We needed to do an audit on privileged group membership on workstations. There are many way to do this but using PowerShell to query WMI remotely was the method that we choose as we had to do a few thousand and I wanted to do the checks in groups. .
I decided to write a script that will take the list of devices to be checked from a txt file and then use parameter for the export path and groups to be search.
In this script we will use the class Win32_Group below is a link to the Microsoft Docs
When querying WMI we can use filters to limit the results. If you run query without filtering the command will return all groups even those in AD. See below command and the returned results.
Get-WmiObject -Class Win32_GroupUser | Select-Object GroupComponent,PartComponent,PSComputerName
If we use a filter we can then reduce these by using domain which will be the local machine name and the local group name.
Get-WmiObject -Class Win32_GroupUser -Filter “GroupComponent=””Win32_Group.Domain=’LAB-Host01′,Name=’Administrators'””” | Select-Object GroupComponent,PartComponent,PSComputerName
Now that we have a filter we can use variables to for the text file path and group names. In the script these will be set using the complist and groups variables.
Below are two examples of how the script can be run against one group or multiple groups
.\Get-RemoteGroupMembers -CompList c:\Temp\Comps.txt c:\Temp\Results -groups “Administrators”
For multiple groups just add a , between the names and double or single quotes if there are spaces in the group name.
.\Get-RemoteGroupMembers -CompList .\Comps.txt -exportPath .\ -groups “Administrators”,”Remote Desktop Users”
The full script is on my github page. As always any scripts should be tested before run in production.