Empty Coder

Reputation: 589

Remove Single IDs from local administrator group

I want to delete individual IDs from the Administrators group.

I have the code below to get the members and delete them:

# Placeholders for the undefined variables: set these to the target computer, domain and account
$ComputerName = $env:COMPUTERNAME
$DomainName   = 'ZA'
$UserName     = 'A92361'

# list the current members of the local Administrators group
Get-LocalGroupMember -Name 'Administrators'
# bind to the local group and the domain user via the WinNT ADSI provider, then remove the user
$AdminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
$User = [ADSI]"WinNT://$DomainName/$UserName,user"
$AdminGroup.Remove($User.Path)
Write-Host "Successful:" $ComputerName

The problem I am facing is how to identify the single/individual IDs in the group.

Below is a sample output from one of the servers from which I fetched the members, where there are no individual IDs present:

Name                                                 SID                                               PrincipalSource ObjectClass
----                                                 ---                                               --------------- -----------
AUTO1AP\csgadm#                                      S-1-5-21-126948685-454775200-1760099607-500                 Local User       
ZA\                                                  S-1-5-21-3095416536-3097367016-2845470932         ActiveDirectory Other      
ZA\A-Auto$                                           S-1-5-21-3095416536-3097367016-2845470932-1423106 ActiveDirectory User       
ZA\A-Server Administrators                           S-1-5-21-3095416536-3097367016-2845470932-128673  ActiveDirectory Group      
ZA\A92361                                            S-1-5-21-3095416536-3097367016-2845470932-1423726 ActiveDirectory User       
ZA\A-SAN-AUTO                                        S-1-5-21-3095416536-3097367016-2845470932-1475616 ActiveDirectory User       
ZA\Domain Admins                                     S-1-5-21-3095416536-3097367016-2845470932-512     ActiveDirectory Group      

I have the above data now and I want to delete the individual account from it, which is ZA\A92361 (here I know this is the individual account, but in the actual case I need to find it out and delete it).

Please let me know about this.

Upvotes: 0

Views: 1656

Answers (1)

Theo

Reputation: 61168

Although it is still not clear to me what you mean by identify the users you want to remove, I believe the Get-LocalGroupMember cmdlet returns everything you need to identify them.

# requires the ActiveDirectory module (RSAT) for Get-ADUser
$ADusersToRemove = 'jdoe', 'cblossom'  # example: some SamAccountNames of users to remove from the group
# from these users to remove, get an array of their Security IDs
$ADsidsToRemove = $ADusersToRemove | ForEach-Object { (Get-ADUser -Identity $_ -ErrorAction SilentlyContinue).SID }

# get a list of members of the local group, AD users only
$allADMembers = Get-LocalGroupMember -Name 'Administrators' | Where-Object { $_.ObjectClass -eq 'user' -and $_.PrincipalSource -eq 'ActiveDirectory' }

# remove the wanted AD users from the group
$ADmembersToRemove = @($allADMembers | Where-Object { $ADsidsToRemove -contains $_.SID })
if ($ADmembersToRemove.Count) {
    Remove-LocalGroupMember -Name 'Administrators' -Member $ADmembersToRemove.SID
}

If you also want to remove LOCAL users (not AD), you can do something similar:

# get an array of LocalPrincipal objects
$LocalUsersToRemove = @(Get-LocalUser -Name 'someguy', 'anotheruser' )
if ($LocalUsersToRemove.Count) {
    Remove-LocalGroupMember -Name 'Administrators' -Member $LocalUsersToRemove
}

If, as you say, you want to exclude service accounts, then this question really is how to distinguish between a service account and a normal user account.

I have no idea how you have organized your AD, but there are several options of course:

  1. You can have all service accounts start their SamAccountName with a special prefix, like svc_ or something.
     Then you can alter the filter to become (the [-1] takes the account part after the DOMAIN\ prefix)
Where-Object { $ADsidsToRemove -contains $_.SID -and (($_.Name -split '\\')[-1] -notlike 'svc_*') }
  2. You can have a special OU where all service accounts are stored, like OU=ServiceAccounts,DC=Company,DC=com. Then you can use filter
Where-Object { $ADsidsToRemove -contains $_.SID -and ((Get-ADUser -Identity $_.SID).DistinguishedName -notlike '*OU=ServiceAccounts,DC=Company,DC=com') }
  3. You can have the Description property of the service accounts all contain the words Service account.
     Then you can use filter
Where-Object { $ADsidsToRemove -contains $_.SID -and ((Get-ADUser -Identity $_.SID -Properties Description).Description -notlike '*Service account*') }
  4. Maybe you have used an Extension attribute on service accounts to test, like ExtensionAttribute1=svc.
     Then you can use filter
Where-Object { $ADsidsToRemove -contains $_.SID -and ((Get-ADUser -Identity $_.SID -Properties ExtensionAttribute1).ExtensionAttribute1 -notlike 'svc') }

The possibilities are almost endless, as you can see.

Upvotes: 1
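An added example, not part of the question or the answer above, that puts the classification together: it tags each member of the local Administrators group as a group, computer account, local account, built-in administrator, service account or individual AD user, then removes only the individuals, with -WhatIf support so the change can be previewed before it is applied. The svc_ prefix, the allow-list and the script name Audit-LocalAdmins.ps1 are assumptions, not conventions from the page.

```powershell
# Audit-LocalAdmins.ps1 (assumed name): classify local Administrators members and
# remove only individual AD user accounts. Assumed conventions: service accounts
# are prefixed 'svc_'; accounts in $AllowList are never removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName = 'Administrators',
    [string[]]$ServicePrefix = @('svc_'),       # assumed naming convention
    [string[]]$AllowList = @('Administrator')   # assumed: never remove these
)

function Get-MemberCategory {
    param($Member)   # a LocalPrincipal as returned by Get-LocalGroupMember
    $sam = ($Member.Name -split '\\')[-1]               # strip DOMAIN\ or HOST\
    $rid = [int64](($Member.SID.Value -split '-')[-1])  # last SID component
    if ($Member.ObjectClass -ne 'User')                 { return 'Group/Other' }
    if ($Member.PrincipalSource -ne 'ActiveDirectory')  { return 'Local' }
    if ($rid -eq 500)                                   { return 'BuiltInAdmin' }
    if ($sam.EndsWith('$'))                             { return 'Computer' }
    if ($AllowList -contains $sam)                      { return 'AllowListed' }
    foreach ($p in $ServicePrefix) {
        if ($sam -like "$p*")                           { return 'Service' }
    }
    return 'Individual'
}

# build a report of every member with its category
$report = Get-LocalGroupMember -Name $GroupName | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.Name
        SID      = $_.SID.Value
        Category = Get-MemberCategory -Member $_
    }
}
$report | Format-Table -AutoSize

# remove only the individual AD user accounts; honours -WhatIf / -Confirm
$individuals = @($report | Where-Object Category -eq 'Individual')
foreach ($m in $individuals) {
    if ($PSCmdlet.ShouldProcess("$env:COMPUTERNAME\$GroupName", "Remove $($m.Name)")) {
        Remove-LocalGroupMember -Name $GroupName -Member $m.SID
    }
}
```

Run it first as `.\Audit-LocalAdmins.ps1 -WhatIf` to see the report and the would-be removals; on the sample output in the question, only ZA\A92361 lands in the Individual category.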
