Problem:
[TESTSERVER]: PS C:\Users\administrator> Get-LocalGroupMember 'Remote Desktop Users'
Get-LocalGroupMember : Failed to compare two elements in the array.
+ CategoryInfo : NotSpecified: (:) [Get-LocalGroupMember], InvalidOperationException
+ FullyQualifiedErrorId : An unspecified error occurred.,Microsoft.PowerShell.Commands.GetLocalGroupMemberCommand
[TESTSERVER]: PS C:\Users\administrator> Add-LocalGroupMember -group 'Remote Desktop Users' -member intranet\testuser
Add-LocalGroupMember : Principal intranet\testuser was not found.
+ CategoryInfo : ObjectNotFound: (portal\nbsingh:String) [Add-LocalGroupMember], PrincipalNotFoundExcepti
on
+ FullyQualifiedErrorId : PrincipalNotFound,Microsoft.PowerShell.Commands.AddLocalGroupMemberCommand
Workaround:
# Remove orphaned accounts from a group
$groupName='Administrators'
$groupObject=@(([ADSI]"WinNT://./$groupName").psbase.Invoke('Members')
$members=$groupObject|% {$_.GetType().InvokeMember('AdsPath','GetProperty',$null,$($_),$null)}) -match '^WinNT'|%{$_.replace("WinNT://","")}
$members|%{if($_ -match "S-1"){Remove-LocalGroupMember -Group "$groupName" -Member "$_"}}
$servers="$env:computername"
$groupNames='Administrators'
function getLocalGroupMembers{
param(
$groupNames='Administrators',
$servers='localhost'
)
function convertFromWellKnownSids {
param(
$sid,
$wellKnownSIDs = @{
'S-1-0' = 'Null Authority'
'S-1-0-0' = 'Nobody'
'S-1-1' = 'World Authority'
'S-1-1-0' = 'Everyone'
'S-1-2' = 'Local Authority'
'S-1-2-0' = 'Local'
'S-1-2-1' = 'Console Logon'
'S-1-3' = 'Creator Authority'
'S-1-3-0' = 'Creator Owner'
'S-1-3-1' = 'Creator Group'
'S-1-3-2' = 'Creator Owner Server'
'S-1-3-3' = 'Creator Group Server'
'S-1-3-4' = 'Owner Rights'
'S-1-5-80-0' = 'All Services'
'S-1-4' = 'Non-unique Authority'
'S-1-5' = 'NT Authority'
'S-1-5-1' = 'Dialup'
'S-1-5-2' = 'Network'
'S-1-5-3' = 'Batch'
'S-1-5-4' = 'Interactive'
'S-1-5-6' = 'Service'
'S-1-5-7' = 'Anonymous'
'S-1-5-8' = 'Proxy'
'S-1-5-9' = 'Enterprise Domain Controllers'
'S-1-5-10' = 'Principal Self'
'S-1-5-11' = 'Authenticated Users'
'S-1-5-12' = 'Restricted Code'
'S-1-5-13' = 'Terminal Server Users'
'S-1-5-14' = 'Remote Interactive Logon'
'S-1-5-15' = 'This Organization'
'S-1-5-17' = 'This Organization'
'S-1-5-18' = 'Local System'
'S-1-5-19' = 'NT Authority'
'S-1-5-20' = 'NT Authority'
'S-1-5-32-544' = 'Administrators'
'S-1-5-32-545' = 'Users'
'S-1-5-32-546' = 'Guests'
'S-1-5-32-547' = 'Power Users'
'S-1-5-32-548' = 'Account Operators'
'S-1-5-32-549' = 'Server Operators'
'S-1-5-32-550' = 'Print Operators'
'S-1-5-32-551' = 'Backup Operators'
'S-1-5-32-552' = 'Replicators'
'S-1-5-64-10' = 'NTLM Authentication'
'S-1-5-64-14' = 'SChannel Authentication'
'S-1-5-64-21' = 'Digest Authority'
'S-1-5-80' = 'NT Service'
'S-1-5-83-0' = 'NT VIRTUAL MACHINE\Virtual Machines'
'S-1-16-0' = 'Untrusted Mandatory Level'
'S-1-16-4096' = 'Low Mandatory Level'
'S-1-16-8192' = 'Medium Mandatory Level'
'S-1-16-8448' = 'Medium Plus Mandatory Level'
'S-1-16-12288' = 'High Mandatory Level'
'S-1-16-16384' = 'System Mandatory Level'
'S-1-16-20480' = 'Protected Process Mandatory Level'
'S-1-16-28672' = 'Secure Process Mandatory Level'
'S-1-5-32-554' = 'BUILTIN\Pre-Windows 2000 Compatible Access'
'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
'S-1-5-32-556' = 'BUILTIN\Network Configuration Operators'
'S-1-5-32-557' = 'BUILTIN\Incoming Forest Trust Builders'
'S-1-5-32-558' = 'BUILTIN\Performance Monitor Users'
'S-1-5-32-559' = 'BUILTIN\Performance Log Users'
'S-1-5-32-560' = 'BUILTIN\Windows Authorization Access Group'
'S-1-5-32-561' = 'BUILTIN\Terminal Server License Servers'
'S-1-5-32-562' = 'BUILTIN\Distributed COM Users'
'S-1-5-32-569' = 'BUILTIN\Cryptographic Operators'
'S-1-5-32-573' = 'BUILTIN\Event Log Readers'
'S-1-5-32-574' = 'BUILTIN\Certificate Service DCOM Access'
'S-1-5-32-575' = 'BUILTIN\RDS Remote Access Servers'
'S-1-5-32-576' = 'BUILTIN\RDS Endpoint Servers'
'S-1-5-32-577' = 'BUILTIN\RDS Management Servers'
'S-1-5-32-578' = 'BUILTIN\Hyper-V Administrators'
'S-1-5-32-579' = 'BUILTIN\Access Control Assistance Operators'
'S-1-5-32-580' = 'BUILTIN\Remote Management Users'
}
)
$name=($wellKnownSIDs[$sid]).Name
if(!$name){
$name=Try{
$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
($objSID.Translate([System.Security.Principal.NTAccount])).Value
}Catch{
$sid
Write-verbose "$sid is not a valid SID or could not be identified"
}
}
return $name
}
$groups=@()
foreach($groupName in $groupNames){
$members=@()
foreach ($server in $servers){
$group=[ADSI]"WinNT://$Server/$groupName"
$groupMembers=@($group.Invoke('Members') | ForEach-Object {([ADSI]$_).path})
$members+=$groupMembers
}
$names=foreach ($member in $members){
$x=[regex]::match($member,'^WinNT://(.*)').groups[1].value;
if($x -match '^S-1'){
$y=convertFromWellKnownSids $x
if($y -ne $x){$y}else{$x}
}else{
$x
}
}
$groups+=[PSCustomObject]@{
group=$groupName
members=$names
}
}
return $groups
}
getLocalGroupMembers $groupNames $servers
Categories: