I’m always looking for a way to do things from the command line, particularly if I can’t get to where I want to go quickly. Finding the members of a local group is one of those things where I like being able to look things up quickly.
One area that comes up frequently, particularly in an audit, is who the local admins are. Most people head to the Computer Management console. I’ve got a better way, particularly if you have to deal with more than one machine.
With PowerShell I can make use of the WMI classes to perform the query. I start with the knowledge that I want to use the Win32_Group class to get information about groups. (See this for a list of the Management Interfaces.)
I could start with this:
That would be a bad thing to do on a domain though, particularly a large one. So I also add a filter:
Get-WmiObject Win32_Group -Filter "LocalAccount=True"
That gets me just the local machine groups. The one I am interested in is the Administrators group. I have two ways of getting it, both involving expanding my Filter. The first way is to expand the Filter to "LocalAccount=True AND NAME='Administrators'". While this works, it has the problem of returning nothing if the group has been renamed. Instead I’ll expand the filter to look the group up by its SID.
Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
Being a built-in group, its SID is predefined and will not change, so filtering on the SID is guaranteed to get me the right group even if it has been renamed. At this point I have this output:
Caption            Domain  Name            SID
-------            ------  ----            ---
PC\Administrators  PC      Administrators  S-1-5-32-544
Not exactly what I was looking for. What I need to do now is pull some information from that into a query statement I can use with another WMI class. We’ll take the above command and assign its result to a variable, $admingroup.
$admingroup = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
To get the right results I am going to use two properties of the value stored in $admingroup, specifically Domain and Name. Here’s the query:
$query = "GroupComponent = `"Win32_Group.Domain='" + $admingroup.Domain + "',Name='" + $admingroup.Name + "'`""
GroupComponent belongs to the Win32_GroupUser class and holds the group side of the membership information I am looking for. I’m setting the query filter to match the domain retrieved from the Win32_Group class, and, now that I’ve gotten the real name of the group, I’m also filtering on the group’s name.
My next bit is to pull the data of the membership using the query I’ve just built:
Get-WmiObject win32_groupuser -Filter $query
Now if I were to run this I would get a BUNCH of information per object in the group. I want to clean it up:
(Get-WmiObject win32_groupuser -Filter $query).PartComponent
If you tried the previous command you would have seen, buried among the other information, the PartComponent property. The above command isolates just that information:
It’s ugly but it is correct.
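Putting the steps above together, here is a complete script that audits the local Administrators group on one or more machines. It is an added example, not code from the original post: it assumes Windows PowerShell (Get-WmiObject is not present in PowerShell 7 and later), that the caller has rights to query WMI on each target, a hypothetical file name of Get-LocalAdmins.ps1, and that each PartComponent string has the usual WMI path shape of Class.Domain="X",Name="Y". Unlike the post, it also parses PartComponent into a Domain\Name pair so the output is readable.

```powershell
# Added example (not from the original post): list members of the built-in
# Administrators group on each target, looking the group up by SID.
# Assumes Windows PowerShell and WMI access to each machine in -ComputerName.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Well-known SID of the built-in Administrators group; stable across renames.
$adminSid = 'S-1-5-32-544'

foreach ($computer in $ComputerName) {
    # Step 1: find the group by SID rather than by name.
    $adminGroup = Get-WmiObject -Class Win32_Group -ComputerName $computer `
        -Filter "LocalAccount=True AND SID='$adminSid'"
    if (-not $adminGroup) {
        Write-Warning "$computer : could not find a local group with SID $adminSid"
        continue
    }

    # Step 2: build the Win32_GroupUser filter from the group's Domain and Name.
    $query = "GroupComponent = `"Win32_Group.Domain='$($adminGroup.Domain)',Name='$($adminGroup.Name)'`""

    # Step 3: pull the association records and keep only PartComponent, which
    # is a WMI path such as: \\PC\root\cimv2:Win32_UserAccount.Domain="PC",Name="Administrator"
    $members = (Get-WmiObject -Class Win32_GroupUser -ComputerName $computer -Filter $query).PartComponent

    foreach ($part in $members) {
        # Parse the member class (Win32_UserAccount, Win32_Group for nested
        # groups, Win32_SystemAccount) and the Domain/Name pair out of the path.
        if ($part -match '(?<Class>Win32_\w+)\.Domain="(?<Domain>[^"]+)",Name="(?<Name>[^"]+)"') {
            [pscustomobject]@{
                Computer = $computer
                Member   = "$($Matches.Domain)\$($Matches.Name)"
                Type     = $Matches.Class
            }
        }
        else {
            # Emit rather than silently drop anything in an unexpected shape.
            Write-Warning "$computer : unrecognized PartComponent '$part'"
        }
    }
}
```

Run it as .\Get-LocalAdmins.ps1 -ComputerName server01,server02 and pipe the output to Export-Csv if you need a record for the audit. Because the group is found by SID and the member paths are parsed rather than matched by name, a renamed Administrators group or a nested domain group still shows up correctly.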
In my next post I’ll discuss how to clean it up.