath contains the computer name (WinNT://DOMAIN/COMPUTER/Group);
            # a domain group's does not (WinNT://DOMAIN/Group)
            if ($path -like "*/$($server.Name)/*") { $type = "Local" } else { $type = "Domain" }
        }
        else #user
        {
            $type = "User"
        }

        # write one row per member; the original always wrote to row 1 and bumped $iRow twice
        $wsheet.Cells.Item($iRow,1) = $PC
        $wsheet.Cells.Item($iRow,2) = $location
        $wsheet.Cells.Item($iRow,3) = $name
        $wsheet.Cells.Item($iRow,4) = $type
        $wsheet.Cells.Item($iRow,5) = $path
        $iRow += 1
    }
}

 

Thank you,

Kurt
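The part of the question the script above does not yet cover is expanding the members of each domain group found inside a server's local Administrators group. The following is an added example, not code from the original post: it uses the same WinNT provider, binds to each domain group by the ADsPath the provider returns, and recurses into it while tracking which groups have already been expanded so nested or circular memberships do not loop. The function names, the CSV path and the two server names are assumptions; the server list would come from the Get-QADComputer call in the post.

```powershell
# Added example (not from the original post). Expands the local Administrators group on
# each server and recurses into domain groups through the WinNT provider. Function names,
# server names and the output path are assumptions.

function Get-AdsiMemberInfo {
    param([object]$Member)
    # Objects returned by Invoke("Members") are raw COM objects; read properties via InvokeMember
    $get = { param($n) $Member.GetType().InvokeMember($n, 'GetProperty', $null, $Member, $null) }
    [pscustomobject]@{
        Name    = & $get 'Name'
        Class   = & $get 'Class'
        ADsPath = & $get 'ADsPath'
    }
}

function Expand-AdsiGroup {
    param(
        [string]$GroupPath,      # e.g. WinNT://SERVER01/Administrators,group
        [string]$Via = '',       # chain of groups this member was reached through
        [System.Collections.Generic.HashSet[string]]$Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    # Add() returns $false if the path was already expanded: stops nested/circular group loops
    if (-not $Seen.Add($GroupPath.ToLower())) { return }
    $group = [ADSI]$GroupPath
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $info = Get-AdsiMemberInfo $m
        if ($info.Class -eq 'Group') {
            [pscustomobject]@{ Member = $info.Name; Type = 'Group'; Via = $Via; ADsPath = $info.ADsPath }
            # A domain group's ADsPath is WinNT://DOMAIN/Name. Appending ",group" binds to that
            # group in its own (trusted) domain so its members can be enumerated in turn.
            Expand-AdsiGroup -GroupPath "$($info.ADsPath),group" -Via "$Via/$($info.Name)" -Seen $Seen
        }
        else {
            [pscustomobject]@{ Member = $info.Name; Type = $info.Class; Via = $Via; ADsPath = $info.ADsPath }
        }
    }
}

function Get-LocalAdminReport {
    param([string[]]$ComputerName, [string]$GroupName = 'Administrators')
    foreach ($pc in $ComputerName) {
        try {
            Expand-AdsiGroup -GroupPath "WinNT://$pc/$GroupName,group" -Via $GroupName |
                Select-Object @{ n = 'Computer'; e = { $pc } }, Member, Type, Via, ADsPath
        }
        catch {
            # Record unreachable hosts so they show up in the review instead of silently vanishing
            [pscustomobject]@{ Computer = $pc; Member = $null; Type = 'ERROR'; Via = $null; ADsPath = $_.Exception.Message }
        }
    }
}

# Assumed server names; in practice pass the dnsHostName values from Get-QADComputer
Get-LocalAdminReport -ComputerName 'server01.domain.gov', 'server02.domain.local' |
    Export-Csv -Path .\LocalAdminReview.csv -NoTypeInformation
```

The Via column records the group chain each account was reached through (for example Administrators/DOMAIN Server Admins), which is what an access review needs in order to decide where a membership should be removed. Binding to a domain group by its WinNT path depends on the NetBIOS domain name in the ADsPath being resolvable from the machine running the script and on a trust with that domain; if a DMZ domain is not trusted, the group is still reported as a member but its expansion will fall through to the catch block.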

