none
Script to get user ids on remote servers. RRS feed

  • Question

  • Hi there...I am trying to get local users & admin group user ids on remote servers. I got a script that's working (mentioned below), I dont take credit to myself as I got some assistance in that (as I am still learning and get better at it). While using that script, I got some errors even when I target on some of new Server 2012 servers.

    $Output = "C:\Temp\Users-GroupMember\UserInfo.rtf"
    $Servers = Get-Content -Path "C:\Temp\Users-GroupMember\Servers.txt"
    
    foreach ($Servers in $Servers)
    
    {
    # 1. To get Local Administrators group Members
    
    Write-Output "1. *****Administrators group Members for the Server mentioned above****" |out-file $Output -Append
    
    $localgroup = "Administrators"
    $Group= [ADSI]"WinNT://$Servers/$LocalGroup,group" 
    $members = $Group.psbase.Invoke("Members")
    $members | ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) } | Out-File $Output -Append
    
    # 2. Local user information
    
    Write-Output "2. *****Local user information for the Server mentioned above*****" | out-file $Output -Append
    
    $adsi = [ADSI]"WinNT://$Servers"
    $adsi.Children | where {$_.SchemaClassName -eq 'user'} | Foreach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)} | out-file $Output -Append
    } 

    Error, I got was

    Exception calling "Invoke" with "2" argument(s): "The network path was not found
    At C:\Temp\Users-GroupMember\Users-GroupMember.ps1:17 char:32
    
    + FullyQualifiedErrorId : DotNetMethodException
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + $members = $Group.psbase.Invoke < <<< ("Members")
    When I was researching about this error, I came to know about this blog about enabling CredSSP  in Windows servers (even though that for vCO powershell plugin. In that he had mentioned –

    "By default, PowerShell remoting authenticates using a “Network Logon”. Network Logons work by proving to the remote server that you have possession of the users credential without sending the credential to that server (see Kerberos and NTLM authentication). Because the remote server doesn't have possession of your credential, when you try to make the second hop (from Server A to Server B) it fails because Server A doesn't have a credential to authenticate to Server B with.

    To get around this issue, PowerShell provides the CredSSP (Credential Security Support Provider) option. When using CredSSP, PowerShell will perform a “Network Clear-text Logon” instead of a “Network Logon”. Network Clear-text Logon works by sending the user's clear-text password to the remote server. When using CredSSP, Server A will be sent the user's clear-text password, and will therefore be able to authenticate to Server B. Double hop works!"

    Can you pls share you thoughts if we need to do the same in server 2012 servers as well.


    VT

    • Moved by Bill_Stewart Friday, March 9, 2018 7:26 PM Unanswerable drive-by question
    Thursday, August 3, 2017 9:07 PM

All replies

  • That is not the "Invoke" you are using.  You are using COM "Invoke" which invokes a property or method  on an object.

    You will get your error on objects that are deleted from the domain but have not been removed from local groups.

    If you just want userids then use WMI to get groups and users.

    Get-WmiObject win32_group -computer alpha|select name

    Get-WmiObject win32_group -computer alpha|%{$_.GetRelated('Win32_UserAccount')}|select caption

    Look in the Gallery for pre-written scripts.


    \_(ツ)_/


    Thursday, August 3, 2017 9:20 PM
  • That is not the "Invoke" you are using.  You are using COM "Invoke" which invokes a property or method  on an object.

    You will get your error on objects that are deleted from the domain but have not been removed from local groups.

    If you just want userids then use WMI to get groups and users.

    Get-WmiObject win32_group -computer alpha|select name

    Get-WmiObject win32_group -computer alpha|%{$_.GetRelated('Win32_UserAccount')}|select caption

    Look in the Gallery for pre-written scripts.


    \_(ツ)_/


    Thanks JRV. Initially I used Get-WmiObject win32_group & posted that script. But I was told to use ADSI to get user IDs due as I cannot remotely see domain accounts with WMI due to second hop restrictions & ADSI can be executed remotely by adding the server in the WinNT path (in this forum post). But I thank you for your advice there as It worked fine. But only of few servers, we are getting that error mentioned above. 

    Thats why I asked if we need enable CredSSP in Windows Server.


    VT

    Friday, August 4, 2017 6:55 PM
  • You cannot remotely get domain accounts with ADSI.  You can with CredSSP and using Invoke or Get-CimInstance:

    Get-CimInstance Win32_Group -CimSession $session

    Create a PsSession using CredSSP for either method.

    It is not recommended that you arbitrarily enable CredSSP on  domain as it presents a security risk when not managed correctly.

    To manage and enforce Administrators group membership use the "Restricted Groups" GPO policy.


    \_(ツ)_/

    Friday, August 4, 2017 7:13 PM
  • Thanks again...I will try those options that you suggested.

    VT

    Friday, August 4, 2017 7:20 PM
  • This old script of mine might help:

    http://www.rlmueller.net/PowerShell/PSEnumLocalGroup.txt

    You might be able to use it as written, or it will give you clues to modify your script.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Saturday, August 12, 2017 3:13 PM
  • This old script of mine might help:

    http://www.rlmueller.net/PowerShell/PSEnumLocalGroup.txt

    You might be able to use it as written, or it will give you clues to modify your script.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thanks Richard for sharing the old script. I really appreciate it.

    VT

    Thursday, September 7, 2017 12:34 AM
  • I think I found the issue. I have a base server (which is in 172.128.x.x subnet - for example) to run that script. When I update with different server names (will be in different subnets - 192.168.x.x, 10.10.x.x & ...) in the ServerNames.txt file and when I run that script, its not getting the result as the script generates as expected. But When I copy the script to a server (which is in 10.12.x.x subnet) and against groups of 100 or more servers in the same 10.12.x.x subnet, it works fine.

    I really appreciate everyone who assisted in this. I thought I can update and let you know...


    VT

    Thursday, September 7, 2017 12:41 AM