Kurt0312
Copper Contributor
Aug 09, 2025

Local Admin Script not working for certain OUs all of a sudden

I run the local admin scripts against our domain every month for a total of 13 location OUs. It has worked just fine for over 2 years until a couple of months ago, when 3 OUs stopped responding to the script, so it puts all assets in the error report. I have checked and we have not made any sort of network or group policy changes. I am reviewing the PowerShell logs in Event Viewer but I am not finding a root cause. Any thoughts?

Here is the code that works for most OUs:

<#
.SYNOPSIS
    .
.DESCRIPTION
    This script will find local administrators of client computers in your
    domain and will save them as a CSV file in the current directory.

.PARAMETER Path
    This will be the DN of the OU or searchscope. Simply copy the DN of OU
    in which you want to query for local admins. If not defined, the whole
    domain will be considered as search scope.

.PARAMETER ComputerName
    This parameter defines the computer account which the function will
    run against. If not specified, all computers will be considered as search
    scope and consequently this function will get local admins of all 
    computers. You can define multiple computers by utilizing comma (,).

.EXAMPLE
    C:\PS> Get-LocalAdminToCsv
    
    This command will get local admins of all computers in the domain.

    C:\PS> Get-LocalAdminToCsv -ComputerName PC1,PC2,PC3

    This command will get local admins of PC1,PC2 and PC3.

    C:\PS> Get-LocalAdminToCsv -Path "OU=Computers,DC=Contoso,DC=com"

.NOTES
    Author: Mahdi Tehrani
    Date  : February 18, 2017   
#>


Import-Module activedirectory
Clear-Host
function Get-LocalAdminToCsv {
    Param(
            $Path          = (Get-ADDomain).DistinguishedName,   
            $ComputerName  = (Get-ADComputer -Filter * -Server (Get-ADDomain).DNsroot -SearchBase $Path -Properties Enabled | Where-Object {$_.Enabled -eq "True"})
         )

    begin{
        [array]$Table = $null
        $Counter = 0
         }
    
    process
    {
    $Date       = Get-Date -Format MM_dd_yyyy_HH_mm_ss
    $FolderName = "LocalAdminsReport("+ $Date + ")"
    New-Item -Path ".\$FolderName" -ItemType Directory -Force | Out-Null

        foreach($Computer in $ComputerName)
        {
            try
            {
                $PC      = Get-ADComputer $Computer
                $Name    = $PC.Name
                $CountPC = @($ComputerName).count
            }

            catch
            {
                Write-Host "Cannot retrieve computer $Computer" -ForegroundColor Yellow -BackgroundColor Red
                # Log the input that failed; $Name still holds the previous computer here.
                Add-Content -Path ".\$FolderName\ErrorLog.txt" "$Computer"
                continue
            }

            finally
            {
                $Counter ++
            }

            Write-Progress -Activity "Connecting PC $Counter/$CountPC " -Status "Querying ($Name)" -PercentComplete (($Counter/$CountPC) * 100)

            try
            {
                $row = $null
                $members =[ADSI]"WinNT://$Name/Administradores"
                $members = @($members.psbase.Invoke("Members"))
                $members | foreach {
                            $User = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                                    $row += $User
                                    $row += " ; "
                                    }
                write-host "Computer ($Name) has been queried and exported." -ForegroundColor Green -BackgroundColor black 
                
                $obj = New-Object -TypeName PSObject -Property @{
                                "Name"           = $Name
                                "LocalAdmins"    = $Row
                                                    }
                $Table += $obj
            }

            catch
            {
            Write-Host "Error accessing ($Name)" -ForegroundColor Yellow -BackgroundColor Red
            Add-Content -Path ".\$FolderName\ErrorLog.txt" "$Name"
            }

            
        }
        try
        {
            $Table  | Sort Name | Select Name,LocalAdmins | Export-Csv -path ".\$FolderName\Report.csv" -Append -NoTypeInformation
        }
        catch
        {
            Write-Warning $_
        }
    }

    end{}
}

This happens under a local admin account as well as a domain admin account.

2 Replies

  • The three OUs are different because? Permissions on those OUs? When querying the objects in that OU, what error is returned?

  • Bart_Pasmans
    Copper Contributor

    Hi Kurt,

    Which part of your script is actually 'breaking'? Are you getting any error message?
    How about separating the specific code and trying to run it manually out of the script context (what result do you get there)?

    Can it be that your remote connection fails with ADSI?

    It's a good first step to get to the actual error message and start troubleshooting from there.

     

    Regards

    Bart
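
Added example, not part of the thread or of the original script: one way to surface the actual error the replies ask for, by running the script's WinNT/ADSI query against a few machines from a failing OU one stage at a time. `Test-LocalAdminQuery` is a hypothetical name, and the TCP 445 check assumes the WinNT provider reaches the remote machine over SMB.

```powershell
# Added example: per-stage diagnostic for the WinNT/ADSI query used in the posted script.
# Test-LocalAdminQuery is a hypothetical helper name, not part of the original script.
function Test-LocalAdminQuery {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Same group name the posted script queries; change it if the local group is named differently.
        [string]$GroupName = 'Administradores'
    )
    foreach ($Name in $ComputerName) {
        $result = [ordered]@{ Computer = $Name; Stage = 'OK'; Detail = $null }
        try {
            # Stage 1: name resolution. A stale or missing DNS record fails here.
            $result.Stage = 'DNS'
            $null = [System.Net.Dns]::GetHostEntry($Name)

            # Stage 2: TCP 445. Assumption: the WinNT provider reaches the remote SAM over SMB.
            $result.Stage = 'TCP445'
            if (-not (Test-NetConnection -ComputerName $Name -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
                throw "TCP 445 is not reachable"
            }

            # Stage 3: the same ADSI call the script makes, with the exception kept instead of swallowed.
            $result.Stage = 'ADSI'
            $group   = [ADSI]"WinNT://$Name/$GroupName,group"
            $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            }
            $result.Stage  = 'OK'
            $result.Detail = $members -join ' ; '
        }
        catch {
            # Unwrap to the innermost exception so the underlying COM error and HRESULT are visible.
            $inner = $_.Exception.GetBaseException()
            $result.Detail = '{0} (HRESULT 0x{1:X8})' -f $inner.Message, $inner.HResult
        }
        [pscustomobject]$result
    }
}

# Usage (PC-OU1-001 and PC-OU2-001 are constructed sample names):
# Test-LocalAdminQuery -ComputerName 'PC-OU1-001','PC-OU2-001' | Format-Table -AutoSize
```

The `Stage` column shows where each machine fails (DNS, TCP445 or ADSI), and `Detail` carries the message and HRESULT that the posted script's `catch` block discards.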

     
