Script - Move Local Admin Members Into a single Group ?

Hi

I want to move all the users in the local Administrators group (on each server in a list) into a security group that sits inside this local Administrators group.

I managed to create the AD security group (e.g. <servername>_admins) and have added this new group to each server's local Administrators group. Now I want to move all the other remaining members of this admin group into it.

How could this be scripted? ...preferably in PowerShell.

Steps:
Read all the direct members of "\\servername\local admins" into an array and add them into the new AD security group.
Remove them from the direct local admin group, unless it's the new admin group (servername_admin).

Thanks,
Teeno
Teen-o asked:
exx1976 commented:
Well, you could have some problems with this. Biggest one I can think of is that you aren't going to be able to get local accounts into the domain group, since those local accounts don't exist outside of that local machine. So, if you remove the local accounts from the local group, then they have NO access, since they won't be members of that domain group...


Just something to consider.


-exx
markdmac commented:
exx raises a good point, but it depends on whether or not the users are local or domain accounts. If you are just looking to move from having domain users assigned directly to the admin group and instead want to use a group, and if that group will be universal throughout your organization, then you don't need a script at all. Use GPO with restricted groups.
Chris Dent (PowerShell Developer) commented:
It's not too hard to figure out if they're domain or local though, which is a good thing. But I do agree that group policy would be a more controlled approach.

If it's not practical I'll help you build the PS script.

Chris

jostrander commented:
Here's what I was playing with last night.  Seems to be working for me... hope it works for you.


$pc = $env:COMPUTERNAME
$group = $pc + "_admins"
$domain = $env:USERDOMAIN
$newGroupPath = "WinNT://$domain/$group"

# Bind to the local Administrators group and the new domain group via the ADSI WinNT provider
$groupAdmins = [ADSI]"WinNT://$pc/Administrators"
$objNewGroup = [ADSI]$newGroupPath

# Enumerate the current direct members of the local Administrators group
$members = @($groupAdmins.psbase.Invoke("Members"))
$alreadyNested = $false

foreach ($a in $members) {
	$user = $a.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $a, $null)
	# The new group is already a member: remember that and leave it alone
	if ($user -like "*/$group") { $alreadyNested = $true; continue }
	# Local accounts carry the computer name in their ADsPath; they cannot be added
	# to a domain group, so they stay where they are (-like is case-insensitive)
	if ($user -like "*$pc*") { continue }
	echo $user
	$objNewGroup.PSBase.Invoke("Add", $user)
	$groupAdmins.PSBase.Invoke("Remove", $user)
}

echo $newGroupPath
# Nest the new group in local Administrators unless it is already there (Add would otherwise throw)
if (-not $alreadyNested) { $groupAdmins.PSBase.Invoke("Add", $newGroupPath) }

jostrander commented:
Any luck with this?  
Teen-o (Author) commented:
Thanks for the help, guys. It seems to be moving the accounts, but there are some AD groups nested in the local admin group; they don't move/get copied.
jostrander commented:
Did some more testing...

In my local PC administrators group, I have 3 user accounts, 1 AD Domain Local group and 2 AD Global groups.  

In AD, I have a Domain Local group called COMPUTER1_admins.  

All the accounts in the local PC administrators group get added to the COMPUTER1_admins group and that group gets added to the local PC administrators group.  All the domain accounts are removed from the local administrators group successfully too.

The only way I can make it fail is if I make the COMPUTER1_admins group a Global group. In your testing, do you have your domain group set as a Domain Local group?

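The same move written against the LocalAccounts and ActiveDirectory modules (PowerShell 5.1 / Windows Server 2016 or later, RSAT installed), as an added example that is not jostrander's script or anything else posted in the thread. It matches principals by SID instead of by a substring of the ADsPath, leaves local accounts in place (exx's point) and refuses a Global target group (the failure jostrander saw); the default group name and the -WhatIf dry run are assumptions.

```powershell
#Requires -Modules Microsoft.PowerShell.LocalAccounts, ActiveDirectory
# Added example; supports -WhatIf so the move can be rehearsed before it is applied.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Target domain group; <COMPUTERNAME>_admins follows the thread's naming (assumption)
    [string]$GroupName = "$($env:COMPUTERNAME)_admins"
)

$target = Get-ADGroup -Identity $GroupName
# A Global group cannot contain Domain Local groups, so nested groups would fail to move.
# Domain Local is the scope that accepts users and groups of every scope.
if ($target.GroupScope -eq 'Global') {
    throw "$GroupName is a Global group; make it Domain Local before nesting groups in it."
}
$targetSid = $target.SID.Value

$members = Get-LocalGroupMember -Group 'Administrators'

foreach ($m in $members) {
    # Skip the target group itself, compared by SID rather than by name
    if ($m.SID.Value -eq $targetSid) { continue }

    # Local principals do not exist in AD; report them and keep their access intact
    if ($m.PrincipalSource -eq 'Local') {
        Write-Warning "Leaving local principal in Administrators: $($m.Name) ($($m.ObjectClass))"
        continue
    }

    if ($PSCmdlet.ShouldProcess($m.Name, "Move into $GroupName")) {
        # Add first, remove second: if the Add fails, the member keeps its access
        Add-ADGroupMember -Identity $target -Members $m.SID.Value
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID.Value
    }
}

# Nest the group in local Administrators only if it is not already a member (idempotent)
if (-not ($members | Where-Object { $_.SID.Value -eq $targetSid })) {
    if ($PSCmdlet.ShouldProcess($GroupName, 'Nest in local Administrators')) {
        Add-LocalGroupMember -Group 'Administrators' -Member $targetSid
    }
}
```

Run it once with -WhatIf to see which principals would move and which local accounts would be left behind before applying it to the server list.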