December 15th, 2012

Weekend Scripter: Use PowerShell to Find Local Administrators on a Computer

Doctor Scripto
Scripter

Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell and WMI CIM associations to find local administrators.

Microsoft Scripting Guy, Ed Wilson, is here. Well, we have been really lucky the past couple of days in Charlotte, North Carolina—at least weather-wise. Yesterday, it was 60 degrees Fahrenheit and it was sunny with a clear blue sky. I am sitting on the lanai sipping a nice cup of green tea with a cinnamon stick, lemon grass, Jasmine flowers, and just a little bit of lavender. It tastes as great as it smells—certainly a nice way to relax and ease into the day.

Use WMI to find members of the local administrator group

When I can get away with it, I love simplicity. Once you know Windows Management Instrumentation (WMI), the world of Windows administration opens to you. In fact, with the introduction of the CIM cmdlets in Windows PowerShell 3.0, and the movement towards Open Management Infrastructure (OMI), knowing how to use this technology becomes much more important—it is knowledge you can leverage over and over in your daily work. Anyway, today I was playing around with association WMI classes, and I decided to spend a bit of time using the Win32_GroupUser WMI class.

Note   I talk about WMI associations in Use PowerShell CIM Cmdlets to Discover WMI Associations. This association class references two other classes: Win32_Group and Win32_Account. This information is shown here.

15:56 C:> Get-CimClass win32_groupuser | select -expand cimclassproperties

Name               : GroupComponent
Value              :
CimType            : Reference
Flags              : Property, Key, ReadOnly, NullValue
Qualifiers         : {Aggregate, read, key, MappingStrings…}
ReferenceClassName : Win32_Group

Name               : PartComponent
Value              :
CimType            : Reference
Flags              : Property, Key, ReadOnly, NullValue
Qualifiers         : {read, key, MappingStrings, Override}
ReferenceClassName : Win32_Account

By using Windows PowerShell 2.0 (or Windows PowerShell 3.0), I can use the Get-WmiObject cmdlet to query the association class directly. I can then filter for the GroupComponent that matches administrators. For each of those, I can use the [wmi] type accelerator to retrieve the object referenced by the PartComponent property. From the output above, the PartComponent property contains the Win32_Account, and the GroupComponent property contains the Win32_Group, as shown here.

Get-WmiObject win32_groupuser |
Where-Object { $_.GroupComponent -match 'administrators' } |
ForEach-Object {[wmi]$_.PartComponent }

When I run the code, the following appears in the Windows PowerShell console.

16:03 C:> Get-WmiObject win32_groupuser |
>> Where-Object { $_.groupcomponent -match 'administrators' } |
>> ForEach-Object {[wmi]$_.partcomponent }
>>

AccountType : 512
Caption     : edLT\Administrator
Domain      : edLT
SID         : S-1-5-21-3464415469-1849125893-2015719117-500
FullName    :
Name        : Administrator

AccountType : 512
Caption     : edLT\ed
Domain      : edLT
SID         : S-1-5-21-3464415469-1849125893-2015719117-1001
FullName    :
Name        : ed

Caption : IAMMRED\Domain Admins
Domain  : IAMMRED
Name    : Domain Admins
SID     : S-1-5-21-1457956834-3844189528-3541350385-512

The previous command is a single logical line, but it is broken at the pipe character for ease of reading. By using the Windows PowerShell 3.0 syntax and a few aliases, I can reduce this to a single physical line. The command is shown here.

gwmi win32_groupuser | ? groupcomponent -match 'administrators' | % {[wmi]$_.partcomponent}

Use the PowerShell 3.0 CIM cmdlets to get local admins

I can use the same WMI classes, but with the CIM cmdlets from Windows PowerShell 3.0, which simplifies the code a bit. The first thing I need to do is obtain a CIM instance. To do this, I use the Get-CimInstance cmdlet: I specify the WMI class as Win32_Group, and I filter for the group named administrators. I pipe the returned CIM instance to the Get-CimAssociatedInstance cmdlet, which queries for associated instances based on the association class name. So you see, it is important to know which WMI classes are linked by which WMI association class. I know this because I know how to use the CIM cmdlets to expand the class properties and see the association. Now, all I need to do is specify the association class, as shown here.

Get-CimInstance -ClassName win32_group -Filter "name = 'administrators'" |
Get-CimAssociatedInstance -Association win32_groupuser

The command and its associated output are shown here.

16:06 C:> Get-CimInstance -ClassName win32_group -Filter "name = 'administrators'" |
>> Get-CimAssociatedInstance -Association win32_groupuser
>>

Name             Caption          AccountType      SID              Domain
----             -------          -----------      ---              ------
Administrator    edLT\Administ… 512              S-1-5-21-3464… edLT
ed               edLT\ed         512              S-1-5-21-3464… edLT

Caption : IAMMRED\Domain Admins
Domain  : IAMMRED
Name    : Domain Admins
SID     : S-1-5-21-1457956834-3844189528-3541350385-512

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy
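As an added example that is not part of the original post, here is the CIM approach above turned into a small audit function. Instead of matching the group name (which would also match any other group containing the word "administrators", and depends on the display language), it selects the built-in Administrators group by its well-known SID S-1-5-32-544, resolves each Win32_GroupUser PartComponent, and flags members that are not on an expected baseline. The function name and the baseline list are assumptions for illustration; Win32_GroupUser lists direct members only, so nested group membership is not expanded.

```powershell
# Added example (not from the original post): audit direct members of the local
# Administrators group and flag anything not on an expected baseline.
function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        # Constructed baseline for illustration; replace with your own policy.
        [string[]]$Expected = @("$env:COMPUTERNAME\Administrator", 'IAMMRED\Domain Admins')
    )

    # The built-in Administrators group always has SID S-1-5-32-544, whatever it is
    # called, so filtering on the SID is more reliable than matching the name.
    $group = Get-CimInstance -ClassName Win32_Group `
        -Filter "SID = 'S-1-5-32-544' AND LocalAccount = TRUE"
    if (-not $group) { throw 'Built-in Administrators group (S-1-5-32-544) not found.' }

    $group |
        Get-CimAssociatedInstance -Association Win32_GroupUser |
        ForEach-Object {
            # Each associated instance is a Win32_Account subclass: Win32_UserAccount,
            # Win32_Group or Win32_SystemAccount. Domain is the machine name for local
            # accounts and the domain NetBIOS name for domain accounts and groups.
            $account = '{0}\{1}' -f $_.Domain, $_.Name
            [pscustomobject]@{
                Account  = $account
                Type     = $_.CimClass.CimClassName
                IsGroup  = ($_.CimClass.CimClassName -eq 'Win32_Group')
                SID      = $_.SID
                Expected = ($Expected -contains $account)
            }
        }
}

# Usage: show only members that are not on the baseline, e.g. for a scheduled check.
Get-LocalAdminAudit | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Because the domain groups come back as Win32_Group instances with IsGroup set to true, the output makes it obvious where nested membership would need a separate Active Directory query.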

Author

The "Scripting Guys" is a historical title passed from scripter to scripter. The current revision has morphed into our good friend Doctor Scripto who has been with us since the very beginning.
