Export the members of the local Administrators group to a file once, and store that file on a central share:
Export-LocalAdminsList -FilePath C:\Temp\ComputerName.txt
Then compare the group against the file:
Compare-LocalAdminsList -FilePath \\FileServer\AdminLists$\ComputerName.txt
Or enforce the file's content on the group:
Import-LocalAdminsList -FilePath \\FileServer\AdminLists$\ComputerName.txt
- Many servers have different local Administrators members
- Application teams have been granted administrator rights on some servers and you want to prevent them from adding more accounts to the Administrators group
- Copy the module to every local server (usually to C:\Program Files\WindowsPowerShell\Modules)
- Export the members of the local Administrators group to a file:
Export-LocalAdminsList -FilePath C:\Temp\ComputerName.txt
- Copy this file to a central repository:
Copy-Item -Path C:\Temp\ComputerName.txt -Destination \\FileServer\Z$\AdminLists
- To monitor drift, schedule a PowerShell script that runs:
Compare-LocalAdminsList -FilePath \\FileServer\AdminLists$\ComputerName.txt
- To enforce the list, schedule a PowerShell script that runs:
Import-LocalAdminsList -FilePath \\FileServer\AdminLists$\ComputerName.txt
This module is based on PowerShell 5.1 cmdlets.
- The most secure way to schedule your script is through a GPO or via DSC
- Depending on your needs, the script you schedule, whether it monitors drift or enforces the local administrators list, can send a mail and/or write an event in the event log (which can be monitored by SCOM or another tool).
Common parameters like -WhatIf, -Verbose and -Confirm are fully supported.
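The following scheduled drift-check script is an added example and is not part of the module. It assumes the module is auto-loadable from a PSModulePath folder, that Compare-LocalAdminsList writes one object per difference to the pipeline and nothing when the group matches the file (an assumption about the cmdlet's output), and that an event source named LocalAdminsDrift may be registered in the Application log (a name chosen here). A failure to read the reference file is reported as its own event, because an unreachable or tampered reference file is a condition worth alerting on rather than a silent skip.

```powershell
# Added example (not the module's own code). Assumed: Compare-LocalAdminsList
# emits one object per difference and nothing when there is no drift; the
# event source name and the mail settings below are chosen for this example.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ReferenceFile = "\\FileServer\AdminLists$\$env:COMPUTERNAME.txt",
    [string]$MailTo = '',          # leave empty to disable mail
    [string]$MailFrom = "$env:COMPUTERNAME@example.invalid",
    [string]$SmtpServer = ''
)

$source = 'LocalAdminsDrift'   # hypothetical event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

function Write-DriftEvent {
    param([int]$Id, [string]$Type, [string]$Message)
    Write-EventLog -LogName Application -Source $source -EventId $Id `
        -EntryType $Type -Message $Message
    if ($MailTo -and $SmtpServer) {
        Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
            -Subject "[$env:COMPUTERNAME] local admins check: $Type" -Body $Message
    }
}

try {
    if (-not (Test-Path -LiteralPath $ReferenceFile)) {
        throw "Reference file not reachable: $ReferenceFile"
    }
    # Collect the differences; -WhatIf is passed through so a dry run of the
    # scheduled task never changes anything (Compare does not change the group).
    $drift = @(Compare-LocalAdminsList -FilePath $ReferenceFile -WhatIf:$WhatIfPreference)

    if ($drift.Count -gt 0) {
        $body = "Local Administrators group differs from $ReferenceFile`n`n" +
                ($drift | Format-List | Out-String)
        Write-DriftEvent -Id 1001 -Type Warning -Message $body
    }
    else {
        Write-DriftEvent -Id 1000 -Type Information `
            -Message "Local Administrators group matches $ReferenceFile"
    }
}
catch {
    # Reading the reference failed: alert, do not stay silent.
    Write-DriftEvent -Id 1002 -Type Error -Message ("Drift check failed: " + $_.Exception.Message)
}
```

Run this script from a scheduled task or GPO under the SYSTEM account; only event ID 1001 (drift) and 1002 (check failed) need an alert rule in SCOM or your SIEM, while 1000 provides a heartbeat proving the check ran. Swapping Compare-LocalAdminsList for Import-LocalAdminsList turns the same wrapper into the enforcement job described above.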
Permissions on the central repository should be narrowed down so that authorized people and computers have only the permissions they need.
Typical permissions could be:
- Domain admins have Full Control permissions
- Computer accounts from computers using this module have Read Only permissions
- Computer accounts from computers not using this module have no access
- If applicable, you can add the Read-Write permissions on files for people who manage matching computers
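The script below is an added example, not part of the module, that applies the permission model just described to the repository folder on the file server. It assumes the share \\FileServer\AdminLists$ is backed by the local folder D:\AdminLists, the domain is named CONTOSO, each reference file is named after its computer (ComputerName.txt), and an optional per-computer group named ComputerName-Admins (a naming convention chosen for this example) holds the people who manage that computer. Inheritance is broken on the folder so that a computer account only ever sees the one file granted to it.

```powershell
# Added example (not the module's own code). Assumed names: domain CONTOSO,
# folder D:\AdminLists behind \\FileServer\AdminLists$, reference files named
# ComputerName.txt, optional manager group ComputerName-Admins per computer.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$RepoPath = 'D:\AdminLists',
    [string]$Domain   = 'CONTOSO'
)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# 1. Folder: disable inheritance, drop inherited ACEs, keep only Domain Admins
#    and SYSTEM with Full Control. Nothing else gets folder-level access.
$acl = Get-Acl -Path $RepoPath
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { $null = $acl.RemoveAccessRule($_) }
foreach ($id in "$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
if ($PSCmdlet.ShouldProcess($RepoPath, 'Replace folder ACL')) {
    Set-Acl -Path $RepoPath -AclObject $acl
}

# 2. Files: each computer account may only read its own reference file;
#    computers without a file (or not using the module) get nothing.
Get-ChildItem -Path $RepoPath -Filter '*.txt' -File | ForEach-Object {
    $computer = $_.BaseName
    $fileAcl  = Get-Acl -Path $_.FullName

    # Computer account: Read only (Import/Compare need nothing more).
    $fileAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$computer`$", 'Read', $allow)))

    # Optional managers group for this computer: Read and Write on the file.
    $managers = "$Domain\$computer-Admins"   # hypothetical naming convention
    try {
        $null = ([System.Security.Principal.NTAccount]$managers).Translate(
            [System.Security.Principal.SecurityIdentifier])
        $fileAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $managers, 'Read, Write', $allow)))
    }
    catch {
        Write-Verbose "No managers group '$managers' found for $computer; skipping"
    }

    if ($PSCmdlet.ShouldProcess($_.FullName, "Grant Read to $Domain\$computer`$")) {
        Set-Acl -Path $_.FullName -AclObject $fileAcl
    }
}
```

Run it on the file server as an administrator; -WhatIf previews every Set-Acl call without changing anything. The NTFS permissions above are what enforce the model, so the SMB share itself can stay at a plain Read grant (for example via Grant-SmbShareAccess on Windows Server 2012 and later), since a computer that is not listed still reaches no file.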