Microsoft Virtualization Discussions
It seems to me that this should be really simple.
My SOX audit requires me to provide test results for each in-scope folder. I have to list what users and groups have access and what that level of access is for each in-scope folder.
The accounts that are in AD are easily handled by PowerShell's AD provider. Each folder also lists the local (NetApp) administrators group as having full control.
And I want to automate a query of the membership of the builtin\administrators group to complete this process.
get-nagroup only lists the local groups on the filer. But there does not appear to be a way to get this cmdlet to give me the membership of any one group.
Please, what am I missing?
RE
You're right, it is really simple!
Get-NaUser -Group Administrators
Thanks Eric,
That command definitely gets me closer to my goal. But not all the way.
The local administrators group on my filer includes the local administrator account. But it also includes about 6 accounts from the 2008 R2 AD domain that the filer is associated with.
Running the command you suggest only displays the local administrator in the results. It does not display any information about the 6 domain accounts that are also in the local administrators group on my filer.
And before you ask the question, I can confirm that my filer sees my domain just fine. cifs testdc and cifs lookup give solid results for the accounts that should be showing up in this query.
RE
Ok, figured it out.
Once CIFS is enabled, the filer looks mostly like another member server to other Windows hosts. So much so that PowerShell's ADSI adaptor can query the filer like any other Windows machine.
The following basic PowerShell script can be used to query member servers (including a NetApp filer) or user PCs for local group membership:
$group = [ADSI]"WinNT://computer name/group name"
$members = @($group.psbase.Invoke("Members"))
$members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
Just insert your specific computer name and group name.
And unlike "get-nauser -group administrators", this will return all of the accounts (local and domain) in the results.
Rolf, is there a way to retrieve the source of the account info - local filer or domain? The results don't indicate this.
Results for local Administrators group:
administrator
Domain Admins
chris
This is what it looks like using Computer Management on Windows:
DOTSIM801\administrator (S-1-5-21....)
TEST\Domain Admins
TEST\chris
Thanks,
I found a script here that gives me the info I am looking for, http://www.rlmueller.net/PowerShell/PSEnumLocalGroup.txt.
Here are the results for the same system from my previous posting:
Computer: DOTSIM801
Group: Administrators
WinNT://DOTSIM801A-1/administrator
WinNT://TEST/Domain Admins
LDAP://CN=Chris,CN=Users,DC=test,DC=ntap
LDAP://CN=Administrator,CN=Users,DC=test,DC=ntap
WinNT://TEST/chris
The ones listed with LDAP are the users found in the WinNT://TEST/Domain Admins group.
Pretty nifty.
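An added example, not part of the thread or of the linked script: it extends the ADSI query from the accepted answer to read each member's ADsPath and report the authority (filer or domain) next to the account name, which is the information asked for above. The function names and the FILER01 host name are hypothetical, and nested domain groups such as Domain Admins are listed but not expanded.

```powershell
# Added example (not from the thread). Function names are hypothetical.

# Split a WinNT ADsPath into its authority (computer or domain) and account name.
function ConvertFrom-WinNTPath {
    param([Parameter(Mandatory)] [string] $AdsPath)
    # Expected shapes: WinNT://AUTHORITY/NAME or WinNT://DOMAIN/COMPUTER/NAME
    $parts = @(($AdsPath -replace '^WinNT://', '') -split '/')
    if ($parts.Count -ge 2) {
        [pscustomobject]@{ Source = $parts[-2]; Name = $parts[-1]; AdsPath = $AdsPath }
    } else {
        # Assumption: a path with no authority segment is an entry the target
        # could not resolve to an account; flag it for manual review.
        [pscustomobject]@{ Source = '(unresolved)'; Name = $parts[0]; AdsPath = $AdsPath }
    }
}

# Query a local group on a member server or CIFS-enabled filer, one row per member.
function Get-LocalGroupMemberSource {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $GroupName = 'Administrators'
    )
    # Same WinNT binding and Members() call as the accepted answer
    $group = [ADSI]"WinNT://$ComputerName/$GroupName"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
        ConvertFrom-WinNTPath -AdsPath $path |
            Select-Object @{n = 'Computer'; e = { $ComputerName }},
                          @{n = 'Group';    e = { $GroupName }},
                          Source, Name,
                          @{n = 'Class';    e = { $class }},   # User or Group
                          AdsPath
    }
}

# Offline check using the WinNT paths quoted in the thread (no filer needed)
'WinNT://DOTSIM801A-1/administrator', 'WinNT://TEST/Domain Admins', 'WinNT://TEST/chris' |
    ForEach-Object { ConvertFrom-WinNTPath -AdsPath $_ } |
    Format-Table Source, Name -AutoSize

# Live query; FILER01 is a placeholder host name
# Get-LocalGroupMemberSource -ComputerName 'FILER01' |
#     Export-Csv .\filer-admins.csv -NoTypeInformation
```

Rows whose Class is Group still need their own membership listed for the audit evidence, since access granted through a domain group does not appear as individual accounts here.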