{"id":4466,"date":"2012-12-15T00:01:00","date_gmt":"2012-12-15T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2012\/12\/15\/weekend-scripter-use-powershell-to-find-local-administrators-on-a-computer\/"},"modified":"2012-12-15T00:01:00","modified_gmt":"2012-12-15T00:01:00","slug":"weekend-scripter-use-powershell-to-find-local-administrators-on-a-computer","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-use-powershell-to-find-local-administrators-on-a-computer\/","title":{"rendered":"Weekend Scripter: Use PowerShell to Find Local Administrators on a Computer"},"content":{"rendered":"

Summary:<\/strong> Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell and WMI CIM associations to find local administrators.\nMicrosoft Scripting Guy, Ed Wilson, is here. Well, we have been really lucky the past couple of days in Charlotte, North Carolina—at least weather wise. Yesterday, it was 60 degrees Fahrenheit and it was sunny with a clear blue sky. I am sitting on the lanai sipping a nice cup of green tea with a cinnamon stick, lemon grass, Jasmine flowers, and just a little bit of lavender. It tastes as great as it smells—certainly a nice way to relax and ease into the day.<\/p>\n

Use WMI to find members of the local administrator group<\/h2>\n

When I can get away with it, I love simplicity. Once you know Windows Management Instrumentation (WMI), the world of Windows administration opens to you. In fact, with the introduction of the CIM cmdlets in Windows PowerShell 3.0, and the movement towards Open Management Infrastructure (OMI)<\/a>, knowing how to use this technology becomes much more important—it is knowledge you can leverage over and over in your daily work.\nAnyway, today I was playing around with association WMI classes, and I decided to spend a bit of time using the Win32_GroupUser <\/strong>WMI class.<\/p>\n

Note<\/strong>   I talk about WMI associations in Use PowerShell CIM Cmdlets to Discover WMI Associations<\/a>. <\/em>\nThis association class references two other classes: Win32_Group<\/strong> and Win32_Account<\/strong>. This information is shown here.<\/p>\n

15:56 C:> Get-CimClass win32_groupuser | select -expand cimclassproperties<\/p>\n

 <\/p>\n

Name               : GroupComponent<\/p>\n

Value              :<\/p>\n

CimType            : Reference<\/p>\n

Flags              : Property, Key, ReadOnly, NullValue<\/p>\n

Qualifiers         : {Aggregate, read, key, MappingStrings…}<\/p>\n

ReferenceClassName : Win32_Group<\/p>\n

 <\/p>\n

Name               : PartComponent<\/p>\n

Value              :<\/p>\n

CimType            : Reference<\/p>\n

Flags              : Property, Key, ReadOnly, NullValue<\/p>\n

Qualifiers         : {read, key, MappingStrings, Override}<\/p>\n

ReferenceClassName : Win32_Account\nBy using Windows PowerShell 2.0 (or Windows PowerShell 3.0), I can query this class by using the Get-WmiObject<\/strong> cmdlet to directly query the association class. I can then filter out the GroupComponent that matches administrators. <\/em>For each of those, I can use the WMI type accelerator to retrieve the PartComponent property. From the output above, the PartComponent property contains the Win32_Account, and the GroupComponent property contains the Win32_Group, as shown here.<\/p>\n

Get-WmiObject win32_groupuser |<\/p>\n

Where-Object { $_.GroupComponent -match ‘administrators’ } |<\/p>\n

ForEach-Object {[wmi]$_.PartComponent }\nWhen I run the code, the following appears in the Windows PowerShell console.<\/p>\n

16:03 C:> Get-WmiObject win32_groupuser |<\/p>\n

>> Where-Object { $_.groupcomponent -match ‘administrators’ } |<\/p>\n

>> ForEach-Object {[wmi]$_.partcomponent }<\/p>\n

>> <\/p>\n

AccountType : 512<\/p>\n

Caption     : edLTAdministrator<\/p>\n

Domain      : edLT<\/p>\n

SID         : S-1-5-21-3464415469-1849125893-2015719117-500<\/p>\n

FullName    :<\/p>\n

Name        : Administrator<\/p>\n

 <\/p>\n

AccountType : 512<\/p>\n

Caption     : edLTed<\/p>\n

Domain      : edLT<\/p>\n

SID         : S-1-5-21-3464415469-1849125893-2015719117-1001<\/p>\n

FullName    :<\/p>\n

Name        : ed<\/p>\n

 <\/p>\n

Caption : IAMMREDDomain Admins<\/p>\n

Domain  : IAMMRED<\/p>\n

Name    : Domain Admins<\/p>\n

SID     : S-1-5-21-1457956834-3844189528-3541350385-512\nThe previous command is a single logical line, but it is broken at the pipe character for ease of reading. By using the Windows PowerShell 3.0 syntax, and a few aliases, I can reduce this to a single physical line. The command is shown here.<\/p>\n

gwmi win32_groupuser | ? groupcomponent -match ‘administrators’ | % {[wmi]$_.partcomponent}<\/p>\n

Use the PowerShell 3.0 CIM cmdlets to get local admins<\/h2>\n

I can use the same WMI classes, but use the CIM cmdlets from Windows PowerShell 3.0. This simplifies the code a bit. The first thing I need to do is to obtain a CIM instance. To do this, I use the Get-CimInstance<\/strong> cmdlet. I specify the WMI class as Win32_Group, and I look for groups with the name of administrators<\/em>. I pipe the returned CIM Instance to the Get-AssociatedInstance<\/strong> cmdlet. This cmdlet will query for an association based upon the association class name.\nSo you see, it is important to know what WMI classes are made up on which WMI association class. I know, because I know how to use the CIM cmdlets to expand the output to see the association. Now, all I need to do is specify that I am looking for an association and specify the associated class, as shown here.<\/p>\n

Get-CimInstance -ClassName win32_group -Filter “name = ‘administrators'” |<\/p>\n

Get-CimAssociatedInstance -Association win32_groupuser\nThe command and its associated output is shown here.<\/p>\n

16:06 C:> Get-CimInstance -ClassName win32_group -Filter “name = ‘administrators'” |<\/p>\n

>> Get-CimAssociatedInstance -Association win32_groupuser<\/p>\n

>> <\/p>\n

 <\/p>\n

Name             Caption          AccountType      SID              Domain<\/p>\n

—-             ——-          ———–      —              ——<\/p>\n

Administrator    edLTAdminist… 512              S-1-5-21-3464… edLT<\/p>\n

ed               edLTed          512              S-1-5-21-3464… edLT<\/p>\n

 <\/p>\n

Caption : IAMMREDDomain Admins<\/p>\n

Domain  : IAMMRED<\/p>\n

Name    : Domain Admins<\/p>\n

SID     : S-1-5-21-1457956834-3844189528-3541350385-512\nI invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.\nEd Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell and WMI CIM associations to find local administrators. Microsoft Scripting Guy, Ed Wilson, is here. Well, we have been really lucky the past couple of days in Charlotte, North Carolina—at least weather wise. Yesterday, it was 60 degrees Fahrenheit and it was sunny […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[362,3,4,61,45,6],"class_list":["post-4466","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-powershell-3","tag-scripting-guy","tag-scripting-techniques","tag-weekend-scripter","tag-windows-powershell","tag-wmi"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell and WMI CIM associations to find local administrators. Microsoft Scripting Guy, Ed Wilson, is here. Well, we have been really lucky the past couple of days in Charlotte, North Carolina—at least weather wise. Yesterday, it was 60 degrees Fahrenheit and it was sunny […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=4466"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4466\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=4466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=4466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=4466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}