Wednesday, 4 October 2017

Check if a user is a member of a local group using PowerShell

We can easily find out whether a local user is a member of a local group by accessing the ADSI WinNT provider. In this post, I am going to share PowerShell scripts that check whether a local user exists in a group, and whether multiple users are members of a local group.

Check if a local user is a member of the Administrators group:

The following PowerShell commands check whether the given user is a member of the built-in Administrators group.
$user  = "Morgan"
$group = "Administrators"

# Bind to the local group through the ADSI WinNT provider ("." = this computer)
$groupObj = [ADSI]"WinNT://./$group,group"

# Enumerate the group's member objects (users and groups, local or domain)
$membersObj = @($groupObj.psbase.Invoke("Members"))

# Read the Name property of each member via late-bound COM invocation
$members = $membersObj | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
}

If ($members -contains $user) {
    Write-Host "$user exists in the group $group"
} Else {
    Write-Host "$user does not exist in the group $group"
}

Check if multiple users are members of a given local group:

Run the PowerShell commands below to check whether multiple users are members of a given group.
$users = "Morgan", "TestUser1", "TestUser2"
$group = "Administrators"

# Bind to the local group and enumerate its members, as in the single-user case
$groupObj   = [ADSI]"WinNT://./$group,group"
$membersObj = @($groupObj.psbase.Invoke("Members"))

$members = $membersObj | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
}

# Test each user against the member list built once above
ForEach ($user in $users) {
    If ($members -contains $user) {
        Write-Host "$user exists in the group $group"
    } Else {
        Write-Host "$user does not exist in the group $group"
    }
}

Check if users are members of a group on a remote computer:

Use the PowerShell commands below to check whether users are members of a given group on a remote machine/server.
$computer = "remote-pc"
$users    = "Morgan", "TestUser1", "TestUser2"
$group    = "Administrators"

# Same WinNT binding, but with the remote computer name in place of "."
$groupObj   = [ADSI]"WinNT://$computer/$group,group"
$membersObj = @($groupObj.psbase.Invoke("Members"))

$members = $membersObj | ForEach-Object {
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
}

ForEach ($user in $users) {
    If ($members -contains $user) {
        Write-Host "$user exists in the group $group"
    } Else {
        Write-Host "$user does not exist in the group $group"
    }
}
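The three scripts above are one procedure with different inputs (one user, several users, a remote computer). The following is an added example, not code from the original post: it wraps the same ADSI WinNT technique in two reusable functions and, in addition to the member names, reads each member's Class and AdsPath. That way a nested group sitting in the local Administrators group is reported alongside the direct result, which matters for audits because a user who is an admin only through such a group would otherwise show up as "not a member". The function names, parameters and sample account names are my own choices and are not part of the original.

```powershell
# Added example (not from the original post): wraps the ADSI WinNT lookup shown
# above and also reports each member's Class and AdsPath, so nested domain or
# local groups inside the target group are visible to the person auditing it.
function Get-LocalGroupMembership {
    [CmdletBinding()]
    param(
        [string]$ComputerName = ".",              # "." = the local machine
        [string]$GroupName    = "Administrators"
    )

    $groupObj = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($m in @($groupObj.psbase.Invoke("Members"))) {
        # Late-bound COM property reads, the same technique as the post uses for Name
        $name  = $m.GetType().InvokeMember("Name",    'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember("Class",   'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember("AdsPath", 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Name    = $name
            Class   = $class                      # "User" or "Group"
            # Strip the provider prefix: "WinNT://DOMAIN/Name" -> "DOMAIN\Name"
            Account = ($path -replace '^WinNT://', '') -replace '/', '\'
        }
    }
}

function Test-LocalGroupMember {
    param(
        [Parameter(Mandatory)][string[]]$UserName,
        [string]$ComputerName = ".",
        [string]$GroupName    = "Administrators"
    )
    $members = Get-LocalGroupMembership -ComputerName $ComputerName -GroupName $GroupName
    $names   = $members | Where-Object Class -eq 'User'  | Select-Object -ExpandProperty Name
    $nested  = $members | Where-Object Class -eq 'Group'

    foreach ($u in $UserName) {
        [pscustomobject]@{
            User         = $u
            Group        = $GroupName
            # Same check as the post: is the account a direct member?
            DirectMember = [bool]($names -contains $u)
            # Groups the direct check cannot see into; a "False" above is only
            # conclusive when this column is empty
            NestedGroups = (@($nested | ForEach-Object Account) -join ', ')
        }
    }
}

# Usage on the local machine (the user names are constructed sample accounts)
Test-LocalGroupMember -UserName "Morgan", "TestUser1" | Format-Table -AutoSize

# Usage against a remote computer (hypothetical host name)
# Test-LocalGroupMember -ComputerName "remote-pc" -UserName "Morgan"
```

The member list is built once per call, so checking many users against one group costs a single ADSI enumeration, as in the post's multi-user script. Resolving who is inside the nested groups would require querying the domain for those groups' members, which the WinNT provider does not do on its own.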


1 comment:

  1. So, I tested the script and it does not work in all cases. This script along with other ways of determining if you belong to the Administrators group, assumes you have been directly added to the "Administrators" group on a system.

    In the environment many of us work in (domain), in some areas we don't allow direct user IDs (sAMAccountNames) to be added to a local group; we instead utilize group policies to push out specific security groups, of which you are a member, which grant local administrative rights. Thus, the code above will not work. I know this because I checked it against one of my accounts and it resulted in my account "not being a member of the Administrators group", when it actually is.

    Below is currently the simplest and most accurate way of finding out if a specific SID/sAMAccountName has local administrative rights on a box, whether it be via a direct membership add or inherited via an AD group:

    whoami /groups | findstr /i "builtin"

    In addition, if you created a local group and inherited the right via that, it should not matter either; although, I did not test that theory.

    Hope this helps someone else!

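The comment's whoami /groups approach reads the logon token rather than the group's member list, which is why it also catches rights inherited through a nested AD group. The following is an added example, not the commenter's script, showing the same token-based check in PowerShell for the current user: it looks for the BUILTIN\Administrators SID (S-1-5-32-544) in the token's group list and also reports whether the process is elevated, because under UAC a non-elevated token carries that SID as "deny only" (the attribute whoami /groups prints) and IsInRole returns false until the process is elevated. The function name is my own choice.

```powershell
# Added example (not the commenter's code): token-based local-admin check for
# the current user, the PowerShell counterpart of "whoami /groups | findstr builtin".
function Test-CurrentUserLocalAdmin {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # BUILTIN\Administrators has the well-known SID S-1-5-32-544. Membership
    # obtained through a nested AD group still appears here, because the token
    # lists every group the logon session expanded, not just direct members.
    $inToken = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    # Under UAC the SID is present but marked "deny only" in a non-elevated
    # token, so IsInRole is false until the process runs elevated.
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User            = $identity.Name
        AdminSidInToken = $inToken     # has admin rights (directly or via a nested group)
        ElevatedAdmin   = $elevated    # currently running with those rights applied
    }
}

Test-CurrentUserLocalAdmin
```

Because this reads the caller's own token, it only answers the question for the account running the script; checking other accounts, or a remote machine, still needs the group enumeration from the post (plus a resolution of any nested groups it reports).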