Paul Reay

Reputation: 3

PowerShell command to find list of users allowed to log onto computer

I'm trying to find a way of using PowerShell to list the users assigned logon rights to a computer. But I'm unable to find the syntax, if it's even possible. Any help greatly appreciated.

Upvotes: 0

Views: 3076

Answers (1)

AdminOfThings

Reputation: 25001

If you are looking to query for ADUser objects that have their workstation logon explicitly restricted, you can query for values in the userWorkstations attribute. Since that attribute is a string with comma-separated values, you will need to potentially manipulate that data properly before doing a compare.

$computer = 'computername'
Get-ADUser -Filter "userWorkstations -like '*$computer*'" -Properties userWorkstations |
    Where-Object { ($_.userWorkstations -split ',') -contains $computer }

You are not bound to this solution because there are a few ways to retrieve the data you want. I chose to use -split ',' because that will create an array where the -contains operator can find an exact match.

Using the -like operator in the -Filter allows for wildcard (*) matching. -eq is only going to work if the particular workstation is the only one listed in the userWorkstations attribute. You could potentially forego -like altogether and get the same result. It is something worth testing since performance could be different[1].

Where-Object here provides exact matching. Since the AD -Filter parameter does not support containment operators, you have to rely on -like with wildcards for delimited strings. Since -like 'system1*' would also match system12334, we need to ensure that we only return our desired exact match.


Note: If your local security policy on your computer allows Domain Users to log on locally or interactively, then having no userWorkstations attribute value on a user means that user can log on to that machine. So to get a complete picture, you need to examine the local security policy of the machine and determine which domain users that actually applies to.


[1] My personal, limited testing showed using the -Filter with the -like operator cut my query time by 59%.

Upvotes: 1
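
The note in the answer above points at the machine's local security policy as the other half of the picture. The following is an added example, not part of the original answer: it exports the local user-rights assignments with secedit and resolves the entries holding the "Allow log on locally" and "Deny log on locally" rights (SeInteractiveLogonRight, SeDenyInteractiveLogonRight). The function name Get-LocalLogonRight and the temporary file name are hypothetical; run it in an elevated session on the computer being audited.

```powershell
# Added example (hypothetical helper, not from the answer).
# Lists who holds the local logon rights in this machine's security policy.
function Get-LocalLogonRight {
    param(
        [string[]]$Right = @('SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight')
    )

    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the local security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed with exit code $LASTEXITCODE"
        }

        foreach ($line in Get-Content -Path $cfg) {
            # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
            if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $Right -contains $Matches[1]) {
                $name = $Matches[1]
                foreach ($entry in ($Matches[2] -split ',')) {
                    $entry = $entry.Trim()
                    if (-not $entry) { continue }
                    $account = $entry
                    if ($entry.StartsWith('*')) {
                        # A leading * marks a SID; resolve it to a name where possible.
                        $sid = $entry.TrimStart('*')
                        try {
                            $sidObj  = [System.Security.Principal.SecurityIdentifier]::new($sid)
                            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                        } catch {
                            $account = $sid   # unresolvable (e.g. deleted account): keep the SID
                        }
                    }
                    [pscustomobject]@{ Right = $name; Entry = $entry; Account = $account }
                }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-LocalLogonRight | Sort-Object Right, Account | Format-Table -AutoSize
```

Groups in the output (for example BUILTIN\Users or a domain group) still have to be expanded to their members, and any userWorkstations restriction on an individual account applies on top of what this policy allows.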
