ADDS get local group member

Gan Herng Yih 41 Reputation points
2020-08-18T01:23:47.563+00:00

I am wondering: when I run these, is the source of the result the AD database, or did it come from the computer object?

$Computer = [ADSI]"WinNT://computer_name"
$group = $Computer.Children.Find('Administrators', 'group')
$members = @($group.psbase.Invoke('Members') | ForEach-Object { ([ADSI]$_).Path })
$members

This code works on all computers across the domain, so I am thinking it came from the AD. Thank you in advance.

Active Directory

Accepted answer
  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2020-08-19T06:01:34.303+00:00

    Hi,
    If the user doesn't have any privileged credential, it can't run the code against other servers.
    For example, one user without privileged rights logs onto PC1; the code can be run against PC1, which means he can get the members of the local administrator group for PC1 only, but can't get the members of the local administrator group for other PCs; the command will fail.
    But when you run this command as domain admins, you can run the command against any PCs.

    The following screenshot is for your reference (the user logs onto client1 and will fail to get the membership for server1, but will be successful for client1 itself, and both will be OK if run as domain administrator):
    18549-8191.png


2 additional answers

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2020-08-18T07:12:57.373+00:00

    Hi,
    Based on my research, I found that the DC and destination PC act in different roles for the command you mentioned above.
    Actually, the data for the local administrator group is from the destination PC. If the destination PC is disconnected, we can't get any information of the local group from the AD data.
    But the DCs act as DNS server; they help to find the IP address for the destination PC and resolve the domain users' SIDs to user names. Without the DC, if you research the local administrator group members for the PC itself, it will show a list of SIDs; if you search the local administrator group members for other PCs, you can't even find the destination PC without the name resolution.
    The following screenshots are for your reference:
    18148-8184.png
    18271-8186.png

    Best Regards,


  2. Gan Herng Yih 41 Reputation points
    2020-08-19T03:14:42.08+00:00

    Thank you for checking that. I tried shutting down the server and sure enough the code failed. But I was wondering why ADSI allows that. Nothing is stopping me from running this code against any other server without using privileged credentials.

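The lookup discussed in this thread, written as an audit helper. This is an added example, not code from any of the posts above. It reports where each member of a local group comes from and handles the two failure modes the answers describe (target unreachable or access denied, and SIDs that cannot be resolved to names). The function name `Get-LocalGroupMemberReport` is hypothetical, and `$ComputerName` is assumed to be the NetBIOS name of the target.

```powershell
# Added example (hypothetical helper): audit a local group through the ADSI
# WinNT provider. Per the answers above, the member list is read from the
# target PC itself, not from the AD database.
function Get-LocalGroupMemberReport {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # assumption: NetBIOS name
        [string]$GroupName = 'Administrators'
    )
    try {
        $group   = [ADSI]"WinNT://$ComputerName/$GroupName,group"
        # The bind happens on first use, so failures surface on this call.
        $members = @($group.psbase.Invoke('Members'))
    }
    catch {
        # Target offline, name not resolvable, or the caller lacks rights on it.
        Write-Warning "Cannot read '$GroupName' on ${ComputerName}: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        # Members are raw COM objects; read their properties by late binding.
        $t        = $m.GetType()
        $name     = $t.InvokeMember('Name',      'GetProperty', $null, $m, $null)
        $path     = $t.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $class    = $t.InvokeMember('Class',     'GetProperty', $null, $m, $null)
        $sidBytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value

        # Local accounts carry the computer name in their WinNT path; a name
        # that is still a SID means it could not be resolved (e.g. no DC).
        $source = if ($name -like 'S-1-*') { 'Unresolved SID' }
                  elseif ($path -like "*/$ComputerName/*") { 'Local account' }
                  else { 'Domain or well-known principal' }

        [pscustomobject]@{
            Computer = $ComputerName
            Group    = $GroupName
            Member   = $name
            Class    = $class      # User or Group
            Source   = $source
            SID      = $sid
            ADsPath  = $path
        }
    }
}

# Example run against the local machine:
Get-LocalGroupMemberReport -ComputerName $env:COMPUTERNAME | Format-Table -AutoSize
```

Rows whose Source is 'Unresolved SID' are worth reviewing during an audit, since they can be leftover entries for deleted accounts or a sign that the target could not reach a DC.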
