
I was wondering how to best approach this. Basically I have a script that needs to check if USER1 is a member of local Administrators and if so, remove it. These groups are all local and the script will be run on the system I need to check (no remoting needed).

I was thinking something along the lines of capturing and evaluating the output from

net localgroup Administrators

test\user1
test\user2

However I am not sure how to capture the output for evaluation (pretty new to powershell). Has anyone done something like this? I really appreciate any help.

Dominic Brunetti
  • possible duplicate of [powershell - list local users and their groups](http://stackoverflow.com/questions/4548476/powershell-list-local-users-and-their-groups) – Ansgar Wiechers May 17 '13 at 21:00

2 Answers


one way without module or snapin:

$group   = [ADSI]"WinNT://./Administrators,group"     # bind to the local Administrators group through the WinNT provider
$members = @($group.psbase.Invoke("Members"))         # COM collection of the group's direct members

# read each member's Name via IDispatch and test whether the account is in the list
($members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}) -contains "Administrator"

this returns True or False depending on the case

to remove user Administrator from Administrators group:

$group.remove("WinNT://Administrator")   # IADsGroup::Remove takes the member's ADsPath; needs an elevated session
CB.
  • This does not quite work if a user is in a group which is an administrative group. The user would be an administrator in this case but would not show up as the Administrators group member – Andrew Savinykh Jul 01 '14 at 23:48
  • @zespri The OP asks how to check users in the local Administrators group; if you need to check another local group you just need to change `Administrator` to the name of your local group in the first line of code. – CB. Jul 02 '14 at 05:18
  • The point is that a user can be an administrator without being in the local Administrators group. If he belongs to *any* group that is a member of the local Administrators group they will be a local admin. And you can't check it the shown way. – Andrew Savinykh Jul 02 '14 at 05:32
  • The best example are domain admins. They are local admins on your pc by merit of them being in the Domain Admins group and the Domain Admins group being a member of the local Administrators group. But of course there could be several levels of membership like this, not just one. – Andrew Savinykh Jul 02 '14 at 05:33
  • @zespri then you have to check membership of the domain user in the 'domain admins' group i.e.: `([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("Domain Admins")` – CB. Jul 02 '14 at 07:37
  • yep, but you would need to do this recursively, because Domain Admins group can have other groups, and other groups can be in the local admin group =) – Andrew Savinykh Jul 02 '14 at 09:12
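The script below is an added example, not code from the answer above or from its commenters. It reuses the same `[ADSI]` WinNT technique and adds the piece the comment thread asks for: walking nested groups, so that an account that is an administrator only through a group (a domain group, for instance) is reported as such rather than missed. `'TEST\user1'` is an assumed placeholder account name, and the removal needs an elevated session.

```powershell
# Added example (not from the answer or comments): check whether an account is a local
# administrator, directly or through nested groups, and remove a direct membership.
# 'TEST\user1' is an assumed placeholder; run from an elevated shell to remove.

function Get-LocalGroupMembersRecursive {
    # Enumerates a local group and every group nested inside it. Each result records
    # the group it was found in (Via), so a caller can tell direct from inherited.
    param(
        [string]$GroupPath = 'WinNT://./Administrators,group',
        [hashtable]$Visited = @{}
    )
    $group = [ADSI]$GroupPath
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $name  = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)

        if ($Visited.ContainsKey($path)) { continue }   # nested groups can form cycles
        $Visited[$path] = $true

        # 'WinNT://DOMAIN/user' or 'WinNT://WORKGROUP/PC/user' -> 'DOMAIN\user' / 'PC\user'
        $parts   = ($path -replace '^WinNT://', '') -split '/'
        $account = if ($parts.Count -ge 2) { $parts[-2..-1] -join '\' } else { $parts[-1] }

        [pscustomobject]@{ Account = $account; Name = $name; Class = $class; Path = $path; Via = $GroupPath }

        if ($class -eq 'Group') {
            Get-LocalGroupMembersRecursive -GroupPath $path -Visited $Visited
        }
    }
}

function Remove-LocalAdminIfMember {
    # Reports whether $Account is a local administrator (directly or through a nested
    # group) and, with -Remove, deletes a *direct* membership. Returns $true if found.
    param(
        [Parameter(Mandatory)][string]$Account,
        [switch]$Remove
    )
    $adminsPath = 'WinNT://./Administrators,group'
    $hits = @(Get-LocalGroupMembersRecursive -GroupPath $adminsPath |
              Where-Object { $_.Account -eq $Account })      # -eq on strings is case-insensitive

    if ($hits.Count -eq 0) {
        Write-Host "$Account is not a member of Administrators (directly or nested)."
        return $false
    }
    foreach ($hit in $hits) {
        if ($hit.Via -eq $adminsPath) {
            Write-Host "$Account is a direct member of Administrators."
            if ($Remove) {
                try {
                    ([ADSI]$adminsPath).Remove($hit.Path)   # same call as the answer, with the member's own ADsPath
                    Write-Host "Removed $Account from Administrators."
                } catch {
                    Write-Warning "Could not remove ${Account}: $($_.Exception.Message)"
                }
            }
        } else {
            # Inherited: removing the user from the local group changes nothing; the
            # nested group (e.g. a domain group) is where the membership actually lives.
            Write-Warning "$Account is an administrator through nested group '$($hit.Via)'; not removable here."
        }
    }
    return $true
}

# Usage (placeholder account name):
# Remove-LocalAdminIfMember -Account 'TEST\user1'            # report only
# Remove-LocalAdminIfMember -Account 'TEST\user1' -Remove    # report and remove a direct membership
```

Recursing into a domain group through the WinNT provider only works when the machine can reach a domain controller; the `Visited` table stops the walk from looping when groups nest in each other.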
# keep the single output line containing the name (substring match; .ToString() errors if there is no match)
$user = (net localgroup administrators | Select-String 'testuser1' -SimpleMatch).ToString()
# remove that account from the group (needs an elevated session)
net localgroup administrators "$user" /delete

You're not using objects and you don't have a lot of error checking, but this is a pretty simple way to get what you want.

E.V.I.L.
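As an added example (not the answer's own code), here is the same `net localgroup` approach with the output parsed into a member list and the account matched exactly. `Select-String 'testuser1' -SimpleMatch` is a substring test, so it also hits `testuser10`; the sample output below is constructed to show that.

```powershell
# Added example, not from the answer: parse 'net localgroup' text into member names
# and match the account exactly instead of by substring. Sample output is constructed.

function ConvertFrom-NetLocalGroupOutput {
    # Returns the member names from 'net localgroup <group>' output: the lines between
    # the dashed separator and the trailing status line (or the first blank line).
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $inMembers = $false
    foreach ($line in $Lines) {
        if (-not $inMembers) {
            if ($line -match '^-{5,}') { $inMembers = $true }
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^The command completed') { break }
        $line.Trim()
    }
}

function Test-LocalGroupMember {
    # Exact (case-insensitive) match against the parsed list; no substring effects.
    param([string[]]$Members, [Parameter(Mandatory)][string]$Account)
    return [bool]($Members -contains $Account)
}

# Constructed sample of what 'net localgroup administrators' prints.
$sample = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
TEST\testuser1
TEST\testuser10
The command completed successfully.
'@ -split '\r?\n'

$members = @(ConvertFrom-NetLocalGroupOutput -Lines $sample)       # Administrator, TEST\testuser1, TEST\testuser10
$loose   = @($members | Select-String 'testuser1' -SimpleMatch)    # 2 hits: substring also matches testuser10
$exact   = Test-LocalGroupMember -Members $members -Account 'TEST\testuser1'   # True
$bare    = Test-LocalGroupMember -Members $members -Account 'testuser1'        # False: must match the listed form
"$($loose.Count) substring hit(s); exact match: $exact; bare name: $bare"

# Against a live system (deleting needs an elevated shell):
# $members = @(ConvertFrom-NetLocalGroupOutput -Lines (net localgroup administrators))
# if (Test-LocalGroupMember -Members $members -Account 'TEST\testuser1') {
#     net localgroup administrators 'TEST\testuser1' /delete
# }
```

Because `net localgroup` lists domain accounts as `DOMAIN\name`, the account you test for has to be written the same way; the parsed list makes that mismatch visible instead of silently producing no match or an over-broad one.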