Get the users who are having server access for my server

Question

We need to extract a report every month for our servers which should report who all are having the server admin access .This will help us remove the people for whom access is no more needed. Its taking lot of time to extract manually and I read on blogs that PowerShell is used to automate such kind of administration jobs.

Other details: Server - Win 2008 R2 Powershell 1.0 Could any one help me how to I extract this report?

Answer 1

There's no need for ADSI and PSRemoting. Example:

$cComputerNames = @("computer1", "computer2")
$cRows = @()

foreach ($sComputerName in $cComputerNames) {
    $cAdminAccounts = Get-WmiObject -ComputerName $sComputerName `
        -Class "Win32_GroupUser" `
        | Where-Object { 
            ($_.GroupComponent -split '"')[3] -eq "Administrators" 
          }
    foreach ($cAdminAccount in $cAdminAccounts) {
        $oRow = New-Object -TypeName PSObject -Property @{
            "ComputerName"  = $sComputerName
            "AccountDomain" = ($cAdminAccount.PartComponent -split '"')[1]
            "AccountName"   = ($cAdminAccount.PartComponent -split '"')[3]
        }
        $cRows += $oRow
    }
}

$cRows | Export-Csv -Path "admin-accounts.csv" -NoTypeInformation

You can use an associators of ... query to get more detailed info about accounts. See this blog post.

Answer 2

Here's a quick way to enumerate the list of administrators for a server.

$group = [ADSI]"WinNT://./Administrators"

@($group.Invoke("Members")) | foreach {
  $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
}

You can then use an email cmdlet to send it or however you want to send it back to you.

See: http://blogs.technet.com/b/heyscriptingguy/archive/2013/10/27/the-admin-s-first-steps-local-group-membership.aspx