
How does one query for the membership of the builtin\administrators group using Powershell?

It seems to me that this should be really simple.

My SOX audit requires me to provide test results for each in scope folder. I have to list what users and groups have access and what that level of access is for each in scope folder.

The accounts that are in AD are easily handled by Powershell's AD provider. Each folder also lists the local (NetApp) administrators group as having full control.

And I want to automate a query of the membership of the builtin\administrators group to complete this process.

get-nagroup only lists the local groups on the filer. But there does not appear to be a way to get this cmdlet to give me the membership of any one group.

Please, what am I missing?


Re: How does one query for the membership of the builtin\administrators group using Powershell?

You're right, it is really simple! 

Get-NaUser -Group Administrators

Re: How does one query for the membership of the builtin\administrators group using Powershell?

Thanks Eric,

That command definitely gets me closer to my goal. But not all the way.

The local administrators group on my filer includes the local administrator account. But it also includes about 6 accounts from the 2008 R2 AD domain that the filer is associated with.

Running the command you suggest only displays the local administrator in the results. It does not display any information about the 6 domain accounts that are also in the local administrators group on my filer.

And before you ask the question, I can confirm that my filer sees my domain just fine. cifs testdc and cifs lookup give solid results for the accounts that should be showing up in this query.


Re: How does one query for the membership of the builtin\administrators group using Powershell?

Ok, figured it out.

Once CIFS is enabled, the filer looks mostly like another member server to other Windows hosts. So much so that PowerShell's ADSI adaptor can query the filer like any other Windows machine.

The following basic PowerShell script can be used to query member servers (including a NetApp filer) or user PCs for local group membership:

$group = [ADSI]"WinNT://computer name/group name"

$members = @($group.psbase.Invoke("Members"))

$members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}

Just insert your specific computer name and group name.

And unlike "get-nauser -group administrators", this will return all of the accounts (local and domain) in the results.

Re: How does one query for the membership of the builtin\administrators group using Powershell?

Rolf, is there a way to retrieve the source of the account info - local filer or domain? The results don't indicate this.

Results for local Administrators group:

administrator

Domain Admins

chris

This is what it looks like using Computer Management on Windows:

DOTSIM801\administrator (S-1-5-21....)

TEST\Domain Admins

TEST\chris

Thanks,

Re: How does one query for the membership of the builtin\administrators group using Powershell?

I found a script here that gives me the info I am looking for, http://www.rlmueller.net/PowerShell/PSEnumLocalGroup.txt.

Here are the results for the same system from my previous posting:

Computer: DOTSIM801

Group: Administrators

WinNT://DOTSIM801A-1/administrator

WinNT://TEST/Domain Admins

LDAP://CN=Chris,CN=Users,DC=test,DC=ntap

LDAP://CN=Administrator,CN=Users,DC=test,DC=ntap

WinNT://TEST/chris

The ones listed with LDAP are the users found in the WinNT://TEST/Domain Admins group.

Pretty nifty.
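
For the question above about telling local members from domain members, here is an added example (not from the thread or from NetApp) that reads each member's ADsPath and Class through the same ADSI WinNT binding and labels where the account comes from. The function names, the host FILER01 and the sample paths are constructed assumptions.

```powershell
# Added example (not from the thread). Function names are hypothetical.

# Split a WinNT ADsPath into account name and owning authority, then label the source.
function ConvertFrom-WinNTPath {
    param([string]$ADsPath, [string]$Computer)
    $parts = ($ADsPath -replace '^WinNT://', '') -split '/'
    $name  = $parts[-1]
    $owner = if ($parts.Count -gt 1) { $parts[-2] } else { '' }
    if     ($name -match '^S-1-\d+(-\d+)+$') { $source = 'UnresolvedSID' }  # SID with no resolvable name
    elseif ($owner -ieq $Computer)           { $source = 'Local' }          # owned by the queried host
    elseif ($owner)                          { $source = 'Domain' }         # owned by another authority
    else                                     { $source = 'Unknown' }
    [pscustomobject]@{
        Account = (@($owner, $name) | Where-Object { $_ }) -join '\'
        Source  = $source
        Class   = $null
        ADsPath = $ADsPath
    }
}

# Live query: bind to the group, read ADsPath and Class (User or Group) for every member.
function Get-LocalGroupMemberSource {
    param([string]$Computer, [string]$Group = 'Administrators')
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $row  = ConvertFrom-WinNTPath -ADsPath $path -Computer $Computer
        $row.Class = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
        $row
    }
}

# Constructed sample paths so the classifier can be run offline.
$sample = @(
    'WinNT://TEST/FILER01/administrator',
    'WinNT://TEST/Domain Admins',
    'WinNT://TEST/chris',
    'WinNT://S-1-5-21-1111111111-2222222222-3333333333-1105'
)
$sample | ForEach-Object { ConvertFrom-WinNTPath -ADsPath $_ -Computer 'FILER01' } |
    Format-Table Account, Source

# Against a real host, keep the output as audit evidence (CSV file name is a placeholder):
# Get-LocalGroupMemberSource -Computer 'FILER01' | Export-Csv .\admins-FILER01.csv -NoTypeInformation
```

In the output posted above, the local account's path carries DOTSIM801A-1 while the queried computer is DOTSIM801, so an exact-name comparison like this one would label it Domain; check the authority string your filer returns and pass that as -Computer to the classifier. Members reported with Class Group, and any UnresolvedSID rows, still need to be expanded or investigated separately before the list is complete.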