Users and Local Groups Report using Powershell?

Question

Is there a simple way using powershell to show all Local Windows Groups that are active on a machine and the users that are part of those groups? A second part of this question would be if it can be extended to look at more than one machine at a time.

Shay Levy · Accepted Answer · 2009-06-11T09:08:20.707

13

In fact you can with the ADSI type shortcut and the WinNT moniker. Here's an example to list groups and members from your own machine:

$server="."
$computer = [ADSI]"WinNT://$server,computer"

$computer.psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach {
    write-host $_.name
    write-host "------"
    $group =[ADSI]$_.psbase.Path
    $group.psbase.Invoke("Members") | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
    write-host
}

edited Jun 11 '09 at 09:08

answered Jun 09 '09 at 21:07

Shay Levy

121,444
32
184
206

I am getting an error with the statement $group =[ADSI]$_.Path – msvcyc Jun 10 '09 at 06:19
add psbase in front of path (i.e. [ADSI]$_.psbase.Path) – Shay Levy Jun 11 '09 at 09:08
omg thank you i would have never found this myself ! Is there a way to know if the members of the localgroup are user or group ? (i want to list members of the localgroup administrators and if a member is a domaingroup list its members ) – Loïc MICHEL Oct 19 '12 at 08:52
I guess you can , try querying the groupType property, it only exist for groups. – Shay Levy Oct 19 '12 at 12:06
$_.GetType() will fail for 'orphaned' SIDs (unresolved accounts) – Safor Jun 20 '15 at 05:33
In case of unresolved accounts you get the following error: Error while invoking GetType. Could not find member. + ... | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $ ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OperationStopped: (:) [], MissingMemberException + FullyQualifiedErrorId : System.MissingMemberException – Safor Jun 20 '15 at 18:53
How do I edit this script to output the results to a text or csv file? – salvationishere Oct 06 '17 at 19:27

score 7 · Answer 2 · answered Jun 09 '09 at 14:41

Powershell does not have any inherent support for such a feature. However it's easy to wrap the "net localgroup" command with a couple of powershell functions and thus enable it in the pipeline.

Get Local Groups

function Get-LocalGroups() {
  net localgroup | ?{ $_ -match "^\*.*" } | %{ $_.SubString(1) };
}

Get Local Group members

function Get-LocalGroupMembers() {
  param ([string]$groupName = $(throw "Need a name") )
  $lines = net localgroup $groupName
  $found = $false
  for ($i = 0; $i -lt $lines.Length; $i++ ) {
    if ( $found ) {
      if ( -not $lines[$i].StartsWith("The command completed")) {
        $lines[$i]
      }
    } elseif ( $lines[$i] -match "^----" ) {
      $found = $true;
    }
  }
}

The loop should break once it hits the line "The command completed", otherwise it will return an empty string as the last element of the array because the last line in the output is blank. — bradvido, Jan 22 '14 at 20:23

score 1 · Answer 3 · answered Jun 20 '15 at 21:11

Below is an improved version of Shay Levy's script which works for local groups with "orphaned" accounts which SIDs can't be resolved.

$server = "$env:COMPUTERNAME"
$computer = [ADSI]"WinNT://$server,computer"

$computer.psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach {
    write-host $_.name
    write-host "------"
    $group =[ADSI]$_.psbase.Path
    $group.psbase.Invoke("Members") | foreach {$_."GetType".Invoke().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
    write-host
}

Bruno · Answer 4 · 2016-04-17T23:06:33.200

Jay Levy's answer turned into a function :)

Function Get-LocalGroupMembers
{
    Param(
        [string]
        $server = "."
    )
    Try
    {
        $computer = [ADSI]"WinNT://$( $Server ),computer"
        $computer.psbase.children | 
            where { 
                $_.psbase.schemaClassName -eq 'group' 
            } |
                ForEach {
                    $GroupName = $_.Name.ToString()
                    $group =[ADSI]$_.psbase.Path
                    $group.psbase.Invoke("Members") |
                        foreach {
                            $memberName = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) -replace "WinNT:", ""

                            $props = @{
                                "LocalGroup" = $GroupName
                                "MemberName" = $memberName
                            }

                            $obj = New-Object -TypeName psobject -Property $props
                            Write-Output $obj
                        } # foreach members
                } # foreach group
    }
    Catch
    {
        Throw
    }
}

To get the local group members

Get-LocalGroupMembers

To get the local group members for another machine

Get-LocalGroupMembers -Server $Computer

How do I edit this function to output the results to a text or csv file? — salvationishere, Oct 06 '17 at 19:28

Users and Local Groups Report using Powershell?

4 Answers4

Linked